Date
June 2, 2025, 2:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 21.660696] ================================================================== [ 21.661299] BUG: KASAN: use-after-free in mempool_uaf_helper+0x320/0x348 [ 21.661924] Read of size 1 at addr fff00000c6c78000 by task kunit_try_catch/216 [ 21.662247] [ 21.662448] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 21.662554] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.662587] Hardware name: linux,dummy-virt (DT) [ 21.662626] Call trace: [ 21.662652] dump_backtrace+0x9c/0x128 [ 21.662708] show_stack+0x20/0x38 [ 21.662750] dump_stack_lvl+0x8c/0xd0 [ 21.662798] print_report+0x118/0x5f0 [ 21.662842] kasan_report+0xdc/0x128 [ 21.662885] __asan_report_load1_noabort+0x20/0x30 [ 21.662932] mempool_uaf_helper+0x320/0x348 [ 21.662977] mempool_kmalloc_large_uaf+0xc4/0x120 [ 21.663025] kunit_try_run_case+0x170/0x3f0 [ 21.663071] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.663313] kthread+0x24c/0x2d0 [ 21.663373] ret_from_fork+0x10/0x20 [ 21.663426] [ 21.665909] The buggy address belongs to the physical page: [ 21.666379] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106c78 [ 21.666882] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 21.667713] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 21.668038] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 21.668306] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 21.668803] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 21.669099] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 21.669578] head: 0bfffe0000000002 ffffc1ffc31b1e01 ffffffffffffffff 0000000000000000 [ 21.669925] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 21.670356] page dumped because: kasan: bad access detected [ 21.670670] [ 21.670791] Memory state around the buggy address: [ 21.671394] fff00000c6c77f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.671712] fff00000c6c77f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.672142] >fff00000c6c78000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.672458] ^ [ 21.672776] fff00000c6c78080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.673142] fff00000c6c78100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.673518] ================================================================== [ 21.725271] ================================================================== [ 21.725800] BUG: KASAN: use-after-free in mempool_uaf_helper+0x320/0x348 [ 21.726250] Read of size 1 at addr fff00000c6c78000 by task kunit_try_catch/220 [ 21.726615] [ 21.726832] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 21.726937] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.726970] Hardware name: linux,dummy-virt (DT) [ 21.727010] Call trace: [ 21.727037] dump_backtrace+0x9c/0x128 [ 21.727103] show_stack+0x20/0x38 [ 21.727146] dump_stack_lvl+0x8c/0xd0 [ 21.727194] print_report+0x118/0x5f0 [ 21.727244] kasan_report+0xdc/0x128 [ 21.727294] __asan_report_load1_noabort+0x20/0x30 [ 21.727342] mempool_uaf_helper+0x320/0x348 [ 21.727388] mempool_page_alloc_uaf+0xc0/0x118 [ 21.727436] kunit_try_run_case+0x170/0x3f0 [ 21.727484] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.727535] kthread+0x24c/0x2d0 [ 21.727580] ret_from_fork+0x10/0x20 [ 21.727938] [ 21.731225] The buggy address belongs to the physical page: [ 21.731911] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106c78 [ 21.732189] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 21.732726] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 21.733116] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 21.733501] page dumped because: kasan: bad access detected [ 21.733780] [ 21.733945] Memory state around the buggy address: [ 21.734138] fff00000c6c77f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.734491] fff00000c6c77f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.734883] >fff00000c6c78000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.735207] ^ [ 21.735442] fff00000c6c78080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.735884] fff00000c6c78100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.736215] ==================================================================
[ 13.738949] ================================================================== [ 13.739379] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 13.739994] Read of size 1 at addr ffff888102b90000 by task kunit_try_catch/238 [ 13.740753] [ 13.741407] CPU: 1 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 13.741491] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.741505] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.741529] Call Trace: [ 13.741545] <TASK> [ 13.741566] dump_stack_lvl+0x73/0xb0 [ 13.741611] print_report+0xd1/0x640 [ 13.741648] ? __virt_addr_valid+0x1db/0x2d0 [ 13.741696] ? mempool_uaf_helper+0x394/0x400 [ 13.741715] ? kasan_addr_to_slab+0x11/0xa0 [ 13.741735] ? mempool_uaf_helper+0x394/0x400 [ 13.741753] kasan_report+0x140/0x180 [ 13.741775] ? mempool_uaf_helper+0x394/0x400 [ 13.741797] __asan_report_load1_noabort+0x18/0x20 [ 13.741817] mempool_uaf_helper+0x394/0x400 [ 13.741835] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.741858] ? finish_task_switch.isra.0+0x153/0x700 [ 13.741883] mempool_page_alloc_uaf+0xee/0x140 [ 13.741912] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 13.741937] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 13.741959] ? __pfx_mempool_free_pages+0x10/0x10 [ 13.741981] ? __pfx_read_tsc+0x10/0x10 [ 13.742001] ? ktime_get_ts64+0x84/0x230 [ 13.742027] kunit_try_run_case+0x1a6/0x480 [ 13.742050] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.742185] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 13.742212] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.742236] ? __kthread_parkme+0x82/0x160 [ 13.742255] ? preempt_count_sub+0x50/0x80 [ 13.742275] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.742294] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.742316] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.742340] kthread+0x257/0x310 [ 13.742358] ? __pfx_kthread+0x10/0x10 [ 13.742375] ret_from_fork+0x41/0x80 [ 13.742393] ? __pfx_kthread+0x10/0x10 [ 13.742411] ret_from_fork_asm+0x1a/0x30 [ 13.742440] </TASK> [ 13.742452] [ 13.755001] The buggy address belongs to the physical page: [ 13.755300] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b90 [ 13.755566] flags: 0x200000000000000(node=0|zone=2) [ 13.755791] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 13.756036] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 13.756624] page dumped because: kasan: bad access detected [ 13.756811] [ 13.756939] Memory state around the buggy address: [ 13.757401] ffff888102b8ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.757956] ffff888102b8ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.758619] >ffff888102b90000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.759408] ^ [ 13.759705] ffff888102b90080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.760249] ffff888102b90100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.760655] ================================================================== [ 13.667601] ================================================================== [ 13.668080] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 13.668796] Read of size 1 at addr ffff88810258c000 by task kunit_try_catch/234 [ 13.669516] [ 13.669799] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 13.669891] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.669929] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.670019] Call Trace: [ 13.670049] <TASK> [ 13.670082] dump_stack_lvl+0x73/0xb0 [ 13.670251] print_report+0xd1/0x640 [ 13.670279] ? __virt_addr_valid+0x1db/0x2d0 [ 13.670304] ? mempool_uaf_helper+0x394/0x400 [ 13.670323] ? kasan_addr_to_slab+0x11/0xa0 [ 13.670344] ? mempool_uaf_helper+0x394/0x400 [ 13.670363] kasan_report+0x140/0x180 [ 13.670386] ? mempool_uaf_helper+0x394/0x400 [ 13.670410] __asan_report_load1_noabort+0x18/0x20 [ 13.670431] mempool_uaf_helper+0x394/0x400 [ 13.670449] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.670472] ? finish_task_switch.isra.0+0x153/0x700 [ 13.670495] mempool_kmalloc_large_uaf+0xf0/0x140 [ 13.670515] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 13.670537] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.670555] ? __pfx_mempool_kfree+0x10/0x10 [ 13.670575] ? __pfx_read_tsc+0x10/0x10 [ 13.670594] ? ktime_get_ts64+0x84/0x230 [ 13.670619] kunit_try_run_case+0x1a6/0x480 [ 13.670641] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.670680] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 13.670707] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.670731] ? __kthread_parkme+0x82/0x160 [ 13.670751] ? preempt_count_sub+0x50/0x80 [ 13.670771] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.670791] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.670815] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.670868] kthread+0x257/0x310 [ 13.670886] ? __pfx_kthread+0x10/0x10 [ 13.670904] ret_from_fork+0x41/0x80 [ 13.670924] ? __pfx_kthread+0x10/0x10 [ 13.670941] ret_from_fork_asm+0x1a/0x30 [ 13.670973] </TASK> [ 13.670984] [ 13.682888] The buggy address belongs to the physical page: [ 13.683773] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10258c [ 13.684324] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.684814] flags: 0x200000000000040(head|node=0|zone=2) [ 13.685339] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.685734] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 13.686361] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.686863] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 13.687441] head: 0200000000000002 ffffea0004096301 ffffffffffffffff 0000000000000000 [ 13.687847] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 13.688633] page dumped because: kasan: bad access detected [ 13.688853] [ 13.689026] Memory state around the buggy address: [ 13.689529] ffff88810258bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.689829] ffff88810258bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.690384] >ffff88810258c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.690859] ^ [ 13.691043] ffff88810258c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.691703] ffff88810258c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.692334] ==================================================================