Date
May 23, 2025, 11:07 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 30.365951] ================================================================== [ 30.366163] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 30.366395] Read of size 1 at addr fff00000c775a400 by task kunit_try_catch/229 [ 30.367587] [ 30.367763] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT [ 30.368140] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.368213] Hardware name: linux,dummy-virt (DT) [ 30.368294] Call trace: [ 30.368363] show_stack+0x20/0x38 (C) [ 30.369089] dump_stack_lvl+0x8c/0xd0 [ 30.369269] print_report+0x118/0x608 [ 30.369399] kasan_report+0xdc/0x128 [ 30.369548] __asan_report_load1_noabort+0x20/0x30 [ 30.369699] mempool_uaf_helper+0x314/0x340 [ 30.369841] mempool_kmalloc_uaf+0xc4/0x120 [ 30.369989] kunit_try_run_case+0x170/0x3f0 [ 30.370146] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.370308] kthread+0x328/0x630 [ 30.370485] ret_from_fork+0x10/0x20 [ 30.370691] [ 30.370769] Allocated by task 229: [ 30.370890] kasan_save_stack+0x3c/0x68 [ 30.371008] kasan_save_track+0x20/0x40 [ 30.371111] kasan_save_alloc_info+0x40/0x58 [ 30.371232] __kasan_mempool_unpoison_object+0x11c/0x180 [ 30.371361] remove_element+0x130/0x1f8 [ 30.371500] mempool_alloc_preallocated+0x58/0xc0 [ 30.371621] mempool_uaf_helper+0xa4/0x340 [ 30.371739] mempool_kmalloc_uaf+0xc4/0x120 [ 30.372402] kunit_try_run_case+0x170/0x3f0 [ 30.372602] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.372732] kthread+0x328/0x630 [ 30.373020] ret_from_fork+0x10/0x20 [ 30.373139] [ 30.373212] Freed by task 229: [ 30.373292] kasan_save_stack+0x3c/0x68 [ 30.373460] kasan_save_track+0x20/0x40 [ 30.373637] kasan_save_free_info+0x4c/0x78 [ 30.373892] __kasan_mempool_poison_object+0xc0/0x150 [ 30.374035] mempool_free+0x28c/0x328 [ 30.374246] mempool_uaf_helper+0x104/0x340 [ 30.374969] mempool_kmalloc_uaf+0xc4/0x120 [ 30.375184] kunit_try_run_case+0x170/0x3f0 [ 30.375864] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.376026] kthread+0x328/0x630 [ 30.376119] ret_from_fork+0x10/0x20 [ 30.376209] [ 30.376265] The buggy address belongs to the object at fff00000c775a400 [ 30.376265] which belongs to the cache kmalloc-128 of size 128 [ 30.377286] The buggy address is located 0 bytes inside of [ 30.377286] freed 128-byte region [fff00000c775a400, fff00000c775a480) [ 30.377861] [ 30.377926] The buggy address belongs to the physical page: [ 30.378027] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10775a [ 30.378179] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.378327] page_type: f5(slab) [ 30.378465] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 30.378619] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 30.378745] page dumped because: kasan: bad access detected [ 30.378836] [ 30.378894] Memory state around the buggy address: [ 30.378992] fff00000c775a300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.379126] fff00000c775a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.379260] >fff00000c775a400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.381133] ^ [ 30.381237] fff00000c775a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.381922] fff00000c775a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.382047] ================================================================== [ 30.463926] ================================================================== [ 30.464992] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 30.465377] Read of size 1 at addr fff00000c77a1240 by task kunit_try_catch/233 [ 30.465521] [ 30.465611] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT [ 30.467243] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.467347] Hardware name: linux,dummy-virt (DT) [ 30.467791] Call trace: [ 30.468026] show_stack+0x20/0x38 (C) [ 30.468266] dump_stack_lvl+0x8c/0xd0 [ 30.468392] print_report+0x118/0x608 [ 30.468512] kasan_report+0xdc/0x128 [ 30.468647] __asan_report_load1_noabort+0x20/0x30 [ 30.468780] mempool_uaf_helper+0x314/0x340 [ 30.468920] mempool_slab_uaf+0xc0/0x118 [ 30.469043] kunit_try_run_case+0x170/0x3f0 [ 30.469186] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.469338] kthread+0x328/0x630 [ 30.469469] ret_from_fork+0x10/0x20 [ 30.469634] [ 30.469722] Allocated by task 233: [ 30.469850] kasan_save_stack+0x3c/0x68 [ 30.470015] kasan_save_track+0x20/0x40 [ 30.470176] kasan_save_alloc_info+0x40/0x58 [ 30.470329] __kasan_mempool_unpoison_object+0xbc/0x180 [ 30.470518] remove_element+0x16c/0x1f8 [ 30.470644] mempool_alloc_preallocated+0x58/0xc0 [ 30.470765] mempool_uaf_helper+0xa4/0x340 [ 30.470887] mempool_slab_uaf+0xc0/0x118 [ 30.470991] kunit_try_run_case+0x170/0x3f0 [ 30.471126] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.471290] kthread+0x328/0x630 [ 30.471423] ret_from_fork+0x10/0x20 [ 30.471579] [ 30.471634] Freed by task 233: [ 30.471709] kasan_save_stack+0x3c/0x68 [ 30.471815] kasan_save_track+0x20/0x40 [ 30.471936] kasan_save_free_info+0x4c/0x78 [ 30.472044] __kasan_mempool_poison_object+0xc0/0x150 [ 30.472150] mempool_free+0x28c/0x328 [ 30.472261] mempool_uaf_helper+0x104/0x340 [ 30.472424] mempool_slab_uaf+0xc0/0x118 [ 30.472560] kunit_try_run_case+0x170/0x3f0 [ 30.472691] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.472881] kthread+0x328/0x630 [ 30.472981] ret_from_fork+0x10/0x20 [ 30.473066] [ 30.473110] The buggy address belongs to the object at fff00000c77a1240 [ 30.473110] which belongs to the cache test_cache of size 123 [ 30.473267] The buggy address is located 0 bytes inside of [ 30.473267] freed 123-byte region [fff00000c77a1240, fff00000c77a12bb) [ 30.473484] [ 30.473551] The buggy address belongs to the physical page: [ 30.473641] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077a1 [ 30.473785] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.473947] page_type: f5(slab) [ 30.474059] raw: 0bfffe0000000000 fff00000c11fdc80 dead000000000122 0000000000000000 [ 30.474200] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 30.474323] page dumped because: kasan: bad access detected [ 30.474420] [ 30.474492] Memory state around the buggy address: [ 30.474597] fff00000c77a1100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.474731] fff00000c77a1180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.474864] >fff00000c77a1200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 30.474980] ^ [ 30.475082] fff00000c77a1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.475199] fff00000c77a1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.475309] ==================================================================
[ 14.216708] ================================================================== [ 14.217285] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.217718] Read of size 1 at addr ffff888102a49240 by task kunit_try_catch/250 [ 14.218100] [ 14.218205] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary) [ 14.218254] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.218266] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.218288] Call Trace: [ 14.218314] <TASK> [ 14.218332] dump_stack_lvl+0x73/0xb0 [ 14.218363] print_report+0xd1/0x650 [ 14.218386] ? __virt_addr_valid+0x1db/0x2d0 [ 14.218409] ? mempool_uaf_helper+0x392/0x400 [ 14.218432] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.218456] ? mempool_uaf_helper+0x392/0x400 [ 14.218488] kasan_report+0x141/0x180 [ 14.218511] ? mempool_uaf_helper+0x392/0x400 [ 14.218538] __asan_report_load1_noabort+0x18/0x20 [ 14.218560] mempool_uaf_helper+0x392/0x400 [ 14.218583] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.218610] ? finish_task_switch.isra.0+0x153/0x700 [ 14.218639] mempool_slab_uaf+0xea/0x140 [ 14.218659] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 14.218684] ? dequeue_task_fair+0x166/0x4e0 [ 14.218708] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 14.218731] ? __pfx_mempool_free_slab+0x10/0x10 [ 14.218753] ? __pfx_read_tsc+0x10/0x10 [ 14.218773] ? ktime_get_ts64+0x86/0x230 [ 14.218799] kunit_try_run_case+0x1a5/0x480 [ 14.218824] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.218845] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.218869] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.218892] ? __kthread_parkme+0x82/0x180 [ 14.218915] ? preempt_count_sub+0x50/0x80 [ 14.218938] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.218961] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.218984] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.219006] kthread+0x337/0x6f0 [ 14.219023] ? trace_preempt_on+0x20/0xc0 [ 14.219047] ? __pfx_kthread+0x10/0x10 [ 14.219065] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.219086] ? calculate_sigpending+0x7b/0xa0 [ 14.219108] ? __pfx_kthread+0x10/0x10 [ 14.219127] ret_from_fork+0x41/0x80 [ 14.219149] ? __pfx_kthread+0x10/0x10 [ 14.219167] ret_from_fork_asm+0x1a/0x30 [ 14.219199] </TASK> [ 14.219209] [ 14.227637] Allocated by task 250: [ 14.227819] kasan_save_stack+0x45/0x70 [ 14.228106] kasan_save_track+0x18/0x40 [ 14.228244] kasan_save_alloc_info+0x3b/0x50 [ 14.228820] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 14.229114] remove_element+0x11e/0x190 [ 14.229278] mempool_alloc_preallocated+0x4d/0x90 [ 14.229580] mempool_uaf_helper+0x96/0x400 [ 14.229787] mempool_slab_uaf+0xea/0x140 [ 14.229993] kunit_try_run_case+0x1a5/0x480 [ 14.230207] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.230579] kthread+0x337/0x6f0 [ 14.230763] ret_from_fork+0x41/0x80 [ 14.230937] ret_from_fork_asm+0x1a/0x30 [ 14.231114] [ 14.231188] Freed by task 250: [ 14.231358] kasan_save_stack+0x45/0x70 [ 14.231522] kasan_save_track+0x18/0x40 [ 14.231788] kasan_save_free_info+0x3f/0x60 [ 14.231956] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.232130] mempool_free+0x2ec/0x380 [ 14.232261] mempool_uaf_helper+0x11a/0x400 [ 14.232419] mempool_slab_uaf+0xea/0x140 [ 14.232616] kunit_try_run_case+0x1a5/0x480 [ 14.232824] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.233076] kthread+0x337/0x6f0 [ 14.233243] ret_from_fork+0x41/0x80 [ 14.233495] ret_from_fork_asm+0x1a/0x30 [ 14.233640] [ 14.233713] The buggy address belongs to the object at ffff888102a49240 [ 14.233713] which belongs to the cache test_cache of size 123 [ 14.234459] The buggy address is located 0 bytes inside of [ 14.234459] freed 123-byte region [ffff888102a49240, ffff888102a492bb) [ 14.234996] [ 14.235278] The buggy address belongs to the physical page: [ 14.235609] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a49 [ 14.235924] flags: 0x200000000000000(node=0|zone=2) [ 14.236180] page_type: f5(slab) [ 14.236354] raw: 0200000000000000 ffff8881020d6780 dead000000000122 0000000000000000 [ 14.236774] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 14.237208] page dumped because: kasan: bad access detected [ 14.237398] [ 14.237471] Memory state around the buggy address: [ 14.237700] ffff888102a49100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.238192] ffff888102a49180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.238663] >ffff888102a49200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 14.238889] ^ [ 14.239059] ffff888102a49280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.239654] ffff888102a49300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.239983] ================================================================== [ 14.160243] ================================================================== [ 14.160860] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.161248] Read of size 1 at addr ffff888102a2de00 by task kunit_try_catch/246 [ 14.161569] [ 14.161712] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary) [ 14.161762] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.161775] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.161798] Call Trace: [ 14.161810] <TASK> [ 14.161829] dump_stack_lvl+0x73/0xb0 [ 14.161858] print_report+0xd1/0x650 [ 14.161881] ? __virt_addr_valid+0x1db/0x2d0 [ 14.161905] ? mempool_uaf_helper+0x392/0x400 [ 14.161927] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.161950] ? mempool_uaf_helper+0x392/0x400 [ 14.161973] kasan_report+0x141/0x180 [ 14.161995] ? mempool_uaf_helper+0x392/0x400 [ 14.162022] __asan_report_load1_noabort+0x18/0x20 [ 14.162043] mempool_uaf_helper+0x392/0x400 [ 14.162066] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.162088] ? update_load_avg+0x1be/0x21b0 [ 14.162112] ? irqentry_exit+0x2a/0x60 [ 14.162135] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 14.162160] mempool_kmalloc_uaf+0xef/0x140 [ 14.162183] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.162209] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.162230] ? __pfx_mempool_kfree+0x10/0x10 [ 14.162251] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.162276] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.162313] kunit_try_run_case+0x1a5/0x480 [ 14.162338] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.162359] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.162383] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.162405] ? __kthread_parkme+0x82/0x180 [ 14.162427] ? preempt_count_sub+0x50/0x80 [ 14.162453] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.162477] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.162699] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.162733] kthread+0x337/0x6f0 [ 14.162751] ? trace_preempt_on+0x20/0xc0 [ 14.162776] ? __pfx_kthread+0x10/0x10 [ 14.162795] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.162816] ? calculate_sigpending+0x7b/0xa0 [ 14.162838] ? __pfx_kthread+0x10/0x10 [ 14.162857] ret_from_fork+0x41/0x80 [ 14.162878] ? __pfx_kthread+0x10/0x10 [ 14.162896] ret_from_fork_asm+0x1a/0x30 [ 14.162928] </TASK> [ 14.162941] [ 14.170962] Allocated by task 246: [ 14.171164] kasan_save_stack+0x45/0x70 [ 14.171356] kasan_save_track+0x18/0x40 [ 14.171544] kasan_save_alloc_info+0x3b/0x50 [ 14.171697] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 14.171959] remove_element+0x11e/0x190 [ 14.172176] mempool_alloc_preallocated+0x4d/0x90 [ 14.172420] mempool_uaf_helper+0x96/0x400 [ 14.172618] mempool_kmalloc_uaf+0xef/0x140 [ 14.172831] kunit_try_run_case+0x1a5/0x480 [ 14.173020] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.173270] kthread+0x337/0x6f0 [ 14.173455] ret_from_fork+0x41/0x80 [ 14.173632] ret_from_fork_asm+0x1a/0x30 [ 14.173842] [ 14.173938] Freed by task 246: [ 14.174087] kasan_save_stack+0x45/0x70 [ 14.174318] kasan_save_track+0x18/0x40 [ 14.174530] kasan_save_free_info+0x3f/0x60 [ 14.174765] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.174976] mempool_free+0x2ec/0x380 [ 14.175109] mempool_uaf_helper+0x11a/0x400 [ 14.175259] mempool_kmalloc_uaf+0xef/0x140 [ 14.175424] kunit_try_run_case+0x1a5/0x480 [ 14.175666] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.175941] kthread+0x337/0x6f0 [ 14.176110] ret_from_fork+0x41/0x80 [ 14.176320] ret_from_fork_asm+0x1a/0x30 [ 14.176638] [ 14.176738] The buggy address belongs to the object at ffff888102a2de00 [ 14.176738] which belongs to the cache kmalloc-128 of size 128 [ 14.177237] The buggy address is located 0 bytes inside of [ 14.177237] freed 128-byte region [ffff888102a2de00, ffff888102a2de80) [ 14.177818] [ 14.177937] The buggy address belongs to the physical page: [ 14.178158] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a2d [ 14.178415] flags: 0x200000000000000(node=0|zone=2) [ 14.178584] page_type: f5(slab) [ 14.178744] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 14.179094] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 14.179557] page dumped because: kasan: bad access detected [ 14.179822] [ 14.179894] Memory state around the buggy address: [ 14.180141] ffff888102a2dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.180465] ffff888102a2dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.180742] >ffff888102a2de00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.180956] ^ [ 14.181072] ffff888102a2de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.181354] ffff888102a2df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 14.182016] ==================================================================