Date: June 16, 2025, 7:07 a.m.

Environment: qemu-arm64, qemu-x86_64 (one log per environment below)
qemu-arm64:

```text
[   21.923457] ==================================================================
[   21.923552] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   21.923639] Read of size 1 at addr fff00000c6e15240 by task kunit_try_catch/240
[   21.923742]
[   21.923803] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT
[   21.923988] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.924225] Hardware name: linux,dummy-virt (DT)
[   21.924275] Call trace:
[   21.924312]  show_stack+0x20/0x38 (C)
[   21.924379]  dump_stack_lvl+0x8c/0xd0
[   21.924437]  print_report+0x118/0x608
[   21.924778]  kasan_report+0xdc/0x128
[   21.925102]  __asan_report_load1_noabort+0x20/0x30
[   21.925183]  mempool_uaf_helper+0x314/0x340
[   21.925251]  mempool_slab_uaf+0xc0/0x118
[   21.925308]  kunit_try_run_case+0x170/0x3f0
[   21.925367]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.925429]  kthread+0x328/0x630
[   21.925525]  ret_from_fork+0x10/0x20
[   21.925797]
[   21.925938] Allocated by task 240:
[   21.926066]  kasan_save_stack+0x3c/0x68
[   21.926129]  kasan_save_track+0x20/0x40
[   21.926178]  kasan_save_alloc_info+0x40/0x58
[   21.926498]  __kasan_mempool_unpoison_object+0xbc/0x180
[   21.926610]  remove_element+0x16c/0x1f8
[   21.926660]  mempool_alloc_preallocated+0x58/0xc0
[   21.927159]  mempool_uaf_helper+0xa4/0x340
[   21.927280]  mempool_slab_uaf+0xc0/0x118
[   21.927343]  kunit_try_run_case+0x170/0x3f0
[   21.927393]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.927447]  kthread+0x328/0x630
[   21.927489]  ret_from_fork+0x10/0x20
[   21.927536]
[   21.927563] Freed by task 240:
[   21.927598]  kasan_save_stack+0x3c/0x68
[   21.927644]  kasan_save_track+0x20/0x40
[   21.927691]  kasan_save_free_info+0x4c/0x78
[   21.927733]  __kasan_mempool_poison_object+0xc0/0x150
[   21.927781]  mempool_free+0x28c/0x328
[   21.928150]  mempool_uaf_helper+0x104/0x340
[   21.928243]  mempool_slab_uaf+0xc0/0x118
[   21.928350]  kunit_try_run_case+0x170/0x3f0
[   21.928528]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.928755]  kthread+0x328/0x630
[   21.928885]  ret_from_fork+0x10/0x20
[   21.928947]
[   21.928976] The buggy address belongs to the object at fff00000c6e15240
[   21.928976]  which belongs to the cache test_cache of size 123
[   21.929130] The buggy address is located 0 bytes inside of
[   21.929130]  freed 123-byte region [fff00000c6e15240, fff00000c6e152bb)
[   21.929207]
[   21.929360] The buggy address belongs to the physical page:
[   21.929423] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106e15
[   21.929507] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.929572] page_type: f5(slab)
[   21.929630] raw: 0bfffe0000000000 fff00000c6419280 dead000000000122 0000000000000000
[   21.929694] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   21.929747] page dumped because: kasan: bad access detected
[   21.929788]
[   21.929908] Memory state around the buggy address:
[   21.930007]  fff00000c6e15100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   21.930180]  fff00000c6e15180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.930321] >fff00000c6e15200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   21.930374]                                            ^
[   21.930770]  fff00000c6e15280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   21.931047]  fff00000c6e15300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.931162] ==================================================================
[   21.896253] ==================================================================
[   21.896404] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   21.896566] Read of size 1 at addr fff00000c6408a00 by task kunit_try_catch/236
[   21.896626]
[   21.896675] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT
[   21.896777] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.896809] Hardware name: linux,dummy-virt (DT)
[   21.896863] Call trace:
[   21.896896]  show_stack+0x20/0x38 (C)
[   21.896968]  dump_stack_lvl+0x8c/0xd0
[   21.897022]  print_report+0x118/0x608
[   21.897076]  kasan_report+0xdc/0x128
[   21.897126]  __asan_report_load1_noabort+0x20/0x30
[   21.897177]  mempool_uaf_helper+0x314/0x340
[   21.897226]  mempool_kmalloc_uaf+0xc4/0x120
[   21.897277]  kunit_try_run_case+0x170/0x3f0
[   21.897332]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.897390]  kthread+0x328/0x630
[   21.897436]  ret_from_fork+0x10/0x20
[   21.897490]
[   21.897512] Allocated by task 236:
[   21.897549]  kasan_save_stack+0x3c/0x68
[   21.897597]  kasan_save_track+0x20/0x40
[   21.897638]  kasan_save_alloc_info+0x40/0x58
[   21.897726]  __kasan_mempool_unpoison_object+0x11c/0x180
[   21.897827]  remove_element+0x130/0x1f8
[   21.897937]  mempool_alloc_preallocated+0x58/0xc0
[   21.897990]  mempool_uaf_helper+0xa4/0x340
[   21.898035]  mempool_kmalloc_uaf+0xc4/0x120
[   21.898448]  kunit_try_run_case+0x170/0x3f0
[   21.898502]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.898585]  kthread+0x328/0x630
[   21.898634]  ret_from_fork+0x10/0x20
[   21.898685]
[   21.898753] Freed by task 236:
[   21.898800]  kasan_save_stack+0x3c/0x68
[   21.898875]  kasan_save_track+0x20/0x40
[   21.898922]  kasan_save_free_info+0x4c/0x78
[   21.898970]  __kasan_mempool_poison_object+0xc0/0x150
[   21.899309]  mempool_free+0x28c/0x328
[   21.899375]  mempool_uaf_helper+0x104/0x340
[   21.899478]  mempool_kmalloc_uaf+0xc4/0x120
[   21.899521]  kunit_try_run_case+0x170/0x3f0
[   21.899565]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.899613]  kthread+0x328/0x630
[   21.899649]  ret_from_fork+0x10/0x20
[   21.899691]
[   21.899715] The buggy address belongs to the object at fff00000c6408a00
[   21.899715]  which belongs to the cache kmalloc-128 of size 128
[   21.899884] The buggy address is located 0 bytes inside of
[   21.899884]  freed 128-byte region [fff00000c6408a00, fff00000c6408a80)
[   21.900087]
[   21.900116] The buggy address belongs to the physical page:
[   21.900159] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106408
[   21.900229] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.900288] page_type: f5(slab)
[   21.900338] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   21.900396] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   21.900918] page dumped because: kasan: bad access detected
[   21.900979]
[   21.901175] Memory state around the buggy address:
[   21.901233]  fff00000c6408900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.901290]  fff00000c6408980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.901338] >fff00000c6408a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.901389]                    ^
[   21.901425]  fff00000c6408a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.901471]  fff00000c6408b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.901617] ==================================================================
```
qemu-x86_64:

```text
[   13.046252] ==================================================================
[   13.047316] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.048079] Read of size 1 at addr ffff888102a37240 by task kunit_try_catch/256
[   13.048309]
[   13.048398] CPU: 0 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT(voluntary)
[   13.048450] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.048462] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.048484] Call Trace:
[   13.048497]  <TASK>
[   13.048518]  dump_stack_lvl+0x73/0xb0
[   13.048551]  print_report+0xd1/0x650
[   13.048575]  ? __virt_addr_valid+0x1db/0x2d0
[   13.048600]  ? mempool_uaf_helper+0x392/0x400
[   13.048621]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.048642]  ? mempool_uaf_helper+0x392/0x400
[   13.048664]  kasan_report+0x141/0x180
[   13.048704]  ? mempool_uaf_helper+0x392/0x400
[   13.048730]  __asan_report_load1_noabort+0x18/0x20
[   13.048767]  mempool_uaf_helper+0x392/0x400
[   13.048789]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.048813]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.048848]  ? finish_task_switch.isra.0+0x153/0x700
[   13.048875]  mempool_slab_uaf+0xea/0x140
[   13.048897]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.048939]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.048965]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.049001]  ? __pfx_read_tsc+0x10/0x10
[   13.049025]  ? ktime_get_ts64+0x86/0x230
[   13.049049]  kunit_try_run_case+0x1a5/0x480
[   13.049087]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.049108]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.049131]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.049163]  ? __kthread_parkme+0x82/0x180
[   13.049185]  ? preempt_count_sub+0x50/0x80
[   13.049207]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.049241]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.049265]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.049288]  kthread+0x337/0x6f0
[   13.049307]  ? trace_preempt_on+0x20/0xc0
[   13.049331]  ? __pfx_kthread+0x10/0x10
[   13.049353]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.049373]  ? calculate_sigpending+0x7b/0xa0
[   13.049463]  ? __pfx_kthread+0x10/0x10
[   13.049489]  ret_from_fork+0x116/0x1d0
[   13.049508]  ? __pfx_kthread+0x10/0x10
[   13.049529]  ret_from_fork_asm+0x1a/0x30
[   13.049561]  </TASK>
[   13.049572]
[   13.062759] Allocated by task 256:
[   13.063129]  kasan_save_stack+0x45/0x70
[   13.063599]  kasan_save_track+0x18/0x40
[   13.063742]  kasan_save_alloc_info+0x3b/0x50
[   13.063993]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.064522]  remove_element+0x11e/0x190
[   13.064921]  mempool_alloc_preallocated+0x4d/0x90
[   13.065095]  mempool_uaf_helper+0x96/0x400
[   13.065230]  mempool_slab_uaf+0xea/0x140
[   13.065362]  kunit_try_run_case+0x1a5/0x480
[   13.065806]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.066308]  kthread+0x337/0x6f0
[   13.066817]  ret_from_fork+0x116/0x1d0
[   13.067198]  ret_from_fork_asm+0x1a/0x30
[   13.067597]
[   13.067859] Freed by task 256:
[   13.068172]  kasan_save_stack+0x45/0x70
[   13.068304]  kasan_save_track+0x18/0x40
[   13.068485]  kasan_save_free_info+0x3f/0x60
[   13.068889]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.069351]  mempool_free+0x2ec/0x380
[   13.069793]  mempool_uaf_helper+0x11a/0x400
[   13.070106]  mempool_slab_uaf+0xea/0x140
[   13.070332]  kunit_try_run_case+0x1a5/0x480
[   13.070807]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.071044]  kthread+0x337/0x6f0
[   13.071365]  ret_from_fork+0x116/0x1d0
[   13.071807]  ret_from_fork_asm+0x1a/0x30
[   13.071967]
[   13.072036] The buggy address belongs to the object at ffff888102a37240
[   13.072036]  which belongs to the cache test_cache of size 123
[   13.072382] The buggy address is located 0 bytes inside of
[   13.072382]  freed 123-byte region [ffff888102a37240, ffff888102a372bb)
[   13.072782]
[   13.072872] The buggy address belongs to the physical page:
[   13.073131] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a37
[   13.073537] flags: 0x200000000000000(node=0|zone=2)
[   13.073747] page_type: f5(slab)
[   13.073920] raw: 0200000000000000 ffff888101d34a00 dead000000000122 0000000000000000
[   13.074217] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.074635] page dumped because: kasan: bad access detected
[   13.075151]
[   13.075226] Memory state around the buggy address:
[   13.075891]  ffff888102a37100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.076220]  ffff888102a37180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.076730] >ffff888102a37200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.077156]                                            ^
[   13.077665]  ffff888102a37280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.077985]  ffff888102a37300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.078289] ==================================================================
[   12.978540] ==================================================================
[   12.979007] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   12.979415] Read of size 1 at addr ffff888102a34000 by task kunit_try_catch/252
[   12.979729]
[   12.979823] CPU: 0 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT(voluntary)
[   12.979875] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.980330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.980359] Call Trace:
[   12.980372]  <TASK>
[   12.980393]  dump_stack_lvl+0x73/0xb0
[   12.980447]  print_report+0xd1/0x650
[   12.980487]  ? __virt_addr_valid+0x1db/0x2d0
[   12.980512]  ? mempool_uaf_helper+0x392/0x400
[   12.980533]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.980555]  ? mempool_uaf_helper+0x392/0x400
[   12.980576]  kasan_report+0x141/0x180
[   12.980597]  ? mempool_uaf_helper+0x392/0x400
[   12.980623]  __asan_report_load1_noabort+0x18/0x20
[   12.980648]  mempool_uaf_helper+0x392/0x400
[   12.980670]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   12.980693]  ? __kasan_check_write+0x18/0x20
[   12.980713]  ? __pfx_sched_clock_cpu+0x10/0x10
[   12.980736]  ? finish_task_switch.isra.0+0x153/0x700
[   12.980764]  mempool_kmalloc_uaf+0xef/0x140
[   12.980785]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   12.980809]  ? __pfx_mempool_kmalloc+0x10/0x10
[   12.980833]  ? __pfx_mempool_kfree+0x10/0x10
[   12.980858]  ? __pfx_read_tsc+0x10/0x10
[   12.980880]  ? ktime_get_ts64+0x86/0x230
[   12.980906]  kunit_try_run_case+0x1a5/0x480
[   12.980943]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.980965]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.980988]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.981010]  ? __kthread_parkme+0x82/0x180
[   12.981031]  ? preempt_count_sub+0x50/0x80
[   12.981053]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.981076]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.981099]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.981121]  kthread+0x337/0x6f0
[   12.981140]  ? trace_preempt_on+0x20/0xc0
[   12.981164]  ? __pfx_kthread+0x10/0x10
[   12.981186]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.981205]  ? calculate_sigpending+0x7b/0xa0
[   12.981230]  ? __pfx_kthread+0x10/0x10
[   12.981251]  ret_from_fork+0x116/0x1d0
[   12.981270]  ? __pfx_kthread+0x10/0x10
[   12.981291]  ret_from_fork_asm+0x1a/0x30
[   12.981322]  </TASK>
[   12.981334]
[   12.992083] Allocated by task 252:
[   12.992223]  kasan_save_stack+0x45/0x70
[   12.992382]  kasan_save_track+0x18/0x40
[   12.992513]  kasan_save_alloc_info+0x3b/0x50
[   12.992657]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   12.992822]  remove_element+0x11e/0x190
[   12.993076]  mempool_alloc_preallocated+0x4d/0x90
[   12.993271]  mempool_uaf_helper+0x96/0x400
[   12.993705]  mempool_kmalloc_uaf+0xef/0x140
[   12.993998]  kunit_try_run_case+0x1a5/0x480
[   12.994206]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.994747]  kthread+0x337/0x6f0
[   12.995014]  ret_from_fork+0x116/0x1d0
[   12.995158]  ret_from_fork_asm+0x1a/0x30
[   12.995329]
[   12.995826] Freed by task 252:
[   12.996128]  kasan_save_stack+0x45/0x70
[   12.996573]  kasan_save_track+0x18/0x40
[   12.996738]  kasan_save_free_info+0x3f/0x60
[   12.996967]  __kasan_mempool_poison_object+0x131/0x1d0
[   12.997479]  mempool_free+0x2ec/0x380
[   12.997792]  mempool_uaf_helper+0x11a/0x400
[   12.997940]  mempool_kmalloc_uaf+0xef/0x140
[   12.998076]  kunit_try_run_case+0x1a5/0x480
[   12.998212]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.998433]  kthread+0x337/0x6f0
[   12.998761]  ret_from_fork+0x116/0x1d0
[   12.999129]  ret_from_fork_asm+0x1a/0x30
[   12.999547]
[   12.999707] The buggy address belongs to the object at ffff888102a34000
[   12.999707]  which belongs to the cache kmalloc-128 of size 128
[   13.001021] The buggy address is located 0 bytes inside of
[   13.001021]  freed 128-byte region [ffff888102a34000, ffff888102a34080)
[   13.001999]
[   13.002190] The buggy address belongs to the physical page:
[   13.002562] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a34
[   13.002803] flags: 0x200000000000000(node=0|zone=2)
[   13.002978] page_type: f5(slab)
[   13.003097] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.003319] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.003563] page dumped because: kasan: bad access detected
[   13.003859]
[   13.004028] Memory state around the buggy address:
[   13.004876]  ffff888102a33f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.005248]  ffff888102a33f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.005922] >ffff888102a34000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.006336]                    ^
[   13.006459]  ffff888102a34080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.007133]  ffff888102a34100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.007679] ==================================================================
```
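Every report above was raised on a `kunit_try_catch` thread running `mempool_slab_uaf` or `mempool_kmalloc_uaf` under `kunit_try_run_case`, i.e. the KASAN KUnit self-tests, which perform the freed-object read on purpose; a CI triage step has to separate that from a genuine finding. The following is an added example, not code from this page or from the kernel tree: a small Python parser that pulls the access, the cache and region, the first non-KASAN frame of the allocation and free stacks, and the decoded shadow byte for the faulting address out of a generic-KASAN report, then applies a KUnit heuristic. The shadow legend is the CONFIG_KASAN_GENERIC encoding (8-byte granules, 16 granules per printed row); the sample input is the arm64 `mempool_kmalloc_uaf` report from this page trimmed to the lines the parser uses, and the `kunit_` / `kunit_try_catch` heuristic is this example's own assumption.

```python
"""Parse a generic-KASAN slab report and summarise it for triage (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Shadow-byte encoding of generic KASAN: one byte describes an 8-byte granule.
SHADOW_LEGEND = {
    0x00: "addressable", 0xFA: "freed slab object (granule holding the free track)",
    0xFB: "freed slab object", 0xFC: "slab redzone", 0xFE: "kmalloc_large redzone",
    0xFF: "freed page", 0xF9: "global redzone", 0xF1: "stack left redzone",
    0xF2: "stack mid redzone", 0xF3: "stack right redzone",
    0xF4: "stack partial redzone", 0xF8: "vmalloc invalid",
}

def shadow_meaning(b: int) -> str:
    if 1 <= b <= 7:
        return f"partially addressable (first {b} bytes)"
    return SHADOW_LEGEND.get(b, f"unknown 0x{b:02x}")

_TS = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?")           # printk timestamp prefix
_FRAME = re.compile(r"^\S+\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "sym+0xoff/0xlen"
_KASAN_INTERNAL = re.compile(r"^(__)?kasan_|^__asan_")

@dataclass
class KasanReport:
    bug: str
    site: str
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str | None = None
    region: tuple[int, int] | None = None
    alloc_stack: list[str] = field(default_factory=list)
    free_stack: list[str] = field(default_factory=list)
    shadow: dict[int, list[int]] = field(default_factory=dict)  # row base -> 16 bytes

def parse_report(text: str) -> KasanReport:
    rep, section = None, None
    for raw in text.splitlines():
        s = _TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", s):
            rep, section = KasanReport(bug=m[1], site=m[2]), None
        elif rep is None:
            continue
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", s):
            rep.access, rep.size, rep.addr, rep.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif s.startswith("Allocated by"):
            section = "alloc"
        elif s.startswith("Freed by"):
            section = "free"
        elif s.startswith(("The buggy address", "Memory state")):
            section = None
        elif m := re.match(r"which belongs to the cache (\S+) of size", s):
            rep.cache = m[1]
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", s):
            rep.region = (int(m[1], 16), int(m[2], 16))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", s):
            rep.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and _FRAME.match(s):
            (rep.alloc_stack if section == "alloc" else rep.free_stack).append(s.split("+")[0])
    if rep is None:
        raise ValueError("no KASAN report found")
    return rep

def origin(stack: list[str]) -> str | None:
    """First frame that is not KASAN bookkeeping: the caller that really allocated/freed."""
    return next((f for f in stack if not _KASAN_INTERNAL.match(f)), None)

def granule_state(rep: KasanReport) -> tuple[int, str]:
    """Shadow byte covering rep.addr. Rows hold 16 granules of 8 bytes = 128 bytes."""
    row = rep.addr & ~0x7F
    b = rep.shadow[row][(rep.addr - row) // 8]
    return b, shadow_meaning(b)

def is_kunit_selftest(rep: KasanReport) -> bool:
    # Heuristic (this example's assumption): test thread name or a kunit_* frame.
    return rep.task.startswith("kunit_try_catch") or any(
        f.startswith("kunit_") for f in rep.alloc_stack + rep.free_stack)

def triage(text: str) -> dict:
    rep = parse_report(text)
    b, meaning = granule_state(rep)
    start, end = rep.region if rep.region else (None, None)
    return {
        "bug": rep.bug, "site": rep.site, "cache": rep.cache,
        "access": f"{rep.access} {rep.size} @ 0x{rep.addr:x}",
        "offset_in_region": None if start is None else rep.addr - start,
        "region_len": None if start is None else end - start,
        "allocated_via": origin(rep.alloc_stack), "freed_via": origin(rep.free_stack),
        "shadow": f"0x{b:02x} {meaning}", "kunit_selftest": is_kunit_selftest(rep),
    }

# Constructed sample: the arm64 mempool_kmalloc_uaf report above, trimmed.
SAMPLE = """\
[   21.896404] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   21.896566] Read of size 1 at addr fff00000c6408a00 by task kunit_try_catch/236
[   21.897512] Allocated by task 236:
[   21.897549]  kasan_save_stack+0x3c/0x68
[   21.897726]  __kasan_mempool_unpoison_object+0x11c/0x180
[   21.897827]  remove_element+0x130/0x1f8
[   21.897937]  mempool_alloc_preallocated+0x58/0xc0
[   21.898448]  kunit_try_run_case+0x170/0x3f0
[   21.898753] Freed by task 236:
[   21.898800]  kasan_save_stack+0x3c/0x68
[   21.898970]  __kasan_mempool_poison_object+0xc0/0x150
[   21.899309]  mempool_free+0x28c/0x328
[   21.899715] The buggy address belongs to the object at fff00000c6408a00
[   21.899715]  which belongs to the cache kmalloc-128 of size 128
[   21.899884]  freed 128-byte region [fff00000c6408a00, fff00000c6408a80)
[   21.901175] Memory state around the buggy address:
[   21.901290]  fff00000c6408980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.901338] >fff00000c6408a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.901425]  fff00000c6408a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k:>17}: {v}")
```

Feeding the full console log in works too, since the parser starts a new record at each `BUG: KASAN:` line and only the last one is returned; to keep all of them, split the log on the `====` separators first. The `kunit_selftest` flag is what a CI gate would key on: a `True` here while the KUnit KASAN suite is enabled is expected output, whereas the same report with a driver or filesystem symbol in `allocated_via` / `freed_via` and no `kunit_` frames is the case that needs a human.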