Date
June 24, 2025, 11:37 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```text
[ 47.159853] ==================================================================
[ 47.171259] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 47.178065] Read of size 1 at addr ffff0000967e8000 by task kunit_try_catch/327
[ 47.185476]
[ 47.187015] CPU: 1 UID: 0 PID: 327 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 47.187051] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 47.187060] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 47.187073] Call trace:
[ 47.187081] show_stack+0x20/0x38 (C)
[ 47.187104] dump_stack_lvl+0x8c/0xd0
[ 47.187128] print_report+0x118/0x608
[ 47.187149] kasan_report+0xdc/0x128
[ 47.187169] __asan_report_load1_noabort+0x20/0x30
[ 47.187191] mempool_uaf_helper+0x314/0x340
[ 47.187211] mempool_kmalloc_large_uaf+0xc4/0x120
[ 47.187231] kunit_try_run_case+0x170/0x3f0
[ 47.187254] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.187277] kthread+0x328/0x630
[ 47.187295] ret_from_fork+0x10/0x20
[ 47.187319]
[ 47.257772] The buggy address belongs to the physical page:
[ 47.263423] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1167e8
[ 47.271538] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 47.279294] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 47.286356] page_type: f8(unknown)
[ 47.289824] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 47.297669] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 47.305514] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 47.313444] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 47.321374] head: 0bfffe0000000002 fffffdffc259fa01 00000000ffffffff 00000000ffffffff
[ 47.329305] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 47.337230] page dumped because: kasan: bad access detected
[ 47.342880]
[ 47.344412] Memory state around the buggy address:
[ 47.349281] ffff0000967e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.356603] ffff0000967e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.363926] >ffff0000967e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.371239] ^
[ 47.374531] ffff0000967e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.381852] ffff0000967e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.389173] ==================================================================
[ 47.746102] ==================================================================
[ 47.757255] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 47.764069] Read of size 1 at addr ffff000095654000 by task kunit_try_catch/331
[ 47.771475]
[ 47.773018] CPU: 6 UID: 0 PID: 331 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 47.773056] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 47.773067] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 47.773081] Call trace:
[ 47.773091] show_stack+0x20/0x38 (C)
[ 47.773113] dump_stack_lvl+0x8c/0xd0
[ 47.773136] print_report+0x118/0x608
[ 47.773157] kasan_report+0xdc/0x128
[ 47.773175] __asan_report_load1_noabort+0x20/0x30
[ 47.773193] mempool_uaf_helper+0x314/0x340
[ 47.773210] mempool_page_alloc_uaf+0xc0/0x118
[ 47.773231] kunit_try_run_case+0x170/0x3f0
[ 47.773251] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.773273] kthread+0x328/0x630
[ 47.773288] ret_from_fork+0x10/0x20
[ 47.773308]
[ 47.843473] The buggy address belongs to the physical page:
[ 47.849116] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115654
[ 47.857227] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 47.863852] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 47.871697] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 47.879530] page dumped because: kasan: bad access detected
[ 47.885170]
[ 47.886693] Memory state around the buggy address:
[ 47.891550] ffff000095653f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.898857] ffff000095653f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.906169] >ffff000095654000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.913476] ^
[ 47.916755] ffff000095654080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.924062] ffff000095654100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.931373] ==================================================================
```
```text
[ 35.791769] ==================================================================
[ 35.792075] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 35.792849] Read of size 1 at addr fff00000c7818000 by task kunit_try_catch/240
[ 35.793812]
[ 35.794105] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 35.795117] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 35.795395] Hardware name: linux,dummy-virt (DT)
[ 35.795483] Call trace:
[ 35.795551] show_stack+0x20/0x38 (C)
[ 35.796778] dump_stack_lvl+0x8c/0xd0
[ 35.797134] print_report+0x118/0x608
[ 35.797246] kasan_report+0xdc/0x128
[ 35.797850] __asan_report_load1_noabort+0x20/0x30
[ 35.798995] mempool_uaf_helper+0x314/0x340
[ 35.799509] mempool_kmalloc_large_uaf+0xc4/0x120
[ 35.800337] kunit_try_run_case+0x170/0x3f0
[ 35.801259] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.801972] kthread+0x328/0x630
[ 35.802606] ret_from_fork+0x10/0x20
[ 35.803227]
[ 35.803497] The buggy address belongs to the physical page:
[ 35.803584] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107818
[ 35.803707] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 35.803815] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 35.805626] page_type: f8(unknown)
[ 35.806047] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 35.806177] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 35.806295] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 35.806436] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 35.807518] head: 0bfffe0000000002 ffffc1ffc31e0601 00000000ffffffff 00000000ffffffff
[ 35.807780] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 35.807879] page dumped because: kasan: bad access detected
[ 35.808155]
[ 35.808214] Memory state around the buggy address:
[ 35.808301] fff00000c7817f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.808410] fff00000c7817f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.808762] >fff00000c7818000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.808979] ^
[ 35.809113] fff00000c7818080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.809346] fff00000c7818100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.809516] ==================================================================
[ 35.923528] ==================================================================
[ 35.923648] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 35.923783] Read of size 1 at addr fff00000c781c000 by task kunit_try_catch/244
[ 35.924315]
[ 35.924406] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 35.924609] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 35.925021] Hardware name: linux,dummy-virt (DT)
[ 35.925216] Call trace:
[ 35.925291] show_stack+0x20/0x38 (C)
[ 35.925646] dump_stack_lvl+0x8c/0xd0
[ 35.925920] print_report+0x118/0x608
[ 35.926163] kasan_report+0xdc/0x128
[ 35.926573] __asan_report_load1_noabort+0x20/0x30
[ 35.926864] mempool_uaf_helper+0x314/0x340
[ 35.927385] mempool_page_alloc_uaf+0xc0/0x118
[ 35.927614] kunit_try_run_case+0x170/0x3f0
[ 35.927748] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.928084] kthread+0x328/0x630
[ 35.928256] ret_from_fork+0x10/0x20
[ 35.928382]
[ 35.928441] The buggy address belongs to the physical page:
[ 35.928521] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10781c
[ 35.928647] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 35.928798] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 35.930564] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 35.930879] page dumped because: kasan: bad access detected
[ 35.931406]
[ 35.931528] Memory state around the buggy address:
[ 35.931863] fff00000c781bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.932282] fff00000c781bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.932674] >fff00000c781c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.932772] ^
[ 35.933156] fff00000c781c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.933547] fff00000c781c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.933701] ==================================================================
```
```text
[ 31.164519] ==================================================================
[ 31.165119] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 31.166535] Read of size 1 at addr ffff888103bdc000 by task kunit_try_catch/263
[ 31.167525]
[ 31.168122] CPU: 1 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 31.168328] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.168363] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.168391] Call Trace:
[ 31.168409] <TASK>
[ 31.168433] dump_stack_lvl+0x73/0xb0
[ 31.168481] print_report+0xd1/0x650
[ 31.168513] ? __virt_addr_valid+0x1db/0x2d0
[ 31.168570] ? mempool_uaf_helper+0x392/0x400
[ 31.168602] ? kasan_addr_to_slab+0x11/0xa0
[ 31.168634] ? mempool_uaf_helper+0x392/0x400
[ 31.168675] kasan_report+0x141/0x180
[ 31.168706] ? mempool_uaf_helper+0x392/0x400
[ 31.168742] __asan_report_load1_noabort+0x18/0x20
[ 31.168774] mempool_uaf_helper+0x392/0x400
[ 31.168804] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 31.168835] ? __pfx_sched_clock_cpu+0x10/0x10
[ 31.168866] ? finish_task_switch.isra.0+0x153/0x700
[ 31.168900] mempool_page_alloc_uaf+0xed/0x140
[ 31.168931] ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 31.168965] ? __pfx_mempool_alloc_pages+0x10/0x10
[ 31.168998] ? __pfx_mempool_free_pages+0x10/0x10
[ 31.169031] ? __pfx_read_tsc+0x10/0x10
[ 31.169072] ? ktime_get_ts64+0x86/0x230
[ 31.169128] kunit_try_run_case+0x1a5/0x480
[ 31.169189] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.169239] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 31.169295] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 31.169352] ? __kthread_parkme+0x82/0x180
[ 31.169399] ? preempt_count_sub+0x50/0x80
[ 31.169431] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.169465] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.169498] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 31.169529] kthread+0x337/0x6f0
[ 31.169578] ? trace_preempt_on+0x20/0xc0
[ 31.169611] ? __pfx_kthread+0x10/0x10
[ 31.169650] ? _raw_spin_unlock_irq+0x47/0x80
[ 31.169686] ? calculate_sigpending+0x7b/0xa0
[ 31.169719] ? __pfx_kthread+0x10/0x10
[ 31.169748] ret_from_fork+0x116/0x1d0
[ 31.169774] ? __pfx_kthread+0x10/0x10
[ 31.169801] ret_from_fork_asm+0x1a/0x30
[ 31.169841] </TASK>
[ 31.169856]
[ 31.190079] The buggy address belongs to the physical page:
[ 31.190628] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103bdc
[ 31.191098] flags: 0x200000000000000(node=0|zone=2)
[ 31.191600] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 31.192283] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 31.193557] page dumped because: kasan: bad access detected
[ 31.194025]
[ 31.194372] Memory state around the buggy address:
[ 31.194720] ffff888103bdbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.195558] ffff888103bdbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.196284] >ffff888103bdc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.196638] ^
[ 31.196839] ffff888103bdc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.197031] ffff888103bdc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.198061] ==================================================================
[ 31.057448] ==================================================================
[ 31.058268] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 31.059263] Read of size 1 at addr ffff888103bdc000 by task kunit_try_catch/259
[ 31.059625]
[ 31.059934] CPU: 1 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 31.060090] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.060124] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.060184] Call Trace:
[ 31.060216] <TASK>
[ 31.060274] dump_stack_lvl+0x73/0xb0
[ 31.060347] print_report+0xd1/0x650
[ 31.060405] ? __virt_addr_valid+0x1db/0x2d0
[ 31.060466] ? mempool_uaf_helper+0x392/0x400
[ 31.060521] ? kasan_addr_to_slab+0x11/0xa0
[ 31.060590] ? mempool_uaf_helper+0x392/0x400
[ 31.060756] kasan_report+0x141/0x180
[ 31.060877] ? mempool_uaf_helper+0x392/0x400
[ 31.060972] __asan_report_load1_noabort+0x18/0x20
[ 31.061036] mempool_uaf_helper+0x392/0x400
[ 31.061105] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 31.061164] ? __kasan_check_write+0x18/0x20
[ 31.061225] ? __pfx_sched_clock_cpu+0x10/0x10
[ 31.061267] ? irqentry_exit+0x2a/0x60
[ 31.061309] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 31.061367] mempool_kmalloc_large_uaf+0xef/0x140
[ 31.061417] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 31.061462] ? __pfx_mempool_kmalloc+0x10/0x10
[ 31.061491] ? __pfx_mempool_kfree+0x10/0x10
[ 31.061521] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 31.061575] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 31.061607] kunit_try_run_case+0x1a5/0x480
[ 31.061663] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.061696] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 31.061728] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 31.061758] ? __kthread_parkme+0x82/0x180
[ 31.061784] ? preempt_count_sub+0x50/0x80
[ 31.061813] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.061842] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.061872] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 31.061900] kthread+0x337/0x6f0
[ 31.061924] ? trace_preempt_on+0x20/0xc0
[ 31.061952] ? __pfx_kthread+0x10/0x10
[ 31.061978] ? _raw_spin_unlock_irq+0x47/0x80
[ 31.062005] ? calculate_sigpending+0x7b/0xa0
[ 31.062034] ? __pfx_kthread+0x10/0x10
[ 31.062082] ret_from_fork+0x116/0x1d0
[ 31.062135] ? __pfx_kthread+0x10/0x10
[ 31.062177] ret_from_fork_asm+0x1a/0x30
[ 31.062237] </TASK>
[ 31.062254]
[ 31.081252] The buggy address belongs to the physical page:
[ 31.082320] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103bdc
[ 31.083057] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.083507] flags: 0x200000000000040(head|node=0|zone=2)
[ 31.084696] page_type: f8(unknown)
[ 31.085181] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 31.086031] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 31.086902] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 31.087652] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 31.088269] head: 0200000000000002 ffffea00040ef701 00000000ffffffff 00000000ffffffff
[ 31.089002] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 31.089921] page dumped because: kasan: bad access detected
[ 31.090303]
[ 31.090743] Memory state around the buggy address:
[ 31.091200] ffff888103bdbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.091929] ffff888103bdbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.092751] >ffff888103bdc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.093280] ^
[ 31.094002] ffff888103bdc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.094653] ffff888103bdc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.095332] ==================================================================
```