Date
July 3, 2025, 6:13 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |

qemu-arm64:

```
[ 18.902163] ==================================================================
[ 18.902239] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.902306] Read of size 1 at addr fff00000c5fbc000 by task kunit_try_catch/233
[ 18.902355]
[ 18.902392] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.902476] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.902502] Hardware name: linux,dummy-virt (DT)
[ 18.902535] Call trace:
[ 18.902557]  show_stack+0x20/0x38 (C)
[ 18.902608]  dump_stack_lvl+0x8c/0xd0
[ 18.902657]  print_report+0x118/0x608
[ 18.902703]  kasan_report+0xdc/0x128
[ 18.902748]  __asan_report_load1_noabort+0x20/0x30
[ 18.902798]  mempool_uaf_helper+0x314/0x340
[ 18.902842]  mempool_page_alloc_uaf+0xc0/0x118
[ 18.902888]  kunit_try_run_case+0x170/0x3f0
[ 18.902935]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.902987]  kthread+0x328/0x630
[ 18.903043]  ret_from_fork+0x10/0x20
[ 18.903091]
[ 18.903114] The buggy address belongs to the physical page:
[ 18.903146] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105fbc
[ 18.903200] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.903266] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 18.903316] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 18.903357] page dumped because: kasan: bad access detected
[ 18.903389]
[ 18.903407] Memory state around the buggy address:
[ 18.903439]  fff00000c5fbbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.903482]  fff00000c5fbbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.903525] >fff00000c5fbc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.903564]                    ^
[ 18.903591]  fff00000c5fbc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.903634]  fff00000c5fbc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.903671] ==================================================================
[ 18.832047] ==================================================================
[ 18.832109] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.832803] Read of size 1 at addr fff00000c7938000 by task kunit_try_catch/229
[ 18.832872]
[ 18.832906] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.833469] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.833755] Hardware name: linux,dummy-virt (DT)
[ 18.833789] Call trace:
[ 18.833870]  show_stack+0x20/0x38 (C)
[ 18.833944]  dump_stack_lvl+0x8c/0xd0
[ 18.833990]  print_report+0x118/0x608
[ 18.834044]  kasan_report+0xdc/0x128
[ 18.834088]  __asan_report_load1_noabort+0x20/0x30
[ 18.834138]  mempool_uaf_helper+0x314/0x340
[ 18.834184]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 18.834231]  kunit_try_run_case+0x170/0x3f0
[ 18.834281]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.835235]  kthread+0x328/0x630
[ 18.835302]  ret_from_fork+0x10/0x20
[ 18.835385]
[ 18.835521] The buggy address belongs to the physical page:
[ 18.835781] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107938
[ 18.835970] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 18.836019] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 18.836489] page_type: f8(unknown)
[ 18.836697] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 18.836837] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 18.836930] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 18.837079] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 18.837314] head: 0bfffe0000000002 ffffc1ffc31e4e01 00000000ffffffff 00000000ffffffff
[ 18.837573] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 18.837742] page dumped because: kasan: bad access detected
[ 18.837776]
[ 18.837923] Memory state around the buggy address:
[ 18.837958]  fff00000c7937f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.838249]  fff00000c7937f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.838313] >fff00000c7938000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.838351]                    ^
[ 18.838749]  fff00000c7938080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.838903]  fff00000c7938100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.839143] ==================================================================
```
qemu-x86_64:

```
[ 13.039884] ==================================================================
[ 13.040463] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.040838] Read of size 1 at addr ffff8881039c0000 by task kunit_try_catch/251
[ 13.041126]
[ 13.041247] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 13.041295] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.041307] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.041329] Call Trace:
[ 13.041344]  <TASK>
[ 13.041362]  dump_stack_lvl+0x73/0xb0
[ 13.041390]  print_report+0xd1/0x650
[ 13.041412]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.041437]  ? mempool_uaf_helper+0x392/0x400
[ 13.041459]  ? kasan_addr_to_slab+0x11/0xa0
[ 13.041479]  ? mempool_uaf_helper+0x392/0x400
[ 13.041501]  kasan_report+0x141/0x180
[ 13.041523]  ? mempool_uaf_helper+0x392/0x400
[ 13.041550]  __asan_report_load1_noabort+0x18/0x20
[ 13.041574]  mempool_uaf_helper+0x392/0x400
[ 13.041597]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.041620]  ? __kasan_check_write+0x18/0x20
[ 13.041639]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 13.041662]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.041687]  mempool_page_alloc_uaf+0xed/0x140
[ 13.041711]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 13.041735]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 13.041756]  ? __pfx_mempool_free_pages+0x10/0x10
[ 13.041777]  ? __pfx_read_tsc+0x10/0x10
[ 13.041798]  ? ktime_get_ts64+0x86/0x230
[ 13.041823]  kunit_try_run_case+0x1a5/0x480
[ 13.041848]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.041869]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.041909]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.041931]  ? __kthread_parkme+0x82/0x180
[ 13.041952]  ? preempt_count_sub+0x50/0x80
[ 13.041973]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.041996]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.042018]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.042041]  kthread+0x337/0x6f0
[ 13.042059]  ? trace_preempt_on+0x20/0xc0
[ 13.042087]  ? __pfx_kthread+0x10/0x10
[ 13.042118]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.042138]  ? calculate_sigpending+0x7b/0xa0
[ 13.042161]  ? __pfx_kthread+0x10/0x10
[ 13.042182]  ret_from_fork+0x116/0x1d0
[ 13.042200]  ? __pfx_kthread+0x10/0x10
[ 13.042219]  ret_from_fork_asm+0x1a/0x30
[ 13.042249]  </TASK>
[ 13.042260]
[ 13.051084] The buggy address belongs to the physical page:
[ 13.051422] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c0
[ 13.051679] flags: 0x200000000000000(node=0|zone=2)
[ 13.051858] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 13.052458] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 13.052824] page dumped because: kasan: bad access detected
[ 13.053019]
[ 13.053117] Memory state around the buggy address:
[ 13.053473]  ffff8881039bff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.053757]  ffff8881039bff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.054069] >ffff8881039c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.054496]                    ^
[ 13.054651]  ffff8881039c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.054933]  ffff8881039c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.055207] ==================================================================
[ 12.963960] ==================================================================
[ 12.964470] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.964761] Read of size 1 at addr ffff888102a14000 by task kunit_try_catch/247
[ 12.965113]
[ 12.965262] CPU: 0 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.965307] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.965338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.965360] Call Trace:
[ 12.965372]  <TASK>
[ 12.965389]  dump_stack_lvl+0x73/0xb0
[ 12.965416]  print_report+0xd1/0x650
[ 12.965437]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.965460]  ? mempool_uaf_helper+0x392/0x400
[ 12.965482]  ? kasan_addr_to_slab+0x11/0xa0
[ 12.965512]  ? mempool_uaf_helper+0x392/0x400
[ 12.965534]  kasan_report+0x141/0x180
[ 12.965556]  ? mempool_uaf_helper+0x392/0x400
[ 12.965593]  __asan_report_load1_noabort+0x18/0x20
[ 12.965617]  mempool_uaf_helper+0x392/0x400
[ 12.965640]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.965661]  ? update_load_avg+0x1be/0x21b0
[ 12.965687]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.965710]  mempool_kmalloc_large_uaf+0xef/0x140
[ 12.965733]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 12.965772]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 12.965795]  ? __pfx_mempool_kfree+0x10/0x10
[ 12.965819]  ? __pfx_read_tsc+0x10/0x10
[ 12.965839]  ? ktime_get_ts64+0x86/0x230
[ 12.965861]  kunit_try_run_case+0x1a5/0x480
[ 12.965885]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.965907]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.965928]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.965961]  ? __kthread_parkme+0x82/0x180
[ 12.965980]  ? preempt_count_sub+0x50/0x80
[ 12.966002]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.966036]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.966058]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.966081]  kthread+0x337/0x6f0
[ 12.966108]  ? trace_preempt_on+0x20/0xc0
[ 12.966154]  ? __pfx_kthread+0x10/0x10
[ 12.966175]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.966206]  ? calculate_sigpending+0x7b/0xa0
[ 12.966229]  ? __pfx_kthread+0x10/0x10
[ 12.966249]  ret_from_fork+0x116/0x1d0
[ 12.966267]  ? __pfx_kthread+0x10/0x10
[ 12.966287]  ret_from_fork_asm+0x1a/0x30
[ 12.966330]  </TASK>
[ 12.966342]
[ 12.980486] The buggy address belongs to the physical page:
[ 12.980746] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a14
[ 12.981403] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.981868] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.982057] page_type: f8(unknown)
[ 12.982384] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.983057] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.983815] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.984552] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.984796] head: 0200000000000002 ffffea00040a8501 00000000ffffffff 00000000ffffffff
[ 12.985033] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 12.985735] page dumped because: kasan: bad access detected
[ 12.986451]
[ 12.986667] Memory state around the buggy address:
[ 12.987117]  ffff888102a13f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.987890]  ffff888102a13f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.988685] >ffff888102a14000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.989205]                    ^
[ 12.989564]  ffff888102a14080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.990115]  ffff888102a14100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.990741] ==================================================================
```