Date
July 18, 2025, 11:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.378484] ================================================================== [ 17.378546] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.378605] Read of size 1 at addr fff00000c7711500 by task kunit_try_catch/227 [ 17.378789] [ 17.378855] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.379437] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.379630] Hardware name: linux,dummy-virt (DT) [ 17.379671] Call trace: [ 17.379696] show_stack+0x20/0x38 (C) [ 17.379749] dump_stack_lvl+0x8c/0xd0 [ 17.379798] print_report+0x118/0x5d0 [ 17.380014] kasan_report+0xdc/0x128 [ 17.380195] __asan_report_load1_noabort+0x20/0x30 [ 17.380284] mempool_uaf_helper+0x314/0x340 [ 17.380346] mempool_kmalloc_uaf+0xc4/0x120 [ 17.380488] kunit_try_run_case+0x170/0x3f0 [ 17.380563] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.380627] kthread+0x328/0x630 [ 17.380896] ret_from_fork+0x10/0x20 [ 17.381035] [ 17.381061] Allocated by task 227: [ 17.381138] kasan_save_stack+0x3c/0x68 [ 17.381236] kasan_save_track+0x20/0x40 [ 17.381487] kasan_save_alloc_info+0x40/0x58 [ 17.381752] __kasan_mempool_unpoison_object+0x11c/0x180 [ 17.382085] remove_element+0x130/0x1f8 [ 17.382170] mempool_alloc_preallocated+0x58/0xc0 [ 17.382315] mempool_uaf_helper+0xa4/0x340 [ 17.382512] mempool_kmalloc_uaf+0xc4/0x120 [ 17.382630] kunit_try_run_case+0x170/0x3f0 [ 17.382759] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.383064] kthread+0x328/0x630 [ 17.383130] ret_from_fork+0x10/0x20 [ 17.383199] [ 17.383468] Freed by task 227: [ 17.383525] kasan_save_stack+0x3c/0x68 [ 17.383586] kasan_save_track+0x20/0x40 [ 17.383634] kasan_save_free_info+0x4c/0x78 [ 17.383705] __kasan_mempool_poison_object+0xc0/0x150 [ 17.383771] mempool_free+0x28c/0x328 [ 17.383808] mempool_uaf_helper+0x104/0x340 [ 17.383850] mempool_kmalloc_uaf+0xc4/0x120 [ 17.383889] kunit_try_run_case+0x170/0x3f0 [ 17.383926] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.383973] kthread+0x328/0x630 [ 17.384007] ret_from_fork+0x10/0x20 [ 17.384052] [ 17.384092] The buggy address belongs to the object at fff00000c7711500 [ 17.384092] which belongs to the cache kmalloc-128 of size 128 [ 17.384153] The buggy address is located 0 bytes inside of [ 17.384153] freed 128-byte region [fff00000c7711500, fff00000c7711580) [ 17.384227] [ 17.384262] The buggy address belongs to the physical page: [ 17.384306] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107711 [ 17.384782] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.384868] page_type: f5(slab) [ 17.385076] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.385233] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.385533] page dumped because: kasan: bad access detected [ 17.385612] [ 17.385631] Memory state around the buggy address: [ 17.385695] fff00000c7711400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.385942] fff00000c7711480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.386027] >fff00000c7711500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.386177] ^ [ 17.386241] fff00000c7711580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.386347] fff00000c7711600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 17.386710] ================================================================== [ 17.413042] ================================================================== [ 17.413135] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.413197] Read of size 1 at addr fff00000c784b240 by task kunit_try_catch/231 [ 17.413507] [ 17.413575] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.413788] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.413878] Hardware name: linux,dummy-virt (DT) [ 17.414061] Call trace: [ 17.414116] show_stack+0x20/0x38 (C) [ 17.414306] dump_stack_lvl+0x8c/0xd0 [ 17.414410] print_report+0x118/0x5d0 [ 17.414459] kasan_report+0xdc/0x128 [ 17.414854] __asan_report_load1_noabort+0x20/0x30 [ 17.415001] mempool_uaf_helper+0x314/0x340 [ 17.415099] mempool_slab_uaf+0xc0/0x118 [ 17.415282] kunit_try_run_case+0x170/0x3f0 [ 17.415639] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.415739] kthread+0x328/0x630 [ 17.415801] ret_from_fork+0x10/0x20 [ 17.416565] [ 17.416619] Allocated by task 231: [ 17.416685] kasan_save_stack+0x3c/0x68 [ 17.416831] kasan_save_track+0x20/0x40 [ 17.416945] kasan_save_alloc_info+0x40/0x58 [ 17.416988] __kasan_mempool_unpoison_object+0xbc/0x180 [ 17.417043] remove_element+0x16c/0x1f8 [ 17.417129] mempool_alloc_preallocated+0x58/0xc0 [ 17.417366] mempool_uaf_helper+0xa4/0x340 [ 17.417489] mempool_slab_uaf+0xc0/0x118 [ 17.417781] kunit_try_run_case+0x170/0x3f0 [ 17.417958] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.418146] kthread+0x328/0x630 [ 17.418350] ret_from_fork+0x10/0x20 [ 17.418934] [ 17.418995] Freed by task 231: [ 17.419073] kasan_save_stack+0x3c/0x68 [ 17.419181] kasan_save_track+0x20/0x40 [ 17.419443] kasan_save_free_info+0x4c/0x78 [ 17.419531] __kasan_mempool_poison_object+0xc0/0x150 [ 17.419919] mempool_free+0x28c/0x328 [ 17.419975] mempool_uaf_helper+0x104/0x340 [ 17.420030] mempool_slab_uaf+0xc0/0x118 [ 17.420069] kunit_try_run_case+0x170/0x3f0 [ 17.420159] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.420211] kthread+0x328/0x630 [ 17.420245] ret_from_fork+0x10/0x20 [ 17.420296] [ 17.420345] The buggy address belongs to the object at fff00000c784b240 [ 17.420345] which belongs to the cache test_cache of size 123 [ 17.420416] The buggy address is located 0 bytes inside of [ 17.420416] freed 123-byte region [fff00000c784b240, fff00000c784b2bb) [ 17.420477] [ 17.420505] The buggy address belongs to the physical page: [ 17.420539] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10784b [ 17.420601] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.420657] page_type: f5(slab) [ 17.420696] raw: 0bfffe0000000000 fff00000c5a563c0 dead000000000122 0000000000000000 [ 17.420745] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 17.420786] page dumped because: kasan: bad access detected [ 17.420828] [ 17.420847] Memory state around the buggy address: [ 17.420880] fff00000c784b100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.420940] fff00000c784b180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.420984] >fff00000c784b200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 17.421039] ^ [ 17.421074] fff00000c784b280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.421125] fff00000c784b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.421163] ==================================================================
[ 13.727284] ================================================================== [ 13.727942] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.728265] Read of size 1 at addr ffff8881039eb180 by task kunit_try_catch/250 [ 13.729103] [ 13.729312] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.729356] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.729367] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.729389] Call Trace: [ 13.729402] <TASK> [ 13.729417] dump_stack_lvl+0x73/0xb0 [ 13.729447] print_report+0xd1/0x610 [ 13.729469] ? __virt_addr_valid+0x1db/0x2d0 [ 13.729493] ? mempool_uaf_helper+0x392/0x400 [ 13.729514] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.729536] ? mempool_uaf_helper+0x392/0x400 [ 13.729558] kasan_report+0x141/0x180 [ 13.729611] ? mempool_uaf_helper+0x392/0x400 [ 13.729638] __asan_report_load1_noabort+0x18/0x20 [ 13.729661] mempool_uaf_helper+0x392/0x400 [ 13.729691] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.729715] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.729737] ? finish_task_switch.isra.0+0x153/0x700 [ 13.729764] mempool_slab_uaf+0xea/0x140 [ 13.729786] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.729811] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.729835] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.729860] ? __pfx_read_tsc+0x10/0x10 [ 13.729880] ? ktime_get_ts64+0x86/0x230 [ 13.729904] kunit_try_run_case+0x1a5/0x480 [ 13.729929] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.729951] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.729975] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.729998] ? __kthread_parkme+0x82/0x180 [ 13.730018] ? preempt_count_sub+0x50/0x80 [ 13.730051] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.730074] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.730098] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.730122] kthread+0x337/0x6f0 [ 13.730141] ? trace_preempt_on+0x20/0xc0 [ 13.730163] ? __pfx_kthread+0x10/0x10 [ 13.730183] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.730204] ? calculate_sigpending+0x7b/0xa0 [ 13.730227] ? __pfx_kthread+0x10/0x10 [ 13.730248] ret_from_fork+0x116/0x1d0 [ 13.730266] ? __pfx_kthread+0x10/0x10 [ 13.730285] ret_from_fork_asm+0x1a/0x30 [ 13.730325] </TASK> [ 13.730335] [ 13.745065] Allocated by task 250: [ 13.745525] kasan_save_stack+0x45/0x70 [ 13.746047] kasan_save_track+0x18/0x40 [ 13.746218] kasan_save_alloc_info+0x3b/0x50 [ 13.746687] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.747024] remove_element+0x11e/0x190 [ 13.747195] mempool_alloc_preallocated+0x4d/0x90 [ 13.747685] mempool_uaf_helper+0x96/0x400 [ 13.748121] mempool_slab_uaf+0xea/0x140 [ 13.748514] kunit_try_run_case+0x1a5/0x480 [ 13.748776] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.748956] kthread+0x337/0x6f0 [ 13.749122] ret_from_fork+0x116/0x1d0 [ 13.749561] ret_from_fork_asm+0x1a/0x30 [ 13.749968] [ 13.750167] Freed by task 250: [ 13.750531] kasan_save_stack+0x45/0x70 [ 13.751000] kasan_save_track+0x18/0x40 [ 13.751419] kasan_save_free_info+0x3f/0x60 [ 13.751764] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.751942] mempool_free+0x2ec/0x380 [ 13.752229] mempool_uaf_helper+0x11a/0x400 [ 13.752671] mempool_slab_uaf+0xea/0x140 [ 13.753178] kunit_try_run_case+0x1a5/0x480 [ 13.753684] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.754233] kthread+0x337/0x6f0 [ 13.754413] ret_from_fork+0x116/0x1d0 [ 13.754799] ret_from_fork_asm+0x1a/0x30 [ 13.755099] [ 13.755284] The buggy address belongs to the object at ffff8881039eb180 [ 13.755284] which belongs to the cache test_cache of size 123 [ 13.755845] The buggy address is located 0 bytes inside of [ 13.755845] freed 123-byte region [ffff8881039eb180, ffff8881039eb1fb) [ 13.756625] [ 13.756800] The buggy address belongs to the physical page: [ 13.757381] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039eb [ 13.758331] flags: 0x200000000000000(node=0|zone=2) [ 13.758801] page_type: f5(slab) [ 13.758926] raw: 0200000000000000 ffff888101093dc0 dead000000000122 0000000000000000 [ 13.759561] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 13.760263] page dumped because: kasan: bad access detected [ 13.760520] [ 13.760695] Memory state around the buggy address: [ 13.761190] ffff8881039eb080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.761424] ffff8881039eb100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.761970] >ffff8881039eb180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.762720] ^ [ 13.763027] ffff8881039eb200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.763570] ffff8881039eb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.763790] ================================================================== [ 13.657761] ================================================================== [ 13.658166] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.658711] Read of size 1 at addr ffff8881029ce700 by task kunit_try_catch/246 [ 13.660272] [ 13.660777] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.660832] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.660847] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.660870] Call Trace: [ 13.660886] <TASK> [ 13.660926] dump_stack_lvl+0x73/0xb0 [ 13.660967] print_report+0xd1/0x610 [ 13.660991] ? __virt_addr_valid+0x1db/0x2d0 [ 13.661014] ? mempool_uaf_helper+0x392/0x400 [ 13.661037] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.661060] ? mempool_uaf_helper+0x392/0x400 [ 13.661083] kasan_report+0x141/0x180 [ 13.661106] ? mempool_uaf_helper+0x392/0x400 [ 13.661133] __asan_report_load1_noabort+0x18/0x20 [ 13.661159] mempool_uaf_helper+0x392/0x400 [ 13.661181] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.661205] ? __kasan_check_write+0x18/0x20 [ 13.661224] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.661247] ? finish_task_switch.isra.0+0x153/0x700 [ 13.661272] mempool_kmalloc_uaf+0xef/0x140 [ 13.661307] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 13.661332] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.661355] ? __pfx_mempool_kfree+0x10/0x10 [ 13.661379] ? __pfx_read_tsc+0x10/0x10 [ 13.661400] ? ktime_get_ts64+0x86/0x230 [ 13.661424] kunit_try_run_case+0x1a5/0x480 [ 13.661448] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.661625] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.661655] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.661680] ? __kthread_parkme+0x82/0x180 [ 13.661701] ? preempt_count_sub+0x50/0x80 [ 13.661725] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.661750] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.661774] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.661799] kthread+0x337/0x6f0 [ 13.661818] ? trace_preempt_on+0x20/0xc0 [ 13.661840] ? __pfx_kthread+0x10/0x10 [ 13.661861] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.661882] ? calculate_sigpending+0x7b/0xa0 [ 13.661906] ? __pfx_kthread+0x10/0x10 [ 13.661926] ret_from_fork+0x116/0x1d0 [ 13.661945] ? __pfx_kthread+0x10/0x10 [ 13.661965] ret_from_fork_asm+0x1a/0x30 [ 13.661995] </TASK> [ 13.662006] [ 13.673585] Allocated by task 246: [ 13.673934] kasan_save_stack+0x45/0x70 [ 13.674351] kasan_save_track+0x18/0x40 [ 13.674700] kasan_save_alloc_info+0x3b/0x50 [ 13.675000] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.675226] remove_element+0x11e/0x190 [ 13.675427] mempool_alloc_preallocated+0x4d/0x90 [ 13.676008] mempool_uaf_helper+0x96/0x400 [ 13.676262] mempool_kmalloc_uaf+0xef/0x140 [ 13.676521] kunit_try_run_case+0x1a5/0x480 [ 13.676794] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.677226] kthread+0x337/0x6f0 [ 13.677378] ret_from_fork+0x116/0x1d0 [ 13.677835] ret_from_fork_asm+0x1a/0x30 [ 13.678234] [ 13.678354] Freed by task 246: [ 13.678534] kasan_save_stack+0x45/0x70 [ 13.678684] kasan_save_track+0x18/0x40 [ 13.678874] kasan_save_free_info+0x3f/0x60 [ 13.679078] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.679683] mempool_free+0x2ec/0x380 [ 13.679837] mempool_uaf_helper+0x11a/0x400 [ 13.680253] mempool_kmalloc_uaf+0xef/0x140 [ 13.680803] kunit_try_run_case+0x1a5/0x480 [ 13.681423] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.682009] kthread+0x337/0x6f0 [ 13.682491] ret_from_fork+0x116/0x1d0 [ 13.683092] ret_from_fork_asm+0x1a/0x30 [ 13.683623] [ 13.683941] The buggy address belongs to the object at ffff8881029ce700 [ 13.683941] which belongs to the cache kmalloc-128 of size 128 [ 13.684895] The buggy address is located 0 bytes inside of [ 13.684895] freed 128-byte region [ffff8881029ce700, ffff8881029ce780) [ 13.686109] [ 13.686407] The buggy address belongs to the physical page: [ 13.687092] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ce [ 13.687928] flags: 0x200000000000000(node=0|zone=2) [ 13.688592] page_type: f5(slab) [ 13.688977] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.689756] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.689997] page dumped because: kasan: bad access detected [ 13.690172] [ 13.690243] Memory state around the buggy address: [ 13.690418] ffff8881029ce600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.691284] ffff8881029ce680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.691599] >ffff8881029ce700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.691989] ^ [ 13.692217] ffff8881029ce780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.692794] ffff8881029ce800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 13.693381] ==================================================================