Hay
Date
June 19, 2025, 12:07 p.m.

Environment
qemu-arm64
qemu-x86_64

Note: the four KASAN reports below come from the KASAN KUnit self-tests rather than from production code. Every report is raised from mempool_uaf_helper called by mempool_kmalloc_uaf or mempool_slab_uaf, the task is kunit_try_catch, and the kernel is tainted [N]=TEST. Each stack shows the element being taken from the pool via mempool_alloc_preallocated, released with mempool_free, and then read again inside mempool_uaf_helper, which is the use-after-free these tests exist to provoke so that KASAN's detection can be checked. A "slab-use-after-free" report in this context is therefore the expected outcome of the test, not a defect in the mempool implementation; it should not be filed or triaged as a vulnerability. The kmalloc-128 and test_cache variants are the same test exercising both a kmalloc-backed and a slab-cache-backed pool, and both appear on each architecture.

[   32.924118] ==================================================================
[   32.924398] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   32.924511] Read of size 1 at addr fff00000c7744240 by task kunit_try_catch/242
[   32.924777] 
[   32.924963] CPU: 0 UID: 0 PID: 242 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250619 #1 PREEMPT 
[   32.925076] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.925107] Hardware name: linux,dummy-virt (DT)
[   32.925144] Call trace:
[   32.925173]  show_stack+0x20/0x38 (C)
[   32.925238]  dump_stack_lvl+0x8c/0xd0
[   32.925296]  print_report+0x118/0x608
[   32.925349]  kasan_report+0xdc/0x128
[   32.925401]  __asan_report_load1_noabort+0x20/0x30
[   32.926059]  mempool_uaf_helper+0x314/0x340
[   32.926545]  mempool_slab_uaf+0xc0/0x118
[   32.926607]  kunit_try_run_case+0x170/0x3f0
[   32.926665]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.926726]  kthread+0x328/0x630
[   32.926844]  ret_from_fork+0x10/0x20
[   32.926923] 
[   32.926955] Allocated by task 242:
[   32.927024]  kasan_save_stack+0x3c/0x68
[   32.927130]  kasan_save_track+0x20/0x40
[   32.927179]  kasan_save_alloc_info+0x40/0x58
[   32.927233]  __kasan_mempool_unpoison_object+0xbc/0x180
[   32.927642]  remove_element+0x16c/0x1f8
[   32.927700]  mempool_alloc_preallocated+0x58/0xc0
[   32.927909]  mempool_uaf_helper+0xa4/0x340
[   32.928215]  mempool_slab_uaf+0xc0/0x118
[   32.928550]  kunit_try_run_case+0x170/0x3f0
[   32.928628]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.928800]  kthread+0x328/0x630
[   32.929107]  ret_from_fork+0x10/0x20
[   32.929451] 
[   32.929548] Freed by task 242:
[   32.929589]  kasan_save_stack+0x3c/0x68
[   32.929705]  kasan_save_track+0x20/0x40
[   32.929751]  kasan_save_free_info+0x4c/0x78
[   32.929796]  __kasan_mempool_poison_object+0xc0/0x150
[   32.929847]  mempool_free+0x28c/0x328
[   32.929922]  mempool_uaf_helper+0x104/0x340
[   32.929970]  mempool_slab_uaf+0xc0/0x118
[   32.930013]  kunit_try_run_case+0x170/0x3f0
[   32.930073]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.930134]  kthread+0x328/0x630
[   32.930172]  ret_from_fork+0x10/0x20
[   32.930215] 
[   32.930277] The buggy address belongs to the object at fff00000c7744240
[   32.930277]  which belongs to the cache test_cache of size 123
[   32.930350] The buggy address is located 0 bytes inside of
[   32.930350]  freed 123-byte region [fff00000c7744240, fff00000c77442bb)
[   32.930429] 
[   32.930460] The buggy address belongs to the physical page:
[   32.930495] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107744
[   32.930564] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.930626] page_type: f5(slab)
[   32.930678] raw: 0bfffe0000000000 fff00000c76a5280 dead000000000122 0000000000000000
[   32.930736] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   32.930784] page dumped because: kasan: bad access detected
[   32.930824] 
[   32.930847] Memory state around the buggy address:
[   32.930902]  fff00000c7744100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.930982]  fff00000c7744180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.931035] >fff00000c7744200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   32.931079]                                            ^
[   32.931122]  fff00000c7744280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.931202]  fff00000c7744300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.931314] ==================================================================
[   32.887328] ==================================================================
[   32.887434] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   32.887538] Read of size 1 at addr fff00000c649d700 by task kunit_try_catch/238
[   32.887598] 
[   32.887651] CPU: 0 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250619 #1 PREEMPT 
[   32.887758] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.887792] Hardware name: linux,dummy-virt (DT)
[   32.887835] Call trace:
[   32.887864]  show_stack+0x20/0x38 (C)
[   32.887956]  dump_stack_lvl+0x8c/0xd0
[   32.888017]  print_report+0x118/0x608
[   32.888073]  kasan_report+0xdc/0x128
[   32.888125]  __asan_report_load1_noabort+0x20/0x30
[   32.888182]  mempool_uaf_helper+0x314/0x340
[   32.888330]  mempool_kmalloc_uaf+0xc4/0x120
[   32.888411]  kunit_try_run_case+0x170/0x3f0
[   32.888472]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.888531]  kthread+0x328/0x630
[   32.888581]  ret_from_fork+0x10/0x20
[   32.888700] 
[   32.888751] Allocated by task 238:
[   32.888829]  kasan_save_stack+0x3c/0x68
[   32.888892]  kasan_save_track+0x20/0x40
[   32.888940]  kasan_save_alloc_info+0x40/0x58
[   32.888983]  __kasan_mempool_unpoison_object+0x11c/0x180
[   32.889030]  remove_element+0x130/0x1f8
[   32.889075]  mempool_alloc_preallocated+0x58/0xc0
[   32.889154]  mempool_uaf_helper+0xa4/0x340
[   32.889220]  mempool_kmalloc_uaf+0xc4/0x120
[   32.889294]  kunit_try_run_case+0x170/0x3f0
[   32.889363]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.889409]  kthread+0x328/0x630
[   32.889516]  ret_from_fork+0x10/0x20
[   32.889620] 
[   32.889649] Freed by task 238:
[   32.889682]  kasan_save_stack+0x3c/0x68
[   32.889725]  kasan_save_track+0x20/0x40
[   32.889785]  kasan_save_free_info+0x4c/0x78
[   32.889868]  __kasan_mempool_poison_object+0xc0/0x150
[   32.889985]  mempool_free+0x28c/0x328
[   32.890039]  mempool_uaf_helper+0x104/0x340
[   32.890082]  mempool_kmalloc_uaf+0xc4/0x120
[   32.890122]  kunit_try_run_case+0x170/0x3f0
[   32.890174]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.890359]  kthread+0x328/0x630
[   32.890401]  ret_from_fork+0x10/0x20
[   32.890440] 
[   32.890464] The buggy address belongs to the object at fff00000c649d700
[   32.890464]  which belongs to the cache kmalloc-128 of size 128
[   32.890534] The buggy address is located 0 bytes inside of
[   32.890534]  freed 128-byte region [fff00000c649d700, fff00000c649d780)
[   32.890601] 
[   32.890627] The buggy address belongs to the physical page:
[   32.890665] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10649d
[   32.890726] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.890787] page_type: f5(slab)
[   32.890838] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.891115] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.891169] page dumped because: kasan: bad access detected
[   32.891455] 
[   32.891490] Memory state around the buggy address:
[   32.891535]  fff00000c649d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.891869]  fff00000c649d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.891967] >fff00000c649d700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.892013]                    ^
[   32.892237]  fff00000c649d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.892312]  fff00000c649d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.892561] ==================================================================

[   28.753836] ==================================================================
[   28.755082] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   28.755674] Read of size 1 at addr ffff888103777400 by task kunit_try_catch/256
[   28.756321] 
[   28.756583] CPU: 1 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary) 
[   28.756701] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.756732] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   28.756778] Call Trace:
[   28.756799]  <TASK>
[   28.756833]  dump_stack_lvl+0x73/0xb0
[   28.756892]  print_report+0xd1/0x650
[   28.756950]  ? __virt_addr_valid+0x1db/0x2d0
[   28.756991]  ? mempool_uaf_helper+0x392/0x400
[   28.757035]  ? kasan_complete_mode_report_info+0x64/0x200
[   28.757086]  ? mempool_uaf_helper+0x392/0x400
[   28.757201]  kasan_report+0x141/0x180
[   28.757249]  ? mempool_uaf_helper+0x392/0x400
[   28.757294]  __asan_report_load1_noabort+0x18/0x20
[   28.757338]  mempool_uaf_helper+0x392/0x400
[   28.757388]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   28.757436]  ? __pfx_sched_clock_cpu+0x10/0x10
[   28.757488]  ? finish_task_switch.isra.0+0x153/0x700
[   28.757567]  mempool_kmalloc_uaf+0xef/0x140
[   28.757615]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   28.757670]  ? __pfx_mempool_kmalloc+0x10/0x10
[   28.757713]  ? __pfx_mempool_kfree+0x10/0x10
[   28.757743]  ? __pfx_read_tsc+0x10/0x10
[   28.757767]  ? ktime_get_ts64+0x86/0x230
[   28.757795]  kunit_try_run_case+0x1a5/0x480
[   28.757825]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.757856]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   28.757927]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   28.757978]  ? __kthread_parkme+0x82/0x180
[   28.758021]  ? preempt_count_sub+0x50/0x80
[   28.758097]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.758156]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.758207]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   28.758252]  kthread+0x337/0x6f0
[   28.758294]  ? trace_preempt_on+0x20/0xc0
[   28.758362]  ? __pfx_kthread+0x10/0x10
[   28.758408]  ? _raw_spin_unlock_irq+0x47/0x80
[   28.758453]  ? calculate_sigpending+0x7b/0xa0
[   28.758499]  ? __pfx_kthread+0x10/0x10
[   28.758541]  ret_from_fork+0x116/0x1d0
[   28.758577]  ? __pfx_kthread+0x10/0x10
[   28.758603]  ret_from_fork_asm+0x1a/0x30
[   28.758635]  </TASK>
[   28.758648] 
[   28.768510] Allocated by task 256:
[   28.768746]  kasan_save_stack+0x45/0x70
[   28.769018]  kasan_save_track+0x18/0x40
[   28.769206]  kasan_save_alloc_info+0x3b/0x50
[   28.769487]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   28.769929]  remove_element+0x11e/0x190
[   28.770278]  mempool_alloc_preallocated+0x4d/0x90
[   28.770675]  mempool_uaf_helper+0x96/0x400
[   28.770924]  mempool_kmalloc_uaf+0xef/0x140
[   28.771252]  kunit_try_run_case+0x1a5/0x480
[   28.771532]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.771794]  kthread+0x337/0x6f0
[   28.772086]  ret_from_fork+0x116/0x1d0
[   28.772286]  ret_from_fork_asm+0x1a/0x30
[   28.772470] 
[   28.772570] Freed by task 256:
[   28.772721]  kasan_save_stack+0x45/0x70
[   28.772928]  kasan_save_track+0x18/0x40
[   28.773114]  kasan_save_free_info+0x3f/0x60
[   28.773302]  __kasan_mempool_poison_object+0x131/0x1d0
[   28.773727]  mempool_free+0x2ec/0x380
[   28.774088]  mempool_uaf_helper+0x11a/0x400
[   28.774460]  mempool_kmalloc_uaf+0xef/0x140
[   28.774817]  kunit_try_run_case+0x1a5/0x480
[   28.775204]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.775655]  kthread+0x337/0x6f0
[   28.775983]  ret_from_fork+0x116/0x1d0
[   28.776334]  ret_from_fork_asm+0x1a/0x30
[   28.776673] 
[   28.776848] The buggy address belongs to the object at ffff888103777400
[   28.776848]  which belongs to the cache kmalloc-128 of size 128
[   28.777635] The buggy address is located 0 bytes inside of
[   28.777635]  freed 128-byte region [ffff888103777400, ffff888103777480)
[   28.778060] 
[   28.778177] The buggy address belongs to the physical page:
[   28.778390] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103777
[   28.778828] flags: 0x200000000000000(node=0|zone=2)
[   28.779296] page_type: f5(slab)
[   28.779608] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   28.780235] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.780806] page dumped because: kasan: bad access detected
[   28.781263] 
[   28.781427] Memory state around the buggy address:
[   28.781683]  ffff888103777300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.781983]  ffff888103777380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.782442] >ffff888103777400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.782989]                    ^
[   28.783309]  ffff888103777480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.783629]  ffff888103777500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.783891] ==================================================================
[   28.827938] ==================================================================
[   28.828589] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   28.829219] Read of size 1 at addr ffff8881024da240 by task kunit_try_catch/260
[   28.829724] 
[   28.829895] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary) 
[   28.829984] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.830000] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   28.830026] Call Trace:
[   28.830044]  <TASK>
[   28.830072]  dump_stack_lvl+0x73/0xb0
[   28.830248]  print_report+0xd1/0x650
[   28.830309]  ? __virt_addr_valid+0x1db/0x2d0
[   28.830356]  ? mempool_uaf_helper+0x392/0x400
[   28.830394]  ? kasan_complete_mode_report_info+0x64/0x200
[   28.830449]  ? mempool_uaf_helper+0x392/0x400
[   28.830496]  kasan_report+0x141/0x180
[   28.830542]  ? mempool_uaf_helper+0x392/0x400
[   28.830601]  __asan_report_load1_noabort+0x18/0x20
[   28.830656]  mempool_uaf_helper+0x392/0x400
[   28.830707]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   28.830764]  ? __pfx_sched_clock_cpu+0x10/0x10
[   28.830816]  ? finish_task_switch.isra.0+0x153/0x700
[   28.830870]  mempool_slab_uaf+0xea/0x140
[   28.830913]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   28.831019]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   28.831126]  ? __pfx_mempool_free_slab+0x10/0x10
[   28.831210]  ? __pfx_read_tsc+0x10/0x10
[   28.831255]  ? ktime_get_ts64+0x86/0x230
[   28.831312]  kunit_try_run_case+0x1a5/0x480
[   28.831369]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.831417]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   28.831453]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   28.831478]  ? __kthread_parkme+0x82/0x180
[   28.831500]  ? preempt_count_sub+0x50/0x80
[   28.831526]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.831550]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.831576]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   28.831599]  kthread+0x337/0x6f0
[   28.831620]  ? trace_preempt_on+0x20/0xc0
[   28.831645]  ? __pfx_kthread+0x10/0x10
[   28.831666]  ? _raw_spin_unlock_irq+0x47/0x80
[   28.831689]  ? calculate_sigpending+0x7b/0xa0
[   28.831715]  ? __pfx_kthread+0x10/0x10
[   28.831738]  ret_from_fork+0x116/0x1d0
[   28.831758]  ? __pfx_kthread+0x10/0x10
[   28.831780]  ret_from_fork_asm+0x1a/0x30
[   28.831812]  </TASK>
[   28.831825] 
[   28.846024] Allocated by task 260:
[   28.848463]  kasan_save_stack+0x45/0x70
[   28.848736]  kasan_save_track+0x18/0x40
[   28.849188]  kasan_save_alloc_info+0x3b/0x50
[   28.849418]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   28.849768]  remove_element+0x11e/0x190
[   28.850222]  mempool_alloc_preallocated+0x4d/0x90
[   28.850456]  mempool_uaf_helper+0x96/0x400
[   28.850627]  mempool_slab_uaf+0xea/0x140
[   28.851052]  kunit_try_run_case+0x1a5/0x480
[   28.851280]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.851806]  kthread+0x337/0x6f0
[   28.852336]  ret_from_fork+0x116/0x1d0
[   28.852522]  ret_from_fork_asm+0x1a/0x30
[   28.852848] 
[   28.853004] Freed by task 260:
[   28.853285]  kasan_save_stack+0x45/0x70
[   28.853503]  kasan_save_track+0x18/0x40
[   28.853769]  kasan_save_free_info+0x3f/0x60
[   28.854787]  __kasan_mempool_poison_object+0x131/0x1d0
[   28.855223]  mempool_free+0x2ec/0x380
[   28.855411]  mempool_uaf_helper+0x11a/0x400
[   28.855583]  mempool_slab_uaf+0xea/0x140
[   28.856501]  kunit_try_run_case+0x1a5/0x480
[   28.856912]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.857341]  kthread+0x337/0x6f0
[   28.857632]  ret_from_fork+0x116/0x1d0
[   28.857863]  ret_from_fork_asm+0x1a/0x30
[   28.858209] 
[   28.858321] The buggy address belongs to the object at ffff8881024da240
[   28.858321]  which belongs to the cache test_cache of size 123
[   28.859556] The buggy address is located 0 bytes inside of
[   28.859556]  freed 123-byte region [ffff8881024da240, ffff8881024da2bb)
[   28.859993] 
[   28.860158] The buggy address belongs to the physical page:
[   28.860595] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024da
[   28.861474] flags: 0x200000000000000(node=0|zone=2)
[   28.861775] page_type: f5(slab)
[   28.861933] raw: 0200000000000000 ffff88810376a280 dead000000000122 0000000000000000
[   28.862650] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   28.863202] page dumped because: kasan: bad access detected
[   28.863674] 
[   28.863861] Memory state around the buggy address:
[   28.864324]  ffff8881024da100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.864648]  ffff8881024da180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.865469] >ffff8881024da200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   28.866087]                                            ^
[   28.866793]  ffff8881024da280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.867207]  ffff8881024da300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.867858] ==================================================================