Date
July 10, 2025, 9:07 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.608829] ================================================================== [ 31.608912] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 31.609092] Read of size 1 at addr fff00000c9b88000 by task kunit_try_catch/264 [ 31.609156] [ 31.609210] CPU: 0 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT [ 31.609301] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.609359] Hardware name: linux,dummy-virt (DT) [ 31.609397] Call trace: [ 31.609437] show_stack+0x20/0x38 (C) [ 31.609490] dump_stack_lvl+0x8c/0xd0 [ 31.609535] print_report+0x118/0x5d0 [ 31.609577] kasan_report+0xdc/0x128 [ 31.609635] __asan_report_load1_noabort+0x20/0x30 [ 31.609685] mempool_uaf_helper+0x314/0x340 [ 31.609732] mempool_page_alloc_uaf+0xc0/0x118 [ 31.609780] kunit_try_run_case+0x170/0x3f0 [ 31.609830] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.609884] kthread+0x328/0x630 [ 31.609926] ret_from_fork+0x10/0x20 [ 31.609973] [ 31.610012] The buggy address belongs to the physical page: [ 31.610047] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b88 [ 31.610119] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.610192] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 31.610261] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 31.610334] page dumped because: kasan: bad access detected [ 31.610384] [ 31.610423] Memory state around the buggy address: [ 31.610472] fff00000c9b87f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.610516] fff00000c9b87f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.610578] >fff00000c9b88000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.610635] ^ [ 31.610662] fff00000c9b88080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.610767] fff00000c9b88100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.610889] ================================================================== [ 31.575942] ================================================================== [ 31.576008] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 31.576061] Read of size 1 at addr fff00000c9b88000 by task kunit_try_catch/260 [ 31.576113] [ 31.576185] CPU: 0 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT [ 31.576276] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.576303] Hardware name: linux,dummy-virt (DT) [ 31.576376] Call trace: [ 31.576402] show_stack+0x20/0x38 (C) [ 31.576470] dump_stack_lvl+0x8c/0xd0 [ 31.576568] print_report+0x118/0x5d0 [ 31.576613] kasan_report+0xdc/0x128 [ 31.576661] __asan_report_load1_noabort+0x20/0x30 [ 31.576733] mempool_uaf_helper+0x314/0x340 [ 31.576800] mempool_kmalloc_large_uaf+0xc4/0x120 [ 31.576857] kunit_try_run_case+0x170/0x3f0 [ 31.576906] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.576960] kthread+0x328/0x630 [ 31.577205] ret_from_fork+0x10/0x20 [ 31.577294] [ 31.577334] The buggy address belongs to the physical page: [ 31.577368] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b88 [ 31.577423] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.577511] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.577563] page_type: f8(unknown) [ 31.577602] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 31.577675] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 31.577763] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 31.577830] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 31.577886] head: 0bfffe0000000002 ffffc1ffc326e201 00000000ffffffff 00000000ffffffff [ 31.577937] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 31.578014] page dumped because: kasan: bad access detected [ 31.578063] [ 31.578091] Memory state around the buggy address: [ 31.578124] fff00000c9b87f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.578181] fff00000c9b87f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.578390] >fff00000c9b88000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.578452] ^ [ 31.578481] fff00000c9b88080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.578530] fff00000c9b88100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.578587] ==================================================================
[ 26.736909] ================================================================== [ 26.737305] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 26.737683] Read of size 1 at addr ffff8881060f4000 by task kunit_try_catch/281 [ 26.739134] [ 26.739454] CPU: 0 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) [ 26.739725] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.739741] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.739787] Call Trace: [ 26.739802] <TASK> [ 26.739825] dump_stack_lvl+0x73/0xb0 [ 26.739867] print_report+0xd1/0x610 [ 26.739890] ? __virt_addr_valid+0x1db/0x2d0 [ 26.739917] ? mempool_uaf_helper+0x392/0x400 [ 26.739940] ? kasan_addr_to_slab+0x11/0xa0 [ 26.739961] ? mempool_uaf_helper+0x392/0x400 [ 26.739983] kasan_report+0x141/0x180 [ 26.740005] ? mempool_uaf_helper+0x392/0x400 [ 26.740031] __asan_report_load1_noabort+0x18/0x20 [ 26.740055] mempool_uaf_helper+0x392/0x400 [ 26.740079] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.740102] ? __kasan_check_write+0x18/0x20 [ 26.740126] ? __pfx_sched_clock_cpu+0x10/0x10 [ 26.740149] ? finish_task_switch.isra.0+0x153/0x700 [ 26.740175] mempool_page_alloc_uaf+0xed/0x140 [ 26.740199] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 26.740224] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 26.740249] ? __pfx_mempool_free_pages+0x10/0x10 [ 26.740275] ? __pfx_read_tsc+0x10/0x10 [ 26.740297] ? ktime_get_ts64+0x86/0x230 [ 26.740322] kunit_try_run_case+0x1a5/0x480 [ 26.740346] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.740367] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.740390] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.740414] ? __kthread_parkme+0x82/0x180 [ 26.740435] ? preempt_count_sub+0x50/0x80 [ 26.740458] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.740497] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.740523] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.740548] kthread+0x337/0x6f0 [ 26.740567] ? trace_preempt_on+0x20/0xc0 [ 26.740592] ? __pfx_kthread+0x10/0x10 [ 26.740612] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.740633] ? calculate_sigpending+0x7b/0xa0 [ 26.740657] ? __pfx_kthread+0x10/0x10 [ 26.740680] ret_from_fork+0x116/0x1d0 [ 26.740707] ? __pfx_kthread+0x10/0x10 [ 26.740728] ret_from_fork_asm+0x1a/0x30 [ 26.740759] </TASK> [ 26.740792] [ 26.756949] The buggy address belongs to the physical page: [ 26.757595] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060f4 [ 26.758493] flags: 0x200000000000000(node=0|zone=2) [ 26.759149] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 26.759992] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 26.760799] page dumped because: kasan: bad access detected [ 26.761369] [ 26.761627] Memory state around the buggy address: [ 26.762178] ffff8881060f3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.762407] ffff8881060f3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.762668] >ffff8881060f4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.763524] ^ [ 26.763895] ffff8881060f4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.764300] ffff8881060f4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.764977] ================================================================== [ 26.668995] ================================================================== [ 26.669444] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 26.669820] Read of size 1 at addr ffff8881061ac000 by task kunit_try_catch/277 [ 26.670170] [ 26.670369] CPU: 1 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) [ 26.670424] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.670437] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.670461] Call Trace: [ 26.670475] <TASK> [ 26.670508] dump_stack_lvl+0x73/0xb0 [ 26.670552] print_report+0xd1/0x610 [ 26.670576] ? __virt_addr_valid+0x1db/0x2d0 [ 26.670601] ? mempool_uaf_helper+0x392/0x400 [ 26.670635] ? kasan_addr_to_slab+0x11/0xa0 [ 26.670656] ? mempool_uaf_helper+0x392/0x400 [ 26.670679] kasan_report+0x141/0x180 [ 26.670711] ? mempool_uaf_helper+0x392/0x400 [ 26.670738] __asan_report_load1_noabort+0x18/0x20 [ 26.670771] mempool_uaf_helper+0x392/0x400 [ 26.670848] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.670873] ? update_load_avg+0x1be/0x21b0 [ 26.670897] ? update_load_avg+0x1be/0x21b0 [ 26.670919] ? update_curr+0x80/0x810 [ 26.670942] ? finish_task_switch.isra.0+0x153/0x700 [ 26.670982] mempool_kmalloc_large_uaf+0xef/0x140 [ 26.671005] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 26.671042] ? __pfx_mempool_kmalloc+0x10/0x10 [ 26.671066] ? __pfx_mempool_kfree+0x10/0x10 [ 26.671101] ? __pfx_read_tsc+0x10/0x10 [ 26.671123] ? ktime_get_ts64+0x86/0x230 [ 26.671159] kunit_try_run_case+0x1a5/0x480 [ 26.671182] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.671203] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.671227] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.671251] ? __kthread_parkme+0x82/0x180 [ 26.671273] ? preempt_count_sub+0x50/0x80 [ 26.671296] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.671319] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.671344] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.671370] kthread+0x337/0x6f0 [ 26.671389] ? trace_preempt_on+0x20/0xc0 [ 26.671413] ? __pfx_kthread+0x10/0x10 [ 26.671435] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.671456] ? calculate_sigpending+0x7b/0xa0 [ 26.671482] ? __pfx_kthread+0x10/0x10 [ 26.671512] ret_from_fork+0x116/0x1d0 [ 26.671532] ? __pfx_kthread+0x10/0x10 [ 26.671552] ret_from_fork_asm+0x1a/0x30 [ 26.671583] </TASK> [ 26.671596] [ 26.681779] The buggy address belongs to the physical page: [ 26.682105] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061ac [ 26.682382] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 26.682721] flags: 0x200000000000040(head|node=0|zone=2) [ 26.682994] page_type: f8(unknown) [ 26.683128] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 26.683447] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 26.684228] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 26.684579] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 26.685158] head: 0200000000000002 ffffea0004186b01 00000000ffffffff 00000000ffffffff [ 26.685523] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 26.685925] page dumped because: kasan: bad access detected [ 26.686174] [ 26.686265] Memory state around the buggy address: [ 26.686472] ffff8881061abf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.686813] ffff8881061abf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.687026] >ffff8881061ac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.687406] ^ [ 26.687609] ffff8881061ac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.688042] ffff8881061ac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.688379] ==================================================================