Date: May 29, 2025, 7:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
Log (qemu-arm64):

```text
[ 24.206603] ==================================================================
[ 24.207618] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 24.208113] Read of size 1 at addr fff00000c78a4000 by task kunit_try_catch/229
[ 24.208253]
[ 24.208347] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250529 #1 PREEMPT
[ 24.209497] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.209845] Hardware name: linux,dummy-virt (DT)
[ 24.210088] Call trace:
[ 24.210198]  show_stack+0x20/0x38 (C)
[ 24.210789]  dump_stack_lvl+0x8c/0xd0
[ 24.211112]  print_report+0x118/0x608
[ 24.211436]  kasan_report+0xdc/0x128
[ 24.211966]  __asan_report_load1_noabort+0x20/0x30
[ 24.212113]  mempool_uaf_helper+0x314/0x340
[ 24.212482]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 24.212887]  kunit_try_run_case+0x170/0x3f0
[ 24.213016]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.213428]  kthread+0x328/0x630
[ 24.213986]  ret_from_fork+0x10/0x20
[ 24.214501]
[ 24.214636] The buggy address belongs to the physical page:
[ 24.214984] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078a4
[ 24.215147] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 24.215237] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 24.215351] page_type: f8(unknown)
[ 24.215453] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 24.215569] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 24.216681] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 24.217005] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 24.217252] head: 0bfffe0000000002 ffffc1ffc31e2901 00000000ffffffff 00000000ffffffff
[ 24.217614] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 24.217729] page dumped because: kasan: bad access detected
[ 24.218097]
[ 24.218278] Memory state around the buggy address:
[ 24.218369]  fff00000c78a3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.218740]  fff00000c78a3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.219014] >fff00000c78a4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.219090]                    ^
[ 24.219149]  fff00000c78a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.219242]  fff00000c78a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.219336] ==================================================================
[ 24.290697] ==================================================================
[ 24.290995] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 24.291165] Read of size 1 at addr fff00000c78a4000 by task kunit_try_catch/233
[ 24.291292]
[ 24.291390] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250529 #1 PREEMPT
[ 24.291600] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.292384] Hardware name: linux,dummy-virt (DT)
[ 24.292626] Call trace:
[ 24.292838]  show_stack+0x20/0x38 (C)
[ 24.292980]  dump_stack_lvl+0x8c/0xd0
[ 24.293256]  print_report+0x118/0x608
[ 24.293380]  kasan_report+0xdc/0x128
[ 24.293585]  __asan_report_load1_noabort+0x20/0x30
[ 24.293694]  mempool_uaf_helper+0x314/0x340
[ 24.293753]  mempool_page_alloc_uaf+0xc0/0x118
[ 24.293809]  kunit_try_run_case+0x170/0x3f0
[ 24.293868]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.293928]  kthread+0x328/0x630
[ 24.293978]  ret_from_fork+0x10/0x20
[ 24.294037]
[ 24.294065] The buggy address belongs to the physical page:
[ 24.294104] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078a4
[ 24.294170] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 24.294253] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 24.294311] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 24.294373] page dumped because: kasan: bad access detected
[ 24.294457]
[ 24.294494] Memory state around the buggy address:
[ 24.294564]  fff00000c78a3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.294663]  fff00000c78a3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.294763] >fff00000c78a4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.294907]                    ^
[ 24.294997]  fff00000c78a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.295106]  fff00000c78a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.295204] ==================================================================
```
Log (qemu-x86_64):

```text
[ 12.390368] ==================================================================
[ 12.391023] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.391259] Read of size 1 at addr ffff888102a88000 by task kunit_try_catch/246
[ 12.391490]
[ 12.391581] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250529 #1 PREEMPT(voluntary)
[ 12.391641] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.391654] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.391676] Call Trace:
[ 12.391688]  <TASK>
[ 12.391703]  dump_stack_lvl+0x73/0xb0
[ 12.391727]  print_report+0xd1/0x650
[ 12.391806]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.391831]  ? mempool_uaf_helper+0x392/0x400
[ 12.391854]  ? kasan_addr_to_slab+0x11/0xa0
[ 12.391875]  ? mempool_uaf_helper+0x392/0x400
[ 12.391898]  kasan_report+0x141/0x180
[ 12.391920]  ? mempool_uaf_helper+0x392/0x400
[ 12.391948]  __asan_report_load1_noabort+0x18/0x20
[ 12.391968]  mempool_uaf_helper+0x392/0x400
[ 12.391991]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.392017]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 12.392039]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.392065]  mempool_kmalloc_large_uaf+0xef/0x140
[ 12.392089]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 12.392116]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 12.392136]  ? __pfx_mempool_kfree+0x10/0x10
[ 12.392157]  ? __pfx_read_tsc+0x10/0x10
[ 12.392178]  ? ktime_get_ts64+0x86/0x230
[ 12.392201]  kunit_try_run_case+0x1a5/0x480
[ 12.392222]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.392242]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.392267]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.392291]  ? __kthread_parkme+0x82/0x180
[ 12.392311]  ? preempt_count_sub+0x50/0x80
[ 12.392334]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.392355]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.392379]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.392404]  kthread+0x337/0x6f0
[ 12.392423]  ? trace_preempt_on+0x20/0xc0
[ 12.392446]  ? __pfx_kthread+0x10/0x10
[ 12.392466]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.392488]  ? calculate_sigpending+0x7b/0xa0
[ 12.392513]  ? __pfx_kthread+0x10/0x10
[ 12.392535]  ret_from_fork+0x116/0x1d0
[ 12.392555]  ? __pfx_kthread+0x10/0x10
[ 12.392576]  ret_from_fork_asm+0x1a/0x30
[ 12.392607]  </TASK>
[ 12.392628]
[ 12.409047] The buggy address belongs to the physical page:
[ 12.409683] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a88
[ 12.410434] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.410685] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.411272] page_type: f8(unknown)
[ 12.411632] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.412413] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.413217] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.413466] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.413724] head: 0200000000000002 ffffea00040aa201 00000000ffffffff 00000000ffffffff
[ 12.414511] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 12.415371] page dumped because: kasan: bad access detected
[ 12.415936]
[ 12.416143] Memory state around the buggy address:
[ 12.416591]  ffff888102a87f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.417344]  ffff888102a87f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.417877] >ffff888102a88000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.418280]                    ^
[ 12.418405]  ffff888102a88080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.418657]  ffff888102a88100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.419469] ==================================================================
[ 12.467167] ==================================================================
[ 12.467577] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.468168] Read of size 1 at addr ffff8881039d8000 by task kunit_try_catch/250
[ 12.468541]
[ 12.468650] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250529 #1 PREEMPT(voluntary)
[ 12.468702] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.468715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.468737] Call Trace:
[ 12.468762]  <TASK>
[ 12.468780]  dump_stack_lvl+0x73/0xb0
[ 12.468809]  print_report+0xd1/0x650
[ 12.468833]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.468858]  ? mempool_uaf_helper+0x392/0x400
[ 12.468881]  ? kasan_addr_to_slab+0x11/0xa0
[ 12.468902]  ? mempool_uaf_helper+0x392/0x400
[ 12.468926]  kasan_report+0x141/0x180
[ 12.468948]  ? mempool_uaf_helper+0x392/0x400
[ 12.468976]  __asan_report_load1_noabort+0x18/0x20
[ 12.469010]  mempool_uaf_helper+0x392/0x400
[ 12.469034]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.469057]  ? __kasan_check_write+0x18/0x20
[ 12.469078]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 12.469101]  ? irqentry_exit+0x2a/0x60
[ 12.469120]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 12.469150]  mempool_page_alloc_uaf+0xed/0x140
[ 12.469174]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 12.469200]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 12.469223]  ? __pfx_mempool_free_pages+0x10/0x10
[ 12.469245]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 12.469271]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 12.469298]  kunit_try_run_case+0x1a5/0x480
[ 12.469322]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.469342]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.469367]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.469392]  ? __kthread_parkme+0x82/0x180
[ 12.469414]  ? preempt_count_sub+0x50/0x80
[ 12.469439]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.469460]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.469485]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.469510]  kthread+0x337/0x6f0
[ 12.469530]  ? trace_preempt_on+0x20/0xc0
[ 12.469554]  ? __pfx_kthread+0x10/0x10
[ 12.469575]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.469598]  ? calculate_sigpending+0x7b/0xa0
[ 12.469631]  ? __pfx_kthread+0x10/0x10
[ 12.469653]  ret_from_fork+0x116/0x1d0
[ 12.469672]  ? __pfx_kthread+0x10/0x10
[ 12.469693]  ret_from_fork_asm+0x1a/0x30
[ 12.469724]  </TASK>
[ 12.469736]
[ 12.483647] The buggy address belongs to the physical page:
[ 12.484670] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039d8
[ 12.485108] flags: 0x200000000000000(node=0|zone=2)
[ 12.485334] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 12.485663] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 12.486542] page dumped because: kasan: bad access detected
[ 12.487377]
[ 12.487670] Memory state around the buggy address:
[ 12.487940]  ffff8881039d7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.488549]  ffff8881039d7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.488867] >ffff8881039d8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.489153]                    ^
[ 12.489279]  ffff8881039d8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.489675]  ffff8881039d8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.489997] ==================================================================
```