Date
July 8, 2025, 4:38 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 19.867542] ==================================================================
[ 19.867640] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 19.867703] Read of size 1 at addr fff00000c78e0000 by task kunit_try_catch/235
[ 19.867775]
[ 19.867829] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.15.6-rc1 #1 PREEMPT
[ 19.867914] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.867941] Hardware name: linux,dummy-virt (DT)
[ 19.867974] Call trace:
[ 19.867997]  show_stack+0x20/0x38 (C)
[ 19.868044]  dump_stack_lvl+0x8c/0xd0
[ 19.868130]  print_report+0x118/0x608
[ 19.868179]  kasan_report+0xdc/0x128
[ 19.868322]  __asan_report_load1_noabort+0x20/0x30
[ 19.868411]  mempool_uaf_helper+0x314/0x340
[ 19.868484]  mempool_page_alloc_uaf+0xc0/0x118
[ 19.868531]  kunit_try_run_case+0x170/0x3f0
[ 19.868590]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.868644]  kthread+0x328/0x630
[ 19.868805]  ret_from_fork+0x10/0x20
[ 19.868855]
[ 19.868876] The buggy address belongs to the physical page:
[ 19.868907] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e0
[ 19.868961] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.869153] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 19.869258] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 19.869347] page dumped because: kasan: bad access detected
[ 19.869400]
[ 19.869448] Memory state around the buggy address:
[ 19.869546]  fff00000c78dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.869619]  fff00000c78dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.869664] >fff00000c78e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.869924]                    ^
[ 19.869994]  fff00000c78e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.870083]  fff00000c78e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.870233] ==================================================================
```

```
[ 19.835816] ==================================================================
[ 19.835872] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 19.835926] Read of size 1 at addr fff00000c78e0000 by task kunit_try_catch/231
[ 19.835976]
[ 19.836005] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.15.6-rc1 #1 PREEMPT
[ 19.836086] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.836113] Hardware name: linux,dummy-virt (DT)
[ 19.836142] Call trace:
[ 19.836163]  show_stack+0x20/0x38 (C)
[ 19.836210]  dump_stack_lvl+0x8c/0xd0
[ 19.836814]  print_report+0x118/0x608
[ 19.836927]  kasan_report+0xdc/0x128
[ 19.837005]  __asan_report_load1_noabort+0x20/0x30
[ 19.837115]  mempool_uaf_helper+0x314/0x340
[ 19.837416]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 19.837478]  kunit_try_run_case+0x170/0x3f0
[ 19.837527]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.837842]  kthread+0x328/0x630
[ 19.837951]  ret_from_fork+0x10/0x20
[ 19.838071]
[ 19.838130] The buggy address belongs to the physical page:
[ 19.838190] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e0
[ 19.838283] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.838413] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 19.838515] page_type: f8(unknown)
[ 19.838639] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 19.838722] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 19.839001] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 19.839105] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 19.839244] head: 0bfffe0000000002 ffffc1ffc31e3801 00000000ffffffff 00000000ffffffff
[ 19.839364] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 19.839475] page dumped because: kasan: bad access detected
[ 19.839553]
[ 19.839590] Memory state around the buggy address:
[ 19.839759]  fff00000c78dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.839804]  fff00000c78dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.839978] >fff00000c78e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.840080]                    ^
[ 19.840109]  fff00000c78e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.840159]  fff00000c78e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.840399] ==================================================================
```
qemu-x86_64:

```
[ 12.939700] ==================================================================
[ 12.940924] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.941232] Read of size 1 at addr ffff888103cac000 by task kunit_try_catch/253
[ 12.942079]
[ 12.942203] CPU: 1 UID: 0 PID: 253 Comm: kunit_try_catch Tainted: G B N 6.15.6-rc1 #1 PREEMPT(voluntary)
[ 12.942254] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.942267] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.942292] Call Trace:
[ 12.942306]  <TASK>
[ 12.942324]  dump_stack_lvl+0x73/0xb0
[ 12.942354]  print_report+0xd1/0x650
[ 12.942379]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.942404]  ? mempool_uaf_helper+0x392/0x400
[ 12.942427]  ? kasan_addr_to_slab+0x11/0xa0
[ 12.942449]  ? mempool_uaf_helper+0x392/0x400
[ 12.942473]  kasan_report+0x141/0x180
[ 12.942497]  ? mempool_uaf_helper+0x392/0x400
[ 12.942525]  __asan_report_load1_noabort+0x18/0x20
[ 12.942546]  mempool_uaf_helper+0x392/0x400
[ 12.942570]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.942594]  ? dequeue_entities+0x852/0x1740
[ 12.942621]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.942649]  mempool_page_alloc_uaf+0xed/0x140
[ 12.942669]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 12.942691]  ? dequeue_task_fair+0x166/0x4e0
[ 12.942714]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 12.942737]  ? __pfx_mempool_free_pages+0x10/0x10
[ 12.942761]  ? __pfx_read_tsc+0x10/0x10
[ 12.942782]  ? ktime_get_ts64+0x86/0x230
[ 12.942809]  kunit_try_run_case+0x1a5/0x480
[ 12.942832]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.942852]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.942946]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.942978]  ? __kthread_parkme+0x82/0x180
[ 12.943002]  ? preempt_count_sub+0x50/0x80
[ 12.943027]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.943050]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.943074]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.943099]  kthread+0x337/0x6f0
[ 12.943117]  ? trace_preempt_on+0x20/0xc0
[ 12.943142]  ? __pfx_kthread+0x10/0x10
[ 12.943161]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.943185]  ? calculate_sigpending+0x7b/0xa0
[ 12.943208]  ? __pfx_kthread+0x10/0x10
[ 12.943228]  ret_from_fork+0x41/0x80
[ 12.943248]  ? __pfx_kthread+0x10/0x10
[ 12.943267]  ret_from_fork_asm+0x1a/0x30
[ 12.943298]  </TASK>
[ 12.943310]
[ 12.951660] The buggy address belongs to the physical page:
[ 12.951924] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103cac
[ 12.952173] flags: 0x200000000000000(node=0|zone=2)
[ 12.952507] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 12.952819] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 12.953251] page dumped because: kasan: bad access detected
[ 12.953524]
[ 12.953624] Memory state around the buggy address:
[ 12.953851]  ffff888103cabf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.954209]  ffff888103cabf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.954475] >ffff888103cac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.954691]                    ^
[ 12.954810]  ffff888103cac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.955122]  ffff888103cac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.955438] ==================================================================
```

```
[ 12.870110] ==================================================================
[ 12.871187] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.871415] Read of size 1 at addr ffff888103ce8000 by task kunit_try_catch/249
[ 12.872012]
[ 12.872304] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.15.6-rc1 #1 PREEMPT(voluntary)
[ 12.872357] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.872370] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.872394] Call Trace:
[ 12.872407]  <TASK>
[ 12.872426]  dump_stack_lvl+0x73/0xb0
[ 12.872492]  print_report+0xd1/0x650
[ 12.872518]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.872554]  ? mempool_uaf_helper+0x392/0x400
[ 12.872587]  ? kasan_addr_to_slab+0x11/0xa0
[ 12.872609]  ? mempool_uaf_helper+0x392/0x400
[ 12.872633]  kasan_report+0x141/0x180
[ 12.872657]  ? mempool_uaf_helper+0x392/0x400
[ 12.872685]  __asan_report_load1_noabort+0x18/0x20
[ 12.872707]  mempool_uaf_helper+0x392/0x400
[ 12.872732]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.872755]  ? update_load_avg+0x1be/0x21b0
[ 12.872778]  ? update_load_avg+0x1be/0x21b0
[ 12.872797]  ? update_curr+0x80/0x810
[ 12.872818]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.872910]  mempool_kmalloc_large_uaf+0xef/0x140
[ 12.872940]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 12.872964]  ? dequeue_task_fair+0x156/0x4e0
[ 12.872988]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 12.873012]  ? __pfx_mempool_kfree+0x10/0x10
[ 12.873037]  ? __pfx_read_tsc+0x10/0x10
[ 12.873058]  ? ktime_get_ts64+0x86/0x230
[ 12.873089]  kunit_try_run_case+0x1a5/0x480
[ 12.873114]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.873134]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.873162]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.873187]  ? __kthread_parkme+0x82/0x180
[ 12.873211]  ? preempt_count_sub+0x50/0x80
[ 12.873236]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.873257]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.873282]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.873307]  kthread+0x337/0x6f0
[ 12.873324]  ? trace_preempt_on+0x20/0xc0
[ 12.873350]  ? __pfx_kthread+0x10/0x10
[ 12.873369]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.873392]  ? calculate_sigpending+0x7b/0xa0
[ 12.873416]  ? __pfx_kthread+0x10/0x10
[ 12.873435]  ret_from_fork+0x41/0x80
[ 12.873456]  ? __pfx_kthread+0x10/0x10
[ 12.873475]  ret_from_fork_asm+0x1a/0x30
[ 12.873517]  </TASK>
[ 12.873529]
[ 12.890326] The buggy address belongs to the physical page:
[ 12.891007] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ce8
[ 12.891491] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.891738] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.891975] page_type: f8(unknown)
[ 12.892269] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.892677] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.893107] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.893452] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.894051] head: 0200000000000002 ffffea00040f3a01 00000000ffffffff 00000000ffffffff
[ 12.894407] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 12.894828] page dumped because: kasan: bad access detected
[ 12.895283]
[ 12.895404] Memory state around the buggy address:
[ 12.895795]  ffff888103ce7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.896239]  ffff888103ce7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.896463] >ffff888103ce8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.897169]                    ^
[ 12.897564]  ffff888103ce8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.898439]  ffff888103ce8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.898988] ==================================================================
```