Date
June 18, 2025, 6:43 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |

Note: the `BUG: KASAN: use-after-free` reports below (two per environment) are raised from the KUnit cases `mempool_kmalloc_large_uaf` and `mempool_page_alloc_uaf`, running as task `kunit_try_catch` with the `[N]=TEST` taint set. They appear to be the KASAN self-test exercising the detector on a deliberately freed mempool element/page rather than a use-after-free in production kernel code, so they should be read as "KASAN detected the injected access" — confirm against the KUnit pass/fail verdict for those two cases before filing a bug. The qemu-arm64 boot additionally carries the `[W]=WARN` taint, which points to an earlier warning not shown on this page.
[ 22.765085] ==================================================================
[ 22.765285] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 22.765453] Read of size 1 at addr fff00000c77c0000 by task kunit_try_catch/239
[ 22.765564]
[ 22.765655] CPU: 0 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc2-next-20250618 #1 PREEMPT
[ 22.765862] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 22.765921] Hardware name: linux,dummy-virt (DT)
[ 22.766032] Call trace:
[ 22.766244] show_stack+0x20/0x38 (C)
[ 22.766439] dump_stack_lvl+0x8c/0xd0
[ 22.766614] print_report+0x118/0x608
[ 22.767211] kasan_report+0xdc/0x128
[ 22.767464] __asan_report_load1_noabort+0x20/0x30
[ 22.768066] mempool_uaf_helper+0x314/0x340
[ 22.768246] mempool_kmalloc_large_uaf+0xc4/0x120
[ 22.768801] kunit_try_run_case+0x170/0x3f0
[ 22.769377] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.769646] kthread+0x328/0x630
[ 22.770235] ret_from_fork+0x10/0x20
[ 22.770391]
[ 22.770442] The buggy address belongs to the physical page:
[ 22.770505] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077c0
[ 22.770624] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 22.771204] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 22.772146] page_type: f8(unknown)
[ 22.772293] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 22.772682] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 22.772819] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 22.772944] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 22.773073] head: 0bfffe0000000002 ffffc1ffc31df001 00000000ffffffff 00000000ffffffff
[ 22.773196] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 22.773299] page dumped because: kasan: bad access detected
[ 22.773378]
[ 22.773422] Memory state around the buggy address:
[ 22.773711] fff00000c77bff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.773907] fff00000c77bff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.774121] >fff00000c77c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.774302] ^
[ 22.774391] fff00000c77c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.774839] fff00000c77c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.774968] ==================================================================
[ 22.852584] ==================================================================
[ 22.852788] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 22.852945] Read of size 1 at addr fff00000c77c4000 by task kunit_try_catch/243
[ 22.853062]
[ 22.853145] CPU: 0 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc2-next-20250618 #1 PREEMPT
[ 22.853755] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 22.853853] Hardware name: linux,dummy-virt (DT)
[ 22.854135] Call trace:
[ 22.854192] show_stack+0x20/0x38 (C)
[ 22.854317] dump_stack_lvl+0x8c/0xd0
[ 22.855222] print_report+0x118/0x608
[ 22.855324] kasan_report+0xdc/0x128
[ 22.855713] __asan_report_load1_noabort+0x20/0x30
[ 22.856013] mempool_uaf_helper+0x314/0x340
[ 22.856271] mempool_page_alloc_uaf+0xc0/0x118
[ 22.856372] kunit_try_run_case+0x170/0x3f0
[ 22.856489] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.856995] kthread+0x328/0x630
[ 22.857435] ret_from_fork+0x10/0x20
[ 22.857952]
[ 22.858053] The buggy address belongs to the physical page:
[ 22.858537] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077c4
[ 22.858647] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 22.858795] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 22.858984] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 22.859121] page dumped because: kasan: bad access detected
[ 22.859492]
[ 22.859543] Memory state around the buggy address:
[ 22.859631] fff00000c77c3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.859748] fff00000c77c3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.859878] >fff00000c77c4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.860039] ^
[ 22.860137] fff00000c77c4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.860239] fff00000c77c4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.860330] ==================================================================
[ 12.665640] ==================================================================
[ 12.666690] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.666920] Read of size 1 at addr ffff888102b44000 by task kunit_try_catch/255
[ 12.667137]
[ 12.667461] CPU: 0 UID: 0 PID: 255 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary)
[ 12.667528] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.667771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.667800] Call Trace:
[ 12.667813] <TASK>
[ 12.667843] dump_stack_lvl+0x73/0xb0
[ 12.667875] print_report+0xd1/0x650
[ 12.667895] ? __virt_addr_valid+0x1db/0x2d0
[ 12.667924] ? mempool_uaf_helper+0x392/0x400
[ 12.667948] ? kasan_addr_to_slab+0x11/0xa0
[ 12.667968] ? mempool_uaf_helper+0x392/0x400
[ 12.667990] kasan_report+0x141/0x180
[ 12.668011] ? mempool_uaf_helper+0x392/0x400
[ 12.668036] __asan_report_load1_noabort+0x18/0x20
[ 12.668059] mempool_uaf_helper+0x392/0x400
[ 12.668081] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.668104] ? __kasan_check_write+0x18/0x20
[ 12.668127] ? __pfx_sched_clock_cpu+0x10/0x10
[ 12.668147] ? irqentry_exit+0x2a/0x60
[ 12.668167] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 12.668193] mempool_kmalloc_large_uaf+0xef/0x140
[ 12.668224] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 12.668249] ? __pfx_mempool_kmalloc+0x10/0x10
[ 12.668271] ? __pfx_mempool_kfree+0x10/0x10
[ 12.668294] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 12.668318] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 12.668342] kunit_try_run_case+0x1a5/0x480
[ 12.668365] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.668387] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.668409] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.668431] ? __kthread_parkme+0x82/0x180
[ 12.668451] ? preempt_count_sub+0x50/0x80
[ 12.668473] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.668496] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.668518] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.668540] kthread+0x337/0x6f0
[ 12.668559] ? trace_preempt_on+0x20/0xc0
[ 12.668583] ? __pfx_kthread+0x10/0x10
[ 12.668602] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.668621] ? calculate_sigpending+0x7b/0xa0
[ 12.668645] ? __pfx_kthread+0x10/0x10
[ 12.668669] ret_from_fork+0x116/0x1d0
[ 12.668688] ? __pfx_kthread+0x10/0x10
[ 12.668708] ret_from_fork_asm+0x1a/0x30
[ 12.668737] </TASK>
[ 12.668748]
[ 12.685555] The buggy address belongs to the physical page:
[ 12.686192] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b44
[ 12.686468] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.687316] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.687905] page_type: f8(unknown)
[ 12.688261] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.688671] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 12.688900] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.689128] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 12.689822] head: 0200000000000002 ffffea00040ad101 00000000ffffffff 00000000ffffffff
[ 12.690740] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 12.691478] page dumped because: kasan: bad access detected
[ 12.692133]
[ 12.692358] Memory state around the buggy address:
[ 12.692898] ffff888102b43f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.693364] ffff888102b43f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.693862] >ffff888102b44000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.694069] ^
[ 12.694177] ffff888102b44080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.694392] ffff888102b44100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.694608] ==================================================================
[ 12.737000] ==================================================================
[ 12.737494] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.737847] Read of size 1 at addr ffff888102b48000 by task kunit_try_catch/259
[ 12.738222]
[ 12.738312] CPU: 0 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary)
[ 12.738382] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.738407] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.738430] Call Trace:
[ 12.738442] <TASK>
[ 12.738458] dump_stack_lvl+0x73/0xb0
[ 12.738488] print_report+0xd1/0x650
[ 12.738509] ? __virt_addr_valid+0x1db/0x2d0
[ 12.738533] ? mempool_uaf_helper+0x392/0x400
[ 12.738554] ? kasan_addr_to_slab+0x11/0xa0
[ 12.738573] ? mempool_uaf_helper+0x392/0x400
[ 12.738594] kasan_report+0x141/0x180
[ 12.738614] ? mempool_uaf_helper+0x392/0x400
[ 12.738640] __asan_report_load1_noabort+0x18/0x20
[ 12.738663] mempool_uaf_helper+0x392/0x400
[ 12.738685] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.738705] ? update_load_avg+0x1be/0x21b0
[ 12.738730] ? update_load_avg+0x1be/0x21b0
[ 12.738750] ? update_curr+0x80/0x810
[ 12.738772] ? finish_task_switch.isra.0+0x153/0x700
[ 12.738797] mempool_page_alloc_uaf+0xed/0x140
[ 12.738819] ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 12.738844] ? __pfx_mempool_alloc_pages+0x10/0x10
[ 12.738867] ? __pfx_mempool_free_pages+0x10/0x10
[ 12.738892] ? __pfx_read_tsc+0x10/0x10
[ 12.738913] ? ktime_get_ts64+0x86/0x230
[ 12.738957] kunit_try_run_case+0x1a5/0x480
[ 12.738981] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.739002] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.739040] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.739062] ? __kthread_parkme+0x82/0x180
[ 12.739082] ? preempt_count_sub+0x50/0x80
[ 12.739103] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.739125] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.739147] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.739169] kthread+0x337/0x6f0
[ 12.739188] ? trace_preempt_on+0x20/0xc0
[ 12.739224] ? __pfx_kthread+0x10/0x10
[ 12.739244] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.739263] ? calculate_sigpending+0x7b/0xa0
[ 12.739287] ? __pfx_kthread+0x10/0x10
[ 12.739307] ret_from_fork+0x116/0x1d0
[ 12.739324] ? __pfx_kthread+0x10/0x10
[ 12.739344] ret_from_fork_asm+0x1a/0x30
[ 12.739374] </TASK>
[ 12.739384]
[ 12.748285] The buggy address belongs to the physical page:
[ 12.748544] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b48
[ 12.749014] flags: 0x200000000000000(node=0|zone=2)
[ 12.749514] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 12.749938] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 12.750152] page dumped because: kasan: bad access detected
[ 12.750627]
[ 12.750767] Memory state around the buggy address:
[ 12.750961] ffff888102b47f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.751320] ffff888102b47f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.751648] >ffff888102b48000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.751946] ^
[ 12.752103] ffff888102b48080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.752496] ffff888102b48100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.752697] ==================================================================