Date
July 20, 2025, 11:12 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 17.358689] ==================================================================
[ 17.359124] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.359181] Read of size 1 at addr fff00000c78ad240 by task kunit_try_catch/231
[ 17.359231]
[ 17.359381] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.359541] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.359569] Hardware name: linux,dummy-virt (DT)
[ 17.359599] Call trace:
[ 17.359622]  show_stack+0x20/0x38 (C)
[ 17.359679]  dump_stack_lvl+0x8c/0xd0
[ 17.359735]  print_report+0x118/0x5d0
[ 17.359781]  kasan_report+0xdc/0x128
[ 17.359825]  __asan_report_load1_noabort+0x20/0x30
[ 17.359874]  mempool_uaf_helper+0x314/0x340
[ 17.360152]  mempool_slab_uaf+0xc0/0x118
[ 17.360210]  kunit_try_run_case+0x170/0x3f0
[ 17.360257]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.360759]  kthread+0x328/0x630
[ 17.360824]  ret_from_fork+0x10/0x20
[ 17.360874]
[ 17.360893] Allocated by task 231:
[ 17.360935]  kasan_save_stack+0x3c/0x68
[ 17.360979]  kasan_save_track+0x20/0x40
[ 17.361017]  kasan_save_alloc_info+0x40/0x58
[ 17.361411]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 17.361610]  remove_element+0x16c/0x1f8
[ 17.361684]  mempool_alloc_preallocated+0x58/0xc0
[ 17.361734]  mempool_uaf_helper+0xa4/0x340
[ 17.361844]  mempool_slab_uaf+0xc0/0x118
[ 17.361879]  kunit_try_run_case+0x170/0x3f0
[ 17.361918]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.361963]  kthread+0x328/0x630
[ 17.361994]  ret_from_fork+0x10/0x20
[ 17.362158]
[ 17.362182] Freed by task 231:
[ 17.362423]  kasan_save_stack+0x3c/0x68
[ 17.362466]  kasan_save_track+0x20/0x40
[ 17.362511]  kasan_save_free_info+0x4c/0x78
[ 17.362609]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.362742]  mempool_free+0x28c/0x328
[ 17.362794]  mempool_uaf_helper+0x104/0x340
[ 17.362842]  mempool_slab_uaf+0xc0/0x118
[ 17.363106]  kunit_try_run_case+0x170/0x3f0
[ 17.363299]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.363349]  kthread+0x328/0x630
[ 17.363381]  ret_from_fork+0x10/0x20
[ 17.363416]
[ 17.363469] The buggy address belongs to the object at fff00000c78ad240
[ 17.363469]  which belongs to the cache test_cache of size 123
[ 17.363554] The buggy address is located 0 bytes inside of
[ 17.363554]  freed 123-byte region [fff00000c78ad240, fff00000c78ad2bb)
[ 17.363775]
[ 17.363797] The buggy address belongs to the physical page:
[ 17.363948] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078ad
[ 17.364231] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.364283] page_type: f5(slab)
[ 17.364323] raw: 0bfffe0000000000 fff00000c700b500 dead000000000122 0000000000000000
[ 17.364617] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 17.364739] page dumped because: kasan: bad access detected
[ 17.364774]
[ 17.364792] Memory state around the buggy address:
[ 17.364882]  fff00000c78ad100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.364925]  fff00000c78ad180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.364967] >fff00000c78ad200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 17.365010]                                            ^
[ 17.365045]  fff00000c78ad280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.365088]  fff00000c78ad300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.365126] ==================================================================
[ 17.310401] ==================================================================
[ 17.310485] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.310555] Read of size 1 at addr fff00000c7001500 by task kunit_try_catch/227
[ 17.310610]
[ 17.310649] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.310753] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.310781] Hardware name: linux,dummy-virt (DT)
[ 17.310813] Call trace:
[ 17.310838]  show_stack+0x20/0x38 (C)
[ 17.310890]  dump_stack_lvl+0x8c/0xd0
[ 17.310941]  print_report+0x118/0x5d0
[ 17.310988]  kasan_report+0xdc/0x128
[ 17.311046]  __asan_report_load1_noabort+0x20/0x30
[ 17.311097]  mempool_uaf_helper+0x314/0x340
[ 17.311143]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.311188]  kunit_try_run_case+0x170/0x3f0
[ 17.311239]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.311291]  kthread+0x328/0x630
[ 17.311334]  ret_from_fork+0x10/0x20
[ 17.311383]
[ 17.311402] Allocated by task 227:
[ 17.311432]  kasan_save_stack+0x3c/0x68
[ 17.311476]  kasan_save_track+0x20/0x40
[ 17.311515]  kasan_save_alloc_info+0x40/0x58
[ 17.311556]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 17.311601]  remove_element+0x130/0x1f8
[ 17.311637]  mempool_alloc_preallocated+0x58/0xc0
[ 17.311689]  mempool_uaf_helper+0xa4/0x340
[ 17.311726]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.311764]  kunit_try_run_case+0x170/0x3f0
[ 17.311800]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.311844]  kthread+0x328/0x630
[ 17.311875]  ret_from_fork+0x10/0x20
[ 17.311911]
[ 17.311929] Freed by task 227:
[ 17.311957]  kasan_save_stack+0x3c/0x68
[ 17.311996]  kasan_save_track+0x20/0x40
[ 17.312033]  kasan_save_free_info+0x4c/0x78
[ 17.312072]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.312114]  mempool_free+0x28c/0x328
[ 17.312148]  mempool_uaf_helper+0x104/0x340
[ 17.312185]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.312224]  kunit_try_run_case+0x170/0x3f0
[ 17.312265]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.312308]  kthread+0x328/0x630
[ 17.312343]  ret_from_fork+0x10/0x20
[ 17.312385]
[ 17.312406] The buggy address belongs to the object at fff00000c7001500
[ 17.312406]  which belongs to the cache kmalloc-128 of size 128
[ 17.312466] The buggy address is located 0 bytes inside of
[ 17.312466]  freed 128-byte region [fff00000c7001500, fff00000c7001580)
[ 17.312524]
[ 17.312545] The buggy address belongs to the physical page:
[ 17.312578] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107001
[ 17.312632] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.312695] page_type: f5(slab)
[ 17.312737] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.312786] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.312827] page dumped because: kasan: bad access detected
[ 17.312858]
[ 17.312876] Memory state around the buggy address:
[ 17.312909]  fff00000c7001400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.312951]  fff00000c7001480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.312993] >fff00000c7001500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.313031]                    ^
[ 17.313059]  fff00000c7001580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.313100]  fff00000c7001600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.313139] ==================================================================
```
qemu-x86_64:

```text
[ 13.819949] ==================================================================
[ 13.820448] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.820857] Read of size 1 at addr ffff888102ad4700 by task kunit_try_catch/244
[ 13.821709]
[ 13.821937] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.822092] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.822108] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.822131] Call Trace:
[ 13.822144]  <TASK>
[ 13.822160]  dump_stack_lvl+0x73/0xb0
[ 13.822192]  print_report+0xd1/0x610
[ 13.822214]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.822237]  ? mempool_uaf_helper+0x392/0x400
[ 13.822258]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.822279]  ? mempool_uaf_helper+0x392/0x400
[ 13.822301]  kasan_report+0x141/0x180
[ 13.822322]  ? mempool_uaf_helper+0x392/0x400
[ 13.822348]  __asan_report_load1_noabort+0x18/0x20
[ 13.822383]  mempool_uaf_helper+0x392/0x400
[ 13.822406]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.822429]  ? __kasan_check_write+0x18/0x20
[ 13.822447]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 13.822468]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.822493]  mempool_kmalloc_uaf+0xef/0x140
[ 13.822514]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 13.822538]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 13.822560]  ? __pfx_mempool_kfree+0x10/0x10
[ 13.822584]  ? __pfx_read_tsc+0x10/0x10
[ 13.822604]  ? ktime_get_ts64+0x86/0x230
[ 13.822628]  kunit_try_run_case+0x1a5/0x480
[ 13.822651]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.822673]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.822696]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.822719]  ? __kthread_parkme+0x82/0x180
[ 13.822739]  ? preempt_count_sub+0x50/0x80
[ 13.822761]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.822783]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.822805]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.822828]  kthread+0x337/0x6f0
[ 13.822846]  ? trace_preempt_on+0x20/0xc0
[ 13.822869]  ? __pfx_kthread+0x10/0x10
[ 13.822889]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.822923]  ? calculate_sigpending+0x7b/0xa0
[ 13.822947]  ? __pfx_kthread+0x10/0x10
[ 13.822967]  ret_from_fork+0x116/0x1d0
[ 13.822985]  ? __pfx_kthread+0x10/0x10
[ 13.823004]  ret_from_fork_asm+0x1a/0x30
[ 13.823034]  </TASK>
[ 13.823045]
[ 13.835519] Allocated by task 244:
[ 13.835656]  kasan_save_stack+0x45/0x70
[ 13.835807]  kasan_save_track+0x18/0x40
[ 13.836056]  kasan_save_alloc_info+0x3b/0x50
[ 13.836517]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 13.836799]  remove_element+0x11e/0x190
[ 13.837220]  mempool_alloc_preallocated+0x4d/0x90
[ 13.837644]  mempool_uaf_helper+0x96/0x400
[ 13.838026]  mempool_kmalloc_uaf+0xef/0x140
[ 13.838174]  kunit_try_run_case+0x1a5/0x480
[ 13.838320]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.838898]  kthread+0x337/0x6f0
[ 13.839235]  ret_from_fork+0x116/0x1d0
[ 13.839654]  ret_from_fork_asm+0x1a/0x30
[ 13.840037]
[ 13.840110] Freed by task 244:
[ 13.840224]  kasan_save_stack+0x45/0x70
[ 13.840630]  kasan_save_track+0x18/0x40
[ 13.841048]  kasan_save_free_info+0x3f/0x60
[ 13.841511]  __kasan_mempool_poison_object+0x131/0x1d0
[ 13.842010]  mempool_free+0x2ec/0x380
[ 13.842249]  mempool_uaf_helper+0x11a/0x400
[ 13.842566]  mempool_kmalloc_uaf+0xef/0x140
[ 13.842839]  kunit_try_run_case+0x1a5/0x480
[ 13.843255]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.843651]  kthread+0x337/0x6f0
[ 13.844007]  ret_from_fork+0x116/0x1d0
[ 13.844188]  ret_from_fork_asm+0x1a/0x30
[ 13.844589]
[ 13.844783] The buggy address belongs to the object at ffff888102ad4700
[ 13.844783]  which belongs to the cache kmalloc-128 of size 128
[ 13.845257] The buggy address is located 0 bytes inside of
[ 13.845257]  freed 128-byte region [ffff888102ad4700, ffff888102ad4780)
[ 13.846471]
[ 13.846639] The buggy address belongs to the physical page:
[ 13.847153] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ad4
[ 13.847616] flags: 0x200000000000000(node=0|zone=2)
[ 13.848094] page_type: f5(slab)
[ 13.848457] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.848775] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.849469] page dumped because: kasan: bad access detected
[ 13.849845]
[ 13.849991] Memory state around the buggy address:
[ 13.850313]  ffff888102ad4600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.850943]  ffff888102ad4680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.851361] >ffff888102ad4700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.851574]                    ^
[ 13.851689]  ffff888102ad4780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.851914]  ffff888102ad4800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 13.852193] ==================================================================
[ 13.883945] ==================================================================
[ 13.884435] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.885018] Read of size 1 at addr ffff888103af1240 by task kunit_try_catch/248
[ 13.885318]
[ 13.885533] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.885579] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.885591] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.885613] Call Trace:
[ 13.885626]  <TASK>
[ 13.885640]  dump_stack_lvl+0x73/0xb0
[ 13.885670]  print_report+0xd1/0x610
[ 13.885692]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.885715]  ? mempool_uaf_helper+0x392/0x400
[ 13.885737]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.885758]  ? mempool_uaf_helper+0x392/0x400
[ 13.885780]  kasan_report+0x141/0x180
[ 13.885801]  ? mempool_uaf_helper+0x392/0x400
[ 13.885827]  __asan_report_load1_noabort+0x18/0x20
[ 13.885850]  mempool_uaf_helper+0x392/0x400
[ 13.885872]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.885901]  mempool_slab_uaf+0xea/0x140
[ 13.885937]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 13.885959]  ? schedule+0x7c/0x2e0
[ 13.885980]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 13.886005]  ? __pfx_mempool_free_slab+0x10/0x10
[ 13.886030]  ? __pfx_read_tsc+0x10/0x10
[ 13.886050]  ? ktime_get_ts64+0x86/0x230
[ 13.886074]  kunit_try_run_case+0x1a5/0x480
[ 13.886098]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.886120]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.886143]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.886165]  ? __kthread_parkme+0x82/0x180
[ 13.886185]  ? preempt_count_sub+0x50/0x80
[ 13.886208]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.886232]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.886254]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.886277]  kthread+0x337/0x6f0
[ 13.886296]  ? trace_preempt_on+0x20/0xc0
[ 13.886318]  ? __pfx_kthread+0x10/0x10
[ 13.886338]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.886400]  ? calculate_sigpending+0x7b/0xa0
[ 13.886424]  ? __pfx_kthread+0x10/0x10
[ 13.886445]  ret_from_fork+0x116/0x1d0
[ 13.886463]  ? __pfx_kthread+0x10/0x10
[ 13.886484]  ret_from_fork_asm+0x1a/0x30
[ 13.886515]  </TASK>
[ 13.886525]
[ 13.893919] Allocated by task 248:
[ 13.894374]  kasan_save_stack+0x45/0x70
[ 13.894596]  kasan_save_track+0x18/0x40
[ 13.894990]  kasan_save_alloc_info+0x3b/0x50
[ 13.895219]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 13.895667]  remove_element+0x11e/0x190
[ 13.895885]  mempool_alloc_preallocated+0x4d/0x90
[ 13.896132]  mempool_uaf_helper+0x96/0x400
[ 13.896312]  mempool_slab_uaf+0xea/0x140
[ 13.896612]  kunit_try_run_case+0x1a5/0x480
[ 13.896983]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.897185]  kthread+0x337/0x6f0
[ 13.897307]  ret_from_fork+0x116/0x1d0
[ 13.897438]  ret_from_fork_asm+0x1a/0x30
[ 13.897577]
[ 13.897647] Freed by task 248:
[ 13.897773]  kasan_save_stack+0x45/0x70
[ 13.897975]  kasan_save_track+0x18/0x40
[ 13.898170]  kasan_save_free_info+0x3f/0x60
[ 13.898597]  __kasan_mempool_poison_object+0x131/0x1d0
[ 13.898803]  mempool_free+0x2ec/0x380
[ 13.898972]  mempool_uaf_helper+0x11a/0x400
[ 13.899122]  mempool_slab_uaf+0xea/0x140
[ 13.899262]  kunit_try_run_case+0x1a5/0x480
[ 13.899408]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.900033]  kthread+0x337/0x6f0
[ 13.900227]  ret_from_fork+0x116/0x1d0
[ 13.900528]  ret_from_fork_asm+0x1a/0x30
[ 13.900763]
[ 13.900860] The buggy address belongs to the object at ffff888103af1240
[ 13.900860]  which belongs to the cache test_cache of size 123
[ 13.901466] The buggy address is located 0 bytes inside of
[ 13.901466]  freed 123-byte region [ffff888103af1240, ffff888103af12bb)
[ 13.902171]
[ 13.902247] The buggy address belongs to the physical page:
[ 13.902423] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103af1
[ 13.902781] flags: 0x200000000000000(node=0|zone=2)
[ 13.903057] page_type: f5(slab)
[ 13.903228] raw: 0200000000000000 ffff8881015acc80 dead000000000122 0000000000000000
[ 13.903568] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 13.903796] page dumped because: kasan: bad access detected
[ 13.904051]
[ 13.904142] Memory state around the buggy address:
[ 13.904409]  ffff888103af1100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.904770]  ffff888103af1180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.905012] >ffff888103af1200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 13.905232]                                            ^
[ 13.905402]  ffff888103af1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.905719]  ffff888103af1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.906240] ==================================================================
```