Date: July 8, 2025, 11:09 p.m.
Environment: qemu-arm64

[ 21.250290] ==================================================================
[ 21.250420] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.250479] Read of size 1 at addr fff00000c7706600 by task kunit_try_catch/227
[ 21.250530]
[ 21.250563] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 21.250645] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.250670] Hardware name: linux,dummy-virt (DT)
[ 21.250702] Call trace:
[ 21.250726] show_stack+0x20/0x38 (C)
[ 21.250780] dump_stack_lvl+0x8c/0xd0
[ 21.251000] print_report+0x118/0x608
[ 21.251095] kasan_report+0xdc/0x128
[ 21.251353] __asan_report_load1_noabort+0x20/0x30
[ 21.251555] mempool_uaf_helper+0x314/0x340
[ 21.251603] mempool_kmalloc_uaf+0xc4/0x120
[ 21.251652] kunit_try_run_case+0x170/0x3f0
[ 21.251802] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.252062] kthread+0x328/0x630
[ 21.252135] ret_from_fork+0x10/0x20
[ 21.252216]
[ 21.252236] Allocated by task 227:
[ 21.252265] kasan_save_stack+0x3c/0x68
[ 21.252306] kasan_save_track+0x20/0x40
[ 21.252344] kasan_save_alloc_info+0x40/0x58
[ 21.252629] __kasan_mempool_unpoison_object+0x11c/0x180
[ 21.252675] remove_element+0x130/0x1f8
[ 21.252721] mempool_alloc_preallocated+0x58/0xc0
[ 21.252813] mempool_uaf_helper+0xa4/0x340
[ 21.252974] mempool_kmalloc_uaf+0xc4/0x120
[ 21.253028] kunit_try_run_case+0x170/0x3f0
[ 21.253136] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.253225] kthread+0x328/0x630
[ 21.253257] ret_from_fork+0x10/0x20
[ 21.253294]
[ 21.253313] Freed by task 227:
[ 21.253339] kasan_save_stack+0x3c/0x68
[ 21.253384] kasan_save_track+0x20/0x40
[ 21.253546] kasan_save_free_info+0x4c/0x78
[ 21.253735] __kasan_mempool_poison_object+0xc0/0x150
[ 21.253842] mempool_free+0x28c/0x328
[ 21.253876] mempool_uaf_helper+0x104/0x340
[ 21.253913] mempool_kmalloc_uaf+0xc4/0x120
[ 21.253950] kunit_try_run_case+0x170/0x3f0
[ 21.253988] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.254031] kthread+0x328/0x630
[ 21.254064] ret_from_fork+0x10/0x20
[ 21.254102]
[ 21.254122] The buggy address belongs to the object at fff00000c7706600
[ 21.254122] which belongs to the cache kmalloc-128 of size 128
[ 21.254190] The buggy address is located 0 bytes inside of
[ 21.254190] freed 128-byte region [fff00000c7706600, fff00000c7706680)
[ 21.254253]
[ 21.254272] The buggy address belongs to the physical page:
[ 21.254304] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107706
[ 21.254356] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.257859] page_type: f5(slab)
[ 21.257920] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 21.257972] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.258013] page dumped because: kasan: bad access detected
[ 21.258045]
[ 21.258063] Memory state around the buggy address:
[ 21.258420] fff00000c7706500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.258471] fff00000c7706580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.258542] >fff00000c7706600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.258582] ^
[ 21.258612] fff00000c7706680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.258745] fff00000c7706700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.258787] ==================================================================
[ 21.288149] ==================================================================
[ 21.288232] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 21.288292] Read of size 1 at addr fff00000c63d1240 by task kunit_try_catch/231
[ 21.288343]
[ 21.288381] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 21.288555] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.288582] Hardware name: linux,dummy-virt (DT)
[ 21.288672] Call trace:
[ 21.288780] show_stack+0x20/0x38 (C)
[ 21.288831] dump_stack_lvl+0x8c/0xd0
[ 21.288924] print_report+0x118/0x608
[ 21.288988] kasan_report+0xdc/0x128
[ 21.289126] __asan_report_load1_noabort+0x20/0x30
[ 21.289299] mempool_uaf_helper+0x314/0x340
[ 21.289345] mempool_slab_uaf+0xc0/0x118
[ 21.289434] kunit_try_run_case+0x170/0x3f0
[ 21.289484] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.289567] kthread+0x328/0x630
[ 21.289609] ret_from_fork+0x10/0x20
[ 21.289715]
[ 21.289793] Allocated by task 231:
[ 21.289846] kasan_save_stack+0x3c/0x68
[ 21.289948] kasan_save_track+0x20/0x40
[ 21.290018] kasan_save_alloc_info+0x40/0x58
[ 21.290059] __kasan_mempool_unpoison_object+0xbc/0x180
[ 21.290141] remove_element+0x16c/0x1f8
[ 21.290199] mempool_alloc_preallocated+0x58/0xc0
[ 21.290238] mempool_uaf_helper+0xa4/0x340
[ 21.290275] mempool_slab_uaf+0xc0/0x118
[ 21.290312] kunit_try_run_case+0x170/0x3f0
[ 21.290349] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.290394] kthread+0x328/0x630
[ 21.290425] ret_from_fork+0x10/0x20
[ 21.290460]
[ 21.290480] Freed by task 231:
[ 21.290532] kasan_save_stack+0x3c/0x68
[ 21.290569] kasan_save_track+0x20/0x40
[ 21.290606] kasan_save_free_info+0x4c/0x78
[ 21.290645] __kasan_mempool_poison_object+0xc0/0x150
[ 21.290687] mempool_free+0x28c/0x328
[ 21.290722] mempool_uaf_helper+0x104/0x340
[ 21.290758] mempool_slab_uaf+0xc0/0x118
[ 21.290809] kunit_try_run_case+0x170/0x3f0
[ 21.290900] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.290946] kthread+0x328/0x630
[ 21.291254] ret_from_fork+0x10/0x20
[ 21.291296]
[ 21.291322] The buggy address belongs to the object at fff00000c63d1240
[ 21.291322] which belongs to the cache test_cache of size 123
[ 21.291389] The buggy address is located 0 bytes inside of
[ 21.291389] freed 123-byte region [fff00000c63d1240, fff00000c63d12bb)
[ 21.291596]
[ 21.291653] The buggy address belongs to the physical page:
[ 21.291692] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063d1
[ 21.291822] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.292100] page_type: f5(slab)
[ 21.292184] raw: 0bfffe0000000000 fff00000c1757c80 dead000000000122 0000000000000000
[ 21.292300] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 21.292360] page dumped because: kasan: bad access detected
[ 21.292392]
[ 21.292449] Memory state around the buggy address:
[ 21.292489] fff00000c63d1100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.292638] fff00000c63d1180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.292681] >fff00000c63d1200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 21.292720] ^
[ 21.292755] fff00000c63d1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.292821] fff00000c63d1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.292859] ==================================================================

Environment: qemu-x86_64

[ 14.130260] ==================================================================
[ 14.130948] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.131372] Read of size 1 at addr ffff888102b9f240 by task kunit_try_catch/249
[ 14.131738]
[ 14.131840] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.131908] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.131920] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.131944] Call Trace:
[ 14.131956] <TASK>
[ 14.132150] dump_stack_lvl+0x73/0xb0
[ 14.132189] print_report+0xd1/0x650
[ 14.132213] ? __virt_addr_valid+0x1db/0x2d0
[ 14.132239] ? mempool_uaf_helper+0x392/0x400
[ 14.132260] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.132284] ? mempool_uaf_helper+0x392/0x400
[ 14.132308] kasan_report+0x141/0x180
[ 14.132333] ? mempool_uaf_helper+0x392/0x400
[ 14.132363] __asan_report_load1_noabort+0x18/0x20
[ 14.132388] mempool_uaf_helper+0x392/0x400
[ 14.132411] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.132444] mempool_slab_uaf+0xea/0x140
[ 14.132466] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 14.132490] ? schedule+0x7c/0x2e0
[ 14.132627] ? __pfx_mempool_alloc_slab+0x10/0x10
[ 14.132659] ? __pfx_mempool_free_slab+0x10/0x10
[ 14.132685] ? __pfx_read_tsc+0x10/0x10
[ 14.132707] ? ktime_get_ts64+0x86/0x230
[ 14.132733] kunit_try_run_case+0x1a5/0x480
[ 14.132759] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.132782] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.132807] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.132831] ? __kthread_parkme+0x82/0x180
[ 14.132853] ? preempt_count_sub+0x50/0x80
[ 14.132878] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.132903] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.132986] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.133015] kthread+0x337/0x6f0
[ 14.133034] ? trace_preempt_on+0x20/0xc0
[ 14.133059] ? __pfx_kthread+0x10/0x10
[ 14.133079] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.133101] ? calculate_sigpending+0x7b/0xa0
[ 14.133125] ? __pfx_kthread+0x10/0x10
[ 14.133149] ret_from_fork+0x116/0x1d0
[ 14.133171] ? __pfx_kthread+0x10/0x10
[ 14.133193] ret_from_fork_asm+0x1a/0x30
[ 14.133225] </TASK>
[ 14.133237]
[ 14.142118] Allocated by task 249:
[ 14.142348] kasan_save_stack+0x45/0x70
[ 14.142550] kasan_save_track+0x18/0x40
[ 14.142741] kasan_save_alloc_info+0x3b/0x50
[ 14.142933] __kasan_mempool_unpoison_object+0x1bb/0x200
[ 14.143282] remove_element+0x11e/0x190
[ 14.143487] mempool_alloc_preallocated+0x4d/0x90
[ 14.143652] mempool_uaf_helper+0x96/0x400
[ 14.143874] mempool_slab_uaf+0xea/0x140
[ 14.144321] kunit_try_run_case+0x1a5/0x480
[ 14.144638] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.144868] kthread+0x337/0x6f0
[ 14.145130] ret_from_fork+0x116/0x1d0
[ 14.145289] ret_from_fork_asm+0x1a/0x30
[ 14.145724]
[ 14.145853] Freed by task 249:
[ 14.146017] kasan_save_stack+0x45/0x70
[ 14.146242] kasan_save_track+0x18/0x40
[ 14.146437] kasan_save_free_info+0x3f/0x60
[ 14.146658] __kasan_mempool_poison_object+0x131/0x1d0
[ 14.147042] mempool_free+0x2ec/0x380
[ 14.147302] mempool_uaf_helper+0x11a/0x400
[ 14.147458] mempool_slab_uaf+0xea/0x140
[ 14.147826] kunit_try_run_case+0x1a5/0x480
[ 14.148123] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.148362] kthread+0x337/0x6f0
[ 14.148548] ret_from_fork+0x116/0x1d0
[ 14.148769] ret_from_fork_asm+0x1a/0x30
[ 14.148970]
[ 14.149063] The buggy address belongs to the object at ffff888102b9f240
[ 14.149063] which belongs to the cache test_cache of size 123
[ 14.149594] The buggy address is located 0 bytes inside of
[ 14.149594] freed 123-byte region [ffff888102b9f240, ffff888102b9f2bb)
[ 14.149952]
[ 14.150238] The buggy address belongs to the physical page:
[ 14.150562] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b9f
[ 14.151067] flags: 0x200000000000000(node=0|zone=2)
[ 14.151364] page_type: f5(slab)
[ 14.151508] raw: 0200000000000000 ffff888102b91500 dead000000000122 0000000000000000
[ 14.151871] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 14.152252] page dumped because: kasan: bad access detected
[ 14.152485]
[ 14.152649] Memory state around the buggy address:
[ 14.152804] ffff888102b9f100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.153085] ffff888102b9f180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.153632] >ffff888102b9f200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 14.153943] ^
[ 14.154212] ffff888102b9f280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.154738] ffff888102b9f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.154959] ==================================================================
[ 14.061046] ==================================================================
[ 14.061499] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.062230] Read of size 1 at addr ffff888102675700 by task kunit_try_catch/245
[ 14.063060]
[ 14.063423] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.063475] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.063487] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.063522] Call Trace:
[ 14.063536] <TASK>
[ 14.063553] dump_stack_lvl+0x73/0xb0
[ 14.063633] print_report+0xd1/0x650
[ 14.063658] ? __virt_addr_valid+0x1db/0x2d0
[ 14.063683] ? mempool_uaf_helper+0x392/0x400
[ 14.063706] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.063729] ? mempool_uaf_helper+0x392/0x400
[ 14.063752] kasan_report+0x141/0x180
[ 14.063774] ? mempool_uaf_helper+0x392/0x400
[ 14.063801] __asan_report_load1_noabort+0x18/0x20
[ 14.063826] mempool_uaf_helper+0x392/0x400
[ 14.063848] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.063873] ? __kasan_check_write+0x18/0x20
[ 14.063893] ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.063917] ? finish_task_switch.isra.0+0x153/0x700
[ 14.064072] mempool_kmalloc_uaf+0xef/0x140
[ 14.064098] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 14.064125] ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.064149] ? __pfx_mempool_kfree+0x10/0x10
[ 14.064175] ? __pfx_read_tsc+0x10/0x10
[ 14.064197] ? ktime_get_ts64+0x86/0x230
[ 14.064222] kunit_try_run_case+0x1a5/0x480
[ 14.064247] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.064270] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.064296] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.064321] ? __kthread_parkme+0x82/0x180
[ 14.064342] ? preempt_count_sub+0x50/0x80
[ 14.064365] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.064390] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.064414] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.064438] kthread+0x337/0x6f0
[ 14.064457] ? trace_preempt_on+0x20/0xc0
[ 14.064482] ? __pfx_kthread+0x10/0x10
[ 14.064515] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.064539] ? calculate_sigpending+0x7b/0xa0
[ 14.064564] ? __pfx_kthread+0x10/0x10
[ 14.064586] ret_from_fork+0x116/0x1d0
[ 14.064614] ? __pfx_kthread+0x10/0x10
[ 14.064634] ret_from_fork_asm+0x1a/0x30
[ 14.064667] </TASK>
[ 14.064678]
[ 14.077740] Allocated by task 245:
[ 14.078216] kasan_save_stack+0x45/0x70
[ 14.078428] kasan_save_track+0x18/0x40
[ 14.078581] kasan_save_alloc_info+0x3b/0x50
[ 14.079097] __kasan_mempool_unpoison_object+0x1a9/0x200
[ 14.079453] remove_element+0x11e/0x190
[ 14.079782] mempool_alloc_preallocated+0x4d/0x90
[ 14.079997] mempool_uaf_helper+0x96/0x400
[ 14.080337] mempool_kmalloc_uaf+0xef/0x140
[ 14.080544] kunit_try_run_case+0x1a5/0x480
[ 14.081152] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.081403] kthread+0x337/0x6f0
[ 14.081770] ret_from_fork+0x116/0x1d0
[ 14.082103] ret_from_fork_asm+0x1a/0x30
[ 14.082397]
[ 14.082501] Freed by task 245:
[ 14.082667] kasan_save_stack+0x45/0x70
[ 14.083091] kasan_save_track+0x18/0x40
[ 14.083293] kasan_save_free_info+0x3f/0x60
[ 14.083493] __kasan_mempool_poison_object+0x131/0x1d0
[ 14.083741] mempool_free+0x2ec/0x380
[ 14.083921] mempool_uaf_helper+0x11a/0x400
[ 14.084114] mempool_kmalloc_uaf+0xef/0x140
[ 14.084304] kunit_try_run_case+0x1a5/0x480
[ 14.085034] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.085299] kthread+0x337/0x6f0
[ 14.085427] ret_from_fork+0x116/0x1d0
[ 14.085567] ret_from_fork_asm+0x1a/0x30
[ 14.086305]
[ 14.086782] The buggy address belongs to the object at ffff888102675700
[ 14.086782] which belongs to the cache kmalloc-128 of size 128
[ 14.088473] The buggy address is located 0 bytes inside of
[ 14.088473] freed 128-byte region [ffff888102675700, ffff888102675780)
[ 14.089764]
[ 14.089847] The buggy address belongs to the physical page:
[ 14.090468] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102675
[ 14.091458] flags: 0x200000000000000(node=0|zone=2)
[ 14.091739] page_type: f5(slab)
[ 14.091883] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.092659] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.093563] page dumped because: kasan: bad access detected
[ 14.093760]
[ 14.093830] Memory state around the buggy address:
[ 14.094176] ffff888102675600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.094958] ffff888102675680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.095766] >ffff888102675700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.096684] ^
[ 14.096940] ffff888102675780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.097424] ffff888102675800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 14.097692] ==================================================================