Hay
Date
June 5, 2025, 7:08 a.m.

Environment
qemu-arm64
qemu-x86_64

[   28.278617] ==================================================================
[   28.278755] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.278955] Read of size 1 at addr fff00000c6419f00 by task kunit_try_catch/227
[   28.279100] 
[   28.279237] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT 
[   28.279544] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.279629] Hardware name: linux,dummy-virt (DT)
[   28.279774] Call trace:
[   28.279902]  show_stack+0x20/0x38 (C)
[   28.280176]  dump_stack_lvl+0x8c/0xd0
[   28.280517]  print_report+0x118/0x608
[   28.280783]  kasan_report+0xdc/0x128
[   28.280953]  __asan_report_load1_noabort+0x20/0x30
[   28.281025]  mempool_uaf_helper+0x314/0x340
[   28.281140]  mempool_kmalloc_uaf+0xc4/0x120
[   28.281221]  kunit_try_run_case+0x170/0x3f0
[   28.281309]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.281451]  kthread+0x328/0x630
[   28.281512]  ret_from_fork+0x10/0x20
[   28.281574] 
[   28.281597] Allocated by task 227:
[   28.281634]  kasan_save_stack+0x3c/0x68
[   28.281687]  kasan_save_track+0x20/0x40
[   28.281735]  kasan_save_alloc_info+0x40/0x58
[   28.281786]  __kasan_mempool_unpoison_object+0x11c/0x180
[   28.281841]  remove_element+0x130/0x1f8
[   28.281893]  mempool_alloc_preallocated+0x58/0xc0
[   28.281940]  mempool_uaf_helper+0xa4/0x340
[   28.281986]  mempool_kmalloc_uaf+0xc4/0x120
[   28.282033]  kunit_try_run_case+0x170/0x3f0
[   28.282079]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.282132]  kthread+0x328/0x630
[   28.282175]  ret_from_fork+0x10/0x20
[   28.282218] 
[   28.282243] Freed by task 227:
[   28.282275]  kasan_save_stack+0x3c/0x68
[   28.282322]  kasan_save_track+0x20/0x40
[   28.282591]  kasan_save_free_info+0x4c/0x78
[   28.282773]  __kasan_mempool_poison_object+0xc0/0x150
[   28.282880]  mempool_free+0x28c/0x328
[   28.282976]  mempool_uaf_helper+0x104/0x340
[   28.283259]  mempool_kmalloc_uaf+0xc4/0x120
[   28.284263]  kunit_try_run_case+0x170/0x3f0
[   28.284874]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.285449]  kthread+0x328/0x630
[   28.285672]  ret_from_fork+0x10/0x20
[   28.285795] 
[   28.285909] The buggy address belongs to the object at fff00000c6419f00
[   28.285909]  which belongs to the cache kmalloc-128 of size 128
[   28.286095] The buggy address is located 0 bytes inside of
[   28.286095]  freed 128-byte region [fff00000c6419f00, fff00000c6419f80)
[   28.286250] 
[   28.286308] The buggy address belongs to the physical page:
[   28.286426] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106419
[   28.286632] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.286777] page_type: f5(slab)
[   28.287322] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   28.287813] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   28.287928] page dumped because: kasan: bad access detected
[   28.288019] 
[   28.288072] Memory state around the buggy address:
[   28.288497]  fff00000c6419e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.288857]  fff00000c6419e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.289044] >fff00000c6419f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.289210]                    ^
[   28.289310]  fff00000c6419f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.289671]  fff00000c641a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.289781] ==================================================================
[   28.345596] ==================================================================
[   28.345730] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.345862] Read of size 1 at addr fff00000c7715180 by task kunit_try_catch/231
[   28.346201] 
[   28.346717] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT 
[   28.347416] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.347514] Hardware name: linux,dummy-virt (DT)
[   28.347650] Call trace:
[   28.347731]  show_stack+0x20/0x38 (C)
[   28.347887]  dump_stack_lvl+0x8c/0xd0
[   28.348110]  print_report+0x118/0x608
[   28.348245]  kasan_report+0xdc/0x128
[   28.348399]  __asan_report_load1_noabort+0x20/0x30
[   28.348676]  mempool_uaf_helper+0x314/0x340
[   28.348831]  mempool_slab_uaf+0xc0/0x118
[   28.349134]  kunit_try_run_case+0x170/0x3f0
[   28.349316]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.349523]  kthread+0x328/0x630
[   28.349756]  ret_from_fork+0x10/0x20
[   28.349901] 
[   28.350016] Allocated by task 231:
[   28.350166]  kasan_save_stack+0x3c/0x68
[   28.350398]  kasan_save_track+0x20/0x40
[   28.350509]  kasan_save_alloc_info+0x40/0x58
[   28.350614]  __kasan_mempool_unpoison_object+0xbc/0x180
[   28.350720]  remove_element+0x16c/0x1f8
[   28.350827]  mempool_alloc_preallocated+0x58/0xc0
[   28.351025]  mempool_uaf_helper+0xa4/0x340
[   28.351235]  mempool_slab_uaf+0xc0/0x118
[   28.351433]  kunit_try_run_case+0x170/0x3f0
[   28.351539]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.351659]  kthread+0x328/0x630
[   28.351764]  ret_from_fork+0x10/0x20
[   28.351879] 
[   28.351933] Freed by task 231:
[   28.352105]  kasan_save_stack+0x3c/0x68
[   28.352223]  kasan_save_track+0x20/0x40
[   28.352519]  kasan_save_free_info+0x4c/0x78
[   28.352771]  __kasan_mempool_poison_object+0xc0/0x150
[   28.352894]  mempool_free+0x28c/0x328
[   28.352993]  mempool_uaf_helper+0x104/0x340
[   28.353101]  mempool_slab_uaf+0xc0/0x118
[   28.353203]  kunit_try_run_case+0x170/0x3f0
[   28.353313]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.353460]  kthread+0x328/0x630
[   28.353565]  ret_from_fork+0x10/0x20
[   28.353717] 
[   28.353772] The buggy address belongs to the object at fff00000c7715180
[   28.353772]  which belongs to the cache test_cache of size 123
[   28.354070] The buggy address is located 0 bytes inside of
[   28.354070]  freed 123-byte region [fff00000c7715180, fff00000c77151fb)
[   28.354251] 
[   28.354355] The buggy address belongs to the physical page:
[   28.354437] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107715
[   28.354580] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.354809] page_type: f5(slab)
[   28.354958] raw: 0bfffe0000000000 fff00000c772c280 dead000000000122 0000000000000000
[   28.355230] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   28.355435] page dumped because: kasan: bad access detected
[   28.355532] 
[   28.355580] Memory state around the buggy address:
[   28.356353]  fff00000c7715080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   28.356955]  fff00000c7715100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.357525] >fff00000c7715180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.357822]                    ^
[   28.357901]  fff00000c7715200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.358005]  fff00000c7715280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.358100] ==================================================================


[   13.005230] ==================================================================
[   13.005727] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.006615] Read of size 1 at addr ffff888102791240 by task kunit_try_catch/248
[   13.007060] 
[   13.007459] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT(voluntary) 
[   13.007509] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.007523] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.007544] Call Trace:
[   13.007556]  <TASK>
[   13.007571]  dump_stack_lvl+0x73/0xb0
[   13.007600]  print_report+0xd1/0x650
[   13.007622]  ? __virt_addr_valid+0x1db/0x2d0
[   13.007646]  ? mempool_uaf_helper+0x392/0x400
[   13.007668]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.007691]  ? mempool_uaf_helper+0x392/0x400
[   13.007714]  kasan_report+0x141/0x180
[   13.007736]  ? mempool_uaf_helper+0x392/0x400
[   13.007762]  __asan_report_load1_noabort+0x18/0x20
[   13.007786]  mempool_uaf_helper+0x392/0x400
[   13.007809]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.007834]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.007855]  ? finish_task_switch.isra.0+0x153/0x700
[   13.007882]  mempool_slab_uaf+0xea/0x140
[   13.007919]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.008018]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.008044]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.008066]  ? __pfx_read_tsc+0x10/0x10
[   13.008086]  ? ktime_get_ts64+0x86/0x230
[   13.008111]  kunit_try_run_case+0x1a5/0x480
[   13.008132]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.008151]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.008176]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.008201]  ? __kthread_parkme+0x82/0x180
[   13.008223]  ? preempt_count_sub+0x50/0x80
[   13.008246]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.008267]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.008291]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.008315]  kthread+0x337/0x6f0
[   13.008334]  ? trace_preempt_on+0x20/0xc0
[   13.008356]  ? __pfx_kthread+0x10/0x10
[   13.008378]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.008399]  ? calculate_sigpending+0x7b/0xa0
[   13.008423]  ? __pfx_kthread+0x10/0x10
[   13.008444]  ret_from_fork+0x116/0x1d0
[   13.008462]  ? __pfx_kthread+0x10/0x10
[   13.008481]  ret_from_fork_asm+0x1a/0x30
[   13.008512]  </TASK>
[   13.008524] 
[   13.021204] Allocated by task 248:
[   13.021399]  kasan_save_stack+0x45/0x70
[   13.021593]  kasan_save_track+0x18/0x40
[   13.022034]  kasan_save_alloc_info+0x3b/0x50
[   13.022207]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.022376]  remove_element+0x11e/0x190
[   13.022506]  mempool_alloc_preallocated+0x4d/0x90
[   13.022655]  mempool_uaf_helper+0x96/0x400
[   13.022792]  mempool_slab_uaf+0xea/0x140
[   13.023291]  kunit_try_run_case+0x1a5/0x480
[   13.023935]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.024413]  kthread+0x337/0x6f0
[   13.024554]  ret_from_fork+0x116/0x1d0
[   13.024695]  ret_from_fork_asm+0x1a/0x30
[   13.025146] 
[   13.025322] Freed by task 248:
[   13.025653]  kasan_save_stack+0x45/0x70
[   13.026079]  kasan_save_track+0x18/0x40
[   13.026547]  kasan_save_free_info+0x3f/0x60
[   13.027036]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.027513]  mempool_free+0x2ec/0x380
[   13.027863]  mempool_uaf_helper+0x11a/0x400
[   13.028031]  mempool_slab_uaf+0xea/0x140
[   13.028509]  kunit_try_run_case+0x1a5/0x480
[   13.028954]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.029165]  kthread+0x337/0x6f0
[   13.029496]  ret_from_fork+0x116/0x1d0
[   13.029916]  ret_from_fork_asm+0x1a/0x30
[   13.030322] 
[   13.030498] The buggy address belongs to the object at ffff888102791240
[   13.030498]  which belongs to the cache test_cache of size 123
[   13.030940] The buggy address is located 0 bytes inside of
[   13.030940]  freed 123-byte region [ffff888102791240, ffff8881027912bb)
[   13.031444] 
[   13.031547] The buggy address belongs to the physical page:
[   13.031781] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102791
[   13.032191] flags: 0x200000000000000(node=0|zone=2)
[   13.032401] page_type: f5(slab)
[   13.032554] raw: 0200000000000000 ffff8881018ce640 dead000000000122 0000000000000000
[   13.033189] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.033496] page dumped because: kasan: bad access detected
[   13.033798] 
[   13.033906] Memory state around the buggy address:
[   13.034244]  ffff888102791100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.034567]  ffff888102791180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.034912] >ffff888102791200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.035193]                                            ^
[   13.035436]  ffff888102791280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.035826]  ffff888102791300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.036195] ==================================================================
[   12.936426] ==================================================================
[   12.936838] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   12.937097] Read of size 1 at addr ffff888102b2d800 by task kunit_try_catch/244
[   12.937319] 
[   12.937405] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT(voluntary) 
[   12.937450] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.937461] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.937481] Call Trace:
[   12.937493]  <TASK>
[   12.937508]  dump_stack_lvl+0x73/0xb0
[   12.937534]  print_report+0xd1/0x650
[   12.937556]  ? __virt_addr_valid+0x1db/0x2d0
[   12.937579]  ? mempool_uaf_helper+0x392/0x400
[   12.937600]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.937623]  ? mempool_uaf_helper+0x392/0x400
[   12.937645]  kasan_report+0x141/0x180
[   12.937666]  ? mempool_uaf_helper+0x392/0x400
[   12.937693]  __asan_report_load1_noabort+0x18/0x20
[   12.937716]  mempool_uaf_helper+0x392/0x400
[   12.937739]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   12.937763]  ? __kasan_check_write+0x18/0x20
[   12.937783]  ? __pfx_sched_clock_cpu+0x10/0x10
[   12.937805]  ? finish_task_switch.isra.0+0x153/0x700
[   12.937832]  mempool_kmalloc_uaf+0xef/0x140
[   12.937854]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   12.937878]  ? __pfx_mempool_kmalloc+0x10/0x10
[   12.938711]  ? __pfx_mempool_kfree+0x10/0x10
[   12.938754]  ? __pfx_read_tsc+0x10/0x10
[   12.938779]  ? ktime_get_ts64+0x86/0x230
[   12.938804]  kunit_try_run_case+0x1a5/0x480
[   12.938829]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.938849]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.938875]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.938909]  ? __kthread_parkme+0x82/0x180
[   12.938935]  ? preempt_count_sub+0x50/0x80
[   12.938958]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.938979]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.939003]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.939027]  kthread+0x337/0x6f0
[   12.939046]  ? trace_preempt_on+0x20/0xc0
[   12.939069]  ? __pfx_kthread+0x10/0x10
[   12.939089]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.939111]  ? calculate_sigpending+0x7b/0xa0
[   12.939135]  ? __pfx_kthread+0x10/0x10
[   12.939156]  ret_from_fork+0x116/0x1d0
[   12.939175]  ? __pfx_kthread+0x10/0x10
[   12.939195]  ret_from_fork_asm+0x1a/0x30
[   12.939225]  </TASK>
[   12.939236] 
[   12.949072] Allocated by task 244:
[   12.949264]  kasan_save_stack+0x45/0x70
[   12.949411]  kasan_save_track+0x18/0x40
[   12.949555]  kasan_save_alloc_info+0x3b/0x50
[   12.949810]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   12.950135]  remove_element+0x11e/0x190
[   12.950457]  mempool_alloc_preallocated+0x4d/0x90
[   12.950648]  mempool_uaf_helper+0x96/0x400
[   12.950857]  mempool_kmalloc_uaf+0xef/0x140
[   12.951132]  kunit_try_run_case+0x1a5/0x480
[   12.951375]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.951637]  kthread+0x337/0x6f0
[   12.951813]  ret_from_fork+0x116/0x1d0
[   12.951954]  ret_from_fork_asm+0x1a/0x30
[   12.952103] 
[   12.952281] Freed by task 244:
[   12.952443]  kasan_save_stack+0x45/0x70
[   12.952635]  kasan_save_track+0x18/0x40
[   12.952793]  kasan_save_free_info+0x3f/0x60
[   12.952951]  __kasan_mempool_poison_object+0x131/0x1d0
[   12.953444]  mempool_free+0x2ec/0x380
[   12.953587]  mempool_uaf_helper+0x11a/0x400
[   12.955052]  mempool_kmalloc_uaf+0xef/0x140
[   12.956085]  kunit_try_run_case+0x1a5/0x480
[   12.956975]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.957751]  kthread+0x337/0x6f0
[   12.958457]  ret_from_fork+0x116/0x1d0
[   12.959221]  ret_from_fork_asm+0x1a/0x30
[   12.959378] 
[   12.959452] The buggy address belongs to the object at ffff888102b2d800
[   12.959452]  which belongs to the cache kmalloc-128 of size 128
[   12.959863] The buggy address is located 0 bytes inside of
[   12.959863]  freed 128-byte region [ffff888102b2d800, ffff888102b2d880)
[   12.960217] 
[   12.960291] The buggy address belongs to the physical page:
[   12.960466] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b2d
[   12.960714] flags: 0x200000000000000(node=0|zone=2)
[   12.960882] page_type: f5(slab)
[   12.962671] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.964096] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.965413] page dumped because: kasan: bad access detected
[   12.966252] 
[   12.966585] Memory state around the buggy address:
[   12.967437]  ffff888102b2d700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.968539]  ffff888102b2d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.969580] >ffff888102b2d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.970776]                    ^
[   12.971365]  ffff888102b2d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.972183]  ffff888102b2d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.973072] ==================================================================
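A note on reading these four splats, and an added triage helper (editor's example, not code from this page, from KernelCI or from the kernel tree). Every report above is raised from `kunit_try_run_case` through `mempool_kmalloc_uaf` or `mempool_slab_uaf` into `mempool_uaf_helper`, and the task is tainted `[N]=TEST`: these are the KASAN KUnit self-tests deliberately taking an element from a preallocated mempool (`mempool_alloc_preallocated`), handing it back (`mempool_free`, which poisons it via `__kasan_mempool_poison_object`) and then reading byte 0 of it. A KASAN splat here is therefore the expected outcome of the test, not a kernel bug to file. When a report of this shape shows up outside the test suite, the fields worth cross-checking are the ones the helper below extracts: the bug class in the `BUG:` line, the faulting address against the object bounds the report prints, and the shadow byte that covers the address in the `Memory state` dump. The shadow encodings in the code are the editor's reading of generic KASAN's `mm/kasan/kasan.h` (one shadow byte per 8-byte granule; `fa` = first granule of a freed slab object, `fb` = freed slab object, `fc` = slab redzone, `00` = addressable), not something the page states. The embedded sample is an excerpt of the qemu-x86_64 `mempool_slab_uaf` report above.

```python
"""Triage helper for generic-mode KASAN reports as they appear in KUnit/CI logs.
Added example, not code from the page or the kernel tree. It parses the header,
object and shadow-memory sections of one report, finds the shadow byte that
covers the faulting address and checks it agrees with the bug class KASAN named."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Generic-KASAN shadow encodings (editor's reading of mm/kasan/kasan.h, not taken
# from the page). One shadow byte covers an 8-byte granule: 0x00 = all 8 bytes
# addressable, 1..7 = that many leading bytes addressable, 0xF9..0xFF = poison.
GRANULE = 8
POISON = {
    0xF9: "global redzone", 0xFA: "freed slab object (first granule, holds free-track metadata)",
    0xFB: "freed slab object", 0xFC: "slab redzone", 0xFE: "page redzone", 0xFF: "freed page",
}

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
REGION_RE = re.compile(r"(?P<state>freed|allocated) (?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^>?(?P<addr>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2}){15})$")


@dataclass
class KasanReport:
    bug_type: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""
    cache_size: int = 0
    region_state: str = ""                      # "freed" or "allocated"
    region: Optional[tuple] = None              # (start, end), end exclusive
    shadow: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes


def parse_report(text: str) -> KasanReport:
    """Pull the triage-relevant fields out of one '====' delimited KASAN report."""
    r = KasanReport()
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if m := BUG_RE.search(line):
            r.bug_type, r.func = m["type"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.access, r.size, r.addr = m["kind"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif m := CACHE_RE.search(line):
            r.cache, r.cache_size = m["cache"], int(m["size"])
        elif m := REGION_RE.search(line):
            r.region_state = m["state"]
            r.region = (int(m["start"], 16), int(m["end"], 16))
        elif m := SHADOW_RE.match(line):
            r.shadow[int(m["addr"], 16)] = bytes.fromhex(m["bytes"].replace(" ", ""))
    return r


def shadow_byte(r: KasanReport, addr: int) -> Optional[int]:
    """Shadow value covering addr, read from the 'Memory state' rows (16 granules per row)."""
    for base, row in r.shadow.items():
        if base <= addr < base + 16 * GRANULE:
            return row[(addr - base) // GRANULE]
    return None


def describe_shadow(b: int) -> str:
    if b == 0:
        return "addressable"
    if 1 <= b <= 7:
        return f"partially addressable ({b} of {GRANULE} bytes)"
    return POISON.get(b, f"unknown poison 0x{b:02x}")


def triage(r: KasanReport) -> dict:
    """Cross-check the claimed bug class against the object bounds and the shadow byte."""
    sb = shadow_byte(r, r.addr)
    in_region = r.region is not None and r.region[0] <= r.addr < r.region[1]
    offset = r.addr - r.region[0] if r.region else None
    if r.bug_type == "slab-use-after-free":
        ok = r.region_state == "freed" and in_region and sb in (0xFA, 0xFB)
    elif r.bug_type == "slab-out-of-bounds":
        ok = not in_region and (sb == 0xFC or (sb is not None and 1 <= sb <= 7))
    else:
        ok = sb is not None and sb != 0  # any poison at all supports the report
    return {"shadow": sb, "meaning": describe_shadow(sb) if sb is not None else "n/a",
            "in_region": in_region, "offset": offset, "consistent": ok}


# Excerpt of the qemu-x86_64 mempool_slab_uaf report on this page (timestamps kept).
SAMPLE = """\
[   13.005727] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.006615] Read of size 1 at addr ffff888102791240 by task kunit_try_catch/248
[   13.030498]  which belongs to the cache test_cache of size 123
[   13.030940]  freed 123-byte region [ffff888102791240, ffff8881027912bb)
[   13.034912] >ffff888102791200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.035436]  ffff888102791280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(rep.bug_type, rep.func, rep.cache, rep.cache_size, triage(rep))
```

To run it over a whole CI log, split the text on the `====` separator lines and feed each chunk to `parse_report`. For the four reports on this page the faulting address is the first byte of the freed region in every case, the covering shadow byte is `fa` (the caret in each dump sits under the first byte of the `>` row for the arm64 reports and under the ninth for the first x86_64 one, which is exactly `(addr - row_base) / 8`), and `triage` returns `consistent: True`, which is what a deliberate use-after-free test should produce. A report that claims `slab-use-after-free` but whose address maps to `00` or `fc` would be the thing to look at more closely.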