Date
July 3, 2025, 10:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 49.944094] ==================================================================
[ 49.955260] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 49.962062] Read of size 1 at addr ffff000095740000 by task kunit_try_catch/342
[ 49.969469]
[ 49.971002] CPU: 6 UID: 0 PID: 342 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 49.971036] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 49.971045] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 49.971059] Call trace:
[ 49.971066]  show_stack+0x20/0x38 (C)
[ 49.971087]  dump_stack_lvl+0x8c/0xd0
[ 49.971110]  print_report+0x118/0x608
[ 49.971130]  kasan_report+0xdc/0x128
[ 49.971148]  __asan_report_load1_noabort+0x20/0x30
[ 49.971165]  mempool_uaf_helper+0x314/0x340
[ 49.971182]  mempool_page_alloc_uaf+0xc0/0x118
[ 49.971200]  kunit_try_run_case+0x170/0x3f0
[ 49.971220]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.971240]  kthread+0x328/0x630
[ 49.971255]  ret_from_fork+0x10/0x20
[ 49.971273]
[ 50.041449] The buggy address belongs to the physical page:
[ 50.047102] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115740
[ 50.055211] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 50.061837] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 50.069675] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 50.077509] page dumped because: kasan: bad access detected
[ 50.083150]
[ 50.084681] Memory state around the buggy address:
[ 50.089546]  ffff00009573ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.096860]  ffff00009573ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.104172] >ffff000095740000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.111483]                    ^
[ 50.114769]  ffff000095740080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.122081]  ffff000095740100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.129395] ==================================================================
[ 49.353461] ==================================================================
[ 49.364866] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 49.371664] Read of size 1 at addr ffff000095590000 by task kunit_try_catch/338
[ 49.379066]
[ 49.380605] CPU: 4 UID: 0 PID: 338 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 49.380639] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 49.380648] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 49.380663] Call trace:
[ 49.380671]  show_stack+0x20/0x38 (C)
[ 49.380692]  dump_stack_lvl+0x8c/0xd0
[ 49.380715]  print_report+0x118/0x608
[ 49.380737]  kasan_report+0xdc/0x128
[ 49.380755]  __asan_report_load1_noabort+0x20/0x30
[ 49.380773]  mempool_uaf_helper+0x314/0x340
[ 49.380789]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 49.380808]  kunit_try_run_case+0x170/0x3f0
[ 49.380827]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.380849]  kthread+0x328/0x630
[ 49.380867]  ret_from_fork+0x10/0x20
[ 49.380888]
[ 49.451333] The buggy address belongs to the physical page:
[ 49.456979] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115590
[ 49.465084] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 49.472839] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 49.479891] page_type: f8(unknown)
[ 49.483353] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 49.491197] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 49.499040] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 49.506967] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 49.514895] head: 0bfffe0000000002 fffffdffc2556401 00000000ffffffff 00000000ffffffff
[ 49.522821] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 49.530744] page dumped because: kasan: bad access detected
[ 49.536384]
[ 49.537909] Memory state around the buggy address:
[ 49.542763]  ffff00009558ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.550080]  ffff00009558ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.557398] >ffff000095590000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.564712]                    ^
[ 49.567992]  ffff000095590080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.575310]  ffff000095590100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.582617] ==================================================================
```
```
[ 33.119314] ==================================================================
[ 33.119431] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.119877] Read of size 1 at addr fff00000c9c78000 by task kunit_try_catch/265
[ 33.119932]
[ 33.119974] CPU: 0 UID: 0 PID: 265 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 33.120145] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.120209] Hardware name: linux,dummy-virt (DT)
[ 33.120572] Call trace:
[ 33.120799]  show_stack+0x20/0x38 (C)
[ 33.120893]  dump_stack_lvl+0x8c/0xd0
[ 33.120955]  print_report+0x118/0x608
[ 33.121166]  kasan_report+0xdc/0x128
[ 33.121220]  __asan_report_load1_noabort+0x20/0x30
[ 33.121270]  mempool_uaf_helper+0x314/0x340
[ 33.121318]  mempool_page_alloc_uaf+0xc0/0x118
[ 33.121367]  kunit_try_run_case+0x170/0x3f0
[ 33.121421]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.121972]  kthread+0x328/0x630
[ 33.122285]  ret_from_fork+0x10/0x20
[ 33.122439]
[ 33.122493] The buggy address belongs to the physical page:
[ 33.122569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c78
[ 33.122668] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.122741] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 33.122794] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.122853] page dumped because: kasan: bad access detected
[ 33.122995]
[ 33.123075] Memory state around the buggy address:
[ 33.123223]  fff00000c9c77f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.123360]  fff00000c9c77f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.123453] >fff00000c9c78000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.123512]                    ^
[ 33.123622]  fff00000c9c78080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.123677]  fff00000c9c78100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.123717] ==================================================================
[ 33.066033] ==================================================================
[ 33.066508] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.066927] Read of size 1 at addr fff00000c9c78000 by task kunit_try_catch/261
[ 33.066996]
[ 33.067036] CPU: 0 UID: 0 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 33.067361] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.067389] Hardware name: linux,dummy-virt (DT)
[ 33.067425] Call trace:
[ 33.067447]  show_stack+0x20/0x38 (C)
[ 33.067499]  dump_stack_lvl+0x8c/0xd0
[ 33.067550]  print_report+0x118/0x608
[ 33.067599]  kasan_report+0xdc/0x128
[ 33.067645]  __asan_report_load1_noabort+0x20/0x30
[ 33.067695]  mempool_uaf_helper+0x314/0x340
[ 33.068574]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 33.068744]  kunit_try_run_case+0x170/0x3f0
[ 33.068797]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.069010]  kthread+0x328/0x630
[ 33.069372]  ret_from_fork+0x10/0x20
[ 33.069422]
[ 33.069789] The buggy address belongs to the physical page:
[ 33.069825] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c78
[ 33.070135] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 33.070356] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 33.070846] page_type: f8(unknown)
[ 33.070898] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 33.070949] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 33.071525] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 33.071748] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 33.072228] head: 0bfffe0000000002 ffffc1ffc3271e01 00000000ffffffff 00000000ffffffff
[ 33.072552] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 33.072600] page dumped because: kasan: bad access detected
[ 33.072863]
[ 33.072886] Memory state around the buggy address:
[ 33.072936]  fff00000c9c77f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.073125]  fff00000c9c77f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.073171] >fff00000c9c78000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.073557]                    ^
[ 33.073787]  fff00000c9c78080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.074063]  fff00000c9c78100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.074363] ==================================================================
```
```
[ 24.705697] ==================================================================
[ 24.706892] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 24.707732] Read of size 1 at addr ffff88810607c000 by task kunit_try_catch/278
[ 24.708574]
[ 24.708806] CPU: 1 UID: 0 PID: 278 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 24.708871] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.708893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.708917] Call Trace:
[ 24.708931]  <TASK>
[ 24.708949]  dump_stack_lvl+0x73/0xb0
[ 24.708993]  print_report+0xd1/0x650
[ 24.709016]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.709041]  ? mempool_uaf_helper+0x392/0x400
[ 24.709062]  ? kasan_addr_to_slab+0x11/0xa0
[ 24.709086]  ? mempool_uaf_helper+0x392/0x400
[ 24.709109]  kasan_report+0x141/0x180
[ 24.709131]  ? mempool_uaf_helper+0x392/0x400
[ 24.709157]  __asan_report_load1_noabort+0x18/0x20
[ 24.709181]  mempool_uaf_helper+0x392/0x400
[ 24.709243]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 24.709267]  ? __call_rcu_common.constprop.0+0x455/0x9e0
[ 24.709293]  ? __pfx_task_dead_fair+0x10/0x10
[ 24.709323]  mempool_kmalloc_large_uaf+0xef/0x140
[ 24.709346]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 24.709372]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 24.709395]  ? __pfx_mempool_kfree+0x10/0x10
[ 24.709420]  ? __pfx_read_tsc+0x10/0x10
[ 24.709443]  ? ktime_get_ts64+0x86/0x230
[ 24.709478]  kunit_try_run_case+0x1a5/0x480
[ 24.709504]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.709527]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.709550]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.709576]  ? __kthread_parkme+0x82/0x180
[ 24.709597]  ? preempt_count_sub+0x50/0x80
[ 24.709620]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.709645]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.709669]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.709693]  kthread+0x337/0x6f0
[ 24.709713]  ? trace_preempt_on+0x20/0xc0
[ 24.709736]  ? __pfx_kthread+0x10/0x10
[ 24.709757]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.709783]  ? calculate_sigpending+0x7b/0xa0
[ 24.709807]  ? __pfx_kthread+0x10/0x10
[ 24.709829]  ret_from_fork+0x116/0x1d0
[ 24.709853]  ? __pfx_kthread+0x10/0x10
[ 24.709873]  ret_from_fork_asm+0x1a/0x30
[ 24.709905]  </TASK>
[ 24.709916]
[ 24.721167] The buggy address belongs to the physical page:
[ 24.721941] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10607c
[ 24.722516] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 24.722851] flags: 0x200000000000040(head|node=0|zone=2)
[ 24.723171] page_type: f8(unknown)
[ 24.723401] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 24.723909] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 24.724408] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 24.724828] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 24.725272] head: 0200000000000002 ffffea0004181f01 00000000ffffffff 00000000ffffffff
[ 24.725742] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 24.726183] page dumped because: kasan: bad access detected
[ 24.726683]
[ 24.726778] Memory state around the buggy address:
[ 24.726986]  ffff88810607bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.727679]  ffff88810607bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.727941] >ffff88810607c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.728590]                    ^
[ 24.728758]  ffff88810607c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.729201]  ffff88810607c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.729610] ==================================================================
[ 24.768672] ==================================================================
[ 24.770154] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 24.771494] Read of size 1 at addr ffff88810607c000 by task kunit_try_catch/282
[ 24.772281]
[ 24.772381] CPU: 1 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 24.772434] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.772448] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.772482] Call Trace:
[ 24.772495]  <TASK>
[ 24.772512]  dump_stack_lvl+0x73/0xb0
[ 24.772542]  print_report+0xd1/0x650
[ 24.772564]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.772588]  ? mempool_uaf_helper+0x392/0x400
[ 24.772610]  ? kasan_addr_to_slab+0x11/0xa0
[ 24.772634]  ? mempool_uaf_helper+0x392/0x400
[ 24.772656]  kasan_report+0x141/0x180
[ 24.772678]  ? mempool_uaf_helper+0x392/0x400
[ 24.772704]  __asan_report_load1_noabort+0x18/0x20
[ 24.772728]  mempool_uaf_helper+0x392/0x400
[ 24.772750]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 24.772773]  ? __kasan_check_write+0x18/0x20
[ 24.772796]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 24.772818]  ? finish_task_switch.isra.0+0x153/0x700
[ 24.772844]  mempool_page_alloc_uaf+0xed/0x140
[ 24.772868]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 24.772893]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 24.772916]  ? __pfx_mempool_free_pages+0x10/0x10
[ 24.772942]  ? __pfx_read_tsc+0x10/0x10
[ 24.772963]  ? ktime_get_ts64+0x86/0x230
[ 24.772987]  kunit_try_run_case+0x1a5/0x480
[ 24.773012]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.773036]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.773056]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.773082]  ? __kthread_parkme+0x82/0x180
[ 24.773103]  ? preempt_count_sub+0x50/0x80
[ 24.773125]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.773193]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.773219]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.773244]  kthread+0x337/0x6f0
[ 24.773264]  ? trace_preempt_on+0x20/0xc0
[ 24.773286]  ? __pfx_kthread+0x10/0x10
[ 24.773307]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.773331]  ? calculate_sigpending+0x7b/0xa0
[ 24.773354]  ? __pfx_kthread+0x10/0x10
[ 24.773376]  ret_from_fork+0x116/0x1d0
[ 24.773394]  ? __pfx_kthread+0x10/0x10
[ 24.773415]  ret_from_fork_asm+0x1a/0x30
[ 24.773445]  </TASK>
[ 24.773469]
[ 24.784003] The buggy address belongs to the physical page:
[ 24.784513] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10607c
[ 24.784853] flags: 0x200000000000000(node=0|zone=2)
[ 24.785073] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 24.785803] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 24.786404] page dumped because: kasan: bad access detected
[ 24.786772]
[ 24.786999] Memory state around the buggy address:
[ 24.787407]  ffff88810607bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.788005]  ffff88810607bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.788549] >ffff88810607c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.789056]                    ^
[ 24.789249]  ffff88810607c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.789545]  ffff88810607c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.789862] ==================================================================
```
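Every report on this page comes from the KASAN KUnit self-tests, which trigger bad accesses on purpose: the reporting task is `kunit_try_catch`, the frame directly below `kunit_try_run_case` is a `mempool_*_uaf` test case, and the kernel carries the `[N]=TEST` taint. A log triage step therefore has to separate these expected, test-raised reports from a KASAN report that would be a real finding. The script below is an added example, not code from this page, the kernel tree or the CI system that produced the log. Its input is a constructed, abridged copy of the Dragonboard and QEMU x86_64 reports above, and the rule that the test case is the reliable frame immediately below `kunit_try_run_case` is an assumption taken from the traces shown here; the `? ` prefix marks frames the x86 unwinder considers unreliable, which are dropped.

```python
# Added example: pull KASAN reports out of a kernel log and attribute each to the
# KUnit test case that raised it. Not code from this page or the kernel tree.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: abridged copies of the Dragonboard (arm64) and QEMU x86_64
# reports from the log above, trimmed to the lines the parser reads.
SAMPLE_LOG = """\
[ 49.944094] ==================================================================
[ 49.955260] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 49.962062] Read of size 1 at addr ffff000095740000 by task kunit_try_catch/342
[ 49.971002] CPU: 6 UID: 0 PID: 342 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 49.971045] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 49.971059] Call trace:
[ 49.971066]  show_stack+0x20/0x38 (C)
[ 49.971165]  mempool_uaf_helper+0x314/0x340
[ 49.971182]  mempool_page_alloc_uaf+0xc0/0x118
[ 49.971200]  kunit_try_run_case+0x170/0x3f0
[ 49.971273]
[ 50.129395] ==================================================================
[ 24.705697] ==================================================================
[ 24.706892] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 24.707732] Read of size 1 at addr ffff88810607c000 by task kunit_try_catch/278
[ 24.708806] CPU: 1 UID: 0 PID: 278 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 24.708893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.708917] Call Trace:
[ 24.708931]  <TASK>
[ 24.709181]  mempool_uaf_helper+0x392/0x400
[ 24.709267]  ? __call_rcu_common.constprop.0+0x455/0x9e0
[ 24.709323]  mempool_kmalloc_large_uaf+0xef/0x140
[ 24.709478]  kunit_try_run_case+0x1a5/0x480
[ 24.709905]  </TASK>
[ 24.709916]
[ 24.729610] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
TAINT_RE = re.compile(r"Tainted: ([A-Z](?: [A-Z])*)")
FRAME_RE = re.compile(r"^(?P<guess>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class KasanReport:
    kind: str
    func: str
    addr: int = 0
    task: str = ""
    pid: int = 0
    taint: str = ""
    hardware: str = ""
    frames: List[str] = field(default_factory=list)  # reliable frames, innermost first

    @property
    def test_case(self) -> Optional[str]:
        # Assumption: the KUnit test function is the reliable frame just below kunit_try_run_case.
        i = self.frames.index("kunit_try_run_case") if "kunit_try_run_case" in self.frames else 0
        return self.frames[i - 1] if i > 0 else None

    @property
    def is_self_test(self) -> bool:
        # Raised from a KUnit case on a kernel tainted [N]=TEST: expected, not a finding.
        return "N" in self.taint.split() and self.test_case is not None

    def summary(self) -> str:
        who = f"KUnit self-test {self.test_case}" if self.is_self_test else "NOT a self-test"
        return f"{self.kind} in {self.func} at {self.addr:#x} by {self.task}/{self.pid}: {who}"


def parse_kasan_reports(log: str) -> List[KasanReport]:
    reports, cur, in_trace = [], None, False
    for raw in log.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line and set(line) == {"="}:              # banner opens or closes a report
            if cur is not None:
                reports.append(cur)
            cur, in_trace = None, False
        elif (m := BUG_RE.search(line)):
            cur = KasanReport(kind=m["kind"], func=m["func"])
        elif cur is None:
            continue
        elif in_trace:
            if line == "":                            # blank line ends the trace
                in_trace = False
            elif (f := FRAME_RE.match(line)) and not f["guess"]:  # skip "? " guesses
                cur.frames.append(f["sym"])
        elif (m := ACCESS_RE.match(line)):
            cur.addr, cur.task, cur.pid = int(m[3], 16), m[4], int(m[5])
        elif line.startswith("CPU:") and (m := TAINT_RE.search(line)):
            cur.taint = m[1]
        elif line.startswith("Hardware name: "):
            cur.hardware = line[len("Hardware name: "):]
        elif line in ("Call trace:", "Call Trace:"):
            in_trace = True
    return reports
```

Run over the page's full log, `parse_kasan_reports` yields six reports, all with `is_self_test` set; a report whose `test_case` is `None` or whose taint lacks `N` is the one to escalate. Matching on the banner rather than on `BUG: KASAN:` alone keeps the parser in sync when two reports are interleaved in a multi-CPU log, as on the Dragonboard where the later-timestamped report is printed first.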