Date
July 18, 2025, 2:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 19.030628] ================================================================== [ 19.030736] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 19.031081] Read of size 1 at addr fff00000c7a00000 by task kunit_try_catch/229 [ 19.031131] [ 19.031173] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 19.031257] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.031688] Hardware name: linux,dummy-virt (DT) [ 19.032199] Call trace: [ 19.032228] show_stack+0x20/0x38 (C) [ 19.032792] dump_stack_lvl+0x8c/0xd0 [ 19.032867] print_report+0x118/0x5d0 [ 19.033340] kasan_report+0xdc/0x128 [ 19.033418] __asan_report_load1_noabort+0x20/0x30 [ 19.033779] mempool_uaf_helper+0x314/0x340 [ 19.034300] mempool_kmalloc_large_uaf+0xc4/0x120 [ 19.034360] kunit_try_run_case+0x170/0x3f0 [ 19.034581] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.035083] kthread+0x328/0x630 [ 19.035156] ret_from_fork+0x10/0x20 [ 19.035216] [ 19.035239] The buggy address belongs to the physical page: [ 19.035618] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a00 [ 19.035955] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 19.036177] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 19.036529] page_type: f8(unknown) [ 19.036604] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 19.036655] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 19.036704] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 19.037458] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 19.037751] head: 0bfffe0000000002 ffffc1ffc31e8001 00000000ffffffff 00000000ffffffff [ 19.037808] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 19.038285] page dumped because: kasan: bad access detected [ 19.038337] [ 19.038378] Memory state around the buggy address: [ 19.038417] fff00000c79fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.038461] fff00000c79fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.039067] >fff00000c7a00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.039177] ^ [ 19.039211] fff00000c7a00080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.039540] fff00000c7a00100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.039587] ================================================================== [ 19.081349] ================================================================== [ 19.081439] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 19.081809] Read of size 1 at addr fff00000c7a00000 by task kunit_try_catch/233 [ 19.081894] [ 19.082100] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 19.082233] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.082264] Hardware name: linux,dummy-virt (DT) [ 19.082347] Call trace: [ 19.082375] show_stack+0x20/0x38 (C) [ 19.082534] dump_stack_lvl+0x8c/0xd0 [ 19.082603] print_report+0x118/0x5d0 [ 19.082729] kasan_report+0xdc/0x128 [ 19.082779] __asan_report_load1_noabort+0x20/0x30 [ 19.082829] mempool_uaf_helper+0x314/0x340 [ 19.083045] mempool_page_alloc_uaf+0xc0/0x118 [ 19.083095] kunit_try_run_case+0x170/0x3f0 [ 19.083148] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.083202] kthread+0x328/0x630 [ 19.083244] ret_from_fork+0x10/0x20 [ 19.083549] [ 19.083756] The buggy address belongs to the physical page: [ 19.083920] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a00 [ 19.083992] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.084390] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 19.084557] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 19.084741] page dumped because: kasan: bad access detected [ 19.084811] [ 19.084988] Memory state around the buggy address: [ 19.085066] fff00000c79fff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.085234] fff00000c79fff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.085562] >fff00000c7a00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.085727] ^ [ 19.085807] fff00000c7a00080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.085949] fff00000c7a00100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.086000] ==================================================================
[ 18.684233] ================================================================== [ 18.684303] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.684436] Read of size 1 at addr fff00000c7a6c000 by task kunit_try_catch/229 [ 18.684579] [ 18.684745] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.684865] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.684893] Hardware name: linux,dummy-virt (DT) [ 18.684951] Call trace: [ 18.684978] show_stack+0x20/0x38 (C) [ 18.685030] dump_stack_lvl+0x8c/0xd0 [ 18.685188] print_report+0x118/0x5d0 [ 18.685299] kasan_report+0xdc/0x128 [ 18.685413] __asan_report_load1_noabort+0x20/0x30 [ 18.685526] mempool_uaf_helper+0x314/0x340 [ 18.685584] mempool_kmalloc_large_uaf+0xc4/0x120 [ 18.685632] kunit_try_run_case+0x170/0x3f0 [ 18.685679] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.685733] kthread+0x328/0x630 [ 18.685912] ret_from_fork+0x10/0x20 [ 18.686047] [ 18.686186] The buggy address belongs to the physical page: [ 18.686291] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a6c [ 18.686460] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 18.686517] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 18.686579] page_type: f8(unknown) [ 18.686619] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.686669] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.686741] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.686797] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.686855] head: 0bfffe0000000002 ffffc1ffc31e9b01 00000000ffffffff 00000000ffffffff [ 18.686904] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 18.686944] page dumped because: kasan: bad access detected [ 18.686976] [ 18.686993] Memory state around the buggy address: [ 18.687025] fff00000c7a6bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.687078] fff00000c7a6bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.687125] >fff00000c7a6c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.687162] ^ [ 18.687189] fff00000c7a6c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.687230] fff00000c7a6c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.687268] ================================================================== [ 18.738564] ================================================================== [ 18.738688] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.738887] Read of size 1 at addr fff00000c7a74000 by task kunit_try_catch/233 [ 18.739062] [ 18.739116] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.739200] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.739238] Hardware name: linux,dummy-virt (DT) [ 18.739271] Call trace: [ 18.739305] show_stack+0x20/0x38 (C) [ 18.739630] dump_stack_lvl+0x8c/0xd0 [ 18.739720] print_report+0x118/0x5d0 [ 18.739768] kasan_report+0xdc/0x128 [ 18.739814] __asan_report_load1_noabort+0x20/0x30 [ 18.740128] mempool_uaf_helper+0x314/0x340 [ 18.740212] mempool_page_alloc_uaf+0xc0/0x118 [ 18.740284] kunit_try_run_case+0x170/0x3f0 [ 18.740345] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.740614] kthread+0x328/0x630 [ 18.740803] ret_from_fork+0x10/0x20 [ 18.740966] [ 18.740993] The buggy address belongs to the physical page: [ 18.741050] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a74 [ 18.741115] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.741468] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 18.745148] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 18.745200] page dumped because: kasan: bad access detected [ 18.745234] [ 18.745253] Memory state around the buggy address: [ 18.745288] fff00000c7a73f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.745345] fff00000c7a73f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.745391] >fff00000c7a74000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.745430] ^ [ 18.745458] fff00000c7a74080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.745500] fff00000c7a74100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.745537] ==================================================================
[ 18.611957] ================================================================== [ 18.612143] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.612247] Read of size 1 at addr fff00000c7800000 by task kunit_try_catch/229 [ 18.612299] [ 18.612353] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.612464] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.612513] Hardware name: linux,dummy-virt (DT) [ 18.612591] Call trace: [ 18.612617] show_stack+0x20/0x38 (C) [ 18.612751] dump_stack_lvl+0x8c/0xd0 [ 18.612837] print_report+0x118/0x5d0 [ 18.612891] kasan_report+0xdc/0x128 [ 18.612936] __asan_report_load1_noabort+0x20/0x30 [ 18.613002] mempool_uaf_helper+0x314/0x340 [ 18.613050] mempool_kmalloc_large_uaf+0xc4/0x120 [ 18.613097] kunit_try_run_case+0x170/0x3f0 [ 18.613141] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.613278] kthread+0x328/0x630 [ 18.613329] ret_from_fork+0x10/0x20 [ 18.613375] [ 18.613396] The buggy address belongs to the physical page: [ 18.613457] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107800 [ 18.613560] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 18.613639] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 18.613693] page_type: f8(unknown) [ 18.613742] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.613820] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.613872] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.613921] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.613994] head: 0bfffe0000000002 ffffc1ffc31e0001 00000000ffffffff 00000000ffffffff [ 18.614049] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 18.614089] page dumped because: kasan: bad access detected [ 18.614216] [ 18.614236] Memory state around the buggy address: [ 18.614269] fff00000c77fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.614328] fff00000c77fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.614370] >fff00000c7800000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.614408] ^ [ 18.614456] fff00000c7800080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.614499] fff00000c7800100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.614537] ================================================================== [ 18.644021] ================================================================== [ 18.644127] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.644233] Read of size 1 at addr fff00000c7800000 by task kunit_try_catch/233 [ 18.644285] [ 18.644342] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.644465] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.644639] Hardware name: linux,dummy-virt (DT) [ 18.644732] Call trace: [ 18.644812] show_stack+0x20/0x38 (C) [ 18.644867] dump_stack_lvl+0x8c/0xd0 [ 18.644963] print_report+0x118/0x5d0 [ 18.645020] kasan_report+0xdc/0x128 [ 18.645128] __asan_report_load1_noabort+0x20/0x30 [ 18.645179] mempool_uaf_helper+0x314/0x340 [ 18.645257] mempool_page_alloc_uaf+0xc0/0x118 [ 18.645443] kunit_try_run_case+0x170/0x3f0 [ 18.645531] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.645602] kthread+0x328/0x630 [ 18.645686] ret_from_fork+0x10/0x20 [ 18.645743] [ 18.645821] The buggy address belongs to the physical page: [ 18.645897] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107800 [ 18.646001] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.646067] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 18.646118] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 18.646157] page dumped because: kasan: bad access detected [ 18.646207] [ 18.646226] Memory state around the buggy address: [ 18.646259] fff00000c77fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.646410] fff00000c77fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.646498] >fff00000c7800000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.646568] ^ [ 18.646651] fff00000c7800080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.646694] fff00000c7800100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.646742] ==================================================================
[ 13.770307] ================================================================== [ 13.770831] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.771228] Read of size 1 at addr ffff8881039f8000 by task kunit_try_catch/246 [ 13.771809] [ 13.771951] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.772001] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.772013] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.772047] Call Trace: [ 13.772058] <TASK> [ 13.772076] dump_stack_lvl+0x73/0xb0 [ 13.772122] print_report+0xd1/0x610 [ 13.772147] ? __virt_addr_valid+0x1db/0x2d0 [ 13.772172] ? mempool_uaf_helper+0x392/0x400 [ 13.772206] ? kasan_addr_to_slab+0x11/0xa0 [ 13.772227] ? mempool_uaf_helper+0x392/0x400 [ 13.772250] kasan_report+0x141/0x180 [ 13.772272] ? mempool_uaf_helper+0x392/0x400 [ 13.772300] __asan_report_load1_noabort+0x18/0x20 [ 13.772323] mempool_uaf_helper+0x392/0x400 [ 13.772347] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.772378] ? update_load_avg+0x1be/0x21b0 [ 13.772408] ? finish_task_switch.isra.0+0x153/0x700 [ 13.772435] mempool_kmalloc_large_uaf+0xef/0x140 [ 13.772470] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 13.772498] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.772524] ? __pfx_mempool_kfree+0x10/0x10 [ 13.772550] ? __pfx_read_tsc+0x10/0x10 [ 13.772572] ? ktime_get_ts64+0x86/0x230 [ 13.772645] kunit_try_run_case+0x1a5/0x480 [ 13.772673] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.772695] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.772721] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.772745] ? __kthread_parkme+0x82/0x180 [ 13.772766] ? preempt_count_sub+0x50/0x80 [ 13.772790] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.772816] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.772841] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.772866] kthread+0x337/0x6f0 [ 13.772884] ? trace_preempt_on+0x20/0xc0 [ 13.772924] ? __pfx_kthread+0x10/0x10 [ 13.772944] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.772966] ? calculate_sigpending+0x7b/0xa0 [ 13.772991] ? __pfx_kthread+0x10/0x10 [ 13.773013] ret_from_fork+0x116/0x1d0 [ 13.773032] ? __pfx_kthread+0x10/0x10 [ 13.773053] ret_from_fork_asm+0x1a/0x30 [ 13.773086] </TASK> [ 13.773098] [ 13.781955] The buggy address belongs to the physical page: [ 13.782278] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f8 [ 13.782587] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.783001] flags: 0x200000000000040(head|node=0|zone=2) [ 13.783243] page_type: f8(unknown) [ 13.783415] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.783787] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.784139] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.784481] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.784911] head: 0200000000000002 ffffea00040e7e01 00000000ffffffff 00000000ffffffff [ 13.785156] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 13.785385] page dumped because: kasan: bad access detected [ 13.785558] [ 13.785651] Memory state around the buggy address: [ 13.786041] ffff8881039f7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.786424] ffff8881039f7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.786815] >ffff8881039f8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.787389] ^ [ 13.787584] ffff8881039f8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.787910] ffff8881039f8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.788245] ================================================================== [ 13.827094] ================================================================== [ 13.827552] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.827968] Read of size 1 at addr ffff888103a20000 by task kunit_try_catch/250 [ 13.828315] [ 13.828585] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.828640] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.828755] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.828779] Call Trace: [ 13.828790] <TASK> [ 13.828807] dump_stack_lvl+0x73/0xb0 [ 13.828837] print_report+0xd1/0x610 [ 13.828860] ? __virt_addr_valid+0x1db/0x2d0 [ 13.828884] ? mempool_uaf_helper+0x392/0x400 [ 13.829276] ? kasan_addr_to_slab+0x11/0xa0 [ 13.829300] ? mempool_uaf_helper+0x392/0x400 [ 13.829332] kasan_report+0x141/0x180 [ 13.829355] ? mempool_uaf_helper+0x392/0x400 [ 13.829384] __asan_report_load1_noabort+0x18/0x20 [ 13.829421] mempool_uaf_helper+0x392/0x400 [ 13.829445] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.829468] ? __kasan_check_write+0x18/0x20 [ 13.829488] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.829510] ? finish_task_switch.isra.0+0x153/0x700 [ 13.829579] mempool_page_alloc_uaf+0xed/0x140 [ 13.829604] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 13.829629] ? __kasan_check_write+0x18/0x20 [ 13.829689] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 13.829714] ? __pfx_mempool_free_pages+0x10/0x10 [ 13.829740] ? __pfx_read_tsc+0x10/0x10 [ 13.829761] ? ktime_get_ts64+0x86/0x230 [ 13.829782] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 13.829810] kunit_try_run_case+0x1a5/0x480 [ 13.829836] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.829861] ? queued_spin_lock_slowpath+0x116/0xb40 [ 13.829886] ? __kthread_parkme+0x82/0x180 [ 13.829918] ? preempt_count_sub+0x50/0x80 [ 13.829941] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.829965] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.829996] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.830021] kthread+0x337/0x6f0 [ 13.830040] ? trace_preempt_on+0x20/0xc0 [ 13.830063] ? __pfx_kthread+0x10/0x10 [ 13.830083] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.830105] ? calculate_sigpending+0x7b/0xa0 [ 13.830129] ? __pfx_kthread+0x10/0x10 [ 13.830150] ret_from_fork+0x116/0x1d0 [ 13.830168] ? __pfx_kthread+0x10/0x10 [ 13.830188] ret_from_fork_asm+0x1a/0x30 [ 13.830220] </TASK> [ 13.830232] [ 13.839800] The buggy address belongs to the physical page: [ 13.840088] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103a20 [ 13.840360] flags: 0x200000000000000(node=0|zone=2) [ 13.840729] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 13.841236] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 13.841530] page dumped because: kasan: bad access detected [ 13.841746] [ 13.841815] Memory state around the buggy address: [ 13.842145] ffff888103a1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.842448] ffff888103a1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.842924] >ffff888103a20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.843235] ^ [ 13.843356] ffff888103a20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.843570] ffff888103a20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.843811] ==================================================================
[ 13.605771] ================================================================== [ 13.606400] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.606877] Read of size 1 at addr ffff888102bf8000 by task kunit_try_catch/247 [ 13.607171] [ 13.607291] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.607338] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.607349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.607373] Call Trace: [ 13.607385] <TASK> [ 13.607403] dump_stack_lvl+0x73/0xb0 [ 13.607445] print_report+0xd1/0x610 [ 13.607491] ? __virt_addr_valid+0x1db/0x2d0 [ 13.607529] ? mempool_uaf_helper+0x392/0x400 [ 13.607552] ? kasan_addr_to_slab+0x11/0xa0 [ 13.607573] ? mempool_uaf_helper+0x392/0x400 [ 13.607596] kasan_report+0x141/0x180 [ 13.607618] ? mempool_uaf_helper+0x392/0x400 [ 13.607646] __asan_report_load1_noabort+0x18/0x20 [ 13.607671] mempool_uaf_helper+0x392/0x400 [ 13.607694] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.607721] ? finish_task_switch.isra.0+0x153/0x700 [ 13.607750] mempool_kmalloc_large_uaf+0xef/0x140 [ 13.607774] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 13.607799] ? __kasan_check_write+0x18/0x20 [ 13.607819] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.607860] ? __pfx_mempool_kfree+0x10/0x10 [ 13.607886] ? __pfx_read_tsc+0x10/0x10 [ 13.607907] ? ktime_get_ts64+0x86/0x230 [ 13.607930] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 13.607976] kunit_try_run_case+0x1a5/0x480 [ 13.608003] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.608027] ? queued_spin_lock_slowpath+0x116/0xb40 [ 13.608054] ? __kthread_parkme+0x82/0x180 [ 13.608076] ? preempt_count_sub+0x50/0x80 [ 13.608099] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.608124] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.608148] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.608173] kthread+0x337/0x6f0 [ 13.608191] ? trace_preempt_on+0x20/0xc0 [ 13.608215] ? __pfx_kthread+0x10/0x10 [ 13.608235] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.608257] ? calculate_sigpending+0x7b/0xa0 [ 13.608283] ? __pfx_kthread+0x10/0x10 [ 13.608305] ret_from_fork+0x116/0x1d0 [ 13.608322] ? __pfx_kthread+0x10/0x10 [ 13.608343] ret_from_fork_asm+0x1a/0x30 [ 13.608377] </TASK> [ 13.608388] [ 13.616790] The buggy address belongs to the physical page: [ 13.617025] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102bf8 [ 13.617386] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.617736] flags: 0x200000000000040(head|node=0|zone=2) [ 13.618010] page_type: f8(unknown) [ 13.618186] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.618500] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.618980] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.619298] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.619670] head: 0200000000000002 ffffea00040afe01 00000000ffffffff 00000000ffffffff [ 13.619983] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 13.620293] page dumped because: kasan: bad access detected [ 13.620556] [ 13.620650] Memory state around the buggy address: [ 13.620887] ffff888102bf7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.621219] ffff888102bf7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.621539] >ffff888102bf8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.621843] ^ [ 13.622001] ffff888102bf8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.622306] ffff888102bf8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.622677] ================================================================== [ 13.658972] ================================================================== [ 13.660227] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.661739] Read of size 1 at addr ffff888103af8000 by task kunit_try_catch/251 [ 13.662608] [ 13.663090] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.663183] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.663196] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.663220] Call Trace: [ 13.663233] <TASK> [ 13.663252] dump_stack_lvl+0x73/0xb0 [ 13.663286] print_report+0xd1/0x610 [ 13.663310] ? __virt_addr_valid+0x1db/0x2d0 [ 13.663337] ? mempool_uaf_helper+0x392/0x400 [ 13.663359] ? kasan_addr_to_slab+0x11/0xa0 [ 13.663382] ? mempool_uaf_helper+0x392/0x400 [ 13.663417] kasan_report+0x141/0x180 [ 13.663450] ? mempool_uaf_helper+0x392/0x400 [ 13.663479] __asan_report_load1_noabort+0x18/0x20 [ 13.663504] mempool_uaf_helper+0x392/0x400 [ 13.663528] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.663550] ? update_load_avg+0x1be/0x21b0 [ 13.663576] ? dequeue_entities+0x27e/0x1740 [ 13.663602] ? finish_task_switch.isra.0+0x153/0x700 [ 13.663630] mempool_page_alloc_uaf+0xed/0x140 [ 13.663655] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 13.663682] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 13.663708] ? __pfx_mempool_free_pages+0x10/0x10 [ 13.663734] ? __pfx_read_tsc+0x10/0x10 [ 13.663756] ? ktime_get_ts64+0x86/0x230 [ 13.663781] kunit_try_run_case+0x1a5/0x480 [ 13.663808] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.663831] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.663857] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.663880] ? __kthread_parkme+0x82/0x180 [ 13.663901] ? preempt_count_sub+0x50/0x80 [ 13.663925] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.663948] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.663972] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.663996] kthread+0x337/0x6f0 [ 13.664015] ? trace_preempt_on+0x20/0xc0 [ 13.664038] ? __pfx_kthread+0x10/0x10 [ 13.664059] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.664080] ? calculate_sigpending+0x7b/0xa0 [ 13.664104] ? __pfx_kthread+0x10/0x10 [ 13.664126] ret_from_fork+0x116/0x1d0 [ 13.664144] ? __pfx_kthread+0x10/0x10 [ 13.664164] ret_from_fork_asm+0x1a/0x30 [ 13.664198] </TASK> [ 13.664208] [ 13.680358] The buggy address belongs to the physical page: [ 13.681134] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103af8 [ 13.682035] flags: 0x200000000000000(node=0|zone=2) [ 13.682730] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 13.683352] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 13.683852] page dumped because: kasan: bad access detected [ 13.684685] [ 13.684856] Memory state around the buggy address: [ 13.685626] ffff888103af7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.686422] ffff888103af7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.687317] >ffff888103af8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.688014] ^ [ 13.688355] ffff888103af8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.688993] ffff888103af8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.689219] ==================================================================
[ 13.909409] ================================================================== [ 13.909955] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.910217] Read of size 1 at addr ffff888102a18000 by task kunit_try_catch/250 [ 13.910470] [ 13.910647] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.911255] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.911269] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.911293] Call Trace: [ 13.911307] <TASK> [ 13.911326] dump_stack_lvl+0x73/0xb0 [ 13.911363] print_report+0xd1/0x610 [ 13.911386] ? __virt_addr_valid+0x1db/0x2d0 [ 13.911411] ? mempool_uaf_helper+0x392/0x400 [ 13.911688] ? kasan_addr_to_slab+0x11/0xa0 [ 13.911712] ? mempool_uaf_helper+0x392/0x400 [ 13.911735] kasan_report+0x141/0x180 [ 13.911757] ? mempool_uaf_helper+0x392/0x400 [ 13.911784] __asan_report_load1_noabort+0x18/0x20 [ 13.911809] mempool_uaf_helper+0x392/0x400 [ 13.911832] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.911857] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.911881] ? finish_task_switch.isra.0+0x153/0x700 [ 13.911908] mempool_page_alloc_uaf+0xed/0x140 [ 13.911932] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 13.911959] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 13.911985] ? __pfx_mempool_free_pages+0x10/0x10 [ 13.912025] ? __pfx_read_tsc+0x10/0x10 [ 13.912051] ? ktime_get_ts64+0x86/0x230 [ 13.912078] kunit_try_run_case+0x1a5/0x480 [ 13.912105] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.912127] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.912153] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.912176] ? __kthread_parkme+0x82/0x180 [ 13.912198] ? preempt_count_sub+0x50/0x80 [ 13.912221] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.912244] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.912268] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.912292] kthread+0x337/0x6f0 [ 13.912311] ? trace_preempt_on+0x20/0xc0 [ 13.912335] ? __pfx_kthread+0x10/0x10 [ 13.912354] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.912375] ? calculate_sigpending+0x7b/0xa0 [ 13.912400] ? __pfx_kthread+0x10/0x10 [ 13.912421] ret_from_fork+0x116/0x1d0 [ 13.912440] ? __pfx_kthread+0x10/0x10 [ 13.912460] ret_from_fork_asm+0x1a/0x30 [ 13.912491] </TASK> [ 13.912502] [ 13.927652] The buggy address belongs to the physical page: [ 13.928262] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a18 [ 13.928734] flags: 0x200000000000000(node=0|zone=2) [ 13.929195] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 13.929709] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 13.930337] page dumped because: kasan: bad access detected [ 13.930710] [ 13.930976] Memory state around the buggy address: [ 13.931259] ffff888102a17f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.931778] ffff888102a17f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.932288] >ffff888102a18000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.932788] ^ [ 13.932964] ffff888102a18080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.933268] ffff888102a18100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.933923] ================================================================== [ 13.822421] ================================================================== [ 13.823340] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.823597] Read of size 1 at addr ffff8881039c0000 by task kunit_try_catch/246 [ 13.824174] [ 13.824271] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.824321] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.824333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.824357] Call Trace: [ 13.824372] <TASK> [ 13.824393] dump_stack_lvl+0x73/0xb0 [ 13.824426] print_report+0xd1/0x610 [ 13.824448] ? __virt_addr_valid+0x1db/0x2d0 [ 13.824474] ? mempool_uaf_helper+0x392/0x400 [ 13.824496] ? kasan_addr_to_slab+0x11/0xa0 [ 13.824518] ? mempool_uaf_helper+0x392/0x400 [ 13.824539] kasan_report+0x141/0x180 [ 13.824561] ? mempool_uaf_helper+0x392/0x400 [ 13.824588] __asan_report_load1_noabort+0x18/0x20 [ 13.824612] mempool_uaf_helper+0x392/0x400 [ 13.824635] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.824657] ? update_load_avg+0x1be/0x21b0 [ 13.824685] ? finish_task_switch.isra.0+0x153/0x700 [ 13.824711] mempool_kmalloc_large_uaf+0xef/0x140 [ 13.824734] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 13.824760] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.824785] ? __pfx_mempool_kfree+0x10/0x10 [ 13.824809] ? __pfx_read_tsc+0x10/0x10 [ 13.824831] ? ktime_get_ts64+0x86/0x230 [ 13.824861] kunit_try_run_case+0x1a5/0x480 [ 13.824889] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.824913] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.824939] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.824963] ? __kthread_parkme+0x82/0x180 [ 13.824985] ? preempt_count_sub+0x50/0x80 [ 13.825020] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.825046] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.825070] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.825094] kthread+0x337/0x6f0 [ 13.825113] ? trace_preempt_on+0x20/0xc0 [ 13.825137] ? __pfx_kthread+0x10/0x10 [ 13.825157] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.825178] ? calculate_sigpending+0x7b/0xa0 [ 13.825203] ? __pfx_kthread+0x10/0x10 [ 13.825243] ret_from_fork+0x116/0x1d0 [ 13.825262] ? __pfx_kthread+0x10/0x10 [ 13.825283] ret_from_fork_asm+0x1a/0x30 [ 13.825315] </TASK> [ 13.825326] [ 13.840488] The buggy address belongs to the physical page: [ 13.841039] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c0 [ 13.841871] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.842271] flags: 0x200000000000040(head|node=0|zone=2) [ 13.842889] page_type: f8(unknown) [ 13.843339] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.844069] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.844919] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 13.845520] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 13.845762] head: 0200000000000002 ffffea00040e7001 00000000ffffffff 00000000ffffffff [ 13.845997] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 13.846297] page dumped because: kasan: bad access detected [ 13.846487] [ 13.846561] Memory state around the buggy address: [ 13.846788] ffff8881039bff00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.847500] ffff8881039bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.847875] >ffff8881039c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.848418] ^ [ 13.848594] ffff8881039c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.848870] ffff8881039c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 13.849223] ==================================================================