Date
July 17, 2025, 11:10 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 17.528349] ==================================================================
[ 17.528517] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.528672] Read of size 1 at addr fff00000c793d240 by task kunit_try_catch/232
[ 17.528722]
[ 17.528913] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.529027] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.529054] Hardware name: linux,dummy-virt (DT)
[ 17.529101] Call trace:
[ 17.529176]  show_stack+0x20/0x38 (C)
[ 17.529551]  dump_stack_lvl+0x8c/0xd0
[ 17.529646]  print_report+0x118/0x5d0
[ 17.529724]  kasan_report+0xdc/0x128
[ 17.529770]  __asan_report_load1_noabort+0x20/0x30
[ 17.529821]  mempool_uaf_helper+0x314/0x340
[ 17.529865]  mempool_slab_uaf+0xc0/0x118
[ 17.529910]  kunit_try_run_case+0x170/0x3f0
[ 17.529966]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.530028]  kthread+0x328/0x630
[ 17.530551]  ret_from_fork+0x10/0x20
[ 17.530613]
[ 17.530634] Allocated by task 232:
[ 17.530665]  kasan_save_stack+0x3c/0x68
[ 17.530708]  kasan_save_track+0x20/0x40
[ 17.530758]  kasan_save_alloc_info+0x40/0x58
[ 17.530800]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 17.530999]  remove_element+0x16c/0x1f8
[ 17.531038]  mempool_alloc_preallocated+0x58/0xc0
[ 17.531078]  mempool_uaf_helper+0xa4/0x340
[ 17.531115]  mempool_slab_uaf+0xc0/0x118
[ 17.531633]  kunit_try_run_case+0x170/0x3f0
[ 17.531674]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.531719]  kthread+0x328/0x630
[ 17.532005]  ret_from_fork+0x10/0x20
[ 17.532055]
[ 17.532103] Freed by task 232:
[ 17.532129]  kasan_save_stack+0x3c/0x68
[ 17.532244]  kasan_save_track+0x20/0x40
[ 17.532282]  kasan_save_free_info+0x4c/0x78
[ 17.532322]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.532384]  mempool_free+0x28c/0x328
[ 17.532420]  mempool_uaf_helper+0x104/0x340
[ 17.532458]  mempool_slab_uaf+0xc0/0x118
[ 17.532494]  kunit_try_run_case+0x170/0x3f0
[ 17.532532]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.532641]  kthread+0x328/0x630
[ 17.532675]  ret_from_fork+0x10/0x20
[ 17.532718]
[ 17.532775] The buggy address belongs to the object at fff00000c793d240
[ 17.532775]  which belongs to the cache test_cache of size 123
[ 17.532914] The buggy address is located 0 bytes inside of
[ 17.532914]  freed 123-byte region [fff00000c793d240, fff00000c793d2bb)
[ 17.533015]
[ 17.533036] The buggy address belongs to the physical page:
[ 17.533305] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10793d
[ 17.533364] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.533414] page_type: f5(slab)
[ 17.533451] raw: 0bfffe0000000000 fff00000c78a1500 dead000000000122 0000000000000000
[ 17.533502] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 17.533543] page dumped because: kasan: bad access detected
[ 17.533575]
[ 17.533592] Memory state around the buggy address:
[ 17.533624]  fff00000c793d100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.533971]  fff00000c793d180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.534109] >fff00000c793d200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 17.534195]                                            ^
[ 17.534271]  fff00000c793d280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.534337]  fff00000c793d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.534376] ==================================================================
[ 17.494195] ==================================================================
[ 17.494263] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.494326] Read of size 1 at addr fff00000c786af00 by task kunit_try_catch/228
[ 17.494553]
[ 17.494872] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.495127] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.495155] Hardware name: linux,dummy-virt (DT)
[ 17.495187] Call trace:
[ 17.495209]  show_stack+0x20/0x38 (C)
[ 17.495487]  dump_stack_lvl+0x8c/0xd0
[ 17.495580]  print_report+0x118/0x5d0
[ 17.495705]  kasan_report+0xdc/0x128
[ 17.495851]  __asan_report_load1_noabort+0x20/0x30
[ 17.495903]  mempool_uaf_helper+0x314/0x340
[ 17.495949]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.496006]  kunit_try_run_case+0x170/0x3f0
[ 17.496054]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.496107]  kthread+0x328/0x630
[ 17.496155]  ret_from_fork+0x10/0x20
[ 17.496400]
[ 17.496424] Allocated by task 228:
[ 17.496455]  kasan_save_stack+0x3c/0x68
[ 17.496647]  kasan_save_track+0x20/0x40
[ 17.496808]  kasan_save_alloc_info+0x40/0x58
[ 17.497020]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 17.497103]  remove_element+0x130/0x1f8
[ 17.497243]  mempool_alloc_preallocated+0x58/0xc0
[ 17.497420]  mempool_uaf_helper+0xa4/0x340
[ 17.497458]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.497496]  kunit_try_run_case+0x170/0x3f0
[ 17.497533]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.497583]  kthread+0x328/0x630
[ 17.497651]  ret_from_fork+0x10/0x20
[ 17.497757]
[ 17.497843] Freed by task 228:
[ 17.497964]  kasan_save_stack+0x3c/0x68
[ 17.498019]  kasan_save_track+0x20/0x40
[ 17.498056]  kasan_save_free_info+0x4c/0x78
[ 17.498094]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.498134]  mempool_free+0x28c/0x328
[ 17.498169]  mempool_uaf_helper+0x104/0x340
[ 17.498205]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.498254]  kunit_try_run_case+0x170/0x3f0
[ 17.498597]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.498647]  kthread+0x328/0x630
[ 17.498679]  ret_from_fork+0x10/0x20
[ 17.498716]
[ 17.498736] The buggy address belongs to the object at fff00000c786af00
[ 17.498736]  which belongs to the cache kmalloc-128 of size 128
[ 17.498910] The buggy address is located 0 bytes inside of
[ 17.498910]  freed 128-byte region [fff00000c786af00, fff00000c786af80)
[ 17.498975]
[ 17.499014] The buggy address belongs to the physical page:
[ 17.499191] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786a
[ 17.499263] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.499312] page_type: f5(slab)
[ 17.499352] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.499403] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 17.499450] page dumped because: kasan: bad access detected
[ 17.499788]
[ 17.499807] Memory state around the buggy address:
[ 17.500084]  fff00000c786ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.500174]  fff00000c786ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.500303] >fff00000c786af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.500388]                    ^
[ 17.500511]  fff00000c786af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.500590]  fff00000c786b000: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 17.500693] ==================================================================
```
qemu-x86_64:

```text
[ 14.633940] ==================================================================
[ 14.634870] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.635973] Read of size 1 at addr ffff8881039b8240 by task kunit_try_catch/248
[ 14.636424]
[ 14.636524] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 14.636582] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.636595] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.636618] Call Trace:
[ 14.636632]  <TASK>
[ 14.636648]  dump_stack_lvl+0x73/0xb0
[ 14.636681]  print_report+0xd1/0x610
[ 14.636705]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.636728]  ? mempool_uaf_helper+0x392/0x400
[ 14.636751]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.636776]  ? mempool_uaf_helper+0x392/0x400
[ 14.636799]  kasan_report+0x141/0x180
[ 14.636822]  ? mempool_uaf_helper+0x392/0x400
[ 14.636849]  __asan_report_load1_noabort+0x18/0x20
[ 14.636874]  mempool_uaf_helper+0x392/0x400
[ 14.636898]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.636924]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.636948]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.636974]  mempool_slab_uaf+0xea/0x140
[ 14.636998]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 14.637024]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 14.637051]  ? __pfx_mempool_free_slab+0x10/0x10
[ 14.637078]  ? __pfx_read_tsc+0x10/0x10
[ 14.637099]  ? ktime_get_ts64+0x86/0x230
[ 14.637125]  kunit_try_run_case+0x1a5/0x480
[ 14.637150]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.637174]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.637199]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.637224]  ? __kthread_parkme+0x82/0x180
[ 14.637245]  ? preempt_count_sub+0x50/0x80
[ 14.637268]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.637292]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.637317]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.637344]  kthread+0x337/0x6f0
[ 14.637363]  ? trace_preempt_on+0x20/0xc0
[ 14.637386]  ? __pfx_kthread+0x10/0x10
[ 14.637408]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.637429]  ? calculate_sigpending+0x7b/0xa0
[ 14.637454]  ? __pfx_kthread+0x10/0x10
[ 14.637476]  ret_from_fork+0x116/0x1d0
[ 14.637495]  ? __pfx_kthread+0x10/0x10
[ 14.637516]  ret_from_fork_asm+0x1a/0x30
[ 14.637583]  </TASK>
[ 14.637596]
[ 14.653638] Allocated by task 248:
[ 14.654112]  kasan_save_stack+0x45/0x70
[ 14.654590]  kasan_save_track+0x18/0x40
[ 14.655020]  kasan_save_alloc_info+0x3b/0x50
[ 14.655534]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 14.656115]  remove_element+0x11e/0x190
[ 14.656574]  mempool_alloc_preallocated+0x4d/0x90
[ 14.657080]  mempool_uaf_helper+0x96/0x400
[ 14.657526]  mempool_slab_uaf+0xea/0x140
[ 14.657968]  kunit_try_run_case+0x1a5/0x480
[ 14.658421]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.659068]  kthread+0x337/0x6f0
[ 14.659466]  ret_from_fork+0x116/0x1d0
[ 14.659883]  ret_from_fork_asm+0x1a/0x30
[ 14.660357]
[ 14.660545] Freed by task 248:
[ 14.660919]  kasan_save_stack+0x45/0x70
[ 14.661136]  kasan_save_track+0x18/0x40
[ 14.661277]  kasan_save_free_info+0x3f/0x60
[ 14.661459]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.662066]  mempool_free+0x2ec/0x380
[ 14.662492]  mempool_uaf_helper+0x11a/0x400
[ 14.663072]  mempool_slab_uaf+0xea/0x140
[ 14.663583]  kunit_try_run_case+0x1a5/0x480
[ 14.664012]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.664434]  kthread+0x337/0x6f0
[ 14.664841]  ret_from_fork+0x116/0x1d0
[ 14.665177]  ret_from_fork_asm+0x1a/0x30
[ 14.665356]
[ 14.665457] The buggy address belongs to the object at ffff8881039b8240
[ 14.665457]  which belongs to the cache test_cache of size 123
[ 14.666185] The buggy address is located 0 bytes inside of
[ 14.666185]  freed 123-byte region [ffff8881039b8240, ffff8881039b82bb)
[ 14.666911]
[ 14.667088] The buggy address belongs to the physical page:
[ 14.667300] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039b8
[ 14.668139] flags: 0x200000000000000(node=0|zone=2)
[ 14.668309] page_type: f5(slab)
[ 14.668431] raw: 0200000000000000 ffff8881039b4140 dead000000000122 0000000000000000
[ 14.668882] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 14.669496] page dumped because: kasan: bad access detected
[ 14.670199]
[ 14.670469] Memory state around the buggy address:
[ 14.670711]  ffff8881039b8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.670931]  ffff8881039b8180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.671147] >ffff8881039b8200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 14.671357]                                            ^
[ 14.671528]  ffff8881039b8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.671751]  ffff8881039b8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.671966] ==================================================================
[ 14.564063] ==================================================================
[ 14.565004] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.565532] Read of size 1 at addr ffff8881025cc800 by task kunit_try_catch/244
[ 14.566003]
[ 14.566108] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 14.566154] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.566166] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.566187] Call Trace:
[ 14.566199]  <TASK>
[ 14.566214]  dump_stack_lvl+0x73/0xb0
[ 14.566421]  print_report+0xd1/0x610
[ 14.566450]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.566473]  ? mempool_uaf_helper+0x392/0x400
[ 14.566496]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.566520]  ? mempool_uaf_helper+0x392/0x400
[ 14.566543]  kasan_report+0x141/0x180
[ 14.566578]  ? mempool_uaf_helper+0x392/0x400
[ 14.566605]  __asan_report_load1_noabort+0x18/0x20
[ 14.566631]  mempool_uaf_helper+0x392/0x400
[ 14.566654]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.566679]  ? __kasan_check_write+0x18/0x20
[ 14.566699]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.566721]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.566747]  mempool_kmalloc_uaf+0xef/0x140
[ 14.566770]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 14.566796]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.566820]  ? __pfx_mempool_kfree+0x10/0x10
[ 14.566845]  ? __pfx_read_tsc+0x10/0x10
[ 14.566867]  ? ktime_get_ts64+0x86/0x230
[ 14.566893]  kunit_try_run_case+0x1a5/0x480
[ 14.566917]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.566941]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.566965]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.566990]  ? __kthread_parkme+0x82/0x180
[ 14.567010]  ? preempt_count_sub+0x50/0x80
[ 14.567033]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.567058]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.567083]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.567110]  kthread+0x337/0x6f0
[ 14.567129]  ? trace_preempt_on+0x20/0xc0
[ 14.567152]  ? __pfx_kthread+0x10/0x10
[ 14.567172]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.567194]  ? calculate_sigpending+0x7b/0xa0
[ 14.567218]  ? __pfx_kthread+0x10/0x10
[ 14.567249]  ret_from_fork+0x116/0x1d0
[ 14.567268]  ? __pfx_kthread+0x10/0x10
[ 14.567290]  ret_from_fork_asm+0x1a/0x30
[ 14.567320]  </TASK>
[ 14.567331]
[ 14.582578] Allocated by task 244:
[ 14.582766]  kasan_save_stack+0x45/0x70
[ 14.582974]  kasan_save_track+0x18/0x40
[ 14.583161]  kasan_save_alloc_info+0x3b/0x50
[ 14.583307]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 14.583688]  remove_element+0x11e/0x190
[ 14.583848]  mempool_alloc_preallocated+0x4d/0x90
[ 14.584075]  mempool_uaf_helper+0x96/0x400
[ 14.584280]  mempool_kmalloc_uaf+0xef/0x140
[ 14.584497]  kunit_try_run_case+0x1a5/0x480
[ 14.584679]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.584910]  kthread+0x337/0x6f0
[ 14.585056]  ret_from_fork+0x116/0x1d0
[ 14.585185]  ret_from_fork_asm+0x1a/0x30
[ 14.585320]
[ 14.585403] Freed by task 244:
[ 14.585564]  kasan_save_stack+0x45/0x70
[ 14.585924]  kasan_save_track+0x18/0x40
[ 14.586057]  kasan_save_free_info+0x3f/0x60
[ 14.586200]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.586377]  mempool_free+0x2ec/0x380
[ 14.586740]  mempool_uaf_helper+0x11a/0x400
[ 14.586955]  mempool_kmalloc_uaf+0xef/0x140
[ 14.587160]  kunit_try_run_case+0x1a5/0x480
[ 14.587510]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.587717]  kthread+0x337/0x6f0
[ 14.587895]  ret_from_fork+0x116/0x1d0
[ 14.588088]  ret_from_fork_asm+0x1a/0x30
[ 14.588225]
[ 14.588294] The buggy address belongs to the object at ffff8881025cc800
[ 14.588294]  which belongs to the cache kmalloc-128 of size 128
[ 14.588844] The buggy address is located 0 bytes inside of
[ 14.588844]  freed 128-byte region [ffff8881025cc800, ffff8881025cc880)
[ 14.589443]
[ 14.589516] The buggy address belongs to the physical page:
[ 14.589700] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025cc
[ 14.590080] flags: 0x200000000000000(node=0|zone=2)
[ 14.590316] page_type: f5(slab)
[ 14.590717] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.591062] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.591425] page dumped because: kasan: bad access detected
[ 14.591781]
[ 14.591859] Memory state around the buggy address:
[ 14.592100]  ffff8881025cc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.592475]  ffff8881025cc780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.592910] >ffff8881025cc800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.593153]                    ^
[ 14.593313]  ffff8881025cc880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.593585]  ffff8881025cc900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 14.593792] ==================================================================
```