Date
July 24, 2025, 4:41 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (Hardware name: linux,dummy-virt (DT)), two KASAN reports:

```text
[ 34.546913] ==================================================================
[ 34.548328] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 34.548723] Read of size 1 at addr fff00000c9b74000 by task kunit_try_catch/260
[ 34.549171]
[ 34.549641] CPU: 0 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250724 #1 PREEMPT
[ 34.550465] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 34.550588] Hardware name: linux,dummy-virt (DT)
[ 34.551013] Call trace:
[ 34.551056] show_stack+0x20/0x38 (C)
[ 34.551117] dump_stack_lvl+0x8c/0xd0
[ 34.551727] print_report+0x118/0x5e8
[ 34.551876] kasan_report+0xdc/0x128
[ 34.551923] __asan_report_load1_noabort+0x20/0x30
[ 34.553068] mempool_uaf_helper+0x314/0x340
[ 34.553139] mempool_kmalloc_large_uaf+0xc4/0x120
[ 34.553192] kunit_try_run_case+0x170/0x3f0
[ 34.554022] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.554451] kthread+0x328/0x630
[ 34.554965] ret_from_fork+0x10/0x20
[ 34.555415]
[ 34.555440] The buggy address belongs to the physical page:
[ 34.555667] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b74
[ 34.556310] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 34.556671] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 34.557254] page_type: f8(unknown)
[ 34.557303] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 34.557943] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 34.558466] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 34.558826] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 34.558881] head: 0bfffe0000000002 ffffc1ffc326dd01 00000000ffffffff 00000000ffffffff
[ 34.558931] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 34.559689] page dumped because: kasan: bad access detected
[ 34.559765]
[ 34.559785] Memory state around the buggy address:
[ 34.560154] fff00000c9b73f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.560206] fff00000c9b73f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.560250] >fff00000c9b74000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.560945] ^
[ 34.561315] fff00000c9b74080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.561361] fff00000c9b74100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.561401] ==================================================================
[ 34.620299] ==================================================================
[ 34.620380] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 34.620598] Read of size 1 at addr fff00000c9bac000 by task kunit_try_catch/264
[ 34.620688]
[ 34.620736] CPU: 1 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250724 #1 PREEMPT
[ 34.620844] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 34.620874] Hardware name: linux,dummy-virt (DT)
[ 34.621065] Call trace:
[ 34.621225] show_stack+0x20/0x38 (C)
[ 34.621283] dump_stack_lvl+0x8c/0xd0
[ 34.621393] print_report+0x118/0x5e8
[ 34.621443] kasan_report+0xdc/0x128
[ 34.621503] __asan_report_load1_noabort+0x20/0x30
[ 34.621552] mempool_uaf_helper+0x314/0x340
[ 34.621600] mempool_page_alloc_uaf+0xc0/0x118
[ 34.621648] kunit_try_run_case+0x170/0x3f0
[ 34.621699] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.621760] kthread+0x328/0x630
[ 34.621806] ret_from_fork+0x10/0x20
[ 34.621878]
[ 34.621908] The buggy address belongs to the physical page:
[ 34.621966] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bac
[ 34.622025] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 34.622105] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 34.622161] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 34.622203] page dumped because: kasan: bad access detected
[ 34.622235]
[ 34.622260] Memory state around the buggy address:
[ 34.622293] fff00000c9babf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.622347] fff00000c9babf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.622399] >fff00000c9bac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.622447] ^
[ 34.622475] fff00000c9bac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.622525] fff00000c9bac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.622575] ==================================================================
```
qemu-x86_64 (Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)), two KASAN reports:

```text
[ 28.509537] ==================================================================
[ 28.510020] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 28.510507] Read of size 1 at addr ffff88810614c000 by task kunit_try_catch/281
[ 28.510765]
[ 28.510865] CPU: 0 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary)
[ 28.511320] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 28.511343] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 28.511367] Call Trace:
[ 28.511381] <TASK>
[ 28.511401] dump_stack_lvl+0x73/0xb0
[ 28.511539] print_report+0xd1/0x640
[ 28.511566] ? __virt_addr_valid+0x1db/0x2d0
[ 28.511605] ? mempool_uaf_helper+0x392/0x400
[ 28.511627] ? kasan_addr_to_slab+0x11/0xa0
[ 28.511648] ? mempool_uaf_helper+0x392/0x400
[ 28.511671] kasan_report+0x141/0x180
[ 28.511693] ? mempool_uaf_helper+0x392/0x400
[ 28.511719] __asan_report_load1_noabort+0x18/0x20
[ 28.511744] mempool_uaf_helper+0x392/0x400
[ 28.511767] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 28.511799] ? dequeue_entities+0x23f/0x1630
[ 28.511825] ? __kasan_check_write+0x18/0x20
[ 28.511849] ? __pfx_sched_clock_cpu+0x10/0x10
[ 28.511873] ? finish_task_switch.isra.0+0x153/0x700
[ 28.511898] mempool_page_alloc_uaf+0xed/0x140
[ 28.511929] ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 28.511955] ? __pfx_mempool_alloc_pages+0x10/0x10
[ 28.511980] ? __pfx_mempool_free_pages+0x10/0x10
[ 28.512006] ? __pfx_read_tsc+0x10/0x10
[ 28.512030] ? ktime_get_ts64+0x86/0x230
[ 28.512054] kunit_try_run_case+0x1a5/0x480
[ 28.512081] ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.512104] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 28.512130] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.512155] ? __kthread_parkme+0x82/0x180
[ 28.512175] ? preempt_count_sub+0x50/0x80
[ 28.512198] ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.512222] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.512246] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.512269] kthread+0x337/0x6f0
[ 28.512289] ? trace_preempt_on+0x20/0xc0
[ 28.512314] ? __pfx_kthread+0x10/0x10
[ 28.512334] ? _raw_spin_unlock_irq+0x47/0x80
[ 28.512357] ? calculate_sigpending+0x7b/0xa0
[ 28.512381] ? __pfx_kthread+0x10/0x10
[ 28.512403] ret_from_fork+0x116/0x1d0
[ 28.512423] ? __pfx_kthread+0x10/0x10
[ 28.512443] ret_from_fork_asm+0x1a/0x30
[ 28.512475] </TASK>
[ 28.512486]
[ 28.523951] The buggy address belongs to the physical page:
[ 28.524343] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10614c
[ 28.524693] flags: 0x200000000000000(node=0|zone=2)
[ 28.525124] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 28.525515] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 28.525803] page dumped because: kasan: bad access detected
[ 28.526247]
[ 28.526322] Memory state around the buggy address:
[ 28.526552] ffff88810614bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.526831] ffff88810614bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.527119] >ffff88810614c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.527401] ^
[ 28.527544] ffff88810614c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.527836] ffff88810614c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.528650] ==================================================================
[ 28.433294] ==================================================================
[ 28.434289] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 28.434598] Read of size 1 at addr ffff88810617c000 by task kunit_try_catch/277
[ 28.434894]
[ 28.435380] CPU: 1 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary)
[ 28.435444] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 28.435683] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 28.435708] Call Trace:
[ 28.435723] <TASK>
[ 28.435743] dump_stack_lvl+0x73/0xb0
[ 28.435778] print_report+0xd1/0x640
[ 28.435881] ? __virt_addr_valid+0x1db/0x2d0
[ 28.435911] ? mempool_uaf_helper+0x392/0x400
[ 28.435934] ? kasan_addr_to_slab+0x11/0xa0
[ 28.435955] ? mempool_uaf_helper+0x392/0x400
[ 28.435978] kasan_report+0x141/0x180
[ 28.436000] ? mempool_uaf_helper+0x392/0x400
[ 28.436027] __asan_report_load1_noabort+0x18/0x20
[ 28.436051] mempool_uaf_helper+0x392/0x400
[ 28.436074] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 28.436097] ? dequeue_entities+0x23f/0x1630
[ 28.436122] ? __kasan_check_write+0x18/0x20
[ 28.436146] ? __pfx_sched_clock_cpu+0x10/0x10
[ 28.436168] ? finish_task_switch.isra.0+0x153/0x700
[ 28.436196] mempool_kmalloc_large_uaf+0xef/0x140
[ 28.436219] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 28.436246] ? __pfx_mempool_kmalloc+0x10/0x10
[ 28.436270] ? __pfx_mempool_kfree+0x10/0x10
[ 28.436295] ? __pfx_read_tsc+0x10/0x10
[ 28.436318] ? ktime_get_ts64+0x86/0x230
[ 28.436344] kunit_try_run_case+0x1a5/0x480
[ 28.436371] ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.436394] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 28.436421] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.436446] ? __kthread_parkme+0x82/0x180
[ 28.436467] ? preempt_count_sub+0x50/0x80
[ 28.436490] ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.436514] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.436538] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.436562] kthread+0x337/0x6f0
[ 28.436596] ? trace_preempt_on+0x20/0xc0
[ 28.436622] ? __pfx_kthread+0x10/0x10
[ 28.436645] ? _raw_spin_unlock_irq+0x47/0x80
[ 28.436668] ? calculate_sigpending+0x7b/0xa0
[ 28.436692] ? __pfx_kthread+0x10/0x10
[ 28.436715] ret_from_fork+0x116/0x1d0
[ 28.436735] ? __pfx_kthread+0x10/0x10
[ 28.436757] ret_from_fork_asm+0x1a/0x30
[ 28.436834] </TASK>
[ 28.436847]
[ 28.449082] The buggy address belongs to the physical page:
[ 28.449768] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10617c
[ 28.450264] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 28.450663] flags: 0x200000000000040(head|node=0|zone=2)
[ 28.451072] page_type: f8(unknown)
[ 28.451248] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 28.451895] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 28.452315] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 28.452705] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 28.453177] head: 0200000000000002 ffffea0004185f01 00000000ffffffff 00000000ffffffff
[ 28.453455] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 28.453794] page dumped because: kasan: bad access detected
[ 28.454025]
[ 28.454403] Memory state around the buggy address:
[ 28.454613] ffff88810617bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.454939] ffff88810617bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.455585] >ffff88810617c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.455943] ^
[ 28.456069] ffff88810617c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.456365] ffff88810617c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.456659] ==================================================================
```