Hay
Date
July 9, 2025, 11:07 p.m.

Environment
qemu-arm64
qemu-x86_64

Note: every report below is raised inside a `kunit_try_catch` kernel thread, the kernel is tainted `[N]=TEST`, and the reporting functions are `mempool_page_alloc_uaf` / `mempool_kmalloc_large_uaf` via `mempool_uaf_helper`. These appear to be the KASAN KUnit self-test cases, which deliberately free a mempool-backed allocation and then read from it to confirm that KASAN catches the use-after-free. They are expected positives that show the sanitizer working on 6.16.0-rc5, not evidence of a bug in the mempool code, and should not be triaged as a vulnerability; a real finding would come from a non-test task and without the `[N]=TEST` taint.

[   18.618486] ==================================================================
[   18.618562] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   18.618895] Read of size 1 at addr fff00000c640c000 by task kunit_try_catch/233
[   18.618961] 
[   18.619176] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.619482] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.619562] Hardware name: linux,dummy-virt (DT)
[   18.619603] Call trace:
[   18.619645]  show_stack+0x20/0x38 (C)
[   18.619824]  dump_stack_lvl+0x8c/0xd0
[   18.619879]  print_report+0x118/0x608
[   18.619934]  kasan_report+0xdc/0x128
[   18.619982]  __asan_report_load1_noabort+0x20/0x30
[   18.620032]  mempool_uaf_helper+0x314/0x340
[   18.620655]  mempool_page_alloc_uaf+0xc0/0x118
[   18.620843]  kunit_try_run_case+0x170/0x3f0
[   18.621001]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.621218]  kthread+0x328/0x630
[   18.621357]  ret_from_fork+0x10/0x20
[   18.621540] 
[   18.621566] The buggy address belongs to the physical page:
[   18.621728] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10640c
[   18.621794] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.622346] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   18.622515] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   18.622592] page dumped because: kasan: bad access detected
[   18.622800] 
[   18.623284] Memory state around the buggy address:
[   18.623405]  fff00000c640bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.623458]  fff00000c640bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.623510] >fff00000c640c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.623548]                    ^
[   18.623586]  fff00000c640c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.623627]  fff00000c640c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.624058] ==================================================================
[   18.559049] ==================================================================
[   18.559465] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   18.559556] Read of size 1 at addr fff00000c6404000 by task kunit_try_catch/229
[   18.559617] 
[   18.559655] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.560200] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.560246] Hardware name: linux,dummy-virt (DT)
[   18.560377] Call trace:
[   18.560455]  show_stack+0x20/0x38 (C)
[   18.560566]  dump_stack_lvl+0x8c/0xd0
[   18.560703]  print_report+0x118/0x608
[   18.560754]  kasan_report+0xdc/0x128
[   18.561046]  __asan_report_load1_noabort+0x20/0x30
[   18.561270]  mempool_uaf_helper+0x314/0x340
[   18.561678]  mempool_kmalloc_large_uaf+0xc4/0x120
[   18.561839]  kunit_try_run_case+0x170/0x3f0
[   18.562222]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.562377]  kthread+0x328/0x630
[   18.562630]  ret_from_fork+0x10/0x20
[   18.562830] 
[   18.562942] The buggy address belongs to the physical page:
[   18.563279] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106404
[   18.563466] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   18.563549] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   18.563729] page_type: f8(unknown)
[   18.563818] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   18.563872] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   18.564248] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   18.564396] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   18.564474] head: 0bfffe0000000002 ffffc1ffc3190101 00000000ffffffff 00000000ffffffff
[   18.564849] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   18.564917] page dumped because: kasan: bad access detected
[   18.565031] 
[   18.565093] Memory state around the buggy address:
[   18.565140]  fff00000c6403f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.565216]  fff00000c6403f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.565547] >fff00000c6404000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.565659]                    ^
[   18.565695]  fff00000c6404080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.565755]  fff00000c6404100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.565981] ==================================================================

[   14.082498] ==================================================================
[   14.082983] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   14.083525] Read of size 1 at addr ffff888102a44000 by task kunit_try_catch/246
[   14.083853] 
[   14.083969] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.084011] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.084023] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.084181] Call Trace:
[   14.084193]  <TASK>
[   14.084207]  dump_stack_lvl+0x73/0xb0
[   14.084249]  print_report+0xd1/0x650
[   14.084271]  ? __virt_addr_valid+0x1db/0x2d0
[   14.084293]  ? mempool_uaf_helper+0x392/0x400
[   14.084319]  ? kasan_addr_to_slab+0x11/0xa0
[   14.084340]  ? mempool_uaf_helper+0x392/0x400
[   14.084362]  kasan_report+0x141/0x180
[   14.084383]  ? mempool_uaf_helper+0x392/0x400
[   14.084410]  __asan_report_load1_noabort+0x18/0x20
[   14.084435]  mempool_uaf_helper+0x392/0x400
[   14.084458]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.084482]  ? __kasan_check_write+0x18/0x20
[   14.084668]  ? __pfx_sched_clock_cpu+0x10/0x10
[   14.084696]  ? finish_task_switch.isra.0+0x153/0x700
[   14.084731]  mempool_kmalloc_large_uaf+0xef/0x140
[   14.084756]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   14.084784]  ? __pfx_mempool_kmalloc+0x10/0x10
[   14.084808]  ? __pfx_mempool_kfree+0x10/0x10
[   14.084833]  ? __pfx_read_tsc+0x10/0x10
[   14.084854]  ? ktime_get_ts64+0x86/0x230
[   14.084878]  kunit_try_run_case+0x1a5/0x480
[   14.084901]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.084924]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.084948]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.084972]  ? __kthread_parkme+0x82/0x180
[   14.084992]  ? preempt_count_sub+0x50/0x80
[   14.085016]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.085208]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.085238]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.085263]  kthread+0x337/0x6f0
[   14.085283]  ? trace_preempt_on+0x20/0xc0
[   14.085306]  ? __pfx_kthread+0x10/0x10
[   14.085327]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.085349]  ? calculate_sigpending+0x7b/0xa0
[   14.085372]  ? __pfx_kthread+0x10/0x10
[   14.085394]  ret_from_fork+0x116/0x1d0
[   14.085413]  ? __pfx_kthread+0x10/0x10
[   14.085433]  ret_from_fork_asm+0x1a/0x30
[   14.085465]  </TASK>
[   14.085475] 
[   14.098015] The buggy address belongs to the physical page:
[   14.098590] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a44
[   14.099154] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   14.099492] flags: 0x200000000000040(head|node=0|zone=2)
[   14.099745] page_type: f8(unknown)
[   14.099914] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   14.100540] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   14.101012] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   14.101489] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   14.101914] head: 0200000000000002 ffffea00040a9101 00000000ffffffff 00000000ffffffff
[   14.102387] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   14.102838] page dumped because: kasan: bad access detected
[   14.103053] 
[   14.103363] Memory state around the buggy address:
[   14.103562]  ffff888102a43f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.104002]  ffff888102a43f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.104504] >ffff888102a44000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.104779]                    ^
[   14.104943]  ffff888102a44080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.105677]  ffff888102a44100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.105972] ==================================================================
[   14.156850] ==================================================================
[   14.158281] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   14.158943] Read of size 1 at addr ffff888103990000 by task kunit_try_catch/250
[   14.159579] 
[   14.159684] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.159858] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.159875] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.159932] Call Trace:
[   14.159945]  <TASK>
[   14.159964]  dump_stack_lvl+0x73/0xb0
[   14.160153]  print_report+0xd1/0x650
[   14.160177]  ? __virt_addr_valid+0x1db/0x2d0
[   14.160202]  ? mempool_uaf_helper+0x392/0x400
[   14.160224]  ? kasan_addr_to_slab+0x11/0xa0
[   14.160247]  ? mempool_uaf_helper+0x392/0x400
[   14.160270]  kasan_report+0x141/0x180
[   14.160292]  ? mempool_uaf_helper+0x392/0x400
[   14.160326]  __asan_report_load1_noabort+0x18/0x20
[   14.160351]  mempool_uaf_helper+0x392/0x400
[   14.160373]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.160398]  ? __kasan_check_write+0x18/0x20
[   14.160417]  ? __pfx_sched_clock_cpu+0x10/0x10
[   14.160441]  ? finish_task_switch.isra.0+0x153/0x700
[   14.160468]  mempool_page_alloc_uaf+0xed/0x140
[   14.160491]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   14.160518]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   14.160544]  ? __pfx_mempool_free_pages+0x10/0x10
[   14.160571]  ? __pfx_read_tsc+0x10/0x10
[   14.160593]  ? ktime_get_ts64+0x86/0x230
[   14.160618]  kunit_try_run_case+0x1a5/0x480
[   14.160645]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.160668]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.160692]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.160728]  ? __kthread_parkme+0x82/0x180
[   14.160750]  ? preempt_count_sub+0x50/0x80
[   14.160772]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.160797]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.160821]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.160846]  kthread+0x337/0x6f0
[   14.160865]  ? trace_preempt_on+0x20/0xc0
[   14.160890]  ? __pfx_kthread+0x10/0x10
[   14.160910]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.160931]  ? calculate_sigpending+0x7b/0xa0
[   14.160956]  ? __pfx_kthread+0x10/0x10
[   14.160977]  ret_from_fork+0x116/0x1d0
[   14.160995]  ? __pfx_kthread+0x10/0x10
[   14.161016]  ret_from_fork_asm+0x1a/0x30
[   14.161059]  </TASK>
[   14.161085] 
[   14.173861] The buggy address belongs to the physical page:
[   14.174411] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103990
[   14.174922] flags: 0x200000000000000(node=0|zone=2)
[   14.175382] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   14.175756] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   14.176395] page dumped because: kasan: bad access detected
[   14.176617] 
[   14.176964] Memory state around the buggy address:
[   14.177447]  ffff88810398ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.177920]  ffff88810398ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.178455] >ffff888103990000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.178966]                    ^
[   14.179265]  ffff888103990080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.179583]  ffff888103990100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   14.179907] ==================================================================