Date
July 16, 2025, 12:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.723451] ================================================================== [ 32.723522] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.723577] Read of size 1 at addr fff00000c9ba6240 by task kunit_try_catch/262 [ 32.723627] [ 32.723658] CPU: 0 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT [ 32.723757] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.723792] Hardware name: linux,dummy-virt (DT) [ 32.723822] Call trace: [ 32.724543] show_stack+0x20/0x38 (C) [ 32.724685] dump_stack_lvl+0x8c/0xd0 [ 32.724736] print_report+0x118/0x5d0 [ 32.724781] kasan_report+0xdc/0x128 [ 32.724823] __asan_report_load1_noabort+0x20/0x30 [ 32.724874] mempool_uaf_helper+0x314/0x340 [ 32.724923] mempool_slab_uaf+0xc0/0x118 [ 32.724970] kunit_try_run_case+0x170/0x3f0 [ 32.726031] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.726172] kthread+0x328/0x630 [ 32.726256] ret_from_fork+0x10/0x20 [ 32.726322] [ 32.726341] Allocated by task 262: [ 32.726382] kasan_save_stack+0x3c/0x68 [ 32.726471] kasan_save_track+0x20/0x40 [ 32.726839] kasan_save_alloc_info+0x40/0x58 [ 32.726892] __kasan_mempool_unpoison_object+0xbc/0x180 [ 32.726937] remove_element+0x16c/0x1f8 [ 32.726977] mempool_alloc_preallocated+0x58/0xc0 [ 32.727301] mempool_uaf_helper+0xa4/0x340 [ 32.727427] mempool_slab_uaf+0xc0/0x118 [ 32.727468] kunit_try_run_case+0x170/0x3f0 [ 32.727517] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.727564] kthread+0x328/0x630 [ 32.727597] ret_from_fork+0x10/0x20 [ 32.728046] [ 32.728161] Freed by task 262: [ 32.728239] kasan_save_stack+0x3c/0x68 [ 32.728282] kasan_save_track+0x20/0x40 [ 32.728347] kasan_save_free_info+0x4c/0x78 [ 32.728388] __kasan_mempool_poison_object+0xc0/0x150 [ 32.728430] mempool_free+0x28c/0x328 [ 32.728738] mempool_uaf_helper+0x104/0x340 [ 32.728830] mempool_slab_uaf+0xc0/0x118 [ 32.728871] kunit_try_run_case+0x170/0x3f0 [ 32.728911] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.728954] kthread+0x328/0x630 [ 32.728989] ret_from_fork+0x10/0x20 [ 32.729026] [ 32.729056] The buggy address belongs to the object at fff00000c9ba6240 [ 32.729056] which belongs to the cache test_cache of size 123 [ 32.729316] The buggy address is located 0 bytes inside of [ 32.729316] freed 123-byte region [fff00000c9ba6240, fff00000c9ba62bb) [ 32.729785] [ 32.729807] The buggy address belongs to the physical page: [ 32.729866] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ba6 [ 32.729919] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.730237] page_type: f5(slab) [ 32.730280] raw: 0bfffe0000000000 fff00000c56a1dc0 dead000000000122 0000000000000000 [ 32.730332] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 32.730691] page dumped because: kasan: bad access detected [ 32.730733] [ 32.730751] Memory state around the buggy address: [ 32.730784] fff00000c9ba6100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.730828] fff00000c9ba6180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.730881] >fff00000c9ba6200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 32.730920] ^ [ 32.731200] fff00000c9ba6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.731248] fff00000c9ba6300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.731754] ================================================================== [ 32.689993] ================================================================== [ 32.690339] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.690409] Read of size 1 at addr fff00000c9ba2600 by task kunit_try_catch/258 [ 32.690460] [ 32.690497] CPU: 0 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT [ 32.690597] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.690625] Hardware name: linux,dummy-virt (DT) [ 32.690659] Call trace: [ 32.690694] show_stack+0x20/0x38 (C) [ 32.690742] dump_stack_lvl+0x8c/0xd0 [ 32.691113] print_report+0x118/0x5d0 [ 32.691463] kasan_report+0xdc/0x128 [ 32.691520] __asan_report_load1_noabort+0x20/0x30 [ 32.691837] mempool_uaf_helper+0x314/0x340 [ 32.692243] mempool_kmalloc_uaf+0xc4/0x120 [ 32.692297] kunit_try_run_case+0x170/0x3f0 [ 32.692347] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.692426] kthread+0x328/0x630 [ 32.692672] ret_from_fork+0x10/0x20 [ 32.692725] [ 32.692743] Allocated by task 258: [ 32.692877] kasan_save_stack+0x3c/0x68 [ 32.693239] kasan_save_track+0x20/0x40 [ 32.693291] kasan_save_alloc_info+0x40/0x58 [ 32.693433] __kasan_mempool_unpoison_object+0x11c/0x180 [ 32.693478] remove_element+0x130/0x1f8 [ 32.693527] mempool_alloc_preallocated+0x58/0xc0 [ 32.693579] mempool_uaf_helper+0xa4/0x340 [ 32.693787] mempool_kmalloc_uaf+0xc4/0x120 [ 32.693827] kunit_try_run_case+0x170/0x3f0 [ 32.693866] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.693909] kthread+0x328/0x630 [ 32.693941] ret_from_fork+0x10/0x20 [ 32.693978] [ 32.694008] Freed by task 258: [ 32.694034] kasan_save_stack+0x3c/0x68 [ 32.694070] kasan_save_track+0x20/0x40 [ 32.694403] kasan_save_free_info+0x4c/0x78 [ 32.694487] __kasan_mempool_poison_object+0xc0/0x150 [ 32.694538] mempool_free+0x28c/0x328 [ 32.694579] mempool_uaf_helper+0x104/0x340 [ 32.694617] mempool_kmalloc_uaf+0xc4/0x120 [ 32.694657] kunit_try_run_case+0x170/0x3f0 [ 32.694693] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.694742] kthread+0x328/0x630 [ 32.694933] ret_from_fork+0x10/0x20 [ 32.694970] [ 32.695016] The buggy address belongs to the object at fff00000c9ba2600 [ 32.695016] which belongs to the cache kmalloc-128 of size 128 [ 32.695115] The buggy address is located 0 bytes inside of [ 32.695115] freed 128-byte region [fff00000c9ba2600, fff00000c9ba2680) [ 32.695178] [ 32.695236] The buggy address belongs to the physical page: [ 32.695269] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ba2 [ 32.695483] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.695561] page_type: f5(slab) [ 32.695599] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.695649] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.695691] page dumped because: kasan: bad access detected [ 32.695847] [ 32.695868] Memory state around the buggy address: [ 32.695901] fff00000c9ba2500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.696324] fff00000c9ba2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.696497] >fff00000c9ba2600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.696552] ^ [ 32.696633] fff00000c9ba2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.696785] fff00000c9ba2700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.697062] ==================================================================
[ 24.862562] ================================================================== [ 24.863244] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 24.863564] Read of size 1 at addr ffff888106090240 by task kunit_try_catch/280 [ 24.863878] [ 24.863979] CPU: 1 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT(voluntary) [ 24.864033] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.864046] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.864068] Call Trace: [ 24.864082] <TASK> [ 24.864101] dump_stack_lvl+0x73/0xb0 [ 24.864135] print_report+0xd1/0x610 [ 24.864160] ? __virt_addr_valid+0x1db/0x2d0 [ 24.864186] ? mempool_uaf_helper+0x392/0x400 [ 24.864208] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.864235] ? mempool_uaf_helper+0x392/0x400 [ 24.864257] kasan_report+0x141/0x180 [ 24.864279] ? mempool_uaf_helper+0x392/0x400 [ 24.864318] __asan_report_load1_noabort+0x18/0x20 [ 24.864343] mempool_uaf_helper+0x392/0x400 [ 24.864366] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 24.864390] ? __pfx_sched_clock_cpu+0x10/0x10 [ 24.864413] ? finish_task_switch.isra.0+0x153/0x700 [ 24.864441] mempool_slab_uaf+0xea/0x140 [ 24.864464] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 24.864490] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 24.864515] ? __pfx_mempool_free_slab+0x10/0x10 [ 24.864541] ? __pfx_read_tsc+0x10/0x10 [ 24.864564] ? ktime_get_ts64+0x86/0x230 [ 24.864591] kunit_try_run_case+0x1a5/0x480 [ 24.864617] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.864639] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.864664] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.864687] ? __kthread_parkme+0x82/0x180 [ 24.864709] ? preempt_count_sub+0x50/0x80 [ 24.864732] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.864768] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.864794] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.864821] kthread+0x337/0x6f0 [ 24.864840] ? trace_preempt_on+0x20/0xc0 [ 24.864865] ? __pfx_kthread+0x10/0x10 [ 24.864886] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.864907] ? calculate_sigpending+0x7b/0xa0 [ 24.864932] ? __pfx_kthread+0x10/0x10 [ 24.864952] ret_from_fork+0x116/0x1d0 [ 24.864972] ? __pfx_kthread+0x10/0x10 [ 24.864993] ret_from_fork_asm+0x1a/0x30 [ 24.865026] </TASK> [ 24.865037] [ 24.872426] Allocated by task 280: [ 24.872553] kasan_save_stack+0x45/0x70 [ 24.872761] kasan_save_track+0x18/0x40 [ 24.872951] kasan_save_alloc_info+0x3b/0x50 [ 24.873157] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 24.873414] remove_element+0x11e/0x190 [ 24.873567] mempool_alloc_preallocated+0x4d/0x90 [ 24.873785] mempool_uaf_helper+0x96/0x400 [ 24.873922] mempool_slab_uaf+0xea/0x140 [ 24.874053] kunit_try_run_case+0x1a5/0x480 [ 24.874235] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.874447] kthread+0x337/0x6f0 [ 24.874623] ret_from_fork+0x116/0x1d0 [ 24.874781] ret_from_fork_asm+0x1a/0x30 [ 24.874971] [ 24.875054] Freed by task 280: [ 24.875191] kasan_save_stack+0x45/0x70 [ 24.875362] kasan_save_track+0x18/0x40 [ 24.875531] kasan_save_free_info+0x3f/0x60 [ 24.875706] __kasan_mempool_poison_object+0x131/0x1d0 [ 24.875870] mempool_free+0x2ec/0x380 [ 24.875996] mempool_uaf_helper+0x11a/0x400 [ 24.876132] mempool_slab_uaf+0xea/0x140 [ 24.876262] kunit_try_run_case+0x1a5/0x480 [ 24.876438] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.876686] kthread+0x337/0x6f0 [ 24.876849] ret_from_fork+0x116/0x1d0 [ 24.877028] ret_from_fork_asm+0x1a/0x30 [ 24.877391] [ 24.877479] The buggy address belongs to the object at ffff888106090240 [ 24.877479] which belongs to the cache test_cache of size 123 [ 24.878012] The buggy address is located 0 bytes inside of [ 24.878012] freed 123-byte region [ffff888106090240, ffff8881060902bb) [ 24.878365] [ 24.878434] The buggy address belongs to the physical page: [ 24.878681] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106090 [ 24.879040] flags: 0x200000000000000(node=0|zone=2) [ 24.879277] page_type: f5(slab) [ 24.879458] raw: 0200000000000000 ffff888106085500 dead000000000122 0000000000000000 [ 24.880107] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 24.880454] page dumped because: kasan: bad access detected [ 24.880681] [ 24.880772] Memory state around the buggy address: [ 24.880957] ffff888106090100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.881168] ffff888106090180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.881469] >ffff888106090200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 24.882086] ^ [ 24.882346] ffff888106090280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.882654] ffff888106090300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.882871] ================================================================== [ 24.810861] ================================================================== [ 24.811375] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 24.811895] Read of size 1 at addr ffff888104a24d00 by task kunit_try_catch/276 [ 24.812170] [ 24.812259] CPU: 1 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250716 #1 PREEMPT(voluntary) [ 24.812327] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.812340] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.812362] Call Trace: [ 24.812377] <TASK> [ 24.812398] dump_stack_lvl+0x73/0xb0 [ 24.812431] print_report+0xd1/0x610 [ 24.812457] ? __virt_addr_valid+0x1db/0x2d0 [ 24.812482] ? mempool_uaf_helper+0x392/0x400 [ 24.812505] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.812532] ? mempool_uaf_helper+0x392/0x400 [ 24.812554] kasan_report+0x141/0x180 [ 24.812577] ? mempool_uaf_helper+0x392/0x400 [ 24.812632] __asan_report_load1_noabort+0x18/0x20 [ 24.812658] mempool_uaf_helper+0x392/0x400 [ 24.812680] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 24.812706] ? finish_task_switch.isra.0+0x153/0x700 [ 24.812734] mempool_kmalloc_uaf+0xef/0x140 [ 24.812756] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 24.812782] ? __pfx_mempool_kmalloc+0x10/0x10 [ 24.812808] ? __pfx_mempool_kfree+0x10/0x10 [ 24.812833] ? __pfx_read_tsc+0x10/0x10 [ 24.812856] ? ktime_get_ts64+0x86/0x230 [ 24.812885] kunit_try_run_case+0x1a5/0x480 [ 24.812911] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.812934] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.812958] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.812982] ? __kthread_parkme+0x82/0x180 [ 24.813006] ? preempt_count_sub+0x50/0x80 [ 24.813029] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.813055] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.813083] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.813111] kthread+0x337/0x6f0 [ 24.813131] ? trace_preempt_on+0x20/0xc0 [ 24.813157] ? __pfx_kthread+0x10/0x10 [ 24.813178] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.813199] ? calculate_sigpending+0x7b/0xa0 [ 24.813225] ? __pfx_kthread+0x10/0x10 [ 24.813246] ret_from_fork+0x116/0x1d0 [ 24.813266] ? __pfx_kthread+0x10/0x10 [ 24.813287] ret_from_fork_asm+0x1a/0x30 [ 24.813330] </TASK> [ 24.813342] [ 24.821714] Allocated by task 276: [ 24.821978] kasan_save_stack+0x45/0x70 [ 24.822251] kasan_save_track+0x18/0x40 [ 24.822474] kasan_save_alloc_info+0x3b/0x50 [ 24.822778] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 24.822963] remove_element+0x11e/0x190 [ 24.823101] mempool_alloc_preallocated+0x4d/0x90 [ 24.823439] mempool_uaf_helper+0x96/0x400 [ 24.823608] mempool_kmalloc_uaf+0xef/0x140 [ 24.823757] kunit_try_run_case+0x1a5/0x480 [ 24.824078] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.824390] kthread+0x337/0x6f0 [ 24.824535] ret_from_fork+0x116/0x1d0 [ 24.824665] ret_from_fork_asm+0x1a/0x30 [ 24.824937] [ 24.825098] Freed by task 276: [ 24.825425] kasan_save_stack+0x45/0x70 [ 24.825579] kasan_save_track+0x18/0x40 [ 24.825717] kasan_save_free_info+0x3f/0x60 [ 24.825857] __kasan_mempool_poison_object+0x131/0x1d0 [ 24.826018] mempool_free+0x2ec/0x380 [ 24.826151] mempool_uaf_helper+0x11a/0x400 [ 24.826435] mempool_kmalloc_uaf+0xef/0x140 [ 24.826635] kunit_try_run_case+0x1a5/0x480 [ 24.826833] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.827080] kthread+0x337/0x6f0 [ 24.827319] ret_from_fork+0x116/0x1d0 [ 24.827635] ret_from_fork_asm+0x1a/0x30 [ 24.827778] [ 24.827845] The buggy address belongs to the object at ffff888104a24d00 [ 24.827845] which belongs to the cache kmalloc-128 of size 128 [ 24.828392] The buggy address is located 0 bytes inside of [ 24.828392] freed 128-byte region [ffff888104a24d00, ffff888104a24d80) [ 24.828965] [ 24.829040] The buggy address belongs to the physical page: [ 24.829276] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104a24 [ 24.829590] flags: 0x200000000000000(node=0|zone=2) [ 24.829824] page_type: f5(slab) [ 24.829973] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.830197] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.830492] page dumped because: kasan: bad access detected [ 24.830945] [ 24.831282] Memory state around the buggy address: [ 24.831517] ffff888104a24c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.831851] ffff888104a24c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.832125] >ffff888104a24d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.832449] ^ [ 24.832605] ffff888104a24d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.832872] ffff888104a24e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.833321] ==================================================================