Hay
Date: July 12, 2025, 11:09 p.m.

Environment: qemu-arm64, qemu-x86_64

[   18.482507] ==================================================================
[   18.482572] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.482628] Read of size 1 at addr fff00000c65c4240 by task kunit_try_catch/231
[   18.482678] 
[   18.482710] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.482794] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.482820] Hardware name: linux,dummy-virt (DT)
[   18.486820] Call trace:
[   18.488050]  show_stack+0x20/0x38 (C)
[   18.488623]  dump_stack_lvl+0x8c/0xd0
[   18.489257]  print_report+0x118/0x5d0
[   18.489471]  kasan_report+0xdc/0x128
[   18.489518]  __asan_report_load1_noabort+0x20/0x30
[   18.490383]  mempool_uaf_helper+0x314/0x340
[   18.490519]  mempool_slab_uaf+0xc0/0x118
[   18.490564]  kunit_try_run_case+0x170/0x3f0
[   18.490611]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.491748]  kthread+0x328/0x630
[   18.492106]  ret_from_fork+0x10/0x20
[   18.492695] 
[   18.492786] Allocated by task 231:
[   18.493029]  kasan_save_stack+0x3c/0x68
[   18.493335]  kasan_save_track+0x20/0x40
[   18.493375]  kasan_save_alloc_info+0x40/0x58
[   18.493417]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.494144]  remove_element+0x16c/0x1f8
[   18.494203]  mempool_alloc_preallocated+0x58/0xc0
[   18.494244]  mempool_uaf_helper+0xa4/0x340
[   18.494281]  mempool_slab_uaf+0xc0/0x118
[   18.494318]  kunit_try_run_case+0x170/0x3f0
[   18.494356]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.494401]  kthread+0x328/0x630
[   18.494434]  ret_from_fork+0x10/0x20
[   18.494470] 
[   18.494489] Freed by task 231:
[   18.494518]  kasan_save_stack+0x3c/0x68
[   18.494556]  kasan_save_track+0x20/0x40
[   18.496907]  kasan_save_free_info+0x4c/0x78
[   18.497000]  __kasan_mempool_poison_object+0xc0/0x150
[   18.497047]  mempool_free+0x28c/0x328
[   18.497723]  mempool_uaf_helper+0x104/0x340
[   18.498179]  mempool_slab_uaf+0xc0/0x118
[   18.498904]  kunit_try_run_case+0x170/0x3f0
[   18.499010]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.499621]  kthread+0x328/0x630
[   18.500076]  ret_from_fork+0x10/0x20
[   18.500434] 
[   18.500464] The buggy address belongs to the object at fff00000c65c4240
[   18.500464]  which belongs to the cache test_cache of size 123
[   18.501337] The buggy address is located 0 bytes inside of
[   18.501337]  freed 123-byte region [fff00000c65c4240, fff00000c65c42bb)
[   18.502221] 
[   18.502429] The buggy address belongs to the physical page:
[   18.502665] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065c4
[   18.502910] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.503526] page_type: f5(slab)
[   18.503642] raw: 0bfffe0000000000 fff00000c66fd280 dead000000000122 0000000000000000
[   18.503744] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   18.503864] page dumped because: kasan: bad access detected
[   18.504619] 
[   18.504644] Memory state around the buggy address:
[   18.504940]  fff00000c65c4100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.505706]  fff00000c65c4180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.505832] >fff00000c65c4200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.506316]                                            ^
[   18.507155]  fff00000c65c4280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.507288]  fff00000c65c4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.507328] ==================================================================
[   18.428157] ==================================================================
[   18.428238] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.428298] Read of size 1 at addr fff00000c7897700 by task kunit_try_catch/227
[   18.428348] 
[   18.428383] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.428469] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.428765] Hardware name: linux,dummy-virt (DT)
[   18.429107] Call trace:
[   18.429364]  show_stack+0x20/0x38 (C)
[   18.429697]  dump_stack_lvl+0x8c/0xd0
[   18.430030]  print_report+0x118/0x5d0
[   18.430344]  kasan_report+0xdc/0x128
[   18.430500]  __asan_report_load1_noabort+0x20/0x30
[   18.430668]  mempool_uaf_helper+0x314/0x340
[   18.430902]  mempool_kmalloc_uaf+0xc4/0x120
[   18.430978]  kunit_try_run_case+0x170/0x3f0
[   18.431029]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.431082]  kthread+0x328/0x630
[   18.431124]  ret_from_fork+0x10/0x20
[   18.431528] 
[   18.431564] Allocated by task 227:
[   18.431599]  kasan_save_stack+0x3c/0x68
[   18.431984]  kasan_save_track+0x20/0x40
[   18.432062]  kasan_save_alloc_info+0x40/0x58
[   18.432103]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.432149]  remove_element+0x130/0x1f8
[   18.432201]  mempool_alloc_preallocated+0x58/0xc0
[   18.432242]  mempool_uaf_helper+0xa4/0x340
[   18.432280]  mempool_kmalloc_uaf+0xc4/0x120
[   18.432319]  kunit_try_run_case+0x170/0x3f0
[   18.432357]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.432743]  kthread+0x328/0x630
[   18.432896]  ret_from_fork+0x10/0x20
[   18.432952] 
[   18.432973] Freed by task 227:
[   18.433000]  kasan_save_stack+0x3c/0x68
[   18.433038]  kasan_save_track+0x20/0x40
[   18.433303]  kasan_save_free_info+0x4c/0x78
[   18.433394]  __kasan_mempool_poison_object+0xc0/0x150
[   18.433476]  mempool_free+0x28c/0x328
[   18.433510]  mempool_uaf_helper+0x104/0x340
[   18.433582]  mempool_kmalloc_uaf+0xc4/0x120
[   18.433618]  kunit_try_run_case+0x170/0x3f0
[   18.433949]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.433999]  kthread+0x328/0x630
[   18.434030]  ret_from_fork+0x10/0x20
[   18.434279] 
[   18.434305] The buggy address belongs to the object at fff00000c7897700
[   18.434305]  which belongs to the cache kmalloc-128 of size 128
[   18.434369] The buggy address is located 0 bytes inside of
[   18.434369]  freed 128-byte region [fff00000c7897700, fff00000c7897780)
[   18.434432] 
[   18.434608] The buggy address belongs to the physical page:
[   18.434734] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107897
[   18.434864] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.435285] page_type: f5(slab)
[   18.435334] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.435501] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.435544] page dumped because: kasan: bad access detected
[   18.435864] 
[   18.435934] Memory state around the buggy address:
[   18.435967]  fff00000c7897600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.436012]  fff00000c7897680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.436066] >fff00000c7897700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.436104]                    ^
[   18.436132]  fff00000c7897780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.436347]  fff00000c7897800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.436651] ==================================================================

[   14.501178] ==================================================================
[   14.502607] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.502876] Read of size 1 at addr ffff8881027ebc00 by task kunit_try_catch/244
[   14.503509] 
[   14.504047] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.504189] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.504205] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.504228] Call Trace:
[   14.504242]  <TASK>
[   14.504260]  dump_stack_lvl+0x73/0xb0
[   14.504306]  print_report+0xd1/0x610
[   14.504330]  ? __virt_addr_valid+0x1db/0x2d0
[   14.504355]  ? mempool_uaf_helper+0x392/0x400
[   14.504378]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.504402]  ? mempool_uaf_helper+0x392/0x400
[   14.504425]  kasan_report+0x141/0x180
[   14.504447]  ? mempool_uaf_helper+0x392/0x400
[   14.504474]  __asan_report_load1_noabort+0x18/0x20
[   14.504500]  mempool_uaf_helper+0x392/0x400
[   14.504523]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.504550]  ? __kasan_check_write+0x18/0x20
[   14.504569]  ? __pfx_sched_clock_cpu+0x10/0x10
[   14.504593]  ? finish_task_switch.isra.0+0x153/0x700
[   14.504621]  mempool_kmalloc_uaf+0xef/0x140
[   14.504644]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   14.504670]  ? __pfx_mempool_kmalloc+0x10/0x10
[   14.504696]  ? __pfx_mempool_kfree+0x10/0x10
[   14.504721]  ? __pfx_read_tsc+0x10/0x10
[   14.504743]  ? ktime_get_ts64+0x86/0x230
[   14.504767]  kunit_try_run_case+0x1a5/0x480
[   14.504794]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.504819]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.504847]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.504872]  ? __kthread_parkme+0x82/0x180
[   14.504893]  ? preempt_count_sub+0x50/0x80
[   14.504917]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.504943]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.504968]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.505007]  kthread+0x337/0x6f0
[   14.505040]  ? trace_preempt_on+0x20/0xc0
[   14.505072]  ? __pfx_kthread+0x10/0x10
[   14.505093]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.505117]  ? calculate_sigpending+0x7b/0xa0
[   14.505144]  ? __pfx_kthread+0x10/0x10
[   14.505165]  ret_from_fork+0x116/0x1d0
[   14.505184]  ? __pfx_kthread+0x10/0x10
[   14.505205]  ret_from_fork_asm+0x1a/0x30
[   14.505236]  </TASK>
[   14.505247] 
[   14.520665] Allocated by task 244:
[   14.521033]  kasan_save_stack+0x45/0x70
[   14.521484]  kasan_save_track+0x18/0x40
[   14.521869]  kasan_save_alloc_info+0x3b/0x50
[   14.522368]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   14.522554]  remove_element+0x11e/0x190
[   14.522696]  mempool_alloc_preallocated+0x4d/0x90
[   14.522860]  mempool_uaf_helper+0x96/0x400
[   14.523132]  mempool_kmalloc_uaf+0xef/0x140
[   14.523594]  kunit_try_run_case+0x1a5/0x480
[   14.524057]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.524584]  kthread+0x337/0x6f0
[   14.524921]  ret_from_fork+0x116/0x1d0
[   14.525392]  ret_from_fork_asm+0x1a/0x30
[   14.525911] 
[   14.526134] Freed by task 244:
[   14.526479]  kasan_save_stack+0x45/0x70
[   14.526624]  kasan_save_track+0x18/0x40
[   14.526761]  kasan_save_free_info+0x3f/0x60
[   14.526905]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.527086]  mempool_free+0x2ec/0x380
[   14.527347]  mempool_uaf_helper+0x11a/0x400
[   14.527500]  mempool_kmalloc_uaf+0xef/0x140
[   14.527720]  kunit_try_run_case+0x1a5/0x480
[   14.527934]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.528312]  kthread+0x337/0x6f0
[   14.528470]  ret_from_fork+0x116/0x1d0
[   14.528636]  ret_from_fork_asm+0x1a/0x30
[   14.528880] 
[   14.529032] The buggy address belongs to the object at ffff8881027ebc00
[   14.529032]  which belongs to the cache kmalloc-128 of size 128
[   14.529465] The buggy address is located 0 bytes inside of
[   14.529465]  freed 128-byte region [ffff8881027ebc00, ffff8881027ebc80)
[   14.529943] 
[   14.530039] The buggy address belongs to the physical page:
[   14.530244] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027eb
[   14.530516] flags: 0x200000000000000(node=0|zone=2)
[   14.530755] page_type: f5(slab)
[   14.530925] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.531344] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.531713] page dumped because: kasan: bad access detected
[   14.531950] 
[   14.532097] Memory state around the buggy address:
[   14.532309]  ffff8881027ebb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.532652]  ffff8881027ebb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.532875] >ffff8881027ebc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.533199]                    ^
[   14.533369]  ffff8881027ebc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.533578]  ffff8881027ebd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   14.534192] ==================================================================
[   14.565948] ==================================================================
[   14.566593] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.566935] Read of size 1 at addr ffff888103a66240 by task kunit_try_catch/248
[   14.567310] 
[   14.567434] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.567494] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.567506] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.567527] Call Trace:
[   14.567541]  <TASK>
[   14.567557]  dump_stack_lvl+0x73/0xb0
[   14.567602]  print_report+0xd1/0x610
[   14.567627]  ? __virt_addr_valid+0x1db/0x2d0
[   14.567653]  ? mempool_uaf_helper+0x392/0x400
[   14.567677]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.567703]  ? mempool_uaf_helper+0x392/0x400
[   14.567726]  kasan_report+0x141/0x180
[   14.567759]  ? mempool_uaf_helper+0x392/0x400
[   14.567788]  __asan_report_load1_noabort+0x18/0x20
[   14.567825]  mempool_uaf_helper+0x392/0x400
[   14.567850]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.567878]  ? finish_task_switch.isra.0+0x153/0x700
[   14.567917]  mempool_slab_uaf+0xea/0x140
[   14.567942]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   14.568055]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   14.568089]  ? __pfx_mempool_free_slab+0x10/0x10
[   14.568117]  ? __pfx_read_tsc+0x10/0x10
[   14.568141]  ? ktime_get_ts64+0x86/0x230
[   14.568168]  kunit_try_run_case+0x1a5/0x480
[   14.568196]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.568221]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.568248]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.568287]  ? __kthread_parkme+0x82/0x180
[   14.568310]  ? preempt_count_sub+0x50/0x80
[   14.568336]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.568362]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.568388]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.568415]  kthread+0x337/0x6f0
[   14.568436]  ? trace_preempt_on+0x20/0xc0
[   14.568462]  ? __pfx_kthread+0x10/0x10
[   14.568483]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.568507]  ? calculate_sigpending+0x7b/0xa0
[   14.568534]  ? __pfx_kthread+0x10/0x10
[   14.568557]  ret_from_fork+0x116/0x1d0
[   14.568577]  ? __pfx_kthread+0x10/0x10
[   14.568599]  ret_from_fork_asm+0x1a/0x30
[   14.568632]  </TASK>
[   14.568645] 
[   14.577917] Allocated by task 248:
[   14.578277]  kasan_save_stack+0x45/0x70
[   14.578509]  kasan_save_track+0x18/0x40
[   14.578659]  kasan_save_alloc_info+0x3b/0x50
[   14.578911]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   14.579136]  remove_element+0x11e/0x190
[   14.579427]  mempool_alloc_preallocated+0x4d/0x90
[   14.579647]  mempool_uaf_helper+0x96/0x400
[   14.579849]  mempool_slab_uaf+0xea/0x140
[   14.580044]  kunit_try_run_case+0x1a5/0x480
[   14.580194]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.580412]  kthread+0x337/0x6f0
[   14.580677]  ret_from_fork+0x116/0x1d0
[   14.580930]  ret_from_fork_asm+0x1a/0x30
[   14.581134] 
[   14.581350] Freed by task 248:
[   14.581514]  kasan_save_stack+0x45/0x70
[   14.581716]  kasan_save_track+0x18/0x40
[   14.581911]  kasan_save_free_info+0x3f/0x60
[   14.582238]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.582470]  mempool_free+0x2ec/0x380
[   14.582681]  mempool_uaf_helper+0x11a/0x400
[   14.582938]  mempool_slab_uaf+0xea/0x140
[   14.583401]  kunit_try_run_case+0x1a5/0x480
[   14.583580]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.583856]  kthread+0x337/0x6f0
[   14.584129]  ret_from_fork+0x116/0x1d0
[   14.584340]  ret_from_fork_asm+0x1a/0x30
[   14.584548] 
[   14.584649] The buggy address belongs to the object at ffff888103a66240
[   14.584649]  which belongs to the cache test_cache of size 123
[   14.585243] The buggy address is located 0 bytes inside of
[   14.585243]  freed 123-byte region [ffff888103a66240, ffff888103a662bb)
[   14.585732] 
[   14.585806] The buggy address belongs to the physical page:
[   14.585982] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103a66
[   14.586334] flags: 0x200000000000000(node=0|zone=2)
[   14.586768] page_type: f5(slab)
[   14.586907] raw: 0200000000000000 ffff888103a56500 dead000000000122 0000000000000000
[   14.587138] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   14.587763] page dumped because: kasan: bad access detected
[   14.588025] 
[   14.588121] Memory state around the buggy address:
[   14.588470]  ffff888103a66100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.588786]  ffff888103a66180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.589154] >ffff888103a66200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   14.589481]                                            ^
[   14.589720]  ffff888103a66280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.590097]  ffff888103a66300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.590415] ==================================================================