Date
July 9, 2025, 1:08 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
```text
[ 31.410154] ==================================================================
[ 31.410226] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 31.410406] Read of size 1 at addr fff00000c9acc000 by task kunit_try_catch/261
[ 31.410577]
[ 31.410716] CPU: 1 UID: 0 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250709 #1 PREEMPT
[ 31.410803] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.410830] Hardware name: linux,dummy-virt (DT)
[ 31.410860] Call trace:
[ 31.410884]  show_stack+0x20/0x38 (C)
[ 31.410939]  dump_stack_lvl+0x8c/0xd0
[ 31.411029]  print_report+0x118/0x5d0
[ 31.411296]  kasan_report+0xdc/0x128
[ 31.411719]  __asan_report_load1_noabort+0x20/0x30
[ 31.411781]  mempool_uaf_helper+0x314/0x340
[ 31.411831]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 31.411878]  kunit_try_run_case+0x170/0x3f0
[ 31.411928]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.412392]  kthread+0x328/0x630
[ 31.412681]  ret_from_fork+0x10/0x20
[ 31.412990]
[ 31.413016] The buggy address belongs to the physical page:
[ 31.413064] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109acc
[ 31.413126] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.413173] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 31.413526] page_type: f8(unknown)
[ 31.413572] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 31.413625] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 31.413976] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 31.414071] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 31.414143] head: 0bfffe0000000002 ffffc1ffc326b301 00000000ffffffff 00000000ffffffff
[ 31.414470] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 31.414631] page dumped because: kasan: bad access detected
[ 31.414664]
[ 31.414683] Memory state around the buggy address:
[ 31.414717]  fff00000c9acbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.414862]  fff00000c9acbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.415225] >fff00000c9acc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.415279]                    ^
[ 31.415311]  fff00000c9acc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.415569]  fff00000c9acc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.415688] ==================================================================
[ 31.478072] ==================================================================
[ 31.478176] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 31.478318] Read of size 1 at addr fff00000c9ad0000 by task kunit_try_catch/265
[ 31.478404]
[ 31.478623] CPU: 1 UID: 0 PID: 265 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250709 #1 PREEMPT
[ 31.478740] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.478767] Hardware name: linux,dummy-virt (DT)
[ 31.478822] Call trace:
[ 31.478848]  show_stack+0x20/0x38 (C)
[ 31.478959]  dump_stack_lvl+0x8c/0xd0
[ 31.479015]  print_report+0x118/0x5d0
[ 31.479073]  kasan_report+0xdc/0x128
[ 31.479150]  __asan_report_load1_noabort+0x20/0x30
[ 31.479201]  mempool_uaf_helper+0x314/0x340
[ 31.479248]  mempool_page_alloc_uaf+0xc0/0x118
[ 31.479294]  kunit_try_run_case+0x170/0x3f0
[ 31.479345]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.479404]  kthread+0x328/0x630
[ 31.479456]  ret_from_fork+0x10/0x20
[ 31.479824]
[ 31.480164] The buggy address belongs to the physical page:
[ 31.480211] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ad0
[ 31.480269] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.480554] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 31.480661] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 31.480855] page dumped because: kasan: bad access detected
[ 31.480938]
[ 31.481017] Memory state around the buggy address:
[ 31.481339]  fff00000c9acff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.481475]  fff00000c9acff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.481629] >fff00000c9ad0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.481671]                    ^
[ 31.481925]  fff00000c9ad0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.482021]  fff00000c9ad0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.482096] ==================================================================
```
```text
[ 25.712621] ==================================================================
[ 25.714064] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 25.714576] Read of size 1 at addr ffff888106158000 by task kunit_try_catch/283
[ 25.715183]
[ 25.715476] CPU: 1 UID: 0 PID: 283 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary)
[ 25.715578] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 25.715604] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.715629] Call Trace:
[ 25.715644]  <TASK>
[ 25.715667]  dump_stack_lvl+0x73/0xb0
[ 25.715712]  print_report+0xd1/0x610
[ 25.715737]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.715762]  ? mempool_uaf_helper+0x392/0x400
[ 25.715785]  ? kasan_addr_to_slab+0x11/0xa0
[ 25.715805]  ? mempool_uaf_helper+0x392/0x400
[ 25.715830]  kasan_report+0x141/0x180
[ 25.715852]  ? mempool_uaf_helper+0x392/0x400
[ 25.715879]  __asan_report_load1_noabort+0x18/0x20
[ 25.715914]  mempool_uaf_helper+0x392/0x400
[ 25.715937]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 25.715960]  ? __kasan_check_write+0x18/0x20
[ 25.715984]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 25.716007]  ? finish_task_switch.isra.0+0x153/0x700
[ 25.716035]  mempool_page_alloc_uaf+0xed/0x140
[ 25.716058]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 25.716084]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 25.716111]  ? __pfx_mempool_free_pages+0x10/0x10
[ 25.716137]  ? __pfx_read_tsc+0x10/0x10
[ 25.716160]  ? ktime_get_ts64+0x86/0x230
[ 25.716187]  kunit_try_run_case+0x1a5/0x480
[ 25.716214]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.716236]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.716262]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.716286]  ? __kthread_parkme+0x82/0x180
[ 25.716307]  ? preempt_count_sub+0x50/0x80
[ 25.716330]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.716352]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.716377]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.716402]  kthread+0x337/0x6f0
[ 25.716422]  ? trace_preempt_on+0x20/0xc0
[ 25.716446]  ? __pfx_kthread+0x10/0x10
[ 25.716467]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.716489]  ? calculate_sigpending+0x7b/0xa0
[ 25.716514]  ? __pfx_kthread+0x10/0x10
[ 25.716536]  ret_from_fork+0x116/0x1d0
[ 25.716557]  ? __pfx_kthread+0x10/0x10
[ 25.716578]  ret_from_fork_asm+0x1a/0x30
[ 25.716610]  </TASK>
[ 25.716622]
[ 25.733104] The buggy address belongs to the physical page:
[ 25.733675] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106158
[ 25.734242] flags: 0x200000000000000(node=0|zone=2)
[ 25.735157] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 25.735731] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 25.735989] page dumped because: kasan: bad access detected
[ 25.736161]
[ 25.736229] Memory state around the buggy address:
[ 25.736383]  ffff888106157f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.736596]  ffff888106157f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.737432] >ffff888106158000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.739014]                    ^
[ 25.739749]  ffff888106158080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.740626]  ffff888106158100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.740945] ==================================================================
[ 25.637608] ==================================================================
[ 25.638474] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 25.638721] Read of size 1 at addr ffff888106230000 by task kunit_try_catch/279
[ 25.639475]
[ 25.639734] CPU: 0 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary)
[ 25.639812] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 25.639833] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.639856] Call Trace:
[ 25.639870]  <TASK>
[ 25.639892]  dump_stack_lvl+0x73/0xb0
[ 25.639928]  print_report+0xd1/0x610
[ 25.639951]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.639977]  ? mempool_uaf_helper+0x392/0x400
[ 25.640000]  ? kasan_addr_to_slab+0x11/0xa0
[ 25.640020]  ? mempool_uaf_helper+0x392/0x400
[ 25.640042]  kasan_report+0x141/0x180
[ 25.640082]  ? mempool_uaf_helper+0x392/0x400
[ 25.640119]  __asan_report_load1_noabort+0x18/0x20
[ 25.640144]  mempool_uaf_helper+0x392/0x400
[ 25.640175]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 25.640201]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 25.640224]  ? finish_task_switch.isra.0+0x153/0x700
[ 25.640250]  mempool_kmalloc_large_uaf+0xef/0x140
[ 25.640273]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 25.640298]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 25.640322]  ? __pfx_mempool_kfree+0x10/0x10
[ 25.640346]  ? __pfx_read_tsc+0x10/0x10
[ 25.640368]  ? ktime_get_ts64+0x86/0x230
[ 25.640393]  kunit_try_run_case+0x1a5/0x480
[ 25.640417]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.640437]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.640463]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.640486]  ? __kthread_parkme+0x82/0x180
[ 25.640507]  ? preempt_count_sub+0x50/0x80
[ 25.640530]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.640552]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.640577]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.640602]  kthread+0x337/0x6f0
[ 25.640622]  ? trace_preempt_on+0x20/0xc0
[ 25.640646]  ? __pfx_kthread+0x10/0x10
[ 25.640667]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.640689]  ? calculate_sigpending+0x7b/0xa0
[ 25.640724]  ? __pfx_kthread+0x10/0x10
[ 25.640746]  ret_from_fork+0x116/0x1d0
[ 25.640783]  ? __pfx_kthread+0x10/0x10
[ 25.640803]  ret_from_fork_asm+0x1a/0x30
[ 25.640836]  </TASK>
[ 25.640849]
[ 25.654086] The buggy address belongs to the physical page:
[ 25.654748] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106230
[ 25.655617] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 25.656413] flags: 0x200000000000040(head|node=0|zone=2)
[ 25.656998] page_type: f8(unknown)
[ 25.657351] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 25.658111] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 25.658907] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 25.659716] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 25.660546] head: 0200000000000002 ffffea0004188c01 00000000ffffffff 00000000ffffffff
[ 25.661359] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 25.662165] page dumped because: kasan: bad access detected
[ 25.662661]
[ 25.662839] Memory state around the buggy address:
[ 25.663356]  ffff88810622ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.664055]  ffff88810622ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.664771] >ffff888106230000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.665311]                    ^
[ 25.665449]  ffff888106230080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.665653]  ffff888106230100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.665939] ==================================================================
```