Date
July 13, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.945002] ================================================================== [ 17.945062] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.945113] Read of size 1 at addr fff00000c58c2240 by task kunit_try_catch/232 [ 17.945161] [ 17.945192] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.945389] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.945477] Hardware name: linux,dummy-virt (DT) [ 17.945511] Call trace: [ 17.945561] show_stack+0x20/0x38 (C) [ 17.945613] dump_stack_lvl+0x8c/0xd0 [ 17.945698] print_report+0x118/0x5d0 [ 17.945743] kasan_report+0xdc/0x128 [ 17.945839] __asan_report_load1_noabort+0x20/0x30 [ 17.945888] mempool_uaf_helper+0x314/0x340 [ 17.945934] mempool_slab_uaf+0xc0/0x118 [ 17.945977] kunit_try_run_case+0x170/0x3f0 [ 17.946024] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.946074] kthread+0x328/0x630 [ 17.946143] ret_from_fork+0x10/0x20 [ 17.946188] [ 17.946219] Allocated by task 232: [ 17.946247] kasan_save_stack+0x3c/0x68 [ 17.946286] kasan_save_track+0x20/0x40 [ 17.946367] kasan_save_alloc_info+0x40/0x58 [ 17.946406] __kasan_mempool_unpoison_object+0xbc/0x180 [ 17.946448] remove_element+0x16c/0x1f8 [ 17.946512] mempool_alloc_preallocated+0x58/0xc0 [ 17.946588] mempool_uaf_helper+0xa4/0x340 [ 17.946655] mempool_slab_uaf+0xc0/0x118 [ 17.946718] kunit_try_run_case+0x170/0x3f0 [ 17.946775] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.946820] kthread+0x328/0x630 [ 17.946893] ret_from_fork+0x10/0x20 [ 17.946938] [ 17.946956] Freed by task 232: [ 17.946980] kasan_save_stack+0x3c/0x68 [ 17.947017] kasan_save_track+0x20/0x40 [ 17.947052] kasan_save_free_info+0x4c/0x78 [ 17.947101] __kasan_mempool_poison_object+0xc0/0x150 [ 17.947143] mempool_free+0x28c/0x328 [ 17.947176] mempool_uaf_helper+0x104/0x340 [ 17.947223] mempool_slab_uaf+0xc0/0x118 [ 17.947257] kunit_try_run_case+0x170/0x3f0 [ 17.947295] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.947356] kthread+0x328/0x630 [ 17.947388] ret_from_fork+0x10/0x20 [ 17.947422] [ 17.947461] The buggy address belongs to the object at fff00000c58c2240 [ 17.947461] which belongs to the cache test_cache of size 123 [ 17.947521] The buggy address is located 0 bytes inside of [ 17.947521] freed 123-byte region [fff00000c58c2240, fff00000c58c22bb) [ 17.947602] [ 17.947639] The buggy address belongs to the physical page: [ 17.947672] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058c2 [ 17.947866] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.947947] page_type: f5(slab) [ 17.948088] raw: 0bfffe0000000000 fff00000c708c640 dead000000000122 0000000000000000 [ 17.948154] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 17.948342] page dumped because: kasan: bad access detected [ 17.948458] [ 17.948546] Memory state around the buggy address: [ 17.948615] fff00000c58c2100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.948660] fff00000c58c2180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.948713] >fff00000c58c2200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 17.948752] ^ [ 17.948789] fff00000c58c2280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.948832] fff00000c58c2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.949224] ================================================================== [ 17.921643] ================================================================== [ 17.921713] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.921775] Read of size 1 at addr fff00000c5866e00 by task kunit_try_catch/228 [ 17.921826] [ 17.921867] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.921953] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.921979] Hardware name: linux,dummy-virt (DT) [ 17.922014] Call trace: [ 17.922037] show_stack+0x20/0x38 (C) [ 17.922088] dump_stack_lvl+0x8c/0xd0 [ 17.922136] print_report+0x118/0x5d0 [ 17.922184] kasan_report+0xdc/0x128 [ 17.922254] __asan_report_load1_noabort+0x20/0x30 [ 17.922305] mempool_uaf_helper+0x314/0x340 [ 17.922351] mempool_kmalloc_uaf+0xc4/0x120 [ 17.922396] kunit_try_run_case+0x170/0x3f0 [ 17.922444] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.922497] kthread+0x328/0x630 [ 17.922538] ret_from_fork+0x10/0x20 [ 17.922585] [ 17.922604] Allocated by task 228: [ 17.922634] kasan_save_stack+0x3c/0x68 [ 17.922674] kasan_save_track+0x20/0x40 [ 17.922712] kasan_save_alloc_info+0x40/0x58 [ 17.922752] __kasan_mempool_unpoison_object+0x11c/0x180 [ 17.922797] remove_element+0x130/0x1f8 [ 17.922833] mempool_alloc_preallocated+0x58/0xc0 [ 17.922873] mempool_uaf_helper+0xa4/0x340 [ 17.922909] mempool_kmalloc_uaf+0xc4/0x120 [ 17.922946] kunit_try_run_case+0x170/0x3f0 [ 17.922985] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.923029] kthread+0x328/0x630 [ 17.923061] ret_from_fork+0x10/0x20 [ 17.923098] [ 17.923115] Freed by task 228: [ 17.923142] kasan_save_stack+0x3c/0x68 [ 17.923178] kasan_save_track+0x20/0x40 [ 17.923227] kasan_save_free_info+0x4c/0x78 [ 17.923267] __kasan_mempool_poison_object+0xc0/0x150 [ 17.923310] mempool_free+0x28c/0x328 [ 17.923345] mempool_uaf_helper+0x104/0x340 [ 17.923385] mempool_kmalloc_uaf+0xc4/0x120 [ 17.923422] kunit_try_run_case+0x170/0x3f0 [ 17.923460] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.923504] kthread+0x328/0x630 [ 17.923537] ret_from_fork+0x10/0x20 [ 17.923573] [ 17.923592] The buggy address belongs to the object at fff00000c5866e00 [ 17.923592] which belongs to the cache kmalloc-128 of size 128 [ 17.923654] The buggy address is located 0 bytes inside of [ 17.923654] freed 128-byte region [fff00000c5866e00, fff00000c5866e80) [ 17.923718] [ 17.923739] The buggy address belongs to the physical page: [ 17.923773] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105866 [ 17.923830] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.923883] page_type: f5(slab) [ 17.923923] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.923975] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.924015] page dumped because: kasan: bad access detected [ 17.924047] [ 17.924064] Memory state around the buggy address: [ 17.924096] fff00000c5866d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.924170] fff00000c5866d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.924223] >fff00000c5866e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.924262] ^ [ 17.924288] fff00000c5866e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.924331] fff00000c5866f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 17.924371] ==================================================================
[ 18.647085] ================================================================== [ 18.647275] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.647356] Read of size 1 at addr fff00000c5aaee00 by task kunit_try_catch/228 [ 18.647432] [ 18.647467] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.647752] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.647781] Hardware name: linux,dummy-virt (DT) [ 18.647813] Call trace: [ 18.647947] show_stack+0x20/0x38 (C) [ 18.648040] dump_stack_lvl+0x8c/0xd0 [ 18.648113] print_report+0x118/0x5d0 [ 18.648160] kasan_report+0xdc/0x128 [ 18.648217] __asan_report_load1_noabort+0x20/0x30 [ 18.648269] mempool_uaf_helper+0x314/0x340 [ 18.648315] mempool_kmalloc_uaf+0xc4/0x120 [ 18.648361] kunit_try_run_case+0x170/0x3f0 [ 18.648409] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.648501] kthread+0x328/0x630 [ 18.648711] ret_from_fork+0x10/0x20 [ 18.648935] [ 18.648982] Allocated by task 228: [ 18.649027] kasan_save_stack+0x3c/0x68 [ 18.649069] kasan_save_track+0x20/0x40 [ 18.649127] kasan_save_alloc_info+0x40/0x58 [ 18.649503] __kasan_mempool_unpoison_object+0x11c/0x180 [ 18.649782] remove_element+0x130/0x1f8 [ 18.649906] mempool_alloc_preallocated+0x58/0xc0 [ 18.649956] mempool_uaf_helper+0xa4/0x340 [ 18.650001] mempool_kmalloc_uaf+0xc4/0x120 [ 18.650060] kunit_try_run_case+0x170/0x3f0 [ 18.650105] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.650148] kthread+0x328/0x630 [ 18.650547] ret_from_fork+0x10/0x20 [ 18.650590] [ 18.650622] Freed by task 228: [ 18.650650] kasan_save_stack+0x3c/0x68 [ 18.650688] kasan_save_track+0x20/0x40 [ 18.650725] kasan_save_free_info+0x4c/0x78 [ 18.650850] __kasan_mempool_poison_object+0xc0/0x150 [ 18.651134] mempool_free+0x28c/0x328 [ 18.651279] mempool_uaf_helper+0x104/0x340 [ 18.651339] mempool_kmalloc_uaf+0xc4/0x120 [ 18.651382] kunit_try_run_case+0x170/0x3f0 [ 18.651422] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.651467] kthread+0x328/0x630 [ 18.651498] ret_from_fork+0x10/0x20 [ 18.651534] [ 18.651564] The buggy address belongs to the object at fff00000c5aaee00 [ 18.651564] which belongs to the cache kmalloc-128 of size 128 [ 18.651625] The buggy address is located 0 bytes inside of [ 18.651625] freed 128-byte region [fff00000c5aaee00, fff00000c5aaee80) [ 18.651687] [ 18.651822] The buggy address belongs to the physical page: [ 18.651953] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105aae [ 18.652071] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.652122] page_type: f5(slab) [ 18.652278] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.652330] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.652411] page dumped because: kasan: bad access detected [ 18.652497] [ 18.652517] Memory state around the buggy address: [ 18.652605] fff00000c5aaed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.652752] fff00000c5aaed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.652795] >fff00000c5aaee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.652878] ^ [ 18.652906] fff00000c5aaee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.652950] fff00000c5aaef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 18.652994] ================================================================== [ 18.673394] ================================================================== [ 18.673457] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.673510] Read of size 1 at addr fff00000c5ae0240 by task kunit_try_catch/232 [ 18.673573] [ 18.673743] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.673961] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.674108] Hardware name: linux,dummy-virt (DT) [ 18.674197] Call trace: [ 18.674221] show_stack+0x20/0x38 (C) [ 18.674267] dump_stack_lvl+0x8c/0xd0 [ 18.674314] print_report+0x118/0x5d0 [ 18.674358] kasan_report+0xdc/0x128 [ 18.674402] __asan_report_load1_noabort+0x20/0x30 [ 18.674451] mempool_uaf_helper+0x314/0x340 [ 18.674496] mempool_slab_uaf+0xc0/0x118 [ 18.674539] kunit_try_run_case+0x170/0x3f0 [ 18.674584] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.674992] kthread+0x328/0x630 [ 18.675457] ret_from_fork+0x10/0x20 [ 18.675576] [ 18.675757] Allocated by task 232: [ 18.675898] kasan_save_stack+0x3c/0x68 [ 18.675944] kasan_save_track+0x20/0x40 [ 18.676151] kasan_save_alloc_info+0x40/0x58 [ 18.676211] __kasan_mempool_unpoison_object+0xbc/0x180 [ 18.676672] remove_element+0x16c/0x1f8 [ 18.676782] mempool_alloc_preallocated+0x58/0xc0 [ 18.676823] mempool_uaf_helper+0xa4/0x340 [ 18.676863] mempool_slab_uaf+0xc0/0x118 [ 18.677159] kunit_try_run_case+0x170/0x3f0 [ 18.677342] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.677388] kthread+0x328/0x630 [ 18.677421] ret_from_fork+0x10/0x20 [ 18.677456] [ 18.677478] Freed by task 232: [ 18.677506] kasan_save_stack+0x3c/0x68 [ 18.677542] kasan_save_track+0x20/0x40 [ 18.677580] kasan_save_free_info+0x4c/0x78 [ 18.677629] __kasan_mempool_poison_object+0xc0/0x150 [ 18.677674] mempool_free+0x28c/0x328 [ 18.677903] mempool_uaf_helper+0x104/0x340 [ 18.678235] mempool_slab_uaf+0xc0/0x118 [ 18.678342] kunit_try_run_case+0x170/0x3f0 [ 18.678481] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.678526] kthread+0x328/0x630 [ 18.678820] ret_from_fork+0x10/0x20 [ 18.678862] [ 18.678902] The buggy address belongs to the object at fff00000c5ae0240 [ 18.678902] which belongs to the cache test_cache of size 123 [ 18.679131] The buggy address is located 0 bytes inside of [ 18.679131] freed 123-byte region [fff00000c5ae0240, fff00000c5ae02bb) [ 18.679216] [ 18.679236] The buggy address belongs to the physical page: [ 18.679266] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ae0 [ 18.679320] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.679369] page_type: f5(slab) [ 18.679409] raw: 0bfffe0000000000 fff00000c5add000 dead000000000122 0000000000000000 [ 18.679459] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 18.679499] page dumped because: kasan: bad access detected [ 18.679531] [ 18.679548] Memory state around the buggy address: [ 18.679580] fff00000c5ae0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.679630] fff00000c5ae0180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.679673] >fff00000c5ae0200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 18.679711] ^ [ 18.679746] fff00000c5ae0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.679788] fff00000c5ae0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.679835] ==================================================================
[ 14.190356] ================================================================== [ 14.190946] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.191275] Read of size 1 at addr ffff888103434300 by task kunit_try_catch/244 [ 14.191954] [ 14.192090] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.192140] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.192152] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.192176] Call Trace: [ 14.192189] <TASK> [ 14.192206] dump_stack_lvl+0x73/0xb0 [ 14.192240] print_report+0xd1/0x610 [ 14.192264] ? __virt_addr_valid+0x1db/0x2d0 [ 14.192295] ? mempool_uaf_helper+0x392/0x400 [ 14.192318] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.192343] ? mempool_uaf_helper+0x392/0x400 [ 14.192366] kasan_report+0x141/0x180 [ 14.192388] ? mempool_uaf_helper+0x392/0x400 [ 14.192415] __asan_report_load1_noabort+0x18/0x20 [ 14.192468] mempool_uaf_helper+0x392/0x400 [ 14.192491] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.192514] ? update_load_avg+0x1be/0x21b0 [ 14.192540] ? dequeue_entities+0x27e/0x1740 [ 14.192566] ? finish_task_switch.isra.0+0x153/0x700 [ 14.192593] mempool_kmalloc_uaf+0xef/0x140 [ 14.192624] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.192650] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.192676] ? __pfx_mempool_kfree+0x10/0x10 [ 14.192701] ? __pfx_read_tsc+0x10/0x10 [ 14.192724] ? ktime_get_ts64+0x86/0x230 [ 14.192750] kunit_try_run_case+0x1a5/0x480 [ 14.192777] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.192800] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.192826] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.192850] ? __kthread_parkme+0x82/0x180 [ 14.192873] ? preempt_count_sub+0x50/0x80 [ 14.192896] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.192921] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.192946] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.192972] kthread+0x337/0x6f0 [ 14.192992] ? trace_preempt_on+0x20/0xc0 [ 14.193016] ? __pfx_kthread+0x10/0x10 [ 14.193037] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.193058] ? calculate_sigpending+0x7b/0xa0 [ 14.193083] ? __pfx_kthread+0x10/0x10 [ 14.193105] ret_from_fork+0x116/0x1d0 [ 14.193124] ? __pfx_kthread+0x10/0x10 [ 14.193145] ret_from_fork_asm+0x1a/0x30 [ 14.193177] </TASK> [ 14.193187] [ 14.201747] Allocated by task 244: [ 14.201922] kasan_save_stack+0x45/0x70 [ 14.202070] kasan_save_track+0x18/0x40 [ 14.202206] kasan_save_alloc_info+0x3b/0x50 [ 14.202430] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 14.202702] remove_element+0x11e/0x190 [ 14.202904] mempool_alloc_preallocated+0x4d/0x90 [ 14.203134] mempool_uaf_helper+0x96/0x400 [ 14.203400] mempool_kmalloc_uaf+0xef/0x140 [ 14.203611] kunit_try_run_case+0x1a5/0x480 [ 14.203854] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.204052] kthread+0x337/0x6f0 [ 14.204171] ret_from_fork+0x116/0x1d0 [ 14.204363] ret_from_fork_asm+0x1a/0x30 [ 14.204752] [ 14.204833] Freed by task 244: [ 14.204944] kasan_save_stack+0x45/0x70 [ 14.205135] kasan_save_track+0x18/0x40 [ 14.205319] kasan_save_free_info+0x3f/0x60 [ 14.205554] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.205764] mempool_free+0x2ec/0x380 [ 14.205990] mempool_uaf_helper+0x11a/0x400 [ 14.206178] mempool_kmalloc_uaf+0xef/0x140 [ 14.206376] kunit_try_run_case+0x1a5/0x480 [ 14.206579] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.206755] kthread+0x337/0x6f0 [ 14.206877] ret_from_fork+0x116/0x1d0 [ 14.207010] ret_from_fork_asm+0x1a/0x30 [ 14.207149] [ 14.207219] The buggy address belongs to the object at ffff888103434300 [ 14.207219] which belongs to the cache kmalloc-128 of size 128 [ 14.207723] The buggy address is located 0 bytes inside of [ 14.207723] freed 128-byte region [ffff888103434300, ffff888103434380) [ 14.208679] [ 14.208778] The buggy address belongs to the physical page: [ 14.209028] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103434 [ 14.209302] flags: 0x200000000000000(node=0|zone=2) [ 14.209644] page_type: f5(slab) [ 14.209931] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 14.210161] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 14.210386] page dumped because: kasan: bad access detected [ 14.210785] [ 14.210933] Memory state around the buggy address: [ 14.211159] ffff888103434200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.211510] ffff888103434280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.211822] >ffff888103434300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.212102] ^ [ 14.212346] ffff888103434380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.212910] ffff888103434400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 14.213149] ================================================================== [ 14.240294] ================================================================== [ 14.241952] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.242286] Read of size 1 at addr ffff8881026d3240 by task kunit_try_catch/248 [ 14.242609] [ 14.242716] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.242761] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.242773] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.242794] Call Trace: [ 14.242807] <TASK> [ 14.242822] dump_stack_lvl+0x73/0xb0 [ 14.242852] print_report+0xd1/0x610 [ 14.242875] ? __virt_addr_valid+0x1db/0x2d0 [ 14.242898] ? mempool_uaf_helper+0x392/0x400 [ 14.242921] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.242946] ? mempool_uaf_helper+0x392/0x400 [ 14.242968] kasan_report+0x141/0x180 [ 14.242990] ? mempool_uaf_helper+0x392/0x400 [ 14.243018] __asan_report_load1_noabort+0x18/0x20 [ 14.243043] mempool_uaf_helper+0x392/0x400 [ 14.243067] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.243089] ? update_load_avg+0x1be/0x21b0 [ 14.243117] ? finish_task_switch.isra.0+0x153/0x700 [ 14.243143] mempool_slab_uaf+0xea/0x140 [ 14.243165] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 14.243192] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 14.243219] ? __pfx_mempool_free_slab+0x10/0x10 [ 14.243246] ? __pfx_read_tsc+0x10/0x10 [ 14.243267] ? ktime_get_ts64+0x86/0x230 [ 14.243291] kunit_try_run_case+0x1a5/0x480 [ 14.243316] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.243340] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.243364] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.243389] ? __kthread_parkme+0x82/0x180 [ 14.243410] ? preempt_count_sub+0x50/0x80 [ 14.243434] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.243622] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.243652] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.243679] kthread+0x337/0x6f0 [ 14.243698] ? trace_preempt_on+0x20/0xc0 [ 14.243723] ? __pfx_kthread+0x10/0x10 [ 14.243744] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.243766] ? calculate_sigpending+0x7b/0xa0 [ 14.243792] ? __pfx_kthread+0x10/0x10 [ 14.243813] ret_from_fork+0x116/0x1d0 [ 14.243832] ? __pfx_kthread+0x10/0x10 [ 14.243853] ret_from_fork_asm+0x1a/0x30 [ 14.243884] </TASK> [ 14.243894] [ 14.251965] Allocated by task 248: [ 14.252093] kasan_save_stack+0x45/0x70 [ 14.252237] kasan_save_track+0x18/0x40 [ 14.252404] kasan_save_alloc_info+0x3b/0x50 [ 14.254368] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 14.254656] remove_element+0x11e/0x190 [ 14.254859] mempool_alloc_preallocated+0x4d/0x90 [ 14.255043] mempool_uaf_helper+0x96/0x400 [ 14.255279] mempool_slab_uaf+0xea/0x140 [ 14.255469] kunit_try_run_case+0x1a5/0x480 [ 14.255645] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.255823] kthread+0x337/0x6f0 [ 14.255988] ret_from_fork+0x116/0x1d0 [ 14.256175] ret_from_fork_asm+0x1a/0x30 [ 14.256377] [ 14.256485] Freed by task 248: [ 14.256609] kasan_save_stack+0x45/0x70 [ 14.256803] kasan_save_track+0x18/0x40 [ 14.256959] kasan_save_free_info+0x3f/0x60 [ 14.257154] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.257324] mempool_free+0x2ec/0x380 [ 14.257831] mempool_uaf_helper+0x11a/0x400 [ 14.258051] mempool_slab_uaf+0xea/0x140 [ 14.258250] kunit_try_run_case+0x1a5/0x480 [ 14.258503] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.258808] kthread+0x337/0x6f0 [ 14.258951] ret_from_fork+0x116/0x1d0 [ 14.259096] ret_from_fork_asm+0x1a/0x30 [ 14.259296] [ 14.259410] The buggy address belongs to the object at ffff8881026d3240 [ 14.259410] which belongs to the cache test_cache of size 123 [ 14.259993] The buggy address is located 0 bytes inside of [ 14.259993] freed 123-byte region [ffff8881026d3240, ffff8881026d32bb) [ 14.260366] [ 14.260476] The buggy address belongs to the physical page: [ 14.260927] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026d3 [ 14.261290] flags: 0x200000000000000(node=0|zone=2) [ 14.261472] page_type: f5(slab) [ 14.261729] raw: 0200000000000000 ffff8881009fcb40 dead000000000122 0000000000000000 [ 14.262053] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 14.262344] page dumped because: kasan: bad access detected [ 14.262693] [ 14.262786] Memory state around the buggy address: [ 14.262997] ffff8881026d3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.263263] ffff8881026d3180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.263661] >ffff8881026d3200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 14.263877] ^ [ 14.264121] ffff8881026d3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.264463] ffff8881026d3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.264982] ==================================================================
[ 14.449206] ================================================================== [ 14.450008] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.451611] Read of size 1 at addr ffff888102b50240 by task kunit_try_catch/249 [ 14.451994] [ 14.452115] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.452172] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.452184] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.452206] Call Trace: [ 14.452218] <TASK> [ 14.452234] dump_stack_lvl+0x73/0xb0 [ 14.452267] print_report+0xd1/0x610 [ 14.452291] ? __virt_addr_valid+0x1db/0x2d0 [ 14.452315] ? mempool_uaf_helper+0x392/0x400 [ 14.452338] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.452362] ? mempool_uaf_helper+0x392/0x400 [ 14.452386] kasan_report+0x141/0x180 [ 14.452409] ? mempool_uaf_helper+0x392/0x400 [ 14.452436] __asan_report_load1_noabort+0x18/0x20 [ 14.452463] mempool_uaf_helper+0x392/0x400 [ 14.452486] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.452513] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.452537] ? finish_task_switch.isra.0+0x153/0x700 [ 14.452564] mempool_slab_uaf+0xea/0x140 [ 14.452587] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 14.452614] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 14.452640] ? __pfx_mempool_free_slab+0x10/0x10 [ 14.452741] ? __pfx_read_tsc+0x10/0x10 [ 14.452766] ? ktime_get_ts64+0x86/0x230 [ 14.452791] kunit_try_run_case+0x1a5/0x480 [ 14.452818] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.452841] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.452866] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.452890] ? __kthread_parkme+0x82/0x180 [ 14.452911] ? preempt_count_sub+0x50/0x80 [ 14.452935] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.452960] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.452985] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.453011] kthread+0x337/0x6f0 [ 14.453030] ? trace_preempt_on+0x20/0xc0 [ 14.453069] ? __pfx_kthread+0x10/0x10 [ 14.453089] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.453112] ? calculate_sigpending+0x7b/0xa0 [ 14.453148] ? __pfx_kthread+0x10/0x10 [ 14.453169] ret_from_fork+0x116/0x1d0 [ 14.453190] ? __pfx_kthread+0x10/0x10 [ 14.453210] ret_from_fork_asm+0x1a/0x30 [ 14.453242] </TASK> [ 14.453252] [ 14.461437] Allocated by task 249: [ 14.461571] kasan_save_stack+0x45/0x70 [ 14.461836] kasan_save_track+0x18/0x40 [ 14.462086] kasan_save_alloc_info+0x3b/0x50 [ 14.462313] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 14.462572] remove_element+0x11e/0x190 [ 14.462892] mempool_alloc_preallocated+0x4d/0x90 [ 14.463136] mempool_uaf_helper+0x96/0x400 [ 14.463296] mempool_slab_uaf+0xea/0x140 [ 14.463438] kunit_try_run_case+0x1a5/0x480 [ 14.463586] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.464150] kthread+0x337/0x6f0 [ 14.464325] ret_from_fork+0x116/0x1d0 [ 14.464520] ret_from_fork_asm+0x1a/0x30 [ 14.464807] [ 14.464900] Freed by task 249: [ 14.465033] kasan_save_stack+0x45/0x70 [ 14.465185] kasan_save_track+0x18/0x40 [ 14.465320] kasan_save_free_info+0x3f/0x60 [ 14.465467] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.465671] mempool_free+0x2ec/0x380 [ 14.465856] mempool_uaf_helper+0x11a/0x400 [ 14.466071] mempool_slab_uaf+0xea/0x140 [ 14.466390] kunit_try_run_case+0x1a5/0x480 [ 14.466541] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.466936] kthread+0x337/0x6f0 [ 14.467122] ret_from_fork+0x116/0x1d0 [ 14.467323] ret_from_fork_asm+0x1a/0x30 [ 14.467517] [ 14.467589] The buggy address belongs to the object at ffff888102b50240 [ 14.467589] which belongs to the cache test_cache of size 123 [ 14.468331] The buggy address is located 0 bytes inside of [ 14.468331] freed 123-byte region [ffff888102b50240, ffff888102b502bb) [ 14.468883] [ 14.468990] The buggy address belongs to the physical page: [ 14.469276] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b50 [ 14.469540] flags: 0x200000000000000(node=0|zone=2) [ 14.469817] page_type: f5(slab) [ 14.469996] raw: 0200000000000000 ffff888101b19dc0 dead000000000122 0000000000000000 [ 14.470355] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 14.470722] page dumped because: kasan: bad access detected [ 14.470894] [ 14.470964] Memory state around the buggy address: [ 14.471304] ffff888102b50100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.471833] ffff888102b50180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.472066] >ffff888102b50200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 14.472334] ^ [ 14.472580] ffff888102b50280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.472978] ffff888102b50300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.473307] ================================================================== [ 14.399550] ================================================================== [ 14.400879] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.401205] Read of size 1 at addr ffff888102594900 by task kunit_try_catch/245 [ 14.401433] [ 14.401529] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.401577] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.401590] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.401612] Call Trace: [ 14.401626] <TASK> [ 14.401643] dump_stack_lvl+0x73/0xb0 [ 14.401676] print_report+0xd1/0x610 [ 14.401699] ? __virt_addr_valid+0x1db/0x2d0 [ 14.401725] ? mempool_uaf_helper+0x392/0x400 [ 14.401748] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.401772] ? mempool_uaf_helper+0x392/0x400 [ 14.401796] kasan_report+0x141/0x180 [ 14.401818] ? mempool_uaf_helper+0x392/0x400 [ 14.401846] __asan_report_load1_noabort+0x18/0x20 [ 14.401871] mempool_uaf_helper+0x392/0x400 [ 14.401895] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.401920] ? __kasan_check_write+0x18/0x20 [ 14.401941] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.401965] ? finish_task_switch.isra.0+0x153/0x700 [ 14.401993] mempool_kmalloc_uaf+0xef/0x140 [ 14.402016] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.402043] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.402080] ? __pfx_mempool_kfree+0x10/0x10 [ 14.402127] ? __pfx_read_tsc+0x10/0x10 [ 14.402150] ? ktime_get_ts64+0x86/0x230 [ 14.402176] kunit_try_run_case+0x1a5/0x480 [ 14.402203] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.402227] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.402253] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.402277] ? __kthread_parkme+0x82/0x180 [ 14.402365] ? preempt_count_sub+0x50/0x80 [ 14.402394] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.402420] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.402446] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.402472] kthread+0x337/0x6f0 [ 14.402492] ? trace_preempt_on+0x20/0xc0 [ 14.402518] ? __pfx_kthread+0x10/0x10 [ 14.402539] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.402562] ? calculate_sigpending+0x7b/0xa0 [ 14.402604] ? __pfx_kthread+0x10/0x10 [ 14.402625] ret_from_fork+0x116/0x1d0 [ 14.402685] ? __pfx_kthread+0x10/0x10 [ 14.402714] ret_from_fork_asm+0x1a/0x30 [ 14.402747] </TASK> [ 14.402758] [ 14.411126] Allocated by task 245: [ 14.411330] kasan_save_stack+0x45/0x70 [ 14.411538] kasan_save_track+0x18/0x40 [ 14.411879] kasan_save_alloc_info+0x3b/0x50 [ 14.412116] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 14.412385] remove_element+0x11e/0x190 [ 14.412583] mempool_alloc_preallocated+0x4d/0x90 [ 14.412838] mempool_uaf_helper+0x96/0x400 [ 14.413036] mempool_kmalloc_uaf+0xef/0x140 [ 14.413257] kunit_try_run_case+0x1a5/0x480 [ 14.413406] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.413583] kthread+0x337/0x6f0 [ 14.413705] ret_from_fork+0x116/0x1d0 [ 14.413877] ret_from_fork_asm+0x1a/0x30 [ 14.414084] [ 14.414181] Freed by task 245: [ 14.414345] kasan_save_stack+0x45/0x70 [ 14.414813] kasan_save_track+0x18/0x40 [ 14.414972] kasan_save_free_info+0x3f/0x60 [ 14.415211] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.415460] mempool_free+0x2ec/0x380 [ 14.415616] mempool_uaf_helper+0x11a/0x400 [ 14.415897] mempool_kmalloc_uaf+0xef/0x140 [ 14.416094] kunit_try_run_case+0x1a5/0x480 [ 14.416375] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.416608] kthread+0x337/0x6f0 [ 14.416897] ret_from_fork+0x116/0x1d0 [ 14.417035] ret_from_fork_asm+0x1a/0x30 [ 14.417189] [ 14.417353] The buggy address belongs to the object at ffff888102594900 [ 14.417353] which belongs to the cache kmalloc-128 of size 128 [ 14.417896] The buggy address is located 0 bytes inside of [ 14.417896] freed 128-byte region [ffff888102594900, ffff888102594980) [ 14.418502] [ 14.418597] The buggy address belongs to the physical page: [ 14.418883] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102594 [ 14.419144] flags: 0x200000000000000(node=0|zone=2) [ 14.419313] page_type: f5(slab) [ 14.419503] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 14.419843] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 14.420190] page dumped because: kasan: bad access detected [ 14.420442] [ 14.420535] Memory state around the buggy address: [ 14.420973] ffff888102594800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.421340] ffff888102594880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.421623] >ffff888102594900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.421905] ^ [ 14.422021] ffff888102594980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.422517] ffff888102594a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 14.423002] ==================================================================