Date
June 7, 2025, 10:40 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 23.377097] ================================================================== [ 23.378323] BUG: KASAN: use-after-free in mempool_uaf_helper+0x320/0x348 [ 23.379138] Read of size 1 at addr fff00000c6a24000 by task kunit_try_catch/217 [ 23.380696] [ 23.381019] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1 [ 23.381396] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.381501] Hardware name: linux,dummy-virt (DT) [ 23.381564] Call trace: [ 23.381596] dump_backtrace+0x9c/0x128 [ 23.381653] show_stack+0x20/0x38 [ 23.381742] dump_stack_lvl+0x8c/0xd0 [ 23.381799] print_report+0x118/0x5f0 [ 23.381843] kasan_report+0xdc/0x128 [ 23.381885] __asan_report_load1_noabort+0x20/0x30 [ 23.381938] mempool_uaf_helper+0x320/0x348 [ 23.382017] mempool_kmalloc_large_uaf+0xc4/0x120 [ 23.382076] kunit_try_run_case+0x170/0x3f0 [ 23.382125] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.382179] kthread+0x24c/0x2d0 [ 23.382224] ret_from_fork+0x10/0x20 [ 23.382274] [ 23.390290] The buggy address belongs to the physical page: [ 23.391044] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106a24 [ 23.392256] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 23.393177] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 23.394039] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 23.394933] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.395947] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 23.396826] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.397627] head: 0bfffe0000000002 ffffc1ffc31a8901 ffffffffffffffff 0000000000000000 [ 23.398349] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 23.399286] page dumped because: kasan: bad access detected [ 23.400127] [ 23.400563] Memory state around the buggy address: [ 23.401131] fff00000c6a23f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.402130] fff00000c6a23f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.402892] >fff00000c6a24000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.403788] ^ [ 23.404431] fff00000c6a24080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.405235] fff00000c6a24100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.405885] ================================================================== [ 23.479726] ================================================================== [ 23.480900] BUG: KASAN: use-after-free in mempool_uaf_helper+0x320/0x348 [ 23.481602] Read of size 1 at addr fff00000c6a74000 by task kunit_try_catch/221 [ 23.482750] [ 23.483249] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1 [ 23.483668] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.483746] Hardware name: linux,dummy-virt (DT) [ 23.483830] Call trace: [ 23.483879] dump_backtrace+0x9c/0x128 [ 23.483939] show_stack+0x20/0x38 [ 23.484016] dump_stack_lvl+0x8c/0xd0 [ 23.484072] print_report+0x118/0x5f0 [ 23.484116] kasan_report+0xdc/0x128 [ 23.484160] __asan_report_load1_noabort+0x20/0x30 [ 23.484213] mempool_uaf_helper+0x320/0x348 [ 23.484262] mempool_page_alloc_uaf+0xc0/0x118 [ 23.484312] kunit_try_run_case+0x170/0x3f0 [ 23.484364] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.484419] kthread+0x24c/0x2d0 [ 23.484466] ret_from_fork+0x10/0x20 [ 23.484515] [ 23.492003] The buggy address belongs to the physical page: [ 23.492622] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106a74 [ 23.493675] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 23.494624] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 23.495860] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.496580] page dumped because: kasan: bad access detected [ 23.497223] [ 23.497523] Memory state around the buggy address: [ 23.498150] fff00000c6a73f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.498843] fff00000c6a73f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.500035] >fff00000c6a74000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.500787] ^ [ 23.501248] fff00000c6a74080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.502003] fff00000c6a74100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.502716] ==================================================================
[ 19.941158] ================================================================== [ 19.941819] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 19.942308] Read of size 1 at addr ffff888102bf4000 by task kunit_try_catch/234 [ 19.943036] [ 19.943428] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1 [ 19.943547] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.943580] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.943641] Call Trace: [ 19.943677] <TASK> [ 19.943726] dump_stack_lvl+0x73/0xb0 [ 19.943810] print_report+0xd1/0x640 [ 19.943889] ? __virt_addr_valid+0x1db/0x2d0 [ 19.943968] ? mempool_uaf_helper+0x394/0x400 [ 19.944036] ? kasan_addr_to_slab+0x11/0xa0 [ 19.944138] ? mempool_uaf_helper+0x394/0x400 [ 19.944208] kasan_report+0x140/0x180 [ 19.944305] ? mempool_uaf_helper+0x394/0x400 [ 19.944383] __asan_report_load1_noabort+0x18/0x20 [ 19.944455] mempool_uaf_helper+0x394/0x400 [ 19.944526] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 19.944604] ? finish_task_switch.isra.0+0x153/0x700 [ 19.944689] mempool_kmalloc_large_uaf+0xf0/0x140 [ 19.944775] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 19.944854] ? __pfx_mempool_kmalloc+0x10/0x10 [ 19.944924] ? __pfx_mempool_kfree+0x10/0x10 [ 19.944992] ? __pfx_read_tsc+0x10/0x10 [ 19.945053] ? ktime_get_ts64+0x84/0x230 [ 19.945132] kunit_try_run_case+0x1a6/0x480 [ 19.945172] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.945202] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 19.945262] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.945300] ? __kthread_parkme+0x82/0x160 [ 19.945330] ? preempt_count_sub+0x50/0x80 [ 19.945362] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.945392] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.945429] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.945570] kthread+0x257/0x310 [ 19.945604] ? __pfx_kthread+0x10/0x10 [ 19.945633] ret_from_fork+0x41/0x80 [ 19.945663] ? __pfx_kthread+0x10/0x10 [ 19.945690] ret_from_fork_asm+0x1a/0x30 [ 19.945733] </TASK> [ 19.945748] [ 19.965125] The buggy address belongs to the physical page: [ 19.965945] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102bf4 [ 19.966900] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 19.967722] flags: 0x200000000000040(head|node=0|zone=2) [ 19.968313] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 19.969452] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 19.970273] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 19.971023] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 19.971909] head: 0200000000000002 ffffea00040afd01 ffffffffffffffff 0000000000000000 [ 19.972546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 19.973741] page dumped because: kasan: bad access detected [ 19.974305] [ 19.974535] Memory state around the buggy address: [ 19.975146] ffff888102bf3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.975787] ffff888102bf3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.976516] >ffff888102bf4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.977734] ^ [ 19.978027] ffff888102bf4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.978934] ffff888102bf4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.979534] ================================================================== [ 20.060162] ================================================================== [ 20.061180] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 20.062317] Read of size 1 at addr ffff888102c90000 by task kunit_try_catch/238 [ 20.063526] [ 20.063747] CPU: 1 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1 [ 20.063869] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.063908] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.063970] Call Trace: [ 20.064012] <TASK> [ 20.064059] dump_stack_lvl+0x73/0xb0 [ 20.064187] print_report+0xd1/0x640 [ 20.064313] ? __virt_addr_valid+0x1db/0x2d0 [ 20.064397] ? mempool_uaf_helper+0x394/0x400 [ 20.064466] ? kasan_addr_to_slab+0x11/0xa0 [ 20.064538] ? mempool_uaf_helper+0x394/0x400 [ 20.064602] kasan_report+0x140/0x180 [ 20.064681] ? mempool_uaf_helper+0x394/0x400 [ 20.064775] __asan_report_load1_noabort+0x18/0x20 [ 20.064827] mempool_uaf_helper+0x394/0x400 [ 20.064899] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 20.064940] ? finish_task_switch.isra.0+0x153/0x700 [ 20.064980] mempool_page_alloc_uaf+0xee/0x140 [ 20.065009] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 20.065041] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 20.065070] ? __pfx_mempool_free_pages+0x10/0x10 [ 20.065099] ? __pfx_read_tsc+0x10/0x10 [ 20.065127] ? ktime_get_ts64+0x84/0x230 [ 20.065163] kunit_try_run_case+0x1a6/0x480 [ 20.065196] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.065250] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 20.065286] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.065320] ? __kthread_parkme+0x82/0x160 [ 20.065348] ? preempt_count_sub+0x50/0x80 [ 20.065377] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.065405] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.065444] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.065592] kthread+0x257/0x310 [ 20.065620] ? __pfx_kthread+0x10/0x10 [ 20.065646] ret_from_fork+0x41/0x80 [ 20.065675] ? __pfx_kthread+0x10/0x10 [ 20.065699] ret_from_fork_asm+0x1a/0x30 [ 20.065744] </TASK> [ 20.065758] [ 20.086323] The buggy address belongs to the physical page: [ 20.087888] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c90 [ 20.089050] flags: 0x200000000000000(node=0|zone=2) [ 20.089814] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 20.090727] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 20.091865] page dumped because: kasan: bad access detected [ 20.092204] [ 20.092447] Memory state around the buggy address: [ 20.092925] ffff888102c8ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.093803] ffff888102c8ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.094330] >ffff888102c90000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.095712] ^ [ 20.096042] ffff888102c90080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.096655] ffff888102c90100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.097151] ==================================================================