Date
July 12, 2025, 11:09 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (Hardware name: linux,dummy-virt):

```
[ 21.922008] ==================================================================
[ 21.922148] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.922348] Read of size 1 at addr fff00000c5943240 by task kunit_try_catch/232
[ 21.922460]
[ 21.922855] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 21.923165] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.923302] Hardware name: linux,dummy-virt (DT)
[ 21.923388] Call trace:
[ 21.923441]  show_stack+0x20/0x38 (C)
[ 21.923801]  dump_stack_lvl+0x8c/0xd0
[ 21.923987]  print_report+0x118/0x608
[ 21.924103]  kasan_report+0xdc/0x128
[ 21.924313]  __asan_report_load1_noabort+0x20/0x30
[ 21.924434]  mempool_uaf_helper+0x314/0x340
[ 21.924622]  mempool_slab_uaf+0xc0/0x118
[ 21.924806]  kunit_try_run_case+0x170/0x3f0
[ 21.924931]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.925392]  kthread+0x328/0x630
[ 21.925615]  ret_from_fork+0x10/0x20
[ 21.925751]
[ 21.925801] Allocated by task 232:
[ 21.925983]  kasan_save_stack+0x3c/0x68
[ 21.926071]  kasan_save_track+0x20/0x40
[ 21.926370]  kasan_save_alloc_info+0x40/0x58
[ 21.926695]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 21.926815]  remove_element+0x16c/0x1f8
[ 21.926911]  mempool_alloc_preallocated+0x58/0xc0
[ 21.926993]  mempool_uaf_helper+0xa4/0x340
[ 21.927068]  mempool_slab_uaf+0xc0/0x118
[ 21.927424]  kunit_try_run_case+0x170/0x3f0
[ 21.927661]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.927872]  kthread+0x328/0x630
[ 21.928041]  ret_from_fork+0x10/0x20
[ 21.928285]
[ 21.928388] Freed by task 232:
[ 21.928480]  kasan_save_stack+0x3c/0x68
[ 21.928656]  kasan_save_track+0x20/0x40
[ 21.928868]  kasan_save_free_info+0x4c/0x78
[ 21.928962]  __kasan_mempool_poison_object+0xc0/0x150
[ 21.929132]  mempool_free+0x28c/0x328
[ 21.929207]  mempool_uaf_helper+0x104/0x340
[ 21.929302]  mempool_slab_uaf+0xc0/0x118
[ 21.929380]  kunit_try_run_case+0x170/0x3f0
[ 21.929449]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.929521]  kthread+0x328/0x630
[ 21.929581]  ret_from_fork+0x10/0x20
[ 21.929652]
[ 21.929983] The buggy address belongs to the object at fff00000c5943240
[ 21.929983]  which belongs to the cache test_cache of size 123
[ 21.930365] The buggy address is located 0 bytes inside of
[ 21.930365]  freed 123-byte region [fff00000c5943240, fff00000c59432bb)
[ 21.930542]
[ 21.930683] The buggy address belongs to the physical page:
[ 21.930746] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105943
[ 21.931116] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.931294] page_type: f5(slab)
[ 21.931397] raw: 0bfffe0000000000 fff00000c3eaa500 dead000000000122 0000000000000000
[ 21.932202] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 21.932519] page dumped because: kasan: bad access detected
[ 21.932604]
[ 21.932657] Memory state around the buggy address:
[ 21.932737]  fff00000c5943100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.932946]  fff00000c5943180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.933060] >fff00000c5943200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 21.933330] ^
[ 21.933858]  fff00000c5943280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.934026]  fff00000c5943300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.934272] ==================================================================
[ 21.863521] ==================================================================
[ 21.863630] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.863726] Read of size 1 at addr fff00000c6595d00 by task kunit_try_catch/228
[ 21.863786]
[ 21.863858] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 21.863958] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.863989] Hardware name: linux,dummy-virt (DT)
[ 21.864026] Call trace:
[ 21.864054]  show_stack+0x20/0x38 (C)
[ 21.864116]  dump_stack_lvl+0x8c/0xd0
[ 21.864173]  print_report+0x118/0x608
[ 21.864228]  kasan_report+0xdc/0x128
[ 21.864278]  __asan_report_load1_noabort+0x20/0x30
[ 21.864335]  mempool_uaf_helper+0x314/0x340
[ 21.864385]  mempool_kmalloc_uaf+0xc4/0x120
[ 21.864437]  kunit_try_run_case+0x170/0x3f0
[ 21.864491]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.864550]  kthread+0x328/0x630
[ 21.864598]  ret_from_fork+0x10/0x20
[ 21.864656]
[ 21.864677] Allocated by task 228:
[ 21.864709]  kasan_save_stack+0x3c/0x68
[ 21.864758]  kasan_save_track+0x20/0x40
[ 21.864800]  kasan_save_alloc_info+0x40/0x58
[ 21.864862]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 21.864910]  remove_element+0x130/0x1f8
[ 21.864953]  mempool_alloc_preallocated+0x58/0xc0
[ 21.864994]  mempool_uaf_helper+0xa4/0x340
[ 21.865035]  mempool_kmalloc_uaf+0xc4/0x120
[ 21.865075]  kunit_try_run_case+0x170/0x3f0
[ 21.865117]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.865236]  kthread+0x328/0x630
[ 21.865302]  ret_from_fork+0x10/0x20
[ 21.865377]
[ 21.865415] Freed by task 228:
[ 21.865466]  kasan_save_stack+0x3c/0x68
[ 21.865540]  kasan_save_track+0x20/0x40
[ 21.865609]  kasan_save_free_info+0x4c/0x78
[ 21.865693]  __kasan_mempool_poison_object+0xc0/0x150
[ 21.865782]  mempool_free+0x28c/0x328
[ 21.865878]  mempool_uaf_helper+0x104/0x340
[ 21.865962]  mempool_kmalloc_uaf+0xc4/0x120
[ 21.866035]  kunit_try_run_case+0x170/0x3f0
[ 21.866078]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.866126]  kthread+0x328/0x630
[ 21.866162]  ret_from_fork+0x10/0x20
[ 21.866203]
[ 21.866227] The buggy address belongs to the object at fff00000c6595d00
[ 21.866227]  which belongs to the cache kmalloc-128 of size 128
[ 21.866294] The buggy address is located 0 bytes inside of
[ 21.866294]  freed 128-byte region [fff00000c6595d00, fff00000c6595d80)
[ 21.866361]
[ 21.866385] The buggy address belongs to the physical page:
[ 21.866420] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106595
[ 21.866483] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.866557] page_type: f5(slab)
[ 21.866611] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 21.866670] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.866718] page dumped because: kasan: bad access detected
[ 21.866753]
[ 21.866774] Memory state around the buggy address:
[ 21.866813]  fff00000c6595c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.866885]  fff00000c6595c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.866935] >fff00000c6595d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.866979] ^
[ 21.867012]  fff00000c6595d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.867059]  fff00000c6595e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.867101] ==================================================================
```
qemu-x86_64 (Hardware name: QEMU Standard PC):

```
[ 14.130192] ==================================================================
[ 14.130626] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.131713] Read of size 1 at addr ffff888102b92b00 by task kunit_try_catch/245
[ 14.132580]
[ 14.132927] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.132977] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.132989] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.133008] Call Trace:
[ 14.133022]  <TASK>
[ 14.133039]  dump_stack_lvl+0x73/0xb0
[ 14.133071]  print_report+0xd1/0x650
[ 14.133093]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.133117]  ? mempool_uaf_helper+0x392/0x400
[ 14.133139]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.133162]  ? mempool_uaf_helper+0x392/0x400
[ 14.133185]  kasan_report+0x141/0x180
[ 14.133206]  ? mempool_uaf_helper+0x392/0x400
[ 14.133234]  __asan_report_load1_noabort+0x18/0x20
[ 14.133259]  mempool_uaf_helper+0x392/0x400
[ 14.133282]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.133304]  ? update_load_avg+0x1be/0x21b0
[ 14.133328]  ? dequeue_entities+0x27e/0x1740
[ 14.133354]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.133381]  mempool_kmalloc_uaf+0xef/0x140
[ 14.133403]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 14.133428]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.133452]  ? __pfx_mempool_kfree+0x10/0x10
[ 14.133478]  ? __pfx_read_tsc+0x10/0x10
[ 14.133499]  ? ktime_get_ts64+0x86/0x230
[ 14.133523]  kunit_try_run_case+0x1a5/0x480
[ 14.133548]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.133572]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.133596]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.133620]  ? __kthread_parkme+0x82/0x180
[ 14.133641]  ? preempt_count_sub+0x50/0x80
[ 14.133785]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.133812]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.133838]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.133865]  kthread+0x337/0x6f0
[ 14.133884]  ? trace_preempt_on+0x20/0xc0
[ 14.133943]  ? __pfx_kthread+0x10/0x10
[ 14.133965]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.133986]  ? calculate_sigpending+0x7b/0xa0
[ 14.134011]  ? __pfx_kthread+0x10/0x10
[ 14.134033]  ret_from_fork+0x116/0x1d0
[ 14.134052]  ? __pfx_kthread+0x10/0x10
[ 14.134073]  ret_from_fork_asm+0x1a/0x30
[ 14.134105]  </TASK>
[ 14.134116]
[ 14.149480] Allocated by task 245:
[ 14.149884]  kasan_save_stack+0x45/0x70
[ 14.150268]  kasan_save_track+0x18/0x40
[ 14.150638]  kasan_save_alloc_info+0x3b/0x50
[ 14.151134]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 14.151599]  remove_element+0x11e/0x190
[ 14.152015]  mempool_alloc_preallocated+0x4d/0x90
[ 14.152429]  mempool_uaf_helper+0x96/0x400
[ 14.152848]  mempool_kmalloc_uaf+0xef/0x140
[ 14.153212]  kunit_try_run_case+0x1a5/0x480
[ 14.153583]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.153904]  kthread+0x337/0x6f0
[ 14.154024]  ret_from_fork+0x116/0x1d0
[ 14.154154]  ret_from_fork_asm+0x1a/0x30
[ 14.154291]
[ 14.154365] Freed by task 245:
[ 14.154475]  kasan_save_stack+0x45/0x70
[ 14.154610]  kasan_save_track+0x18/0x40
[ 14.154792]  kasan_save_free_info+0x3f/0x60
[ 14.154992]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.155316]  mempool_free+0x2ec/0x380
[ 14.155447]  mempool_uaf_helper+0x11a/0x400
[ 14.155588]  mempool_kmalloc_uaf+0xef/0x140
[ 14.155730]  kunit_try_run_case+0x1a5/0x480
[ 14.155903]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.156362]  kthread+0x337/0x6f0
[ 14.156658]  ret_from_fork+0x116/0x1d0
[ 14.157003]  ret_from_fork_asm+0x1a/0x30
[ 14.157348]
[ 14.157511] The buggy address belongs to the object at ffff888102b92b00
[ 14.157511]  which belongs to the cache kmalloc-128 of size 128
[ 14.158596] The buggy address is located 0 bytes inside of
[ 14.158596]  freed 128-byte region [ffff888102b92b00, ffff888102b92b80)
[ 14.159770]
[ 14.159848] The buggy address belongs to the physical page:
[ 14.160020] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b92
[ 14.160256] flags: 0x200000000000000(node=0|zone=2)
[ 14.160420] page_type: f5(slab)
[ 14.160541] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.160794] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.161163] page dumped because: kasan: bad access detected
[ 14.161408]
[ 14.161480] Memory state around the buggy address:
[ 14.161637]  ffff888102b92a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.161971]  ffff888102b92a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.162237] >ffff888102b92b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.162529] ^
[ 14.162683]  ffff888102b92b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.162968]  ffff888102b92c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 14.163177] ==================================================================
[ 14.198729] ==================================================================
[ 14.200290] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.200601] Read of size 1 at addr ffff88810266b240 by task kunit_try_catch/249
[ 14.201731]
[ 14.202226] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.202276] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.202288] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.202308] Call Trace:
[ 14.202319]  <TASK>
[ 14.202335]  dump_stack_lvl+0x73/0xb0
[ 14.202373]  print_report+0xd1/0x650
[ 14.202395]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.202418]  ? mempool_uaf_helper+0x392/0x400
[ 14.202440]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.202464]  ? mempool_uaf_helper+0x392/0x400
[ 14.202486]  kasan_report+0x141/0x180
[ 14.202508]  ? mempool_uaf_helper+0x392/0x400
[ 14.202535]  __asan_report_load1_noabort+0x18/0x20
[ 14.202560]  mempool_uaf_helper+0x392/0x400
[ 14.202583]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.202613]  mempool_slab_uaf+0xea/0x140
[ 14.202636]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 14.202693]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 14.202719]  ? __pfx_mempool_free_slab+0x10/0x10
[ 14.202760]  ? __pfx_read_tsc+0x10/0x10
[ 14.202782]  ? ktime_get_ts64+0x86/0x230
[ 14.202806]  kunit_try_run_case+0x1a5/0x480
[ 14.202833]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.202855]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.202879]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.202903]  ? __kthread_parkme+0x82/0x180
[ 14.202924]  ? preempt_count_sub+0x50/0x80
[ 14.202948]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.202972]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.202996]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.203022]  kthread+0x337/0x6f0
[ 14.203041]  ? trace_preempt_on+0x20/0xc0
[ 14.203064]  ? __pfx_kthread+0x10/0x10
[ 14.203085]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.203107]  ? calculate_sigpending+0x7b/0xa0
[ 14.203132]  ? __pfx_kthread+0x10/0x10
[ 14.203153]  ret_from_fork+0x116/0x1d0
[ 14.203172]  ? __pfx_kthread+0x10/0x10
[ 14.203192]  ret_from_fork_asm+0x1a/0x30
[ 14.203222]  </TASK>
[ 14.203232]
[ 14.217797] Allocated by task 249:
[ 14.217931]  kasan_save_stack+0x45/0x70
[ 14.218454]  kasan_save_track+0x18/0x40
[ 14.219018]  kasan_save_alloc_info+0x3b/0x50
[ 14.219278]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 14.219510]  remove_element+0x11e/0x190
[ 14.220014]  mempool_alloc_preallocated+0x4d/0x90
[ 14.220247]  mempool_uaf_helper+0x96/0x400
[ 14.220531]  mempool_slab_uaf+0xea/0x140
[ 14.220834]  kunit_try_run_case+0x1a5/0x480
[ 14.221187]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.221524]  kthread+0x337/0x6f0
[ 14.221720]  ret_from_fork+0x116/0x1d0
[ 14.221907]  ret_from_fork_asm+0x1a/0x30
[ 14.222095]
[ 14.222185] Freed by task 249:
[ 14.222332]  kasan_save_stack+0x45/0x70
[ 14.222528]  kasan_save_track+0x18/0x40
[ 14.223273]  kasan_save_free_info+0x3f/0x60
[ 14.223494]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.223892]  mempool_free+0x2ec/0x380
[ 14.224242]  mempool_uaf_helper+0x11a/0x400
[ 14.224454]  mempool_slab_uaf+0xea/0x140
[ 14.224814]  kunit_try_run_case+0x1a5/0x480
[ 14.225023]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.225269]  kthread+0x337/0x6f0
[ 14.225445]  ret_from_fork+0x116/0x1d0
[ 14.225622]  ret_from_fork_asm+0x1a/0x30
[ 14.226224]
[ 14.226322] The buggy address belongs to the object at ffff88810266b240
[ 14.226322]  which belongs to the cache test_cache of size 123
[ 14.227319] The buggy address is located 0 bytes inside of
[ 14.227319]  freed 123-byte region [ffff88810266b240, ffff88810266b2bb)
[ 14.227869]
[ 14.228235] The buggy address belongs to the physical page:
[ 14.228572] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10266b
[ 14.229141] flags: 0x200000000000000(node=0|zone=2)
[ 14.229446] page_type: f5(slab)
[ 14.229578] raw: 0200000000000000 ffff888101020b40 dead000000000122 0000000000000000
[ 14.229993] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 14.230331] page dumped because: kasan: bad access detected
[ 14.230584]
[ 14.230671] Memory state around the buggy address:
[ 14.231293]  ffff88810266b100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.231928]  ffff88810266b180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.232224] >ffff88810266b200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 14.232540] ^
[ 14.233085]  ffff88810266b280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.233452]  ffff88810266b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.233905] ==================================================================
```