Date
July 4, 2025, 11:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 20.116240] ================================================================== [ 20.116313] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.116375] Read of size 1 at addr fff00000c6f42240 by task kunit_try_catch/231 [ 20.116424] [ 20.116454] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 20.116534] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.116571] Hardware name: linux,dummy-virt (DT) [ 20.116601] Call trace: [ 20.116625] show_stack+0x20/0x38 (C) [ 20.116673] dump_stack_lvl+0x8c/0xd0 [ 20.116719] print_report+0x118/0x608 [ 20.116765] kasan_report+0xdc/0x128 [ 20.116824] __asan_report_load1_noabort+0x20/0x30 [ 20.116875] mempool_uaf_helper+0x314/0x340 [ 20.116920] mempool_slab_uaf+0xc0/0x118 [ 20.116965] kunit_try_run_case+0x170/0x3f0 [ 20.117013] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.117065] kthread+0x328/0x630 [ 20.117106] ret_from_fork+0x10/0x20 [ 20.117153] [ 20.117171] Allocated by task 231: [ 20.117216] kasan_save_stack+0x3c/0x68 [ 20.117258] kasan_save_track+0x20/0x40 [ 20.117297] kasan_save_alloc_info+0x40/0x58 [ 20.117337] __kasan_mempool_unpoison_object+0xbc/0x180 [ 20.117600] remove_element+0x16c/0x1f8 [ 20.117874] mempool_alloc_preallocated+0x58/0xc0 [ 20.117926] mempool_uaf_helper+0xa4/0x340 [ 20.117964] mempool_slab_uaf+0xc0/0x118 [ 20.118001] kunit_try_run_case+0x170/0x3f0 [ 20.118038] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.118082] kthread+0x328/0x630 [ 20.118115] ret_from_fork+0x10/0x20 [ 20.118151] [ 20.118170] Freed by task 231: [ 20.118197] kasan_save_stack+0x3c/0x68 [ 20.118236] kasan_save_track+0x20/0x40 [ 20.118282] kasan_save_free_info+0x4c/0x78 [ 20.118320] __kasan_mempool_poison_object+0xc0/0x150 [ 20.118675] mempool_free+0x28c/0x328 [ 20.118716] mempool_uaf_helper+0x104/0x340 [ 20.118752] mempool_slab_uaf+0xc0/0x118 [ 20.118790] kunit_try_run_case+0x170/0x3f0 [ 20.118838] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.118891] kthread+0x328/0x630 [ 20.118949] ret_from_fork+0x10/0x20 [ 20.119326] [ 20.119346] The buggy address belongs to the object at fff00000c6f42240 [ 20.119346] which belongs to the cache test_cache of size 123 [ 20.119413] The buggy address is located 0 bytes inside of [ 20.119413] freed 123-byte region [fff00000c6f42240, fff00000c6f422bb) [ 20.119614] [ 20.119634] The buggy address belongs to the physical page: [ 20.119669] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106f42 [ 20.119749] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.119796] page_type: f5(slab) [ 20.119866] raw: 0bfffe0000000000 fff00000c6f47140 dead000000000122 0000000000000000 [ 20.119920] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 20.119959] page dumped because: kasan: bad access detected [ 20.119990] [ 20.120009] Memory state around the buggy address: [ 20.120040] fff00000c6f42100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.120282] fff00000c6f42180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.120330] >fff00000c6f42200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 20.120482] ^ [ 20.120550] fff00000c6f42280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.120592] fff00000c6f42300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.120630] ================================================================== [ 20.092215] ================================================================== [ 20.092447] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.092636] Read of size 1 at addr fff00000c76c4500 by task kunit_try_catch/227 [ 20.092721] [ 20.092843] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 20.092934] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.092963] Hardware name: linux,dummy-virt (DT) [ 20.093004] Call trace: [ 20.093028] show_stack+0x20/0x38 (C) [ 20.093082] dump_stack_lvl+0x8c/0xd0 [ 20.093132] print_report+0x118/0x608 [ 20.093180] kasan_report+0xdc/0x128 [ 20.093225] __asan_report_load1_noabort+0x20/0x30 [ 20.093275] mempool_uaf_helper+0x314/0x340 [ 20.093321] mempool_kmalloc_uaf+0xc4/0x120 [ 20.093387] kunit_try_run_case+0x170/0x3f0 [ 20.093438] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.093501] kthread+0x328/0x630 [ 20.093545] ret_from_fork+0x10/0x20 [ 20.093602] [ 20.093623] Allocated by task 227: [ 20.093650] kasan_save_stack+0x3c/0x68 [ 20.093698] kasan_save_track+0x20/0x40 [ 20.093746] kasan_save_alloc_info+0x40/0x58 [ 20.093793] __kasan_mempool_unpoison_object+0x11c/0x180 [ 20.094159] remove_element+0x130/0x1f8 [ 20.094349] mempool_alloc_preallocated+0x58/0xc0 [ 20.094478] mempool_uaf_helper+0xa4/0x340 [ 20.094522] mempool_kmalloc_uaf+0xc4/0x120 [ 20.094560] kunit_try_run_case+0x170/0x3f0 [ 20.094604] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.094816] kthread+0x328/0x630 [ 20.095070] ret_from_fork+0x10/0x20 [ 20.095188] [ 20.095241] Freed by task 227: [ 20.095271] kasan_save_stack+0x3c/0x68 [ 20.095311] kasan_save_track+0x20/0x40 [ 20.095604] kasan_save_free_info+0x4c/0x78 [ 20.095730] __kasan_mempool_poison_object+0xc0/0x150 [ 20.095894] mempool_free+0x28c/0x328 [ 20.096011] mempool_uaf_helper+0x104/0x340 [ 20.096054] mempool_kmalloc_uaf+0xc4/0x120 [ 20.096267] kunit_try_run_case+0x170/0x3f0 [ 20.096347] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.096389] kthread+0x328/0x630 [ 20.096454] ret_from_fork+0x10/0x20 [ 20.096616] [ 20.096645] The buggy address belongs to the object at fff00000c76c4500 [ 20.096645] which belongs to the cache kmalloc-128 of size 128 [ 20.096957] The buggy address is located 0 bytes inside of [ 20.096957] freed 128-byte region [fff00000c76c4500, fff00000c76c4580) [ 20.097167] [ 20.097302] The buggy address belongs to the physical page: [ 20.097392] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076c4 [ 20.097577] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.097666] page_type: f5(slab) [ 20.097707] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 20.097826] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.097972] page dumped because: kasan: bad access detected [ 20.098072] [ 20.098139] Memory state around the buggy address: [ 20.098173] fff00000c76c4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.098363] fff00000c76c4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.098412] >fff00000c76c4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.098546] ^ [ 20.098651] fff00000c76c4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.098796] fff00000c76c4600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 20.098879] ==================================================================
[ 13.562930] ================================================================== [ 13.563756] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.564017] Read of size 1 at addr ffff888103994240 by task kunit_try_catch/248 [ 13.564391] [ 13.564660] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 13.564714] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.564727] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.564751] Call Trace: [ 13.564769] <TASK> [ 13.564800] dump_stack_lvl+0x73/0xb0 [ 13.564835] print_report+0xd1/0x650 [ 13.564858] ? __virt_addr_valid+0x1db/0x2d0 [ 13.564882] ? mempool_uaf_helper+0x392/0x400 [ 13.564903] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.564925] ? mempool_uaf_helper+0x392/0x400 [ 13.564946] kasan_report+0x141/0x180 [ 13.564967] ? mempool_uaf_helper+0x392/0x400 [ 13.564992] __asan_report_load1_noabort+0x18/0x20 [ 13.565016] mempool_uaf_helper+0x392/0x400 [ 13.565038] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.565057] ? update_load_avg+0x1be/0x21b0 [ 13.565084] ? finish_task_switch.isra.0+0x153/0x700 [ 13.565108] mempool_slab_uaf+0xea/0x140 [ 13.565129] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.565155] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.565177] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.565197] ? __pfx_read_tsc+0x10/0x10 [ 13.565235] ? ktime_get_ts64+0x86/0x230 [ 13.565259] kunit_try_run_case+0x1a5/0x480 [ 13.565284] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.565305] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.565328] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.565351] ? __kthread_parkme+0x82/0x180 [ 13.565370] ? preempt_count_sub+0x50/0x80 [ 13.565391] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.565414] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.565436] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.565458] kthread+0x337/0x6f0 [ 13.565476] ? trace_preempt_on+0x20/0xc0 [ 13.565499] ? __pfx_kthread+0x10/0x10 [ 13.565518] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.565538] ? calculate_sigpending+0x7b/0xa0 [ 13.565562] ? __pfx_kthread+0x10/0x10 [ 13.565581] ret_from_fork+0x116/0x1d0 [ 13.565599] ? __pfx_kthread+0x10/0x10 [ 13.565619] ret_from_fork_asm+0x1a/0x30 [ 13.565648] </TASK> [ 13.565659] [ 13.580608] Allocated by task 248: [ 13.580976] kasan_save_stack+0x45/0x70 [ 13.581552] kasan_save_track+0x18/0x40 [ 13.581983] kasan_save_alloc_info+0x3b/0x50 [ 13.582471] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.583030] remove_element+0x11e/0x190 [ 13.583512] mempool_alloc_preallocated+0x4d/0x90 [ 13.583692] mempool_uaf_helper+0x96/0x400 [ 13.583858] mempool_slab_uaf+0xea/0x140 [ 13.584038] kunit_try_run_case+0x1a5/0x480 [ 13.584721] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.585622] kthread+0x337/0x6f0 [ 13.585929] ret_from_fork+0x116/0x1d0 [ 13.586064] ret_from_fork_asm+0x1a/0x30 [ 13.586216] [ 13.586495] Freed by task 248: [ 13.586782] kasan_save_stack+0x45/0x70 [ 13.587160] kasan_save_track+0x18/0x40 [ 13.587929] kasan_save_free_info+0x3f/0x60 [ 13.588324] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.588678] mempool_free+0x2ec/0x380 [ 13.588816] mempool_uaf_helper+0x11a/0x400 [ 13.588957] mempool_slab_uaf+0xea/0x140 [ 13.589100] kunit_try_run_case+0x1a5/0x480 [ 13.589471] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.589945] kthread+0x337/0x6f0 [ 13.590352] ret_from_fork+0x116/0x1d0 [ 13.590697] ret_from_fork_asm+0x1a/0x30 [ 13.591059] [ 13.591527] The buggy address belongs to the object at ffff888103994240 [ 13.591527] which belongs to the cache test_cache of size 123 [ 13.592669] The buggy address is located 0 bytes inside of [ 13.592669] freed 123-byte region [ffff888103994240, ffff8881039942bb) [ 13.593318] [ 13.593512] The buggy address belongs to the physical page: [ 13.594010] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103994 [ 13.595244] flags: 0x200000000000000(node=0|zone=2) [ 13.595456] page_type: f5(slab) [ 13.595587] raw: 0200000000000000 ffff888101d0cb40 dead000000000122 0000000000000000 [ 13.595817] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 13.596043] page dumped because: kasan: bad access detected [ 13.596214] [ 13.596871] Memory state around the buggy address: [ 13.597315] ffff888103994100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.597898] ffff888103994180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.598573] >ffff888103994200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.599902] ^ [ 13.600654] ffff888103994280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.601975] ffff888103994300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.603004] ================================================================== [ 13.496109] ================================================================== [ 13.496752] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.497053] Read of size 1 at addr ffff888103980700 by task kunit_try_catch/244 [ 13.497444] [ 13.497566] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 13.497635] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.497647] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.497684] Call Trace: [ 13.497699] <TASK> [ 13.497719] dump_stack_lvl+0x73/0xb0 [ 13.497751] print_report+0xd1/0x650 [ 13.497774] ? __virt_addr_valid+0x1db/0x2d0 [ 13.497798] ? mempool_uaf_helper+0x392/0x400 [ 13.497819] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.497840] ? mempool_uaf_helper+0x392/0x400 [ 13.497861] kasan_report+0x141/0x180 [ 13.497882] ? mempool_uaf_helper+0x392/0x400 [ 13.497907] __asan_report_load1_noabort+0x18/0x20 [ 13.497930] mempool_uaf_helper+0x392/0x400 [ 13.497951] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.497974] ? __kasan_check_write+0x18/0x20 [ 13.497992] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.498025] ? finish_task_switch.isra.0+0x153/0x700 [ 13.498049] mempool_kmalloc_uaf+0xef/0x140 [ 13.498070] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 13.498105] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.498132] ? __pfx_mempool_kfree+0x10/0x10 [ 13.498158] ? __pfx_read_tsc+0x10/0x10 [ 13.498178] ? ktime_get_ts64+0x86/0x230 [ 13.498201] kunit_try_run_case+0x1a5/0x480 [ 13.498237] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.498270] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.498293] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.498315] ? __kthread_parkme+0x82/0x180 [ 13.498336] ? preempt_count_sub+0x50/0x80 [ 13.498357] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.498380] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.498402] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.498424] kthread+0x337/0x6f0 [ 13.498445] ? trace_preempt_on+0x20/0xc0 [ 13.498469] ? __pfx_kthread+0x10/0x10 [ 13.498490] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.498511] ? calculate_sigpending+0x7b/0xa0 [ 13.498534] ? __pfx_kthread+0x10/0x10 [ 13.498555] ret_from_fork+0x116/0x1d0 [ 13.498572] ? __pfx_kthread+0x10/0x10 [ 13.498593] ret_from_fork_asm+0x1a/0x30 [ 13.498624] </TASK> [ 13.498635] [ 13.512088] Allocated by task 244: [ 13.512492] kasan_save_stack+0x45/0x70 [ 13.512713] kasan_save_track+0x18/0x40 [ 13.512894] kasan_save_alloc_info+0x3b/0x50 [ 13.513090] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.513716] remove_element+0x11e/0x190 [ 13.513904] mempool_alloc_preallocated+0x4d/0x90 [ 13.514117] mempool_uaf_helper+0x96/0x400 [ 13.514781] mempool_kmalloc_uaf+0xef/0x140 [ 13.514991] kunit_try_run_case+0x1a5/0x480 [ 13.515192] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.515381] kthread+0x337/0x6f0 [ 13.515576] ret_from_fork+0x116/0x1d0 [ 13.515787] ret_from_fork_asm+0x1a/0x30 [ 13.515984] [ 13.516084] Freed by task 244: [ 13.516303] kasan_save_stack+0x45/0x70 [ 13.516466] kasan_save_track+0x18/0x40 [ 13.516630] kasan_save_free_info+0x3f/0x60 [ 13.516941] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.517151] mempool_free+0x2ec/0x380 [ 13.517294] mempool_uaf_helper+0x11a/0x400 [ 13.517494] mempool_kmalloc_uaf+0xef/0x140 [ 13.517880] kunit_try_run_case+0x1a5/0x480 [ 13.518201] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.518657] kthread+0x337/0x6f0 [ 13.518850] ret_from_fork+0x116/0x1d0 [ 13.519028] ret_from_fork_asm+0x1a/0x30 [ 13.519276] [ 13.519389] The buggy address belongs to the object at ffff888103980700 [ 13.519389] which belongs to the cache kmalloc-128 of size 128 [ 13.520057] The buggy address is located 0 bytes inside of [ 13.520057] freed 128-byte region [ffff888103980700, ffff888103980780) [ 13.520658] [ 13.520763] The buggy address belongs to the physical page: [ 13.521028] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103980 [ 13.521302] flags: 0x200000000000000(node=0|zone=2) [ 13.521472] page_type: f5(slab) [ 13.521770] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.522135] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.522633] page dumped because: kasan: bad access detected [ 13.522812] [ 13.522881] Memory state around the buggy address: [ 13.523040] ffff888103980600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.523511] ffff888103980680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.523835] >ffff888103980700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.524160] ^ [ 13.524566] ffff888103980780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.524910] ffff888103980800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 13.525309] ==================================================================