Hay
Date: June 3, 2025, 7:38 a.m.

Environment: qemu-arm64, qemu-x86_64

[   20.410524] ==================================================================
[   20.410608] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   20.410682] Read of size 1 at addr fff00000c65b1900 by task kunit_try_catch/227
[   20.410735] 
[   20.410793] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT 
[   20.410883] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.410910] Hardware name: linux,dummy-virt (DT)
[   20.410943] Call trace:
[   20.411031]  show_stack+0x20/0x38 (C)
[   20.411085]  dump_stack_lvl+0x8c/0xd0
[   20.411152]  print_report+0x118/0x608
[   20.411205]  kasan_report+0xdc/0x128
[   20.411281]  __asan_report_load1_noabort+0x20/0x30
[   20.411336]  mempool_uaf_helper+0x314/0x340
[   20.411413]  mempool_kmalloc_uaf+0xc4/0x120
[   20.411550]  kunit_try_run_case+0x170/0x3f0
[   20.411601]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.411677]  kthread+0x328/0x630
[   20.411721]  ret_from_fork+0x10/0x20
[   20.411773] 
[   20.412180] Allocated by task 227:
[   20.412292]  kasan_save_stack+0x3c/0x68
[   20.412334]  kasan_save_track+0x20/0x40
[   20.412372]  kasan_save_alloc_info+0x40/0x58
[   20.412408]  __kasan_mempool_unpoison_object+0x11c/0x180
[   20.412464]  remove_element+0x130/0x1f8
[   20.412503]  mempool_alloc_preallocated+0x58/0xc0
[   20.412541]  mempool_uaf_helper+0xa4/0x340
[   20.412576]  mempool_kmalloc_uaf+0xc4/0x120
[   20.412614]  kunit_try_run_case+0x170/0x3f0
[   20.412650]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.412694]  kthread+0x328/0x630
[   20.412726]  ret_from_fork+0x10/0x20
[   20.412762] 
[   20.412780] Freed by task 227:
[   20.412846]  kasan_save_stack+0x3c/0x68
[   20.412885]  kasan_save_track+0x20/0x40
[   20.412921]  kasan_save_free_info+0x4c/0x78
[   20.412998]  __kasan_mempool_poison_object+0xc0/0x150
[   20.413297]  mempool_free+0x28c/0x328
[   20.413332]  mempool_uaf_helper+0x104/0x340
[   20.413369]  mempool_kmalloc_uaf+0xc4/0x120
[   20.413518]  kunit_try_run_case+0x170/0x3f0
[   20.413604]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.413675]  kthread+0x328/0x630
[   20.413723]  ret_from_fork+0x10/0x20
[   20.413769] 
[   20.413801] The buggy address belongs to the object at fff00000c65b1900
[   20.413801]  which belongs to the cache kmalloc-128 of size 128
[   20.413897] The buggy address is located 0 bytes inside of
[   20.413897]  freed 128-byte region [fff00000c65b1900, fff00000c65b1980)
[   20.414016] 
[   20.414068] The buggy address belongs to the physical page:
[   20.414144] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b1
[   20.414216] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.414269] page_type: f5(slab)
[   20.414309] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   20.414358] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.414399] page dumped because: kasan: bad access detected
[   20.414441] 
[   20.414459] Memory state around the buggy address:
[   20.414492]  fff00000c65b1800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.414657]  fff00000c65b1880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.414781] >fff00000c65b1900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.414904]                    ^
[   20.414964]  fff00000c65b1980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.415249]  fff00000c65b1a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.415442] ==================================================================
[   20.431068] ==================================================================
[   20.431135] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   20.431220] Read of size 1 at addr fff00000c58a5240 by task kunit_try_catch/231
[   20.431271] 
[   20.431335] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT 
[   20.431500] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.431599] Hardware name: linux,dummy-virt (DT)
[   20.431660] Call trace:
[   20.431682]  show_stack+0x20/0x38 (C)
[   20.431754]  dump_stack_lvl+0x8c/0xd0
[   20.431802]  print_report+0x118/0x608
[   20.431849]  kasan_report+0xdc/0x128
[   20.431984]  __asan_report_load1_noabort+0x20/0x30
[   20.432033]  mempool_uaf_helper+0x314/0x340
[   20.432110]  mempool_slab_uaf+0xc0/0x118
[   20.432272]  kunit_try_run_case+0x170/0x3f0
[   20.432404]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.432571]  kthread+0x328/0x630
[   20.432674]  ret_from_fork+0x10/0x20
[   20.432835] 
[   20.432874] Allocated by task 231:
[   20.432904]  kasan_save_stack+0x3c/0x68
[   20.433001]  kasan_save_track+0x20/0x40
[   20.433266]  kasan_save_alloc_info+0x40/0x58
[   20.433360]  __kasan_mempool_unpoison_object+0xbc/0x180
[   20.433508]  remove_element+0x16c/0x1f8
[   20.433595]  mempool_alloc_preallocated+0x58/0xc0
[   20.433655]  mempool_uaf_helper+0xa4/0x340
[   20.433938]  mempool_slab_uaf+0xc0/0x118
[   20.434006]  kunit_try_run_case+0x170/0x3f0
[   20.434104]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.434221]  kthread+0x328/0x630
[   20.434306]  ret_from_fork+0x10/0x20
[   20.434393] 
[   20.434500] Freed by task 231:
[   20.434528]  kasan_save_stack+0x3c/0x68
[   20.434566]  kasan_save_track+0x20/0x40
[   20.434774]  kasan_save_free_info+0x4c/0x78
[   20.434858]  __kasan_mempool_poison_object+0xc0/0x150
[   20.434939]  mempool_free+0x28c/0x328
[   20.435064]  mempool_uaf_helper+0x104/0x340
[   20.435143]  mempool_slab_uaf+0xc0/0x118
[   20.435180]  kunit_try_run_case+0x170/0x3f0
[   20.435216]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.435259]  kthread+0x328/0x630
[   20.435290]  ret_from_fork+0x10/0x20
[   20.435324] 
[   20.435343] The buggy address belongs to the object at fff00000c58a5240
[   20.435343]  which belongs to the cache test_cache of size 123
[   20.435445] The buggy address is located 0 bytes inside of
[   20.435445]  freed 123-byte region [fff00000c58a5240, fff00000c58a52bb)
[   20.435505] 
[   20.435526] The buggy address belongs to the physical page:
[   20.435570] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058a5
[   20.435713] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.435790] page_type: f5(slab)
[   20.435885] raw: 0bfffe0000000000 fff00000c65c9640 dead000000000122 0000000000000000
[   20.435973] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   20.436042] page dumped because: kasan: bad access detected
[   20.436072] 
[   20.436091] Memory state around the buggy address:
[   20.436147]  fff00000c58a5100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.436191]  fff00000c58a5180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.436232] >fff00000c58a5200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   20.436555]                                            ^
[   20.436718]  fff00000c58a5280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.436851]  fff00000c58a5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.436917] ==================================================================


[   16.414636] ==================================================================
[   16.415553] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   16.416170] Read of size 1 at addr ffff888103349240 by task kunit_try_catch/248
[   16.416450] 
[   16.416616] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT(voluntary) 
[   16.416723] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.416755] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   16.416805] Call Trace:
[   16.416839]  <TASK>
[   16.416883]  dump_stack_lvl+0x73/0xb0
[   16.416953]  print_report+0xd1/0x650
[   16.417045]  ? __virt_addr_valid+0x1db/0x2d0
[   16.417092]  ? mempool_uaf_helper+0x392/0x400
[   16.417132]  ? kasan_complete_mode_report_info+0x64/0x200
[   16.417172]  ? mempool_uaf_helper+0x392/0x400
[   16.417215]  kasan_report+0x141/0x180
[   16.417262]  ? mempool_uaf_helper+0x392/0x400
[   16.417336]  __asan_report_load1_noabort+0x18/0x20
[   16.417384]  mempool_uaf_helper+0x392/0x400
[   16.417443]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   16.417506]  ? __pfx_sched_clock_cpu+0x10/0x10
[   16.417548]  ? finish_task_switch.isra.0+0x153/0x700
[   16.417628]  mempool_slab_uaf+0xea/0x140
[   16.417693]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   16.417747]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   16.417799]  ? __pfx_mempool_free_slab+0x10/0x10
[   16.417855]  ? __pfx_read_tsc+0x10/0x10
[   16.417908]  ? ktime_get_ts64+0x86/0x230
[   16.417967]  kunit_try_run_case+0x1a5/0x480
[   16.418023]  ? __pfx_kunit_try_run_case+0x10/0x10
[   16.418072]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   16.418129]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   16.418187]  ? __kthread_parkme+0x82/0x180
[   16.418292]  ? preempt_count_sub+0x50/0x80
[   16.418353]  ? __pfx_kunit_try_run_case+0x10/0x10
[   16.418391]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   16.418420]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   16.418447]  kthread+0x337/0x6f0
[   16.418495]  ? trace_preempt_on+0x20/0xc0
[   16.418523]  ? __pfx_kthread+0x10/0x10
[   16.418546]  ? _raw_spin_unlock_irq+0x47/0x80
[   16.418570]  ? calculate_sigpending+0x7b/0xa0
[   16.418597]  ? __pfx_kthread+0x10/0x10
[   16.418621]  ret_from_fork+0x116/0x1d0
[   16.418642]  ? __pfx_kthread+0x10/0x10
[   16.418665]  ret_from_fork_asm+0x1a/0x30
[   16.418745]  </TASK>
[   16.418772] 
[   16.435378] Allocated by task 248:
[   16.435649]  kasan_save_stack+0x45/0x70
[   16.436270]  kasan_save_track+0x18/0x40
[   16.436757]  kasan_save_alloc_info+0x3b/0x50
[   16.437131]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   16.437395]  remove_element+0x11e/0x190
[   16.437891]  mempool_alloc_preallocated+0x4d/0x90
[   16.439172]  mempool_uaf_helper+0x96/0x400
[   16.439433]  mempool_slab_uaf+0xea/0x140
[   16.439629]  kunit_try_run_case+0x1a5/0x480
[   16.439996]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   16.440260]  kthread+0x337/0x6f0
[   16.441070]  ret_from_fork+0x116/0x1d0
[   16.441543]  ret_from_fork_asm+0x1a/0x30
[   16.441910] 
[   16.442470] Freed by task 248:
[   16.442830]  kasan_save_stack+0x45/0x70
[   16.443655]  kasan_save_track+0x18/0x40
[   16.444233]  kasan_save_free_info+0x3f/0x60
[   16.444861]  __kasan_mempool_poison_object+0x131/0x1d0
[   16.445443]  mempool_free+0x2ec/0x380
[   16.446054]  mempool_uaf_helper+0x11a/0x400
[   16.446304]  mempool_slab_uaf+0xea/0x140
[   16.447199]  kunit_try_run_case+0x1a5/0x480
[   16.447440]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   16.447909]  kthread+0x337/0x6f0
[   16.448169]  ret_from_fork+0x116/0x1d0
[   16.449342]  ret_from_fork_asm+0x1a/0x30
[   16.449702] 
[   16.449975] The buggy address belongs to the object at ffff888103349240
[   16.449975]  which belongs to the cache test_cache of size 123
[   16.450965] The buggy address is located 0 bytes inside of
[   16.450965]  freed 123-byte region [ffff888103349240, ffff8881033492bb)
[   16.452320] 
[   16.452725] The buggy address belongs to the physical page:
[   16.453387] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103349
[   16.454082] flags: 0x200000000000000(node=0|zone=2)
[   16.454631] page_type: f5(slab)
[   16.454932] raw: 0200000000000000 ffff888103342140 dead000000000122 0000000000000000
[   16.455434] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   16.455744] page dumped because: kasan: bad access detected
[   16.455946] 
[   16.456028] Memory state around the buggy address:
[   16.456203]  ffff888103349100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.456435]  ffff888103349180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.456700] >ffff888103349200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   16.457172]                                            ^
[   16.457836]  ffff888103349280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.458491]  ffff888103349300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.459077] ==================================================================
[   16.307737] ==================================================================
[   16.308537] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   16.310118] Read of size 1 at addr ffff8881033dc500 by task kunit_try_catch/244
[   16.310633] 
[   16.310871] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT(voluntary) 
[   16.310968] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.310992] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   16.311038] Call Trace:
[   16.311071]  <TASK>
[   16.311115]  dump_stack_lvl+0x73/0xb0
[   16.311192]  print_report+0xd1/0x650
[   16.311237]  ? __virt_addr_valid+0x1db/0x2d0
[   16.311283]  ? mempool_uaf_helper+0x392/0x400
[   16.311325]  ? kasan_complete_mode_report_info+0x64/0x200
[   16.311402]  ? mempool_uaf_helper+0x392/0x400
[   16.311448]  kasan_report+0x141/0x180
[   16.311512]  ? mempool_uaf_helper+0x392/0x400
[   16.311564]  __asan_report_load1_noabort+0x18/0x20
[   16.311605]  mempool_uaf_helper+0x392/0x400
[   16.311655]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   16.311708]  ? __kasan_check_write+0x18/0x20
[   16.311748]  ? __pfx_sched_clock_cpu+0x10/0x10
[   16.311790]  ? finish_task_switch.isra.0+0x153/0x700
[   16.311823]  mempool_kmalloc_uaf+0xef/0x140
[   16.311849]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   16.311878]  ? __pfx_mempool_kmalloc+0x10/0x10
[   16.311903]  ? __pfx_mempool_kfree+0x10/0x10
[   16.311928]  ? __pfx_read_tsc+0x10/0x10
[   16.311954]  ? ktime_get_ts64+0x86/0x230
[   16.311983]  kunit_try_run_case+0x1a5/0x480
[   16.312010]  ? __pfx_kunit_try_run_case+0x10/0x10
[   16.312032]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   16.312062]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   16.312090]  ? __kthread_parkme+0x82/0x180
[   16.312113]  ? preempt_count_sub+0x50/0x80
[   16.312139]  ? __pfx_kunit_try_run_case+0x10/0x10
[   16.312164]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   16.312190]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   16.312218]  kthread+0x337/0x6f0
[   16.312240]  ? trace_preempt_on+0x20/0xc0
[   16.312268]  ? __pfx_kthread+0x10/0x10
[   16.312291]  ? _raw_spin_unlock_irq+0x47/0x80
[   16.312316]  ? calculate_sigpending+0x7b/0xa0
[   16.312344]  ? __pfx_kthread+0x10/0x10
[   16.312368]  ret_from_fork+0x116/0x1d0
[   16.312390]  ? __pfx_kthread+0x10/0x10
[   16.312414]  ret_from_fork_asm+0x1a/0x30
[   16.312451]  </TASK>
[   16.312517] 
[   16.336332] Allocated by task 244:
[   16.336972]  kasan_save_stack+0x45/0x70
[   16.337657]  kasan_save_track+0x18/0x40
[   16.338002]  kasan_save_alloc_info+0x3b/0x50
[   16.338246]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   16.338442]  remove_element+0x11e/0x190
[   16.338686]  mempool_alloc_preallocated+0x4d/0x90
[   16.339792]  mempool_uaf_helper+0x96/0x400
[   16.340277]  mempool_kmalloc_uaf+0xef/0x140
[   16.340896]  kunit_try_run_case+0x1a5/0x480
[   16.341345]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   16.341778]  kthread+0x337/0x6f0
[   16.342116]  ret_from_fork+0x116/0x1d0
[   16.342524]  ret_from_fork_asm+0x1a/0x30
[   16.343099] 
[   16.343308] Freed by task 244:
[   16.344112]  kasan_save_stack+0x45/0x70
[   16.344359]  kasan_save_track+0x18/0x40
[   16.344781]  kasan_save_free_info+0x3f/0x60
[   16.345389]  __kasan_mempool_poison_object+0x131/0x1d0
[   16.346013]  mempool_free+0x2ec/0x380
[   16.346562]  mempool_uaf_helper+0x11a/0x400
[   16.347123]  mempool_kmalloc_uaf+0xef/0x140
[   16.347646]  kunit_try_run_case+0x1a5/0x480
[   16.348352]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   16.348752]  kthread+0x337/0x6f0
[   16.349048]  ret_from_fork+0x116/0x1d0
[   16.349997]  ret_from_fork_asm+0x1a/0x30
[   16.350446] 
[   16.350586] The buggy address belongs to the object at ffff8881033dc500
[   16.350586]  which belongs to the cache kmalloc-128 of size 128
[   16.351598] The buggy address is located 0 bytes inside of
[   16.351598]  freed 128-byte region [ffff8881033dc500, ffff8881033dc580)
[   16.352697] 
[   16.352927] The buggy address belongs to the physical page:
[   16.353328] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033dc
[   16.353861] flags: 0x200000000000000(node=0|zone=2)
[   16.355251] page_type: f5(slab)
[   16.355565] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   16.356013] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   16.356811] page dumped because: kasan: bad access detected
[   16.357160] 
[   16.357563] Memory state around the buggy address:
[   16.357824]  ffff8881033dc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.358276]  ffff8881033dc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.358744] >ffff8881033dc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.359119]                    ^
[   16.359922]  ffff8881033dc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.360867]  ffff8881033dc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.362093] ==================================================================