Date
June 2, 2025, 2:13 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 20.540124] ================================================================== [ 20.540753] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.541221] Read of size 1 at addr fff00000c6604000 by task kunit_try_catch/223 [ 20.541705] [ 20.541834] CPU: 1 UID: 0 PID: 223 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 20.541961] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.541997] Hardware name: linux,dummy-virt (DT) [ 20.542051] Call trace: [ 20.542083] show_stack+0x20/0x38 (C) [ 20.542150] dump_stack_lvl+0x8c/0xd0 [ 20.542276] print_report+0x118/0x608 [ 20.542337] kasan_report+0xdc/0x128 [ 20.542393] __asan_report_load1_noabort+0x20/0x30 [ 20.542449] mempool_uaf_helper+0x314/0x340 [ 20.542505] mempool_page_alloc_uaf+0xc0/0x118 [ 20.542561] kunit_try_run_case+0x170/0x3f0 [ 20.542621] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.542674] kthread+0x318/0x620 [ 20.542723] ret_from_fork+0x10/0x20 [ 20.542775] [ 20.546711] The buggy address belongs to the physical page: [ 20.547053] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106604 [ 20.547498] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.547887] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 20.548337] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 20.548778] page dumped because: kasan: bad access detected [ 20.549093] [ 20.549255] Memory state around the buggy address: [ 20.549454] fff00000c6603f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.549701] fff00000c6603f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.550365] >fff00000c6604000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.551458] ^ [ 20.551717] fff00000c6604080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.552133] fff00000c6604100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.552513] ================================================================== [ 20.478385] ================================================================== [ 20.478979] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.479448] Read of size 1 at addr fff00000c6698000 by task kunit_try_catch/219 [ 20.479653] [ 20.479761] CPU: 0 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 20.479850] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.479880] Hardware name: linux,dummy-virt (DT) [ 20.479916] Call trace: [ 20.479941] show_stack+0x20/0x38 (C) [ 20.479992] dump_stack_lvl+0x8c/0xd0 [ 20.480043] print_report+0x118/0x608 [ 20.480089] kasan_report+0xdc/0x128 [ 20.480135] __asan_report_load1_noabort+0x20/0x30 [ 20.480211] mempool_uaf_helper+0x314/0x340 [ 20.480258] mempool_kmalloc_large_uaf+0xc4/0x120 [ 20.480307] kunit_try_run_case+0x170/0x3f0 [ 20.480355] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.480409] kthread+0x318/0x620 [ 20.480454] ret_from_fork+0x10/0x20 [ 20.480506] [ 20.484378] The buggy address belongs to the physical page: [ 20.484626] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106698 [ 20.484930] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 20.486987] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 20.487473] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 20.487819] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 20.488321] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 20.488796] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 20.489272] head: 0bfffe0000000002 ffffc1ffc319a601 ffffffffffffffff 0000000000000000 [ 20.489794] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 20.490323] page dumped because: kasan: bad access detected [ 20.490544] [ 20.490671] Memory state around the buggy address: [ 20.490854] fff00000c6697f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.491193] fff00000c6697f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.491516] >fff00000c6698000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.491816] ^ [ 20.491999] fff00000c6698080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.492779] fff00000c6698100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.493551] ==================================================================
[ 14.283880] ================================================================== [ 14.284764] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 14.286318] Read of size 1 at addr ffff888102898000 by task kunit_try_catch/241 [ 14.286836] [ 14.287241] CPU: 1 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 14.287288] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.287301] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.287439] Call Trace: [ 14.287455] <TASK> [ 14.287472] dump_stack_lvl+0x73/0xb0 [ 14.287501] print_report+0xd1/0x650 [ 14.287521] ? __virt_addr_valid+0x1db/0x2d0 [ 14.287610] ? mempool_uaf_helper+0x394/0x400 [ 14.287637] ? kasan_addr_to_slab+0x11/0xa0 [ 14.287657] ? mempool_uaf_helper+0x394/0x400 [ 14.287691] kasan_report+0x140/0x180 [ 14.287711] ? mempool_uaf_helper+0x394/0x400 [ 14.287737] __asan_report_load1_noabort+0x18/0x20 [ 14.287760] mempool_uaf_helper+0x394/0x400 [ 14.287781] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.287806] ? finish_task_switch.isra.0+0x153/0x700 [ 14.287833] mempool_page_alloc_uaf+0xee/0x140 [ 14.287855] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 14.287881] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 14.287902] ? __pfx_mempool_free_pages+0x10/0x10 [ 14.287924] ? __pfx_read_tsc+0x10/0x10 [ 14.287946] ? ktime_get_ts64+0x86/0x230 [ 14.287971] kunit_try_run_case+0x1a6/0x480 [ 14.287993] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.288023] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 14.288047] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.288070] ? __kthread_parkme+0x82/0x160 [ 14.288092] ? preempt_count_sub+0x50/0x80 [ 14.288115] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.288137] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.288162] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.288187] kthread+0x324/0x6e0 [ 14.288208] ? trace_preempt_on+0x20/0xc0 [ 14.288231] ? __pfx_kthread+0x10/0x10 [ 14.288253] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.288275] ? calculate_sigpending+0x7b/0xa0 [ 14.288297] ? __pfx_kthread+0x10/0x10 [ 14.288319] ret_from_fork+0x41/0x80 [ 14.288338] ? __pfx_kthread+0x10/0x10 [ 14.288359] ret_from_fork_asm+0x1a/0x30 [ 14.288389] </TASK> [ 14.288401] [ 14.303352] The buggy address belongs to the physical page: [ 14.303828] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102898 [ 14.304244] flags: 0x200000000000000(node=0|zone=2) [ 14.304782] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 14.305479] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 14.306105] page dumped because: kasan: bad access detected [ 14.306699] [ 14.306858] Memory state around the buggy address: [ 14.307365] ffff888102897f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.307835] ffff888102897f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.308067] >ffff888102898000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.308275] ^ [ 14.308391] ffff888102898080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.308713] ffff888102898100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.309392] ================================================================== [ 14.221706] ================================================================== [ 14.222197] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 14.222423] Read of size 1 at addr ffff888102898000 by task kunit_try_catch/237 [ 14.222926] [ 14.223141] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 14.223185] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.223197] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.223218] Call Trace: [ 14.223230] <TASK> [ 14.223247] dump_stack_lvl+0x73/0xb0 [ 14.223274] print_report+0xd1/0x650 [ 14.223295] ? __virt_addr_valid+0x1db/0x2d0 [ 14.223317] ? mempool_uaf_helper+0x394/0x400 [ 14.223338] ? kasan_addr_to_slab+0x11/0xa0 [ 14.223359] ? mempool_uaf_helper+0x394/0x400 [ 14.223382] kasan_report+0x140/0x180 [ 14.223403] ? mempool_uaf_helper+0x394/0x400 [ 14.223429] __asan_report_load1_noabort+0x18/0x20 [ 14.223452] mempool_uaf_helper+0x394/0x400 [ 14.223473] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.223498] ? finish_task_switch.isra.0+0x153/0x700 [ 14.223526] mempool_kmalloc_large_uaf+0xf0/0x140 [ 14.223556] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 14.223580] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.223600] ? __pfx_mempool_kfree+0x10/0x10 [ 14.223622] ? __pfx_read_tsc+0x10/0x10 [ 14.223643] ? ktime_get_ts64+0x86/0x230 [ 14.223668] kunit_try_run_case+0x1a6/0x480 [ 14.223691] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.223711] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 14.223736] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.223759] ? __kthread_parkme+0x82/0x160 [ 14.223781] ? preempt_count_sub+0x50/0x80 [ 14.223805] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.223827] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.223853] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.223879] kthread+0x324/0x6e0 [ 14.223899] ? trace_preempt_on+0x20/0xc0 [ 14.223923] ? __pfx_kthread+0x10/0x10 [ 14.223944] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.223966] ? calculate_sigpending+0x7b/0xa0 [ 14.223987] ? __pfx_kthread+0x10/0x10 [ 14.224009] ret_from_fork+0x41/0x80 [ 14.224037] ? __pfx_kthread+0x10/0x10 [ 14.224058] ret_from_fork_asm+0x1a/0x30 [ 14.224089] </TASK> [ 14.224099] [ 14.236594] The buggy address belongs to the physical page: [ 14.237153] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102898 [ 14.237906] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 14.238153] flags: 0x200000000000040(head|node=0|zone=2) [ 14.238342] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.238618] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 14.239294] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.240067] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 14.240809] head: 0200000000000002 ffffea00040a2601 ffffffffffffffff 0000000000000000 [ 14.241478] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 14.242253] page dumped because: kasan: bad access detected [ 14.242824] [ 14.242904] Memory state around the buggy address: [ 14.243073] ffff888102897f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.243288] ffff888102897f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.243506] >ffff888102898000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.243749] ^ [ 14.243929] ffff888102898080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.244244] ffff888102898100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.244478] ==================================================================