Date
July 5, 2025, 11:09 a.m.
Environment: qemu-arm64

```
[ 21.587256] ==================================================================
[ 21.587404] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.587557] Read of size 1 at addr fff00000c7938600 by task kunit_try_catch/228
[ 21.587707]
[ 21.587804] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 21.588058] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.588141] Hardware name: linux,dummy-virt (DT)
[ 21.588241] Call trace:
[ 21.588316] show_stack+0x20/0x38 (C)
[ 21.588468] dump_stack_lvl+0x8c/0xd0
[ 21.588574] print_report+0x118/0x608
[ 21.588728] kasan_report+0xdc/0x128
[ 21.588864] __asan_report_load1_noabort+0x20/0x30
[ 21.589021] mempool_uaf_helper+0x314/0x340
[ 21.589166] mempool_kmalloc_uaf+0xc4/0x120
[ 21.589313] kunit_try_run_case+0x170/0x3f0
[ 21.589420] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.589530] kthread+0x328/0x630
[ 21.589631] ret_from_fork+0x10/0x20
[ 21.589748]
[ 21.589791] Allocated by task 228:
[ 21.589853] kasan_save_stack+0x3c/0x68
[ 21.589974] kasan_save_track+0x20/0x40
[ 21.590106] kasan_save_alloc_info+0x40/0x58
[ 21.590193] __kasan_mempool_unpoison_object+0x11c/0x180
[ 21.590278] remove_element+0x130/0x1f8
[ 21.590350] mempool_alloc_preallocated+0x58/0xc0
[ 21.590460] mempool_uaf_helper+0xa4/0x340
[ 21.590545] mempool_kmalloc_uaf+0xc4/0x120
[ 21.590647] kunit_try_run_case+0x170/0x3f0
[ 21.590732] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.590838] kthread+0x328/0x630
[ 21.590911] ret_from_fork+0x10/0x20
[ 21.590986]
[ 21.591044] Freed by task 228:
[ 21.591131] kasan_save_stack+0x3c/0x68
[ 21.591235] kasan_save_track+0x20/0x40
[ 21.591345] kasan_save_free_info+0x4c/0x78
[ 21.591451] __kasan_mempool_poison_object+0xc0/0x150
[ 21.591548] mempool_free+0x28c/0x328
[ 21.591628] mempool_uaf_helper+0x104/0x340
[ 21.591715] mempool_kmalloc_uaf+0xc4/0x120
[ 21.591805] kunit_try_run_case+0x170/0x3f0
[ 21.591894] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.591999] kthread+0x328/0x630
[ 21.592072] ret_from_fork+0x10/0x20
[ 21.592146]
[ 21.592196] The buggy address belongs to the object at fff00000c7938600
[ 21.592196] which belongs to the cache kmalloc-128 of size 128
[ 21.592342] The buggy address is located 0 bytes inside of
[ 21.592342] freed 128-byte region [fff00000c7938600, fff00000c7938680)
[ 21.592500]
[ 21.592581] The buggy address belongs to the physical page:
[ 21.592655] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107938
[ 21.592775] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.592886] page_type: f5(slab)
[ 21.592963] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 21.593075] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.593171] page dumped because: kasan: bad access detected
[ 21.593267]
[ 21.593327] Memory state around the buggy address:
[ 21.593412] fff00000c7938500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.593539] fff00000c7938580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.593685] >fff00000c7938600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.593841] ^
[ 21.593935] fff00000c7938680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.594086] fff00000c7938700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.594187] ==================================================================
[ 21.637234] ==================================================================
[ 21.637374] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.637756] Read of size 1 at addr fff00000c79ca240 by task kunit_try_catch/232
[ 21.637879]
[ 21.637987] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 21.638210] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.638269] Hardware name: linux,dummy-virt (DT)
[ 21.638369] Call trace:
[ 21.638426] show_stack+0x20/0x38 (C)
[ 21.638540] dump_stack_lvl+0x8c/0xd0
[ 21.638657] print_report+0x118/0x608
[ 21.638798] kasan_report+0xdc/0x128
[ 21.638892] __asan_report_load1_noabort+0x20/0x30
[ 21.638988] mempool_uaf_helper+0x314/0x340
[ 21.639238] mempool_slab_uaf+0xc0/0x118
[ 21.639350] kunit_try_run_case+0x170/0x3f0
[ 21.639466] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.639763] kthread+0x328/0x630
[ 21.639912] ret_from_fork+0x10/0x20
[ 21.640024]
[ 21.640081] Allocated by task 232:
[ 21.640143] kasan_save_stack+0x3c/0x68
[ 21.640237] kasan_save_track+0x20/0x40
[ 21.640371] kasan_save_alloc_info+0x40/0x58
[ 21.640478] __kasan_mempool_unpoison_object+0xbc/0x180
[ 21.640645] remove_element+0x16c/0x1f8
[ 21.640757] mempool_alloc_preallocated+0x58/0xc0
[ 21.640833] mempool_uaf_helper+0xa4/0x340
[ 21.640909] mempool_slab_uaf+0xc0/0x118
[ 21.641177] kunit_try_run_case+0x170/0x3f0
[ 21.641319] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.641438] kthread+0x328/0x630
[ 21.641542] ret_from_fork+0x10/0x20
[ 21.641614]
[ 21.641655] Freed by task 232:
[ 21.641724] kasan_save_stack+0x3c/0x68
[ 21.641838] kasan_save_track+0x20/0x40
[ 21.641935] kasan_save_free_info+0x4c/0x78
[ 21.642025] __kasan_mempool_poison_object+0xc0/0x150
[ 21.642104] mempool_free+0x28c/0x328
[ 21.642173] mempool_uaf_helper+0x104/0x340
[ 21.642462] mempool_slab_uaf+0xc0/0x118
[ 21.642538] kunit_try_run_case+0x170/0x3f0
[ 21.642625] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.642717] kthread+0x328/0x630
[ 21.642789] ret_from_fork+0x10/0x20
[ 21.642865]
[ 21.642906] The buggy address belongs to the object at fff00000c79ca240
[ 21.642906] which belongs to the cache test_cache of size 123
[ 21.643042] The buggy address is located 0 bytes inside of
[ 21.643042] freed 123-byte region [fff00000c79ca240, fff00000c79ca2bb)
[ 21.643203]
[ 21.643247] The buggy address belongs to the physical page:
[ 21.643317] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1079ca
[ 21.643446] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.643561] page_type: f5(slab)
[ 21.643673] raw: 0bfffe0000000000 fff00000c7936280 dead000000000122 0000000000000000
[ 21.643810] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 21.643905] page dumped because: kasan: bad access detected
[ 21.644009]
[ 21.644068] Memory state around the buggy address:
[ 21.644142] fff00000c79ca100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.644240] fff00000c79ca180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.644336] >fff00000c79ca200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 21.644793] ^
[ 21.644926] fff00000c79ca280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.645066] fff00000c79ca300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.645142] ==================================================================
```

Environment: qemu-x86_64

```
[ 15.351350] ==================================================================
[ 15.352235] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 15.352663] Read of size 1 at addr ffff888103347240 by task kunit_try_catch/249
[ 15.353194]
[ 15.353365] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 15.353427] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.353443] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.353472] Call Trace:
[ 15.353488] <TASK>
[ 15.353512] dump_stack_lvl+0x73/0xb0
[ 15.353550] print_report+0xd1/0x650
[ 15.353578] ? __virt_addr_valid+0x1db/0x2d0
[ 15.353664] ? mempool_uaf_helper+0x392/0x400
[ 15.353694] ? kasan_complete_mode_report_info+0x64/0x200
[ 15.353721] ? mempool_uaf_helper+0x392/0x400
[ 15.353748] kasan_report+0x141/0x180
[ 15.353790] ? mempool_uaf_helper+0x392/0x400
[ 15.353823] __asan_report_load1_noabort+0x18/0x20
[ 15.353850] mempool_uaf_helper+0x392/0x400
[ 15.353878] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 15.354004] ? __pfx_sched_clock_cpu+0x10/0x10
[ 15.354037] ? irqentry_exit+0x2a/0x60
[ 15.354064] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 15.354095] mempool_slab_uaf+0xea/0x140
[ 15.354124] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 15.354201] ? __pfx_mempool_alloc_slab+0x10/0x10
[ 15.354227] ? __pfx_mempool_free_slab+0x10/0x10
[ 15.354253] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 15.354283] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 15.354312] kunit_try_run_case+0x1a5/0x480
[ 15.354344] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.354371] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 15.354400] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 15.354436] ? __kthread_parkme+0x82/0x180
[ 15.354462] ? preempt_count_sub+0x50/0x80
[ 15.354490] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.354518] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.354547] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 15.354573] kthread+0x337/0x6f0
[ 15.354595] ? trace_preempt_on+0x20/0xc0
[ 15.354624] ? __pfx_kthread+0x10/0x10
[ 15.354661] ? _raw_spin_unlock_irq+0x47/0x80
[ 15.354686] ? calculate_sigpending+0x7b/0xa0
[ 15.354717] ? __pfx_kthread+0x10/0x10
[ 15.354741] ret_from_fork+0x116/0x1d0
[ 15.354766] ? __pfx_kthread+0x10/0x10
[ 15.354789] ret_from_fork_asm+0x1a/0x30
[ 15.354872] </TASK>
[ 15.354886]
[ 15.367271] Allocated by task 249:
[ 15.367449] kasan_save_stack+0x45/0x70
[ 15.368113] kasan_save_track+0x18/0x40
[ 15.368416] kasan_save_alloc_info+0x3b/0x50
[ 15.368686] __kasan_mempool_unpoison_object+0x1bb/0x200
[ 15.369096] remove_element+0x11e/0x190
[ 15.369320] mempool_alloc_preallocated+0x4d/0x90
[ 15.369581] mempool_uaf_helper+0x96/0x400
[ 15.369817] mempool_slab_uaf+0xea/0x140
[ 15.370036] kunit_try_run_case+0x1a5/0x480
[ 15.370619] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.371018] kthread+0x337/0x6f0
[ 15.371228] ret_from_fork+0x116/0x1d0
[ 15.371443] ret_from_fork_asm+0x1a/0x30
[ 15.371631]
[ 15.371742] Freed by task 249:
[ 15.371950] kasan_save_stack+0x45/0x70
[ 15.372210] kasan_save_track+0x18/0x40
[ 15.372483] kasan_save_free_info+0x3f/0x60
[ 15.372662] __kasan_mempool_poison_object+0x131/0x1d0
[ 15.373268] mempool_free+0x2ec/0x380
[ 15.373489] mempool_uaf_helper+0x11a/0x400
[ 15.373733] mempool_slab_uaf+0xea/0x140
[ 15.373962] kunit_try_run_case+0x1a5/0x480
[ 15.374268] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.374543] kthread+0x337/0x6f0
[ 15.374772] ret_from_fork+0x116/0x1d0
[ 15.375012] ret_from_fork_asm+0x1a/0x30
[ 15.375180]
[ 15.375301] The buggy address belongs to the object at ffff888103347240
[ 15.375301] which belongs to the cache test_cache of size 123
[ 15.375992] The buggy address is located 0 bytes inside of
[ 15.375992] freed 123-byte region [ffff888103347240, ffff8881033472bb)
[ 15.376541]
[ 15.376735] The buggy address belongs to the physical page:
[ 15.377186] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103347
[ 15.377621] flags: 0x200000000000000(node=0|zone=2)
[ 15.378119] page_type: f5(slab)
[ 15.378276] raw: 0200000000000000 ffff88810333c3c0 dead000000000122 0000000000000000
[ 15.378756] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 15.379242] page dumped because: kasan: bad access detected
[ 15.379588]
[ 15.379697] Memory state around the buggy address:
[ 15.380032] ffff888103347100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 15.380497] ffff888103347180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.380866] >ffff888103347200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 15.381310] ^
[ 15.381623] ffff888103347280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 15.382265] ffff888103347300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.382603] ==================================================================
[ 15.282801] ==================================================================
[ 15.283957] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 15.284261] Read of size 1 at addr ffff888103332a00 by task kunit_try_catch/245
[ 15.284532]
[ 15.284668] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 15.284728] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.284744] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.284772] Call Trace:
[ 15.284789] <TASK>
[ 15.284815] dump_stack_lvl+0x73/0xb0
[ 15.284869] print_report+0xd1/0x650
[ 15.284897] ? __virt_addr_valid+0x1db/0x2d0
[ 15.284944] ? mempool_uaf_helper+0x392/0x400
[ 15.284972] ? kasan_complete_mode_report_info+0x64/0x200
[ 15.284999] ? mempool_uaf_helper+0x392/0x400
[ 15.285026] kasan_report+0x141/0x180
[ 15.285063] ? mempool_uaf_helper+0x392/0x400
[ 15.285096] __asan_report_load1_noabort+0x18/0x20
[ 15.285126] mempool_uaf_helper+0x392/0x400
[ 15.285165] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 15.285196] ? __pfx_sched_clock_cpu+0x10/0x10
[ 15.285225] ? finish_task_switch.isra.0+0x153/0x700
[ 15.285258] mempool_kmalloc_uaf+0xef/0x140
[ 15.285285] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 15.285316] ? __pfx_mempool_kmalloc+0x10/0x10
[ 15.285347] ? __pfx_mempool_kfree+0x10/0x10
[ 15.285378] ? __pfx_read_tsc+0x10/0x10
[ 15.285405] ? ktime_get_ts64+0x86/0x230
[ 15.285436] kunit_try_run_case+0x1a5/0x480
[ 15.285469] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.285497] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 15.285528] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 15.285567] ? __kthread_parkme+0x82/0x180
[ 15.285593] ? preempt_count_sub+0x50/0x80
[ 15.285634] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.285673] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.285701] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 15.285729] kthread+0x337/0x6f0
[ 15.285752] ? trace_preempt_on+0x20/0xc0
[ 15.285800] ? __pfx_kthread+0x10/0x10
[ 15.285837] ? _raw_spin_unlock_irq+0x47/0x80
[ 15.285862] ? calculate_sigpending+0x7b/0xa0
[ 15.285904] ? __pfx_kthread+0x10/0x10
[ 15.285931] ret_from_fork+0x116/0x1d0
[ 15.285953] ? __pfx_kthread+0x10/0x10
[ 15.285979] ret_from_fork_asm+0x1a/0x30
[ 15.286018] </TASK>
[ 15.286033]
[ 15.300400] Allocated by task 245:
[ 15.300586] kasan_save_stack+0x45/0x70
[ 15.300860] kasan_save_track+0x18/0x40
[ 15.301718] kasan_save_alloc_info+0x3b/0x50
[ 15.302114] __kasan_mempool_unpoison_object+0x1a9/0x200
[ 15.302414] remove_element+0x11e/0x190
[ 15.302839] mempool_alloc_preallocated+0x4d/0x90
[ 15.303222] mempool_uaf_helper+0x96/0x400
[ 15.303567] mempool_kmalloc_uaf+0xef/0x140
[ 15.303974] kunit_try_run_case+0x1a5/0x480
[ 15.304341] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.304765] kthread+0x337/0x6f0
[ 15.304930] ret_from_fork+0x116/0x1d0
[ 15.305159] ret_from_fork_asm+0x1a/0x30
[ 15.305373]
[ 15.305485] Freed by task 245:
[ 15.305699] kasan_save_stack+0x45/0x70
[ 15.306313] kasan_save_track+0x18/0x40
[ 15.306532] kasan_save_free_info+0x3f/0x60
[ 15.306993] __kasan_mempool_poison_object+0x131/0x1d0
[ 15.307401] mempool_free+0x2ec/0x380
[ 15.307603] mempool_uaf_helper+0x11a/0x400
[ 15.308060] mempool_kmalloc_uaf+0xef/0x140
[ 15.308420] kunit_try_run_case+0x1a5/0x480
[ 15.308771] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.309146] kthread+0x337/0x6f0
[ 15.309497] ret_from_fork+0x116/0x1d0
[ 15.309747] ret_from_fork_asm+0x1a/0x30
[ 15.310160]
[ 15.310265] The buggy address belongs to the object at ffff888103332a00
[ 15.310265] which belongs to the cache kmalloc-128 of size 128
[ 15.311269] The buggy address is located 0 bytes inside of
[ 15.311269] freed 128-byte region [ffff888103332a00, ffff888103332a80)
[ 15.312120]
[ 15.312246] The buggy address belongs to the physical page:
[ 15.312497] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103332
[ 15.313254] flags: 0x200000000000000(node=0|zone=2)
[ 15.313615] page_type: f5(slab)
[ 15.313964] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 15.314457] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.315038] page dumped because: kasan: bad access detected
[ 15.315434]
[ 15.315559] Memory state around the buggy address:
[ 15.316004] ffff888103332900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.316384] ffff888103332980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.316775] >ffff888103332a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.317453] ^
[ 15.317993] ffff888103332a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.318876] ffff888103332b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 15.319725] ==================================================================
```