Date
July 1, 2025, 11:08 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 20.657813] ================================================================== [ 20.657926] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.658410] Read of size 1 at addr fff00000c76c3240 by task kunit_try_catch/232 [ 20.658798] [ 20.658925] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 20.659026] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.659063] Hardware name: linux,dummy-virt (DT) [ 20.659103] Call trace: [ 20.659349] show_stack+0x20/0x38 (C) [ 20.659582] dump_stack_lvl+0x8c/0xd0 [ 20.659644] print_report+0x118/0x608 [ 20.659697] kasan_report+0xdc/0x128 [ 20.659748] __asan_report_load1_noabort+0x20/0x30 [ 20.659980] mempool_uaf_helper+0x314/0x340 [ 20.660241] mempool_slab_uaf+0xc0/0x118 [ 20.660410] kunit_try_run_case+0x170/0x3f0 [ 20.660638] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.660808] kthread+0x328/0x630 [ 20.660887] ret_from_fork+0x10/0x20 [ 20.661125] [ 20.661196] Allocated by task 232: [ 20.661234] kasan_save_stack+0x3c/0x68 [ 20.661295] kasan_save_track+0x20/0x40 [ 20.661339] kasan_save_alloc_info+0x40/0x58 [ 20.661384] __kasan_mempool_unpoison_object+0xbc/0x180 [ 20.661452] remove_element+0x16c/0x1f8 [ 20.661495] mempool_alloc_preallocated+0x58/0xc0 [ 20.661545] mempool_uaf_helper+0xa4/0x340 [ 20.661591] mempool_slab_uaf+0xc0/0x118 [ 20.661631] kunit_try_run_case+0x170/0x3f0 [ 20.661675] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.661733] kthread+0x328/0x630 [ 20.661779] ret_from_fork+0x10/0x20 [ 20.661827] [ 20.661860] Freed by task 232: [ 20.661899] kasan_save_stack+0x3c/0x68 [ 20.661952] kasan_save_track+0x20/0x40 [ 20.662011] kasan_save_free_info+0x4c/0x78 [ 20.662055] __kasan_mempool_poison_object+0xc0/0x150 [ 20.662100] mempool_free+0x28c/0x328 [ 20.662330] mempool_uaf_helper+0x104/0x340 [ 20.662685] mempool_slab_uaf+0xc0/0x118 [ 20.662993] kunit_try_run_case+0x170/0x3f0 [ 20.663122] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.663390] kthread+0x328/0x630 [ 20.663437] ret_from_fork+0x10/0x20 [ 20.663477] [ 20.663500] The buggy address belongs to the object at fff00000c76c3240 [ 20.663500] which belongs to the cache test_cache of size 123 [ 20.663570] The buggy address is located 0 bytes inside of [ 20.663570] freed 123-byte region [fff00000c76c3240, fff00000c76c32bb) [ 20.663742] [ 20.663852] The buggy address belongs to the physical page: [ 20.664182] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076c3 [ 20.664252] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.664488] page_type: f5(slab) [ 20.664799] raw: 0bfffe0000000000 fff00000c63f5280 dead000000000122 0000000000000000 [ 20.664944] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 20.665034] page dumped because: kasan: bad access detected [ 20.665073] [ 20.665407] Memory state around the buggy address: [ 20.665567] fff00000c76c3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.665713] fff00000c76c3180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.665784] >fff00000c76c3200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 20.665978] ^ [ 20.666343] fff00000c76c3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.666419] fff00000c76c3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.666676] ================================================================== [ 20.618649] ================================================================== [ 20.618756] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.618843] Read of size 1 at addr fff00000c6026d00 by task kunit_try_catch/228 [ 20.619104] [ 20.619605] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 20.619842] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.619904] Hardware name: linux,dummy-virt (DT) [ 20.619943] Call trace: [ 20.619971] show_stack+0x20/0x38 (C) [ 20.620035] dump_stack_lvl+0x8c/0xd0 [ 20.620405] print_report+0x118/0x608 [ 20.620620] kasan_report+0xdc/0x128 [ 20.620781] __asan_report_load1_noabort+0x20/0x30 [ 20.620927] mempool_uaf_helper+0x314/0x340 [ 20.621040] mempool_kmalloc_uaf+0xc4/0x120 [ 20.621090] kunit_try_run_case+0x170/0x3f0 [ 20.621498] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.621641] kthread+0x328/0x630 [ 20.621801] ret_from_fork+0x10/0x20 [ 20.621899] [ 20.621919] Allocated by task 228: [ 20.621955] kasan_save_stack+0x3c/0x68 [ 20.622347] kasan_save_track+0x20/0x40 [ 20.622475] kasan_save_alloc_info+0x40/0x58 [ 20.622575] __kasan_mempool_unpoison_object+0x11c/0x180 [ 20.622701] remove_element+0x130/0x1f8 [ 20.622747] mempool_alloc_preallocated+0x58/0xc0 [ 20.622808] mempool_uaf_helper+0xa4/0x340 [ 20.623190] mempool_kmalloc_uaf+0xc4/0x120 [ 20.623326] kunit_try_run_case+0x170/0x3f0 [ 20.623509] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.623664] kthread+0x328/0x630 [ 20.623756] ret_from_fork+0x10/0x20 [ 20.623796] [ 20.623817] Freed by task 228: [ 20.623847] kasan_save_stack+0x3c/0x68 [ 20.623889] kasan_save_track+0x20/0x40 [ 20.624179] kasan_save_free_info+0x4c/0x78 [ 20.624273] __kasan_mempool_poison_object+0xc0/0x150 [ 20.624323] mempool_free+0x28c/0x328 [ 20.624371] mempool_uaf_helper+0x104/0x340 [ 20.624412] mempool_kmalloc_uaf+0xc4/0x120 [ 20.624452] kunit_try_run_case+0x170/0x3f0 [ 20.624504] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.624558] kthread+0x328/0x630 [ 20.624592] ret_from_fork+0x10/0x20 [ 20.624653] [ 20.624687] The buggy address belongs to the object at fff00000c6026d00 [ 20.624687] which belongs to the cache kmalloc-128 of size 128 [ 20.624760] The buggy address is located 0 bytes inside of [ 20.624760] freed 128-byte region [fff00000c6026d00, fff00000c6026d80) [ 20.624839] [ 20.624866] The buggy address belongs to the physical page: [ 20.624916] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106026 [ 20.624985] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.625050] page_type: f5(slab) [ 20.625098] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 20.625417] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.625711] page dumped because: kasan: bad access detected [ 20.625899] [ 20.625922] Memory state around the buggy address: [ 20.625961] fff00000c6026c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.626049] fff00000c6026c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.626293] >fff00000c6026d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.626449] ^ [ 20.626562] fff00000c6026d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.626653] fff00000c6026e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 20.626718] ==================================================================
[ 13.024233] ================================================================== [ 13.025328] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.026218] Read of size 1 at addr ffff88810258d600 by task kunit_try_catch/244 [ 13.026760] [ 13.027283] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 13.027337] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.027349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.027371] Call Trace: [ 13.027397] <TASK> [ 13.027415] dump_stack_lvl+0x73/0xb0 [ 13.027456] print_report+0xd1/0x650 [ 13.027480] ? __virt_addr_valid+0x1db/0x2d0 [ 13.027503] ? mempool_uaf_helper+0x392/0x400 [ 13.027536] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.027557] ? mempool_uaf_helper+0x392/0x400 [ 13.027580] kasan_report+0x141/0x180 [ 13.027602] ? mempool_uaf_helper+0x392/0x400 [ 13.027628] __asan_report_load1_noabort+0x18/0x20 [ 13.027652] mempool_uaf_helper+0x392/0x400 [ 13.027674] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.027697] ? __kasan_check_write+0x18/0x20 [ 13.027716] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.027739] ? finish_task_switch.isra.0+0x153/0x700 [ 13.027763] mempool_kmalloc_uaf+0xef/0x140 [ 13.027784] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 13.027808] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.027832] ? __pfx_mempool_kfree+0x10/0x10 [ 13.027855] ? __pfx_read_tsc+0x10/0x10 [ 13.027877] ? ktime_get_ts64+0x86/0x230 [ 13.027901] kunit_try_run_case+0x1a5/0x480 [ 13.027928] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.027949] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.027972] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.027995] ? __kthread_parkme+0x82/0x180 [ 13.028015] ? preempt_count_sub+0x50/0x80 [ 13.028037] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.028060] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.028081] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.028103] kthread+0x337/0x6f0 [ 13.028121] ? trace_preempt_on+0x20/0xc0 [ 13.028143] ? __pfx_kthread+0x10/0x10 [ 13.028163] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.028182] ? calculate_sigpending+0x7b/0xa0 [ 13.028206] ? __pfx_kthread+0x10/0x10 [ 13.028227] ret_from_fork+0x116/0x1d0 [ 13.028245] ? __pfx_kthread+0x10/0x10 [ 13.028264] ret_from_fork_asm+0x1a/0x30 [ 13.028295] </TASK> [ 13.028306] [ 13.043182] Allocated by task 244: [ 13.043553] kasan_save_stack+0x45/0x70 [ 13.043759] kasan_save_track+0x18/0x40 [ 13.044190] kasan_save_alloc_info+0x3b/0x50 [ 13.044717] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.045256] remove_element+0x11e/0x190 [ 13.045692] mempool_alloc_preallocated+0x4d/0x90 [ 13.045849] mempool_uaf_helper+0x96/0x400 [ 13.046141] mempool_kmalloc_uaf+0xef/0x140 [ 13.046450] kunit_try_run_case+0x1a5/0x480 [ 13.046835] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.047446] kthread+0x337/0x6f0 [ 13.047815] ret_from_fork+0x116/0x1d0 [ 13.048166] ret_from_fork_asm+0x1a/0x30 [ 13.048539] [ 13.048724] Freed by task 244: [ 13.048835] kasan_save_stack+0x45/0x70 [ 13.049254] kasan_save_track+0x18/0x40 [ 13.049769] kasan_save_free_info+0x3f/0x60 [ 13.049944] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.050531] mempool_free+0x2ec/0x380 [ 13.050923] mempool_uaf_helper+0x11a/0x400 [ 13.051280] mempool_kmalloc_uaf+0xef/0x140 [ 13.051589] kunit_try_run_case+0x1a5/0x480 [ 13.052008] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.052614] kthread+0x337/0x6f0 [ 13.052836] ret_from_fork+0x116/0x1d0 [ 13.053278] ret_from_fork_asm+0x1a/0x30 [ 13.053650] [ 13.053824] The buggy address belongs to the object at ffff88810258d600 [ 13.053824] which belongs to the cache kmalloc-128 of size 128 [ 13.054809] The buggy address is located 0 bytes inside of [ 13.054809] freed 128-byte region [ffff88810258d600, ffff88810258d680) [ 13.055855] [ 13.056038] The buggy address belongs to the physical page: [ 13.056539] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10258d [ 13.056980] flags: 0x200000000000000(node=0|zone=2) [ 13.057435] page_type: f5(slab) [ 13.057791] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.058466] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.059049] page dumped because: kasan: bad access detected [ 13.059506] [ 13.059694] Memory state around the buggy address: [ 13.060218] ffff88810258d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.060677] ffff88810258d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.061343] >ffff88810258d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.061986] ^ [ 13.062335] ffff88810258d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.062658] ffff88810258d700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 13.063325] ================================================================== [ 13.103141] ================================================================== [ 13.103658] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.104221] Read of size 1 at addr ffff888103aac240 by task kunit_try_catch/248 [ 13.104524] [ 13.104681] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 13.104731] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.104744] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.104767] Call Trace: [ 13.104781] <TASK> [ 13.104800] dump_stack_lvl+0x73/0xb0 [ 13.104833] print_report+0xd1/0x650 [ 13.104856] ? __virt_addr_valid+0x1db/0x2d0 [ 13.104882] ? mempool_uaf_helper+0x392/0x400 [ 13.104904] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.104924] ? mempool_uaf_helper+0x392/0x400 [ 13.104947] kasan_report+0x141/0x180 [ 13.104968] ? mempool_uaf_helper+0x392/0x400 [ 13.105192] __asan_report_load1_noabort+0x18/0x20 [ 13.105223] mempool_uaf_helper+0x392/0x400 [ 13.105247] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.105271] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.105295] ? finish_task_switch.isra.0+0x153/0x700 [ 13.105321] mempool_slab_uaf+0xea/0x140 [ 13.105344] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.105367] ? __kasan_check_write+0x18/0x20 [ 13.105402] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.105424] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.105446] ? __pfx_read_tsc+0x10/0x10 [ 13.105468] ? ktime_get_ts64+0x86/0x230 [ 13.105490] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 13.105518] kunit_try_run_case+0x1a5/0x480 [ 13.105544] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.105568] ? queued_spin_lock_slowpath+0x116/0xb40 [ 13.105593] ? __kthread_parkme+0x82/0x180 [ 13.105615] ? preempt_count_sub+0x50/0x80 [ 13.105637] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.105660] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.105683] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.105706] kthread+0x337/0x6f0 [ 13.105724] ? trace_preempt_on+0x20/0xc0 [ 13.105749] ? __pfx_kthread+0x10/0x10 [ 13.105770] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.105792] ? calculate_sigpending+0x7b/0xa0 [ 13.105819] ? __pfx_kthread+0x10/0x10 [ 13.105841] ret_from_fork+0x116/0x1d0 [ 13.105861] ? __pfx_kthread+0x10/0x10 [ 13.105882] ret_from_fork_asm+0x1a/0x30 [ 13.105915] </TASK> [ 13.105969] [ 13.115181] Allocated by task 248: [ 13.115335] kasan_save_stack+0x45/0x70 [ 13.115499] kasan_save_track+0x18/0x40 [ 13.115636] kasan_save_alloc_info+0x3b/0x50 [ 13.115847] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.116397] remove_element+0x11e/0x190 [ 13.116584] mempool_alloc_preallocated+0x4d/0x90 [ 13.116828] mempool_uaf_helper+0x96/0x400 [ 13.117201] mempool_slab_uaf+0xea/0x140 [ 13.117361] kunit_try_run_case+0x1a5/0x480 [ 13.117520] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.118015] kthread+0x337/0x6f0 [ 13.118141] ret_from_fork+0x116/0x1d0 [ 13.118273] ret_from_fork_asm+0x1a/0x30 [ 13.118422] [ 13.118521] Freed by task 248: [ 13.118733] kasan_save_stack+0x45/0x70 [ 13.118958] kasan_save_track+0x18/0x40 [ 13.119154] kasan_save_free_info+0x3f/0x60 [ 13.119365] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.119628] mempool_free+0x2ec/0x380 [ 13.119814] mempool_uaf_helper+0x11a/0x400 [ 13.120314] mempool_slab_uaf+0xea/0x140 [ 13.120483] kunit_try_run_case+0x1a5/0x480 [ 13.120632] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.120808] kthread+0x337/0x6f0 [ 13.121098] ret_from_fork+0x116/0x1d0 [ 13.121294] ret_from_fork_asm+0x1a/0x30 [ 13.121519] [ 13.121644] The buggy address belongs to the object at ffff888103aac240 [ 13.121644] which belongs to the cache test_cache of size 123 [ 13.122561] The buggy address is located 0 bytes inside of [ 13.122561] freed 123-byte region [ffff888103aac240, ffff888103aac2bb) [ 13.123656] [ 13.123753] The buggy address belongs to the physical page: [ 13.124101] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103aac [ 13.124468] flags: 0x200000000000000(node=0|zone=2) [ 13.125347] page_type: f5(slab) [ 13.125535] raw: 0200000000000000 ffff888101a2cdc0 dead000000000122 0000000000000000 [ 13.126023] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 13.126361] page dumped because: kasan: bad access detected [ 13.126801] [ 13.126885] Memory state around the buggy address: [ 13.127356] ffff888103aac100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.127673] ffff888103aac180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.128210] >ffff888103aac200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.128651] ^ [ 13.128884] ffff888103aac280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.129402] ffff888103aac300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.129811] ==================================================================