Date
July 16, 2025, 12:11 p.m.
Environment
qemu-arm64

```
[ 32.706355] ==================================================================
[ 32.706421] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.706481] Read of size 1 at addr fff00000c9bf4000 by task kunit_try_catch/260
[ 32.706592]
[ 32.706739] CPU: 0 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT
[ 32.706970] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.706998] Hardware name: linux,dummy-virt (DT)
[ 32.707030] Call trace:
[ 32.707058]  show_stack+0x20/0x38 (C)
[ 32.707293]  dump_stack_lvl+0x8c/0xd0
[ 32.707360]  print_report+0x118/0x5d0
[ 32.707487]  kasan_report+0xdc/0x128
[ 32.707612]  __asan_report_load1_noabort+0x20/0x30
[ 32.707661]  mempool_uaf_helper+0x314/0x340
[ 32.707709]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 32.707761]  kunit_try_run_case+0x170/0x3f0
[ 32.707843]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.707920]  kthread+0x328/0x630
[ 32.707963]  ret_from_fork+0x10/0x20
[ 32.708011]
[ 32.708031] The buggy address belongs to the physical page:
[ 32.708064] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf4
[ 32.708427] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.708965] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.709353] page_type: f8(unknown)
[ 32.709445] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 32.709497] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 32.709559] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 32.709608] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 32.709658] head: 0bfffe0000000002 ffffc1ffc326fd01 00000000ffffffff 00000000ffffffff
[ 32.709708] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 32.709750] page dumped because: kasan: bad access detected
[ 32.709781]
[ 32.709799] Memory state around the buggy address:
[ 32.709833]  fff00000c9bf3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.710128]  fff00000c9bf3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.710186] >fff00000c9bf4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.710271]                    ^
[ 32.710397]  fff00000c9bf4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.710464]  fff00000c9bf4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.710515] ==================================================================
[ 32.769991] ==================================================================
[ 32.770050] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.770114] Read of size 1 at addr fff00000c9bf8000 by task kunit_try_catch/264
[ 32.770165]
[ 32.770200] CPU: 0 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT
[ 32.770288] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.770316] Hardware name: linux,dummy-virt (DT)
[ 32.770348] Call trace:
[ 32.770381]  show_stack+0x20/0x38 (C)
[ 32.770430]  dump_stack_lvl+0x8c/0xd0
[ 32.770479]  print_report+0x118/0x5d0
[ 32.770688]  kasan_report+0xdc/0x128
[ 32.770735]  __asan_report_load1_noabort+0x20/0x30
[ 32.770790]  mempool_uaf_helper+0x314/0x340
[ 32.772534]  mempool_page_alloc_uaf+0xc0/0x118
[ 32.773134]  kunit_try_run_case+0x170/0x3f0
[ 32.773469]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.774227]  kthread+0x328/0x630
[ 32.774358]  ret_from_fork+0x10/0x20
[ 32.775046]
[ 32.775763] The buggy address belongs to the physical page:
[ 32.775878] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf8
[ 32.775937] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.776269] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 32.776936] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 32.777062] page dumped because: kasan: bad access detected
[ 32.777108]
[ 32.777127] Memory state around the buggy address:
[ 32.777163]  fff00000c9bf7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.777210]  fff00000c9bf7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.777265] >fff00000c9bf8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.777304]                    ^
[ 32.777838]  fff00000c9bf8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.777914]  fff00000c9bf8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.777996] ==================================================================
```

Environment
qemu-x86_64

```
[ 24.837855] ==================================================================
[ 24.838329] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 24.838609] Read of size 1 at addr ffff888106100000 by task kunit_try_catch/278
[ 24.838934]
[ 24.839353] CPU: 1 UID: 0 PID: 278 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT(voluntary)
[ 24.839411] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.839426] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.839449] Call Trace:
[ 24.839464]  <TASK>
[ 24.839485]  dump_stack_lvl+0x73/0xb0
[ 24.839518]  print_report+0xd1/0x610
[ 24.839544]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.839570]  ? mempool_uaf_helper+0x392/0x400
[ 24.839592]  ? kasan_addr_to_slab+0x11/0xa0
[ 24.839614]  ? mempool_uaf_helper+0x392/0x400
[ 24.839636]  kasan_report+0x141/0x180
[ 24.839659]  ? mempool_uaf_helper+0x392/0x400
[ 24.839696]  __asan_report_load1_noabort+0x18/0x20
[ 24.839721]  mempool_uaf_helper+0x392/0x400
[ 24.839744]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 24.839767]  ? update_load_avg+0x1be/0x21b0
[ 24.839793]  ? update_curr+0x7d/0x7f0
[ 24.839815]  ? finish_task_switch.isra.0+0x153/0x700
[ 24.839842]  mempool_kmalloc_large_uaf+0xef/0x140
[ 24.839865]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 24.839892]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 24.839916]  ? __pfx_mempool_kfree+0x10/0x10
[ 24.839941]  ? __pfx_read_tsc+0x10/0x10
[ 24.840189]  ? ktime_get_ts64+0x86/0x230
[ 24.840218]  kunit_try_run_case+0x1a5/0x480
[ 24.840245]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.840268]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.840309]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.840333]  ? __kthread_parkme+0x82/0x180
[ 24.840354]  ? preempt_count_sub+0x50/0x80
[ 24.840377]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.840401]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.840427]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.840454]  kthread+0x337/0x6f0
[ 24.840474]  ? trace_preempt_on+0x20/0xc0
[ 24.840498]  ? __pfx_kthread+0x10/0x10
[ 24.840519]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.840540]  ? calculate_sigpending+0x7b/0xa0
[ 24.840565]  ? __pfx_kthread+0x10/0x10
[ 24.840598]  ret_from_fork+0x116/0x1d0
[ 24.840617]  ? __pfx_kthread+0x10/0x10
[ 24.840638]  ret_from_fork_asm+0x1a/0x30
[ 24.840670]  </TASK>
[ 24.840682]
[ 24.849146] The buggy address belongs to the physical page:
[ 24.849419] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106100
[ 24.849752] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 24.850302] flags: 0x200000000000040(head|node=0|zone=2)
[ 24.850501] page_type: f8(unknown)
[ 24.850757] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 24.851052] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 24.851366] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 24.851609] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 24.851841] head: 0200000000000002 ffffea0004184001 00000000ffffffff 00000000ffffffff
[ 24.852161] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 24.852897] page dumped because: kasan: bad access detected
[ 24.853164]
[ 24.853255] Memory state around the buggy address:
[ 24.853488]  ffff8881060fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.853851]  ffff8881060fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.854189] >ffff888106100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.854443]                    ^
[ 24.854560]  ffff888106100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.854917]  ffff888106100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.855245] ==================================================================
[ 24.896617] ==================================================================
[ 24.897460] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 24.897727] Read of size 1 at addr ffff888106278000 by task kunit_try_catch/282
[ 24.897948]
[ 24.898039] CPU: 0 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT(voluntary)
[ 24.898096] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.898110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.898133] Call Trace:
[ 24.898149]  <TASK>
[ 24.898170]  dump_stack_lvl+0x73/0xb0
[ 24.898204]  print_report+0xd1/0x610
[ 24.898228]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.898255]  ? mempool_uaf_helper+0x392/0x400
[ 24.898277]  ? kasan_addr_to_slab+0x11/0xa0
[ 24.898342]  ? mempool_uaf_helper+0x392/0x400
[ 24.898365]  kasan_report+0x141/0x180
[ 24.898388]  ? mempool_uaf_helper+0x392/0x400
[ 24.898414]  __asan_report_load1_noabort+0x18/0x20
[ 24.898439]  mempool_uaf_helper+0x392/0x400
[ 24.898461]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 24.898484]  ? dequeue_entities+0x23f/0x1630
[ 24.898610]  ? __kasan_check_write+0x18/0x20
[ 24.898695]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 24.898720]  ? finish_task_switch.isra.0+0x153/0x700
[ 24.898784]  mempool_page_alloc_uaf+0xed/0x140
[ 24.898809]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 24.898835]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 24.898879]  ? __pfx_mempool_free_pages+0x10/0x10
[ 24.898904]  ? __pfx_read_tsc+0x10/0x10
[ 24.898928]  ? ktime_get_ts64+0x86/0x230
[ 24.898954]  kunit_try_run_case+0x1a5/0x480
[ 24.898981]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.899003]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.899028]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.899052]  ? __kthread_parkme+0x82/0x180
[ 24.899075]  ? preempt_count_sub+0x50/0x80
[ 24.899097]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.899120]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.899146]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.899173]  kthread+0x337/0x6f0
[ 24.899192]  ? trace_preempt_on+0x20/0xc0
[ 24.899217]  ? __pfx_kthread+0x10/0x10
[ 24.899237]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.899258]  ? calculate_sigpending+0x7b/0xa0
[ 24.899282]  ? __pfx_kthread+0x10/0x10
[ 24.899317]  ret_from_fork+0x116/0x1d0
[ 24.899336]  ? __pfx_kthread+0x10/0x10
[ 24.899357]  ret_from_fork_asm+0x1a/0x30
[ 24.899390]  </TASK>
[ 24.899404]
[ 24.914470] The buggy address belongs to the physical page:
[ 24.915122] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106278
[ 24.915621] flags: 0x200000000000000(node=0|zone=2)
[ 24.916118] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 24.916455] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 24.917067] page dumped because: kasan: bad access detected
[ 24.917497]
[ 24.917737] Memory state around the buggy address:
[ 24.918313]  ffff888106277f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.918755]  ffff888106277f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.919243] >ffff888106278000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.919550]                    ^
[ 24.919861]  ffff888106278080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.920415]  ffff888106278100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.920818] ==================================================================
```