Date: July 19, 2025, 11:11 a.m.

Environment: qemu-arm64, qemu-x86_64 (the KASAN report log for each environment follows)
qemu-arm64, kernel 6.16.0-rc6, taint [N]=TEST: two KASAN slab-use-after-free reports raised from mempool_uaf_helper by the KUnit cases mempool_kmalloc_uaf (cache kmalloc-128) and mempool_slab_uaf (cache test_cache).

```
[ 17.297004] ==================================================================
[ 17.297290] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.297353] Read of size 1 at addr fff00000c6e65800 by task kunit_try_catch/228
[ 17.297402]
[ 17.297436] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.297933] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.298009] Hardware name: linux,dummy-virt (DT)
[ 17.298043] Call trace:
[ 17.298202]  show_stack+0x20/0x38 (C)
[ 17.298264]  dump_stack_lvl+0x8c/0xd0
[ 17.298327]  print_report+0x118/0x5d0
[ 17.298375]  kasan_report+0xdc/0x128
[ 17.298427]  __asan_report_load1_noabort+0x20/0x30
[ 17.298629]  mempool_uaf_helper+0x314/0x340
[ 17.298678]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.298725]  kunit_try_run_case+0x170/0x3f0
[ 17.298776]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.298828]  kthread+0x328/0x630
[ 17.298946]  ret_from_fork+0x10/0x20
[ 17.299083]
[ 17.299153] Allocated by task 228:
[ 17.299196]  kasan_save_stack+0x3c/0x68
[ 17.299309]  kasan_save_track+0x20/0x40
[ 17.299395]  kasan_save_alloc_info+0x40/0x58
[ 17.299437]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 17.299480]  remove_element+0x130/0x1f8
[ 17.299551]  mempool_alloc_preallocated+0x58/0xc0
[ 17.299594]  mempool_uaf_helper+0xa4/0x340
[ 17.299679]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.299718]  kunit_try_run_case+0x170/0x3f0
[ 17.299802]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.299860]  kthread+0x328/0x630
[ 17.299895]  ret_from_fork+0x10/0x20
[ 17.299977]
[ 17.300032] Freed by task 228:
[ 17.300104]  kasan_save_stack+0x3c/0x68
[ 17.300181]  kasan_save_track+0x20/0x40
[ 17.300217]  kasan_save_free_info+0x4c/0x78
[ 17.300297]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.300454]  mempool_free+0x28c/0x328
[ 17.300488]  mempool_uaf_helper+0x104/0x340
[ 17.301009]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.301242]  kunit_try_run_case+0x170/0x3f0
[ 17.301490]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.301601]  kthread+0x328/0x630
[ 17.301635]  ret_from_fork+0x10/0x20
[ 17.301671]
[ 17.301691] The buggy address belongs to the object at fff00000c6e65800
[ 17.301691]  which belongs to the cache kmalloc-128 of size 128
[ 17.301958] The buggy address is located 0 bytes inside of
[ 17.301958]  freed 128-byte region [fff00000c6e65800, fff00000c6e65880)
[ 17.302285]
[ 17.302351] The buggy address belongs to the physical page:
[ 17.302423] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106e65
[ 17.302478] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.302546] page_type: f5(slab)
[ 17.302590] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.302642] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.302696] page dumped because: kasan: bad access detected
[ 17.302732]
[ 17.302756] Memory state around the buggy address:
[ 17.302885]  fff00000c6e65700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.303021]  fff00000c6e65780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.303116] >fff00000c6e65800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.303166]                    ^
[ 17.303255]  fff00000c6e65880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.303297]  fff00000c6e65900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.303335] ==================================================================
[ 17.331859] ==================================================================
[ 17.331989] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.332086] Read of size 1 at addr fff00000c6e5f240 by task kunit_try_catch/232
[ 17.332137]
[ 17.332172] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.332355] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.332435] Hardware name: linux,dummy-virt (DT)
[ 17.332511] Call trace:
[ 17.332592]  show_stack+0x20/0x38 (C)
[ 17.332678]  dump_stack_lvl+0x8c/0xd0
[ 17.332734]  print_report+0x118/0x5d0
[ 17.332814]  kasan_report+0xdc/0x128
[ 17.332861]  __asan_report_load1_noabort+0x20/0x30
[ 17.332946]  mempool_uaf_helper+0x314/0x340
[ 17.332995]  mempool_slab_uaf+0xc0/0x118
[ 17.333059]  kunit_try_run_case+0x170/0x3f0
[ 17.333147]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.333290]  kthread+0x328/0x630
[ 17.333333]  ret_from_fork+0x10/0x20
[ 17.333410]
[ 17.333475] Allocated by task 232:
[ 17.333527]  kasan_save_stack+0x3c/0x68
[ 17.333577]  kasan_save_track+0x20/0x40
[ 17.333624]  kasan_save_alloc_info+0x40/0x58
[ 17.333698]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 17.334102]  remove_element+0x16c/0x1f8
[ 17.334215]  mempool_alloc_preallocated+0x58/0xc0
[ 17.334346]  mempool_uaf_helper+0xa4/0x340
[ 17.334451]  mempool_slab_uaf+0xc0/0x118
[ 17.334605]  kunit_try_run_case+0x170/0x3f0
[ 17.334703]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.334861]  kthread+0x328/0x630
[ 17.334907]  ret_from_fork+0x10/0x20
[ 17.334943]
[ 17.334962] Freed by task 232:
[ 17.334991]  kasan_save_stack+0x3c/0x68
[ 17.335282]  kasan_save_track+0x20/0x40
[ 17.335325]  kasan_save_free_info+0x4c/0x78
[ 17.335428]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.335507]  mempool_free+0x28c/0x328
[ 17.335650]  mempool_uaf_helper+0x104/0x340
[ 17.335729]  mempool_slab_uaf+0xc0/0x118
[ 17.335830]  kunit_try_run_case+0x170/0x3f0
[ 17.335919]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.336056]  kthread+0x328/0x630
[ 17.336115]  ret_from_fork+0x10/0x20
[ 17.336202]
[ 17.336222] The buggy address belongs to the object at fff00000c6e5f240
[ 17.336222]  which belongs to the cache test_cache of size 123
[ 17.336627] The buggy address is located 0 bytes inside of
[ 17.336627]  freed 123-byte region [fff00000c6e5f240, fff00000c6e5f2bb)
[ 17.336875]
[ 17.336992] The buggy address belongs to the physical page:
[ 17.337077] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106e5f
[ 17.337206] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.337322] page_type: f5(slab)
[ 17.337475] raw: 0bfffe0000000000 fff00000c5b79b40 dead000000000122 0000000000000000
[ 17.337590] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 17.337633] page dumped because: kasan: bad access detected
[ 17.337674]
[ 17.337692] Memory state around the buggy address:
[ 17.337733]  fff00000c6e5f100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.337777]  fff00000c6e5f180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.337819] >fff00000c6e5f200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 17.338039]                                            ^
[ 17.338138]  fff00000c6e5f280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.338301]  fff00000c6e5f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.338425] ==================================================================
```
qemu-x86_64, kernel 6.16.0-rc6, taint [N]=TEST: the same two reports (mempool_kmalloc_uaf on kmalloc-128 and mempool_slab_uaf on test_cache) from the QEMU Q35 machine; frames prefixed with "?" are unverified entries from the x86 stack scan.

```
[ 13.550179] ==================================================================
[ 13.550635] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.551017] Read of size 1 at addr ffff8881027e4c00 by task kunit_try_catch/245
[ 13.551362]
[ 13.551480] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.551537] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.551549] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.551572] Call Trace:
[ 13.551586]  <TASK>
[ 13.551604]  dump_stack_lvl+0x73/0xb0
[ 13.551636]  print_report+0xd1/0x610
[ 13.551658]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.551682]  ? mempool_uaf_helper+0x392/0x400
[ 13.551704]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.551728]  ? mempool_uaf_helper+0x392/0x400
[ 13.551750]  kasan_report+0x141/0x180
[ 13.551771]  ? mempool_uaf_helper+0x392/0x400
[ 13.551798]  __asan_report_load1_noabort+0x18/0x20
[ 13.551823]  mempool_uaf_helper+0x392/0x400
[ 13.551845]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.551869]  ? __kasan_check_write+0x18/0x20
[ 13.551955]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 13.551979]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.552006]  mempool_kmalloc_uaf+0xef/0x140
[ 13.552028]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 13.552054]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 13.552078]  ? __pfx_mempool_kfree+0x10/0x10
[ 13.552103]  ? __pfx_read_tsc+0x10/0x10
[ 13.552124]  ? ktime_get_ts64+0x86/0x230
[ 13.552149]  kunit_try_run_case+0x1a5/0x480
[ 13.552174]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.552197]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.552222]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.552262]  ? __kthread_parkme+0x82/0x180
[ 13.552283]  ? preempt_count_sub+0x50/0x80
[ 13.552306]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.552330]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.552354]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.552378]  kthread+0x337/0x6f0
[ 13.552397]  ? trace_preempt_on+0x20/0xc0
[ 13.552420]  ? __pfx_kthread+0x10/0x10
[ 13.552441]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.552462]  ? calculate_sigpending+0x7b/0xa0
[ 13.552487]  ? __pfx_kthread+0x10/0x10
[ 13.552519]  ret_from_fork+0x116/0x1d0
[ 13.552538]  ? __pfx_kthread+0x10/0x10
[ 13.552558]  ret_from_fork_asm+0x1a/0x30
[ 13.552589]  </TASK>
[ 13.552600]
[ 13.560565] Allocated by task 245:
[ 13.560745]  kasan_save_stack+0x45/0x70
[ 13.560905]  kasan_save_track+0x18/0x40
[ 13.561189]  kasan_save_alloc_info+0x3b/0x50
[ 13.561368]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 13.561554]  remove_element+0x11e/0x190
[ 13.561692]  mempool_alloc_preallocated+0x4d/0x90
[ 13.561877]  mempool_uaf_helper+0x96/0x400
[ 13.562080]  mempool_kmalloc_uaf+0xef/0x140
[ 13.562287]  kunit_try_run_case+0x1a5/0x480
[ 13.562490]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.562961]  kthread+0x337/0x6f0
[ 13.563121]  ret_from_fork+0x116/0x1d0
[ 13.563266]  ret_from_fork_asm+0x1a/0x30
[ 13.563404]
[ 13.563571] Freed by task 245:
[ 13.563730]  kasan_save_stack+0x45/0x70
[ 13.563923]  kasan_save_track+0x18/0x40
[ 13.564194]  kasan_save_free_info+0x3f/0x60
[ 13.564386]  __kasan_mempool_poison_object+0x131/0x1d0
[ 13.564601]  mempool_free+0x2ec/0x380
[ 13.564763]  mempool_uaf_helper+0x11a/0x400
[ 13.564968]  mempool_kmalloc_uaf+0xef/0x140
[ 13.565268]  kunit_try_run_case+0x1a5/0x480
[ 13.565443]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.565711]  kthread+0x337/0x6f0
[ 13.565874]  ret_from_fork+0x116/0x1d0
[ 13.566009]  ret_from_fork_asm+0x1a/0x30
[ 13.566312]
[ 13.566383] The buggy address belongs to the object at ffff8881027e4c00
[ 13.566383]  which belongs to the cache kmalloc-128 of size 128
[ 13.566894] The buggy address is located 0 bytes inside of
[ 13.566894]  freed 128-byte region [ffff8881027e4c00, ffff8881027e4c80)
[ 13.567430]
[ 13.567518] The buggy address belongs to the physical page:
[ 13.567693] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027e4
[ 13.567943] flags: 0x200000000000000(node=0|zone=2)
[ 13.568155] page_type: f5(slab)
[ 13.568398] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.568740] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.569150] page dumped because: kasan: bad access detected
[ 13.569394]
[ 13.569527] Memory state around the buggy address:
[ 13.569698]  ffff8881027e4b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.569929]  ffff8881027e4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.570204] >ffff8881027e4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.570533]                    ^
[ 13.570701]  ffff8881027e4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.571019]  ffff8881027e4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 13.571560] ==================================================================
[ 13.607329] ==================================================================
[ 13.607806] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.608157] Read of size 1 at addr ffff8881039f8240 by task kunit_try_catch/249
[ 13.608423]
[ 13.608559] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.608609] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.608621] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.608643] Call Trace:
[ 13.608656]  <TASK>
[ 13.608673]  dump_stack_lvl+0x73/0xb0
[ 13.608704]  print_report+0xd1/0x610
[ 13.608727]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.608751]  ? mempool_uaf_helper+0x392/0x400
[ 13.608773]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.608795]  ? mempool_uaf_helper+0x392/0x400
[ 13.608818]  kasan_report+0x141/0x180
[ 13.608839]  ? mempool_uaf_helper+0x392/0x400
[ 13.608866]  __asan_report_load1_noabort+0x18/0x20
[ 13.608891]  mempool_uaf_helper+0x392/0x400
[ 13.608914]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.608935]  ? update_load_avg+0x1be/0x21b0
[ 13.608962]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.608989]  mempool_slab_uaf+0xea/0x140
[ 13.609013]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 13.609039]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 13.609064]  ? __pfx_mempool_free_slab+0x10/0x10
[ 13.609089]  ? __pfx_read_tsc+0x10/0x10
[ 13.609110]  ? ktime_get_ts64+0x86/0x230
[ 13.609136]  kunit_try_run_case+0x1a5/0x480
[ 13.609172]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.609195]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.609220]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.609243]  ? __kthread_parkme+0x82/0x180
[ 13.609264]  ? preempt_count_sub+0x50/0x80
[ 13.609287]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.609311]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.609335]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.609358]  kthread+0x337/0x6f0
[ 13.609377]  ? trace_preempt_on+0x20/0xc0
[ 13.609400]  ? __pfx_kthread+0x10/0x10
[ 13.609419]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.609441]  ? calculate_sigpending+0x7b/0xa0
[ 13.609465]  ? __pfx_kthread+0x10/0x10
[ 13.609486]  ret_from_fork+0x116/0x1d0
[ 13.609515]  ? __pfx_kthread+0x10/0x10
[ 13.609536]  ret_from_fork_asm+0x1a/0x30
[ 13.609566]  </TASK>
[ 13.609577]
[ 13.617392] Allocated by task 249:
[ 13.617571]  kasan_save_stack+0x45/0x70
[ 13.617716]  kasan_save_track+0x18/0x40
[ 13.617855]  kasan_save_alloc_info+0x3b/0x50
[ 13.618066]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 13.618454]  remove_element+0x11e/0x190
[ 13.618643]  mempool_alloc_preallocated+0x4d/0x90
[ 13.618847]  mempool_uaf_helper+0x96/0x400
[ 13.619019]  mempool_slab_uaf+0xea/0x140
[ 13.619193]  kunit_try_run_case+0x1a5/0x480
[ 13.619401]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.619644]  kthread+0x337/0x6f0
[ 13.619796]  ret_from_fork+0x116/0x1d0
[ 13.619967]  ret_from_fork_asm+0x1a/0x30
[ 13.620138]
[ 13.620236] Freed by task 249:
[ 13.620357]  kasan_save_stack+0x45/0x70
[ 13.620535]  kasan_save_track+0x18/0x40
[ 13.620717]  kasan_save_free_info+0x3f/0x60
[ 13.620892]  __kasan_mempool_poison_object+0x131/0x1d0
[ 13.621097]  mempool_free+0x2ec/0x380
[ 13.621231]  mempool_uaf_helper+0x11a/0x400
[ 13.621377]  mempool_slab_uaf+0xea/0x140
[ 13.621524]  kunit_try_run_case+0x1a5/0x480
[ 13.621671]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.621846]  kthread+0x337/0x6f0
[ 13.621966]  ret_from_fork+0x116/0x1d0
[ 13.622150]  ret_from_fork_asm+0x1a/0x30
[ 13.622450]
[ 13.622560] The buggy address belongs to the object at ffff8881039f8240
[ 13.622560]  which belongs to the cache test_cache of size 123
[ 13.623079] The buggy address is located 0 bytes inside of
[ 13.623079]  freed 123-byte region [ffff8881039f8240, ffff8881039f82bb)
[ 13.623431]
[ 13.623511] The buggy address belongs to the physical page:
[ 13.623686] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f8
[ 13.623934] flags: 0x200000000000000(node=0|zone=2)
[ 13.624200] page_type: f5(slab)
[ 13.624371] raw: 0200000000000000 ffff8881018a9c80 dead000000000122 0000000000000000
[ 13.624719] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 13.625072] page dumped because: kasan: bad access detected
[ 13.625575]
[ 13.625669] Memory state around the buggy address:
[ 13.625887]  ffff8881039f8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.626175]  ffff8881039f8180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.626409] >ffff8881039f8200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 13.626737]                                            ^
[ 13.626938]  ffff8881039f8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.627154]  ffff8881039f8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.627465] ==================================================================
```
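Both environments show the same pair of reports: a one-byte read in mempool_uaf_helper of an object that mempool_free has just returned to the pool, flagged because __kasan_mempool_poison_object marked the region freed (shadow bytes fa/fb at the faulting address) and the reading thread is KUnit's kunit_try_catch with the [N]=TEST taint set. In a CI log these are the expected output of the KASAN KUnit self-tests and should be filed apart from reports that need a human. The Python below is an added example written for this page, not code from the results site or from the kernel tree: it parses reports of this shape out of a dmesg text, decodes the shadow byte covering the faulting address, finds the frame below the reporting function (here the test case name), and labels reports that come from a KUnit case as expected. The sample log is a trimmed copy of the first qemu-arm64 report above; the names parse_reports, shadow_state, triage and the verdict strings are the example's own.

```python
import re
from dataclasses import dataclass, field

KASAN_GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory
SHADOW = {0x00: "addressable", 0xFA: "freed slab object (free meta)",
          0xFB: "freed slab object", 0xFC: "slab redzone", 0xFE: "page redzone", 0xFF: "freed page"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
FRAME = re.compile(r"^(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

@dataclass
class Report:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    cache: str = ""
    shadow_base: int = -1
    taint: list[str] = field(default_factory=list)
    trace: list[str] = field(default_factory=list)
    alloc: list[str] = field(default_factory=list)
    free: list[str] = field(default_factory=list)
    shadow: list[int] = field(default_factory=list)

def parse_reports(log: str) -> list[Report]:
    """Split a dmesg text into KASAN reports; x86 '? ' frames are unverified and dropped."""
    reports, cur, section = [], Report(), None  # the initial Report() only absorbs pre-report lines
    for raw in log.splitlines():
        line = TS.sub("", raw).strip()
        if line.startswith("BUG: KASAN:"):
            m = re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line)
            reports.append(cur := Report(kind=m[1], func=m[2]))
            section = None
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/\d+", line):
            cur.op, cur.size, cur.addr, cur.comm = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.search(r"Tainted: ((?:[A-Z] )+)\d", line):  # the CPU: line, not the [B]=... legend
            cur.taint = m[1].split()
        elif re.match(r"Call [Tt]race:", line):
            section = cur.trace
        elif line.startswith("Allocated by task"):
            section = cur.alloc
        elif line.startswith("Freed by task"):
            section = cur.free
        elif m := re.search(r"belongs to the cache (\S+) of size \d+", line):
            cur.cache = m[1]
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})", line):  # '>' marks the row with the bad address
            cur.shadow_base, cur.shadow = int(m[1], 16), [int(b, 16) for b in m[2].split()]
        elif line == "":
            section = None  # a blank line closes a stack section
        elif section is not None and (m := FRAME.match(line)) and not m["q"]:
            section.append(m["sym"])
    return reports

def shadow_state(r: Report) -> str:
    """Decode the shadow byte that covers the faulting address."""
    idx = (r.addr - r.shadow_base) // KASAN_GRANULE
    if r.shadow_base < 0 or not 0 <= idx < len(r.shadow):
        return "unknown"
    v = r.shadow[idx]
    if 0 < v < KASAN_GRANULE:  # 01..07: only the first v bytes of the granule are addressable
        return f"partially addressable ({v} bytes)"
    return SHADOW.get(v, f"unrecognised 0x{v:02x}")

def triage(r: Report) -> dict:
    """Separate KUnit's deliberate KASAN self-tests from reports that need a human."""
    i = r.trace.index(r.func) if r.func in r.trace else -1
    caller = r.trace[i + 1] if 0 <= i < len(r.trace) - 1 else ""  # frame below the reporting function
    from_kunit = r.comm == "kunit_try_catch" and "kunit_try_run_case" in r.trace
    state = shadow_state(r)
    # a UAF report should be backed by a free stack and by freed-object shadow bytes
    consistent = r.kind != "slab-use-after-free" or (bool(r.free) and state.startswith("freed slab"))
    return {"kind": r.kind, "func": r.func, "caller": caller, "cache": r.cache,
            "access": f"{r.op} of size {r.size} at 0x{r.addr:x}", "shadow": state,
            "test_taint": "N" in r.taint, "consistent": consistent,
            "verdict": "expected KASAN self-test output" if from_kunit else "investigate"}

# Constructed sample: a trimmed copy of the first qemu-arm64 report on this page.
SAMPLE_LOG = """\
[   17.297290] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   17.297353] Read of size 1 at addr fff00000c6e65800 by task kunit_try_catch/228
[   17.297436] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[   17.298043] Call trace:
[   17.298629]  mempool_uaf_helper+0x314/0x340
[   17.298678]  mempool_kmalloc_uaf+0xc4/0x120
[   17.298725]  kunit_try_run_case+0x170/0x3f0
[   17.299153] Allocated by task 228:
[   17.299551]  mempool_alloc_preallocated+0x58/0xc0
[   17.299594]  mempool_uaf_helper+0xa4/0x340
[   17.300032] Freed by task 228:
[   17.300454]  mempool_free+0x28c/0x328
[   17.300488]  mempool_uaf_helper+0x104/0x340
[   17.301691]  which belongs to the cache kmalloc-128 of size 128
[   17.303116] >fff00000c6e65800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    for rep in parse_reports(SAMPLE_LOG):
        print(triage(rep))
```

Run with python3 to get one dict per report. On a real log, feed it the whole dmesg: reports whose verdict is "investigate", and any report marked inconsistent (a use-after-free with no free stack, or whose shadow byte is not a freed-slab marker), are the ones worth a human's time. The "?" frames in the x86 traces are dropped because they come from the unwinder's stack scan rather than confirmed return addresses, so the caller lookup is done on verified frames only.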