Hay
Date: July 10, 2025, 9:07 a.m.

Environment: qemu-arm64, qemu-x86_64

[   31.567240] ==================================================================
[   31.567413] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   31.567476] Read of size 1 at addr fff00000c9af0c00 by task kunit_try_catch/258
[   31.567563] 
[   31.567601] CPU: 0 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT 
[   31.567692] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.567737] Hardware name: linux,dummy-virt (DT)
[   31.567797] Call trace:
[   31.567885]  show_stack+0x20/0x38 (C)
[   31.567954]  dump_stack_lvl+0x8c/0xd0
[   31.568019]  print_report+0x118/0x5d0
[   31.568061]  kasan_report+0xdc/0x128
[   31.568122]  __asan_report_load1_noabort+0x20/0x30
[   31.568185]  mempool_uaf_helper+0x314/0x340
[   31.568231]  mempool_kmalloc_uaf+0xc4/0x120
[   31.568278]  kunit_try_run_case+0x170/0x3f0
[   31.568345]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.568437]  kthread+0x328/0x630
[   31.568496]  ret_from_fork+0x10/0x20
[   31.568552] 
[   31.568626] Allocated by task 258:
[   31.568655]  kasan_save_stack+0x3c/0x68
[   31.568696]  kasan_save_track+0x20/0x40
[   31.568744]  kasan_save_alloc_info+0x40/0x58
[   31.568783]  __kasan_mempool_unpoison_object+0x11c/0x180
[   31.568829]  remove_element+0x130/0x1f8
[   31.568869]  mempool_alloc_preallocated+0x58/0xc0
[   31.568907]  mempool_uaf_helper+0xa4/0x340
[   31.568945]  mempool_kmalloc_uaf+0xc4/0x120
[   31.569090]  kunit_try_run_case+0x170/0x3f0
[   31.569167]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.569234]  kthread+0x328/0x630
[   31.569269]  ret_from_fork+0x10/0x20
[   31.569325] 
[   31.569386] Freed by task 258:
[   31.569415]  kasan_save_stack+0x3c/0x68
[   31.569471]  kasan_save_track+0x20/0x40
[   31.569528]  kasan_save_free_info+0x4c/0x78
[   31.569613]  __kasan_mempool_poison_object+0xc0/0x150
[   31.569657]  mempool_free+0x28c/0x328
[   31.569694]  mempool_uaf_helper+0x104/0x340
[   31.569733]  mempool_kmalloc_uaf+0xc4/0x120
[   31.569778]  kunit_try_run_case+0x170/0x3f0
[   31.569836]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.569902]  kthread+0x328/0x630
[   31.569934]  ret_from_fork+0x10/0x20
[   31.569968] 
[   31.570000] The buggy address belongs to the object at fff00000c9af0c00
[   31.570000]  which belongs to the cache kmalloc-128 of size 128
[   31.570245] The buggy address is located 0 bytes inside of
[   31.570245]  freed 128-byte region [fff00000c9af0c00, fff00000c9af0c80)
[   31.570344] 
[   31.570384] The buggy address belongs to the physical page:
[   31.570434] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109af0
[   31.570508] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.570565] page_type: f5(slab)
[   31.570622] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   31.570689] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.570819] page dumped because: kasan: bad access detected
[   31.570879] 
[   31.570932] Memory state around the buggy address:
[   31.570964]  fff00000c9af0b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.571008]  fff00000c9af0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.571072] >fff00000c9af0c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.571111]                    ^
[   31.571147]  fff00000c9af0c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.571190]  fff00000c9af0d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.571230] ==================================================================
[   31.585869] ==================================================================
[   31.585934] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   31.586002] Read of size 1 at addr fff00000c9bc0240 by task kunit_try_catch/262
[   31.586054] 
[   31.586301] CPU: 0 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT 
[   31.586412] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.586439] Hardware name: linux,dummy-virt (DT)
[   31.586491] Call trace:
[   31.586530]  show_stack+0x20/0x38 (C)
[   31.586610]  dump_stack_lvl+0x8c/0xd0
[   31.586662]  print_report+0x118/0x5d0
[   31.586802]  kasan_report+0xdc/0x128
[   31.586848]  __asan_report_load1_noabort+0x20/0x30
[   31.586895]  mempool_uaf_helper+0x314/0x340
[   31.586942]  mempool_slab_uaf+0xc0/0x118
[   31.586988]  kunit_try_run_case+0x170/0x3f0
[   31.587037]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.587198]  kthread+0x328/0x630
[   31.587245]  ret_from_fork+0x10/0x20
[   31.587292] 
[   31.587311] Allocated by task 262:
[   31.587339]  kasan_save_stack+0x3c/0x68
[   31.587383]  kasan_save_track+0x20/0x40
[   31.587442]  kasan_save_alloc_info+0x40/0x58
[   31.587536]  __kasan_mempool_unpoison_object+0xbc/0x180
[   31.587630]  remove_element+0x16c/0x1f8
[   31.587709]  mempool_alloc_preallocated+0x58/0xc0
[   31.587806]  mempool_uaf_helper+0xa4/0x340
[   31.587886]  mempool_slab_uaf+0xc0/0x118
[   31.587973]  kunit_try_run_case+0x170/0x3f0
[   31.588060]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.588108]  kthread+0x328/0x630
[   31.588150]  ret_from_fork+0x10/0x20
[   31.588186] 
[   31.588206] Freed by task 262:
[   31.588232]  kasan_save_stack+0x3c/0x68
[   31.588388]  kasan_save_track+0x20/0x40
[   31.588449]  kasan_save_free_info+0x4c/0x78
[   31.588528]  __kasan_mempool_poison_object+0xc0/0x150
[   31.588595]  mempool_free+0x28c/0x328
[   31.588667]  mempool_uaf_helper+0x104/0x340
[   31.588707]  mempool_slab_uaf+0xc0/0x118
[   31.588939]  kunit_try_run_case+0x170/0x3f0
[   31.589029]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.589145]  kthread+0x328/0x630
[   31.589215]  ret_from_fork+0x10/0x20
[   31.589318] 
[   31.589368] The buggy address belongs to the object at fff00000c9bc0240
[   31.589368]  which belongs to the cache test_cache of size 123
[   31.589450] The buggy address is located 0 bytes inside of
[   31.589450]  freed 123-byte region [fff00000c9bc0240, fff00000c9bc02bb)
[   31.589711] 
[   31.589771] The buggy address belongs to the physical page:
[   31.589809] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bc0
[   31.589869] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.589933] page_type: f5(slab)
[   31.589972] raw: 0bfffe0000000000 fff00000ffed2f00 dead000000000122 0000000000000000
[   31.590023] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   31.590075] page dumped because: kasan: bad access detected
[   31.590116] 
[   31.590155] Memory state around the buggy address:
[   31.590204]  fff00000c9bc0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.590248]  fff00000c9bc0180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.590301] >fff00000c9bc0200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   31.590351]                                            ^
[   31.590397]  fff00000c9bc0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.590458]  fff00000c9bc0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.590499] ==================================================================

[   26.692734] ==================================================================
[   26.693380] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   26.694904] Read of size 1 at addr ffff888104398240 by task kunit_try_catch/279
[   26.695891] 
[   26.695996] CPU: 1 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) 
[   26.696050] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.696063] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.696088] Call Trace:
[   26.696102]  <TASK>
[   26.696123]  dump_stack_lvl+0x73/0xb0
[   26.696155]  print_report+0xd1/0x610
[   26.696178]  ? __virt_addr_valid+0x1db/0x2d0
[   26.696204]  ? mempool_uaf_helper+0x392/0x400
[   26.696226]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.696253]  ? mempool_uaf_helper+0x392/0x400
[   26.696275]  kasan_report+0x141/0x180
[   26.696297]  ? mempool_uaf_helper+0x392/0x400
[   26.696323]  __asan_report_load1_noabort+0x18/0x20
[   26.696346]  mempool_uaf_helper+0x392/0x400
[   26.696370]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   26.696392]  ? update_load_avg+0x1be/0x21b0
[   26.696420]  ? finish_task_switch.isra.0+0x153/0x700
[   26.696447]  mempool_slab_uaf+0xea/0x140
[   26.696470]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   26.696514]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   26.696540]  ? __pfx_mempool_free_slab+0x10/0x10
[   26.696566]  ? __pfx_read_tsc+0x10/0x10
[   26.696590]  ? ktime_get_ts64+0x86/0x230
[   26.696615]  kunit_try_run_case+0x1a5/0x480
[   26.696638]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.696659]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.696683]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.696720]  ? __kthread_parkme+0x82/0x180
[   26.696741]  ? preempt_count_sub+0x50/0x80
[   26.696764]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.696787]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.696812]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.696838]  kthread+0x337/0x6f0
[   26.696858]  ? trace_preempt_on+0x20/0xc0
[   26.696881]  ? __pfx_kthread+0x10/0x10
[   26.696902]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.696923]  ? calculate_sigpending+0x7b/0xa0
[   26.696947]  ? __pfx_kthread+0x10/0x10
[   26.696969]  ret_from_fork+0x116/0x1d0
[   26.696989]  ? __pfx_kthread+0x10/0x10
[   26.697010]  ret_from_fork_asm+0x1a/0x30
[   26.697041]  </TASK>
[   26.697054] 
[   26.705091] Allocated by task 279:
[   26.705256]  kasan_save_stack+0x45/0x70
[   26.705446]  kasan_save_track+0x18/0x40
[   26.705935]  kasan_save_alloc_info+0x3b/0x50
[   26.706138]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   26.706366]  remove_element+0x11e/0x190
[   26.707247]  mempool_alloc_preallocated+0x4d/0x90
[   26.708173]  mempool_uaf_helper+0x96/0x400
[   26.708335]  mempool_slab_uaf+0xea/0x140
[   26.708478]  kunit_try_run_case+0x1a5/0x480
[   26.708693]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.709451]  kthread+0x337/0x6f0
[   26.709915]  ret_from_fork+0x116/0x1d0
[   26.710198]  ret_from_fork_asm+0x1a/0x30
[   26.710397] 
[   26.710486] Freed by task 279:
[   26.711146]  kasan_save_stack+0x45/0x70
[   26.711359]  kasan_save_track+0x18/0x40
[   26.711682]  kasan_save_free_info+0x3f/0x60
[   26.711944]  __kasan_mempool_poison_object+0x131/0x1d0
[   26.712181]  mempool_free+0x2ec/0x380
[   26.712343]  mempool_uaf_helper+0x11a/0x400
[   26.712806]  mempool_slab_uaf+0xea/0x140
[   26.713319]  kunit_try_run_case+0x1a5/0x480
[   26.713690]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.714353]  kthread+0x337/0x6f0
[   26.714663]  ret_from_fork+0x116/0x1d0
[   26.714978]  ret_from_fork_asm+0x1a/0x30
[   26.715171] 
[   26.715256] The buggy address belongs to the object at ffff888104398240
[   26.715256]  which belongs to the cache test_cache of size 123
[   26.716231] The buggy address is located 0 bytes inside of
[   26.716231]  freed 123-byte region [ffff888104398240, ffff8881043982bb)
[   26.717323] 
[   26.717431] The buggy address belongs to the physical page:
[   26.717871] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104398
[   26.718368] flags: 0x200000000000000(node=0|zone=2)
[   26.718785] page_type: f5(slab)
[   26.719141] raw: 0200000000000000 ffff888101d98dc0 dead000000000122 0000000000000000
[   26.719607] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   26.720310] page dumped because: kasan: bad access detected
[   26.720832] 
[   26.721088] Memory state around the buggy address:
[   26.721438]  ffff888104398100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.722113]  ffff888104398180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.722657] >ffff888104398200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   26.723232]                                            ^
[   26.723779]  ffff888104398280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.724180]  ffff888104398300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.724465] ==================================================================
[   26.631714] ==================================================================
[   26.632427] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   26.633187] Read of size 1 at addr ffff8881060c3400 by task kunit_try_catch/275
[   26.633909] 
[   26.634005] CPU: 1 UID: 0 PID: 275 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) 
[   26.634060] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.634073] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.634097] Call Trace:
[   26.634110]  <TASK>
[   26.634130]  dump_stack_lvl+0x73/0xb0
[   26.634162]  print_report+0xd1/0x610
[   26.634186]  ? __virt_addr_valid+0x1db/0x2d0
[   26.634214]  ? mempool_uaf_helper+0x392/0x400
[   26.634235]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.634261]  ? mempool_uaf_helper+0x392/0x400
[   26.634284]  kasan_report+0x141/0x180
[   26.634307]  ? mempool_uaf_helper+0x392/0x400
[   26.634334]  __asan_report_load1_noabort+0x18/0x20
[   26.634359]  mempool_uaf_helper+0x392/0x400
[   26.634382]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   26.634406]  ? __kasan_check_write+0x18/0x20
[   26.634429]  ? __pfx_sched_clock_cpu+0x10/0x10
[   26.634453]  ? finish_task_switch.isra.0+0x153/0x700
[   26.634489]  mempool_kmalloc_uaf+0xef/0x140
[   26.634512]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   26.634537]  ? __pfx_mempool_kmalloc+0x10/0x10
[   26.634562]  ? __pfx_mempool_kfree+0x10/0x10
[   26.634586]  ? __pfx_read_tsc+0x10/0x10
[   26.634609]  ? ktime_get_ts64+0x86/0x230
[   26.634634]  kunit_try_run_case+0x1a5/0x480
[   26.634658]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.634679]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.634714]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.634739]  ? __kthread_parkme+0x82/0x180
[   26.634761]  ? preempt_count_sub+0x50/0x80
[   26.634783]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.634805]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.634831]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.634857]  kthread+0x337/0x6f0
[   26.634878]  ? trace_preempt_on+0x20/0xc0
[   26.634933]  ? __pfx_kthread+0x10/0x10
[   26.634956]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.634978]  ? calculate_sigpending+0x7b/0xa0
[   26.635016]  ? __pfx_kthread+0x10/0x10
[   26.635037]  ret_from_fork+0x116/0x1d0
[   26.635058]  ? __pfx_kthread+0x10/0x10
[   26.635079]  ret_from_fork_asm+0x1a/0x30
[   26.635111]  </TASK>
[   26.635123] 
[   26.648213] Allocated by task 275:
[   26.648470]  kasan_save_stack+0x45/0x70
[   26.648634]  kasan_save_track+0x18/0x40
[   26.648926]  kasan_save_alloc_info+0x3b/0x50
[   26.649132]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   26.649391]  remove_element+0x11e/0x190
[   26.649621]  mempool_alloc_preallocated+0x4d/0x90
[   26.649797]  mempool_uaf_helper+0x96/0x400
[   26.649946]  mempool_kmalloc_uaf+0xef/0x140
[   26.650143]  kunit_try_run_case+0x1a5/0x480
[   26.650440]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.650831]  kthread+0x337/0x6f0
[   26.650958]  ret_from_fork+0x116/0x1d0
[   26.651265]  ret_from_fork_asm+0x1a/0x30
[   26.651466] 
[   26.652155] Freed by task 275:
[   26.652313]  kasan_save_stack+0x45/0x70
[   26.652506]  kasan_save_track+0x18/0x40
[   26.652686]  kasan_save_free_info+0x3f/0x60
[   26.652940]  __kasan_mempool_poison_object+0x131/0x1d0
[   26.653167]  mempool_free+0x2ec/0x380
[   26.653333]  mempool_uaf_helper+0x11a/0x400
[   26.653910]  mempool_kmalloc_uaf+0xef/0x140
[   26.654353]  kunit_try_run_case+0x1a5/0x480
[   26.654679]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.655007]  kthread+0x337/0x6f0
[   26.655173]  ret_from_fork+0x116/0x1d0
[   26.655342]  ret_from_fork_asm+0x1a/0x30
[   26.655969] 
[   26.656082] The buggy address belongs to the object at ffff8881060c3400
[   26.656082]  which belongs to the cache kmalloc-128 of size 128
[   26.656925] The buggy address is located 0 bytes inside of
[   26.656925]  freed 128-byte region [ffff8881060c3400, ffff8881060c3480)
[   26.657751] 
[   26.657919] The buggy address belongs to the physical page:
[   26.658153] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060c3
[   26.658474] flags: 0x200000000000000(node=0|zone=2)
[   26.659217] page_type: f5(slab)
[   26.659395] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   26.660013] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   26.660336] page dumped because: kasan: bad access detected
[   26.660770] 
[   26.661155] Memory state around the buggy address:
[   26.661373]  ffff8881060c3300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.662014]  ffff8881060c3380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.662323] >ffff8881060c3400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.663020]                    ^
[   26.663194]  ffff8881060c3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.663486]  ffff8881060c3500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.664114] ==================================================================