Date
July 1, 2025, 3:08 p.m.
Environment: qemu-arm64

[ 18.918116] ==================================================================
[ 18.918550] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.918677] Read of size 1 at addr fff00000c7bc0000 by task kunit_try_catch/230
[ 18.918890]
[ 18.918940] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.919035] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.919062] Hardware name: linux,dummy-virt (DT)
[ 18.919768] Call trace:
[ 18.919810]  show_stack+0x20/0x38 (C)
[ 18.919865]  dump_stack_lvl+0x8c/0xd0
[ 18.919923]  print_report+0x118/0x608
[ 18.919969]  kasan_report+0xdc/0x128
[ 18.920014]  __asan_report_load1_noabort+0x20/0x30
[ 18.920065]  mempool_uaf_helper+0x314/0x340
[ 18.920110]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 18.920159]  kunit_try_run_case+0x170/0x3f0
[ 18.920205]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.920260]  kthread+0x328/0x630
[ 18.920300]  ret_from_fork+0x10/0x20
[ 18.920347]
[ 18.920369] The buggy address belongs to the physical page:
[ 18.920405] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107bc0
[ 18.920464] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 18.920513] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 18.920578] page_type: f8(unknown)
[ 18.920740] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 18.920795] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 18.920846] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 18.921505] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 18.921697] head: 0bfffe0000000002 ffffc1ffc31ef001 00000000ffffffff 00000000ffffffff
[ 18.921759] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 18.921809] page dumped because: kasan: bad access detected
[ 18.922152]
[ 18.922217] Memory state around the buggy address:
[ 18.922287]  fff00000c7bbff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.922380]  fff00000c7bbff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.922601] >fff00000c7bc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.922824]                    ^
[ 18.922883]  fff00000c7bc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.923043]  fff00000c7bc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.923140] ==================================================================
[ 18.983769] ==================================================================
[ 18.983847] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.983916] Read of size 1 at addr fff00000c7bc4000 by task kunit_try_catch/234
[ 18.983965]
[ 18.984006] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.984091] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.984238] Hardware name: linux,dummy-virt (DT)
[ 18.984284] Call trace:
[ 18.984308]  show_stack+0x20/0x38 (C)
[ 18.984364]  dump_stack_lvl+0x8c/0xd0
[ 18.984415]  print_report+0x118/0x608
[ 18.984461]  kasan_report+0xdc/0x128
[ 18.984534]  __asan_report_load1_noabort+0x20/0x30
[ 18.985391]  mempool_uaf_helper+0x314/0x340
[ 18.985801]  mempool_page_alloc_uaf+0xc0/0x118
[ 18.985895]  kunit_try_run_case+0x170/0x3f0
[ 18.985964]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.986061]  kthread+0x328/0x630
[ 18.986216]  ret_from_fork+0x10/0x20
[ 18.986412]
[ 18.986474] The buggy address belongs to the physical page:
[ 18.986510] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107bc4
[ 18.986812] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.986946] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 18.987189] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 18.987352] page dumped because: kasan: bad access detected
[ 18.987406]
[ 18.987440] Memory state around the buggy address:
[ 18.987489]  fff00000c7bc3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.987598]  fff00000c7bc3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.987875] >fff00000c7bc4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.987947]                    ^
[ 18.987999]  fff00000c7bc4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.988173]  fff00000c7bc4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.988274] ==================================================================

Environment: qemu-x86_64

[ 13.241401] ==================================================================
[ 13.241806] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.242056] Read of size 1 at addr ffff8881039c4000 by task kunit_try_catch/250
[ 13.242277]
[ 13.242370] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 13.242418] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.242430] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.242452] Call Trace:
[ 13.242464]  <TASK>
[ 13.242484]  dump_stack_lvl+0x73/0xb0
[ 13.242511]  print_report+0xd1/0x650
[ 13.242534]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.242557]  ? mempool_uaf_helper+0x392/0x400
[ 13.242579]  ? kasan_addr_to_slab+0x11/0xa0
[ 13.242598]  ? mempool_uaf_helper+0x392/0x400
[ 13.242619]  kasan_report+0x141/0x180
[ 13.242641]  ? mempool_uaf_helper+0x392/0x400
[ 13.242666]  __asan_report_load1_noabort+0x18/0x20
[ 13.242689]  mempool_uaf_helper+0x392/0x400
[ 13.242712]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.242734]  ? __kasan_check_write+0x18/0x20
[ 13.242753]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 13.242774]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.242799]  mempool_page_alloc_uaf+0xed/0x140
[ 13.242821]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 13.242848]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 13.242869]  ? __pfx_mempool_free_pages+0x10/0x10
[ 13.242891]  ? __pfx_read_tsc+0x10/0x10
[ 13.242913]  ? ktime_get_ts64+0x86/0x230
[ 13.242937]  kunit_try_run_case+0x1a5/0x480
[ 13.242962]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.242983]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.243007]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.243453]  ? __kthread_parkme+0x82/0x180
[ 13.243485]  ? preempt_count_sub+0x50/0x80
[ 13.243509]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.243533]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.243558]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.243833]  kthread+0x337/0x6f0
[ 13.243859]  ? trace_preempt_on+0x20/0xc0
[ 13.243884]  ? __pfx_kthread+0x10/0x10
[ 13.243904]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.243926]  ? calculate_sigpending+0x7b/0xa0
[ 13.243950]  ? __pfx_kthread+0x10/0x10
[ 13.243971]  ret_from_fork+0x116/0x1d0
[ 13.243990]  ? __pfx_kthread+0x10/0x10
[ 13.244010]  ret_from_fork_asm+0x1a/0x30
[ 13.244053]  </TASK>
[ 13.244066]
[ 13.262998] The buggy address belongs to the physical page:
[ 13.263509] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c4
[ 13.264058] flags: 0x200000000000000(node=0|zone=2)
[ 13.264249] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 13.264481] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 13.264940] page dumped because: kasan: bad access detected
[ 13.265422]
[ 13.265585] Memory state around the buggy address:
[ 13.266077]  ffff8881039c3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.266780]  ffff8881039c3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.267400] >ffff8881039c4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.267999]                    ^
[ 13.268131]  ffff8881039c4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.268351]  ffff8881039c4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.268565] ==================================================================
[ 13.177172] ==================================================================
[ 13.177611] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.177956] Read of size 1 at addr ffff8881039c4000 by task kunit_try_catch/246
[ 13.178216]
[ 13.178331] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 13.178376] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.178388] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.178411] Call Trace:
[ 13.178423]  <TASK>
[ 13.178441]  dump_stack_lvl+0x73/0xb0
[ 13.178468]  print_report+0xd1/0x650
[ 13.178491]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.178514]  ? mempool_uaf_helper+0x392/0x400
[ 13.178535]  ? kasan_addr_to_slab+0x11/0xa0
[ 13.178556]  ? mempool_uaf_helper+0x392/0x400
[ 13.178577]  kasan_report+0x141/0x180
[ 13.178598]  ? mempool_uaf_helper+0x392/0x400
[ 13.178623]  __asan_report_load1_noabort+0x18/0x20
[ 13.178648]  mempool_uaf_helper+0x392/0x400
[ 13.178670]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.178691]  ? update_curr+0x5c1/0x810
[ 13.178719]  mempool_kmalloc_large_uaf+0xef/0x140
[ 13.178742]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 13.178764]  ? schedule+0x7c/0x2e0
[ 13.178785]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 13.178909]  ? __pfx_mempool_kfree+0x10/0x10
[ 13.178937]  ? __pfx_read_tsc+0x10/0x10
[ 13.178958]  ? ktime_get_ts64+0x86/0x230
[ 13.178981]  kunit_try_run_case+0x1a5/0x480
[ 13.179005]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.179038]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.179063]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.179086]  ? __kthread_parkme+0x82/0x180
[ 13.179106]  ? preempt_count_sub+0x50/0x80
[ 13.179130]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.179154]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.179175]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.179198]  kthread+0x337/0x6f0
[ 13.179216]  ? trace_preempt_on+0x20/0xc0
[ 13.179239]  ? __pfx_kthread+0x10/0x10
[ 13.179259]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.179280]  ? calculate_sigpending+0x7b/0xa0
[ 13.179303]  ? __pfx_kthread+0x10/0x10
[ 13.179323]  ret_from_fork+0x116/0x1d0
[ 13.179341]  ? __pfx_kthread+0x10/0x10
[ 13.179361]  ret_from_fork_asm+0x1a/0x30
[ 13.179391]  </TASK>
[ 13.179402]
[ 13.187979] The buggy address belongs to the physical page:
[ 13.188290] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c4
[ 13.188592] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 13.189032] flags: 0x200000000000040(head|node=0|zone=2)
[ 13.189291] page_type: f8(unknown)
[ 13.189514] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 13.189962] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 13.190465] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 13.190809] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 13.191443] head: 0200000000000002 ffffea00040e7101 00000000ffffffff 00000000ffffffff
[ 13.191999] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 13.192356] page dumped because: kasan: bad access detected
[ 13.192617]
[ 13.192788] Memory state around the buggy address:
[ 13.192996]  ffff8881039c3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.193277]  ffff8881039c3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.193604] >ffff8881039c4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.194121]                    ^
[ 13.194263]  ffff8881039c4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.194609]  ffff8881039c4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.195187] ==================================================================
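The reports above are raised by the kernel's KASAN KUnit test cases (mempool_kmalloc_large_uaf and mempool_page_alloc_uaf in the call trace), which deliberately read memory they have just returned to a mempool so that the sanitizer's detection is exercised; the [N]=TEST taint flag and the kunit_try_catch task are what separate them from a real use-after-free found in a CI dmesg. The following is an added example of a triage parser for this report format, written for this page and not taken from the page, from KernelCI or from the kernel tree. Its sample input is constructed from excerpts of two of the reports above; the field names, the `origin` labels and the end-of-trace heuristics are this example's own choices.

```python
"""Triage KASAN reports in a dmesg capture: pull out the bug kind, faulting
function, access, taint flags and call trace, and flag reports raised from the
KUnit runner thread, which are expected test output rather than real bugs."""
import re
from dataclasses import dataclass, field

# Constructed sample: two reports excerpted from the run above (one arm64, one
# x86_64), one dmesg entry per line, with most frames and page-dump lines cut.
SAMPLE_DMESG = """\
[   18.918116] ==================================================================
[   18.918550] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   18.918677] Read of size 1 at addr fff00000c7bc0000 by task kunit_try_catch/230
[   18.918940] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   18.919035] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.919768] Call trace:
[   18.919810]  show_stack+0x20/0x38 (C)
[   18.920065]  mempool_uaf_helper+0x314/0x340
[   18.920110]  mempool_kmalloc_large_uaf+0xc4/0x120
[   18.920159]  kunit_try_run_case+0x170/0x3f0
[   18.920347]
[   18.920369] The buggy address belongs to the physical page:
[   18.923140] ==================================================================
[   13.241401] ==================================================================
[   13.241806] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   13.242056] Read of size 1 at addr ffff8881039c4000 by task kunit_try_catch/250
[   13.242370] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   13.242452] Call Trace:
[   13.242464]  <TASK>
[   13.242484]  dump_stack_lvl+0x73/0xb0
[   13.242534]  ? __virt_addr_valid+0x1db/0x2d0
[   13.242689]  mempool_uaf_helper+0x392/0x400
[   13.242799]  mempool_page_alloc_uaf+0xed/0x140
[   13.242937]  kunit_try_run_case+0x1a5/0x480
[   13.244053]  </TASK>
[   13.268565] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
TAINT_RE = re.compile(r"(?:Tainted: (?P<flags>(?:[A-Z] )*)|Not tainted )(?P<version>\d+\.\d+\S*)")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: str = ""
    comm: str = ""
    pid: int = 0
    taint: str = ""
    version: str = ""
    frames: list = field(default_factory=list)  # reliable frames, innermost first

    @property
    def from_kunit(self) -> bool:
        # [N]=TEST taint, the KUnit runner thread, or a kunit_* frame in the trace
        return ("N" in self.taint.split() or self.comm == "kunit_try_catch"
                or any(f.startswith("kunit_") for f in self.frames))

    @property
    def test_case(self) -> str:
        # The frame called directly by kunit_try_run_case is the test function.
        for callee, caller in zip(self.frames, self.frames[1:]):
            if caller == "kunit_try_run_case":
                return callee
        return ""


def parse_reports(text: str) -> list:
    reports, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.startswith("====="):  # the same delimiter opens and closes a report
            if cur is None:
                cur = KasanReport()
            else:
                reports.append(cur)
                cur = None
            in_trace = False
        elif cur is None:
            continue
        elif m := BUG_RE.match(line):
            cur.kind, cur.func = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            cur.rw, cur.size, cur.addr, cur.comm, cur.pid = m["rw"], int(m["size"]), m["addr"], m["comm"], int(m["pid"])
        elif m := TAINT_RE.search(line):
            cur.taint, cur.version = (m["flags"] or "").strip(), m["version"]
        elif line.lower().startswith("call trace"):
            in_trace = True
        elif in_trace:
            if not line or line.startswith("The buggy address"):
                in_trace = False
            elif (m := FRAME_RE.match(line)) and not m["unreliable"]:
                cur.frames.append(m["sym"])  # '? ' frames are guesses; skip them
    return reports


def triage(text: str) -> list:
    # One summary dict per report, with an 'origin' label a reviewer can filter on.
    return [{"kind": r.kind, "func": r.func, "test_case": r.test_case,
             "access": f"{r.rw} {r.size} @ {r.addr}", "version": r.version,
             "origin": "kunit-test" if r.from_kunit else "needs-investigation"}
            for r in parse_reports(text)]
```

Frames prefixed with `? ` on x86_64 are stale stack slots the unwinder could not verify, so the parser drops them before locating the test case; the arm64 unwinder prints only verified frames. On a CI run like this one, every report should land in the `kunit-test` bucket, and a report with any other origin is the one worth opening.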