Date
June 23, 2025, 7:07 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 35.544244] ================================================================== [ 35.544375] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 35.544518] Read of size 1 at addr fff00000c76da000 by task kunit_try_catch/239 [ 35.544647] [ 35.544806] CPU: 0 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250623 #1 PREEMPT [ 35.545542] Tainted: [B]=BAD_PAGE, [N]=TEST [ 35.545627] Hardware name: linux,dummy-virt (DT) [ 35.545712] Call trace: [ 35.545772] show_stack+0x20/0x38 (C) [ 35.546070] dump_stack_lvl+0x8c/0xd0 [ 35.546258] print_report+0x118/0x608 [ 35.546439] kasan_report+0xdc/0x128 [ 35.546673] __asan_report_load1_noabort+0x20/0x30 [ 35.546807] mempool_uaf_helper+0x314/0x340 [ 35.546923] mempool_kmalloc_uaf+0xc4/0x120 [ 35.547050] kunit_try_run_case+0x170/0x3f0 [ 35.547178] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.547301] kthread+0x328/0x630 [ 35.547408] ret_from_fork+0x10/0x20 [ 35.547523] [ 35.547566] Allocated by task 239: [ 35.547634] kasan_save_stack+0x3c/0x68 [ 35.547733] kasan_save_track+0x20/0x40 [ 35.547822] kasan_save_alloc_info+0x40/0x58 [ 35.547912] __kasan_mempool_unpoison_object+0x11c/0x180 [ 35.549176] remove_element+0x130/0x1f8 [ 35.549288] mempool_alloc_preallocated+0x58/0xc0 [ 35.549396] mempool_uaf_helper+0xa4/0x340 [ 35.549614] mempool_kmalloc_uaf+0xc4/0x120 [ 35.549719] kunit_try_run_case+0x170/0x3f0 [ 35.549812] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.549919] kthread+0x328/0x630 [ 35.550993] ret_from_fork+0x10/0x20 [ 35.551536] [ 35.551729] Freed by task 239: [ 35.551812] kasan_save_stack+0x3c/0x68 [ 35.552020] kasan_save_track+0x20/0x40 [ 35.552831] kasan_save_free_info+0x4c/0x78 [ 35.553196] __kasan_mempool_poison_object+0xc0/0x150 [ 35.553587] mempool_free+0x28c/0x328 [ 35.553982] mempool_uaf_helper+0x104/0x340 [ 35.554111] mempool_kmalloc_uaf+0xc4/0x120 [ 35.554211] kunit_try_run_case+0x170/0x3f0 [ 35.554303] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.554407] kthread+0x328/0x630 [ 35.554487] ret_from_fork+0x10/0x20 [ 35.555046] [ 35.555114] The buggy address belongs to the object at fff00000c76da000 [ 35.555114] which belongs to the cache kmalloc-128 of size 128 [ 35.555249] The buggy address is located 0 bytes inside of [ 35.555249] freed 128-byte region [fff00000c76da000, fff00000c76da080) [ 35.555584] [ 35.555648] The buggy address belongs to the physical page: [ 35.555730] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076da [ 35.556336] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 35.556507] page_type: f5(slab) [ 35.556821] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 35.556977] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 35.557364] page dumped because: kasan: bad access detected [ 35.557539] [ 35.557617] Memory state around the buggy address: [ 35.557862] fff00000c76d9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.557996] fff00000c76d9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.558319] >fff00000c76da000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.558446] ^ [ 35.558659] fff00000c76da080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.558983] fff00000c76da100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 35.559100] ================================================================== [ 35.611521] ================================================================== [ 35.611754] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 35.611947] Read of size 1 at addr fff00000c76dc240 by task kunit_try_catch/243 [ 35.612463] [ 35.612613] CPU: 0 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250623 #1 PREEMPT [ 35.612810] Tainted: [B]=BAD_PAGE, [N]=TEST [ 35.613616] Hardware name: linux,dummy-virt (DT) [ 35.613724] Call trace: [ 35.613789] show_stack+0x20/0x38 (C) [ 35.614277] dump_stack_lvl+0x8c/0xd0 [ 35.614739] print_report+0x118/0x608 [ 35.615024] kasan_report+0xdc/0x128 [ 35.615238] __asan_report_load1_noabort+0x20/0x30 [ 35.615495] mempool_uaf_helper+0x314/0x340 [ 35.615730] mempool_slab_uaf+0xc0/0x118 [ 35.615866] kunit_try_run_case+0x170/0x3f0 [ 35.616111] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.616262] kthread+0x328/0x630 [ 35.616387] ret_from_fork+0x10/0x20 [ 35.617041] [ 35.617110] Allocated by task 243: [ 35.617295] kasan_save_stack+0x3c/0x68 [ 35.617438] kasan_save_track+0x20/0x40 [ 35.617643] kasan_save_alloc_info+0x40/0x58 [ 35.617761] __kasan_mempool_unpoison_object+0xbc/0x180 [ 35.617965] remove_element+0x16c/0x1f8 [ 35.618186] mempool_alloc_preallocated+0x58/0xc0 [ 35.618305] mempool_uaf_helper+0xa4/0x340 [ 35.618657] mempool_slab_uaf+0xc0/0x118 [ 35.618861] kunit_try_run_case+0x170/0x3f0 [ 35.619159] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.619410] kthread+0x328/0x630 [ 35.619557] ret_from_fork+0x10/0x20 [ 35.619664] [ 35.619833] Freed by task 243: [ 35.619963] kasan_save_stack+0x3c/0x68 [ 35.620333] kasan_save_track+0x20/0x40 [ 35.620492] kasan_save_free_info+0x4c/0x78 [ 35.620838] __kasan_mempool_poison_object+0xc0/0x150 [ 35.621105] mempool_free+0x28c/0x328 [ 35.621330] mempool_uaf_helper+0x104/0x340 [ 35.621677] mempool_slab_uaf+0xc0/0x118 [ 35.621793] kunit_try_run_case+0x170/0x3f0 [ 35.622066] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.622373] kthread+0x328/0x630 [ 35.622525] ret_from_fork+0x10/0x20 [ 35.622777] [ 35.622844] The buggy address belongs to the object at fff00000c76dc240 [ 35.622844] which belongs to the cache test_cache of size 123 [ 35.623009] The buggy address is located 0 bytes inside of [ 35.623009] freed 123-byte region [fff00000c76dc240, fff00000c76dc2bb) [ 35.623175] [ 35.623231] The buggy address belongs to the physical page: [ 35.623735] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076dc [ 35.623899] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 35.624154] page_type: f5(slab) [ 35.624447] raw: 0bfffe0000000000 fff00000c598fb40 dead000000000122 0000000000000000 [ 35.624571] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 35.624669] page dumped because: kasan: bad access detected [ 35.625637] [ 35.625795] Memory state around the buggy address: [ 35.625876] fff00000c76dc100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 35.625972] fff00000c76dc180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.626100] >fff00000c76dc200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 35.626202] ^ [ 35.626295] fff00000c76dc280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 35.626399] fff00000c76dc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.626486] ==================================================================
[ 23.384514] ================================================================== [ 23.384935] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 23.385477] Read of size 1 at addr ffff8881023ac900 by task kunit_try_catch/256 [ 23.386125] [ 23.386342] CPU: 0 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250623 #1 PREEMPT(voluntary) [ 23.386451] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.386478] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.386519] Call Trace: [ 23.386544] <TASK> [ 23.386573] dump_stack_lvl+0x73/0xb0 [ 23.386637] print_report+0xd1/0x650 [ 23.386677] ? __virt_addr_valid+0x1db/0x2d0 [ 23.386727] ? mempool_uaf_helper+0x392/0x400 [ 23.386771] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.386807] ? mempool_uaf_helper+0x392/0x400 [ 23.386832] kasan_report+0x141/0x180 [ 23.386864] ? mempool_uaf_helper+0x392/0x400 [ 23.386889] __asan_report_load1_noabort+0x18/0x20 [ 23.386913] mempool_uaf_helper+0x392/0x400 [ 23.386935] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 23.386970] ? __kasan_check_write+0x18/0x20 [ 23.387007] ? __pfx_sched_clock_cpu+0x10/0x10 [ 23.387050] ? finish_task_switch.isra.0+0x153/0x700 [ 23.387095] mempool_kmalloc_uaf+0xef/0x140 [ 23.387134] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 23.387179] ? __pfx_mempool_kmalloc+0x10/0x10 [ 23.387219] ? __pfx_mempool_kfree+0x10/0x10 [ 23.387261] ? __pfx_read_tsc+0x10/0x10 [ 23.387299] ? ktime_get_ts64+0x86/0x230 [ 23.387346] kunit_try_run_case+0x1a5/0x480 [ 23.388019] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.388074] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.388112] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.388142] ? __kthread_parkme+0x82/0x180 [ 23.388173] ? preempt_count_sub+0x50/0x80 [ 23.388205] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.388238] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.388272] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.388304] kthread+0x337/0x6f0 [ 23.388332] ? trace_preempt_on+0x20/0xc0 [ 23.388367] ? __pfx_kthread+0x10/0x10 [ 23.388413] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.388437] ? calculate_sigpending+0x7b/0xa0 [ 23.388459] ? __pfx_kthread+0x10/0x10 [ 23.388478] ret_from_fork+0x116/0x1d0 [ 23.388495] ? __pfx_kthread+0x10/0x10 [ 23.388513] ret_from_fork_asm+0x1a/0x30 [ 23.388542] </TASK> [ 23.388553] [ 23.403306] Allocated by task 256: [ 23.403498] kasan_save_stack+0x45/0x70 [ 23.403692] kasan_save_track+0x18/0x40 [ 23.404479] kasan_save_alloc_info+0x3b/0x50 [ 23.404672] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 23.404976] remove_element+0x11e/0x190 [ 23.405365] mempool_alloc_preallocated+0x4d/0x90 [ 23.406080] mempool_uaf_helper+0x96/0x400 [ 23.406282] mempool_kmalloc_uaf+0xef/0x140 [ 23.406569] kunit_try_run_case+0x1a5/0x480 [ 23.407112] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.407586] kthread+0x337/0x6f0 [ 23.407769] ret_from_fork+0x116/0x1d0 [ 23.408528] ret_from_fork_asm+0x1a/0x30 [ 23.408754] [ 23.409084] Freed by task 256: [ 23.409469] kasan_save_stack+0x45/0x70 [ 23.409698] kasan_save_track+0x18/0x40 [ 23.410179] kasan_save_free_info+0x3f/0x60 [ 23.410431] __kasan_mempool_poison_object+0x131/0x1d0 [ 23.410656] mempool_free+0x2ec/0x380 [ 23.410829] mempool_uaf_helper+0x11a/0x400 [ 23.411592] mempool_kmalloc_uaf+0xef/0x140 [ 23.411778] kunit_try_run_case+0x1a5/0x480 [ 23.412615] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.412810] kthread+0x337/0x6f0 [ 23.413389] ret_from_fork+0x116/0x1d0 [ 23.413606] ret_from_fork_asm+0x1a/0x30 [ 23.413738] [ 23.413816] The buggy address belongs to the object at ffff8881023ac900 [ 23.413816] which belongs to the cache kmalloc-128 of size 128 [ 23.414396] The buggy address is located 0 bytes inside of [ 23.414396] freed 128-byte region [ffff8881023ac900, ffff8881023ac980) [ 23.415174] [ 23.416252] The buggy address belongs to the physical page: [ 23.416499] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1023ac [ 23.416718] flags: 0x200000000000000(node=0|zone=2) [ 23.417113] page_type: f5(slab) [ 23.417644] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.418088] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.418619] page dumped because: kasan: bad access detected [ 23.419022] [ 23.419102] Memory state around the buggy address: [ 23.419679] ffff8881023ac800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.419970] ffff8881023ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.420517] >ffff8881023ac900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.420803] ^ [ 23.421563] ffff8881023ac980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.421850] ffff8881023aca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.422413] ================================================================== [ 23.458944] ================================================================== [ 23.459821] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 23.460188] Read of size 1 at addr ffff888102c1c240 by task kunit_try_catch/260 [ 23.460689] [ 23.460830] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250623 #1 PREEMPT(voluntary) [ 23.460919] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.460940] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.460972] Call Trace: [ 23.460994] <TASK> [ 23.461021] dump_stack_lvl+0x73/0xb0 [ 23.461071] print_report+0xd1/0x650 [ 23.461207] ? __virt_addr_valid+0x1db/0x2d0 [ 23.461244] ? mempool_uaf_helper+0x392/0x400 [ 23.461278] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.461317] ? mempool_uaf_helper+0x392/0x400 [ 23.461349] kasan_report+0x141/0x180 [ 23.461398] ? mempool_uaf_helper+0x392/0x400 [ 23.461442] __asan_report_load1_noabort+0x18/0x20 [ 23.461481] mempool_uaf_helper+0x392/0x400 [ 23.461521] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 23.461566] ? __pfx_sched_clock_cpu+0x10/0x10 [ 23.461604] ? finish_task_switch.isra.0+0x153/0x700 [ 23.461653] mempool_slab_uaf+0xea/0x140 [ 23.461690] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 23.461731] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 23.461766] ? __pfx_mempool_free_slab+0x10/0x10 [ 23.461802] ? __pfx_read_tsc+0x10/0x10 [ 23.461833] ? ktime_get_ts64+0x86/0x230 [ 23.461881] kunit_try_run_case+0x1a5/0x480 [ 23.461921] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.461958] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.461989] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.462018] ? __kthread_parkme+0x82/0x180 [ 23.462041] ? preempt_count_sub+0x50/0x80 [ 23.462063] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.462097] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.462130] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.462162] kthread+0x337/0x6f0 [ 23.462190] ? trace_preempt_on+0x20/0xc0 [ 23.462214] ? __pfx_kthread+0x10/0x10 [ 23.462234] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.462252] ? calculate_sigpending+0x7b/0xa0 [ 23.462271] ? __pfx_kthread+0x10/0x10 [ 23.462289] ret_from_fork+0x116/0x1d0 [ 23.462305] ? __pfx_kthread+0x10/0x10 [ 23.462322] ret_from_fork_asm+0x1a/0x30 [ 23.462351] </TASK> [ 23.462364] [ 23.471562] Allocated by task 260: [ 23.471715] kasan_save_stack+0x45/0x70 [ 23.471873] kasan_save_track+0x18/0x40 [ 23.472015] kasan_save_alloc_info+0x3b/0x50 [ 23.472173] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 23.472348] remove_element+0x11e/0x190 [ 23.472624] mempool_alloc_preallocated+0x4d/0x90 [ 23.472943] mempool_uaf_helper+0x96/0x400 [ 23.473236] mempool_slab_uaf+0xea/0x140 [ 23.473639] kunit_try_run_case+0x1a5/0x480 [ 23.474031] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.474585] kthread+0x337/0x6f0 [ 23.474901] ret_from_fork+0x116/0x1d0 [ 23.475353] ret_from_fork_asm+0x1a/0x30 [ 23.475693] [ 23.475841] Freed by task 260: [ 23.476670] kasan_save_stack+0x45/0x70 [ 23.476931] kasan_save_track+0x18/0x40 [ 23.477182] kasan_save_free_info+0x3f/0x60 [ 23.477343] __kasan_mempool_poison_object+0x131/0x1d0 [ 23.477721] mempool_free+0x2ec/0x380 [ 23.478213] mempool_uaf_helper+0x11a/0x400 [ 23.478574] mempool_slab_uaf+0xea/0x140 [ 23.478905] kunit_try_run_case+0x1a5/0x480 [ 23.479265] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.479649] kthread+0x337/0x6f0 [ 23.479897] ret_from_fork+0x116/0x1d0 [ 23.480073] ret_from_fork_asm+0x1a/0x30 [ 23.480225] [ 23.480372] The buggy address belongs to the object at ffff888102c1c240 [ 23.480372] which belongs to the cache test_cache of size 123 [ 23.481481] The buggy address is located 0 bytes inside of [ 23.481481] freed 123-byte region [ffff888102c1c240, ffff888102c1c2bb) [ 23.482565] [ 23.482787] The buggy address belongs to the physical page: [ 23.483018] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c1c [ 23.483741] flags: 0x200000000000000(node=0|zone=2) [ 23.483941] page_type: f5(slab) [ 23.484080] raw: 0200000000000000 ffff888102c11280 dead000000000122 0000000000000000 [ 23.484313] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 23.484546] page dumped because: kasan: bad access detected [ 23.484719] [ 23.484800] Memory state around the buggy address: [ 23.484960] ffff888102c1c100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.485332] ffff888102c1c180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.486247] >ffff888102c1c200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 23.486787] ^ [ 23.487284] ffff888102c1c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.487763] ffff888102c1c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.488648] ==================================================================