Hay
Date: July 3, 2025, 11:10 p.m.

Environment: qemu-arm64, qemu-x86_64

[   22.196315] ==================================================================
[   22.196639] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   22.197076] Read of size 1 at addr fff00000c636e240 by task kunit_try_catch/231
[   22.197279] 
[   22.197380] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   22.197936] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.198157] Hardware name: linux,dummy-virt (DT)
[   22.198290] Call trace:
[   22.198348]  show_stack+0x20/0x38 (C)
[   22.198661]  dump_stack_lvl+0x8c/0xd0
[   22.198827]  print_report+0x118/0x608
[   22.199089]  kasan_report+0xdc/0x128
[   22.199326]  __asan_report_load1_noabort+0x20/0x30
[   22.199605]  mempool_uaf_helper+0x314/0x340
[   22.199777]  mempool_slab_uaf+0xc0/0x118
[   22.199982]  kunit_try_run_case+0x170/0x3f0
[   22.200218]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.200572]  kthread+0x328/0x630
[   22.200689]  ret_from_fork+0x10/0x20
[   22.200868] 
[   22.201104] Allocated by task 231:
[   22.201275]  kasan_save_stack+0x3c/0x68
[   22.201414]  kasan_save_track+0x20/0x40
[   22.201501]  kasan_save_alloc_info+0x40/0x58
[   22.201939]  __kasan_mempool_unpoison_object+0xbc/0x180
[   22.202058]  remove_element+0x16c/0x1f8
[   22.202284]  mempool_alloc_preallocated+0x58/0xc0
[   22.202451]  mempool_uaf_helper+0xa4/0x340
[   22.202764]  mempool_slab_uaf+0xc0/0x118
[   22.202946]  kunit_try_run_case+0x170/0x3f0
[   22.203101]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.203319]  kthread+0x328/0x630
[   22.203387]  ret_from_fork+0x10/0x20
[   22.203685] 
[   22.203742] Freed by task 231:
[   22.203877]  kasan_save_stack+0x3c/0x68
[   22.204115]  kasan_save_track+0x20/0x40
[   22.204318]  kasan_save_free_info+0x4c/0x78
[   22.204480]  __kasan_mempool_poison_object+0xc0/0x150
[   22.204637]  mempool_free+0x28c/0x328
[   22.205062]  mempool_uaf_helper+0x104/0x340
[   22.205173]  mempool_slab_uaf+0xc0/0x118
[   22.205301]  kunit_try_run_case+0x170/0x3f0
[   22.205544]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.205741]  kthread+0x328/0x630
[   22.205976]  ret_from_fork+0x10/0x20
[   22.206061] 
[   22.206298] The buggy address belongs to the object at fff00000c636e240
[   22.206298]  which belongs to the cache test_cache of size 123
[   22.206502] The buggy address is located 0 bytes inside of
[   22.206502]  freed 123-byte region [fff00000c636e240, fff00000c636e2bb)
[   22.206763] 
[   22.206908] The buggy address belongs to the physical page:
[   22.207011] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10636e
[   22.207148] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   22.207555] page_type: f5(slab)
[   22.207667] raw: 0bfffe0000000000 fff00000c6de68c0 dead000000000122 0000000000000000
[   22.207870] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   22.208139] page dumped because: kasan: bad access detected
[   22.208239] 
[   22.208517] Memory state around the buggy address:
[   22.208668]  fff00000c636e100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.208763]  fff00000c636e180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.208955] >fff00000c636e200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   22.209134]                                            ^
[   22.209233]  fff00000c636e280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.209415]  fff00000c636e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.209508] ==================================================================
[   22.131373] ==================================================================
[   22.131524] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   22.131673] Read of size 1 at addr fff00000c77ef600 by task kunit_try_catch/227
[   22.131791] 
[   22.131884] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   22.132478] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.132622] Hardware name: linux,dummy-virt (DT)
[   22.132744] Call trace:
[   22.132828]  show_stack+0x20/0x38 (C)
[   22.133011]  dump_stack_lvl+0x8c/0xd0
[   22.133205]  print_report+0x118/0x608
[   22.133358]  kasan_report+0xdc/0x128
[   22.133508]  __asan_report_load1_noabort+0x20/0x30
[   22.133610]  mempool_uaf_helper+0x314/0x340
[   22.133739]  mempool_kmalloc_uaf+0xc4/0x120
[   22.133839]  kunit_try_run_case+0x170/0x3f0
[   22.134013]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.134149]  kthread+0x328/0x630
[   22.134251]  ret_from_fork+0x10/0x20
[   22.134368] 
[   22.134437] Allocated by task 227:
[   22.134524]  kasan_save_stack+0x3c/0x68
[   22.134611]  kasan_save_track+0x20/0x40
[   22.134741]  kasan_save_alloc_info+0x40/0x58
[   22.134849]  __kasan_mempool_unpoison_object+0x11c/0x180
[   22.134948]  remove_element+0x130/0x1f8
[   22.135041]  mempool_alloc_preallocated+0x58/0xc0
[   22.135118]  mempool_uaf_helper+0xa4/0x340
[   22.135223]  mempool_kmalloc_uaf+0xc4/0x120
[   22.135300]  kunit_try_run_case+0x170/0x3f0
[   22.135417]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.135560]  kthread+0x328/0x630
[   22.135650]  ret_from_fork+0x10/0x20
[   22.135735] 
[   22.135779] Freed by task 227:
[   22.135873]  kasan_save_stack+0x3c/0x68
[   22.135972]  kasan_save_track+0x20/0x40
[   22.136086]  kasan_save_free_info+0x4c/0x78
[   22.136177]  __kasan_mempool_poison_object+0xc0/0x150
[   22.136270]  mempool_free+0x28c/0x328
[   22.136351]  mempool_uaf_helper+0x104/0x340
[   22.136437]  mempool_kmalloc_uaf+0xc4/0x120
[   22.136585]  kunit_try_run_case+0x170/0x3f0
[   22.136712]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.136817]  kthread+0x328/0x630
[   22.136892]  ret_from_fork+0x10/0x20
[   22.136973] 
[   22.137019] The buggy address belongs to the object at fff00000c77ef600
[   22.137019]  which belongs to the cache kmalloc-128 of size 128
[   22.137158] The buggy address is located 0 bytes inside of
[   22.137158]  freed 128-byte region [fff00000c77ef600, fff00000c77ef680)
[   22.137406] 
[   22.137456] The buggy address belongs to the physical page:
[   22.137616] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077ef
[   22.137798] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   22.137921] page_type: f5(slab)
[   22.138007] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   22.138134] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   22.138271] page dumped because: kasan: bad access detected
[   22.138336] 
[   22.138377] Memory state around the buggy address:
[   22.138455]  fff00000c77ef500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.138594]  fff00000c77ef580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.138908] >fff00000c77ef600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.139000]                    ^
[   22.139075]  fff00000c77ef680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.139167]  fff00000c77ef700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   22.139258] ==================================================================

[   13.101639] ==================================================================
[   13.102102] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.103075] Read of size 1 at addr ffff88810319c240 by task kunit_try_catch/248
[   13.103878] 
[   13.103983] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   13.104031] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.104044] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.104066] Call Trace:
[   13.104079]  <TASK>
[   13.104093]  dump_stack_lvl+0x73/0xb0
[   13.104136]  print_report+0xd1/0x650
[   13.104159]  ? __virt_addr_valid+0x1db/0x2d0
[   13.104184]  ? mempool_uaf_helper+0x392/0x400
[   13.104206]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.104229]  ? mempool_uaf_helper+0x392/0x400
[   13.104250]  kasan_report+0x141/0x180
[   13.104271]  ? mempool_uaf_helper+0x392/0x400
[   13.104296]  __asan_report_load1_noabort+0x18/0x20
[   13.104320]  mempool_uaf_helper+0x392/0x400
[   13.104342]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.104363]  ? update_load_avg+0x1be/0x21b0
[   13.104391]  ? finish_task_switch.isra.0+0x153/0x700
[   13.104416]  mempool_slab_uaf+0xea/0x140
[   13.104439]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.104463]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.104484]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.104548]  ? __pfx_read_tsc+0x10/0x10
[   13.104570]  ? ktime_get_ts64+0x86/0x230
[   13.104595]  kunit_try_run_case+0x1a5/0x480
[   13.104621]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.104643]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.104667]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.104689]  ? __kthread_parkme+0x82/0x180
[   13.104710]  ? preempt_count_sub+0x50/0x80
[   13.104732]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.104754]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.104777]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.104800]  kthread+0x337/0x6f0
[   13.104818]  ? trace_preempt_on+0x20/0xc0
[   13.104841]  ? __pfx_kthread+0x10/0x10
[   13.104861]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.104881]  ? calculate_sigpending+0x7b/0xa0
[   13.104904]  ? __pfx_kthread+0x10/0x10
[   13.104925]  ret_from_fork+0x116/0x1d0
[   13.104943]  ? __pfx_kthread+0x10/0x10
[   13.104963]  ret_from_fork_asm+0x1a/0x30
[   13.104993]  </TASK>
[   13.105005] 
[   13.116301] Allocated by task 248:
[   13.116543]  kasan_save_stack+0x45/0x70
[   13.116739]  kasan_save_track+0x18/0x40
[   13.116916]  kasan_save_alloc_info+0x3b/0x50
[   13.117111]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.117788]  remove_element+0x11e/0x190
[   13.117984]  mempool_alloc_preallocated+0x4d/0x90
[   13.118523]  mempool_uaf_helper+0x96/0x400
[   13.118780]  mempool_slab_uaf+0xea/0x140
[   13.119079]  kunit_try_run_case+0x1a5/0x480
[   13.119535]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.119781]  kthread+0x337/0x6f0
[   13.119935]  ret_from_fork+0x116/0x1d0
[   13.120107]  ret_from_fork_asm+0x1a/0x30
[   13.120289] 
[   13.120691] Freed by task 248:
[   13.120848]  kasan_save_stack+0x45/0x70
[   13.121025]  kasan_save_track+0x18/0x40
[   13.121577]  kasan_save_free_info+0x3f/0x60
[   13.121865]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.122408]  mempool_free+0x2ec/0x380
[   13.122598]  mempool_uaf_helper+0x11a/0x400
[   13.122785]  mempool_slab_uaf+0xea/0x140
[   13.122967]  kunit_try_run_case+0x1a5/0x480
[   13.123401]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.123841]  kthread+0x337/0x6f0
[   13.124151]  ret_from_fork+0x116/0x1d0
[   13.124460]  ret_from_fork_asm+0x1a/0x30
[   13.124845] 
[   13.124942] The buggy address belongs to the object at ffff88810319c240
[   13.124942]  which belongs to the cache test_cache of size 123
[   13.125957] The buggy address is located 0 bytes inside of
[   13.125957]  freed 123-byte region [ffff88810319c240, ffff88810319c2bb)
[   13.126833] 
[   13.126933] The buggy address belongs to the physical page:
[   13.127456] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10319c
[   13.127913] flags: 0x200000000000000(node=0|zone=2)
[   13.128402] page_type: f5(slab)
[   13.128595] raw: 0200000000000000 ffff888100c16b40 dead000000000122 0000000000000000
[   13.128909] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.129395] page dumped because: kasan: bad access detected
[   13.129900] 
[   13.130143] Memory state around the buggy address:
[   13.130503]  ffff88810319c100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.130815]  ffff88810319c180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.131107] >ffff88810319c200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.131758]                                            ^
[   13.131986]  ffff88810319c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.132710]  ffff88810319c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.133439] ==================================================================
[   13.040080] ==================================================================
[   13.041377] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.041649] Read of size 1 at addr ffff88810319a200 by task kunit_try_catch/244
[   13.041877] 
[   13.041963] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   13.042008] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.042020] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.042042] Call Trace:
[   13.042054]  <TASK>
[   13.042069]  dump_stack_lvl+0x73/0xb0
[   13.042096]  print_report+0xd1/0x650
[   13.042118]  ? __virt_addr_valid+0x1db/0x2d0
[   13.042155]  ? mempool_uaf_helper+0x392/0x400
[   13.042176]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.042197]  ? mempool_uaf_helper+0x392/0x400
[   13.042218]  kasan_report+0x141/0x180
[   13.042240]  ? mempool_uaf_helper+0x392/0x400
[   13.042327]  __asan_report_load1_noabort+0x18/0x20
[   13.042352]  mempool_uaf_helper+0x392/0x400
[   13.042531]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.042559]  ? __kasan_check_write+0x18/0x20
[   13.042578]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.042601]  ? finish_task_switch.isra.0+0x153/0x700
[   13.042626]  mempool_kmalloc_uaf+0xef/0x140
[   13.042648]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   13.042671]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.042694]  ? __pfx_mempool_kfree+0x10/0x10
[   13.042719]  ? __pfx_read_tsc+0x10/0x10
[   13.042741]  ? ktime_get_ts64+0x86/0x230
[   13.042764]  kunit_try_run_case+0x1a5/0x480
[   13.042788]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.042809]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.042832]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.042854]  ? __kthread_parkme+0x82/0x180
[   13.042875]  ? preempt_count_sub+0x50/0x80
[   13.042897]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.042919]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.042941]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.042963]  kthread+0x337/0x6f0
[   13.043246]  ? trace_preempt_on+0x20/0xc0
[   13.043271]  ? __pfx_kthread+0x10/0x10
[   13.043293]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.043324]  ? calculate_sigpending+0x7b/0xa0
[   13.043346]  ? __pfx_kthread+0x10/0x10
[   13.043368]  ret_from_fork+0x116/0x1d0
[   13.043385]  ? __pfx_kthread+0x10/0x10
[   13.043405]  ret_from_fork_asm+0x1a/0x30
[   13.043436]  </TASK>
[   13.043447] 
[   13.056012] Allocated by task 244:
[   13.056160]  kasan_save_stack+0x45/0x70
[   13.056309]  kasan_save_track+0x18/0x40
[   13.056682]  kasan_save_alloc_info+0x3b/0x50
[   13.056904]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   13.057166]  remove_element+0x11e/0x190
[   13.057302]  mempool_alloc_preallocated+0x4d/0x90
[   13.057480]  mempool_uaf_helper+0x96/0x400
[   13.057726]  mempool_kmalloc_uaf+0xef/0x140
[   13.057930]  kunit_try_run_case+0x1a5/0x480
[   13.058160]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.058431]  kthread+0x337/0x6f0
[   13.058599]  ret_from_fork+0x116/0x1d0
[   13.058733]  ret_from_fork_asm+0x1a/0x30
[   13.058883] 
[   13.058976] Freed by task 244:
[   13.059157]  kasan_save_stack+0x45/0x70
[   13.059432]  kasan_save_track+0x18/0x40
[   13.059618]  kasan_save_free_info+0x3f/0x60
[   13.059799]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.060033]  mempool_free+0x2ec/0x380
[   13.060256]  mempool_uaf_helper+0x11a/0x400
[   13.060579]  mempool_kmalloc_uaf+0xef/0x140
[   13.060775]  kunit_try_run_case+0x1a5/0x480
[   13.060952]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.061242]  kthread+0x337/0x6f0
[   13.061423]  ret_from_fork+0x116/0x1d0
[   13.061554]  ret_from_fork_asm+0x1a/0x30
[   13.061693] 
[   13.061840] The buggy address belongs to the object at ffff88810319a200
[   13.061840]  which belongs to the cache kmalloc-128 of size 128
[   13.062382] The buggy address is located 0 bytes inside of
[   13.062382]  freed 128-byte region [ffff88810319a200, ffff88810319a280)
[   13.062829] 
[   13.062932] The buggy address belongs to the physical page:
[   13.063266] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10319a
[   13.063600] flags: 0x200000000000000(node=0|zone=2)
[   13.063768] page_type: f5(slab)
[   13.063890] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.065029] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.065564] page dumped because: kasan: bad access detected
[   13.065741] 
[   13.065833] Memory state around the buggy address:
[   13.066058]  ffff88810319a100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.066343]  ffff88810319a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.067093] >ffff88810319a200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.067451]                    ^
[   13.067636]  ffff88810319a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.067895]  ffff88810319a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.068403] ==================================================================