Date: July 8, 2025, 11:09 p.m.
Environment: qemu-arm64

```text
[ 21.312813] ==================================================================
[ 21.312884] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.313094] Read of size 1 at addr fff00000c76c4000 by task kunit_try_catch/233
[ 21.313214]
[ 21.313247] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 21.313333] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.313359] Hardware name: linux,dummy-virt (DT)
[ 21.313391] Call trace:
[ 21.313413] show_stack+0x20/0x38 (C)
[ 21.313464] dump_stack_lvl+0x8c/0xd0
[ 21.313513] print_report+0x118/0x608
[ 21.313559] kasan_report+0xdc/0x128
[ 21.313604] __asan_report_load1_noabort+0x20/0x30
[ 21.313655] mempool_uaf_helper+0x314/0x340
[ 21.313700] mempool_page_alloc_uaf+0xc0/0x118
[ 21.313745] kunit_try_run_case+0x170/0x3f0
[ 21.313794] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.313845] kthread+0x328/0x630
[ 21.313885] ret_from_fork+0x10/0x20
[ 21.313944]
[ 21.313966] The buggy address belongs to the physical page:
[ 21.313997] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076c4
[ 21.314074] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.314137] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 21.314195] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 21.314236] page dumped because: kasan: bad access detected
[ 21.314268]
[ 21.314285] Memory state around the buggy address:
[ 21.314316] fff00000c76c3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.314393] fff00000c76c3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.314433] >fff00000c76c4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.314471]                    ^
[ 21.314498] fff00000c76c4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.314565] fff00000c76c4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.314628] ==================================================================
[ 21.269815] ==================================================================
[ 21.269885] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.269946] Read of size 1 at addr fff00000c76c4000 by task kunit_try_catch/229
[ 21.269996]
[ 21.270035] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 21.270121] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.270148] Hardware name: linux,dummy-virt (DT)
[ 21.270313] Call trace:
[ 21.270462] show_stack+0x20/0x38 (C)
[ 21.270734] dump_stack_lvl+0x8c/0xd0
[ 21.270944] print_report+0x118/0x608
[ 21.271013] kasan_report+0xdc/0x128
[ 21.271063] __asan_report_load1_noabort+0x20/0x30
[ 21.271527] mempool_uaf_helper+0x314/0x340
[ 21.271592] mempool_kmalloc_large_uaf+0xc4/0x120
[ 21.271973] kunit_try_run_case+0x170/0x3f0
[ 21.272038] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.272092] kthread+0x328/0x630
[ 21.272280] ret_from_fork+0x10/0x20
[ 21.272333]
[ 21.272537] The buggy address belongs to the physical page:
[ 21.272693] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076c4
[ 21.272846] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 21.272950] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 21.273054] page_type: f8(unknown)
[ 21.273103] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 21.273214] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 21.273264] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 21.273500] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 21.273701] head: 0bfffe0000000002 ffffc1ffc31db101 00000000ffffffff 00000000ffffffff
[ 21.273966] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 21.274029] page dumped because: kasan: bad access detected
[ 21.274062]
[ 21.274080] Memory state around the buggy address:
[ 21.274116] fff00000c76c3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.274170] fff00000c76c3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.274224] >fff00000c76c4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.274260]                    ^
[ 21.274324] fff00000c76c4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.274632] fff00000c76c4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.274754] ==================================================================
```

Environment: qemu-x86_64

```text
[ 14.162721] ==================================================================
[ 14.164005] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.164818] Read of size 1 at addr ffff888103b34000 by task kunit_try_catch/251
[ 14.165141]
[ 14.165250] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.165295] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.165308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.165330] Call Trace:
[ 14.165342] <TASK>
[ 14.165358] dump_stack_lvl+0x73/0xb0
[ 14.165390] print_report+0xd1/0x650
[ 14.165413] ? __virt_addr_valid+0x1db/0x2d0
[ 14.165438] ? mempool_uaf_helper+0x392/0x400
[ 14.165461] ? kasan_addr_to_slab+0x11/0xa0
[ 14.165481] ? mempool_uaf_helper+0x392/0x400
[ 14.165504] kasan_report+0x141/0x180
[ 14.165526] ? mempool_uaf_helper+0x392/0x400
[ 14.165554] __asan_report_load1_noabort+0x18/0x20
[ 14.165579] mempool_uaf_helper+0x392/0x400
[ 14.165616] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.166051] ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.166078] ? finish_task_switch.isra.0+0x153/0x700
[ 14.166116] mempool_page_alloc_uaf+0xed/0x140
[ 14.166141] ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 14.166169] ? __pfx_mempool_alloc_pages+0x10/0x10
[ 14.166194] ? __pfx_mempool_free_pages+0x10/0x10
[ 14.166221] ? __pfx_read_tsc+0x10/0x10
[ 14.166242] ? ktime_get_ts64+0x86/0x230
[ 14.166267] kunit_try_run_case+0x1a5/0x480
[ 14.166292] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.166315] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.166340] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.166364] ? __kthread_parkme+0x82/0x180
[ 14.166386] ? preempt_count_sub+0x50/0x80
[ 14.166409] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.166435] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.166460] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.166487] kthread+0x337/0x6f0
[ 14.166505] ? trace_preempt_on+0x20/0xc0
[ 14.166530] ? __pfx_kthread+0x10/0x10
[ 14.166550] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.166571] ? calculate_sigpending+0x7b/0xa0
[ 14.166596] ? __pfx_kthread+0x10/0x10
[ 14.166629] ret_from_fork+0x116/0x1d0
[ 14.166647] ? __pfx_kthread+0x10/0x10
[ 14.166667] ret_from_fork_asm+0x1a/0x30
[ 14.166699] </TASK>
[ 14.166710]
[ 14.175411] The buggy address belongs to the physical page:
[ 14.175786] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b34
[ 14.176212] flags: 0x200000000000000(node=0|zone=2)
[ 14.176476] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 14.176852] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 14.177271] page dumped because: kasan: bad access detected
[ 14.177456]
[ 14.177528] Memory state around the buggy address:
[ 14.177696] ffff888103b33f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.178012] ffff888103b33f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.178355] >ffff888103b34000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.178771]                    ^
[ 14.179015] ffff888103b34080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.179272] ffff888103b34100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.179513] ==================================================================
[ 14.101571] ==================================================================
[ 14.102047] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.102342] Read of size 1 at addr ffff888103b34000 by task kunit_try_catch/247
[ 14.102680]
[ 14.102779] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.102824] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.102836] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.102857] Call Trace:
[ 14.102868] <TASK>
[ 14.102885] dump_stack_lvl+0x73/0xb0
[ 14.102914] print_report+0xd1/0x650
[ 14.102936] ? __virt_addr_valid+0x1db/0x2d0
[ 14.102959] ? mempool_uaf_helper+0x392/0x400
[ 14.102980] ? kasan_addr_to_slab+0x11/0xa0
[ 14.103001] ? mempool_uaf_helper+0x392/0x400
[ 14.103022] kasan_report+0x141/0x180
[ 14.103043] ? mempool_uaf_helper+0x392/0x400
[ 14.103070] __asan_report_load1_noabort+0x18/0x20
[ 14.103489] mempool_uaf_helper+0x392/0x400
[ 14.103525] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.103553] ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.103579] ? finish_task_switch.isra.0+0x153/0x700
[ 14.103619] mempool_kmalloc_large_uaf+0xef/0x140
[ 14.103644] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 14.103672] ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.103697] ? __pfx_mempool_kfree+0x10/0x10
[ 14.103722] ? __pfx_read_tsc+0x10/0x10
[ 14.103744] ? ktime_get_ts64+0x86/0x230
[ 14.103770] kunit_try_run_case+0x1a5/0x480
[ 14.103794] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.103817] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.103842] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.103866] ? __kthread_parkme+0x82/0x180
[ 14.103887] ? preempt_count_sub+0x50/0x80
[ 14.103910] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.104007] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.104034] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.104059] kthread+0x337/0x6f0
[ 14.104077] ? trace_preempt_on+0x20/0xc0
[ 14.104102] ? __pfx_kthread+0x10/0x10
[ 14.104123] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.104144] ? calculate_sigpending+0x7b/0xa0
[ 14.104169] ? __pfx_kthread+0x10/0x10
[ 14.104191] ret_from_fork+0x116/0x1d0
[ 14.104209] ? __pfx_kthread+0x10/0x10
[ 14.104229] ret_from_fork_asm+0x1a/0x30
[ 14.104261] </TASK>
[ 14.104272]
[ 14.116686] The buggy address belongs to the physical page:
[ 14.117273] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b34
[ 14.117810] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 14.118317] flags: 0x200000000000040(head|node=0|zone=2)
[ 14.118748] page_type: f8(unknown)
[ 14.118940] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.119558] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.120012] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.120572] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.120914] head: 0200000000000002 ffffea00040ecd01 00000000ffffffff 00000000ffffffff
[ 14.121233] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 14.121596] page dumped because: kasan: bad access detected
[ 14.121981]
[ 14.122050] Memory state around the buggy address:
[ 14.122494] ffff888103b33f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.122787] ffff888103b33f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.123318] >ffff888103b34000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.123630]                    ^
[ 14.123782] ffff888103b34080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.124206] ffff888103b34100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.124509] ==================================================================
```