Date
July 17, 2025, 11:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.666609] ================================================================== [ 18.666680] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.667221] Read of size 1 at addr fff00000c656a600 by task kunit_try_catch/227 [ 18.667440] [ 18.667527] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.667666] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.667693] Hardware name: linux,dummy-virt (DT) [ 18.667839] Call trace: [ 18.668131] show_stack+0x20/0x38 (C) [ 18.668326] dump_stack_lvl+0x8c/0xd0 [ 18.668516] print_report+0x118/0x5d0 [ 18.668884] kasan_report+0xdc/0x128 [ 18.668971] __asan_report_load1_noabort+0x20/0x30 [ 18.669157] mempool_uaf_helper+0x314/0x340 [ 18.669349] mempool_kmalloc_uaf+0xc4/0x120 [ 18.669399] kunit_try_run_case+0x170/0x3f0 [ 18.669482] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.669537] kthread+0x328/0x630 [ 18.669580] ret_from_fork+0x10/0x20 [ 18.669860] [ 18.670244] Allocated by task 227: [ 18.670307] kasan_save_stack+0x3c/0x68 [ 18.670355] kasan_save_track+0x20/0x40 [ 18.670412] kasan_save_alloc_info+0x40/0x58 [ 18.670453] __kasan_mempool_unpoison_object+0x11c/0x180 [ 18.670505] remove_element+0x130/0x1f8 [ 18.670554] mempool_alloc_preallocated+0x58/0xc0 [ 18.670603] mempool_uaf_helper+0xa4/0x340 [ 18.670654] mempool_kmalloc_uaf+0xc4/0x120 [ 18.670708] kunit_try_run_case+0x170/0x3f0 [ 18.670745] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.670788] kthread+0x328/0x630 [ 18.670821] ret_from_fork+0x10/0x20 [ 18.670857] [ 18.670899] Freed by task 227: [ 18.670934] kasan_save_stack+0x3c/0x68 [ 18.670970] kasan_save_track+0x20/0x40 [ 18.671014] kasan_save_free_info+0x4c/0x78 [ 18.671076] __kasan_mempool_poison_object+0xc0/0x150 [ 18.671126] mempool_free+0x28c/0x328 [ 18.671159] mempool_uaf_helper+0x104/0x340 [ 18.671197] mempool_kmalloc_uaf+0xc4/0x120 [ 18.671237] kunit_try_run_case+0x170/0x3f0 [ 18.671289] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.671342] kthread+0x328/0x630 [ 18.671373] ret_from_fork+0x10/0x20 [ 18.671420] [ 18.671439] The buggy address belongs to the object at fff00000c656a600 [ 18.671439] which belongs to the cache kmalloc-128 of size 128 [ 18.671507] The buggy address is located 0 bytes inside of [ 18.671507] freed 128-byte region [fff00000c656a600, fff00000c656a680) [ 18.671566] [ 18.671597] The buggy address belongs to the physical page: [ 18.671628] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10656a [ 18.671691] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.671750] page_type: f5(slab) [ 18.672140] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.672297] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.672906] page dumped because: kasan: bad access detected [ 18.672975] [ 18.673030] Memory state around the buggy address: [ 18.673129] fff00000c656a500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.673288] fff00000c656a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.673435] >fff00000c656a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.673600] ^ [ 18.673940] fff00000c656a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.673996] fff00000c656a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 18.674117] ================================================================== [ 18.700524] ================================================================== [ 18.700886] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.700962] Read of size 1 at addr fff00000c78e2240 by task kunit_try_catch/231 [ 18.701052] [ 18.701092] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.701428] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.701473] Hardware name: linux,dummy-virt (DT) [ 18.701527] Call trace: [ 18.701553] show_stack+0x20/0x38 (C) [ 18.701775] dump_stack_lvl+0x8c/0xd0 [ 18.702180] print_report+0x118/0x5d0 [ 18.702250] kasan_report+0xdc/0x128 [ 18.702588] __asan_report_load1_noabort+0x20/0x30 [ 18.702710] mempool_uaf_helper+0x314/0x340 [ 18.702841] mempool_slab_uaf+0xc0/0x118 [ 18.702903] kunit_try_run_case+0x170/0x3f0 [ 18.703174] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.703263] kthread+0x328/0x630 [ 18.703307] ret_from_fork+0x10/0x20 [ 18.703356] [ 18.703423] Allocated by task 231: [ 18.703455] kasan_save_stack+0x3c/0x68 [ 18.703496] kasan_save_track+0x20/0x40 [ 18.703534] kasan_save_alloc_info+0x40/0x58 [ 18.703574] __kasan_mempool_unpoison_object+0xbc/0x180 [ 18.703617] remove_element+0x16c/0x1f8 [ 18.703654] mempool_alloc_preallocated+0x58/0xc0 [ 18.703693] mempool_uaf_helper+0xa4/0x340 [ 18.703729] mempool_slab_uaf+0xc0/0x118 [ 18.704261] kunit_try_run_case+0x170/0x3f0 [ 18.704302] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.704345] kthread+0x328/0x630 [ 18.704385] ret_from_fork+0x10/0x20 [ 18.704421] [ 18.704675] Freed by task 231: [ 18.704745] kasan_save_stack+0x3c/0x68 [ 18.704935] kasan_save_track+0x20/0x40 [ 18.705210] kasan_save_free_info+0x4c/0x78 [ 18.705320] __kasan_mempool_poison_object+0xc0/0x150 [ 18.705383] mempool_free+0x28c/0x328 [ 18.705528] mempool_uaf_helper+0x104/0x340 [ 18.705614] mempool_slab_uaf+0xc0/0x118 [ 18.706135] kunit_try_run_case+0x170/0x3f0 [ 18.706205] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.706528] kthread+0x328/0x630 [ 18.706592] ret_from_fork+0x10/0x20 [ 18.706696] [ 18.706787] The buggy address belongs to the object at fff00000c78e2240 [ 18.706787] which belongs to the cache test_cache of size 123 [ 18.706946] The buggy address is located 0 bytes inside of [ 18.706946] freed 123-byte region [fff00000c78e2240, fff00000c78e22bb) [ 18.707618] [ 18.707815] The buggy address belongs to the physical page: [ 18.707879] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e2 [ 18.708080] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.708139] page_type: f5(slab) [ 18.708180] raw: 0bfffe0000000000 fff00000c5875780 dead000000000122 0000000000000000 [ 18.708239] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 18.708280] page dumped because: kasan: bad access detected [ 18.708312] [ 18.708332] Memory state around the buggy address: [ 18.708365] fff00000c78e2100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.708407] fff00000c78e2180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.708449] >fff00000c78e2200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 18.708486] ^ [ 18.708521] fff00000c78e2280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.708560] fff00000c78e2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.708597] ==================================================================
[ 13.892657] ================================================================== [ 13.893823] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.894148] Read of size 1 at addr ffff888102f56240 by task kunit_try_catch/248 [ 13.894375] [ 13.894472] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.894520] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.894532] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.894555] Call Trace: [ 13.894600] <TASK> [ 13.894619] dump_stack_lvl+0x73/0xb0 [ 13.894652] print_report+0xd1/0x610 [ 13.894675] ? __virt_addr_valid+0x1db/0x2d0 [ 13.894701] ? mempool_uaf_helper+0x392/0x400 [ 13.894723] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.894746] ? mempool_uaf_helper+0x392/0x400 [ 13.894768] kasan_report+0x141/0x180 [ 13.894809] ? mempool_uaf_helper+0x392/0x400 [ 13.894837] __asan_report_load1_noabort+0x18/0x20 [ 13.894862] mempool_uaf_helper+0x392/0x400 [ 13.894884] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.894910] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.894933] ? finish_task_switch.isra.0+0x153/0x700 [ 13.894961] mempool_slab_uaf+0xea/0x140 [ 13.894984] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.895010] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.895035] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.895070] ? __pfx_read_tsc+0x10/0x10 [ 13.895092] ? ktime_get_ts64+0x86/0x230 [ 13.895118] kunit_try_run_case+0x1a5/0x480 [ 13.895145] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.895166] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.895192] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.895215] ? __kthread_parkme+0x82/0x180 [ 13.895237] ? preempt_count_sub+0x50/0x80 [ 13.895260] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.895283] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.895307] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.895331] kthread+0x337/0x6f0 [ 13.895349] ? trace_preempt_on+0x20/0xc0 [ 13.895373] ? __pfx_kthread+0x10/0x10 [ 13.895393] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.895414] ? calculate_sigpending+0x7b/0xa0 [ 13.895439] ? __pfx_kthread+0x10/0x10 [ 13.895459] ret_from_fork+0x116/0x1d0 [ 13.895479] ? __pfx_kthread+0x10/0x10 [ 13.895498] ret_from_fork_asm+0x1a/0x30 [ 13.895532] </TASK> [ 13.895542] [ 13.909210] Allocated by task 248: [ 13.909344] kasan_save_stack+0x45/0x70 [ 13.909500] kasan_save_track+0x18/0x40 [ 13.909751] kasan_save_alloc_info+0x3b/0x50 [ 13.910241] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.910753] remove_element+0x11e/0x190 [ 13.911200] mempool_alloc_preallocated+0x4d/0x90 [ 13.911651] mempool_uaf_helper+0x96/0x400 [ 13.912085] mempool_slab_uaf+0xea/0x140 [ 13.912252] kunit_try_run_case+0x1a5/0x480 [ 13.912401] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.912579] kthread+0x337/0x6f0 [ 13.912961] ret_from_fork+0x116/0x1d0 [ 13.913314] ret_from_fork_asm+0x1a/0x30 [ 13.913737] [ 13.913964] Freed by task 248: [ 13.914277] kasan_save_stack+0x45/0x70 [ 13.914636] kasan_save_track+0x18/0x40 [ 13.914824] kasan_save_free_info+0x3f/0x60 [ 13.914974] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.915156] mempool_free+0x2ec/0x380 [ 13.915291] mempool_uaf_helper+0x11a/0x400 [ 13.915461] mempool_slab_uaf+0xea/0x140 [ 13.915672] kunit_try_run_case+0x1a5/0x480 [ 13.916167] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.916381] kthread+0x337/0x6f0 [ 13.916557] ret_from_fork+0x116/0x1d0 [ 13.916792] ret_from_fork_asm+0x1a/0x30 [ 13.917024] [ 13.917136] The buggy address belongs to the object at ffff888102f56240 [ 13.917136] which belongs to the cache test_cache of size 123 [ 13.917677] The buggy address is located 0 bytes inside of [ 13.917677] freed 123-byte region [ffff888102f56240, ffff888102f562bb) [ 13.918069] [ 13.918186] The buggy address belongs to the physical page: [ 13.918445] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f56 [ 13.919011] flags: 0x200000000000000(node=0|zone=2) [ 13.919276] page_type: f5(slab) [ 13.919404] raw: 0200000000000000 ffff888101a30a00 dead000000000122 0000000000000000 [ 13.919922] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 13.920229] page dumped because: kasan: bad access detected [ 13.920431] [ 13.920524] Memory state around the buggy address: [ 13.920753] ffff888102f56100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.921101] ffff888102f56180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.921434] >ffff888102f56200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.921714] ^ [ 13.921884] ffff888102f56280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.922382] ffff888102f56300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.922632] ================================================================== [ 13.807104] ================================================================== [ 13.808864] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.809922] Read of size 1 at addr ffff8881026a6f00 by task kunit_try_catch/244 [ 13.810205] [ 13.810312] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.810362] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.810374] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.810399] Call Trace: [ 13.810415] <TASK> [ 13.810437] dump_stack_lvl+0x73/0xb0 [ 13.810473] print_report+0xd1/0x610 [ 13.810498] ? __virt_addr_valid+0x1db/0x2d0 [ 13.810523] ? mempool_uaf_helper+0x392/0x400 [ 13.810544] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.810567] ? mempool_uaf_helper+0x392/0x400 [ 13.810600] kasan_report+0x141/0x180 [ 13.810621] ? mempool_uaf_helper+0x392/0x400 [ 13.810649] __asan_report_load1_noabort+0x18/0x20 [ 13.810673] mempool_uaf_helper+0x392/0x400 [ 13.810695] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.810718] ? kasan_save_track+0x18/0x40 [ 13.810737] ? kasan_save_alloc_info+0x3b/0x50 [ 13.810759] ? kasan_save_stack+0x45/0x70 [ 13.810783] mempool_kmalloc_uaf+0xef/0x140 [ 13.810805] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 13.810830] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.810855] ? __pfx_mempool_kfree+0x10/0x10 [ 13.810879] ? __pfx_read_tsc+0x10/0x10 [ 13.810901] ? ktime_get_ts64+0x86/0x230 [ 13.810926] kunit_try_run_case+0x1a5/0x480 [ 13.810952] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.810974] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.811000] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.811023] ? __kthread_parkme+0x82/0x180 [ 13.811044] ? preempt_count_sub+0x50/0x80 [ 13.811300] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.811327] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.811351] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.811374] kthread+0x337/0x6f0 [ 13.811394] ? trace_preempt_on+0x20/0xc0 [ 13.811704] ? __pfx_kthread+0x10/0x10 [ 13.811730] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.811769] ? calculate_sigpending+0x7b/0xa0 [ 13.811795] ? __pfx_kthread+0x10/0x10 [ 13.811818] ret_from_fork+0x116/0x1d0 [ 13.811839] ? __pfx_kthread+0x10/0x10 [ 13.811859] ret_from_fork_asm+0x1a/0x30 [ 13.811892] </TASK> [ 13.811903] [ 13.834234] Allocated by task 244: [ 13.834928] kasan_save_stack+0x45/0x70 [ 13.835479] kasan_save_track+0x18/0x40 [ 13.835997] kasan_save_alloc_info+0x3b/0x50 [ 13.836584] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.836993] remove_element+0x11e/0x190 [ 13.837526] mempool_alloc_preallocated+0x4d/0x90 [ 13.838149] mempool_uaf_helper+0x96/0x400 [ 13.838557] mempool_kmalloc_uaf+0xef/0x140 [ 13.839189] kunit_try_run_case+0x1a5/0x480 [ 13.839376] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.839557] kthread+0x337/0x6f0 [ 13.840314] ret_from_fork+0x116/0x1d0 [ 13.840936] ret_from_fork_asm+0x1a/0x30 [ 13.841525] [ 13.841897] Freed by task 244: [ 13.842264] kasan_save_stack+0x45/0x70 [ 13.842445] kasan_save_track+0x18/0x40 [ 13.842584] kasan_save_free_info+0x3f/0x60 [ 13.842732] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.843196] mempool_free+0x2ec/0x380 [ 13.843627] mempool_uaf_helper+0x11a/0x400 [ 13.844015] mempool_kmalloc_uaf+0xef/0x140 [ 13.844438] kunit_try_run_case+0x1a5/0x480 [ 13.844894] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.845431] kthread+0x337/0x6f0 [ 13.845565] ret_from_fork+0x116/0x1d0 [ 13.845709] ret_from_fork_asm+0x1a/0x30 [ 13.846153] [ 13.846318] The buggy address belongs to the object at ffff8881026a6f00 [ 13.846318] which belongs to the cache kmalloc-128 of size 128 [ 13.847280] The buggy address is located 0 bytes inside of [ 13.847280] freed 128-byte region [ffff8881026a6f00, ffff8881026a6f80) [ 13.848256] [ 13.848342] The buggy address belongs to the physical page: [ 13.848564] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a6 [ 13.849350] flags: 0x200000000000000(node=0|zone=2) [ 13.849907] page_type: f5(slab) [ 13.850242] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.850862] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 13.851575] page dumped because: kasan: bad access detected [ 13.852138] [ 13.852286] Memory state around the buggy address: [ 13.852577] ffff8881026a6e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.852851] ffff8881026a6e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.853445] >ffff8881026a6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.853890] ^ [ 13.854263] ffff8881026a6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.854728] ffff8881026a7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.854946] ==================================================================