Date
July 11, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.676183] ================================================================== [ 18.676253] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.677819] Read of size 1 at addr fff00000c5872b00 by task kunit_try_catch/228 [ 18.677905] [ 18.677948] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 18.678490] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.678518] Hardware name: linux,dummy-virt (DT) [ 18.678552] Call trace: [ 18.678576] show_stack+0x20/0x38 (C) [ 18.678634] dump_stack_lvl+0x8c/0xd0 [ 18.678684] print_report+0x118/0x608 [ 18.679182] kasan_report+0xdc/0x128 [ 18.679251] __asan_report_load1_noabort+0x20/0x30 [ 18.679805] mempool_uaf_helper+0x314/0x340 [ 18.679971] mempool_kmalloc_uaf+0xc4/0x120 [ 18.680022] kunit_try_run_case+0x170/0x3f0 [ 18.680075] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.680952] kthread+0x328/0x630 [ 18.681223] ret_from_fork+0x10/0x20 [ 18.681423] [ 18.681522] Allocated by task 228: [ 18.681907] kasan_save_stack+0x3c/0x68 [ 18.681967] kasan_save_track+0x20/0x40 [ 18.682007] kasan_save_alloc_info+0x40/0x58 [ 18.682306] __kasan_mempool_unpoison_object+0x11c/0x180 [ 18.682417] remove_element+0x130/0x1f8 [ 18.682519] mempool_alloc_preallocated+0x58/0xc0 [ 18.682560] mempool_uaf_helper+0xa4/0x340 [ 18.682891] mempool_kmalloc_uaf+0xc4/0x120 [ 18.683203] kunit_try_run_case+0x170/0x3f0 [ 18.683372] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.683617] kthread+0x328/0x630 [ 18.683901] ret_from_fork+0x10/0x20 [ 18.684425] [ 18.684597] Freed by task 228: [ 18.684727] kasan_save_stack+0x3c/0x68 [ 18.684783] kasan_save_track+0x20/0x40 [ 18.684819] kasan_save_free_info+0x4c/0x78 [ 18.684868] __kasan_mempool_poison_object+0xc0/0x150 [ 18.684908] mempool_free+0x28c/0x328 [ 18.684941] mempool_uaf_helper+0x104/0x340 [ 18.684979] mempool_kmalloc_uaf+0xc4/0x120 [ 18.685016] kunit_try_run_case+0x170/0x3f0 [ 18.685052] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.685094] kthread+0x328/0x630 [ 18.686174] ret_from_fork+0x10/0x20 [ 18.686226] [ 18.686248] The buggy address belongs to the object at fff00000c5872b00 [ 18.686248] which belongs to the cache kmalloc-128 of size 128 [ 18.686390] The buggy address is located 0 bytes inside of [ 18.686390] freed 128-byte region [fff00000c5872b00, fff00000c5872b80) [ 18.686648] [ 18.686672] The buggy address belongs to the physical page: [ 18.686703] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105872 [ 18.687090] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.687342] page_type: f5(slab) [ 18.687500] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.687552] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.687645] page dumped because: kasan: bad access detected [ 18.688052] [ 18.688077] Memory state around the buggy address: [ 18.688308] fff00000c5872a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.688557] fff00000c5872a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.688603] >fff00000c5872b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.688908] ^ [ 18.689134] fff00000c5872b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.689520] fff00000c5872c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 18.689569] ================================================================== [ 18.740242] ================================================================== [ 18.740336] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.740403] Read of size 1 at addr fff00000c5901240 by task kunit_try_catch/232 [ 18.740453] [ 18.740492] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 18.740578] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.740605] Hardware name: linux,dummy-virt (DT) [ 18.740637] Call trace: [ 18.740662] show_stack+0x20/0x38 (C) [ 18.740710] dump_stack_lvl+0x8c/0xd0 [ 18.740759] print_report+0x118/0x608 [ 18.740804] kasan_report+0xdc/0x128 [ 18.740866] __asan_report_load1_noabort+0x20/0x30 [ 18.740915] mempool_uaf_helper+0x314/0x340 [ 18.740962] mempool_slab_uaf+0xc0/0x118 [ 18.741006] kunit_try_run_case+0x170/0x3f0 [ 18.741056] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.741108] kthread+0x328/0x630 [ 18.741150] ret_from_fork+0x10/0x20 [ 18.741201] [ 18.741221] Allocated by task 232: [ 18.741249] kasan_save_stack+0x3c/0x68 [ 18.741288] kasan_save_track+0x20/0x40 [ 18.741326] kasan_save_alloc_info+0x40/0x58 [ 18.741366] __kasan_mempool_unpoison_object+0xbc/0x180 [ 18.741410] remove_element+0x16c/0x1f8 [ 18.741448] mempool_alloc_preallocated+0x58/0xc0 [ 18.741487] mempool_uaf_helper+0xa4/0x340 [ 18.741524] mempool_slab_uaf+0xc0/0x118 [ 18.741561] kunit_try_run_case+0x170/0x3f0 [ 18.741598] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.741641] kthread+0x328/0x630 [ 18.741672] ret_from_fork+0x10/0x20 [ 18.741709] [ 18.741728] Freed by task 232: [ 18.741753] kasan_save_stack+0x3c/0x68 [ 18.741790] kasan_save_track+0x20/0x40 [ 18.741827] kasan_save_free_info+0x4c/0x78 [ 18.741879] __kasan_mempool_poison_object+0xc0/0x150 [ 18.741921] mempool_free+0x28c/0x328 [ 18.741955] mempool_uaf_helper+0x104/0x340 [ 18.741992] mempool_slab_uaf+0xc0/0x118 [ 18.742028] kunit_try_run_case+0x170/0x3f0 [ 18.742066] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.742109] kthread+0x328/0x630 [ 18.742140] ret_from_fork+0x10/0x20 [ 18.742176] [ 18.742196] The buggy address belongs to the object at fff00000c5901240 [ 18.742196] which belongs to the cache test_cache of size 123 [ 18.742254] The buggy address is located 0 bytes inside of [ 18.742254] freed 123-byte region [fff00000c5901240, fff00000c59012bb) [ 18.742314] [ 18.742335] The buggy address belongs to the physical page: [ 18.742368] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105901 [ 18.742420] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.742472] page_type: f5(slab) [ 18.742511] raw: 0bfffe0000000000 fff00000c6f4f280 dead000000000122 0000000000000000 [ 18.742561] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 18.742601] page dumped because: kasan: bad access detected [ 18.742632] [ 18.742651] Memory state around the buggy address: [ 18.742681] fff00000c5901100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.742724] fff00000c5901180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.743215] >fff00000c5901200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 18.743257] ^ [ 18.743293] fff00000c5901280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.743342] fff00000c5901300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.743380] ==================================================================
[ 13.932897] ================================================================== [ 13.933484] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.933724] Read of size 1 at addr ffff888103956240 by task kunit_try_catch/248 [ 13.934008] [ 13.934096] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.934159] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.934174] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.934197] Call Trace: [ 13.934208] <TASK> [ 13.934224] dump_stack_lvl+0x73/0xb0 [ 13.934254] print_report+0xd1/0x650 [ 13.934277] ? __virt_addr_valid+0x1db/0x2d0 [ 13.934301] ? mempool_uaf_helper+0x392/0x400 [ 13.934323] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.934347] ? mempool_uaf_helper+0x392/0x400 [ 13.934369] kasan_report+0x141/0x180 [ 13.934392] ? mempool_uaf_helper+0x392/0x400 [ 13.934420] __asan_report_load1_noabort+0x18/0x20 [ 13.934445] mempool_uaf_helper+0x392/0x400 [ 13.934469] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.934491] ? update_load_avg+0x1be/0x21b0 [ 13.934526] ? finish_task_switch.isra.0+0x153/0x700 [ 13.934552] mempool_slab_uaf+0xea/0x140 [ 13.934576] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.934604] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.934632] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.934660] ? __pfx_read_tsc+0x10/0x10 [ 13.934682] ? ktime_get_ts64+0x86/0x230 [ 13.934706] kunit_try_run_case+0x1a5/0x480 [ 13.934731] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.935343] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.935378] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.935405] ? __kthread_parkme+0x82/0x180 [ 13.935429] ? preempt_count_sub+0x50/0x80 [ 13.935454] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.935481] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.935508] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.935534] kthread+0x337/0x6f0 [ 13.935554] ? trace_preempt_on+0x20/0xc0 [ 13.935579] ? __pfx_kthread+0x10/0x10 [ 13.935601] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.935623] ? calculate_sigpending+0x7b/0xa0 [ 13.935647] ? __pfx_kthread+0x10/0x10 [ 13.935669] ret_from_fork+0x116/0x1d0 [ 13.935687] ? __pfx_kthread+0x10/0x10 [ 13.935707] ret_from_fork_asm+0x1a/0x30 [ 13.935738] </TASK> [ 13.935802] [ 13.954690] Allocated by task 248: [ 13.955158] kasan_save_stack+0x45/0x70 [ 13.955630] kasan_save_track+0x18/0x40 [ 13.955781] kasan_save_alloc_info+0x3b/0x50 [ 13.956527] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.957114] remove_element+0x11e/0x190 [ 13.957610] mempool_alloc_preallocated+0x4d/0x90 [ 13.958029] mempool_uaf_helper+0x96/0x400 [ 13.958448] mempool_slab_uaf+0xea/0x140 [ 13.958610] kunit_try_run_case+0x1a5/0x480 [ 13.958761] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.958955] kthread+0x337/0x6f0 [ 13.959130] ret_from_fork+0x116/0x1d0 [ 13.959331] ret_from_fork_asm+0x1a/0x30 [ 13.959538] [ 13.959632] Freed by task 248: [ 13.960333] kasan_save_stack+0x45/0x70 [ 13.960616] kasan_save_track+0x18/0x40 [ 13.960876] kasan_save_free_info+0x3f/0x60 [ 13.961219] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.961656] mempool_free+0x2ec/0x380 [ 13.962217] mempool_uaf_helper+0x11a/0x400 [ 13.962438] mempool_slab_uaf+0xea/0x140 [ 13.962937] kunit_try_run_case+0x1a5/0x480 [ 13.963158] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.963842] kthread+0x337/0x6f0 [ 13.964348] ret_from_fork+0x116/0x1d0 [ 13.964489] ret_from_fork_asm+0x1a/0x30 [ 13.964626] [ 13.964697] The buggy address belongs to the object at ffff888103956240 [ 13.964697] which belongs to the cache test_cache of size 123 [ 13.966152] The buggy address is located 0 bytes inside of [ 13.966152] freed 123-byte region [ffff888103956240, ffff8881039562bb) [ 13.966887] [ 13.967051] The buggy address belongs to the physical page: [ 13.967646] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103956 [ 13.968429] flags: 0x200000000000000(node=0|zone=2) [ 13.968979] page_type: f5(slab) [ 13.969305] raw: 0200000000000000 ffff88810394a500 dead000000000122 0000000000000000 [ 13.970192] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 13.970417] page dumped because: kasan: bad access detected [ 13.970591] [ 13.970659] Memory state around the buggy address: [ 13.971296] ffff888103956100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.972130] ffff888103956180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.972947] >ffff888103956200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.973784] ^ [ 13.974259] ffff888103956280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.974700] ffff888103956300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.975478] ================================================================== [ 13.883863] ================================================================== [ 13.884595] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.884965] Read of size 1 at addr ffff888103953200 by task kunit_try_catch/244 [ 13.885274] [ 13.885362] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.885485] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.885501] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.885537] Call Trace: [ 13.885550] <TASK> [ 13.885566] dump_stack_lvl+0x73/0xb0 [ 13.885598] print_report+0xd1/0x650 [ 13.885620] ? __virt_addr_valid+0x1db/0x2d0 [ 13.885645] ? mempool_uaf_helper+0x392/0x400 [ 13.885666] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.885689] ? mempool_uaf_helper+0x392/0x400 [ 13.885712] kasan_report+0x141/0x180 [ 13.885734] ? mempool_uaf_helper+0x392/0x400 [ 13.885770] __asan_report_load1_noabort+0x18/0x20 [ 13.885795] mempool_uaf_helper+0x392/0x400 [ 13.885818] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.885865] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.885888] ? finish_task_switch.isra.0+0x153/0x700 [ 13.885914] mempool_kmalloc_uaf+0xef/0x140 [ 13.885949] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 13.885975] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.886000] ? __pfx_mempool_kfree+0x10/0x10 [ 13.886025] ? __pfx_read_tsc+0x10/0x10 [ 13.886097] ? ktime_get_ts64+0x86/0x230 [ 13.886125] kunit_try_run_case+0x1a5/0x480 [ 13.886150] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.886173] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.886197] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.886222] ? __kthread_parkme+0x82/0x180 [ 13.886242] ? preempt_count_sub+0x50/0x80 [ 13.886266] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.886290] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.886314] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.886340] kthread+0x337/0x6f0 [ 13.886359] ? trace_preempt_on+0x20/0xc0 [ 13.886383] ? __pfx_kthread+0x10/0x10 [ 13.886403] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.886425] ? calculate_sigpending+0x7b/0xa0 [ 13.886449] ? __pfx_kthread+0x10/0x10 [ 13.886471] ret_from_fork+0x116/0x1d0 [ 13.886489] ? __pfx_kthread+0x10/0x10 [ 13.886516] ret_from_fork_asm+0x1a/0x30 [ 13.886549] </TASK> [ 13.886558] [ 13.894913] Allocated by task 244: [ 13.895059] kasan_save_stack+0x45/0x70 [ 13.895277] kasan_save_track+0x18/0x40 [ 13.895470] kasan_save_alloc_info+0x3b/0x50 [ 13.895766] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.895994] remove_element+0x11e/0x190 [ 13.896136] mempool_alloc_preallocated+0x4d/0x90 [ 13.896294] mempool_uaf_helper+0x96/0x400 [ 13.896491] mempool_kmalloc_uaf+0xef/0x140 [ 13.896696] kunit_try_run_case+0x1a5/0x480 [ 13.897057] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.897313] kthread+0x337/0x6f0 [ 13.897479] ret_from_fork+0x116/0x1d0 [ 13.897635] ret_from_fork_asm+0x1a/0x30 [ 13.897905] [ 13.898109] Freed by task 244: [ 13.898279] kasan_save_stack+0x45/0x70 [ 13.898438] kasan_save_track+0x18/0x40 [ 13.898611] kasan_save_free_info+0x3f/0x60 [ 13.898847] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.899183] mempool_free+0x2ec/0x380 [ 13.899383] mempool_uaf_helper+0x11a/0x400 [ 13.899570] mempool_kmalloc_uaf+0xef/0x140 [ 13.899836] kunit_try_run_case+0x1a5/0x480 [ 13.900011] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.900187] kthread+0x337/0x6f0 [ 13.900307] ret_from_fork+0x116/0x1d0 [ 13.900507] ret_from_fork_asm+0x1a/0x30 [ 13.900708] [ 13.900878] The buggy address belongs to the object at ffff888103953200 [ 13.900878] which belongs to the cache kmalloc-128 of size 128 [ 13.901725] The buggy address is located 0 bytes inside of [ 13.901725] freed 128-byte region [ffff888103953200, ffff888103953280) [ 13.902309] [ 13.902387] The buggy address belongs to the physical page: [ 13.902629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103953 [ 13.903149] flags: 0x200000000000000(node=0|zone=2) [ 13.903363] page_type: f5(slab) [ 13.903579] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.903832] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.904070] page dumped because: kasan: bad access detected [ 13.904241] [ 13.904322] Memory state around the buggy address: [ 13.904574] ffff888103953100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.904901] ffff888103953180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.905517] >ffff888103953200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.905852] ^ [ 13.905978] ffff888103953280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.906635] ffff888103953300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 13.907003] ==================================================================