Hay
Date
July 20, 2025, 11:12 p.m.

Environment
qemu-arm64
qemu-x86_64

[   18.558263] ==================================================================
[   18.558341] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.558407] Read of size 1 at addr fff00000c3eddd00 by task kunit_try_catch/227
[   18.558458] 
[   18.558497] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   18.558585] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.558611] Hardware name: linux,dummy-virt (DT)
[   18.558653] Call trace:
[   18.558679]  show_stack+0x20/0x38 (C)
[   18.558729]  dump_stack_lvl+0x8c/0xd0
[   18.558781]  print_report+0x118/0x5d0
[   18.558828]  kasan_report+0xdc/0x128
[   18.558873]  __asan_report_load1_noabort+0x20/0x30
[   18.558940]  mempool_uaf_helper+0x314/0x340
[   18.558987]  mempool_kmalloc_uaf+0xc4/0x120
[   18.559034]  kunit_try_run_case+0x170/0x3f0
[   18.559084]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.559137]  kthread+0x328/0x630
[   18.559181]  ret_from_fork+0x10/0x20
[   18.559230] 
[   18.559250] Allocated by task 227:
[   18.559280]  kasan_save_stack+0x3c/0x68
[   18.559323]  kasan_save_track+0x20/0x40
[   18.559362]  kasan_save_alloc_info+0x40/0x58
[   18.559403]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.559448]  remove_element+0x130/0x1f8
[   18.559486]  mempool_alloc_preallocated+0x58/0xc0
[   18.559526]  mempool_uaf_helper+0xa4/0x340
[   18.559563]  mempool_kmalloc_uaf+0xc4/0x120
[   18.559601]  kunit_try_run_case+0x170/0x3f0
[   18.559640]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.559684]  kthread+0x328/0x630
[   18.559717]  ret_from_fork+0x10/0x20
[   18.559754] 
[   18.559774] Freed by task 227:
[   18.559801]  kasan_save_stack+0x3c/0x68
[   18.559837]  kasan_save_track+0x20/0x40
[   18.559874]  kasan_save_free_info+0x4c/0x78
[   18.559926]  __kasan_mempool_poison_object+0xc0/0x150
[   18.559967]  mempool_free+0x28c/0x328
[   18.560001]  mempool_uaf_helper+0x104/0x340
[   18.560040]  mempool_kmalloc_uaf+0xc4/0x120
[   18.560078]  kunit_try_run_case+0x170/0x3f0
[   18.560115]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.560158]  kthread+0x328/0x630
[   18.560190]  ret_from_fork+0x10/0x20
[   18.560227] 
[   18.560246] The buggy address belongs to the object at fff00000c3eddd00
[   18.560246]  which belongs to the cache kmalloc-128 of size 128
[   18.560305] The buggy address is located 0 bytes inside of
[   18.560305]  freed 128-byte region [fff00000c3eddd00, fff00000c3eddd80)
[   18.560366] 
[   18.560387] The buggy address belongs to the physical page:
[   18.560421] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103edd
[   18.560475] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.560527] page_type: f5(slab)
[   18.560568] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.560621] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.560663] page dumped because: kasan: bad access detected
[   18.560696] 
[   18.560714] Memory state around the buggy address:
[   18.560745]  fff00000c3eddc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.560789]  fff00000c3eddc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.560832] >fff00000c3eddd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.560873]                    ^
[   18.560909]  fff00000c3eddd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.560953]  fff00000c3edde00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.560991] ==================================================================
[   18.593453] ==================================================================
[   18.593527] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.593592] Read of size 1 at addr fff00000c780a240 by task kunit_try_catch/231
[   18.593650] 
[   18.593685] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   18.593816] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.593867] Hardware name: linux,dummy-virt (DT)
[   18.594177] Call trace:
[   18.594218]  show_stack+0x20/0x38 (C)
[   18.594275]  dump_stack_lvl+0x8c/0xd0
[   18.594323]  print_report+0x118/0x5d0
[   18.594408]  kasan_report+0xdc/0x128
[   18.594491]  __asan_report_load1_noabort+0x20/0x30
[   18.594578]  mempool_uaf_helper+0x314/0x340
[   18.594683]  mempool_slab_uaf+0xc0/0x118
[   18.594999]  kunit_try_run_case+0x170/0x3f0
[   18.595453]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.595551]  kthread+0x328/0x630
[   18.595684]  ret_from_fork+0x10/0x20
[   18.595783] 
[   18.595810] Allocated by task 231:
[   18.596159]  kasan_save_stack+0x3c/0x68
[   18.596231]  kasan_save_track+0x20/0x40
[   18.596479]  kasan_save_alloc_info+0x40/0x58
[   18.596618]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.596783]  remove_element+0x16c/0x1f8
[   18.596829]  mempool_alloc_preallocated+0x58/0xc0
[   18.597149]  mempool_uaf_helper+0xa4/0x340
[   18.597235]  mempool_slab_uaf+0xc0/0x118
[   18.597420]  kunit_try_run_case+0x170/0x3f0
[   18.597814]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.597873]  kthread+0x328/0x630
[   18.597919]  ret_from_fork+0x10/0x20
[   18.598216] 
[   18.598549] Freed by task 231:
[   18.598625]  kasan_save_stack+0x3c/0x68
[   18.599016]  kasan_save_track+0x20/0x40
[   18.599243]  kasan_save_free_info+0x4c/0x78
[   18.599301]  __kasan_mempool_poison_object+0xc0/0x150
[   18.599400]  mempool_free+0x28c/0x328
[   18.599447]  mempool_uaf_helper+0x104/0x340
[   18.599494]  mempool_slab_uaf+0xc0/0x118
[   18.599532]  kunit_try_run_case+0x170/0x3f0
[   18.599580]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.599625]  kthread+0x328/0x630
[   18.599659]  ret_from_fork+0x10/0x20
[   18.599695] 
[   18.599726] The buggy address belongs to the object at fff00000c780a240
[   18.599726]  which belongs to the cache test_cache of size 123
[   18.599797] The buggy address is located 0 bytes inside of
[   18.599797]  freed 123-byte region [fff00000c780a240, fff00000c780a2bb)
[   18.599859] 
[   18.599879] The buggy address belongs to the physical page:
[   18.599925] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10780a
[   18.599987] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.600050] page_type: f5(slab)
[   18.600105] raw: 0bfffe0000000000 fff00000c7882140 dead000000000122 0000000000000000
[   18.600177] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   18.600219] page dumped because: kasan: bad access detected
[   18.600250] 
[   18.600268] Memory state around the buggy address:
[   18.600317]  fff00000c780a100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.600369]  fff00000c780a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.600422] >fff00000c780a200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.600469]                                            ^
[   18.600508]  fff00000c780a280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.600550]  fff00000c780a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.600589] ==================================================================

[   18.674660] ==================================================================
[   18.674782] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.674853] Read of size 1 at addr fff00000c5b4c500 by task kunit_try_catch/227
[   18.674927] 
[   18.675001] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   18.675088] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.675116] Hardware name: linux,dummy-virt (DT)
[   18.675159] Call trace:
[   18.675184]  show_stack+0x20/0x38 (C)
[   18.675240]  dump_stack_lvl+0x8c/0xd0
[   18.675292]  print_report+0x118/0x5d0
[   18.675355]  kasan_report+0xdc/0x128
[   18.675744]  __asan_report_load1_noabort+0x20/0x30
[   18.675835]  mempool_uaf_helper+0x314/0x340
[   18.675885]  mempool_kmalloc_uaf+0xc4/0x120
[   18.675932]  kunit_try_run_case+0x170/0x3f0
[   18.675983]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.676036]  kthread+0x328/0x630
[   18.676137]  ret_from_fork+0x10/0x20
[   18.676192] 
[   18.676213] Allocated by task 227:
[   18.676304]  kasan_save_stack+0x3c/0x68
[   18.676365]  kasan_save_track+0x20/0x40
[   18.676404]  kasan_save_alloc_info+0x40/0x58
[   18.676450]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.676495]  remove_element+0x130/0x1f8
[   18.677013]  mempool_alloc_preallocated+0x58/0xc0
[   18.677185]  mempool_uaf_helper+0xa4/0x340
[   18.677613]  mempool_kmalloc_uaf+0xc4/0x120
[   18.677837]  kunit_try_run_case+0x170/0x3f0
[   18.677944]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.678081]  kthread+0x328/0x630
[   18.678118]  ret_from_fork+0x10/0x20
[   18.678187] 
[   18.678389] Freed by task 227:
[   18.678466]  kasan_save_stack+0x3c/0x68
[   18.678659]  kasan_save_track+0x20/0x40
[   18.678714]  kasan_save_free_info+0x4c/0x78
[   18.678753]  __kasan_mempool_poison_object+0xc0/0x150
[   18.678795]  mempool_free+0x28c/0x328
[   18.678831]  mempool_uaf_helper+0x104/0x340
[   18.678868]  mempool_kmalloc_uaf+0xc4/0x120
[   18.678904]  kunit_try_run_case+0x170/0x3f0
[   18.678963]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.679017]  kthread+0x328/0x630
[   18.679050]  ret_from_fork+0x10/0x20
[   18.679085] 
[   18.679116] The buggy address belongs to the object at fff00000c5b4c500
[   18.679116]  which belongs to the cache kmalloc-128 of size 128
[   18.679178] The buggy address is located 0 bytes inside of
[   18.679178]  freed 128-byte region [fff00000c5b4c500, fff00000c5b4c580)
[   18.679240] 
[   18.679268] The buggy address belongs to the physical page:
[   18.679328] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b4c
[   18.679392] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.679446] page_type: f5(slab)
[   18.679498] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.679549] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.679611] page dumped because: kasan: bad access detected
[   18.680097] 
[   18.680488] Memory state around the buggy address:
[   18.680562]  fff00000c5b4c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.680798]  fff00000c5b4c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.680865] >fff00000c5b4c500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.681046]                    ^
[   18.681091]  fff00000c5b4c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.681150]  fff00000c5b4c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.681195] ==================================================================
[   18.744220] ==================================================================
[   18.744306] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.744374] Read of size 1 at addr fff00000c5b44240 by task kunit_try_catch/231
[   18.744427] 
[   18.744465] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   18.744554] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.744580] Hardware name: linux,dummy-virt (DT)
[   18.744630] Call trace:
[   18.744656]  show_stack+0x20/0x38 (C)
[   18.744708]  dump_stack_lvl+0x8c/0xd0
[   18.744756]  print_report+0x118/0x5d0
[   18.744805]  kasan_report+0xdc/0x128
[   18.744852]  __asan_report_load1_noabort+0x20/0x30
[   18.744904]  mempool_uaf_helper+0x314/0x340
[   18.744960]  mempool_slab_uaf+0xc0/0x118
[   18.745005]  kunit_try_run_case+0x170/0x3f0
[   18.745055]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.745109]  kthread+0x328/0x630
[   18.745151]  ret_from_fork+0x10/0x20
[   18.745200] 
[   18.745221] Allocated by task 231:
[   18.745250]  kasan_save_stack+0x3c/0x68
[   18.745292]  kasan_save_track+0x20/0x40
[   18.745331]  kasan_save_alloc_info+0x40/0x58
[   18.745371]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.745415]  remove_element+0x16c/0x1f8
[   18.745453]  mempool_alloc_preallocated+0x58/0xc0
[   18.745493]  mempool_uaf_helper+0xa4/0x340
[   18.745531]  mempool_slab_uaf+0xc0/0x118
[   18.745568]  kunit_try_run_case+0x170/0x3f0
[   18.745607]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.746226]  kthread+0x328/0x630
[   18.746263]  ret_from_fork+0x10/0x20
[   18.746314] 
[   18.746334] Freed by task 231:
[   18.746365]  kasan_save_stack+0x3c/0x68
[   18.746418]  kasan_save_track+0x20/0x40
[   18.746467]  kasan_save_free_info+0x4c/0x78
[   18.746507]  __kasan_mempool_poison_object+0xc0/0x150
[   18.746552]  mempool_free+0x28c/0x328
[   18.746589]  mempool_uaf_helper+0x104/0x340
[   18.746637]  mempool_slab_uaf+0xc0/0x118
[   18.746677]  kunit_try_run_case+0x170/0x3f0
[   18.746716]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.746760]  kthread+0x328/0x630
[   18.746794]  ret_from_fork+0x10/0x20
[   18.746832] 
[   18.746851] The buggy address belongs to the object at fff00000c5b44240
[   18.746851]  which belongs to the cache test_cache of size 123
[   18.746913] The buggy address is located 0 bytes inside of
[   18.746913]  freed 123-byte region [fff00000c5b44240, fff00000c5b442bb)
[   18.746977] 
[   18.746999] The buggy address belongs to the physical page:
[   18.747032] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b44
[   18.747087] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.747138] page_type: f5(slab)
[   18.747182] raw: 0bfffe0000000000 fff00000c6670780 dead000000000122 0000000000000000
[   18.747235] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   18.747277] page dumped because: kasan: bad access detected
[   18.747308] 
[   18.747327] Memory state around the buggy address:
[   18.747360]  fff00000c5b44100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.747405]  fff00000c5b44180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.747448] >fff00000c5b44200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.747487]                                            ^
[   18.747521]  fff00000c5b44280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.747563]  fff00000c5b44300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.747602] ==================================================================

[   14.245650] ==================================================================
[   14.246131] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.247103] Read of size 1 at addr ffff88810315c240 by task kunit_try_catch/249
[   14.247926] 
[   14.248109] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   14.248158] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.248170] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.248195] Call Trace:
[   14.248208]  <TASK>
[   14.248227]  dump_stack_lvl+0x73/0xb0
[   14.248258]  print_report+0xd1/0x610
[   14.248281]  ? __virt_addr_valid+0x1db/0x2d0
[   14.248306]  ? mempool_uaf_helper+0x392/0x400
[   14.248328]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.248351]  ? mempool_uaf_helper+0x392/0x400
[   14.248374]  kasan_report+0x141/0x180
[   14.248409]  ? mempool_uaf_helper+0x392/0x400
[   14.248438]  __asan_report_load1_noabort+0x18/0x20
[   14.248462]  mempool_uaf_helper+0x392/0x400
[   14.248485]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.248511]  ? __pfx_sched_clock_cpu+0x10/0x10
[   14.248535]  ? finish_task_switch.isra.0+0x153/0x700
[   14.248562]  mempool_slab_uaf+0xea/0x140
[   14.248585]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   14.248611]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   14.248637]  ? __pfx_mempool_free_slab+0x10/0x10
[   14.248663]  ? __pfx_read_tsc+0x10/0x10
[   14.248691]  ? ktime_get_ts64+0x86/0x230
[   14.248717]  kunit_try_run_case+0x1a5/0x480
[   14.248744]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.248767]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.248793]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.248817]  ? __kthread_parkme+0x82/0x180
[   14.248838]  ? preempt_count_sub+0x50/0x80
[   14.248862]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.248887]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.248911]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.248936]  kthread+0x337/0x6f0
[   14.248956]  ? trace_preempt_on+0x20/0xc0
[   14.248982]  ? __pfx_kthread+0x10/0x10
[   14.249003]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.249067]  ? calculate_sigpending+0x7b/0xa0
[   14.249094]  ? __pfx_kthread+0x10/0x10
[   14.249116]  ret_from_fork+0x116/0x1d0
[   14.249147]  ? __pfx_kthread+0x10/0x10
[   14.249169]  ret_from_fork_asm+0x1a/0x30
[   14.249203]  </TASK>
[   14.249214] 
[   14.261728] Allocated by task 249:
[   14.261918]  kasan_save_stack+0x45/0x70
[   14.262454]  kasan_save_track+0x18/0x40
[   14.262658]  kasan_save_alloc_info+0x3b/0x50
[   14.262815]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   14.262993]  remove_element+0x11e/0x190
[   14.263136]  mempool_alloc_preallocated+0x4d/0x90
[   14.263297]  mempool_uaf_helper+0x96/0x400
[   14.263958]  mempool_slab_uaf+0xea/0x140
[   14.264374]  kunit_try_run_case+0x1a5/0x480
[   14.264884]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.265315]  kthread+0x337/0x6f0
[   14.265515]  ret_from_fork+0x116/0x1d0
[   14.265697]  ret_from_fork_asm+0x1a/0x30
[   14.265876] 
[   14.265968] Freed by task 249:
[   14.266119]  kasan_save_stack+0x45/0x70
[   14.266300]  kasan_save_track+0x18/0x40
[   14.267014]  kasan_save_free_info+0x3f/0x60
[   14.267618]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.268137]  mempool_free+0x2ec/0x380
[   14.268324]  mempool_uaf_helper+0x11a/0x400
[   14.268534]  mempool_slab_uaf+0xea/0x140
[   14.268963]  kunit_try_run_case+0x1a5/0x480
[   14.269379]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.269801]  kthread+0x337/0x6f0
[   14.269973]  ret_from_fork+0x116/0x1d0
[   14.270336]  ret_from_fork_asm+0x1a/0x30
[   14.270700] 
[   14.270797] The buggy address belongs to the object at ffff88810315c240
[   14.270797]  which belongs to the cache test_cache of size 123
[   14.271597] The buggy address is located 0 bytes inside of
[   14.271597]  freed 123-byte region [ffff88810315c240, ffff88810315c2bb)
[   14.272274] 
[   14.272543] The buggy address belongs to the physical page:
[   14.272946] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10315c
[   14.273422] flags: 0x200000000000000(node=0|zone=2)
[   14.273906] page_type: f5(slab)
[   14.274151] raw: 0200000000000000 ffff8881031533c0 dead000000000122 0000000000000000
[   14.274755] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   14.275526] page dumped because: kasan: bad access detected
[   14.276018] 
[   14.276304] Memory state around the buggy address:
[   14.276546]  ffff88810315c100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.277431]  ffff88810315c180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.278292] >ffff88810315c200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   14.278773]                                            ^
[   14.279013]  ffff88810315c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.279974]  ffff88810315c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.280423] ==================================================================
[   14.182344] ==================================================================
[   14.182832] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.183243] Read of size 1 at addr ffff88810313af00 by task kunit_try_catch/245
[   14.183564] 
[   14.183700] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   14.183748] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.183761] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.183784] Call Trace:
[   14.183798]  <TASK>
[   14.183816]  dump_stack_lvl+0x73/0xb0
[   14.183849]  print_report+0xd1/0x610
[   14.183873]  ? __virt_addr_valid+0x1db/0x2d0
[   14.183897]  ? mempool_uaf_helper+0x392/0x400
[   14.183919]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.183942]  ? mempool_uaf_helper+0x392/0x400
[   14.183964]  kasan_report+0x141/0x180
[   14.183986]  ? mempool_uaf_helper+0x392/0x400
[   14.184073]  __asan_report_load1_noabort+0x18/0x20
[   14.184104]  mempool_uaf_helper+0x392/0x400
[   14.184128]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.184151]  ? kasan_save_track+0x18/0x40
[   14.184171]  ? kasan_save_alloc_info+0x3b/0x50
[   14.184194]  ? kasan_save_stack+0x45/0x70
[   14.184218]  mempool_kmalloc_uaf+0xef/0x140
[   14.184240]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   14.184266]  ? __pfx_mempool_kmalloc+0x10/0x10
[   14.184291]  ? __pfx_mempool_kfree+0x10/0x10
[   14.184316]  ? __pfx_read_tsc+0x10/0x10
[   14.184338]  ? ktime_get_ts64+0x86/0x230
[   14.184366]  kunit_try_run_case+0x1a5/0x480
[   14.184404]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.184428]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.184452]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.184476]  ? __kthread_parkme+0x82/0x180
[   14.184497]  ? preempt_count_sub+0x50/0x80
[   14.184523]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.184547]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.184589]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.184613]  kthread+0x337/0x6f0
[   14.184634]  ? trace_preempt_on+0x20/0xc0
[   14.184658]  ? __pfx_kthread+0x10/0x10
[   14.184683]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.184704]  ? calculate_sigpending+0x7b/0xa0
[   14.184729]  ? __pfx_kthread+0x10/0x10
[   14.184751]  ret_from_fork+0x116/0x1d0
[   14.184771]  ? __pfx_kthread+0x10/0x10
[   14.184791]  ret_from_fork_asm+0x1a/0x30
[   14.184824]  </TASK>
[   14.184835] 
[   14.192907] Allocated by task 245:
[   14.193192]  kasan_save_stack+0x45/0x70
[   14.193414]  kasan_save_track+0x18/0x40
[   14.193609]  kasan_save_alloc_info+0x3b/0x50
[   14.193857]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   14.194188]  remove_element+0x11e/0x190
[   14.194389]  mempool_alloc_preallocated+0x4d/0x90
[   14.194636]  mempool_uaf_helper+0x96/0x400
[   14.194825]  mempool_kmalloc_uaf+0xef/0x140
[   14.195072]  kunit_try_run_case+0x1a5/0x480
[   14.195255]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.195495]  kthread+0x337/0x6f0
[   14.195684]  ret_from_fork+0x116/0x1d0
[   14.195852]  ret_from_fork_asm+0x1a/0x30
[   14.195996] 
[   14.196128] Freed by task 245:
[   14.196244]  kasan_save_stack+0x45/0x70
[   14.196383]  kasan_save_track+0x18/0x40
[   14.196588]  kasan_save_free_info+0x3f/0x60
[   14.196824]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.197131]  mempool_free+0x2ec/0x380
[   14.197322]  mempool_uaf_helper+0x11a/0x400
[   14.197536]  mempool_kmalloc_uaf+0xef/0x140
[   14.197766]  kunit_try_run_case+0x1a5/0x480
[   14.197973]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.198278]  kthread+0x337/0x6f0
[   14.198474]  ret_from_fork+0x116/0x1d0
[   14.198651]  ret_from_fork_asm+0x1a/0x30
[   14.198854] 
[   14.198936] The buggy address belongs to the object at ffff88810313af00
[   14.198936]  which belongs to the cache kmalloc-128 of size 128
[   14.199494] The buggy address is located 0 bytes inside of
[   14.199494]  freed 128-byte region [ffff88810313af00, ffff88810313af80)
[   14.199976] 
[   14.200143] The buggy address belongs to the physical page:
[   14.200385] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10313a
[   14.200753] flags: 0x200000000000000(node=0|zone=2)
[   14.200959] page_type: f5(slab)
[   14.201121] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.201490] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   14.201810] page dumped because: kasan: bad access detected
[   14.202123] 
[   14.202203] Memory state around the buggy address:
[   14.202363]  ffff88810313ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.202619]  ffff88810313ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.202943] >ffff88810313af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.203346]                    ^
[   14.203533]  ffff88810313af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.203813]  ffff88810313b000: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   14.204160] ==================================================================

[   14.272650] ==================================================================
[   14.274110] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.275196] Read of size 1 at addr ffff8881027bc200 by task kunit_try_catch/245
[   14.275976] 
[   14.276083] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   14.276134] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.276158] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.276181] Call Trace:
[   14.276195]  <TASK>
[   14.276213]  dump_stack_lvl+0x73/0xb0
[   14.276244]  print_report+0xd1/0x610
[   14.276268]  ? __virt_addr_valid+0x1db/0x2d0
[   14.276291]  ? mempool_uaf_helper+0x392/0x400
[   14.276312]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.276339]  ? mempool_uaf_helper+0x392/0x400
[   14.276361]  kasan_report+0x141/0x180
[   14.276382]  ? mempool_uaf_helper+0x392/0x400
[   14.276408]  __asan_report_load1_noabort+0x18/0x20
[   14.276432]  mempool_uaf_helper+0x392/0x400
[   14.276454]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.276477]  ? __kasan_check_write+0x18/0x20
[   14.276496]  ? __pfx_sched_clock_cpu+0x10/0x10
[   14.276520]  ? finish_task_switch.isra.0+0x153/0x700
[   14.276548]  mempool_kmalloc_uaf+0xef/0x140
[   14.276572]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   14.276598]  ? __pfx_mempool_kmalloc+0x10/0x10
[   14.276621]  ? __pfx_mempool_kfree+0x10/0x10
[   14.276646]  ? __pfx_read_tsc+0x10/0x10
[   14.276668]  ? ktime_get_ts64+0x86/0x230
[   14.276694]  kunit_try_run_case+0x1a5/0x480
[   14.276719]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.276741]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.276764]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.276786]  ? __kthread_parkme+0x82/0x180
[   14.276809]  ? preempt_count_sub+0x50/0x80
[   14.276832]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.276855]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.276879]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.276903]  kthread+0x337/0x6f0
[   14.276922]  ? trace_preempt_on+0x20/0xc0
[   14.276945]  ? __pfx_kthread+0x10/0x10
[   14.276965]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.276985]  ? calculate_sigpending+0x7b/0xa0
[   14.277010]  ? __pfx_kthread+0x10/0x10
[   14.277031]  ret_from_fork+0x116/0x1d0
[   14.277061]  ? __pfx_kthread+0x10/0x10
[   14.277081]  ret_from_fork_asm+0x1a/0x30
[   14.277113]  </TASK>
[   14.277134] 
[   14.289738] Allocated by task 245:
[   14.290102]  kasan_save_stack+0x45/0x70
[   14.290322]  kasan_save_track+0x18/0x40
[   14.290675]  kasan_save_alloc_info+0x3b/0x50
[   14.291013]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   14.291550]  remove_element+0x11e/0x190
[   14.291722]  mempool_alloc_preallocated+0x4d/0x90
[   14.292291]  mempool_uaf_helper+0x96/0x400
[   14.292642]  mempool_kmalloc_uaf+0xef/0x140
[   14.292845]  kunit_try_run_case+0x1a5/0x480
[   14.293324]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.293528]  kthread+0x337/0x6f0
[   14.293838]  ret_from_fork+0x116/0x1d0
[   14.294029]  ret_from_fork_asm+0x1a/0x30
[   14.294502] 
[   14.294608] Freed by task 245:
[   14.295100]  kasan_save_stack+0x45/0x70
[   14.295321]  kasan_save_track+0x18/0x40
[   14.295727]  kasan_save_free_info+0x3f/0x60
[   14.296175]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.296607]  mempool_free+0x2ec/0x380
[   14.296800]  mempool_uaf_helper+0x11a/0x400
[   14.297140]  mempool_kmalloc_uaf+0xef/0x140
[   14.297337]  kunit_try_run_case+0x1a5/0x480
[   14.297760]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.298269]  kthread+0x337/0x6f0
[   14.298470]  ret_from_fork+0x116/0x1d0
[   14.298653]  ret_from_fork_asm+0x1a/0x30
[   14.299128] 
[   14.299248] The buggy address belongs to the object at ffff8881027bc200
[   14.299248]  which belongs to the cache kmalloc-128 of size 128
[   14.300039] The buggy address is located 0 bytes inside of
[   14.300039]  freed 128-byte region [ffff8881027bc200, ffff8881027bc280)
[   14.300682] 
[   14.301003] The buggy address belongs to the physical page:
[   14.301427] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027bc
[   14.301917] flags: 0x200000000000000(node=0|zone=2)
[   14.302162] page_type: f5(slab)
[   14.302432] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.302749] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.303458] page dumped because: kasan: bad access detected
[   14.303660] 
[   14.303866] Memory state around the buggy address:
[   14.304337]  ffff8881027bc100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.304762]  ffff8881027bc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.305259] >ffff8881027bc200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.305734]                    ^
[   14.305907]  ffff8881027bc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.306526]  ffff8881027bc300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   14.307130] ==================================================================
[   14.343963] ==================================================================
[   14.344642] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.344987] Read of size 1 at addr ffff8881027c0240 by task kunit_try_catch/249
[   14.345275] 
[   14.345468] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   14.345518] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.345530] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.345559] Call Trace:
[   14.345572]  <TASK>
[   14.345593]  dump_stack_lvl+0x73/0xb0
[   14.345625]  print_report+0xd1/0x610
[   14.345669]  ? __virt_addr_valid+0x1db/0x2d0
[   14.345695]  ? mempool_uaf_helper+0x392/0x400
[   14.345801]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.345826]  ? mempool_uaf_helper+0x392/0x400
[   14.345848]  kasan_report+0x141/0x180
[   14.345870]  ? mempool_uaf_helper+0x392/0x400
[   14.345896]  __asan_report_load1_noabort+0x18/0x20
[   14.345920]  mempool_uaf_helper+0x392/0x400
[   14.345953]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.345977]  ? __pfx_sched_clock_cpu+0x10/0x10
[   14.346001]  ? finish_task_switch.isra.0+0x153/0x700
[   14.346027]  mempool_slab_uaf+0xea/0x140
[   14.346201]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   14.346227]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   14.346253]  ? __pfx_mempool_free_slab+0x10/0x10
[   14.346279]  ? __pfx_read_tsc+0x10/0x10
[   14.346301]  ? ktime_get_ts64+0x86/0x230
[   14.346398]  kunit_try_run_case+0x1a5/0x480
[   14.346427]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.346450]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.346475]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.346498]  ? __kthread_parkme+0x82/0x180
[   14.346519]  ? preempt_count_sub+0x50/0x80
[   14.346542]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.346565]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.346588]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.346612]  kthread+0x337/0x6f0
[   14.346631]  ? trace_preempt_on+0x20/0xc0
[   14.346655]  ? __pfx_kthread+0x10/0x10
[   14.346675]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.346697]  ? calculate_sigpending+0x7b/0xa0
[   14.346721]  ? __pfx_kthread+0x10/0x10
[   14.346743]  ret_from_fork+0x116/0x1d0
[   14.346762]  ? __pfx_kthread+0x10/0x10
[   14.346783]  ret_from_fork_asm+0x1a/0x30
[   14.346814]  </TASK>
[   14.346825] 
[   14.359533] Allocated by task 249:
[   14.359704]  kasan_save_stack+0x45/0x70
[   14.360366]  kasan_save_track+0x18/0x40
[   14.360659]  kasan_save_alloc_info+0x3b/0x50
[   14.361043]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   14.361315]  remove_element+0x11e/0x190
[   14.361494]  mempool_alloc_preallocated+0x4d/0x90
[   14.361700]  mempool_uaf_helper+0x96/0x400
[   14.362485]  mempool_slab_uaf+0xea/0x140
[   14.362912]  kunit_try_run_case+0x1a5/0x480
[   14.363256]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.363668]  kthread+0x337/0x6f0
[   14.363837]  ret_from_fork+0x116/0x1d0
[   14.364263]  ret_from_fork_asm+0x1a/0x30
[   14.364752] 
[   14.365080] Freed by task 249:
[   14.365271]  kasan_save_stack+0x45/0x70
[   14.365611]  kasan_save_track+0x18/0x40
[   14.365796]  kasan_save_free_info+0x3f/0x60
[   14.366512]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.366757]  mempool_free+0x2ec/0x380
[   14.367442]  mempool_uaf_helper+0x11a/0x400
[   14.367912]  mempool_slab_uaf+0xea/0x140
[   14.368116]  kunit_try_run_case+0x1a5/0x480
[   14.368570]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.369000]  kthread+0x337/0x6f0
[   14.369187]  ret_from_fork+0x116/0x1d0
[   14.369668]  ret_from_fork_asm+0x1a/0x30
[   14.370221] 
[   14.370337] The buggy address belongs to the object at ffff8881027c0240
[   14.370337]  which belongs to the cache test_cache of size 123
[   14.370813] The buggy address is located 0 bytes inside of
[   14.370813]  freed 123-byte region [ffff8881027c0240, ffff8881027c02bb)
[   14.372094] 
[   14.372207] The buggy address belongs to the physical page:
[   14.372641] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027c0
[   14.373276] flags: 0x200000000000000(node=0|zone=2)
[   14.373636] page_type: f5(slab)
[   14.373802] raw: 0200000000000000 ffff8881027b6140 dead000000000122 0000000000000000
[   14.374684] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   14.375359] page dumped because: kasan: bad access detected
[   14.375671] 
[   14.375911] Memory state around the buggy address:
[   14.376445]  ffff8881027c0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.376757]  ffff8881027c0180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.377342] >ffff8881027c0200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   14.378071]                                            ^
[   14.378349]  ffff8881027c0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.378647]  ffff8881027c0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.379455] ==================================================================
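
All six reports above come from the KASAN KUnit self-test suite rather than from a defect in 6.16.0-rc7 itself: the faulting frame is mempool_uaf_helper, called from the test cases mempool_kmalloc_uaf and mempool_slab_uaf, the task is kunit_try_catch, and the kernel carries the [N]=TEST taint, so each one is a use-after-free the test injects on purpose and expects KASAN to catch. Triaging a log like this comes down to checking exactly those markers, confirming the access really lands inside the freed object, and collapsing the repeats (two architectures times two runs) into distinct signatures. The Python below is an added example written for this page, not kernel or test-harness code. It parses the generic-mode report format, takes the caller of the faulting function from the call trace (the KUnit case here), locates the shadow byte for the faulting address from the "Memory state" rows by address arithmetic rather than by the '^' caret (0xfa and 0xfb mark a freed slab object and 0xfc a redzone in mm/kasan/kasan.h), and runs over a constructed excerpt of two of the reports above with most frames elided. The SHADOW table, the dict keys and the helper names are this example's own.

```python
import re
from collections import Counter
# Shadow encodings from mm/kasan/kasan.h (generic mode); one shadow byte covers 8 bytes of memory.
SHADOW = {0x00: "addressable", 0xfa: "SLAB_FREETRACK", 0xfb: "SLAB_FREE", 0xfc: "SLAB_REDZONE"}
DMESG = re.compile(r"^\[\s*\d+\.\d+\]\s?")                             # "[   18.558263] "
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # x86 "? foo+0x.." never matches
ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")          # "Memory state" rows
# Constructed excerpt of two reports from this page (most frames elided): one arm64, one x86_64.
SAMPLE = """\
[   18.558263] ==================================================================
[   18.558341] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.558407] Read of size 1 at addr fff00000c3eddd00 by task kunit_try_catch/227
[   18.558585] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.558653] Call trace:
[   18.558940]  mempool_uaf_helper+0x314/0x340
[   18.558987]  mempool_kmalloc_uaf+0xc4/0x120
[   18.559230] 
[   18.559250] Allocated by task 227:
[   18.559403]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.559448]  remove_element+0x130/0x1f8
[   18.559754] 
[   18.559774] Freed by task 227:
[   18.559926]  __kasan_mempool_poison_object+0xc0/0x150
[   18.559967]  mempool_free+0x28c/0x328
[   18.560227] 
[   18.560246]  which belongs to the cache kmalloc-128 of size 128
[   18.560305]  freed 128-byte region [fff00000c3eddd00, fff00000c3eddd80)
[   18.560832] >fff00000c3eddd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.560991] ==================================================================
[   14.245650] ==================================================================
[   14.246131] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.247103] Read of size 1 at addr ffff88810315c240 by task kunit_try_catch/249
[   14.248158] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.248195] Call Trace:
[   14.248409]  ? mempool_uaf_helper+0x392/0x400
[   14.248462]  mempool_uaf_helper+0x392/0x400
[   14.248562]  mempool_slab_uaf+0xea/0x140
[   14.270797]  which belongs to the cache test_cache of size 123
[   14.271597]  freed 123-byte region [ffff88810315c240, ffff88810315c2bb)
[   14.278292] >ffff88810315c200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   14.280423] ==================================================================
"""

def frames(lines, start):                       # symbols of one indented stack section
    out = []
    for ln in lines[start:]:
        if not ln.startswith(" "):
            break
        if m := FRAME.match(ln):
            out.append(m[1])
    return out

def parse_reports(text):                        # one dict per KASAN report in a dmesg excerpt
    lines = [DMESG.sub("", ln).rstrip() for ln in text.splitlines()]
    reports, r = [], None
    for i, ln in enumerate(lines):
        s = ln.strip()
        if s.startswith("====="):               # the same delimiter opens and closes a report
            if r: reports.append(r)
            r = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", s):
            r = dict(bug=m[1], func=m[2], addr=0, size=0, comm="", taint="", cache="",
                     region=(0, 0), trace=[], alloc=[], free=[], shadow={})
        elif r is None:
            continue
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", s):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), comm=m[4], pid=int(m[5]))
        elif s.startswith("Tainted: ["):
            r["taint"] = s
        elif re.match(r"Call [Tt]race:|Allocated by task|Freed by task", s):
            r[{"C": "trace", "A": "alloc", "F": "free"}[s[0]]] = frames(lines, i + 1)
        elif m := re.search(r"belongs to the cache (\S+) of size \d+", s):
            r["cache"] = m[1]
        elif m := re.search(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", s):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif m := ROW.match(s):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    return reports

def site(stack):                                # first alloc/free frame that is not KASAN bookkeeping
    return next((f for f in stack if not re.match(r"(__)?kasan_", f)), "")

def triage(text):                               # per-report checks plus a Counter of distinct signatures
    rows, sigs = [], Counter()
    for r in parse_reports(text):
        t, (lo, hi) = r["trace"], r["region"]
        # Frame right below the faulting function; in the KASAN KUnit suite that is the test case.
        caller = t[t.index(r["func"]) + 1] if r["func"] in t[:-1] else ""
        # Shadow byte for the faulting address: a printed row is 16 bytes, i.e. 128 bytes of memory.
        sb = r["shadow"].get(r["addr"] & ~0x7f, [None] * 16)[(r["addr"] & 0x7f) // 8]
        sig = (r["bug"], r["func"], caller, r["cache"])
        rows.append({"sig": sig,
                     # [N]=TEST plus the kunit_try_catch task: a failure the KUnit suite injects on purpose
                     "self_test": "[N]=TEST" in r["taint"] and r["comm"] == "kunit_try_catch",
                     "in_freed_region": lo <= r["addr"] and r["addr"] + r["size"] <= hi,
                     "shadow": "?" if sb is None else SHADOW.get(sb, f"0x{sb:02x}"),
                     "alloc_site": site(r["alloc"]), "free_site": site(r["free"])})
        sigs[sig] += 1
    return rows, sigs
```

Run over the full log above, triage() reduces the six reports to the two signatures (mempool_uaf_helper via mempool_kmalloc_uaf on kmalloc-128, and via mempool_slab_uaf on test_cache), with every report flagged as a self-test and every faulting address sitting on an 0xfa granule inside the freed region. A report whose shadow byte decoded to "addressable", or whose address fell outside the region KASAN attributed it to, would be the one worth a second look.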