Date
June 5, 2025, 7:08 a.m.
Environment: qemu-arm64

```text
[   28.410442] ==================================================================
[   28.410682] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   28.410929] Read of size 1 at addr fff00000c787c000 by task kunit_try_catch/233
[   28.411061]
[   28.411253] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250605 #1 PREEMPT
[   28.411640] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.411712] Hardware name: linux,dummy-virt (DT)
[   28.411787] Call trace:
[   28.411846]  show_stack+0x20/0x38 (C)
[   28.411972]  dump_stack_lvl+0x8c/0xd0
[   28.412518]  print_report+0x118/0x608
[   28.412701]  kasan_report+0xdc/0x128
[   28.412959]  __asan_report_load1_noabort+0x20/0x30
[   28.413369]  mempool_uaf_helper+0x314/0x340
[   28.413502]  mempool_page_alloc_uaf+0xc0/0x118
[   28.413643]  kunit_try_run_case+0x170/0x3f0
[   28.413794]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.413947]  kthread+0x328/0x630
[   28.414952]  ret_from_fork+0x10/0x20
[   28.415137]
[   28.415283] The buggy address belongs to the physical page:
[   28.415384] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10787c
[   28.415514] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.415783] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   28.416207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   28.416324] page dumped because: kasan: bad access detected
[   28.416425]
[   28.416482] Memory state around the buggy address:
[   28.416875]  fff00000c787bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.417191]  fff00000c787bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.417317] >fff00000c787c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.417429]                    ^
[   28.417496]  fff00000c787c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.417649]  fff00000c787c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.417815] ==================================================================
[   28.303509] ==================================================================
[   28.303631] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   28.303737] Read of size 1 at addr fff00000c7878000 by task kunit_try_catch/229
[   28.303878]
[   28.303965] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250605 #1 PREEMPT
[   28.305025] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.305102] Hardware name: linux,dummy-virt (DT)
[   28.305182] Call trace:
[   28.305237]  show_stack+0x20/0x38 (C)
[   28.305563]  dump_stack_lvl+0x8c/0xd0
[   28.305700]  print_report+0x118/0x608
[   28.306171]  kasan_report+0xdc/0x128
[   28.307149]  __asan_report_load1_noabort+0x20/0x30
[   28.307522]  mempool_uaf_helper+0x314/0x340
[   28.307646]  mempool_kmalloc_large_uaf+0xc4/0x120
[   28.308642]  kunit_try_run_case+0x170/0x3f0
[   28.309043]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.309214]  kthread+0x328/0x630
[   28.309463]  ret_from_fork+0x10/0x20
[   28.309647]
[   28.309699] The buggy address belongs to the physical page:
[   28.310071] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107878
[   28.310572] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   28.310692] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   28.310976] page_type: f8(unknown)
[   28.311142] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   28.312029] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   28.312200] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   28.312343] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   28.312470] head: 0bfffe0000000002 ffffc1ffc31e1e01 00000000ffffffff 00000000ffffffff
[   28.312597] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   28.312703] page dumped because: kasan: bad access detected
[   28.312795]
[   28.312929] Memory state around the buggy address:
[   28.313110]  fff00000c7877f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.313265]  fff00000c7877f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.313568] >fff00000c7878000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.313673]                    ^
[   28.313743]  fff00000c7878080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.313847]  fff00000c7878100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.313942] ==================================================================
```

Environment: qemu-x86_64

```text
[   13.043002] ==================================================================
[   13.043423] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   13.043653] Read of size 1 at addr ffff888103b0c000 by task kunit_try_catch/250
[   13.043872]
[   13.044925] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250605 #1 PREEMPT(voluntary)
[   13.044981] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.044995] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.045016] Call Trace:
[   13.045029]  <TASK>
[   13.045050]  dump_stack_lvl+0x73/0xb0
[   13.045078]  print_report+0xd1/0x650
[   13.045100]  ? __virt_addr_valid+0x1db/0x2d0
[   13.045123]  ? mempool_uaf_helper+0x392/0x400
[   13.045144]  ? kasan_addr_to_slab+0x11/0xa0
[   13.045165]  ? mempool_uaf_helper+0x392/0x400
[   13.045186]  kasan_report+0x141/0x180
[   13.045209]  ? mempool_uaf_helper+0x392/0x400
[   13.045236]  __asan_report_load1_noabort+0x18/0x20
[   13.045260]  mempool_uaf_helper+0x392/0x400
[   13.045283]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.045306]  ? __kasan_check_write+0x18/0x20
[   13.045325]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.045348]  ? finish_task_switch.isra.0+0x153/0x700
[   13.045373]  mempool_page_alloc_uaf+0xed/0x140
[   13.045396]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   13.045422]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   13.045442]  ? __pfx_mempool_free_pages+0x10/0x10
[   13.045465]  ? __pfx_read_tsc+0x10/0x10
[   13.045487]  ? ktime_get_ts64+0x86/0x230
[   13.045511]  kunit_try_run_case+0x1a5/0x480
[   13.045533]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.045553]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.045578]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.045602]  ? __kthread_parkme+0x82/0x180
[   13.045622]  ? preempt_count_sub+0x50/0x80
[   13.045645]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.045666]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.045690]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.045714]  kthread+0x337/0x6f0
[   13.045733]  ? trace_preempt_on+0x20/0xc0
[   13.045756]  ? __pfx_kthread+0x10/0x10
[   13.045776]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.045798]  ? calculate_sigpending+0x7b/0xa0
[   13.045822]  ? __pfx_kthread+0x10/0x10
[   13.045843]  ret_from_fork+0x116/0x1d0
[   13.045861]  ? __pfx_kthread+0x10/0x10
[   13.045882]  ret_from_fork_asm+0x1a/0x30
[   13.045921]  </TASK>
[   13.045931]
[   13.061255] The buggy address belongs to the physical page:
[   13.061500] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b0c
[   13.062213] flags: 0x200000000000000(node=0|zone=2)
[   13.062476] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   13.062838] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   13.063470] page dumped because: kasan: bad access detected
[   13.063835]
[   13.063974] Memory state around the buggy address:
[   13.064400]  ffff888103b0bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.064770]  ffff888103b0bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.065322] >ffff888103b0c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.065750]                    ^
[   13.065925]  ffff888103b0c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.066453]  ffff888103b0c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.066796] ==================================================================
[   12.976834] ==================================================================
[   12.977617] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   12.977942] Read of size 1 at addr ffff888103b0c000 by task kunit_try_catch/246
[   12.978670]
[   12.978824] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250605 #1 PREEMPT(voluntary)
[   12.978973] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.979068] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.979091] Call Trace:
[   12.979103]  <TASK>
[   12.979202]  dump_stack_lvl+0x73/0xb0
[   12.979238]  print_report+0xd1/0x650
[   12.979261]  ? __virt_addr_valid+0x1db/0x2d0
[   12.979286]  ? mempool_uaf_helper+0x392/0x400
[   12.979308]  ? kasan_addr_to_slab+0x11/0xa0
[   12.979330]  ? mempool_uaf_helper+0x392/0x400
[   12.979354]  kasan_report+0x141/0x180
[   12.979376]  ? mempool_uaf_helper+0x392/0x400
[   12.979404]  __asan_report_load1_noabort+0x18/0x20
[   12.979431]  mempool_uaf_helper+0x392/0x400
[   12.979454]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   12.979481]  ? __pfx_sched_clock_cpu+0x10/0x10
[   12.979505]  ? finish_task_switch.isra.0+0x153/0x700
[   12.979533]  mempool_kmalloc_large_uaf+0xef/0x140
[   12.979557]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   12.979586]  ? __pfx_mempool_kmalloc+0x10/0x10
[   12.979609]  ? __pfx_mempool_kfree+0x10/0x10
[   12.979645]  ? __pfx_read_tsc+0x10/0x10
[   12.979668]  ? ktime_get_ts64+0x86/0x230
[   12.979694]  kunit_try_run_case+0x1a5/0x480
[   12.979719]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.979742]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.979771]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.979798]  ? __kthread_parkme+0x82/0x180
[   12.979819]  ? preempt_count_sub+0x50/0x80
[   12.979843]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.979866]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.979903]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.979931]  kthread+0x337/0x6f0
[   12.980003]  ? trace_preempt_on+0x20/0xc0
[   12.980029]  ? __pfx_kthread+0x10/0x10
[   12.980051]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.980075]  ? calculate_sigpending+0x7b/0xa0
[   12.980101]  ? __pfx_kthread+0x10/0x10
[   12.980125]  ret_from_fork+0x116/0x1d0
[   12.980143]  ? __pfx_kthread+0x10/0x10
[   12.980165]  ret_from_fork_asm+0x1a/0x30
[   12.980198]  </TASK>
[   12.980208]
[   12.992490] The buggy address belongs to the physical page:
[   12.992868] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b0c
[   12.993357] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   12.993851] flags: 0x200000000000040(head|node=0|zone=2)
[   12.994230] page_type: f8(unknown)
[   12.994366] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   12.994948] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   12.995291] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   12.995741] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   12.996308] head: 0200000000000002 ffffea00040ec301 00000000ffffffff 00000000ffffffff
[   12.996711] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   12.997173] page dumped because: kasan: bad access detected
[   12.997518]
[   12.997617] Memory state around the buggy address:
[   12.998094]  ffff888103b0bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.998432]  ffff888103b0bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.998937] >ffff888103b0c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.999382]                    ^
[   12.999630]  ffff888103b0c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.000011]  ffff888103b0c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.000480] ==================================================================
```