Date: July 23, 2025, 3:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 32.601654] ==================================================================
[ 32.601883] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.601963] Read of size 1 at addr fff00000c9bf8000 by task kunit_try_catch/262
[ 32.602033]
[ 32.602115] CPU: 1 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250723 #1 PREEMPT
[ 32.602229] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 32.602323] Hardware name: linux,dummy-virt (DT)
[ 32.602379] Call trace:
[ 32.602420]  show_stack+0x20/0x38 (C)
[ 32.602487]  dump_stack_lvl+0x8c/0xd0
[ 32.602589]  print_report+0x118/0x5e8
[ 32.602634]  kasan_report+0xdc/0x128
[ 32.602703]  __asan_report_load1_noabort+0x20/0x30
[ 32.602914]  mempool_uaf_helper+0x314/0x340
[ 32.602975]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 32.603041]  kunit_try_run_case+0x170/0x3f0
[ 32.603100]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.603281]  kthread+0x328/0x630
[ 32.603372]  ret_from_fork+0x10/0x20
[ 32.603434]
[ 32.603466] The buggy address belongs to the physical page:
[ 32.603505] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf8
[ 32.603625] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.603682] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.603743] page_type: f8(unknown)
[ 32.603807] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 32.603865] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 32.603936] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 32.603994] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 32.604058] head: 0bfffe0000000002 ffffc1ffc326fe01 00000000ffffffff 00000000ffffffff
[ 32.604107] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 32.604148] page dumped because: kasan: bad access detected
[ 32.604178]
[ 32.604198] Memory state around the buggy address:
[ 32.604230]  fff00000c9bf7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.604275]  fff00000c9bf7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.604319] >fff00000c9bf8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.604371]                    ^
[ 32.604403]  fff00000c9bf8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.604453]  fff00000c9bf8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.604492] ==================================================================
[ 32.644385] ==================================================================
[ 32.644455] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.644598] Read of size 1 at addr fff00000c9bf8000 by task kunit_try_catch/266
[ 32.644649]
[ 32.644688] CPU: 1 UID: 0 PID: 266 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250723 #1 PREEMPT
[ 32.644797] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 32.644829] Hardware name: linux,dummy-virt (DT)
[ 32.644860] Call trace:
[ 32.644917]  show_stack+0x20/0x38 (C)
[ 32.645063]  dump_stack_lvl+0x8c/0xd0
[ 32.645113]  print_report+0x118/0x5e8
[ 32.645192]  kasan_report+0xdc/0x128
[ 32.645237]  __asan_report_load1_noabort+0x20/0x30
[ 32.645283]  mempool_uaf_helper+0x314/0x340
[ 32.645330]  mempool_page_alloc_uaf+0xc0/0x118
[ 32.645378]  kunit_try_run_case+0x170/0x3f0
[ 32.645438]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.645490]  kthread+0x328/0x630
[ 32.645530]  ret_from_fork+0x10/0x20
[ 32.645577]
[ 32.645613] The buggy address belongs to the physical page:
[ 32.645741] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf8
[ 32.645883] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.646046] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 32.646099] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 32.646139] page dumped because: kasan: bad access detected
[ 32.646191]
[ 32.646268] Memory state around the buggy address:
[ 32.646308]  fff00000c9bf7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.646454]  fff00000c9bf7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.646523] >fff00000c9bf8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.646615]                    ^
[ 32.646644]  fff00000c9bf8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.646686]  fff00000c9bf8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.646724] ==================================================================
```
qemu-x86_64:

```text
[ 26.864853] ==================================================================
[ 26.865378] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 26.865945] Read of size 1 at addr ffff888106228000 by task kunit_try_catch/282
[ 26.866286]
[ 26.866440] CPU: 0 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary)
[ 26.866499] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.866548] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.866572] Call Trace:
[ 26.866587]  <TASK>
[ 26.866634]  dump_stack_lvl+0x73/0xb0
[ 26.866693]  print_report+0xd1/0x640
[ 26.866717]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.866756]  ? mempool_uaf_helper+0x392/0x400
[ 26.866778]  ? kasan_addr_to_slab+0x11/0xa0
[ 26.866800]  ? mempool_uaf_helper+0x392/0x400
[ 26.866822]  kasan_report+0x141/0x180
[ 26.866844]  ? mempool_uaf_helper+0x392/0x400
[ 26.866871]  __asan_report_load1_noabort+0x18/0x20
[ 26.866896]  mempool_uaf_helper+0x392/0x400
[ 26.866919]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 26.866953]  ? dequeue_entities+0x23f/0x1630
[ 26.866998]  ? __kasan_check_write+0x18/0x20
[ 26.867033]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 26.867053]  ? irqentry_exit+0x2a/0x60
[ 26.867086]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 26.867111]  mempool_page_alloc_uaf+0xed/0x140
[ 26.867135]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 26.867172]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 26.867226]  ? __pfx_mempool_free_pages+0x10/0x10
[ 26.867252]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 26.867278]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 26.867315]  kunit_try_run_case+0x1a5/0x480
[ 26.867343]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.867366]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.867442]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.867468]  ? __kthread_parkme+0x82/0x180
[ 26.867490]  ? preempt_count_sub+0x50/0x80
[ 26.867515]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.867539]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.867565]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.867589]  kthread+0x337/0x6f0
[ 26.867609]  ? trace_preempt_on+0x20/0xc0
[ 26.867640]  ? __pfx_kthread+0x10/0x10
[ 26.867661]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.867685]  ? calculate_sigpending+0x7b/0xa0
[ 26.867710]  ? __pfx_kthread+0x10/0x10
[ 26.867733]  ret_from_fork+0x116/0x1d0
[ 26.867754]  ? __pfx_kthread+0x10/0x10
[ 26.867775]  ret_from_fork_asm+0x1a/0x30
[ 26.867808]  </TASK>
[ 26.867820]
[ 26.881303] The buggy address belongs to the physical page:
[ 26.881925] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106228
[ 26.882357] flags: 0x200000000000000(node=0|zone=2)
[ 26.882683] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 26.883271] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.883643] page dumped because: kasan: bad access detected
[ 26.884006]
[ 26.884108] Memory state around the buggy address:
[ 26.884535]  ffff888106227f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.884883]  ffff888106227f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.885412] >ffff888106228000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.885874]                    ^
[ 26.886103]  ffff888106228080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.886872]  ffff888106228100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.887284] ==================================================================
[ 26.800328] ==================================================================
[ 26.800948] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 26.801315] Read of size 1 at addr ffff8881060f0000 by task kunit_try_catch/278
[ 26.801857]
[ 26.801982] CPU: 1 UID: 0 PID: 278 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary)
[ 26.802063] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.802077] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.802132] Call Trace:
[ 26.802182]  <TASK>
[ 26.802205]  dump_stack_lvl+0x73/0xb0
[ 26.802240]  print_report+0xd1/0x640
[ 26.802275]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.802301]  ? mempool_uaf_helper+0x392/0x400
[ 26.802324]  ? kasan_addr_to_slab+0x11/0xa0
[ 26.802345]  ? mempool_uaf_helper+0x392/0x400
[ 26.802453]  kasan_report+0x141/0x180
[ 26.802481]  ? mempool_uaf_helper+0x392/0x400
[ 26.802530]  __asan_report_load1_noabort+0x18/0x20
[ 26.802556]  mempool_uaf_helper+0x392/0x400
[ 26.802580]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 26.802602]  ? update_load_avg+0x1be/0x21b0
[ 26.802650]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.802676]  mempool_kmalloc_large_uaf+0xef/0x140
[ 26.802712]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 26.802739]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 26.802765]  ? __pfx_mempool_kfree+0x10/0x10
[ 26.802800]  ? __pfx_read_tsc+0x10/0x10
[ 26.802823]  ? ktime_get_ts64+0x86/0x230
[ 26.802849]  kunit_try_run_case+0x1a5/0x480
[ 26.802876]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.802898]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.802942]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.802968]  ? __kthread_parkme+0x82/0x180
[ 26.802988]  ? preempt_count_sub+0x50/0x80
[ 26.803011]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.803036]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.803060]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.803084]  kthread+0x337/0x6f0
[ 26.803104]  ? trace_preempt_on+0x20/0xc0
[ 26.803129]  ? __pfx_kthread+0x10/0x10
[ 26.803159]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.803183]  ? calculate_sigpending+0x7b/0xa0
[ 26.803207]  ? __pfx_kthread+0x10/0x10
[ 26.803229]  ret_from_fork+0x116/0x1d0
[ 26.803250]  ? __pfx_kthread+0x10/0x10
[ 26.803272]  ret_from_fork_asm+0x1a/0x30
[ 26.803304]  </TASK>
[ 26.803317]
[ 26.812658] The buggy address belongs to the physical page:
[ 26.813009] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060f0
[ 26.813473] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.813855] flags: 0x200000000000040(head|node=0|zone=2)
[ 26.814137] page_type: f8(unknown)
[ 26.814332] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 26.814808] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 26.815156] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 26.815496] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 26.815836] head: 0200000000000002 ffffea0004183c01 00000000ffffffff 00000000ffffffff
[ 26.816224] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 26.816839] page dumped because: kasan: bad access detected
[ 26.817064]
[ 26.817167] Memory state around the buggy address:
[ 26.817448]  ffff8881060eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.817778]  ffff8881060eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.818246] >ffff8881060f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.818656]                    ^
[ 26.818852]  ffff8881060f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.819128]  ffff8881060f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.819610] ==================================================================
```