Date
May 15, 2025, 10:38 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 19.957958] ================================================================== [ 19.958108] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 19.958216] Read of size 1 at addr fff00000c1729240 by task kunit_try_catch/231 [ 19.958322] [ 19.958362] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT [ 19.958447] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.958498] Hardware name: linux,dummy-virt (DT) [ 19.958527] Call trace: [ 19.958550] show_stack+0x20/0x38 (C) [ 19.958599] dump_stack_lvl+0x8c/0xd0 [ 19.958916] print_report+0x118/0x608 [ 19.959083] kasan_report+0xdc/0x128 [ 19.959205] __asan_report_load1_noabort+0x20/0x30 [ 19.959334] mempool_uaf_helper+0x314/0x340 [ 19.959476] mempool_slab_uaf+0xc0/0x118 [ 19.959623] kunit_try_run_case+0x170/0x3f0 [ 19.959667] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.959753] kthread+0x328/0x630 [ 19.959918] ret_from_fork+0x10/0x20 [ 19.959974] [ 19.959994] Allocated by task 231: [ 19.960020] kasan_save_stack+0x3c/0x68 [ 19.960291] kasan_save_track+0x20/0x40 [ 19.960366] kasan_save_alloc_info+0x40/0x58 [ 19.960408] __kasan_mempool_unpoison_object+0xbc/0x180 [ 19.960620] remove_element+0x16c/0x1f8 [ 19.960789] mempool_alloc_preallocated+0x58/0xc0 [ 19.960914] mempool_uaf_helper+0xa4/0x340 [ 19.961004] mempool_slab_uaf+0xc0/0x118 [ 19.961101] kunit_try_run_case+0x170/0x3f0 [ 19.961207] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.961250] kthread+0x328/0x630 [ 19.961291] ret_from_fork+0x10/0x20 [ 19.961326] [ 19.961346] Freed by task 231: [ 19.961372] kasan_save_stack+0x3c/0x68 [ 19.961419] kasan_save_track+0x20/0x40 [ 19.961462] kasan_save_free_info+0x4c/0x78 [ 19.961508] __kasan_mempool_poison_object+0xc0/0x150 [ 19.961547] mempool_free+0x28c/0x328 [ 19.961586] mempool_uaf_helper+0x104/0x340 [ 19.961629] mempool_slab_uaf+0xc0/0x118 [ 19.961681] kunit_try_run_case+0x170/0x3f0 [ 19.961726] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.961777] kthread+0x328/0x630 [ 19.961812] ret_from_fork+0x10/0x20 [ 19.961846] [ 19.961865] The buggy address belongs to the object at fff00000c1729240 [ 19.961865] which belongs to the cache test_cache of size 123 [ 19.961933] The buggy address is located 0 bytes inside of [ 19.961933] freed 123-byte region [fff00000c1729240, fff00000c17292bb) [ 19.961992] [ 19.962012] The buggy address belongs to the physical page: [ 19.962066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101729 [ 19.962133] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.962207] page_type: f5(slab) [ 19.962249] raw: 0bfffe0000000000 fff00000c1736a00 dead000000000122 0000000000000000 [ 19.962299] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 19.962356] page dumped because: kasan: bad access detected [ 19.962400] [ 19.962418] Memory state around the buggy address: [ 19.962463] fff00000c1729100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 19.962506] fff00000c1729180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.962548] >fff00000c1729200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 19.962585] ^ [ 19.962625] fff00000c1729280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 19.962667] fff00000c1729300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.962711] ================================================================== [ 19.934765] ================================================================== [ 19.934887] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 19.935059] Read of size 1 at addr fff00000c1718d00 by task kunit_try_catch/227 [ 19.935179] [ 19.935217] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT [ 19.935304] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.935331] Hardware name: linux,dummy-virt (DT) [ 19.935365] Call trace: [ 19.935388] show_stack+0x20/0x38 (C) [ 19.935442] dump_stack_lvl+0x8c/0xd0 [ 19.935515] print_report+0x118/0x608 [ 19.935563] kasan_report+0xdc/0x128 [ 19.935607] __asan_report_load1_noabort+0x20/0x30 [ 19.935658] mempool_uaf_helper+0x314/0x340 [ 19.935702] mempool_kmalloc_uaf+0xc4/0x120 [ 19.935748] kunit_try_run_case+0x170/0x3f0 [ 19.935822] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.935942] kthread+0x328/0x630 [ 19.936008] ret_from_fork+0x10/0x20 [ 19.936190] [ 19.936281] Allocated by task 227: [ 19.936343] kasan_save_stack+0x3c/0x68 [ 19.936431] kasan_save_track+0x20/0x40 [ 19.936579] kasan_save_alloc_info+0x40/0x58 [ 19.936702] __kasan_mempool_unpoison_object+0x11c/0x180 [ 19.936862] remove_element+0x130/0x1f8 [ 19.936920] mempool_alloc_preallocated+0x58/0xc0 [ 19.936959] mempool_uaf_helper+0xa4/0x340 [ 19.936995] mempool_kmalloc_uaf+0xc4/0x120 [ 19.937053] kunit_try_run_case+0x170/0x3f0 [ 19.937089] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.937132] kthread+0x328/0x630 [ 19.937176] ret_from_fork+0x10/0x20 [ 19.937214] [ 19.937232] Freed by task 227: [ 19.937259] kasan_save_stack+0x3c/0x68 [ 19.937370] kasan_save_track+0x20/0x40 [ 19.937534] kasan_save_free_info+0x4c/0x78 [ 19.937698] __kasan_mempool_poison_object+0xc0/0x150 [ 19.937816] mempool_free+0x28c/0x328 [ 19.937965] mempool_uaf_helper+0x104/0x340 [ 19.938093] mempool_kmalloc_uaf+0xc4/0x120 [ 19.938132] kunit_try_run_case+0x170/0x3f0 [ 19.938177] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.938249] kthread+0x328/0x630 [ 19.938286] ret_from_fork+0x10/0x20 [ 19.938323] [ 19.938354] The buggy address belongs to the object at fff00000c1718d00 [ 19.938354] which belongs to the cache kmalloc-128 of size 128 [ 19.938421] The buggy address is located 0 bytes inside of [ 19.938421] freed 128-byte region [fff00000c1718d00, fff00000c1718d80) [ 19.938481] [ 19.938501] The buggy address belongs to the physical page: [ 19.938534] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101718 [ 19.938588] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.938663] page_type: f5(slab) [ 19.938706] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.938762] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.938800] page dumped because: kasan: bad access detected [ 19.938832] [ 19.938849] Memory state around the buggy address: [ 19.938883] fff00000c1718c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.938925] fff00000c1718c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.938980] >fff00000c1718d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.939061] ^ [ 19.939118] fff00000c1718d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.939187] fff00000c1718e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 19.939279] ==================================================================
[ 15.805408] ================================================================== [ 15.806446] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.807328] Read of size 1 at addr ffff888102b6a240 by task kunit_try_catch/249 [ 15.807655] [ 15.807821] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT(voluntary) [ 15.807982] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.808011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.808054] Call Trace: [ 15.808084] <TASK> [ 15.808122] dump_stack_lvl+0x73/0xb0 [ 15.808189] print_report+0xd1/0x650 [ 15.808256] ? __virt_addr_valid+0x1db/0x2d0 [ 15.808312] ? mempool_uaf_helper+0x392/0x400 [ 15.808353] ? kasan_complete_mode_report_info+0x64/0x200 [ 15.808405] ? mempool_uaf_helper+0x392/0x400 [ 15.808652] kasan_report+0x141/0x180 [ 15.808718] ? mempool_uaf_helper+0x392/0x400 [ 15.808780] __asan_report_load1_noabort+0x18/0x20 [ 15.808818] mempool_uaf_helper+0x392/0x400 [ 15.808858] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.808916] ? __pfx_sched_clock_cpu+0x10/0x10 [ 15.808947] ? finish_task_switch.isra.0+0x153/0x700 [ 15.808976] mempool_slab_uaf+0xea/0x140 [ 15.808999] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 15.809023] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 15.809048] ? __pfx_mempool_free_slab+0x10/0x10 [ 15.809072] ? __pfx_read_tsc+0x10/0x10 [ 15.809095] ? ktime_get_ts64+0x86/0x230 [ 15.809123] kunit_try_run_case+0x1a5/0x480 [ 15.809152] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.809175] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.809200] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.809245] ? __kthread_parkme+0x82/0x180 [ 15.809272] ? preempt_count_sub+0x50/0x80 [ 15.809297] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.809322] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.809346] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.809370] kthread+0x337/0x6f0 [ 15.809391] ? trace_preempt_on+0x20/0xc0 [ 15.809417] ? __pfx_kthread+0x10/0x10 [ 15.809438] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.809465] ? calculate_sigpending+0x7b/0xa0 [ 15.809512] ? __pfx_kthread+0x10/0x10 [ 15.809546] ret_from_fork+0x116/0x1d0 [ 15.809576] ? __pfx_kthread+0x10/0x10 [ 15.809619] ret_from_fork_asm+0x1a/0x30 [ 15.809655] </TASK> [ 15.809669] [ 15.821046] Allocated by task 249: [ 15.821208] kasan_save_stack+0x45/0x70 [ 15.822388] kasan_save_track+0x18/0x40 [ 15.822601] kasan_save_alloc_info+0x3b/0x50 [ 15.822752] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 15.824219] remove_element+0x11e/0x190 [ 15.824681] mempool_alloc_preallocated+0x4d/0x90 [ 15.824988] mempool_uaf_helper+0x96/0x400 [ 15.825219] mempool_slab_uaf+0xea/0x140 [ 15.825436] kunit_try_run_case+0x1a5/0x480 [ 15.825664] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.825983] kthread+0x337/0x6f0 [ 15.826186] ret_from_fork+0x116/0x1d0 [ 15.826423] ret_from_fork_asm+0x1a/0x30 [ 15.826621] [ 15.826731] Freed by task 249: [ 15.826885] kasan_save_stack+0x45/0x70 [ 15.827177] kasan_save_track+0x18/0x40 [ 15.827517] kasan_save_free_info+0x3f/0x60 [ 15.827922] __kasan_mempool_poison_object+0x131/0x1d0 [ 15.829068] mempool_free+0x2ec/0x380 [ 15.829398] mempool_uaf_helper+0x11a/0x400 [ 15.829908] mempool_slab_uaf+0xea/0x140 [ 15.830174] kunit_try_run_case+0x1a5/0x480 [ 15.830738] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.831137] kthread+0x337/0x6f0 [ 15.831357] ret_from_fork+0x116/0x1d0 [ 15.832050] ret_from_fork_asm+0x1a/0x30 [ 15.832450] [ 15.832892] The buggy address belongs to the object at ffff888102b6a240 [ 15.832892] which belongs to the cache test_cache of size 123 [ 15.833781] The buggy address is located 0 bytes inside of [ 15.833781] freed 123-byte region [ffff888102b6a240, ffff888102b6a2bb) [ 15.834429] [ 15.834853] The buggy address belongs to the physical page: [ 15.835262] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b6a [ 15.835667] flags: 0x200000000000000(node=0|zone=2) [ 15.835922] page_type: f5(slab) [ 15.836203] raw: 0200000000000000 ffff8881009b3dc0 dead000000000122 0000000000000000 [ 15.837285] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 15.837933] page dumped because: kasan: bad access detected [ 15.838510] [ 15.838857] Memory state around the buggy address: [ 15.839293] ffff888102b6a100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 15.840160] ffff888102b6a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.840631] >ffff888102b6a200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 15.841069] ^ [ 15.841604] ffff888102b6a280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 15.842014] ffff888102b6a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.842342] ================================================================== [ 15.731092] ================================================================== [ 15.731578] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.732529] Read of size 1 at addr ffff88810231a200 by task kunit_try_catch/245 [ 15.732934] [ 15.733386] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT(voluntary) [ 15.733493] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.733515] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.733554] Call Trace: [ 15.733576] <TASK> [ 15.733608] dump_stack_lvl+0x73/0xb0 [ 15.733660] print_report+0xd1/0x650 [ 15.733702] ? __virt_addr_valid+0x1db/0x2d0 [ 15.733744] ? mempool_uaf_helper+0x392/0x400 [ 15.733777] ? kasan_complete_mode_report_info+0x64/0x200 [ 15.733817] ? mempool_uaf_helper+0x392/0x400 [ 15.733857] kasan_report+0x141/0x180 [ 15.733899] ? mempool_uaf_helper+0x392/0x400 [ 15.733949] __asan_report_load1_noabort+0x18/0x20 [ 15.733983] mempool_uaf_helper+0x392/0x400 [ 15.734025] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.734070] ? __pfx_sched_clock_cpu+0x10/0x10 [ 15.734109] ? irqentry_exit+0x2a/0x60 [ 15.734150] mempool_kmalloc_uaf+0xef/0x140 [ 15.734185] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 15.734212] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 15.734265] ? __pfx_mempool_kmalloc+0x10/0x10 [ 15.734298] ? __pfx_mempool_kfree+0x10/0x10 [ 15.734342] ? __pfx_read_tsc+0x10/0x10 [ 15.734383] ? ktime_get_ts64+0x86/0x230 [ 15.734433] kunit_try_run_case+0x1a5/0x480 [ 15.734473] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.734563] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.734642] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.734686] ? __kthread_parkme+0x82/0x180 [ 15.734717] ? preempt_count_sub+0x50/0x80 [ 15.734741] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.734763] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.734785] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.734806] kthread+0x337/0x6f0 [ 15.734825] ? trace_preempt_on+0x20/0xc0 [ 15.734848] ? __pfx_kthread+0x10/0x10 [ 15.734867] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.734887] ? calculate_sigpending+0x7b/0xa0 [ 15.734910] ? __pfx_kthread+0x10/0x10 [ 15.734930] ret_from_fork+0x116/0x1d0 [ 15.734948] ? __pfx_kthread+0x10/0x10 [ 15.734966] ret_from_fork_asm+0x1a/0x30 [ 15.734996] </TASK> [ 15.735010] [ 15.745304] Allocated by task 245: [ 15.745489] kasan_save_stack+0x45/0x70 [ 15.745688] kasan_save_track+0x18/0x40 [ 15.745859] kasan_save_alloc_info+0x3b/0x50 [ 15.746031] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 15.746406] remove_element+0x11e/0x190 [ 15.746693] mempool_alloc_preallocated+0x4d/0x90 [ 15.747038] mempool_uaf_helper+0x96/0x400 [ 15.747945] mempool_kmalloc_uaf+0xef/0x140 [ 15.748292] kunit_try_run_case+0x1a5/0x480 [ 15.748759] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.749002] kthread+0x337/0x6f0 [ 15.749168] ret_from_fork+0x116/0x1d0 [ 15.749899] ret_from_fork_asm+0x1a/0x30 [ 15.750252] [ 15.750423] Freed by task 245: [ 15.750839] kasan_save_stack+0x45/0x70 [ 15.751156] kasan_save_track+0x18/0x40 [ 15.751351] kasan_save_free_info+0x3f/0x60 [ 15.751792] __kasan_mempool_poison_object+0x131/0x1d0 [ 15.752062] mempool_free+0x2ec/0x380 [ 15.752325] mempool_uaf_helper+0x11a/0x400 [ 15.752662] mempool_kmalloc_uaf+0xef/0x140 [ 15.752996] kunit_try_run_case+0x1a5/0x480 [ 15.753230] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.753434] kthread+0x337/0x6f0 [ 15.755448] ret_from_fork+0x116/0x1d0 [ 15.756250] ret_from_fork_asm+0x1a/0x30 [ 15.757153] [ 15.757638] The buggy address belongs to the object at ffff88810231a200 [ 15.757638] which belongs to the cache kmalloc-128 of size 128 [ 15.759663] The buggy address is located 0 bytes inside of [ 15.759663] freed 128-byte region [ffff88810231a200, ffff88810231a280) [ 15.760197] [ 15.760326] The buggy address belongs to the physical page: [ 15.760604] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10231a [ 15.760933] flags: 0x200000000000000(node=0|zone=2) [ 15.761923] page_type: f5(slab) [ 15.762183] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 15.762647] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.763147] page dumped because: kasan: bad access detected [ 15.763356] [ 15.764034] Memory state around the buggy address: [ 15.764366] ffff88810231a100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.764801] ffff88810231a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.765268] >ffff88810231a200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.765546] ^ [ 15.765790] ffff88810231a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.766030] ffff88810231a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 15.766504] ==================================================================