Date
June 20, 2025, 12:38 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 34.619311] ================================================================== [ 34.619485] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 34.619581] Read of size 1 at addr fff00000c7686240 by task kunit_try_catch/242 [ 34.619965] [ 34.620232] CPU: 1 UID: 0 PID: 242 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT [ 34.621199] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.621302] Hardware name: linux,dummy-virt (DT) [ 34.621395] Call trace: [ 34.621461] show_stack+0x20/0x38 (C) [ 34.621603] dump_stack_lvl+0x8c/0xd0 [ 34.621731] print_report+0x118/0x608 [ 34.621968] kasan_report+0xdc/0x128 [ 34.622373] __asan_report_load1_noabort+0x20/0x30 [ 34.622591] mempool_uaf_helper+0x314/0x340 [ 34.622882] mempool_slab_uaf+0xc0/0x118 [ 34.622988] kunit_try_run_case+0x170/0x3f0 [ 34.623769] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.624072] kthread+0x328/0x630 [ 34.624277] ret_from_fork+0x10/0x20 [ 34.624542] [ 34.624662] Allocated by task 242: [ 34.624735] kasan_save_stack+0x3c/0x68 [ 34.624943] kasan_save_track+0x20/0x40 [ 34.625126] kasan_save_alloc_info+0x40/0x58 [ 34.625314] __kasan_mempool_unpoison_object+0xbc/0x180 [ 34.625653] remove_element+0x16c/0x1f8 [ 34.625813] mempool_alloc_preallocated+0x58/0xc0 [ 34.625984] mempool_uaf_helper+0xa4/0x340 [ 34.626178] mempool_slab_uaf+0xc0/0x118 [ 34.626361] kunit_try_run_case+0x170/0x3f0 [ 34.626757] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.626894] kthread+0x328/0x630 [ 34.626969] ret_from_fork+0x10/0x20 [ 34.627015] [ 34.627040] Freed by task 242: [ 34.627076] kasan_save_stack+0x3c/0x68 [ 34.627120] kasan_save_track+0x20/0x40 [ 34.627164] kasan_save_free_info+0x4c/0x78 [ 34.627209] __kasan_mempool_poison_object+0xc0/0x150 [ 34.627256] mempool_free+0x28c/0x328 [ 34.627296] mempool_uaf_helper+0x104/0x340 [ 34.627339] mempool_slab_uaf+0xc0/0x118 [ 34.627379] kunit_try_run_case+0x170/0x3f0 [ 34.627441] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.627503] kthread+0x328/0x630 [ 34.627540] ret_from_fork+0x10/0x20 [ 34.627581] [ 34.627606] The buggy address belongs to the object at fff00000c7686240 [ 34.627606] which belongs to the cache test_cache of size 123 [ 34.627896] The buggy address is located 0 bytes inside of [ 34.627896] freed 123-byte region [fff00000c7686240, fff00000c76862bb) [ 34.628224] [ 34.628282] The buggy address belongs to the physical page: [ 34.628738] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107686 [ 34.629012] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.629436] page_type: f5(slab) [ 34.629589] raw: 0bfffe0000000000 fff00000c59f3500 dead000000000122 0000000000000000 [ 34.629927] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 34.630064] page dumped because: kasan: bad access detected [ 34.630157] [ 34.630922] Memory state around the buggy address: [ 34.631259] fff00000c7686100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.632149] fff00000c7686180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.632352] >fff00000c7686200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 34.632816] ^ [ 34.632929] fff00000c7686280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.633043] fff00000c7686300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.633123] ================================================================== [ 34.558589] ================================================================== [ 34.558813] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 34.558991] Read of size 1 at addr fff00000c59fb300 by task kunit_try_catch/238 [ 34.559130] [ 34.559231] CPU: 1 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT [ 34.559492] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.559564] Hardware name: linux,dummy-virt (DT) [ 34.559653] Call trace: [ 34.559714] show_stack+0x20/0x38 (C) [ 34.559835] dump_stack_lvl+0x8c/0xd0 [ 34.559967] print_report+0x118/0x608 [ 34.560082] kasan_report+0xdc/0x128 [ 34.560189] __asan_report_load1_noabort+0x20/0x30 [ 34.560835] mempool_uaf_helper+0x314/0x340 [ 34.561009] mempool_kmalloc_uaf+0xc4/0x120 [ 34.561175] kunit_try_run_case+0x170/0x3f0 [ 34.561324] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.561450] kthread+0x328/0x630 [ 34.561550] ret_from_fork+0x10/0x20 [ 34.561670] [ 34.561711] Allocated by task 238: [ 34.561779] kasan_save_stack+0x3c/0x68 [ 34.561866] kasan_save_track+0x20/0x40 [ 34.561973] kasan_save_alloc_info+0x40/0x58 [ 34.562061] __kasan_mempool_unpoison_object+0x11c/0x180 [ 34.562356] remove_element+0x130/0x1f8 [ 34.562467] mempool_alloc_preallocated+0x58/0xc0 [ 34.562572] mempool_uaf_helper+0xa4/0x340 [ 34.562727] mempool_kmalloc_uaf+0xc4/0x120 [ 34.562834] kunit_try_run_case+0x170/0x3f0 [ 34.562929] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.563052] kthread+0x328/0x630 [ 34.563179] ret_from_fork+0x10/0x20 [ 34.563310] [ 34.563378] Freed by task 238: [ 34.563501] kasan_save_stack+0x3c/0x68 [ 34.564004] kasan_save_track+0x20/0x40 [ 34.564122] kasan_save_free_info+0x4c/0x78 [ 34.564224] __kasan_mempool_poison_object+0xc0/0x150 [ 34.564783] mempool_free+0x28c/0x328 [ 34.564924] mempool_uaf_helper+0x104/0x340 [ 34.565092] mempool_kmalloc_uaf+0xc4/0x120 [ 34.565256] kunit_try_run_case+0x170/0x3f0 [ 34.565346] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.565447] kthread+0x328/0x630 [ 34.565530] ret_from_fork+0x10/0x20 [ 34.565857] [ 34.565910] The buggy address belongs to the object at fff00000c59fb300 [ 34.565910] which belongs to the cache kmalloc-128 of size 128 [ 34.566122] The buggy address is located 0 bytes inside of [ 34.566122] freed 128-byte region [fff00000c59fb300, fff00000c59fb380) [ 34.566340] [ 34.566402] The buggy address belongs to the physical page: [ 34.566527] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059fb [ 34.566719] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.566862] page_type: f5(slab) [ 34.566963] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 34.567100] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 34.567213] page dumped because: kasan: bad access detected [ 34.567298] [ 34.567350] Memory state around the buggy address: [ 34.567488] fff00000c59fb200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.567645] fff00000c59fb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.567753] >fff00000c59fb300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.567895] ^ [ 34.568052] fff00000c59fb380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.568407] fff00000c59fb400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.568765] ==================================================================
[ 27.369935] ================================================================== [ 27.371075] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 27.371317] Read of size 1 at addr ffff8881024dd240 by task kunit_try_catch/260 [ 27.371491] [ 27.371583] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary) [ 27.371644] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.371658] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.371683] Call Trace: [ 27.371700] <TASK> [ 27.371722] dump_stack_lvl+0x73/0xb0 [ 27.371755] print_report+0xd1/0x650 [ 27.371779] ? __virt_addr_valid+0x1db/0x2d0 [ 27.371804] ? mempool_uaf_helper+0x392/0x400 [ 27.371826] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.371853] ? mempool_uaf_helper+0x392/0x400 [ 27.371877] kasan_report+0x141/0x180 [ 27.371899] ? mempool_uaf_helper+0x392/0x400 [ 27.371926] __asan_report_load1_noabort+0x18/0x20 [ 27.371951] mempool_uaf_helper+0x392/0x400 [ 27.371974] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 27.372000] ? __pfx_sched_clock_cpu+0x10/0x10 [ 27.372024] ? finish_task_switch.isra.0+0x153/0x700 [ 27.372051] mempool_slab_uaf+0xea/0x140 [ 27.372076] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 27.372102] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 27.372127] ? __pfx_mempool_free_slab+0x10/0x10 [ 27.372166] ? __pfx_read_tsc+0x10/0x10 [ 27.372204] ? ktime_get_ts64+0x86/0x230 [ 27.372249] kunit_try_run_case+0x1a5/0x480 [ 27.372293] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.372337] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 27.372378] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.372427] ? __kthread_parkme+0x82/0x180 [ 27.372485] ? preempt_count_sub+0x50/0x80 [ 27.372537] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.372589] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.372639] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.372679] kthread+0x337/0x6f0 [ 27.372714] ? trace_preempt_on+0x20/0xc0 [ 27.372751] ? __pfx_kthread+0x10/0x10 [ 27.372787] ? _raw_spin_unlock_irq+0x47/0x80 [ 27.372828] ? calculate_sigpending+0x7b/0xa0 [ 27.372872] ? __pfx_kthread+0x10/0x10 [ 27.372918] ret_from_fork+0x116/0x1d0 [ 27.372961] ? __pfx_kthread+0x10/0x10 [ 27.373006] ret_from_fork_asm+0x1a/0x30 [ 27.373077] </TASK> [ 27.373104] [ 27.382387] Allocated by task 260: [ 27.382735] kasan_save_stack+0x45/0x70 [ 27.383109] kasan_save_track+0x18/0x40 [ 27.383454] kasan_save_alloc_info+0x3b/0x50 [ 27.384344] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 27.384854] remove_element+0x11e/0x190 [ 27.386572] mempool_alloc_preallocated+0x4d/0x90 [ 27.387054] mempool_uaf_helper+0x96/0x400 [ 27.387553] mempool_slab_uaf+0xea/0x140 [ 27.387752] kunit_try_run_case+0x1a5/0x480 [ 27.387949] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.388166] kthread+0x337/0x6f0 [ 27.388315] ret_from_fork+0x116/0x1d0 [ 27.388500] ret_from_fork_asm+0x1a/0x30 [ 27.388812] [ 27.388982] Freed by task 260: [ 27.389251] kasan_save_stack+0x45/0x70 [ 27.389723] kasan_save_track+0x18/0x40 [ 27.390052] kasan_save_free_info+0x3f/0x60 [ 27.391232] __kasan_mempool_poison_object+0x131/0x1d0 [ 27.391703] mempool_free+0x2ec/0x380 [ 27.391901] mempool_uaf_helper+0x11a/0x400 [ 27.392067] mempool_slab_uaf+0xea/0x140 [ 27.392397] kunit_try_run_case+0x1a5/0x480 [ 27.392768] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.393045] kthread+0x337/0x6f0 [ 27.393232] ret_from_fork+0x116/0x1d0 [ 27.393556] ret_from_fork_asm+0x1a/0x30 [ 27.393877] [ 27.393982] The buggy address belongs to the object at ffff8881024dd240 [ 27.393982] which belongs to the cache test_cache of size 123 [ 27.394722] The buggy address is located 0 bytes inside of [ 27.394722] freed 123-byte region [ffff8881024dd240, ffff8881024dd2bb) [ 27.395384] [ 27.395594] The buggy address belongs to the physical page: [ 27.395891] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024dd [ 27.396382] flags: 0x200000000000000(node=0|zone=2) [ 27.396685] page_type: f5(slab) [ 27.396860] raw: 0200000000000000 ffff888101a688c0 dead000000000122 0000000000000000 [ 27.397135] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 27.397722] page dumped because: kasan: bad access detected [ 27.398108] [ 27.398303] Memory state around the buggy address: [ 27.398578] ffff8881024dd100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.399011] ffff8881024dd180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.399492] >ffff8881024dd200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 27.399892] ^ [ 27.400251] ffff8881024dd280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.400529] ffff8881024dd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.400860] ================================================================== [ 27.281968] ================================================================== [ 27.282589] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 27.283788] Read of size 1 at addr ffff88810232a600 by task kunit_try_catch/256 [ 27.284638] [ 27.285285] CPU: 0 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary) [ 27.285406] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.285432] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.285491] Call Trace: [ 27.285521] <TASK> [ 27.285554] dump_stack_lvl+0x73/0xb0 [ 27.285623] print_report+0xd1/0x650 [ 27.285664] ? __virt_addr_valid+0x1db/0x2d0 [ 27.285709] ? mempool_uaf_helper+0x392/0x400 [ 27.285749] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.285795] ? mempool_uaf_helper+0x392/0x400 [ 27.285835] kasan_report+0x141/0x180 [ 27.285871] ? mempool_uaf_helper+0x392/0x400 [ 27.285916] __asan_report_load1_noabort+0x18/0x20 [ 27.285989] mempool_uaf_helper+0x392/0x400 [ 27.286060] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 27.286106] ? update_load_avg+0x1be/0x21b0 [ 27.286193] ? update_load_avg+0x1be/0x21b0 [ 27.286244] ? update_curr+0x80/0x810 [ 27.286283] ? __kasan_check_write+0x18/0x20 [ 27.286316] ? finish_task_switch.isra.0+0x153/0x700 [ 27.286346] mempool_kmalloc_uaf+0xef/0x140 [ 27.286370] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 27.286397] ? __pfx_mempool_kmalloc+0x10/0x10 [ 27.286425] ? __pfx_mempool_kfree+0x10/0x10 [ 27.286477] ? __pfx_read_tsc+0x10/0x10 [ 27.286503] ? ktime_get_ts64+0x86/0x230 [ 27.286534] kunit_try_run_case+0x1a5/0x480 [ 27.286593] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.286630] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 27.286670] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.286712] ? __kthread_parkme+0x82/0x180 [ 27.286738] ? preempt_count_sub+0x50/0x80 [ 27.286763] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.286789] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.286816] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.286841] kthread+0x337/0x6f0 [ 27.286863] ? trace_preempt_on+0x20/0xc0 [ 27.286891] ? __pfx_kthread+0x10/0x10 [ 27.286913] ? _raw_spin_unlock_irq+0x47/0x80 [ 27.286937] ? calculate_sigpending+0x7b/0xa0 [ 27.286964] ? __pfx_kthread+0x10/0x10 [ 27.286987] ret_from_fork+0x116/0x1d0 [ 27.287008] ? __pfx_kthread+0x10/0x10 [ 27.287030] ret_from_fork_asm+0x1a/0x30 [ 27.287064] </TASK> [ 27.287078] [ 27.303471] Allocated by task 256: [ 27.304077] kasan_save_stack+0x45/0x70 [ 27.305082] kasan_save_track+0x18/0x40 [ 27.305535] kasan_save_alloc_info+0x3b/0x50 [ 27.305779] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 27.306489] remove_element+0x11e/0x190 [ 27.306803] mempool_alloc_preallocated+0x4d/0x90 [ 27.307352] mempool_uaf_helper+0x96/0x400 [ 27.307853] mempool_kmalloc_uaf+0xef/0x140 [ 27.308053] kunit_try_run_case+0x1a5/0x480 [ 27.308212] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.308415] kthread+0x337/0x6f0 [ 27.309242] ret_from_fork+0x116/0x1d0 [ 27.309592] ret_from_fork_asm+0x1a/0x30 [ 27.309937] [ 27.310355] Freed by task 256: [ 27.310676] kasan_save_stack+0x45/0x70 [ 27.311201] kasan_save_track+0x18/0x40 [ 27.311836] kasan_save_free_info+0x3f/0x60 [ 27.312051] __kasan_mempool_poison_object+0x131/0x1d0 [ 27.312547] mempool_free+0x2ec/0x380 [ 27.312748] mempool_uaf_helper+0x11a/0x400 [ 27.313435] mempool_kmalloc_uaf+0xef/0x140 [ 27.313724] kunit_try_run_case+0x1a5/0x480 [ 27.314226] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.314537] kthread+0x337/0x6f0 [ 27.314893] ret_from_fork+0x116/0x1d0 [ 27.315293] ret_from_fork_asm+0x1a/0x30 [ 27.315631] [ 27.315740] The buggy address belongs to the object at ffff88810232a600 [ 27.315740] which belongs to the cache kmalloc-128 of size 128 [ 27.317013] The buggy address is located 0 bytes inside of [ 27.317013] freed 128-byte region [ffff88810232a600, ffff88810232a680) [ 27.317749] [ 27.317872] The buggy address belongs to the physical page: [ 27.318808] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10232a [ 27.319460] flags: 0x200000000000000(node=0|zone=2) [ 27.319911] page_type: f5(slab) [ 27.320085] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 27.320653] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 27.321270] page dumped because: kasan: bad access detected [ 27.321486] [ 27.321645] Memory state around the buggy address: [ 27.322157] ffff88810232a500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.322489] ffff88810232a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.322798] >ffff88810232a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.323555] ^ [ 27.323779] ffff88810232a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.324045] ffff88810232a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.324955] ==================================================================