Date
June 24, 2025, 12:47 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 26.918705] ================================================================== [ 26.918842] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 26.918979] Read of size 1 at addr fff00000c78ac000 by task kunit_try_catch/231 [ 26.921524] [ 26.921661] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT [ 26.921897] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.921970] Hardware name: linux,dummy-virt (DT) [ 26.922055] Call trace: [ 26.922118] show_stack+0x20/0x38 (C) [ 26.922307] dump_stack_lvl+0x8c/0xd0 [ 26.922456] print_report+0x118/0x608 [ 26.922586] kasan_report+0xdc/0x128 [ 26.922708] __asan_report_load1_noabort+0x20/0x30 [ 26.922839] mempool_uaf_helper+0x314/0x340 [ 26.922957] mempool_kmalloc_large_uaf+0xc4/0x120 [ 26.923145] kunit_try_run_case+0x170/0x3f0 [ 26.923400] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.923777] kthread+0x328/0x630 [ 26.924433] ret_from_fork+0x10/0x20 [ 26.924610] [ 26.924663] The buggy address belongs to the physical page: [ 26.924896] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078ac [ 26.925029] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 26.925139] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 26.926302] page_type: f8(unknown) [ 26.926455] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 26.926780] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 26.926913] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 26.927040] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 26.928365] head: 0bfffe0000000002 ffffc1ffc31e2b01 00000000ffffffff 00000000ffffffff [ 26.929258] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 26.929468] page dumped because: kasan: bad access detected [ 26.929718] [ 26.929768] Memory state around the buggy address: [ 26.930090] fff00000c78abf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.930565] fff00000c78abf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.930694] >fff00000c78ac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.930796] ^ [ 26.931041] fff00000c78ac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.931666] fff00000c78ac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.931932] ================================================================== [ 27.018829] ================================================================== [ 27.018992] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 27.019149] Read of size 1 at addr fff00000c78ac000 by task kunit_try_catch/235 [ 27.019266] [ 27.019352] CPU: 1 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT [ 27.021354] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.021572] Hardware name: linux,dummy-virt (DT) [ 27.021666] Call trace: [ 27.021728] show_stack+0x20/0x38 (C) [ 27.021866] dump_stack_lvl+0x8c/0xd0 [ 27.021995] print_report+0x118/0x608 [ 27.022115] kasan_report+0xdc/0x128 [ 27.022229] __asan_report_load1_noabort+0x20/0x30 [ 27.022400] mempool_uaf_helper+0x314/0x340 [ 27.022606] mempool_page_alloc_uaf+0xc0/0x118 [ 27.022752] kunit_try_run_case+0x170/0x3f0 [ 27.022975] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.023117] kthread+0x328/0x630 [ 27.023256] ret_from_fork+0x10/0x20 [ 27.023486] [ 27.023550] The buggy address belongs to the physical page: [ 27.023640] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078ac [ 27.023897] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.024195] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 27.025468] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 27.025964] page dumped because: kasan: bad access detected [ 27.026043] [ 27.026275] Memory state around the buggy address: [ 27.027340] fff00000c78abf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.027474] fff00000c78abf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.028129] >fff00000c78ac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.029526] ^ [ 27.029613] fff00000c78ac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.029731] fff00000c78ac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.029827] ==================================================================
[ 13.498401] ================================================================== [ 13.499059] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.500216] Read of size 1 at addr ffff888103b68000 by task kunit_try_catch/249 [ 13.500470] [ 13.500618] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT(voluntary) [ 13.501041] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.501100] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.501149] Call Trace: [ 13.501178] <TASK> [ 13.501216] dump_stack_lvl+0x73/0xb0 [ 13.501359] print_report+0xd1/0x650 [ 13.501405] ? __virt_addr_valid+0x1db/0x2d0 [ 13.501455] ? mempool_uaf_helper+0x392/0x400 [ 13.501497] ? kasan_addr_to_slab+0x11/0xa0 [ 13.501591] ? mempool_uaf_helper+0x392/0x400 [ 13.501768] kasan_report+0x141/0x180 [ 13.501816] ? mempool_uaf_helper+0x392/0x400 [ 13.501845] __asan_report_load1_noabort+0x18/0x20 [ 13.501867] mempool_uaf_helper+0x392/0x400 [ 13.501890] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.501912] ? dequeue_entities+0x852/0x1740 [ 13.501939] ? finish_task_switch.isra.0+0x153/0x700 [ 13.501982] mempool_kmalloc_large_uaf+0xef/0x140 [ 13.502007] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 13.502031] ? dequeue_task_fair+0x166/0x4e0 [ 13.502054] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.502079] ? __pfx_mempool_kfree+0x10/0x10 [ 13.502101] ? __pfx_read_tsc+0x10/0x10 [ 13.502123] ? ktime_get_ts64+0x86/0x230 [ 13.502149] kunit_try_run_case+0x1a5/0x480 [ 13.502177] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.502200] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.502225] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.502248] ? __kthread_parkme+0x82/0x180 [ 13.502270] ? preempt_count_sub+0x50/0x80 [ 13.502327] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.502362] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.502397] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.502421] kthread+0x337/0x6f0 [ 13.502439] ? trace_preempt_on+0x20/0xc0 [ 13.502464] ? __pfx_kthread+0x10/0x10 [ 13.502482] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.502503] ? calculate_sigpending+0x7b/0xa0 [ 13.502524] ? __pfx_kthread+0x10/0x10 [ 13.502545] ret_from_fork+0x41/0x80 [ 13.502571] ? __pfx_kthread+0x10/0x10 [ 13.502588] ret_from_fork_asm+0x1a/0x30 [ 13.502619] </TASK> [ 13.502650] [ 13.516242] The buggy address belongs to the physical page: [ 13.516915] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b68 [ 13.517309] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.517884] flags: 0x200000000000040(head|node=0|zone=2) [ 13.518257] page_type: f8(unknown) [ 13.518550] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.519157] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.519489] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.519902] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.520364] head: 0200000000000002 ffffea00040eda01 00000000ffffffff 00000000ffffffff [ 13.520787] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 13.522039] page dumped because: kasan: bad access detected [ 13.522317] [ 13.522474] Memory state around the buggy address: [ 13.523117] ffff888103b67f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.523555] ffff888103b67f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.524074] >ffff888103b68000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.524604] ^ [ 13.525134] ffff888103b68080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.525560] ffff888103b68100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.525751] ================================================================== [ 13.581955] ================================================================== [ 13.582999] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.583553] Read of size 1 at addr ffff888103b68000 by task kunit_try_catch/253 [ 13.584037] [ 13.584186] CPU: 0 UID: 0 PID: 253 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT(voluntary) [ 13.584402] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.584435] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.584475] Call Trace: [ 13.584504] <TASK> [ 13.584541] dump_stack_lvl+0x73/0xb0 [ 13.584613] print_report+0xd1/0x650 [ 13.584683] ? __virt_addr_valid+0x1db/0x2d0 [ 13.584719] ? mempool_uaf_helper+0x392/0x400 [ 13.584774] ? kasan_addr_to_slab+0x11/0xa0 [ 13.584812] ? mempool_uaf_helper+0x392/0x400 [ 13.584858] kasan_report+0x141/0x180 [ 13.584903] ? mempool_uaf_helper+0x392/0x400 [ 13.584958] __asan_report_load1_noabort+0x18/0x20 [ 13.585003] mempool_uaf_helper+0x392/0x400 [ 13.585040] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.585078] ? dequeue_entities+0x852/0x1740 [ 13.585121] ? irqentry_exit+0x2a/0x60 [ 13.585155] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 13.585215] mempool_page_alloc_uaf+0xed/0x140 [ 13.585271] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 13.585311] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 13.585350] ? __pfx_mempool_free_pages+0x10/0x10 [ 13.585390] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 13.585672] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 13.585739] kunit_try_run_case+0x1a5/0x480 [ 13.585781] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.585814] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.585849] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.585881] ? __kthread_parkme+0x82/0x180 [ 13.585914] ? preempt_count_sub+0x50/0x80 [ 13.585967] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.585995] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.586020] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.586043] kthread+0x337/0x6f0 [ 13.586062] ? trace_preempt_on+0x20/0xc0 [ 13.586087] ? __pfx_kthread+0x10/0x10 [ 13.586105] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.586126] ? calculate_sigpending+0x7b/0xa0 [ 13.586148] ? __pfx_kthread+0x10/0x10 [ 13.586166] ret_from_fork+0x41/0x80 [ 13.586189] ? __pfx_kthread+0x10/0x10 [ 13.586206] ret_from_fork_asm+0x1a/0x30 [ 13.586235] </TASK> [ 13.586248] [ 13.598937] The buggy address belongs to the physical page: [ 13.599708] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b68 [ 13.600208] flags: 0x200000000000000(node=0|zone=2) [ 13.600799] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 13.601412] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 13.601963] page dumped because: kasan: bad access detected [ 13.602424] [ 13.602607] Memory state around the buggy address: [ 13.603149] ffff888103b67f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.603500] ffff888103b67f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.604011] >ffff888103b68000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.604505] ^ [ 13.604828] ffff888103b68080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.605506] ffff888103b68100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.606054] ==================================================================