Date
July 9, 2025, 11:07 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```text
[ 18.582362] ==================================================================
[ 18.582435] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.584572] Read of size 1 at addr fff00000c6cff240 by task kunit_try_catch/231
[ 18.585953]
[ 18.586020] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 18.586132] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.586160] Hardware name: linux,dummy-virt (DT)
[ 18.586192] Call trace:
[ 18.586218]  show_stack+0x20/0x38 (C)
[ 18.586275]  dump_stack_lvl+0x8c/0xd0
[ 18.586324]  print_report+0x118/0x608
[ 18.586370]  kasan_report+0xdc/0x128
[ 18.586416]  __asan_report_load1_noabort+0x20/0x30
[ 18.586468]  mempool_uaf_helper+0x314/0x340
[ 18.586516]  mempool_slab_uaf+0xc0/0x118
[ 18.586561]  kunit_try_run_case+0x170/0x3f0
[ 18.587432]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.587489]  kthread+0x328/0x630
[ 18.589481]  ret_from_fork+0x10/0x20
[ 18.589584]
[ 18.589605] Allocated by task 231:
[ 18.589875]  kasan_save_stack+0x3c/0x68
[ 18.590195]  kasan_save_track+0x20/0x40
[ 18.590403]  kasan_save_alloc_info+0x40/0x58
[ 18.590449]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 18.590672]  remove_element+0x16c/0x1f8
[ 18.590834]  mempool_alloc_preallocated+0x58/0xc0
[ 18.591198]  mempool_uaf_helper+0xa4/0x340
[ 18.591291]  mempool_slab_uaf+0xc0/0x118
[ 18.591491]  kunit_try_run_case+0x170/0x3f0
[ 18.591625]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.591800]  kthread+0x328/0x630
[ 18.591915]  ret_from_fork+0x10/0x20
[ 18.591956]
[ 18.591976] Freed by task 231:
[ 18.592004]  kasan_save_stack+0x3c/0x68
[ 18.592367]  kasan_save_track+0x20/0x40
[ 18.592540]  kasan_save_free_info+0x4c/0x78
[ 18.592646]  __kasan_mempool_poison_object+0xc0/0x150
[ 18.592892]  mempool_free+0x28c/0x328
[ 18.593052]  mempool_uaf_helper+0x104/0x340
[ 18.593220]  mempool_slab_uaf+0xc0/0x118
[ 18.593277]  kunit_try_run_case+0x170/0x3f0
[ 18.593521]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.593973]  kthread+0x328/0x630
[ 18.594082]  ret_from_fork+0x10/0x20
[ 18.594209]
[ 18.594236] The buggy address belongs to the object at fff00000c6cff240
[ 18.594236]  which belongs to the cache test_cache of size 123
[ 18.594569] The buggy address is located 0 bytes inside of
[ 18.594569]  freed 123-byte region [fff00000c6cff240, fff00000c6cff2bb)
[ 18.594700]
[ 18.594724] The buggy address belongs to the physical page:
[ 18.594974] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106cff
[ 18.595189] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.595543] page_type: f5(slab)
[ 18.595634] raw: 0bfffe0000000000 fff00000c59bf280 dead000000000122 0000000000000000
[ 18.595695] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 18.595738] page dumped because: kasan: bad access detected
[ 18.595955]
[ 18.595978] Memory state around the buggy address:
[ 18.596019]  fff00000c6cff100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.596269]  fff00000c6cff180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.596502] >fff00000c6cff200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 18.596698]                                            ^
[ 18.596776]  fff00000c6cff280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.596927]  fff00000c6cff300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.596980] ==================================================================
[ 18.538101] ==================================================================
[ 18.538201] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.538277] Read of size 1 at addr fff00000c76af200 by task kunit_try_catch/227
[ 18.538329]
[ 18.538375] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 18.538468] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.538494] Hardware name: linux,dummy-virt (DT)
[ 18.538530] Call trace:
[ 18.538557]  show_stack+0x20/0x38 (C)
[ 18.538610]  dump_stack_lvl+0x8c/0xd0
[ 18.538663]  print_report+0x118/0x608
[ 18.538712]  kasan_report+0xdc/0x128
[ 18.538758]  __asan_report_load1_noabort+0x20/0x30
[ 18.538809]  mempool_uaf_helper+0x314/0x340
[ 18.538856]  mempool_kmalloc_uaf+0xc4/0x120
[ 18.538902]  kunit_try_run_case+0x170/0x3f0
[ 18.538953]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.539006]  kthread+0x328/0x630
[ 18.539050]  ret_from_fork+0x10/0x20
[ 18.539101]
[ 18.539131] Allocated by task 227:
[ 18.539162]  kasan_save_stack+0x3c/0x68
[ 18.539206]  kasan_save_track+0x20/0x40
[ 18.539246]  kasan_save_alloc_info+0x40/0x58
[ 18.539287]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 18.539331]  remove_element+0x130/0x1f8
[ 18.539371]  mempool_alloc_preallocated+0x58/0xc0
[ 18.539410]  mempool_uaf_helper+0xa4/0x340
[ 18.539448]  mempool_kmalloc_uaf+0xc4/0x120
[ 18.539486]  kunit_try_run_case+0x170/0x3f0
[ 18.539524]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.539568]  kthread+0x328/0x630
[ 18.539602]  ret_from_fork+0x10/0x20
[ 18.539639]
[ 18.539660] Freed by task 227:
[ 18.540068]  kasan_save_stack+0x3c/0x68
[ 18.540137]  kasan_save_track+0x20/0x40
[ 18.540176]  kasan_save_free_info+0x4c/0x78
[ 18.540217]  __kasan_mempool_poison_object+0xc0/0x150
[ 18.540259]  mempool_free+0x28c/0x328
[ 18.540294]  mempool_uaf_helper+0x104/0x340
[ 18.540333]  mempool_kmalloc_uaf+0xc4/0x120
[ 18.540371]  kunit_try_run_case+0x170/0x3f0
[ 18.540409]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.540453]  kthread+0x328/0x630
[ 18.540486]  ret_from_fork+0x10/0x20
[ 18.540524]
[ 18.540544] The buggy address belongs to the object at fff00000c76af200
[ 18.540544]  which belongs to the cache kmalloc-128 of size 128
[ 18.540605] The buggy address is located 0 bytes inside of
[ 18.540605]  freed 128-byte region [fff00000c76af200, fff00000c76af280)
[ 18.540666]
[ 18.540688] The buggy address belongs to the physical page:
[ 18.540723] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076af
[ 18.540778] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.540832] page_type: f5(slab)
[ 18.540875] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.540926] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.540967] page dumped because: kasan: bad access detected
[ 18.541001]
[ 18.541019] Memory state around the buggy address:
[ 18.541051]  fff00000c76af100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.541094]  fff00000c76af180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.541146] >fff00000c76af200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.541185]                    ^
[ 18.541213]  fff00000c76af280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.541254]  fff00000c76af300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 18.541293] ==================================================================
```
```text
[ 14.055195] ==================================================================
[ 14.055663] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.055988] Read of size 1 at addr ffff88810291d500 by task kunit_try_catch/244
[ 14.056311]
[ 14.056429] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.056471] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.056483] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.056504] Call Trace:
[ 14.056516]  <TASK>
[ 14.056532]  dump_stack_lvl+0x73/0xb0
[ 14.056561]  print_report+0xd1/0x650
[ 14.056582]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.056605]  ? mempool_uaf_helper+0x392/0x400
[ 14.056626]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.056648]  ? mempool_uaf_helper+0x392/0x400
[ 14.056670]  kasan_report+0x141/0x180
[ 14.056690]  ? mempool_uaf_helper+0x392/0x400
[ 14.056767]  __asan_report_load1_noabort+0x18/0x20
[ 14.056795]  mempool_uaf_helper+0x392/0x400
[ 14.056853]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.056878]  ? __kasan_check_write+0x18/0x20
[ 14.056898]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.056922]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.056949]  mempool_kmalloc_uaf+0xef/0x140
[ 14.056971]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 14.056996]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.057028]  ? __pfx_mempool_kfree+0x10/0x10
[ 14.057053]  ? __pfx_read_tsc+0x10/0x10
[ 14.057075]  ? ktime_get_ts64+0x86/0x230
[ 14.057100]  kunit_try_run_case+0x1a5/0x480
[ 14.057126]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.057149]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.057173]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.057197]  ? __kthread_parkme+0x82/0x180
[ 14.057217]  ? preempt_count_sub+0x50/0x80
[ 14.057241]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.057265]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.057290]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.057316]  kthread+0x337/0x6f0
[ 14.057334]  ? trace_preempt_on+0x20/0xc0
[ 14.057358]  ? __pfx_kthread+0x10/0x10
[ 14.057378]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.057400]  ? calculate_sigpending+0x7b/0xa0
[ 14.057424]  ? __pfx_kthread+0x10/0x10
[ 14.057445]  ret_from_fork+0x116/0x1d0
[ 14.057464]  ? __pfx_kthread+0x10/0x10
[ 14.057484]  ret_from_fork_asm+0x1a/0x30
[ 14.057516]  </TASK>
[ 14.057527]
[ 14.065823] Allocated by task 244:
[ 14.066006]  kasan_save_stack+0x45/0x70
[ 14.066298]  kasan_save_track+0x18/0x40
[ 14.066493]  kasan_save_alloc_info+0x3b/0x50
[ 14.066686]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 14.066939]  remove_element+0x11e/0x190
[ 14.067232]  mempool_alloc_preallocated+0x4d/0x90
[ 14.067459]  mempool_uaf_helper+0x96/0x400
[ 14.067671]  mempool_kmalloc_uaf+0xef/0x140
[ 14.067881]  kunit_try_run_case+0x1a5/0x480
[ 14.068206]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.068400]  kthread+0x337/0x6f0
[ 14.068519]  ret_from_fork+0x116/0x1d0
[ 14.068650]  ret_from_fork_asm+0x1a/0x30
[ 14.068885]
[ 14.068977] Freed by task 244:
[ 14.069212]  kasan_save_stack+0x45/0x70
[ 14.069409]  kasan_save_track+0x18/0x40
[ 14.069597]  kasan_save_free_info+0x3f/0x60
[ 14.069817]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.070147]  mempool_free+0x2ec/0x380
[ 14.070298]  mempool_uaf_helper+0x11a/0x400
[ 14.070469]  mempool_kmalloc_uaf+0xef/0x140
[ 14.070691]  kunit_try_run_case+0x1a5/0x480
[ 14.070915]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.071270]  kthread+0x337/0x6f0
[ 14.071426]  ret_from_fork+0x116/0x1d0
[ 14.071625]  ret_from_fork_asm+0x1a/0x30
[ 14.071827]
[ 14.071927] The buggy address belongs to the object at ffff88810291d500
[ 14.071927]  which belongs to the cache kmalloc-128 of size 128
[ 14.072573] The buggy address is located 0 bytes inside of
[ 14.072573]  freed 128-byte region [ffff88810291d500, ffff88810291d580)
[ 14.073164]
[ 14.073242] The buggy address belongs to the physical page:
[ 14.073415] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10291d
[ 14.073795] flags: 0x200000000000000(node=0|zone=2)
[ 14.074109] page_type: f5(slab)
[ 14.074280] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.074547] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.074797] page dumped because: kasan: bad access detected
[ 14.075125]
[ 14.075233] Memory state around the buggy address:
[ 14.075469]  ffff88810291d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.075796]  ffff88810291d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.076101] >ffff88810291d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.076465]                    ^
[ 14.076632]  ffff88810291d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.076952]  ffff88810291d600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 14.077346] ==================================================================
[ 14.110671] ==================================================================
[ 14.111661] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.112517] Read of size 1 at addr ffff8881038e3240 by task kunit_try_catch/248
[ 14.112968]
[ 14.113066] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.113126] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.113138] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.113159] Call Trace:
[ 14.113171]  <TASK>
[ 14.113188]  dump_stack_lvl+0x73/0xb0
[ 14.113217]  print_report+0xd1/0x650
[ 14.113240]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.113275]  ? mempool_uaf_helper+0x392/0x400
[ 14.113299]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.113323]  ? mempool_uaf_helper+0x392/0x400
[ 14.113357]  kasan_report+0x141/0x180
[ 14.113379]  ? mempool_uaf_helper+0x392/0x400
[ 14.113408]  __asan_report_load1_noabort+0x18/0x20
[ 14.113434]  mempool_uaf_helper+0x392/0x400
[ 14.113457]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.113493]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.113515]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.113552]  mempool_slab_uaf+0xea/0x140
[ 14.113576]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 14.113602]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 14.113628]  ? __pfx_mempool_free_slab+0x10/0x10
[ 14.113655]  ? __pfx_read_tsc+0x10/0x10
[ 14.113677]  ? ktime_get_ts64+0x86/0x230
[ 14.113710]  kunit_try_run_case+0x1a5/0x480
[ 14.113734]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.113757]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.113781]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.113805]  ? __kthread_parkme+0x82/0x180
[ 14.113826]  ? preempt_count_sub+0x50/0x80
[ 14.113849]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.113874]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.113898]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.113923]  kthread+0x337/0x6f0
[ 14.113942]  ? trace_preempt_on+0x20/0xc0
[ 14.113965]  ? __pfx_kthread+0x10/0x10
[ 14.113986]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.114008]  ? calculate_sigpending+0x7b/0xa0
[ 14.114054]  ? __pfx_kthread+0x10/0x10
[ 14.114076]  ret_from_fork+0x116/0x1d0
[ 14.114112]  ? __pfx_kthread+0x10/0x10
[ 14.114133]  ret_from_fork_asm+0x1a/0x30
[ 14.114164]  </TASK>
[ 14.114174]
[ 14.128883] Allocated by task 248:
[ 14.129498]  kasan_save_stack+0x45/0x70
[ 14.129910]  kasan_save_track+0x18/0x40
[ 14.130358]  kasan_save_alloc_info+0x3b/0x50
[ 14.130831]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 14.131371]  remove_element+0x11e/0x190
[ 14.131827]  mempool_alloc_preallocated+0x4d/0x90
[ 14.132303]  mempool_uaf_helper+0x96/0x400
[ 14.132669]  mempool_slab_uaf+0xea/0x140
[ 14.132953]  kunit_try_run_case+0x1a5/0x480
[ 14.133284]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.133810]  kthread+0x337/0x6f0
[ 14.133943]  ret_from_fork+0x116/0x1d0
[ 14.134270]  ret_from_fork_asm+0x1a/0x30
[ 14.134676]
[ 14.134849] Freed by task 248:
[ 14.135194]  kasan_save_stack+0x45/0x70
[ 14.135639]  kasan_save_track+0x18/0x40
[ 14.136026]  kasan_save_free_info+0x3f/0x60
[ 14.136359]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.136532]  mempool_free+0x2ec/0x380
[ 14.136664]  mempool_uaf_helper+0x11a/0x400
[ 14.136817]  mempool_slab_uaf+0xea/0x140
[ 14.136956]  kunit_try_run_case+0x1a5/0x480
[ 14.137313]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.137550]  kthread+0x337/0x6f0
[ 14.137671]  ret_from_fork+0x116/0x1d0
[ 14.137819]  ret_from_fork_asm+0x1a/0x30
[ 14.137958]
[ 14.138029] The buggy address belongs to the object at ffff8881038e3240
[ 14.138029]  which belongs to the cache test_cache of size 123
[ 14.139268] The buggy address is located 0 bytes inside of
[ 14.139268]  freed 123-byte region [ffff8881038e3240, ffff8881038e32bb)
[ 14.140607]
[ 14.140795] The buggy address belongs to the physical page:
[ 14.141385] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038e3
[ 14.142054] flags: 0x200000000000000(node=0|zone=2)
[ 14.142354] page_type: f5(slab)
[ 14.142727] raw: 0200000000000000 ffff888101dbddc0 dead000000000122 0000000000000000
[ 14.143198] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 14.144491] page dumped because: kasan: bad access detected
[ 14.144679]
[ 14.144767] Memory state around the buggy address:
[ 14.144926]  ffff8881038e3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.145154]  ffff8881038e3180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.145370] >ffff8881038e3200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 14.145587]                                            ^
[ 14.146767]  ffff8881038e3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.147003]  ffff8881038e3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.147816] ==================================================================
```