Hay
Date
June 7, 2025, 10:40 a.m.

Environment
qemu-arm64
qemu-x86_64

Note: the KASAN reports below come from the kernel's KASAN KUnit self-test, not from a real workload — the faulting task is `kunit_try_catch`, the taint line carries `[N]=TEST`, and the callers are the test cases `mempool_kmalloc_large_uaf` and `mempool_page_alloc_uaf` via `mempool_uaf_helper`. The use-after-free reads are deliberate; a report here means the sanitizer detected them as expected, so these should not be triaged as kernel vulnerabilities. Each access hits page-allocator memory whose shadow is entirely `ff` (freed page); the kmalloc_large case lands on an order-2 compound page (`head: order:2`), the page_alloc case on an order-0 page. The two qemu-arm64 reports appear out of timestamp order (25.107 s before 24.916 s), and the `[B]=BAD_PAGE` taint is already set in every report shown, so it presumably originates from an earlier test in the same run.

[   25.107547] ==================================================================
[   25.110477] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   25.111910] Read of size 1 at addr fff00000c6594000 by task kunit_try_catch/222
[   25.112465] 
[   25.112718] CPU: 0 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N 6.14.11-rc1 #1
[   25.112921] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.112984] Hardware name: linux,dummy-virt (DT)
[   25.114155] Call trace:
[   25.114222]  show_stack+0x20/0x38 (C)
[   25.114339]  dump_stack_lvl+0x8c/0xd0
[   25.114455]  print_report+0x118/0x608
[   25.114562]  kasan_report+0xdc/0x128
[   25.114674]  __asan_report_load1_noabort+0x20/0x30
[   25.114789]  mempool_uaf_helper+0x314/0x340
[   25.115381]  mempool_page_alloc_uaf+0xc0/0x118
[   25.115513]  kunit_try_run_case+0x170/0x3f0
[   25.115623]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.115748]  kthread+0x318/0x620
[   25.115855]  ret_from_fork+0x10/0x20
[   25.115988] 
[   25.129817] The buggy address belongs to the physical page:
[   25.131520] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106594
[   25.132141] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.132696] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   25.135284] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   25.136766] page dumped because: kasan: bad access detected
[   25.138278] 
[   25.138647] Memory state around the buggy address:
[   25.139968]  fff00000c6593f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   25.142285]  fff00000c6593f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   25.142926] >fff00000c6594000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   25.144553]                    ^
[   25.145456]  fff00000c6594080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   25.146817]  fff00000c6594100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   25.147624] ==================================================================
[   24.916650] ==================================================================
[   24.918241] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   24.919055] Read of size 1 at addr fff00000c6590000 by task kunit_try_catch/218
[   24.919782] 
[   24.920268] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G    B            N 6.14.11-rc1 #1
[   24.920440] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.920481] Hardware name: linux,dummy-virt (DT)
[   24.920521] Call trace:
[   24.920574]  show_stack+0x20/0x38 (C)
[   24.920712]  dump_stack_lvl+0x8c/0xd0
[   24.920848]  print_report+0x118/0x608
[   24.921000]  kasan_report+0xdc/0x128
[   24.921150]  __asan_report_load1_noabort+0x20/0x30
[   24.921295]  mempool_uaf_helper+0x314/0x340
[   24.921421]  mempool_kmalloc_large_uaf+0xc4/0x120
[   24.921547]  kunit_try_run_case+0x170/0x3f0
[   24.921635]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   24.921704]  kthread+0x318/0x620
[   24.921756]  ret_from_fork+0x10/0x20
[   24.921815] 
[   24.928962] The buggy address belongs to the physical page:
[   24.929797] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106590
[   24.931024] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.931676] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   24.932432] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   24.933380] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   24.934374] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   24.935217] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   24.935996] head: 0bfffe0000000002 ffffc1ffc3196401 ffffffffffffffff 0000000000000000
[   24.936754] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[   24.937624] page dumped because: kasan: bad access detected
[   24.938534] 
[   24.938842] Memory state around the buggy address:
[   24.939420]  fff00000c658ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.941079]  fff00000c658ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.942331] >fff00000c6590000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.942861]                    ^
[   24.943217]  fff00000c6590080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.943758]  fff00000c6590100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.947721] ==================================================================

[   19.634986] ==================================================================
[   19.636094] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[   19.637264] Read of size 1 at addr ffff888102cb8000 by task kunit_try_catch/237
[   19.637959] 
[   19.638217] CPU: 0 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G    B            N 6.14.11-rc1 #1
[   19.638328] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.638359] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   19.638413] Call Trace:
[   19.638455]  <TASK>
[   19.638494]  dump_stack_lvl+0x73/0xb0
[   19.638580]  print_report+0xd1/0x650
[   19.638635]  ? __virt_addr_valid+0x1db/0x2d0
[   19.638690]  ? mempool_uaf_helper+0x394/0x400
[   19.638741]  ? kasan_addr_to_slab+0x11/0xa0
[   19.638786]  ? mempool_uaf_helper+0x394/0x400
[   19.638832]  kasan_report+0x140/0x180
[   19.638906]  ? mempool_uaf_helper+0x394/0x400
[   19.638971]  __asan_report_load1_noabort+0x18/0x20
[   19.639034]  mempool_uaf_helper+0x394/0x400
[   19.639095]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   19.639156]  ? irqentry_exit+0x2a/0x60
[   19.639212]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   19.639286]  mempool_kmalloc_large_uaf+0xf0/0x140
[   19.639352]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   19.639418]  ? __pfx_mempool_kmalloc+0x10/0x10
[   19.639454]  ? __pfx_mempool_kfree+0x10/0x10
[   19.639481]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   19.639516]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   19.639550]  kunit_try_run_case+0x1a6/0x480
[   19.639583]  ? __pfx_kunit_try_run_case+0x10/0x10
[   19.639612]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   19.639643]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   19.639673]  ? __kthread_parkme+0x82/0x160
[   19.639717]  ? preempt_count_sub+0x50/0x80
[   19.639749]  ? __pfx_kunit_try_run_case+0x10/0x10
[   19.639779]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   19.639813]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   19.639845]  kthread+0x324/0x6e0
[   19.639894]  ? trace_preempt_on+0x20/0xc0
[   19.639926]  ? __pfx_kthread+0x10/0x10
[   19.639954]  ? _raw_spin_unlock_irq+0x47/0x80
[   19.639983]  ? calculate_sigpending+0x7b/0xa0
[   19.640011]  ? __pfx_kthread+0x10/0x10
[   19.640039]  ret_from_fork+0x41/0x80
[   19.640065]  ? __pfx_kthread+0x10/0x10
[   19.640092]  ret_from_fork_asm+0x1a/0x30
[   19.640134]  </TASK>
[   19.640148] 
[   19.652031] The buggy address belongs to the physical page:
[   19.652617] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102cb8
[   19.653379] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   19.654036] flags: 0x200000000000040(head|node=0|zone=2)
[   19.654602] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   19.655154] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   19.655559] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   19.656211] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   19.656907] head: 0200000000000002 ffffea00040b2e01 ffffffffffffffff 0000000000000000
[   19.657628] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[   19.658213] page dumped because: kasan: bad access detected
[   19.658493] 
[   19.658687] Memory state around the buggy address:
[   19.659157]  ffff888102cb7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.659706]  ffff888102cb7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.660159] >ffff888102cb8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.660704]                    ^
[   19.660948]  ffff888102cb8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.661289]  ffff888102cb8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.661649] ==================================================================
[   19.728929] ==================================================================
[   19.729564] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[   19.730620] Read of size 1 at addr ffff888102cbc000 by task kunit_try_catch/241
[   19.732219] 
[   19.732408] CPU: 0 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G    B            N 6.14.11-rc1 #1
[   19.732716] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.732749] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   19.732798] Call Trace:
[   19.732836]  <TASK>
[   19.732893]  dump_stack_lvl+0x73/0xb0
[   19.732992]  print_report+0xd1/0x650
[   19.733050]  ? __virt_addr_valid+0x1db/0x2d0
[   19.733107]  ? mempool_uaf_helper+0x394/0x400
[   19.733167]  ? kasan_addr_to_slab+0x11/0xa0
[   19.733218]  ? mempool_uaf_helper+0x394/0x400
[   19.733271]  kasan_report+0x140/0x180
[   19.733327]  ? mempool_uaf_helper+0x394/0x400
[   19.733369]  __asan_report_load1_noabort+0x18/0x20
[   19.733403]  mempool_uaf_helper+0x394/0x400
[   19.733444]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   19.733502]  ? finish_task_switch.isra.0+0x153/0x700
[   19.733563]  mempool_page_alloc_uaf+0xee/0x140
[   19.733600]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   19.733636]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   19.733666]  ? __pfx_mempool_free_pages+0x10/0x10
[   19.733696]  ? __pfx_read_tsc+0x10/0x10
[   19.733726]  ? ktime_get_ts64+0x86/0x230
[   19.733761]  kunit_try_run_case+0x1a6/0x480
[   19.733795]  ? __pfx_kunit_try_run_case+0x10/0x10
[   19.733824]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   19.733881]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   19.733916]  ? __kthread_parkme+0x82/0x160
[   19.733948]  ? preempt_count_sub+0x50/0x80
[   19.733979]  ? __pfx_kunit_try_run_case+0x10/0x10
[   19.734010]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   19.734044]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   19.734077]  kthread+0x324/0x6e0
[   19.734106]  ? trace_preempt_on+0x20/0xc0
[   19.734138]  ? __pfx_kthread+0x10/0x10
[   19.734167]  ? _raw_spin_unlock_irq+0x47/0x80
[   19.734197]  ? calculate_sigpending+0x7b/0xa0
[   19.734227]  ? __pfx_kthread+0x10/0x10
[   19.734257]  ret_from_fork+0x41/0x80
[   19.734282]  ? __pfx_kthread+0x10/0x10
[   19.734325]  ret_from_fork_asm+0x1a/0x30
[   19.734371]  </TASK>
[   19.734388] 
[   19.751841] The buggy address belongs to the physical page:
[   19.752395] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102cbc
[   19.753470] flags: 0x200000000000000(node=0|zone=2)
[   19.753813] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   19.754144] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   19.754852] page dumped because: kasan: bad access detected
[   19.755739] 
[   19.756022] Memory state around the buggy address:
[   19.756900]  ffff888102cbbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.757395]  ffff888102cbbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.758025] >ffff888102cbc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.758527]                    ^
[   19.758882]  ffff888102cbc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.760084]  ffff888102cbc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.760738] ==================================================================