Date
June 18, 2025, 6:43 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 22.807180] ================================================================== [ 22.807434] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 22.807605] Read of size 1 at addr fff00000c6063240 by task kunit_try_catch/241 [ 22.807719] [ 22.807846] CPU: 0 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc2-next-20250618 #1 PREEMPT [ 22.808233] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 22.808304] Hardware name: linux,dummy-virt (DT) [ 22.808375] Call trace: [ 22.808424] show_stack+0x20/0x38 (C) [ 22.808548] dump_stack_lvl+0x8c/0xd0 [ 22.808667] print_report+0x118/0x608 [ 22.808779] kasan_report+0xdc/0x128 [ 22.808887] __asan_report_load1_noabort+0x20/0x30 [ 22.809001] mempool_uaf_helper+0x314/0x340 [ 22.809128] mempool_slab_uaf+0xc0/0x118 [ 22.809230] kunit_try_run_case+0x170/0x3f0 [ 22.809342] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.809463] kthread+0x328/0x630 [ 22.809559] ret_from_fork+0x10/0x20 [ 22.809670] [ 22.809716] Allocated by task 241: [ 22.809777] kasan_save_stack+0x3c/0x68 [ 22.809872] kasan_save_track+0x20/0x40 [ 22.809955] kasan_save_alloc_info+0x40/0x58 [ 22.811268] __kasan_mempool_unpoison_object+0xbc/0x180 [ 22.811501] remove_element+0x16c/0x1f8 [ 22.811988] mempool_alloc_preallocated+0x58/0xc0 [ 22.812186] mempool_uaf_helper+0xa4/0x340 [ 22.812718] mempool_slab_uaf+0xc0/0x118 [ 22.812835] kunit_try_run_case+0x170/0x3f0 [ 22.812971] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.813123] kthread+0x328/0x630 [ 22.813212] ret_from_fork+0x10/0x20 [ 22.813610] [ 22.813656] Freed by task 241: [ 22.813722] kasan_save_stack+0x3c/0x68 [ 22.813806] kasan_save_track+0x20/0x40 [ 22.813885] kasan_save_free_info+0x4c/0x78 [ 22.813963] __kasan_mempool_poison_object+0xc0/0x150 [ 22.814068] mempool_free+0x28c/0x328 [ 22.814144] mempool_uaf_helper+0x104/0x340 [ 22.814224] mempool_slab_uaf+0xc0/0x118 [ 22.814813] kunit_try_run_case+0x170/0x3f0 [ 22.814918] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.815305] kthread+0x328/0x630 [ 22.815440] ret_from_fork+0x10/0x20 [ 22.815734] [ 22.815797] The buggy address belongs to the object at fff00000c6063240 [ 22.815797] which belongs to the cache test_cache of size 123 [ 22.816153] The buggy address is located 0 bytes inside of [ 22.816153] freed 123-byte region [fff00000c6063240, fff00000c60632bb) [ 22.816501] [ 22.816560] The buggy address belongs to the physical page: [ 22.816899] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106063 [ 22.817034] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 22.817369] page_type: f5(slab) [ 22.817473] raw: 0bfffe0000000000 fff00000c7790280 dead000000000122 0000000000000000 [ 22.817602] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 22.818012] page dumped because: kasan: bad access detected [ 22.818309] [ 22.818350] Memory state around the buggy address: [ 22.818651] fff00000c6063100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 22.819032] fff00000c6063180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 22.819158] >fff00000c6063200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 22.819242] ^ [ 22.819607] fff00000c6063280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 22.819758] fff00000c6063300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.819856] ================================================================== [ 22.733432] ================================================================== [ 22.733630] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 22.733782] Read of size 1 at addr fff00000c7791300 by task kunit_try_catch/237 [ 22.733894] [ 22.733974] CPU: 0 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc2-next-20250618 #1 PREEMPT [ 22.734272] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 22.734379] Hardware name: linux,dummy-virt (DT) [ 22.734471] Call trace: [ 22.734554] show_stack+0x20/0x38 (C) [ 22.734688] dump_stack_lvl+0x8c/0xd0 [ 22.734778] print_report+0x118/0x608 [ 22.735072] kasan_report+0xdc/0x128 [ 22.735183] __asan_report_load1_noabort+0x20/0x30 [ 22.735352] mempool_uaf_helper+0x314/0x340 [ 22.735500] mempool_kmalloc_uaf+0xc4/0x120 [ 22.735645] kunit_try_run_case+0x170/0x3f0 [ 22.735767] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.735892] kthread+0x328/0x630 [ 22.736032] ret_from_fork+0x10/0x20 [ 22.736137] [ 22.736179] Allocated by task 237: [ 22.736240] kasan_save_stack+0x3c/0x68 [ 22.736361] kasan_save_track+0x20/0x40 [ 22.736443] kasan_save_alloc_info+0x40/0x58 [ 22.736546] __kasan_mempool_unpoison_object+0x11c/0x180 [ 22.736697] remove_element+0x130/0x1f8 [ 22.736789] mempool_alloc_preallocated+0x58/0xc0 [ 22.736876] mempool_uaf_helper+0xa4/0x340 [ 22.736954] mempool_kmalloc_uaf+0xc4/0x120 [ 22.737087] kunit_try_run_case+0x170/0x3f0 [ 22.737227] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.737347] kthread+0x328/0x630 [ 22.737425] ret_from_fork+0x10/0x20 [ 22.737504] [ 22.737547] Freed by task 237: [ 22.737610] kasan_save_stack+0x3c/0x68 [ 22.737705] kasan_save_track+0x20/0x40 [ 22.737819] kasan_save_free_info+0x4c/0x78 [ 22.737904] __kasan_mempool_poison_object+0xc0/0x150 [ 22.738027] mempool_free+0x28c/0x328 [ 22.738112] mempool_uaf_helper+0x104/0x340 [ 22.738187] mempool_kmalloc_uaf+0xc4/0x120 [ 22.738321] kunit_try_run_case+0x170/0x3f0 [ 22.738413] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.738504] kthread+0x328/0x630 [ 22.738573] ret_from_fork+0x10/0x20 [ 22.738654] [ 22.738723] The buggy address belongs to the object at fff00000c7791300 [ 22.738723] which belongs to the cache kmalloc-128 of size 128 [ 22.738891] The buggy address is located 0 bytes inside of [ 22.738891] freed 128-byte region [fff00000c7791300, fff00000c7791380) [ 22.739106] [ 22.739170] The buggy address belongs to the physical page: [ 22.739242] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107791 [ 22.739360] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 22.739457] page_type: f5(slab) [ 22.739562] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 22.739671] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 22.739753] page dumped because: kasan: bad access detected [ 22.739819] [ 22.739853] Memory state around the buggy address: [ 22.740266] fff00000c7791200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 22.740410] fff00000c7791280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.740834] >fff00000c7791300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 22.741011] ^ [ 22.741135] fff00000c7791380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.741375] fff00000c7791400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 22.741476] ==================================================================
[ 12.630043] ================================================================== [ 12.630956] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 12.631202] Read of size 1 at addr ffff8881038fb200 by task kunit_try_catch/253 [ 12.633034] [ 12.633702] CPU: 1 UID: 0 PID: 253 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) [ 12.633763] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.633777] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.633802] Call Trace: [ 12.633816] <TASK> [ 12.633832] dump_stack_lvl+0x73/0xb0 [ 12.633871] print_report+0xd1/0x650 [ 12.633893] ? __virt_addr_valid+0x1db/0x2d0 [ 12.633917] ? mempool_uaf_helper+0x392/0x400 [ 12.633938] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.633963] ? mempool_uaf_helper+0x392/0x400 [ 12.633984] kasan_report+0x141/0x180 [ 12.634005] ? mempool_uaf_helper+0x392/0x400 [ 12.634029] __asan_report_load1_noabort+0x18/0x20 [ 12.634052] mempool_uaf_helper+0x392/0x400 [ 12.634073] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 12.634095] ? __kasan_check_write+0x18/0x20 [ 12.634117] ? __pfx_sched_clock_cpu+0x10/0x10 [ 12.634139] ? irqentry_exit+0x2a/0x60 [ 12.634160] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 12.634340] mempool_kmalloc_uaf+0xef/0x140 [ 12.634364] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 12.634388] ? __pfx_mempool_kmalloc+0x10/0x10 [ 12.634411] ? __pfx_mempool_kfree+0x10/0x10 [ 12.634434] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 12.634457] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 12.634480] kunit_try_run_case+0x1a5/0x480 [ 12.634505] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.634526] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.634548] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.634569] ? __kthread_parkme+0x82/0x180 [ 12.634590] ? preempt_count_sub+0x50/0x80 [ 12.634612] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.634634] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.634656] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.634678] kthread+0x337/0x6f0 [ 12.634697] ? trace_preempt_on+0x20/0xc0 [ 12.634719] ? __pfx_kthread+0x10/0x10 [ 12.634739] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.634758] ? calculate_sigpending+0x7b/0xa0 [ 12.634782] ? __pfx_kthread+0x10/0x10 [ 12.634801] ret_from_fork+0x116/0x1d0 [ 12.634821] ? __pfx_kthread+0x10/0x10 [ 12.634841] ret_from_fork_asm+0x1a/0x30 [ 12.634871] </TASK> [ 12.634882] [ 12.647905] Allocated by task 253: [ 12.648090] kasan_save_stack+0x45/0x70 [ 12.648530] kasan_save_track+0x18/0x40 [ 12.648882] kasan_save_alloc_info+0x3b/0x50 [ 12.649108] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 12.649550] remove_element+0x11e/0x190 [ 12.649889] mempool_alloc_preallocated+0x4d/0x90 [ 12.650260] mempool_uaf_helper+0x96/0x400 [ 12.650641] mempool_kmalloc_uaf+0xef/0x140 [ 12.650855] kunit_try_run_case+0x1a5/0x480 [ 12.651153] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.651426] kthread+0x337/0x6f0 [ 12.651789] ret_from_fork+0x116/0x1d0 [ 12.651993] ret_from_fork_asm+0x1a/0x30 [ 12.652329] [ 12.652424] Freed by task 253: [ 12.652622] kasan_save_stack+0x45/0x70 [ 12.652957] kasan_save_track+0x18/0x40 [ 12.653151] kasan_save_free_info+0x3f/0x60 [ 12.653310] __kasan_mempool_poison_object+0x131/0x1d0 [ 12.653671] mempool_free+0x2ec/0x380 [ 12.653831] mempool_uaf_helper+0x11a/0x400 [ 12.654032] mempool_kmalloc_uaf+0xef/0x140 [ 12.654363] kunit_try_run_case+0x1a5/0x480 [ 12.654859] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.655160] kthread+0x337/0x6f0 [ 12.655298] ret_from_fork+0x116/0x1d0 [ 12.655478] ret_from_fork_asm+0x1a/0x30 [ 12.655943] [ 12.656048] The buggy address belongs to the object at ffff8881038fb200 [ 12.656048] which belongs to the cache kmalloc-128 of size 128 [ 12.656880] The buggy address is located 0 bytes inside of [ 12.656880] freed 128-byte region [ffff8881038fb200, ffff8881038fb280) [ 12.657451] [ 12.657731] The buggy address belongs to the physical page: [ 12.657969] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038fb [ 12.658576] flags: 0x200000000000000(node=0|zone=2) [ 12.658862] page_type: f5(slab) [ 12.659028] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.659550] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.659819] page dumped because: kasan: bad access detected [ 12.660187] [ 12.660353] Memory state around the buggy address: [ 12.660648] ffff8881038fb100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.660955] ffff8881038fb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.661248] >ffff8881038fb200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.661527] ^ [ 12.661659] ffff8881038fb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.661937] ffff8881038fb300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 12.662631] ================================================================== [ 12.697991] ================================================================== [ 12.698913] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 12.699172] Read of size 1 at addr ffff88810262f240 by task kunit_try_catch/257 [ 12.699404] [ 12.700227] CPU: 0 UID: 0 PID: 257 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) [ 12.700283] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.700296] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.700319] Call Trace: [ 12.700333] <TASK> [ 12.700349] dump_stack_lvl+0x73/0xb0 [ 12.700381] print_report+0xd1/0x650 [ 12.700404] ? __virt_addr_valid+0x1db/0x2d0 [ 12.700427] ? mempool_uaf_helper+0x392/0x400 [ 12.700449] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.700475] ? mempool_uaf_helper+0x392/0x400 [ 12.700497] kasan_report+0x141/0x180 [ 12.700519] ? mempool_uaf_helper+0x392/0x400 [ 12.700546] __asan_report_load1_noabort+0x18/0x20 [ 12.700570] mempool_uaf_helper+0x392/0x400 [ 12.700593] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 12.700615] ? update_load_avg+0x1be/0x21b0 [ 12.700643] ? finish_task_switch.isra.0+0x153/0x700 [ 12.700675] mempool_slab_uaf+0xea/0x140 [ 12.700698] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 12.700724] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 12.700749] ? __pfx_mempool_free_slab+0x10/0x10 [ 12.700775] ? __pfx_read_tsc+0x10/0x10 [ 12.700798] ? ktime_get_ts64+0x86/0x230 [ 12.700824] kunit_try_run_case+0x1a5/0x480 [ 12.700849] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.700873] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.700897] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.700920] ? __kthread_parkme+0x82/0x180 [ 12.700941] ? preempt_count_sub+0x50/0x80 [ 12.700964] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.700989] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.701013] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.701038] kthread+0x337/0x6f0 [ 12.701057] ? trace_preempt_on+0x20/0xc0 [ 12.701080] ? __pfx_kthread+0x10/0x10 [ 12.701101] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.701122] ? calculate_sigpending+0x7b/0xa0 [ 12.701145] ? __pfx_kthread+0x10/0x10 [ 12.701167] ret_from_fork+0x116/0x1d0 [ 12.701185] ? __pfx_kthread+0x10/0x10 [ 12.701214] ret_from_fork_asm+0x1a/0x30 [ 12.701243] </TASK> [ 12.701255] [ 12.711375] Allocated by task 257: [ 12.711592] kasan_save_stack+0x45/0x70 [ 12.711822] kasan_save_track+0x18/0x40 [ 12.712001] kasan_save_alloc_info+0x3b/0x50 [ 12.712243] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 12.712509] remove_element+0x11e/0x190 [ 12.712850] mempool_alloc_preallocated+0x4d/0x90 [ 12.713015] mempool_uaf_helper+0x96/0x400 [ 12.713178] mempool_slab_uaf+0xea/0x140 [ 12.713380] kunit_try_run_case+0x1a5/0x480 [ 12.713847] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.714085] kthread+0x337/0x6f0 [ 12.714194] ret_from_fork+0x116/0x1d0 [ 12.714329] ret_from_fork_asm+0x1a/0x30 [ 12.714457] [ 12.714520] Freed by task 257: [ 12.714747] kasan_save_stack+0x45/0x70 [ 12.714969] kasan_save_track+0x18/0x40 [ 12.715248] kasan_save_free_info+0x3f/0x60 [ 12.715513] __kasan_mempool_poison_object+0x131/0x1d0 [ 12.715828] mempool_free+0x2ec/0x380 [ 12.716152] mempool_uaf_helper+0x11a/0x400 [ 12.716377] mempool_slab_uaf+0xea/0x140 [ 12.716606] kunit_try_run_case+0x1a5/0x480 [ 12.716752] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.716952] kthread+0x337/0x6f0 [ 12.717151] ret_from_fork+0x116/0x1d0 [ 12.717385] ret_from_fork_asm+0x1a/0x30 [ 12.717648] [ 12.717914] The buggy address belongs to the object at ffff88810262f240 [ 12.717914] which belongs to the cache test_cache of size 123 [ 12.718574] The buggy address is located 0 bytes inside of [ 12.718574] freed 123-byte region [ffff88810262f240, ffff88810262f2bb) [ 12.719080] [ 12.719198] The buggy address belongs to the physical page: [ 12.719544] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10262f [ 12.719803] flags: 0x200000000000000(node=0|zone=2) [ 12.719954] page_type: f5(slab) [ 12.720071] raw: 0200000000000000 ffff888102626280 dead000000000122 0000000000000000 [ 12.720689] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 12.721002] page dumped because: kasan: bad access detected [ 12.721352] [ 12.721420] Memory state around the buggy address: [ 12.721565] ffff88810262f100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 12.721766] ffff88810262f180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.721965] >ffff88810262f200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 12.722309] ^ [ 12.722662] ffff88810262f280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 12.723196] ffff88810262f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.723770] ==================================================================