Date
July 4, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.765750] ================================================================== [ 31.765815] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 31.765870] Read of size 1 at addr fff00000c5aea240 by task kunit_try_catch/264 [ 31.765934] [ 31.766125] CPU: 1 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT [ 31.766306] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.766344] Hardware name: linux,dummy-virt (DT) [ 31.766426] Call trace: [ 31.766495] show_stack+0x20/0x38 (C) [ 31.766547] dump_stack_lvl+0x8c/0xd0 [ 31.766831] print_report+0x118/0x608 [ 31.766980] kasan_report+0xdc/0x128 [ 31.767051] __asan_report_load1_noabort+0x20/0x30 [ 31.767125] mempool_uaf_helper+0x314/0x340 [ 31.767266] mempool_slab_uaf+0xc0/0x118 [ 31.767341] kunit_try_run_case+0x170/0x3f0 [ 31.767488] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.767587] kthread+0x328/0x630 [ 31.767656] ret_from_fork+0x10/0x20 [ 31.767707] [ 31.767727] Allocated by task 264: [ 31.767784] kasan_save_stack+0x3c/0x68 [ 31.767833] kasan_save_track+0x20/0x40 [ 31.768245] kasan_save_alloc_info+0x40/0x58 [ 31.768557] __kasan_mempool_unpoison_object+0xbc/0x180 [ 31.768818] remove_element+0x16c/0x1f8 [ 31.769124] mempool_alloc_preallocated+0x58/0xc0 [ 31.769194] mempool_uaf_helper+0xa4/0x340 [ 31.769234] mempool_slab_uaf+0xc0/0x118 [ 31.769551] kunit_try_run_case+0x170/0x3f0 [ 31.769629] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.769675] kthread+0x328/0x630 [ 31.769709] ret_from_fork+0x10/0x20 [ 31.769747] [ 31.769766] Freed by task 264: [ 31.770066] kasan_save_stack+0x3c/0x68 [ 31.770114] kasan_save_track+0x20/0x40 [ 31.770154] kasan_save_free_info+0x4c/0x78 [ 31.770201] __kasan_mempool_poison_object+0xc0/0x150 [ 31.770278] mempool_free+0x28c/0x328 [ 31.770316] mempool_uaf_helper+0x104/0x340 [ 31.770353] mempool_slab_uaf+0xc0/0x118 [ 31.770392] kunit_try_run_case+0x170/0x3f0 [ 31.770430] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.770474] kthread+0x328/0x630 [ 31.770507] ret_from_fork+0x10/0x20 [ 31.770943] [ 31.770970] The buggy address belongs to the object at fff00000c5aea240 [ 31.770970] which belongs to the cache test_cache of size 123 [ 31.771031] The buggy address is located 0 bytes inside of [ 31.771031] freed 123-byte region [fff00000c5aea240, fff00000c5aea2bb) [ 31.771102] [ 31.771125] The buggy address belongs to the physical page: [ 31.771155] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105aea [ 31.771571] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.771675] page_type: f5(slab) [ 31.772116] raw: 0bfffe0000000000 fff00000c3f32640 dead000000000122 0000000000000000 [ 31.772290] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 31.772332] page dumped because: kasan: bad access detected [ 31.772392] [ 31.772412] Memory state around the buggy address: [ 31.772446] fff00000c5aea100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.772525] fff00000c5aea180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.772568] >fff00000c5aea200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 31.772746] ^ [ 31.772871] fff00000c5aea280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.772925] fff00000c5aea300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.772965] ================================================================== [ 31.731628] ================================================================== [ 31.731692] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 31.731754] Read of size 1 at addr fff00000c929f700 by task kunit_try_catch/260 [ 31.731812] [ 31.732022] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT [ 31.732311] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.732419] Hardware name: linux,dummy-virt (DT) [ 31.732454] Call trace: [ 31.732478] show_stack+0x20/0x38 (C) [ 31.732535] dump_stack_lvl+0x8c/0xd0 [ 31.732793] print_report+0x118/0x608 [ 31.733504] kasan_report+0xdc/0x128 [ 31.733554] __asan_report_load1_noabort+0x20/0x30 [ 31.733603] mempool_uaf_helper+0x314/0x340 [ 31.733650] mempool_kmalloc_uaf+0xc4/0x120 [ 31.733698] kunit_try_run_case+0x170/0x3f0 [ 31.733748] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.733815] kthread+0x328/0x630 [ 31.733877] ret_from_fork+0x10/0x20 [ 31.733934] [ 31.733952] Allocated by task 260: [ 31.733982] kasan_save_stack+0x3c/0x68 [ 31.734024] kasan_save_track+0x20/0x40 [ 31.734131] kasan_save_alloc_info+0x40/0x58 [ 31.734171] __kasan_mempool_unpoison_object+0x11c/0x180 [ 31.734295] remove_element+0x130/0x1f8 [ 31.734334] mempool_alloc_preallocated+0x58/0xc0 [ 31.734380] mempool_uaf_helper+0xa4/0x340 [ 31.734452] mempool_kmalloc_uaf+0xc4/0x120 [ 31.734491] kunit_try_run_case+0x170/0x3f0 [ 31.734529] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.734585] kthread+0x328/0x630 [ 31.734617] ret_from_fork+0x10/0x20 [ 31.734664] [ 31.734684] Freed by task 260: [ 31.734711] kasan_save_stack+0x3c/0x68 [ 31.734749] kasan_save_track+0x20/0x40 [ 31.734788] kasan_save_free_info+0x4c/0x78 [ 31.734908] __kasan_mempool_poison_object+0xc0/0x150 [ 31.735024] mempool_free+0x28c/0x328 [ 31.735059] mempool_uaf_helper+0x104/0x340 [ 31.735098] mempool_kmalloc_uaf+0xc4/0x120 [ 31.735200] kunit_try_run_case+0x170/0x3f0 [ 31.735238] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.735283] kthread+0x328/0x630 [ 31.735315] ret_from_fork+0x10/0x20 [ 31.735696] [ 31.735762] The buggy address belongs to the object at fff00000c929f700 [ 31.735762] which belongs to the cache kmalloc-128 of size 128 [ 31.735828] The buggy address is located 0 bytes inside of [ 31.735828] freed 128-byte region [fff00000c929f700, fff00000c929f780) [ 31.735905] [ 31.735927] The buggy address belongs to the physical page: [ 31.735961] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10929f [ 31.736015] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.736305] page_type: f5(slab) [ 31.736474] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.736717] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.736761] page dumped because: kasan: bad access detected [ 31.736819] [ 31.736838] Memory state around the buggy address: [ 31.736919] fff00000c929f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.737096] fff00000c929f680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.737184] >fff00000c929f700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.737318] ^ [ 31.737347] fff00000c929f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.737391] fff00000c929f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.737430] ==================================================================
[ 26.616647] ================================================================== [ 26.617998] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 26.618424] Read of size 1 at addr ffff888105abc240 by task kunit_try_catch/280 [ 26.619743] [ 26.620094] CPU: 0 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary) [ 26.620163] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.620180] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.620209] Call Trace: [ 26.620234] <TASK> [ 26.620364] dump_stack_lvl+0x73/0xb0 [ 26.620425] print_report+0xd1/0x650 [ 26.620454] ? __virt_addr_valid+0x1db/0x2d0 [ 26.620484] ? mempool_uaf_helper+0x392/0x400 [ 26.620508] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.620539] ? mempool_uaf_helper+0x392/0x400 [ 26.620565] kasan_report+0x141/0x180 [ 26.620590] ? mempool_uaf_helper+0x392/0x400 [ 26.620620] __asan_report_load1_noabort+0x18/0x20 [ 26.620648] mempool_uaf_helper+0x392/0x400 [ 26.620674] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.620704] ? __pfx_sched_clock_cpu+0x10/0x10 [ 26.620732] ? finish_task_switch.isra.0+0x153/0x700 [ 26.620765] mempool_slab_uaf+0xea/0x140 [ 26.620792] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 26.620821] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 26.620850] ? __pfx_mempool_free_slab+0x10/0x10 [ 26.620879] ? __pfx_read_tsc+0x10/0x10 [ 26.620906] ? ktime_get_ts64+0x86/0x230 [ 26.620936] kunit_try_run_case+0x1a5/0x480 [ 26.620968] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.620995] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.621025] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.621054] ? __kthread_parkme+0x82/0x180 [ 26.621078] ? preempt_count_sub+0x50/0x80 [ 26.621104] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.621133] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.621160] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.621191] kthread+0x337/0x6f0 [ 26.621213] ? trace_preempt_on+0x20/0xc0 [ 26.621242] ? __pfx_kthread+0x10/0x10 [ 26.621265] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.621291] ? calculate_sigpending+0x7b/0xa0 [ 26.621320] ? __pfx_kthread+0x10/0x10 [ 26.621363] ret_from_fork+0x116/0x1d0 [ 26.621385] ? __pfx_kthread+0x10/0x10 [ 26.621418] ret_from_fork_asm+0x1a/0x30 [ 26.621454] </TASK> [ 26.621470] [ 26.635869] Allocated by task 280: [ 26.636260] kasan_save_stack+0x45/0x70 [ 26.636454] kasan_save_track+0x18/0x40 [ 26.636600] kasan_save_alloc_info+0x3b/0x50 [ 26.636757] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 26.637141] remove_element+0x11e/0x190 [ 26.637579] mempool_alloc_preallocated+0x4d/0x90 [ 26.638480] mempool_uaf_helper+0x96/0x400 [ 26.638967] mempool_slab_uaf+0xea/0x140 [ 26.639519] kunit_try_run_case+0x1a5/0x480 [ 26.639954] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.640573] kthread+0x337/0x6f0 [ 26.641013] ret_from_fork+0x116/0x1d0 [ 26.641259] ret_from_fork_asm+0x1a/0x30 [ 26.641647] [ 26.641753] Freed by task 280: [ 26.641872] kasan_save_stack+0x45/0x70 [ 26.642016] kasan_save_track+0x18/0x40 [ 26.642332] kasan_save_free_info+0x3f/0x60 [ 26.642763] __kasan_mempool_poison_object+0x131/0x1d0 [ 26.643326] mempool_free+0x2ec/0x380 [ 26.643699] mempool_uaf_helper+0x11a/0x400 [ 26.644099] mempool_slab_uaf+0xea/0x140 [ 26.644559] kunit_try_run_case+0x1a5/0x480 [ 26.644910] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.645345] kthread+0x337/0x6f0 [ 26.645582] ret_from_fork+0x116/0x1d0 [ 26.645723] ret_from_fork_asm+0x1a/0x30 [ 26.645869] [ 26.646046] The buggy address belongs to the object at ffff888105abc240 [ 26.646046] which belongs to the cache test_cache of size 123 [ 26.647496] The buggy address is located 0 bytes inside of [ 26.647496] freed 123-byte region [ffff888105abc240, ffff888105abc2bb) [ 26.648155] [ 26.648415] The buggy address belongs to the physical page: [ 26.648953] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105abc [ 26.649445] flags: 0x200000000000000(node=0|zone=2) [ 26.649954] page_type: f5(slab) [ 26.650480] raw: 0200000000000000 ffff888101d9e780 dead000000000122 0000000000000000 [ 26.650788] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 26.651090] page dumped because: kasan: bad access detected [ 26.651671] [ 26.651850] Memory state around the buggy address: [ 26.652438] ffff888105abc100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 26.653334] ffff888105abc180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.654257] >ffff888105abc200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 26.654700] ^ [ 26.654894] ffff888105abc280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 26.655490] ffff888105abc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.656250] ================================================================== [ 26.544660] ================================================================== [ 26.545504] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 26.546610] Read of size 1 at addr ffff888106258200 by task kunit_try_catch/276 [ 26.547519] [ 26.547934] CPU: 1 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary) [ 26.548008] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.548024] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.548053] Call Trace: [ 26.548072] <TASK> [ 26.548098] dump_stack_lvl+0x73/0xb0 [ 26.548147] print_report+0xd1/0x650 [ 26.548176] ? __virt_addr_valid+0x1db/0x2d0 [ 26.548206] ? mempool_uaf_helper+0x392/0x400 [ 26.548237] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.548267] ? mempool_uaf_helper+0x392/0x400 [ 26.548292] kasan_report+0x141/0x180 [ 26.548317] ? mempool_uaf_helper+0x392/0x400 [ 26.548348] __asan_report_load1_noabort+0x18/0x20 [ 26.548376] mempool_uaf_helper+0x392/0x400 [ 26.548415] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.548509] ? __kasan_check_write+0x18/0x20 [ 26.548536] ? __pfx_sched_clock_cpu+0x10/0x10 [ 26.548564] ? irqentry_exit+0x2a/0x60 [ 26.548591] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 26.548623] mempool_kmalloc_uaf+0xef/0x140 [ 26.548649] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 26.548677] ? __pfx_mempool_kmalloc+0x10/0x10 [ 26.548706] ? __pfx_mempool_kfree+0x10/0x10 [ 26.548734] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 26.548762] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 26.548790] kunit_try_run_case+0x1a5/0x480 [ 26.548823] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.548850] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.548880] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.548908] ? __kthread_parkme+0x82/0x180 [ 26.548934] ? preempt_count_sub+0x50/0x80 [ 26.548962] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.548994] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.549024] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.549054] kthread+0x337/0x6f0 [ 26.549077] ? trace_preempt_on+0x20/0xc0 [ 26.549106] ? __pfx_kthread+0x10/0x10 [ 26.549130] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.549158] ? calculate_sigpending+0x7b/0xa0 [ 26.549188] ? __pfx_kthread+0x10/0x10 [ 26.549213] ret_from_fork+0x116/0x1d0 [ 26.549238] ? __pfx_kthread+0x10/0x10 [ 26.549263] ret_from_fork_asm+0x1a/0x30 [ 26.549301] </TASK> [ 26.549316] [ 26.562764] Allocated by task 276: [ 26.563582] kasan_save_stack+0x45/0x70 [ 26.563816] kasan_save_track+0x18/0x40 [ 26.564140] kasan_save_alloc_info+0x3b/0x50 [ 26.564492] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 26.564769] remove_element+0x11e/0x190 [ 26.565284] mempool_alloc_preallocated+0x4d/0x90 [ 26.565544] mempool_uaf_helper+0x96/0x400 [ 26.565939] mempool_kmalloc_uaf+0xef/0x140 [ 26.566365] kunit_try_run_case+0x1a5/0x480 [ 26.566618] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.567260] kthread+0x337/0x6f0 [ 26.567981] ret_from_fork+0x116/0x1d0 [ 26.568587] ret_from_fork_asm+0x1a/0x30 [ 26.569012] [ 26.569097] Freed by task 276: [ 26.569621] kasan_save_stack+0x45/0x70 [ 26.570162] kasan_save_track+0x18/0x40 [ 26.570592] kasan_save_free_info+0x3f/0x60 [ 26.570770] __kasan_mempool_poison_object+0x131/0x1d0 [ 26.571183] mempool_free+0x2ec/0x380 [ 26.571679] mempool_uaf_helper+0x11a/0x400 [ 26.572190] mempool_kmalloc_uaf+0xef/0x140 [ 26.572972] kunit_try_run_case+0x1a5/0x480 [ 26.573200] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.573417] kthread+0x337/0x6f0 [ 26.573576] ret_from_fork+0x116/0x1d0 [ 26.573735] ret_from_fork_asm+0x1a/0x30 [ 26.573956] [ 26.574048] The buggy address belongs to the object at ffff888106258200 [ 26.574048] which belongs to the cache kmalloc-128 of size 128 [ 26.574658] The buggy address is located 0 bytes inside of [ 26.574658] freed 128-byte region [ffff888106258200, ffff888106258280) [ 26.575149] [ 26.575290] The buggy address belongs to the physical page: [ 26.575754] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106258 [ 26.576069] flags: 0x200000000000000(node=0|zone=2) [ 26.576796] page_type: f5(slab) [ 26.577022] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.577457] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.577845] page dumped because: kasan: bad access detected [ 26.578655] [ 26.578758] Memory state around the buggy address: [ 26.579001] ffff888106258100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.579474] ffff888106258180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.579821] >ffff888106258200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.580507] ^ [ 26.580654] ffff888106258280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.581276] ffff888106258300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.581731] ==================================================================