Date
July 2, 2025, 11:09 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 20.135380] ==================================================================
[ 20.135444] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 20.135497] Read of size 1 at addr fff00000c704e240 by task kunit_try_catch/231
[ 20.135546]
[ 20.136749] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 20.137354] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.137443] Hardware name: linux,dummy-virt (DT)
[ 20.137814] Call trace:
[ 20.137962]  show_stack+0x20/0x38 (C)
[ 20.138048]  dump_stack_lvl+0x8c/0xd0
[ 20.138231]  print_report+0x118/0x608
[ 20.138339]  kasan_report+0xdc/0x128
[ 20.138530]  __asan_report_load1_noabort+0x20/0x30
[ 20.138597]  mempool_uaf_helper+0x314/0x340
[ 20.138923]  mempool_slab_uaf+0xc0/0x118
[ 20.139324]  kunit_try_run_case+0x170/0x3f0
[ 20.139586]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.139682]  kthread+0x328/0x630
[ 20.139886]  ret_from_fork+0x10/0x20
[ 20.139958]
[ 20.139977] Allocated by task 231:
[ 20.140450]  kasan_save_stack+0x3c/0x68
[ 20.140602]  kasan_save_track+0x20/0x40
[ 20.140790]  kasan_save_alloc_info+0x40/0x58
[ 20.140873]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 20.140960]  remove_element+0x16c/0x1f8
[ 20.141008]  mempool_alloc_preallocated+0x58/0xc0
[ 20.141265]  mempool_uaf_helper+0xa4/0x340
[ 20.141538]  mempool_slab_uaf+0xc0/0x118
[ 20.141716]  kunit_try_run_case+0x170/0x3f0
[ 20.141771]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.141953]  kthread+0x328/0x630
[ 20.142264]  ret_from_fork+0x10/0x20
[ 20.142313]
[ 20.142515] Freed by task 231:
[ 20.142585]  kasan_save_stack+0x3c/0x68
[ 20.142636]  kasan_save_track+0x20/0x40
[ 20.142695]  kasan_save_free_info+0x4c/0x78
[ 20.142737]  __kasan_mempool_poison_object+0xc0/0x150
[ 20.142780]  mempool_free+0x28c/0x328
[ 20.142824]  mempool_uaf_helper+0x104/0x340
[ 20.142876]  mempool_slab_uaf+0xc0/0x118
[ 20.142914]  kunit_try_run_case+0x170/0x3f0
[ 20.142961]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.143006]  kthread+0x328/0x630
[ 20.143054]  ret_from_fork+0x10/0x20
[ 20.143095]
[ 20.143124] The buggy address belongs to the object at fff00000c704e240
[ 20.143124]  which belongs to the cache test_cache of size 123
[ 20.143186] The buggy address is located 0 bytes inside of
[ 20.143186]  freed 123-byte region [fff00000c704e240, fff00000c704e2bb)
[ 20.143257]
[ 20.143280] The buggy address belongs to the physical page:
[ 20.143319] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10704e
[ 20.143373] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 20.143432] page_type: f5(slab)
[ 20.143471] raw: 0bfffe0000000000 fff00000c70453c0 dead000000000122 0000000000000000
[ 20.143521] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 20.143571] page dumped because: kasan: bad access detected
[ 20.143644]
[ 20.143691] Memory state around the buggy address:
[ 20.144525]  fff00000c704e100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.144621]  fff00000c704e180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.144734] >fff00000c704e200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.145178]                                            ^
[ 20.145269]  fff00000c704e280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.145346]  fff00000c704e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.145515] ==================================================================
[ 20.097741] ==================================================================
[ 20.098262] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 20.098349] Read of size 1 at addr fff00000c706fc00 by task kunit_try_catch/227
[ 20.098417]
[ 20.098459] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 20.098629] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.098675] Hardware name: linux,dummy-virt (DT)
[ 20.098711] Call trace:
[ 20.098736]  show_stack+0x20/0x38 (C)
[ 20.099085]  dump_stack_lvl+0x8c/0xd0
[ 20.099155]  print_report+0x118/0x608
[ 20.099238]  kasan_report+0xdc/0x128
[ 20.099323]  __asan_report_load1_noabort+0x20/0x30
[ 20.099377]  mempool_uaf_helper+0x314/0x340
[ 20.099597]  mempool_kmalloc_uaf+0xc4/0x120
[ 20.099825]  kunit_try_run_case+0x170/0x3f0
[ 20.099893]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.100085]  kthread+0x328/0x630
[ 20.100283]  ret_from_fork+0x10/0x20
[ 20.100405]
[ 20.100507] Allocated by task 227:
[ 20.100611]  kasan_save_stack+0x3c/0x68
[ 20.100687]  kasan_save_track+0x20/0x40
[ 20.100821]  kasan_save_alloc_info+0x40/0x58
[ 20.101157]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 20.101260]  remove_element+0x130/0x1f8
[ 20.101387]  mempool_alloc_preallocated+0x58/0xc0
[ 20.101482]  mempool_uaf_helper+0xa4/0x340
[ 20.101624]  mempool_kmalloc_uaf+0xc4/0x120
[ 20.101710]  kunit_try_run_case+0x170/0x3f0
[ 20.101795]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.101840]  kthread+0x328/0x630
[ 20.101874]  ret_from_fork+0x10/0x20
[ 20.102304]
[ 20.102395] Freed by task 227:
[ 20.102453]  kasan_save_stack+0x3c/0x68
[ 20.102532]  kasan_save_track+0x20/0x40
[ 20.102605]  kasan_save_free_info+0x4c/0x78
[ 20.102818]  __kasan_mempool_poison_object+0xc0/0x150
[ 20.103162]  mempool_free+0x28c/0x328
[ 20.103601]  mempool_uaf_helper+0x104/0x340
[ 20.103776]  mempool_kmalloc_uaf+0xc4/0x120
[ 20.103912]  kunit_try_run_case+0x170/0x3f0
[ 20.104059]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.104187]  kthread+0x328/0x630
[ 20.104258]  ret_from_fork+0x10/0x20
[ 20.104472]
[ 20.104541] The buggy address belongs to the object at fff00000c706fc00
[ 20.104541]  which belongs to the cache kmalloc-128 of size 128
[ 20.104754] The buggy address is located 0 bytes inside of
[ 20.104754]  freed 128-byte region [fff00000c706fc00, fff00000c706fc80)
[ 20.104916]
[ 20.104981] The buggy address belongs to the physical page:
[ 20.105187] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10706f
[ 20.105421] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 20.105597] page_type: f5(slab)
[ 20.105762] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 20.105871] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 20.105976] page dumped because: kasan: bad access detected
[ 20.106027]
[ 20.106218] Memory state around the buggy address:
[ 20.106641]  fff00000c706fb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.106733]  fff00000c706fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.106980] >fff00000c706fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.107084]                    ^
[ 20.107315]  fff00000c706fc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.107398]  fff00000c706fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 20.107437] ==================================================================
```
qemu-x86_64:

```text
[ 12.921350] ==================================================================
[ 12.922772] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.923022] Read of size 1 at addr ffff888102c8b500 by task kunit_try_catch/246
[ 12.923246]
[ 12.923334] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.923389] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.923401] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.923421] Call Trace:
[ 12.923434]  <TASK>
[ 12.923451]  dump_stack_lvl+0x73/0xb0
[ 12.923477]  print_report+0xd1/0x650
[ 12.923499]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.923521]  ? mempool_uaf_helper+0x392/0x400
[ 12.923541]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.923563]  ? mempool_uaf_helper+0x392/0x400
[ 12.923585]  kasan_report+0x141/0x180
[ 12.923605]  ? mempool_uaf_helper+0x392/0x400
[ 12.923630]  __asan_report_load1_noabort+0x18/0x20
[ 12.923654]  mempool_uaf_helper+0x392/0x400
[ 12.923681]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.923704]  ? __kasan_check_write+0x18/0x20
[ 12.923735]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 12.923769]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.923805]  mempool_kmalloc_uaf+0xef/0x140
[ 12.923826]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 12.923850]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 12.923874]  ? __pfx_mempool_kfree+0x10/0x10
[ 12.923899]  ? __pfx_read_tsc+0x10/0x10
[ 12.923920]  ? ktime_get_ts64+0x86/0x230
[ 12.923943]  kunit_try_run_case+0x1a5/0x480
[ 12.923967]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.923988]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.924010]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.924032]  ? __kthread_parkme+0x82/0x180
[ 12.924052]  ? preempt_count_sub+0x50/0x80
[ 12.924075]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.924098]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.924120]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.924141]  kthread+0x337/0x6f0
[ 12.924160]  ? trace_preempt_on+0x20/0xc0
[ 12.924182]  ? __pfx_kthread+0x10/0x10
[ 12.924202]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.924222]  ? calculate_sigpending+0x7b/0xa0
[ 12.924254]  ? __pfx_kthread+0x10/0x10
[ 12.924274]  ret_from_fork+0x116/0x1d0
[ 12.924292]  ? __pfx_kthread+0x10/0x10
[ 12.924321]  ret_from_fork_asm+0x1a/0x30
[ 12.924352]  </TASK>
[ 12.924372]
[ 12.935648] Allocated by task 246:
[ 12.936356]  kasan_save_stack+0x45/0x70
[ 12.936856]  kasan_save_track+0x18/0x40
[ 12.937053]  kasan_save_alloc_info+0x3b/0x50
[ 12.937212]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 12.937476]  remove_element+0x11e/0x190
[ 12.937978]  mempool_alloc_preallocated+0x4d/0x90
[ 12.938171]  mempool_uaf_helper+0x96/0x400
[ 12.938648]  mempool_kmalloc_uaf+0xef/0x140
[ 12.938958]  kunit_try_run_case+0x1a5/0x480
[ 12.939140]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.939407]  kthread+0x337/0x6f0
[ 12.939951]  ret_from_fork+0x116/0x1d0
[ 12.940148]  ret_from_fork_asm+0x1a/0x30
[ 12.940497]
[ 12.940682] Freed by task 246:
[ 12.940974]  kasan_save_stack+0x45/0x70
[ 12.941293]  kasan_save_track+0x18/0x40
[ 12.941639]  kasan_save_free_info+0x3f/0x60
[ 12.941980]  __kasan_mempool_poison_object+0x131/0x1d0
[ 12.942376]  mempool_free+0x2ec/0x380
[ 12.942746]  mempool_uaf_helper+0x11a/0x400
[ 12.942919]  mempool_kmalloc_uaf+0xef/0x140
[ 12.943303]  kunit_try_run_case+0x1a5/0x480
[ 12.943562]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.943871]  kthread+0x337/0x6f0
[ 12.944011]  ret_from_fork+0x116/0x1d0
[ 12.944201]  ret_from_fork_asm+0x1a/0x30
[ 12.944409]
[ 12.944506] The buggy address belongs to the object at ffff888102c8b500
[ 12.944506]  which belongs to the cache kmalloc-128 of size 128
[ 12.945466] The buggy address is located 0 bytes inside of
[ 12.945466]  freed 128-byte region [ffff888102c8b500, ffff888102c8b580)
[ 12.946336]
[ 12.946433] The buggy address belongs to the physical page:
[ 12.946998] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c8b
[ 12.947494] flags: 0x200000000000000(node=0|zone=2)
[ 12.947829] page_type: f5(slab)
[ 12.947994] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.948321] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.948664] page dumped because: kasan: bad access detected
[ 12.949242]
[ 12.949334] Memory state around the buggy address:
[ 12.949762]  ffff888102c8b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.950330]  ffff888102c8b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.950877] >ffff888102c8b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.951280]                    ^
[ 12.951535]  ffff888102c8b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.952160]  ffff888102c8b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 12.952462] ==================================================================
[ 12.987293] ==================================================================
[ 12.988021] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.988382] Read of size 1 at addr ffff888103987240 by task kunit_try_catch/250
[ 12.988721]
[ 12.988826] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.988871] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.988884] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.988906] Call Trace:
[ 12.988919]  <TASK>
[ 12.988934]  dump_stack_lvl+0x73/0xb0
[ 12.988963]  print_report+0xd1/0x650
[ 12.988985]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.989008]  ? mempool_uaf_helper+0x392/0x400
[ 12.989028]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.989049]  ? mempool_uaf_helper+0x392/0x400
[ 12.989071]  kasan_report+0x141/0x180
[ 12.989092]  ? mempool_uaf_helper+0x392/0x400
[ 12.989117]  __asan_report_load1_noabort+0x18/0x20
[ 12.989142]  mempool_uaf_helper+0x392/0x400
[ 12.989164]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.989187]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 12.989211]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.989237]  mempool_slab_uaf+0xea/0x140
[ 12.989293]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 12.989318]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 12.989338]  ? __pfx_mempool_free_slab+0x10/0x10
[ 12.989380]  ? __pfx_read_tsc+0x10/0x10
[ 12.989401]  ? ktime_get_ts64+0x86/0x230
[ 12.989425]  kunit_try_run_case+0x1a5/0x480
[ 12.989449]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.989470]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.989493]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.989516]  ? __kthread_parkme+0x82/0x180
[ 12.989536]  ? preempt_count_sub+0x50/0x80
[ 12.989558]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.989580]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.989602]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.989626]  kthread+0x337/0x6f0
[ 12.989644]  ? trace_preempt_on+0x20/0xc0
[ 12.989667]  ? __pfx_kthread+0x10/0x10
[ 12.989687]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.989707]  ? calculate_sigpending+0x7b/0xa0
[ 12.989730]  ? __pfx_kthread+0x10/0x10
[ 12.989751]  ret_from_fork+0x116/0x1d0
[ 12.989769]  ? __pfx_kthread+0x10/0x10
[ 12.989790]  ret_from_fork_asm+0x1a/0x30
[ 12.989820]  </TASK>
[ 12.989831]
[ 13.001418] Allocated by task 250:
[ 13.001852]  kasan_save_stack+0x45/0x70
[ 13.002062]  kasan_save_track+0x18/0x40
[ 13.002247]  kasan_save_alloc_info+0x3b/0x50
[ 13.002452]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 13.002681]  remove_element+0x11e/0x190
[ 13.003379]  mempool_alloc_preallocated+0x4d/0x90
[ 13.003554]  mempool_uaf_helper+0x96/0x400
[ 13.004003]  mempool_slab_uaf+0xea/0x140
[ 13.004165]  kunit_try_run_case+0x1a5/0x480
[ 13.004380]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.004973]  kthread+0x337/0x6f0
[ 13.005138]  ret_from_fork+0x116/0x1d0
[ 13.005512]  ret_from_fork_asm+0x1a/0x30
[ 13.005946]
[ 13.006160] Freed by task 250:
[ 13.006282]  kasan_save_stack+0x45/0x70
[ 13.006901]  kasan_save_track+0x18/0x40
[ 13.007114]  kasan_save_free_info+0x3f/0x60
[ 13.007423]  __kasan_mempool_poison_object+0x131/0x1d0
[ 13.007888]  mempool_free+0x2ec/0x380
[ 13.008201]  mempool_uaf_helper+0x11a/0x400
[ 13.008518]  mempool_slab_uaf+0xea/0x140
[ 13.008745]  kunit_try_run_case+0x1a5/0x480
[ 13.009069]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.009333]  kthread+0x337/0x6f0
[ 13.009506]  ret_from_fork+0x116/0x1d0
[ 13.010088]  ret_from_fork_asm+0x1a/0x30
[ 13.010277]
[ 13.010353] The buggy address belongs to the object at ffff888103987240
[ 13.010353]  which belongs to the cache test_cache of size 123
[ 13.011443] The buggy address is located 0 bytes inside of
[ 13.011443]  freed 123-byte region [ffff888103987240, ffff8881039872bb)
[ 13.012347]
[ 13.012460] The buggy address belongs to the physical page:
[ 13.012953] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103987
[ 13.013324] flags: 0x200000000000000(node=0|zone=2)
[ 13.013557] page_type: f5(slab)
[ 13.014148] raw: 0200000000000000 ffff888100faeb40 dead000000000122 0000000000000000
[ 13.014658] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 13.015130] page dumped because: kasan: bad access detected
[ 13.015503]
[ 13.015802] Memory state around the buggy address:
[ 13.016186]  ffff888103987100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.016657]  ffff888103987180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.017183] >ffff888103987200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 13.017520]                                            ^
[ 13.018017]  ffff888103987280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.018439]  ffff888103987300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.018991] ==================================================================
```