Date
July 6, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 | |
| x86 |
[ 19.109624] ================================================================== [ 19.109735] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 19.110104] Read of size 1 at addr fff00000c7900000 by task kunit_try_catch/234 [ 19.110321] [ 19.110401] CPU: 1 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 19.110775] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.111077] Hardware name: linux,dummy-virt (DT) [ 19.111316] Call trace: [ 19.111375] show_stack+0x20/0x38 (C) [ 19.111489] dump_stack_lvl+0x8c/0xd0 [ 19.111581] print_report+0x118/0x608 [ 19.111763] kasan_report+0xdc/0x128 [ 19.111869] __asan_report_load1_noabort+0x20/0x30 [ 19.112045] mempool_uaf_helper+0x314/0x340 [ 19.112344] mempool_page_alloc_uaf+0xc0/0x118 [ 19.112561] kunit_try_run_case+0x170/0x3f0 [ 19.112658] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.113097] kthread+0x328/0x630 [ 19.113172] ret_from_fork+0x10/0x20 [ 19.113649] [ 19.113678] The buggy address belongs to the physical page: [ 19.113746] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107900 [ 19.114224] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.114374] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 19.114504] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 19.114547] page dumped because: kasan: bad access detected [ 19.114579] [ 19.114788] Memory state around the buggy address: [ 19.115127] fff00000c78fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.115225] fff00000c78fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.115308] >fff00000c7900000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.115440] ^ [ 19.115535] fff00000c7900080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.115601] fff00000c7900100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.115839] ================================================================== [ 19.050033] ================================================================== [ 19.050229] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 19.050421] Read of size 1 at addr fff00000c7900000 by task kunit_try_catch/230 [ 19.050549] [ 19.050595] CPU: 1 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 19.051145] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.051299] Hardware name: linux,dummy-virt (DT) [ 19.051347] Call trace: [ 19.051373] show_stack+0x20/0x38 (C) [ 19.051642] dump_stack_lvl+0x8c/0xd0 [ 19.051821] print_report+0x118/0x608 [ 19.051965] kasan_report+0xdc/0x128 [ 19.052087] __asan_report_load1_noabort+0x20/0x30 [ 19.052165] mempool_uaf_helper+0x314/0x340 [ 19.052271] mempool_kmalloc_large_uaf+0xc4/0x120 [ 19.052324] kunit_try_run_case+0x170/0x3f0 [ 19.052384] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.052438] kthread+0x328/0x630 [ 19.052487] ret_from_fork+0x10/0x20 [ 19.052537] [ 19.052568] The buggy address belongs to the physical page: [ 19.052612] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107900 [ 19.052686] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 19.052735] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 19.052792] page_type: f8(unknown) [ 19.052841] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 19.052896] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 19.052946] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 19.053016] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 19.053070] head: 0bfffe0000000002 ffffc1ffc31e4001 00000000ffffffff 00000000ffffffff [ 19.053122] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 19.053163] page dumped because: kasan: bad access detected [ 19.053195] [ 19.053213] Memory state around the buggy address: [ 19.053258] fff00000c78fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.053302] fff00000c78fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.053346] >fff00000c7900000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.053389] ^ [ 19.053437] fff00000c7900080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.053488] fff00000c7900100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.053537] ==================================================================
[ 18.749308] ================================================================== [ 18.749404] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.749469] Read of size 1 at addr fff00000c783c000 by task kunit_try_catch/234 [ 18.749518] [ 18.749555] CPU: 1 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 18.749648] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.749675] Hardware name: linux,dummy-virt (DT) [ 18.749709] Call trace: [ 18.749737] show_stack+0x20/0x38 (C) [ 18.749787] dump_stack_lvl+0x8c/0xd0 [ 18.749832] print_report+0x118/0x608 [ 18.749878] kasan_report+0xdc/0x128 [ 18.750398] __asan_report_load1_noabort+0x20/0x30 [ 18.750851] mempool_uaf_helper+0x314/0x340 [ 18.750956] mempool_page_alloc_uaf+0xc0/0x118 [ 18.751028] kunit_try_run_case+0x170/0x3f0 [ 18.751505] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.751662] kthread+0x328/0x630 [ 18.751835] ret_from_fork+0x10/0x20 [ 18.752006] [ 18.752029] The buggy address belongs to the physical page: [ 18.752118] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10783c [ 18.752354] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.752843] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 18.752982] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 18.753096] page dumped because: kasan: bad access detected [ 18.753130] [ 18.753149] Memory state around the buggy address: [ 18.753379] fff00000c783bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.753573] fff00000c783bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.753701] >fff00000c783c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.753842] ^ [ 18.753946] fff00000c783c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.754167] fff00000c783c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.754411] ================================================================== [ 18.675805] ================================================================== [ 18.676236] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.676334] Read of size 1 at addr fff00000c783c000 by task kunit_try_catch/230 [ 18.676551] [ 18.676857] CPU: 1 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 18.677117] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.677162] Hardware name: linux,dummy-virt (DT) [ 18.677241] Call trace: [ 18.677368] show_stack+0x20/0x38 (C) [ 18.677449] dump_stack_lvl+0x8c/0xd0 [ 18.677496] print_report+0x118/0x608 [ 18.677541] kasan_report+0xdc/0x128 [ 18.677946] __asan_report_load1_noabort+0x20/0x30 [ 18.678360] mempool_uaf_helper+0x314/0x340 [ 18.678416] mempool_kmalloc_large_uaf+0xc4/0x120 [ 18.678572] kunit_try_run_case+0x170/0x3f0 [ 18.678630] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.678752] kthread+0x328/0x630 [ 18.679058] ret_from_fork+0x10/0x20 [ 18.679223] [ 18.679290] The buggy address belongs to the physical page: [ 18.679517] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10783c [ 18.679819] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 18.680100] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 18.680228] page_type: f8(unknown) [ 18.680735] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.681199] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.681290] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.681337] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.681387] head: 0bfffe0000000002 ffffc1ffc31e0f01 00000000ffffffff 00000000ffffffff [ 18.681675] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 18.682095] page dumped because: kasan: bad access detected [ 18.682128] [ 18.682148] Memory state around the buggy address: [ 18.682347] fff00000c783bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.682581] fff00000c783bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.682655] >fff00000c783c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.682694] ^ [ 18.682721] fff00000c783c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.682764] fff00000c783c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.682802] ==================================================================
[ 15.130094] ================================================================== [ 15.130526] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.131136] Read of size 1 at addr ffff888102b48000 by task kunit_try_catch/251 [ 15.131871] [ 15.132362] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 15.132502] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.132765] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.132797] Call Trace: [ 15.132812] <TASK> [ 15.132832] dump_stack_lvl+0x73/0xb0 [ 15.132869] print_report+0xd1/0x650 [ 15.132891] ? __virt_addr_valid+0x1db/0x2d0 [ 15.132912] ? mempool_uaf_helper+0x392/0x400 [ 15.132931] ? kasan_addr_to_slab+0x11/0xa0 [ 15.132950] ? mempool_uaf_helper+0x392/0x400 [ 15.132969] kasan_report+0x141/0x180 [ 15.132989] ? mempool_uaf_helper+0x392/0x400 [ 15.133013] __asan_report_load1_noabort+0x18/0x20 [ 15.133034] mempool_uaf_helper+0x392/0x400 [ 15.133055] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.133076] ? __kasan_check_write+0x18/0x20 [ 15.133094] ? __pfx_sched_clock_cpu+0x10/0x10 [ 15.133135] ? finish_task_switch.isra.0+0x153/0x700 [ 15.133160] mempool_page_alloc_uaf+0xed/0x140 [ 15.133181] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 15.133204] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 15.133226] ? __pfx_mempool_free_pages+0x10/0x10 [ 15.133247] ? __pfx_read_tsc+0x10/0x10 [ 15.133265] ? ktime_get_ts64+0x86/0x230 [ 15.133288] kunit_try_run_case+0x1a5/0x480 [ 15.133310] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.133329] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.133351] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.133371] ? __kthread_parkme+0x82/0x180 [ 15.133389] ? preempt_count_sub+0x50/0x80 [ 15.133410] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.133430] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.133450] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.133471] kthread+0x337/0x6f0 [ 15.133487] ? trace_preempt_on+0x20/0xc0 [ 15.133535] ? __pfx_kthread+0x10/0x10 [ 15.133575] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.133608] ? calculate_sigpending+0x7b/0xa0 [ 15.133653] ? __pfx_kthread+0x10/0x10 [ 15.133674] ret_from_fork+0x116/0x1d0 [ 15.133692] ? __pfx_kthread+0x10/0x10 [ 15.133711] ret_from_fork_asm+0x1a/0x30 [ 15.133738] </TASK> [ 15.133751] [ 15.146832] The buggy address belongs to the physical page: [ 15.147037] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b48 [ 15.147256] flags: 0x200000000000000(node=0|zone=2) [ 15.147449] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 15.148902] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 15.149956] page dumped because: kasan: bad access detected [ 15.150598] [ 15.151014] Memory state around the buggy address: [ 15.151796] ffff888102b47f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.152732] ffff888102b47f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.153511] >ffff888102b48000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.154837] ^ [ 15.155387] ffff888102b48080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.156189] ffff888102b48100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.157347] ================================================================== [ 15.054203] ================================================================== [ 15.054660] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.055185] Read of size 1 at addr ffff888102b48000 by task kunit_try_catch/247 [ 15.055415] [ 15.055543] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 15.055636] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.055656] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.055689] Call Trace: [ 15.055708] <TASK> [ 15.055731] dump_stack_lvl+0x73/0xb0 [ 15.055773] print_report+0xd1/0x650 [ 15.055801] ? __virt_addr_valid+0x1db/0x2d0 [ 15.055829] ? mempool_uaf_helper+0x392/0x400 [ 15.055855] ? kasan_addr_to_slab+0x11/0xa0 [ 15.055879] ? mempool_uaf_helper+0x392/0x400 [ 15.055904] kasan_report+0x141/0x180 [ 15.055930] ? mempool_uaf_helper+0x392/0x400 [ 15.055957] __asan_report_load1_noabort+0x18/0x20 [ 15.055978] mempool_uaf_helper+0x392/0x400 [ 15.055997] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.056020] ? finish_task_switch.isra.0+0x153/0x700 [ 15.056044] mempool_kmalloc_large_uaf+0xef/0x140 [ 15.056065] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 15.056089] ? __pfx_mempool_kmalloc+0x10/0x10 [ 15.056136] ? __pfx_mempool_kfree+0x10/0x10 [ 15.056185] ? __pfx_read_tsc+0x10/0x10 [ 15.056222] ? ktime_get_ts64+0x86/0x230 [ 15.056266] kunit_try_run_case+0x1a5/0x480 [ 15.056305] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.056336] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.056375] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.056412] ? __kthread_parkme+0x82/0x180 [ 15.056449] ? preempt_count_sub+0x50/0x80 [ 15.056491] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.056544] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.056585] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.056641] kthread+0x337/0x6f0 [ 15.056680] ? trace_preempt_on+0x20/0xc0 [ 15.056718] ? __pfx_kthread+0x10/0x10 [ 15.056747] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.056780] ? calculate_sigpending+0x7b/0xa0 [ 15.056820] ? __pfx_kthread+0x10/0x10 [ 15.056856] ret_from_fork+0x116/0x1d0 [ 15.056894] ? __pfx_kthread+0x10/0x10 [ 15.056934] ret_from_fork_asm+0x1a/0x30 [ 15.056997] </TASK> [ 15.057021] [ 15.069211] The buggy address belongs to the physical page: [ 15.069462] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b48 [ 15.069757] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 15.070724] flags: 0x200000000000040(head|node=0|zone=2) [ 15.071154] page_type: f8(unknown) [ 15.071426] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 15.071924] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 15.072463] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 15.073061] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 15.073356] head: 0200000000000002 ffffea00040ad201 00000000ffffffff 00000000ffffffff [ 15.073991] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 15.074843] page dumped because: kasan: bad access detected [ 15.075264] [ 15.075382] Memory state around the buggy address: [ 15.075870] ffff888102b47f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.076340] ffff888102b47f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.076894] >ffff888102b48000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.077270] ^ [ 15.077442] ffff888102b48080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.078055] ffff888102b48100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.078413] ==================================================================
[ 15.145449] ================================================================== [ 15.146433] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.146686] Read of size 1 at addr ffff888102a0c000 by task kunit_try_catch/246 [ 15.148015] [ 15.148470] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 15.148565] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.148581] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.148604] Call Trace: [ 15.148619] <TASK> [ 15.148635] dump_stack_lvl+0x73/0xb0 [ 15.148665] print_report+0xd1/0x650 [ 15.148687] ? __virt_addr_valid+0x1db/0x2d0 [ 15.148743] ? mempool_uaf_helper+0x392/0x400 [ 15.148779] ? kasan_addr_to_slab+0x11/0xa0 [ 15.148799] ? mempool_uaf_helper+0x392/0x400 [ 15.148822] kasan_report+0x141/0x180 [ 15.148844] ? mempool_uaf_helper+0x392/0x400 [ 15.148871] __asan_report_load1_noabort+0x18/0x20 [ 15.148897] mempool_uaf_helper+0x392/0x400 [ 15.148920] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.148946] ? __pfx_sched_clock_cpu+0x10/0x10 [ 15.148969] ? finish_task_switch.isra.0+0x153/0x700 [ 15.148994] mempool_kmalloc_large_uaf+0xef/0x140 [ 15.149018] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 15.149045] ? __pfx_mempool_kmalloc+0x10/0x10 [ 15.149080] ? __pfx_mempool_kfree+0x10/0x10 [ 15.149105] ? __pfx_read_tsc+0x10/0x10 [ 15.149125] ? ktime_get_ts64+0x86/0x230 [ 15.149149] kunit_try_run_case+0x1a5/0x480 [ 15.149174] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.149196] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.149219] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.149242] ? __kthread_parkme+0x82/0x180 [ 15.149262] ? preempt_count_sub+0x50/0x80 [ 15.149285] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.149308] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.149330] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.149353] kthread+0x337/0x6f0 [ 15.149373] ? trace_preempt_on+0x20/0xc0 [ 15.149397] ? __pfx_kthread+0x10/0x10 [ 15.149418] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.149438] ? calculate_sigpending+0x7b/0xa0 [ 15.149462] ? __pfx_kthread+0x10/0x10 [ 15.149484] ret_from_fork+0x116/0x1d0 [ 15.149502] ? __pfx_kthread+0x10/0x10 [ 15.149529] ret_from_fork_asm+0x1a/0x30 [ 15.149560] </TASK> [ 15.149572] [ 15.165739] The buggy address belongs to the physical page: [ 15.165950] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a0c [ 15.166599] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 15.167223] flags: 0x200000000000040(head|node=0|zone=2) [ 15.167722] page_type: f8(unknown) [ 15.167967] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 15.168405] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 15.168643] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 15.169457] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 15.170452] head: 0200000000000002 ffffea00040a8301 00000000ffffffff 00000000ffffffff [ 15.171446] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 15.171902] page dumped because: kasan: bad access detected [ 15.172099] [ 15.172179] Memory state around the buggy address: [ 15.172345] ffff888102a0bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.172571] ffff888102a0bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.172794] >ffff888102a0c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.173012] ^ [ 15.173454] ffff888102a0c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.174299] ffff888102a0c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.175152] ================================================================== [ 15.213099] ================================================================== [ 15.213586] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.213903] Read of size 1 at addr ffff888103950000 by task kunit_try_catch/250 [ 15.214321] [ 15.214435] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 15.214482] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.214496] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.214518] Call Trace: [ 15.214532] <TASK> [ 15.214548] dump_stack_lvl+0x73/0xb0 [ 15.214578] print_report+0xd1/0x650 [ 15.214601] ? __virt_addr_valid+0x1db/0x2d0 [ 15.214625] ? mempool_uaf_helper+0x392/0x400 [ 15.214648] ? kasan_addr_to_slab+0x11/0xa0 [ 15.214668] ? mempool_uaf_helper+0x392/0x400 [ 15.214691] kasan_report+0x141/0x180 [ 15.214713] ? mempool_uaf_helper+0x392/0x400 [ 15.214759] __asan_report_load1_noabort+0x18/0x20 [ 15.214785] mempool_uaf_helper+0x392/0x400 [ 15.214808] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.214840] mempool_page_alloc_uaf+0xed/0x140 [ 15.214864] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 15.214892] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 15.214917] ? __pfx_mempool_free_pages+0x10/0x10 [ 15.214944] ? __pfx_read_tsc+0x10/0x10 [ 15.214966] ? ktime_get_ts64+0x86/0x230 [ 15.214992] kunit_try_run_case+0x1a5/0x480 [ 15.215017] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.215040] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.215076] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.215100] ? __kthread_parkme+0x82/0x180 [ 15.215122] ? preempt_count_sub+0x50/0x80 [ 15.215147] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.215170] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.215194] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.215218] kthread+0x337/0x6f0 [ 15.215238] ? trace_preempt_on+0x20/0xc0 [ 15.215263] ? __pfx_kthread+0x10/0x10 [ 15.215284] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.215307] ? calculate_sigpending+0x7b/0xa0 [ 15.215333] ? __pfx_kthread+0x10/0x10 [ 15.215356] ret_from_fork+0x116/0x1d0 [ 15.215375] ? __pfx_kthread+0x10/0x10 [ 15.215395] ret_from_fork_asm+0x1a/0x30 [ 15.215429] </TASK> [ 15.215441] [ 15.224179] The buggy address belongs to the physical page: [ 15.224464] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103950 [ 15.224887] flags: 0x200000000000000(node=0|zone=2) [ 15.225083] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 15.225386] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 15.225684] page dumped because: kasan: bad access detected [ 15.226037] [ 15.226170] Memory state around the buggy address: [ 15.226367] ffff88810394ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.226701] ffff88810394ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.227023] >ffff888103950000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.227343] ^ [ 15.227504] ffff888103950080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.227977] ffff888103950100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.228302] ==================================================================
[ 37.313510] ================================================================== [ 37.324749] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 37.331457] Read of size 1 at addr ffff8881081f8000 by task kunit_try_catch/270 [ 37.338773] [ 37.340271] CPU: 3 UID: 0 PID: 270 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 37.340280] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST [ 37.340283] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 37.340287] Call Trace: [ 37.340288] <TASK> [ 37.340290] dump_stack_lvl+0x73/0xb0 [ 37.340295] print_report+0xd1/0x650 [ 37.340299] ? __virt_addr_valid+0x1db/0x2d0 [ 37.340303] ? mempool_uaf_helper+0x392/0x400 [ 37.340307] ? kasan_addr_to_slab+0x11/0xa0 [ 37.340311] ? mempool_uaf_helper+0x392/0x400 [ 37.340315] kasan_report+0x141/0x180 [ 37.340319] ? mempool_uaf_helper+0x392/0x400 [ 37.340324] __asan_report_load1_noabort+0x18/0x20 [ 37.340329] mempool_uaf_helper+0x392/0x400 [ 37.340350] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 37.340355] ? __kasan_check_write+0x18/0x20 [ 37.340358] ? __pfx_sched_clock_cpu+0x10/0x10 [ 37.340362] ? finish_task_switch.isra.0+0x153/0x700 [ 37.340367] mempool_kmalloc_large_uaf+0xef/0x140 [ 37.340371] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 37.340389] ? __pfx_mempool_kmalloc+0x10/0x10 [ 37.340393] ? __pfx_mempool_kfree+0x10/0x10 [ 37.340398] ? ktime_get_ts64+0x83/0x230 [ 37.340402] kunit_try_run_case+0x1a2/0x480 [ 37.340407] ? __pfx_kunit_try_run_case+0x10/0x10 [ 37.340411] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 37.340415] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 37.340420] ? __kthread_parkme+0x82/0x180 [ 37.340423] ? preempt_count_sub+0x50/0x80 [ 37.340427] ? __pfx_kunit_try_run_case+0x10/0x10 [ 37.340432] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 37.340436] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 37.340441] kthread+0x334/0x6f0 [ 37.340444] ? trace_preempt_on+0x20/0xc0 [ 37.340448] ? __pfx_kthread+0x10/0x10 [ 37.340452] ? _raw_spin_unlock_irq+0x47/0x80 [ 37.340456] ? calculate_sigpending+0x7b/0xa0 [ 37.340460] ? __pfx_kthread+0x10/0x10 [ 37.340464] ret_from_fork+0x113/0x1d0 [ 37.340467] ? __pfx_kthread+0x10/0x10 [ 37.340471] ret_from_fork_asm+0x1a/0x30 [ 37.340477] </TASK> [ 37.340479] [ 37.533130] The buggy address belongs to the physical page: [ 37.538703] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1081f8 [ 37.546711] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 37.554371] flags: 0x200000000000040(head|node=0|zone=2) [ 37.559709] page_type: f8(unknown) [ 37.563118] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 37.570864] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 37.578605] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 37.586438] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 37.594264] head: 0200000000000002 ffffea0004207e01 00000000ffffffff 00000000ffffffff [ 37.602089] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 37.609916] page dumped because: kasan: bad access detected [ 37.615488] [ 37.616989] Memory state around the buggy address: [ 37.621781] ffff8881081f7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.629001] ffff8881081f7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.636228] >ffff8881081f8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.643456] ^ [ 37.646690] ffff8881081f8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.653915] ffff8881081f8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.661134] ================================================================== [ 38.125030] ================================================================== [ 38.136008] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 38.142714] Read of size 1 at addr ffff888104eb8000 by task kunit_try_catch/274 [ 38.150028] [ 38.151531] CPU: 0 UID: 0 PID: 274 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 38.151540] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST [ 38.151543] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 38.151546] Call Trace: [ 38.151548] <TASK> [ 38.151550] dump_stack_lvl+0x73/0xb0 [ 38.151555] print_report+0xd1/0x650 [ 38.151559] ? __virt_addr_valid+0x1db/0x2d0 [ 38.151563] ? mempool_uaf_helper+0x392/0x400 [ 38.151567] ? kasan_addr_to_slab+0x11/0xa0 [ 38.151571] ? mempool_uaf_helper+0x392/0x400 [ 38.151575] kasan_report+0x141/0x180 [ 38.151579] ? mempool_uaf_helper+0x392/0x400 [ 38.151584] __asan_report_load1_noabort+0x18/0x20 [ 38.151589] mempool_uaf_helper+0x392/0x400 [ 38.151593] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 38.151598] ? __pfx_sched_clock_cpu+0x10/0x10 [ 38.151602] ? finish_task_switch.isra.0+0x153/0x700 [ 38.151607] mempool_page_alloc_uaf+0xed/0x140 [ 38.151611] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 38.151617] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 38.151621] ? __pfx_mempool_free_pages+0x10/0x10 [ 38.151627] ? ktime_get_ts64+0x83/0x230 [ 38.151631] kunit_try_run_case+0x1a2/0x480 [ 38.151636] ? __pfx_kunit_try_run_case+0x10/0x10 [ 38.151640] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 38.151644] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 38.151648] ? __kthread_parkme+0x82/0x180 [ 38.151652] ? preempt_count_sub+0x50/0x80 [ 38.151656] ? __pfx_kunit_try_run_case+0x10/0x10 [ 38.151661] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 38.151665] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 38.151670] kthread+0x334/0x6f0 [ 38.151673] ? trace_preempt_on+0x20/0xc0 [ 38.151677] ? __pfx_kthread+0x10/0x10 [ 38.151681] ? _raw_spin_unlock_irq+0x47/0x80 [ 38.151685] ? calculate_sigpending+0x7b/0xa0 [ 38.151690] ? __pfx_kthread+0x10/0x10 [ 38.151694] ret_from_fork+0x113/0x1d0 [ 38.151697] ? __pfx_kthread+0x10/0x10 [ 38.151701] ret_from_fork_asm+0x1a/0x30 [ 38.151707] </TASK> [ 38.151708] [ 38.340277] The buggy address belongs to the physical page: [ 38.345849] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104eb8 [ 38.353852] flags: 0x200000000000000(node=0|zone=2) [ 38.358739] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 38.366487] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 38.374227] page dumped because: kasan: bad access detected [ 38.379798] [ 38.381296] Memory state around the buggy address: [ 38.386091] ffff888104eb7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 38.393311] ffff888104eb7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 38.400537] >ffff888104eb8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 38.407757] ^ [ 38.410991] ffff888104eb8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 38.418210] ffff888104eb8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 38.425437] ==================================================================