Date
June 25, 2025, 8:08 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 28.678545] ================================================================== [ 28.678616] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 28.678671] Read of size 1 at addr fff00000c7868240 by task kunit_try_catch/243 [ 28.678720] [ 28.678751] CPU: 0 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250625 #1 PREEMPT [ 28.678835] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.678860] Hardware name: linux,dummy-virt (DT) [ 28.678891] Call trace: [ 28.678911] show_stack+0x20/0x38 (C) [ 28.678959] dump_stack_lvl+0x8c/0xd0 [ 28.679005] print_report+0x118/0x608 [ 28.679050] kasan_report+0xdc/0x128 [ 28.679096] __asan_report_load1_noabort+0x20/0x30 [ 28.679144] mempool_uaf_helper+0x314/0x340 [ 28.679189] mempool_slab_uaf+0xc0/0x118 [ 28.679232] kunit_try_run_case+0x170/0x3f0 [ 28.679279] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.679331] kthread+0x328/0x630 [ 28.679370] ret_from_fork+0x10/0x20 [ 28.679500] [ 28.679617] Allocated by task 243: [ 28.679663] kasan_save_stack+0x3c/0x68 [ 28.679705] kasan_save_track+0x20/0x40 [ 28.679761] kasan_save_alloc_info+0x40/0x58 [ 28.679798] __kasan_mempool_unpoison_object+0xbc/0x180 [ 28.679842] remove_element+0x16c/0x1f8 [ 28.679908] mempool_alloc_preallocated+0x58/0xc0 [ 28.680017] mempool_uaf_helper+0xa4/0x340 [ 28.680055] mempool_slab_uaf+0xc0/0x118 [ 28.680092] kunit_try_run_case+0x170/0x3f0 [ 28.680167] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.680211] kthread+0x328/0x630 [ 28.680243] ret_from_fork+0x10/0x20 [ 28.680279] [ 28.680299] Freed by task 243: [ 28.680349] kasan_save_stack+0x3c/0x68 [ 28.680388] kasan_save_track+0x20/0x40 [ 28.680576] kasan_save_free_info+0x4c/0x78 [ 28.680751] __kasan_mempool_poison_object+0xc0/0x150 [ 28.680794] mempool_free+0x28c/0x328 [ 28.680827] mempool_uaf_helper+0x104/0x340 [ 28.680863] mempool_slab_uaf+0xc0/0x118 [ 28.680901] kunit_try_run_case+0x170/0x3f0 [ 28.680985] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.681167] kthread+0x328/0x630 [ 28.681200] ret_from_fork+0x10/0x20 [ 28.681356] [ 28.682052] The buggy address belongs to the object at fff00000c7868240 [ 28.682052] which belongs to the cache test_cache of size 123 [ 28.682390] The buggy address is located 0 bytes inside of [ 28.682390] freed 123-byte region [fff00000c7868240, fff00000c78682bb) [ 28.682518] [ 28.682580] The buggy address belongs to the physical page: [ 28.682613] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107868 [ 28.682713] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 28.682759] page_type: f5(slab) [ 28.682911] raw: 0bfffe0000000000 fff00000c790a3c0 dead000000000122 0000000000000000 [ 28.683072] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 28.683116] page dumped because: kasan: bad access detected [ 28.683149] [ 28.683166] Memory state around the buggy address: [ 28.683198] fff00000c7868100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.683356] fff00000c7868180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.683577] >fff00000c7868200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 28.683648] ^ [ 28.683724] fff00000c7868280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.683768] fff00000c7868300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.683942] ================================================================== [ 28.657220] ================================================================== [ 28.657342] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 28.657422] Read of size 1 at addr fff00000c786a000 by task kunit_try_catch/239 [ 28.657499] [ 28.657538] CPU: 0 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250625 #1 PREEMPT [ 28.657637] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.657719] Hardware name: linux,dummy-virt (DT) [ 28.657853] Call trace: [ 28.657887] show_stack+0x20/0x38 (C) [ 28.658025] dump_stack_lvl+0x8c/0xd0 [ 28.658171] print_report+0x118/0x608 [ 28.658217] kasan_report+0xdc/0x128 [ 28.658262] __asan_report_load1_noabort+0x20/0x30 [ 28.658313] mempool_uaf_helper+0x314/0x340 [ 28.658359] mempool_kmalloc_uaf+0xc4/0x120 [ 28.658414] kunit_try_run_case+0x170/0x3f0 [ 28.658464] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.658517] kthread+0x328/0x630 [ 28.658559] ret_from_fork+0x10/0x20 [ 28.658670] [ 28.658689] Allocated by task 239: [ 28.658717] kasan_save_stack+0x3c/0x68 [ 28.658763] kasan_save_track+0x20/0x40 [ 28.658927] kasan_save_alloc_info+0x40/0x58 [ 28.658963] __kasan_mempool_unpoison_object+0x11c/0x180 [ 28.659110] remove_element+0x130/0x1f8 [ 28.659155] mempool_alloc_preallocated+0x58/0xc0 [ 28.659320] mempool_uaf_helper+0xa4/0x340 [ 28.659356] mempool_kmalloc_uaf+0xc4/0x120 [ 28.659403] kunit_try_run_case+0x170/0x3f0 [ 28.659440] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.659484] kthread+0x328/0x630 [ 28.659539] ret_from_fork+0x10/0x20 [ 28.659592] [ 28.659612] Freed by task 239: [ 28.659638] kasan_save_stack+0x3c/0x68 [ 28.659675] kasan_save_track+0x20/0x40 [ 28.659713] kasan_save_free_info+0x4c/0x78 [ 28.659747] __kasan_mempool_poison_object+0xc0/0x150 [ 28.659790] mempool_free+0x28c/0x328 [ 28.659853] mempool_uaf_helper+0x104/0x340 [ 28.660050] mempool_kmalloc_uaf+0xc4/0x120 [ 28.660089] kunit_try_run_case+0x170/0x3f0 [ 28.660125] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.660192] kthread+0x328/0x630 [ 28.660223] ret_from_fork+0x10/0x20 [ 28.660259] [ 28.660302] The buggy address belongs to the object at fff00000c786a000 [ 28.660302] which belongs to the cache kmalloc-128 of size 128 [ 28.660364] The buggy address is located 0 bytes inside of [ 28.660364] freed 128-byte region [fff00000c786a000, fff00000c786a080) [ 28.660434] [ 28.660456] The buggy address belongs to the physical page: [ 28.660490] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786a [ 28.660621] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 28.660807] page_type: f5(slab) [ 28.660996] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 28.661073] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 28.661113] page dumped because: kasan: bad access detected [ 28.661144] [ 28.661162] Memory state around the buggy address: [ 28.661203] fff00000c7869f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.661303] fff00000c7869f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.661500] >fff00000c786a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.661540] ^ [ 28.661568] fff00000c786a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.661612] fff00000c786a100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.661650] ==================================================================
[ 23.362165] ================================================================== [ 23.362619] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 23.363058] Read of size 1 at addr ffff888102597300 by task kunit_try_catch/256 [ 23.363844] [ 23.364132] CPU: 0 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250625 #1 PREEMPT(voluntary) [ 23.364209] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.364226] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.364429] Call Trace: [ 23.364447] <TASK> [ 23.364467] dump_stack_lvl+0x73/0xb0 [ 23.364502] print_report+0xd1/0x650 [ 23.364526] ? __virt_addr_valid+0x1db/0x2d0 [ 23.364556] ? mempool_uaf_helper+0x392/0x400 [ 23.364580] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.364612] ? mempool_uaf_helper+0x392/0x400 [ 23.364636] kasan_report+0x141/0x180 [ 23.364659] ? mempool_uaf_helper+0x392/0x400 [ 23.364688] __asan_report_load1_noabort+0x18/0x20 [ 23.364715] mempool_uaf_helper+0x392/0x400 [ 23.364740] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 23.364767] ? __kasan_check_write+0x18/0x20 [ 23.364793] ? __pfx_sched_clock_cpu+0x10/0x10 [ 23.364869] ? finish_task_switch.isra.0+0x153/0x700 [ 23.364901] mempool_kmalloc_uaf+0xef/0x140 [ 23.364926] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 23.364966] ? __pfx_mempool_kmalloc+0x10/0x10 [ 23.364994] ? __pfx_mempool_kfree+0x10/0x10 [ 23.365021] ? __pfx_read_tsc+0x10/0x10 [ 23.365046] ? ktime_get_ts64+0x86/0x230 [ 23.365074] kunit_try_run_case+0x1a5/0x480 [ 23.365104] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.365130] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.365156] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.365186] ? __kthread_parkme+0x82/0x180 [ 23.365211] ? preempt_count_sub+0x50/0x80 [ 23.365236] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.365263] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.365292] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.365323] kthread+0x337/0x6f0 [ 23.365343] ? trace_preempt_on+0x20/0xc0 [ 23.365369] ? __pfx_kthread+0x10/0x10 [ 23.365391] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.365417] ? calculate_sigpending+0x7b/0xa0 [ 23.365444] ? __pfx_kthread+0x10/0x10 [ 23.365467] ret_from_fork+0x116/0x1d0 [ 23.365487] ? __pfx_kthread+0x10/0x10 [ 23.365509] ret_from_fork_asm+0x1a/0x30 [ 23.365542] </TASK> [ 23.365553] [ 23.378973] Allocated by task 256: [ 23.379253] kasan_save_stack+0x45/0x70 [ 23.379634] kasan_save_track+0x18/0x40 [ 23.380002] kasan_save_alloc_info+0x3b/0x50 [ 23.380356] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 23.380696] remove_element+0x11e/0x190 [ 23.380989] mempool_alloc_preallocated+0x4d/0x90 [ 23.381414] mempool_uaf_helper+0x96/0x400 [ 23.381716] mempool_kmalloc_uaf+0xef/0x140 [ 23.381962] kunit_try_run_case+0x1a5/0x480 [ 23.382388] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.382695] kthread+0x337/0x6f0 [ 23.383027] ret_from_fork+0x116/0x1d0 [ 23.383445] ret_from_fork_asm+0x1a/0x30 [ 23.383679] [ 23.383752] Freed by task 256: [ 23.384190] kasan_save_stack+0x45/0x70 [ 23.384521] kasan_save_track+0x18/0x40 [ 23.384904] kasan_save_free_info+0x3f/0x60 [ 23.385366] __kasan_mempool_poison_object+0x131/0x1d0 [ 23.385613] mempool_free+0x2ec/0x380 [ 23.385781] mempool_uaf_helper+0x11a/0x400 [ 23.386008] mempool_kmalloc_uaf+0xef/0x140 [ 23.386365] kunit_try_run_case+0x1a5/0x480 [ 23.386705] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.387052] kthread+0x337/0x6f0 [ 23.387464] ret_from_fork+0x116/0x1d0 [ 23.387632] ret_from_fork_asm+0x1a/0x30 [ 23.387880] [ 23.388028] The buggy address belongs to the object at ffff888102597300 [ 23.388028] which belongs to the cache kmalloc-128 of size 128 [ 23.388665] The buggy address is located 0 bytes inside of [ 23.388665] freed 128-byte region [ffff888102597300, ffff888102597380) [ 23.389214] [ 23.389476] The buggy address belongs to the physical page: [ 23.389790] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102597 [ 23.390119] flags: 0x200000000000000(node=0|zone=2) [ 23.390382] page_type: f5(slab) [ 23.390630] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.391098] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.391501] page dumped because: kasan: bad access detected [ 23.391816] [ 23.391935] Memory state around the buggy address: [ 23.392216] ffff888102597200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.392784] ffff888102597280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.393116] >ffff888102597300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.393438] ^ [ 23.393595] ffff888102597380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.394035] ffff888102597400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.394427] ================================================================== [ 23.430407] ================================================================== [ 23.430901] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 23.431285] Read of size 1 at addr ffff8881039e9240 by task kunit_try_catch/260 [ 23.431564] [ 23.431672] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250625 #1 PREEMPT(voluntary) [ 23.431721] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.431734] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.431756] Call Trace: [ 23.431769] <TASK> [ 23.431787] dump_stack_lvl+0x73/0xb0 [ 23.431814] print_report+0xd1/0x650 [ 23.431834] ? __virt_addr_valid+0x1db/0x2d0 [ 23.431859] ? mempool_uaf_helper+0x392/0x400 [ 23.431879] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.431904] ? mempool_uaf_helper+0x392/0x400 [ 23.431925] kasan_report+0x141/0x180 [ 23.431955] ? mempool_uaf_helper+0x392/0x400 [ 23.431980] __asan_report_load1_noabort+0x18/0x20 [ 23.432002] mempool_uaf_helper+0x392/0x400 [ 23.432023] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 23.432046] ? __pfx_sched_clock_cpu+0x10/0x10 [ 23.432068] ? finish_task_switch.isra.0+0x153/0x700 [ 23.432093] mempool_slab_uaf+0xea/0x140 [ 23.432114] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 23.432138] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 23.432161] ? __pfx_mempool_free_slab+0x10/0x10 [ 23.432185] ? __pfx_read_tsc+0x10/0x10 [ 23.432206] ? ktime_get_ts64+0x86/0x230 [ 23.432230] kunit_try_run_case+0x1a5/0x480 [ 23.432256] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.432278] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.432300] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.432325] ? __kthread_parkme+0x82/0x180 [ 23.432349] ? preempt_count_sub+0x50/0x80 [ 23.432370] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.432393] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.432416] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.432439] kthread+0x337/0x6f0 [ 23.432457] ? trace_preempt_on+0x20/0xc0 [ 23.432480] ? __pfx_kthread+0x10/0x10 [ 23.432499] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.432522] ? calculate_sigpending+0x7b/0xa0 [ 23.432545] ? __pfx_kthread+0x10/0x10 [ 23.432581] ret_from_fork+0x116/0x1d0 [ 23.432609] ? __pfx_kthread+0x10/0x10 [ 23.432629] ret_from_fork_asm+0x1a/0x30 [ 23.432657] </TASK> [ 23.432668] [ 23.440281] Allocated by task 260: [ 23.440439] kasan_save_stack+0x45/0x70 [ 23.440711] kasan_save_track+0x18/0x40 [ 23.440896] kasan_save_alloc_info+0x3b/0x50 [ 23.441105] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 23.441534] remove_element+0x11e/0x190 [ 23.441668] mempool_alloc_preallocated+0x4d/0x90 [ 23.441842] mempool_uaf_helper+0x96/0x400 [ 23.442047] mempool_slab_uaf+0xea/0x140 [ 23.442394] kunit_try_run_case+0x1a5/0x480 [ 23.442638] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.442952] kthread+0x337/0x6f0 [ 23.443069] ret_from_fork+0x116/0x1d0 [ 23.443193] ret_from_fork_asm+0x1a/0x30 [ 23.443322] [ 23.443384] Freed by task 260: [ 23.443486] kasan_save_stack+0x45/0x70 [ 23.443664] kasan_save_track+0x18/0x40 [ 23.443843] kasan_save_free_info+0x3f/0x60 [ 23.444167] __kasan_mempool_poison_object+0x131/0x1d0 [ 23.444387] mempool_free+0x2ec/0x380 [ 23.444511] mempool_uaf_helper+0x11a/0x400 [ 23.444645] mempool_slab_uaf+0xea/0x140 [ 23.444773] kunit_try_run_case+0x1a5/0x480 [ 23.445211] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.445456] kthread+0x337/0x6f0 [ 23.445616] ret_from_fork+0x116/0x1d0 [ 23.445792] ret_from_fork_asm+0x1a/0x30 [ 23.445990] [ 23.446065] The buggy address belongs to the object at ffff8881039e9240 [ 23.446065] which belongs to the cache test_cache of size 123 [ 23.446608] The buggy address is located 0 bytes inside of [ 23.446608] freed 123-byte region [ffff8881039e9240, ffff8881039e92bb) [ 23.447251] [ 23.447341] The buggy address belongs to the physical page: [ 23.447510] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039e9 [ 23.447869] flags: 0x200000000000000(node=0|zone=2) [ 23.448121] page_type: f5(slab) [ 23.448297] raw: 0200000000000000 ffff888103ae53c0 dead000000000122 0000000000000000 [ 23.448618] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 23.449057] page dumped because: kasan: bad access detected [ 23.449285] [ 23.449393] Memory state around the buggy address: [ 23.449593] ffff8881039e9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.449822] ffff8881039e9180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.450146] >ffff8881039e9200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 23.450468] ^ [ 23.450639] ffff8881039e9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.451175] ffff8881039e9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.451431] ==================================================================