Date
July 20, 2025, 8:11 p.m.
Environment: qemu-arm64

```
[ 17.220312] ==================================================================
[ 17.220392] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.220719] Read of size 1 at addr fff00000c77ac000 by task kunit_try_catch/234
[ 17.220790]
[ 17.220828] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.220992] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.221135] Hardware name: linux,dummy-virt (DT)
[ 17.221218] Call trace:
[ 17.221396]  show_stack+0x20/0x38 (C)
[ 17.221529]  dump_stack_lvl+0x8c/0xd0
[ 17.221668]  print_report+0x118/0x5d0
[ 17.221792]  kasan_report+0xdc/0x128
[ 17.221841]  __asan_report_load1_noabort+0x20/0x30
[ 17.221901]  mempool_uaf_helper+0x314/0x340
[ 17.221949]  mempool_page_alloc_uaf+0xc0/0x118
[ 17.221997]  kunit_try_run_case+0x170/0x3f0
[ 17.222280]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.222440]  kthread+0x328/0x630
[ 17.222510]  ret_from_fork+0x10/0x20
[ 17.222582]
[ 17.222610] The buggy address belongs to the physical page:
[ 17.222666] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077ac
[ 17.222721] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.222791] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 17.222842] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 17.222889] page dumped because: kasan: bad access detected
[ 17.222933]
[ 17.222951] Memory state around the buggy address:
[ 17.223002]  fff00000c77abf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.223052]  fff00000c77abf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.223109] >fff00000c77ac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.223147]                    ^
[ 17.223178]  fff00000c77ac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.223232]  fff00000c77ac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.223271] ==================================================================
[ 17.171454] ==================================================================
[ 17.171516] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.171566] Read of size 1 at addr fff00000c77ac000 by task kunit_try_catch/230
[ 17.171619]
[ 17.172347] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.172859] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.173029] Hardware name: linux,dummy-virt (DT)
[ 17.173068] Call trace:
[ 17.173093]  show_stack+0x20/0x38 (C)
[ 17.173149]  dump_stack_lvl+0x8c/0xd0
[ 17.173206]  print_report+0x118/0x5d0
[ 17.173503]  kasan_report+0xdc/0x128
[ 17.173556]  __asan_report_load1_noabort+0x20/0x30
[ 17.173957]  mempool_uaf_helper+0x314/0x340
[ 17.174012]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 17.174362]  kunit_try_run_case+0x170/0x3f0
[ 17.174539]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.174602]  kthread+0x328/0x630
[ 17.174971]  ret_from_fork+0x10/0x20
[ 17.175024]
[ 17.175231] The buggy address belongs to the physical page:
[ 17.175267] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077ac
[ 17.175672] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 17.175957] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 17.176252] page_type: f8(unknown)
[ 17.176299] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 17.176594] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 17.176749] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 17.176829] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 17.177292] head: 0bfffe0000000002 ffffc1ffc31deb01 00000000ffffffff 00000000ffffffff
[ 17.177457] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 17.177815] page dumped because: kasan: bad access detected
[ 17.177856]
[ 17.177875] Memory state around the buggy address:
[ 17.178018]  fff00000c77abf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.178088]  fff00000c77abf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.178132] >fff00000c77ac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.178497]                    ^
[ 17.178778]  fff00000c77ac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.178903]  fff00000c77ac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.178976] ==================================================================
```

Environment: qemu-x86_64

```
[ 14.544299] ==================================================================
[ 14.545634] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.547253] Read of size 1 at addr ffff8881039f0000 by task kunit_try_catch/251
[ 14.547589]
[ 14.547691] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 14.547744] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.547756] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.547790] Call Trace:
[ 14.547805]  <TASK>
[ 14.547825]  dump_stack_lvl+0x73/0xb0
[ 14.547863]  print_report+0xd1/0x610
[ 14.547887]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.547911]  ? mempool_uaf_helper+0x392/0x400
[ 14.547936]  ? kasan_addr_to_slab+0x11/0xa0
[ 14.547959]  ? mempool_uaf_helper+0x392/0x400
[ 14.547983]  kasan_report+0x141/0x180
[ 14.548005]  ? mempool_uaf_helper+0x392/0x400
[ 14.548033]  __asan_report_load1_noabort+0x18/0x20
[ 14.548059]  mempool_uaf_helper+0x392/0x400
[ 14.548082]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.548106]  ? __kasan_check_write+0x18/0x20
[ 14.548127]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.548150]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.548176]  mempool_page_alloc_uaf+0xed/0x140
[ 14.548201]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 14.548228]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 14.548255]  ? __pfx_mempool_free_pages+0x10/0x10
[ 14.548282]  ? __pfx_read_tsc+0x10/0x10
[ 14.548304]  ? ktime_get_ts64+0x86/0x230
[ 14.548329]  kunit_try_run_case+0x1a5/0x480
[ 14.548354]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.548377]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.548403]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.548427]  ? __kthread_parkme+0x82/0x180
[ 14.548449]  ? preempt_count_sub+0x50/0x80
[ 14.548482]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.548507]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.548531]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.548555]  kthread+0x337/0x6f0
[ 14.548575]  ? trace_preempt_on+0x20/0xc0
[ 14.548600]  ? __pfx_kthread+0x10/0x10
[ 14.548621]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.548644]  ? calculate_sigpending+0x7b/0xa0
[ 14.548669]  ? __pfx_kthread+0x10/0x10
[ 14.548691]  ret_from_fork+0x116/0x1d0
[ 14.548710]  ? __pfx_kthread+0x10/0x10
[ 14.548731]  ret_from_fork_asm+0x1a/0x30
[ 14.548762]  </TASK>
[ 14.548774]
[ 14.563883] The buggy address belongs to the physical page:
[ 14.564359] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f0
[ 14.564634] flags: 0x200000000000000(node=0|zone=2)
[ 14.564869] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 14.565647] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 14.566434] page dumped because: kasan: bad access detected
[ 14.566987]
[ 14.567246] Memory state around the buggy address:
[ 14.567699]  ffff8881039eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.568070]  ffff8881039eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.568299] >ffff8881039f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.568536]                    ^
[ 14.568668]  ffff8881039f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.569146]  ffff8881039f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.569482] ==================================================================
[ 14.487834] ==================================================================
[ 14.488316] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.488675] Read of size 1 at addr ffff8881039b8000 by task kunit_try_catch/247
[ 14.489034]
[ 14.489131] CPU: 0 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 14.489181] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.489194] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.489218] Call Trace:
[ 14.489231]  <TASK>
[ 14.489249]  dump_stack_lvl+0x73/0xb0
[ 14.489281]  print_report+0xd1/0x610
[ 14.489305]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.489330]  ? mempool_uaf_helper+0x392/0x400
[ 14.489353]  ? kasan_addr_to_slab+0x11/0xa0
[ 14.489375]  ? mempool_uaf_helper+0x392/0x400
[ 14.489398]  kasan_report+0x141/0x180
[ 14.489420]  ? mempool_uaf_helper+0x392/0x400
[ 14.489448]  __asan_report_load1_noabort+0x18/0x20
[ 14.489485]  mempool_uaf_helper+0x392/0x400
[ 14.489509]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.489533]  ? __kasan_check_write+0x18/0x20
[ 14.489553]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.489578]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.489606]  mempool_kmalloc_large_uaf+0xef/0x140
[ 14.489632]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 14.489659]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.489685]  ? __pfx_mempool_kfree+0x10/0x10
[ 14.489712]  ? __pfx_read_tsc+0x10/0x10
[ 14.489734]  ? ktime_get_ts64+0x86/0x230
[ 14.489761]  kunit_try_run_case+0x1a5/0x480
[ 14.489846]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.489871]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.489896]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.489920]  ? __kthread_parkme+0x82/0x180
[ 14.489943]  ? preempt_count_sub+0x50/0x80
[ 14.489967]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.489991]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.490015]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.490040]  kthread+0x337/0x6f0
[ 14.490060]  ? trace_preempt_on+0x20/0xc0
[ 14.490085]  ? __pfx_kthread+0x10/0x10
[ 14.490113]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.490135]  ? calculate_sigpending+0x7b/0xa0
[ 14.490161]  ? __pfx_kthread+0x10/0x10
[ 14.490183]  ret_from_fork+0x116/0x1d0
[ 14.490203]  ? __pfx_kthread+0x10/0x10
[ 14.490225]  ret_from_fork_asm+0x1a/0x30
[ 14.490257]  </TASK>
[ 14.490269]
[ 14.499517] The buggy address belongs to the physical page:
[ 14.499730] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039b8
[ 14.500532] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 14.500837] flags: 0x200000000000040(head|node=0|zone=2)
[ 14.501092] page_type: f8(unknown)
[ 14.501491] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.501817] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.502184] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.502521] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.502836] head: 0200000000000002 ffffea00040e6e01 00000000ffffffff 00000000ffffffff
[ 14.503331] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 14.503592] page dumped because: kasan: bad access detected
[ 14.503892]
[ 14.504003] Memory state around the buggy address:
[ 14.504366]  ffff8881039b7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.504643]  ffff8881039b7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.505143] >ffff8881039b8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.505414]                    ^
[ 14.505601]  ffff8881039b8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.505921]  ffff8881039b8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.506292] ==================================================================
```
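Every report above carries the same three marks: the access is made by task `kunit_try_catch`, the kernel is tainted `[N]=TEST`, and the backtrace has a `mempool_*_uaf` test case frame directly above `kunit_try_run_case`. Those marks are what lets a CI consumer tell a KUnit KASAN test tripping the sanitizer on purpose from a real use-after-free, because the `BUG: KASAN:` banner itself is identical in both cases. The triager below is an added example, not code from this results page, from KernelCI or from the kernel tree; its sample log is a constructed, abridged copy of two of the reports above, and the `expected-kunit-splat` / `needs-triage` labels are this example's own.

```python
"""Triage KASAN reports in a kernel log for CI.  Added example, not code from this
results page, KernelCI or the kernel tree: it splits the log into reports, pulls out
the fields a triager wants, and labels a report an expected KUnit splat when it has
the marks seen above (task kunit_try_catch, [N]=TEST taint, kunit_try_run_case)."""
import re

# Constructed sample, abridged from two of the reports on this page.
SAMPLE_LOG = """\
[   17.220312] ==================================================================
[   17.220392] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   17.220719] Read of size 1 at addr fff00000c77ac000 by task kunit_try_catch/234
[   17.220992] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.221218] Call trace:
[   17.221901]  mempool_uaf_helper+0x314/0x340
[   17.221949]  mempool_page_alloc_uaf+0xc0/0x118
[   17.221997]  kunit_try_run_case+0x170/0x3f0
[   17.222582]
[   17.222610] The buggy address belongs to the physical page:
[   17.223271] ==================================================================
[   14.487834] ==================================================================
[   14.488316] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   14.488675] Read of size 1 at addr ffff8881039b8000 by task kunit_try_catch/247
[   14.489181] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.489218] Call Trace:
[   14.489231]  <TASK>
[   14.489249]  dump_stack_lvl+0x73/0xb0
[   14.489305]  ? __virt_addr_valid+0x1db/0x2d0
[   14.489485]  mempool_uaf_helper+0x392/0x400
[   14.489509]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.489606]  mempool_kmalloc_large_uaf+0xef/0x140
[   14.489761]  kunit_try_run_case+0x1a5/0x480
[   14.490225]  ret_from_fork_asm+0x1a/0x30
[   14.490257]  </TASK>
[   14.506292] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")        # "[   17.220312] " prefix
BANNER = re.compile(r"^=+$")                    # line that opens/closes a report
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
# Backtrace frame; a leading "? " (x86) marks it unreliable and it is dropped.
FRAME = re.compile(r"^\s*(?P<unreliable>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)"
                   r"\+0x[0-9a-f]+/0x[0-9a-f]+")


def split_reports(log):
    """Strip timestamps; return the body of each banner-delimited report."""
    reports, body = [], None
    for line in log.splitlines():
        line = TS.sub("", line)
        if BANNER.match(line.strip()):
            if body is None:
                body = []                  # opening banner
            else:
                reports.append(body)       # closing banner
                body = None
        elif body is not None:
            body.append(line)
    return reports


def parse_report(body):
    """Pull the triage fields out of one report body (timestamps stripped)."""
    r, in_trace = {"test_taint": False, "frames": []}, False
    for line in body:
        mb, ma = BUG.search(line), ACCESS.search(line)
        if mb:
            r["kind"], r["func"] = mb["kind"], mb["func"]
        elif ma:
            r.update(access=ma["rw"], size=int(ma["size"]), addr=int(ma["addr"], 16),
                     task=ma["task"], pid=int(ma["pid"]))
        elif "[N]=TEST" in line:
            r["test_taint"] = True
        elif line.strip().lower() == "call trace:":
            in_trace = True
        elif in_trace:
            m = FRAME.match(line)
            if m and not m["unreliable"]:
                r["frames"].append(m["sym"])   # reliable frames, innermost first
            elif not m and line.strip() not in ("", "<TASK>"):
                in_trace = False               # first non-frame line ends the trace
    if "kind" not in r or "access" not in r:
        raise ValueError("not a KASAN report")
    fr = r["frames"]                           # test case = frame above kunit_try_run_case
    i = fr.index("kunit_try_run_case") if "kunit_try_run_case" in fr else 0
    r["kunit_case"] = fr[i - 1] if i > 0 else None
    expected = r["task"] == "kunit_try_catch" and r["test_taint"] and r["kunit_case"]
    r["verdict"] = "expected-kunit-splat" if expected else "needs-triage"
    return r


def triage(log):
    return [parse_report(body) for body in split_reports(log)]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:21} {r['kind']} in {r['func']} by {r['task']}/{r['pid']}"
              f" (KUnit case: {r['kunit_case']})")
```

Run it on a full boot log rather than the sample and the `needs-triage` reports are the ones worth a human's time; for the `expected-kunit-splat` ones the `kunit_case` field gives the test name to match against the KUnit result lines, since a test that trips KASAN but then reports a failure is still a regression. Unreliable `? ` frames are dropped before picking the test case so that a stale `__pfx_` or interrupted-context frame cannot be mistaken for the caller.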