Date
July 13, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.932870] ================================================================== [ 17.932934] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.933011] Read of size 1 at addr fff00000c7998000 by task kunit_try_catch/230 [ 17.933063] [ 17.933093] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.933173] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.933214] Hardware name: linux,dummy-virt (DT) [ 17.933478] Call trace: [ 17.933526] show_stack+0x20/0x38 (C) [ 17.933581] dump_stack_lvl+0x8c/0xd0 [ 17.933657] print_report+0x118/0x5d0 [ 17.933704] kasan_report+0xdc/0x128 [ 17.933776] __asan_report_load1_noabort+0x20/0x30 [ 17.933953] mempool_uaf_helper+0x314/0x340 [ 17.934125] mempool_kmalloc_large_uaf+0xc4/0x120 [ 17.934187] kunit_try_run_case+0x170/0x3f0 [ 17.934288] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.934341] kthread+0x328/0x630 [ 17.934410] ret_from_fork+0x10/0x20 [ 17.934475] [ 17.934512] The buggy address belongs to the physical page: [ 17.934546] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107998 [ 17.934600] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 17.934756] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 17.934810] page_type: f8(unknown) [ 17.934952] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 17.935027] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 17.935080] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 17.935176] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 17.935255] head: 0bfffe0000000002 ffffc1ffc31e6601 00000000ffffffff 00000000ffffffff [ 17.935307] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 17.935348] page dumped because: kasan: bad access detected [ 17.935611] [ 17.935639] Memory state around the buggy address: [ 17.935675] fff00000c7997f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.935786] fff00000c7997f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.935830] >fff00000c7998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.935907] ^ [ 17.935962] fff00000c7998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.936006] fff00000c7998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.936057] ================================================================== [ 17.965262] ================================================================== [ 17.965344] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.965419] Read of size 1 at addr fff00000c799c000 by task kunit_try_catch/234 [ 17.965471] [ 17.965526] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.965611] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.965793] Hardware name: linux,dummy-virt (DT) [ 17.965939] Call trace: [ 17.966010] show_stack+0x20/0x38 (C) [ 17.966215] dump_stack_lvl+0x8c/0xd0 [ 17.966479] print_report+0x118/0x5d0 [ 17.966670] kasan_report+0xdc/0x128 [ 17.966843] __asan_report_load1_noabort+0x20/0x30 [ 17.966961] mempool_uaf_helper+0x314/0x340 [ 17.967044] mempool_page_alloc_uaf+0xc0/0x118 [ 17.967092] kunit_try_run_case+0x170/0x3f0 [ 17.967393] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.967547] kthread+0x328/0x630 [ 17.967634] ret_from_fork+0x10/0x20 [ 17.967789] [ 17.967839] The buggy address belongs to the physical page: [ 17.967914] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10799c [ 17.968054] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.968282] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 17.968389] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 17.968431] page dumped because: kasan: bad access detected [ 17.968463] [ 17.968502] Memory state around the buggy address: [ 17.968534] fff00000c799bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.968578] fff00000c799bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.968622] >fff00000c799c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.968662] ^ [ 17.968915] fff00000c799c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.969061] fff00000c799c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 17.969232] ==================================================================
[ 18.660469] ================================================================== [ 18.660526] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.660573] Read of size 1 at addr fff00000c78e8000 by task kunit_try_catch/230 [ 18.660622] [ 18.660654] CPU: 1 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.660735] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.660762] Hardware name: linux,dummy-virt (DT) [ 18.660794] Call trace: [ 18.660816] show_stack+0x20/0x38 (C) [ 18.660862] dump_stack_lvl+0x8c/0xd0 [ 18.660908] print_report+0x118/0x5d0 [ 18.660953] kasan_report+0xdc/0x128 [ 18.660998] __asan_report_load1_noabort+0x20/0x30 [ 18.661048] mempool_uaf_helper+0x314/0x340 [ 18.661093] mempool_kmalloc_large_uaf+0xc4/0x120 [ 18.661141] kunit_try_run_case+0x170/0x3f0 [ 18.661201] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.661253] kthread+0x328/0x630 [ 18.661294] ret_from_fork+0x10/0x20 [ 18.661340] [ 18.661361] The buggy address belongs to the physical page: [ 18.661394] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e8 [ 18.661464] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 18.661512] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 18.661564] page_type: f8(unknown) [ 18.661603] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.662131] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.662243] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.662294] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.662344] head: 0bfffe0000000002 ffffc1ffc31e3a01 00000000ffffffff 00000000ffffffff [ 18.662394] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 18.662443] page dumped because: kasan: bad access detected [ 18.662593] [ 18.662613] Memory state around the buggy address: [ 18.662644] fff00000c78e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.662709] fff00000c78e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.662761] >fff00000c78e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.662850] ^ [ 18.662898] fff00000c78e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.663099] fff00000c78e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.663291] ================================================================== [ 18.705305] ================================================================== [ 18.705369] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.705430] Read of size 1 at addr fff00000c78e8000 by task kunit_try_catch/234 [ 18.705481] [ 18.705514] CPU: 1 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.705610] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.705735] Hardware name: linux,dummy-virt (DT) [ 18.705791] Call trace: [ 18.705833] show_stack+0x20/0x38 (C) [ 18.706084] dump_stack_lvl+0x8c/0xd0 [ 18.706139] print_report+0x118/0x5d0 [ 18.706203] kasan_report+0xdc/0x128 [ 18.706246] __asan_report_load1_noabort+0x20/0x30 [ 18.706875] mempool_uaf_helper+0x314/0x340 [ 18.706944] mempool_page_alloc_uaf+0xc0/0x118 [ 18.706993] kunit_try_run_case+0x170/0x3f0 [ 18.707307] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.707702] kthread+0x328/0x630 [ 18.707883] ret_from_fork+0x10/0x20 [ 18.707937] [ 18.707959] The buggy address belongs to the physical page: [ 18.707990] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e8 [ 18.708045] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.708405] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 18.708464] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 18.708507] page dumped because: kasan: bad access detected [ 18.708540] [ 18.708588] Memory state around the buggy address: [ 18.708624] fff00000c78e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.708731] fff00000c78e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.708777] >fff00000c78e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.708817] ^ [ 18.708845] fff00000c78e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.708953] fff00000c78e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.709038] ==================================================================
[ 14.272956] ================================================================== [ 14.273415] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.273836] Read of size 1 at addr ffff888103a64000 by task kunit_try_catch/251 [ 14.274116] [ 14.274235] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.274281] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.274295] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.274317] Call Trace: [ 14.274331] <TASK> [ 14.274347] dump_stack_lvl+0x73/0xb0 [ 14.274380] print_report+0xd1/0x610 [ 14.274425] ? __virt_addr_valid+0x1db/0x2d0 [ 14.274463] ? mempool_uaf_helper+0x392/0x400 [ 14.274486] ? kasan_addr_to_slab+0x11/0xa0 [ 14.274508] ? mempool_uaf_helper+0x392/0x400 [ 14.274532] kasan_report+0x141/0x180 [ 14.274579] ? mempool_uaf_helper+0x392/0x400 [ 14.274607] __asan_report_load1_noabort+0x18/0x20 [ 14.274633] mempool_uaf_helper+0x392/0x400 [ 14.274656] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.274681] ? __kasan_check_write+0x18/0x20 [ 14.274702] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.274726] ? finish_task_switch.isra.0+0x153/0x700 [ 14.274755] mempool_page_alloc_uaf+0xed/0x140 [ 14.274779] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 14.274808] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 14.274834] ? __pfx_mempool_free_pages+0x10/0x10 [ 14.274861] ? __pfx_read_tsc+0x10/0x10 [ 14.274883] ? ktime_get_ts64+0x86/0x230 [ 14.274908] kunit_try_run_case+0x1a5/0x480 [ 14.274935] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.274958] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.274984] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.275008] ? __kthread_parkme+0x82/0x180 [ 14.275030] ? preempt_count_sub+0x50/0x80 [ 14.275054] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.275078] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.275103] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.275129] kthread+0x337/0x6f0 [ 14.275148] ? trace_preempt_on+0x20/0xc0 [ 14.275173] ? __pfx_kthread+0x10/0x10 [ 14.275194] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.275215] ? calculate_sigpending+0x7b/0xa0 [ 14.275241] ? __pfx_kthread+0x10/0x10 [ 14.275262] ret_from_fork+0x116/0x1d0 [ 14.275282] ? __pfx_kthread+0x10/0x10 [ 14.275302] ret_from_fork_asm+0x1a/0x30 [ 14.275334] </TASK> [ 14.275344] [ 14.284306] The buggy address belongs to the physical page: [ 14.284528] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103a64 [ 14.284956] flags: 0x200000000000000(node=0|zone=2) [ 14.285206] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 14.285595] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 14.285869] page dumped because: kasan: bad access detected [ 14.286120] [ 14.286212] Memory state around the buggy address: [ 14.286432] ffff888103a63f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.286735] ffff888103a63f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.287022] >ffff888103a64000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.287281] ^ [ 14.287682] ffff888103a64080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.287987] ffff888103a64100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.288231] ================================================================== [ 14.217334] ================================================================== [ 14.218259] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.218896] Read of size 1 at addr ffff888103a20000 by task kunit_try_catch/246 [ 14.219207] [ 14.219299] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.219347] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.219360] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.219382] Call Trace: [ 14.219394] <TASK> [ 14.219410] dump_stack_lvl+0x73/0xb0 [ 14.219441] print_report+0xd1/0x610 [ 14.219480] ? __virt_addr_valid+0x1db/0x2d0 [ 14.219504] ? mempool_uaf_helper+0x392/0x400 [ 14.219527] ? kasan_addr_to_slab+0x11/0xa0 [ 14.219548] ? mempool_uaf_helper+0x392/0x400 [ 14.219582] kasan_report+0x141/0x180 [ 14.219605] ? mempool_uaf_helper+0x392/0x400 [ 14.219633] __asan_report_load1_noabort+0x18/0x20 [ 14.219658] mempool_uaf_helper+0x392/0x400 [ 14.219683] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.219706] ? update_load_avg+0x1be/0x21b0 [ 14.219735] ? finish_task_switch.isra.0+0x153/0x700 [ 14.219761] mempool_kmalloc_large_uaf+0xef/0x140 [ 14.219786] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 14.219814] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.219840] ? __pfx_mempool_kfree+0x10/0x10 [ 14.219866] ? __pfx_read_tsc+0x10/0x10 [ 14.219888] ? ktime_get_ts64+0x86/0x230 [ 14.219913] kunit_try_run_case+0x1a5/0x480 [ 14.219939] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.219962] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.219989] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.220014] ? __kthread_parkme+0x82/0x180 [ 14.220035] ? preempt_count_sub+0x50/0x80 [ 14.220059] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.220084] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.220109] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.220135] kthread+0x337/0x6f0 [ 14.220155] ? trace_preempt_on+0x20/0xc0 [ 14.220180] ? __pfx_kthread+0x10/0x10 [ 14.220201] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.220224] ? calculate_sigpending+0x7b/0xa0 [ 14.220249] ? __pfx_kthread+0x10/0x10 [ 14.220271] ret_from_fork+0x116/0x1d0 [ 14.220296] ? __pfx_kthread+0x10/0x10 [ 14.220317] ret_from_fork_asm+0x1a/0x30 [ 14.220348] </TASK> [ 14.220361] [ 14.228619] The buggy address belongs to the physical page: [ 14.228823] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103a20 [ 14.229248] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 14.229801] flags: 0x200000000000040(head|node=0|zone=2) [ 14.230071] page_type: f8(unknown) [ 14.230211] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.230465] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.230807] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.231190] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.231556] head: 0200000000000002 ffffea00040e8801 00000000ffffffff 00000000ffffffff [ 14.231834] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 14.232109] page dumped because: kasan: bad access detected [ 14.232365] [ 14.232493] Memory state around the buggy address: [ 14.232727] ffff888103a1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.233000] ffff888103a1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.233214] >ffff888103a20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.233425] ^ [ 14.233600] ffff888103a20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.233909] ffff888103a20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.234620] ==================================================================
[ 14.426579] ================================================================== [ 14.427108] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.427393] Read of size 1 at addr ffff888103bc0000 by task kunit_try_catch/247 [ 14.427748] [ 14.428160] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.428211] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.428224] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.428245] Call Trace: [ 14.428258] <TASK> [ 14.428276] dump_stack_lvl+0x73/0xb0 [ 14.428309] print_report+0xd1/0x610 [ 14.428331] ? __virt_addr_valid+0x1db/0x2d0 [ 14.428357] ? mempool_uaf_helper+0x392/0x400 [ 14.428380] ? kasan_addr_to_slab+0x11/0xa0 [ 14.428401] ? mempool_uaf_helper+0x392/0x400 [ 14.428424] kasan_report+0x141/0x180 [ 14.428446] ? mempool_uaf_helper+0x392/0x400 [ 14.428473] __asan_report_load1_noabort+0x18/0x20 [ 14.428500] mempool_uaf_helper+0x392/0x400 [ 14.428523] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.428546] ? update_load_avg+0x1be/0x21b0 [ 14.428574] ? finish_task_switch.isra.0+0x153/0x700 [ 14.428601] mempool_kmalloc_large_uaf+0xef/0x140 [ 14.428626] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 14.428851] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.428881] ? __pfx_mempool_kfree+0x10/0x10 [ 14.428907] ? __pfx_read_tsc+0x10/0x10 [ 14.428930] ? ktime_get_ts64+0x86/0x230 [ 14.428955] kunit_try_run_case+0x1a5/0x480 [ 14.428982] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.429005] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.429031] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.429069] ? __kthread_parkme+0x82/0x180 [ 14.429091] ? preempt_count_sub+0x50/0x80 [ 14.429115] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.429152] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.429177] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.429203] kthread+0x337/0x6f0 [ 14.429222] ? trace_preempt_on+0x20/0xc0 [ 14.429247] ? __pfx_kthread+0x10/0x10 [ 14.429267] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.429290] ? calculate_sigpending+0x7b/0xa0 [ 14.429315] ? __pfx_kthread+0x10/0x10 [ 14.429336] ret_from_fork+0x116/0x1d0 [ 14.429356] ? __pfx_kthread+0x10/0x10 [ 14.429376] ret_from_fork_asm+0x1a/0x30 [ 14.429408] </TASK> [ 14.429418] [ 14.437901] The buggy address belongs to the physical page: [ 14.438144] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103bc0 [ 14.438458] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 14.438857] flags: 0x200000000000040(head|node=0|zone=2) [ 14.439076] page_type: f8(unknown) [ 14.439384] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.439853] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.440221] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.440529] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.440945] head: 0200000000000002 ffffea00040ef001 00000000ffffffff 00000000ffffffff [ 14.441229] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 14.441462] page dumped because: kasan: bad access detected [ 14.441756] [ 14.441851] Memory state around the buggy address: [ 14.442096] ffff888103bbff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.442432] ffff888103bbff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.442846] >ffff888103bc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.443097] ^ [ 14.443273] ffff888103bc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.443596] ffff888103bc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.444193] ================================================================== [ 14.480508] ================================================================== [ 14.481574] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.482153] Read of size 1 at addr ffff888102cc0000 by task kunit_try_catch/251 [ 14.482616] [ 14.482799] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.482848] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.482862] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.482884] Call Trace: [ 14.482897] <TASK> [ 14.482914] dump_stack_lvl+0x73/0xb0 [ 14.483218] print_report+0xd1/0x610 [ 14.483249] ? __virt_addr_valid+0x1db/0x2d0 [ 14.483274] ? mempool_uaf_helper+0x392/0x400 [ 14.483298] ? kasan_addr_to_slab+0x11/0xa0 [ 14.483320] ? mempool_uaf_helper+0x392/0x400 [ 14.483342] kasan_report+0x141/0x180 [ 14.483365] ? mempool_uaf_helper+0x392/0x400 [ 14.483393] __asan_report_load1_noabort+0x18/0x20 [ 14.483419] mempool_uaf_helper+0x392/0x400 [ 14.483443] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.483468] ? __kasan_check_write+0x18/0x20 [ 14.483489] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.483511] ? finish_task_switch.isra.0+0x153/0x700 [ 14.483538] mempool_page_alloc_uaf+0xed/0x140 [ 14.483563] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 14.483592] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 14.483621] ? __pfx_mempool_free_pages+0x10/0x10 [ 14.483662] ? __pfx_read_tsc+0x10/0x10 [ 14.483684] ? ktime_get_ts64+0x86/0x230 [ 14.483709] kunit_try_run_case+0x1a5/0x480 [ 14.483735] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.483759] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.483785] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.483809] ? __kthread_parkme+0x82/0x180 [ 14.483832] ? preempt_count_sub+0x50/0x80 [ 14.483856] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.483881] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.483907] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.483934] kthread+0x337/0x6f0 [ 14.483953] ? trace_preempt_on+0x20/0xc0 [ 14.483978] ? __pfx_kthread+0x10/0x10 [ 14.483999] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.484021] ? calculate_sigpending+0x7b/0xa0 [ 14.484046] ? __pfx_kthread+0x10/0x10 [ 14.484078] ret_from_fork+0x116/0x1d0 [ 14.484098] ? __pfx_kthread+0x10/0x10 [ 14.484119] ret_from_fork_asm+0x1a/0x30 [ 14.484151] </TASK> [ 14.484163] [ 14.496499] The buggy address belongs to the physical page: [ 14.496874] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102cc0 [ 14.497260] flags: 0x200000000000000(node=0|zone=2) [ 14.497596] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 14.497932] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 14.498425] page dumped because: kasan: bad access detected [ 14.498729] [ 14.498900] Memory state around the buggy address: [ 14.499279] ffff888102cbff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.499506] ffff888102cbff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.499931] >ffff888102cc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.500362] ^ [ 14.500530] ffff888102cc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.500919] ffff888102cc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.501331] ==================================================================