Date
June 17, 2025, 6:35 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
[ 18.989467] ==================================================================
[ 18.989548] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.989643] Read of size 1 at addr fff00000c4fd8300 by task kunit_try_catch/236
[ 18.989696]
[ 18.989739] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT
[ 18.989832] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.989864] Hardware name: linux,dummy-virt (DT)
[ 18.989899] Call trace:
[ 18.989938] show_stack+0x20/0x38 (C)
[ 18.989992] dump_stack_lvl+0x8c/0xd0
[ 18.990060] print_report+0x118/0x608
[ 18.990110] kasan_report+0xdc/0x128
[ 18.990157] __asan_report_load1_noabort+0x20/0x30
[ 18.990207] mempool_uaf_helper+0x314/0x340
[ 18.990254] mempool_kmalloc_uaf+0xc4/0x120
[ 18.990301] kunit_try_run_case+0x170/0x3f0
[ 18.990353] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.990407] kthread+0x328/0x630
[ 18.990466] ret_from_fork+0x10/0x20
[ 18.990517]
[ 18.990536] Allocated by task 236:
[ 18.990566] kasan_save_stack+0x3c/0x68
[ 18.990609] kasan_save_track+0x20/0x40
[ 18.990648] kasan_save_alloc_info+0x40/0x58
[ 18.990684] __kasan_mempool_unpoison_object+0x11c/0x180
[ 18.990729] remove_element+0x130/0x1f8
[ 18.990769] mempool_alloc_preallocated+0x58/0xc0
[ 18.990809] mempool_uaf_helper+0xa4/0x340
[ 18.990846] mempool_kmalloc_uaf+0xc4/0x120
[ 18.990885] kunit_try_run_case+0x170/0x3f0
[ 18.990922] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.990984] kthread+0x328/0x630
[ 18.991016] ret_from_fork+0x10/0x20
[ 18.991053]
[ 18.991073] Freed by task 236:
[ 18.991099] kasan_save_stack+0x3c/0x68
[ 18.991136] kasan_save_track+0x20/0x40
[ 18.991174] kasan_save_free_info+0x4c/0x78
[ 18.991210] __kasan_mempool_poison_object+0xc0/0x150
[ 18.991253] mempool_free+0x28c/0x328
[ 18.991287] mempool_uaf_helper+0x104/0x340
[ 18.991325] mempool_kmalloc_uaf+0xc4/0x120
[ 18.991364] kunit_try_run_case+0x170/0x3f0
[ 18.991401] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.991446] kthread+0x328/0x630
[ 18.991478] ret_from_fork+0x10/0x20
[ 18.991515]
[ 18.991534] The buggy address belongs to the object at fff00000c4fd8300
[ 18.991534]  which belongs to the cache kmalloc-128 of size 128
[ 18.991595] The buggy address is located 0 bytes inside of
[ 18.991595]  freed 128-byte region [fff00000c4fd8300, fff00000c4fd8380)
[ 18.991658]
[ 18.991679] The buggy address belongs to the physical page:
[ 18.991714] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104fd8
[ 18.991770] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.991822] page_type: f5(slab)
[ 18.991865] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.991915] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.991967] page dumped because: kasan: bad access detected
[ 18.991999]
[ 18.992017] Memory state around the buggy address:
[ 18.992049]  fff00000c4fd8200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.992093]  fff00000c4fd8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.992137] >fff00000c4fd8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.992176]                    ^
[ 18.992203]  fff00000c4fd8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.992247]  fff00000c4fd8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 18.992287] ==================================================================
[ 19.043339] ==================================================================
[ 19.043846] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 19.043950] Read of size 1 at addr fff00000c5227240 by task kunit_try_catch/240
[ 19.044003]
[ 19.044045] CPU: 1 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT
[ 19.044138] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.044164] Hardware name: linux,dummy-virt (DT)
[ 19.044197] Call trace:
[ 19.044220] show_stack+0x20/0x38 (C)
[ 19.044272] dump_stack_lvl+0x8c/0xd0
[ 19.046033] print_report+0x118/0x608
[ 19.046699] kasan_report+0xdc/0x128
[ 19.046759] __asan_report_load1_noabort+0x20/0x30
[ 19.046810] mempool_uaf_helper+0x314/0x340
[ 19.047176] mempool_slab_uaf+0xc0/0x118
[ 19.047606] kunit_try_run_case+0x170/0x3f0
[ 19.047661] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.047717] kthread+0x328/0x630
[ 19.047760] ret_from_fork+0x10/0x20
[ 19.047811]
[ 19.047833] Allocated by task 240:
[ 19.049179] kasan_save_stack+0x3c/0x68
[ 19.049591] kasan_save_track+0x20/0x40
[ 19.050093] kasan_save_alloc_info+0x40/0x58
[ 19.050512] __kasan_mempool_unpoison_object+0xbc/0x180
[ 19.050807] remove_element+0x16c/0x1f8
[ 19.050856] mempool_alloc_preallocated+0x58/0xc0
[ 19.050900] mempool_uaf_helper+0xa4/0x340
[ 19.051547] mempool_slab_uaf+0xc0/0x118
[ 19.052103] kunit_try_run_case+0x170/0x3f0
[ 19.052388] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.052746] kthread+0x328/0x630
[ 19.053130] ret_from_fork+0x10/0x20
[ 19.053414]
[ 19.053563] Freed by task 240:
[ 19.053602] kasan_save_stack+0x3c/0x68
[ 19.053951] kasan_save_track+0x20/0x40
[ 19.054000] kasan_save_free_info+0x4c/0x78
[ 19.054618] __kasan_mempool_poison_object+0xc0/0x150
[ 19.054672] mempool_free+0x28c/0x328
[ 19.054921] mempool_uaf_helper+0x104/0x340
[ 19.055000] mempool_slab_uaf+0xc0/0x118
[ 19.055841] kunit_try_run_case+0x170/0x3f0
[ 19.055940] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.055986] kthread+0x328/0x630
[ 19.056743] ret_from_fork+0x10/0x20
[ 19.056999]
[ 19.057036] The buggy address belongs to the object at fff00000c5227240
[ 19.057036]  which belongs to the cache test_cache of size 123
[ 19.057590] The buggy address is located 0 bytes inside of
[ 19.057590]  freed 123-byte region [fff00000c5227240, fff00000c52272bb)
[ 19.058182]
[ 19.058209] The buggy address belongs to the physical page:
[ 19.058246] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105227
[ 19.058307] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.059276] page_type: f5(slab)
[ 19.059535] raw: 0bfffe0000000000 fff00000c115db40 dead000000000122 0000000000000000
[ 19.059589] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 19.060519] page dumped because: kasan: bad access detected
[ 19.060808]
[ 19.061073] Memory state around the buggy address:
[ 19.061226]  fff00000c5227100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 19.061506]  fff00000c5227180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.061956] >fff00000c5227200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 19.062734]                                            ^
[ 19.062823]  fff00000c5227280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 19.063317]  fff00000c5227300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.063815] ==================================================================
[ 20.094918] ==================================================================
[ 20.096141] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 20.096610] Read of size 1 at addr ffff888103393f00 by task kunit_try_catch/254
[ 20.097671]
[ 20.097898] CPU: 0 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT(voluntary)
[ 20.098032] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.098073] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 20.098133] Call Trace:
[ 20.098171] <TASK>
[ 20.098236] dump_stack_lvl+0x73/0xb0
[ 20.098322] print_report+0xd1/0x650
[ 20.098402] ? __virt_addr_valid+0x1db/0x2d0
[ 20.098482] ? mempool_uaf_helper+0x392/0x400
[ 20.098550] ? kasan_complete_mode_report_info+0x64/0x200
[ 20.098620] ? mempool_uaf_helper+0x392/0x400
[ 20.098689] kasan_report+0x141/0x180
[ 20.098759] ? mempool_uaf_helper+0x392/0x400
[ 20.098859] __asan_report_load1_noabort+0x18/0x20
[ 20.098979] mempool_uaf_helper+0x392/0x400
[ 20.099063] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 20.099139] ? __kasan_check_write+0x18/0x20
[ 20.099204] ? __pfx_sched_clock_cpu+0x10/0x10
[ 20.099275] ? irqentry_exit+0x2a/0x60
[ 20.099350] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 20.099426] mempool_kmalloc_uaf+0xef/0x140
[ 20.099482] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 20.099520] ? __pfx_mempool_kmalloc+0x10/0x10
[ 20.099568] ? __pfx_mempool_kfree+0x10/0x10
[ 20.099604] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 20.099638] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 20.099671] kunit_try_run_case+0x1a5/0x480
[ 20.099710] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.099743] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 20.099771] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 20.099809] ? __kthread_parkme+0x82/0x180
[ 20.099864] ? preempt_count_sub+0x50/0x80
[ 20.099903] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.099937] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.099971] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.100003] kthread+0x337/0x6f0
[ 20.100030] ? trace_preempt_on+0x20/0xc0
[ 20.100063] ? __pfx_kthread+0x10/0x10
[ 20.100094] ? _raw_spin_unlock_irq+0x47/0x80
[ 20.100126] ? calculate_sigpending+0x7b/0xa0
[ 20.100160] ? __pfx_kthread+0x10/0x10
[ 20.100190] ret_from_fork+0x116/0x1d0
[ 20.100221] ? __pfx_kthread+0x10/0x10
[ 20.100293] ret_from_fork_asm+0x1a/0x30
[ 20.100369] </TASK>
[ 20.100388]
[ 20.120957] Allocated by task 254:
[ 20.121276] kasan_save_stack+0x45/0x70
[ 20.121799] kasan_save_track+0x18/0x40
[ 20.122345] kasan_save_alloc_info+0x3b/0x50
[ 20.122927] __kasan_mempool_unpoison_object+0x1a9/0x200
[ 20.123668] remove_element+0x11e/0x190
[ 20.124034] mempool_alloc_preallocated+0x4d/0x90
[ 20.124748] mempool_uaf_helper+0x96/0x400
[ 20.125156] mempool_kmalloc_uaf+0xef/0x140
[ 20.125632] kunit_try_run_case+0x1a5/0x480
[ 20.126030] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.126745] kthread+0x337/0x6f0
[ 20.127025] ret_from_fork+0x116/0x1d0
[ 20.127523] ret_from_fork_asm+0x1a/0x30
[ 20.127960]
[ 20.128205] Freed by task 254:
[ 20.128501] kasan_save_stack+0x45/0x70
[ 20.128884] kasan_save_track+0x18/0x40
[ 20.129637] kasan_save_free_info+0x3f/0x60
[ 20.130149] __kasan_mempool_poison_object+0x131/0x1d0
[ 20.130647] mempool_free+0x2ec/0x380
[ 20.131083] mempool_uaf_helper+0x11a/0x400
[ 20.131448] mempool_kmalloc_uaf+0xef/0x140
[ 20.132035] kunit_try_run_case+0x1a5/0x480
[ 20.132926] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.133295] kthread+0x337/0x6f0
[ 20.133694] ret_from_fork+0x116/0x1d0
[ 20.134157] ret_from_fork_asm+0x1a/0x30
[ 20.134632]
[ 20.134884] The buggy address belongs to the object at ffff888103393f00
[ 20.134884]  which belongs to the cache kmalloc-128 of size 128
[ 20.135755] The buggy address is located 0 bytes inside of
[ 20.135755]  freed 128-byte region [ffff888103393f00, ffff888103393f80)
[ 20.136493]
[ 20.136640] The buggy address belongs to the physical page:
[ 20.137684] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103393
[ 20.138344] flags: 0x200000000000000(node=0|zone=2)
[ 20.140142] page_type: f5(slab)
[ 20.141107] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 20.142354] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 20.142765] page dumped because: kasan: bad access detected
[ 20.145700]
[ 20.146287] Memory state around the buggy address:
[ 20.148246]  ffff888103393e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.149202]  ffff888103393e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.150457] >ffff888103393f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.150959]                    ^
[ 20.151592]  ffff888103393f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.152300]  ffff888103394000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.153015] ==================================================================
[ 20.203728] ==================================================================
[ 20.204800] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 20.205548] Read of size 1 at addr ffff88810383f240 by task kunit_try_catch/258
[ 20.206416]
[ 20.206683] CPU: 1 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT(voluntary)
[ 20.206812] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.206865] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 20.206927] Call Trace:
[ 20.206963] <TASK>
[ 20.207046] dump_stack_lvl+0x73/0xb0
[ 20.207134] print_report+0xd1/0x650
[ 20.207348] ? __virt_addr_valid+0x1db/0x2d0
[ 20.207433] ? mempool_uaf_helper+0x392/0x400
[ 20.207506] ? kasan_complete_mode_report_info+0x64/0x200
[ 20.207591] ? mempool_uaf_helper+0x392/0x400
[ 20.207666] kasan_report+0x141/0x180
[ 20.207739] ? mempool_uaf_helper+0x392/0x400
[ 20.207825] __asan_report_load1_noabort+0x18/0x20
[ 20.207927] mempool_uaf_helper+0x392/0x400
[ 20.208001] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 20.208083] ? __pfx_sched_clock_cpu+0x10/0x10
[ 20.208185] ? finish_task_switch.isra.0+0x153/0x700
[ 20.208402] mempool_slab_uaf+0xea/0x140
[ 20.208477] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 20.208560] ? __pfx_mempool_alloc_slab+0x10/0x10
[ 20.208635] ? __pfx_mempool_free_slab+0x10/0x10
[ 20.208681] ? __pfx_read_tsc+0x10/0x10
[ 20.208714] ? ktime_get_ts64+0x86/0x230
[ 20.208749] kunit_try_run_case+0x1a5/0x480
[ 20.208787] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.208819] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 20.208878] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 20.208920] ? __kthread_parkme+0x82/0x180
[ 20.208949] ? preempt_count_sub+0x50/0x80
[ 20.208982] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.209017] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.209051] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.209085] kthread+0x337/0x6f0
[ 20.209113] ? trace_preempt_on+0x20/0xc0
[ 20.209147] ? __pfx_kthread+0x10/0x10
[ 20.209176] ? _raw_spin_unlock_irq+0x47/0x80
[ 20.209211] ? calculate_sigpending+0x7b/0xa0
[ 20.209248] ? __pfx_kthread+0x10/0x10
[ 20.209279] ret_from_fork+0x116/0x1d0
[ 20.209367] ? __pfx_kthread+0x10/0x10
[ 20.209447] ret_from_fork_asm+0x1a/0x30
[ 20.209541] </TASK>
[ 20.209578]
[ 20.229825] Allocated by task 258:
[ 20.230208] kasan_save_stack+0x45/0x70
[ 20.230673] kasan_save_track+0x18/0x40
[ 20.231134] kasan_save_alloc_info+0x3b/0x50
[ 20.231915] __kasan_mempool_unpoison_object+0x1bb/0x200
[ 20.232475] remove_element+0x11e/0x190
[ 20.232881] mempool_alloc_preallocated+0x4d/0x90
[ 20.233608] mempool_uaf_helper+0x96/0x400
[ 20.233930] mempool_slab_uaf+0xea/0x140
[ 20.234541] kunit_try_run_case+0x1a5/0x480
[ 20.234969] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.236306] kthread+0x337/0x6f0
[ 20.236891] ret_from_fork+0x116/0x1d0
[ 20.237532] ret_from_fork_asm+0x1a/0x30
[ 20.238158]
[ 20.238321] Freed by task 258:
[ 20.238638] kasan_save_stack+0x45/0x70
[ 20.239012] kasan_save_track+0x18/0x40
[ 20.239394] kasan_save_free_info+0x3f/0x60
[ 20.240725] __kasan_mempool_poison_object+0x131/0x1d0
[ 20.241231] mempool_free+0x2ec/0x380
[ 20.241701] mempool_uaf_helper+0x11a/0x400
[ 20.242046] mempool_slab_uaf+0xea/0x140
[ 20.243016] kunit_try_run_case+0x1a5/0x480
[ 20.243380] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.244630] kthread+0x337/0x6f0
[ 20.245138] ret_from_fork+0x116/0x1d0
[ 20.245505] ret_from_fork_asm+0x1a/0x30
[ 20.245864]
[ 20.246066] The buggy address belongs to the object at ffff88810383f240
[ 20.246066]  which belongs to the cache test_cache of size 123
[ 20.247636] The buggy address is located 0 bytes inside of
[ 20.247636]  freed 123-byte region [ffff88810383f240, ffff88810383f2bb)
[ 20.248593]
[ 20.248778] The buggy address belongs to the physical page:
[ 20.249856] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10383f
[ 20.250898] flags: 0x200000000000000(node=0|zone=2)
[ 20.251302] page_type: f5(slab)
[ 20.251792] raw: 0200000000000000 ffff888101db3b40 dead000000000122 0000000000000000
[ 20.252349] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 20.253096] page dumped because: kasan: bad access detected
[ 20.253691]
[ 20.253936] Memory state around the buggy address:
[ 20.254474]  ffff88810383f100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.255035]  ffff88810383f180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.255751] >ffff88810383f200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.256495]                                            ^
[ 20.256883]  ffff88810383f280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.257633]  ffff88810383f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.258584] ==================================================================