Date
July 18, 2025, 1:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 33.609443] ==================================================================
[ 33.609600] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.609689] Read of size 1 at addr fff00000c3fed500 by task kunit_try_catch/258
[ 33.610061]
[ 33.610127] CPU: 0 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT
[ 33.610272] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.610320] Hardware name: linux,dummy-virt (DT)
[ 33.610355] Call trace:
[ 33.610534]  show_stack+0x20/0x38 (C)
[ 33.610648]  dump_stack_lvl+0x8c/0xd0
[ 33.610710]  print_report+0x118/0x5e8
[ 33.610904]  kasan_report+0xdc/0x128
[ 33.610996]  __asan_report_load1_noabort+0x20/0x30
[ 33.611063]  mempool_uaf_helper+0x314/0x340
[ 33.611163]  mempool_kmalloc_uaf+0xc4/0x120
[ 33.611243]  kunit_try_run_case+0x170/0x3f0
[ 33.611297]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.611385]  kthread+0x328/0x630
[ 33.611502]  ret_from_fork+0x10/0x20
[ 33.611551]
[ 33.611736] Allocated by task 258:
[ 33.611926]  kasan_save_stack+0x3c/0x68
[ 33.612010]  kasan_save_track+0x20/0x40
[ 33.612075]  kasan_save_alloc_info+0x40/0x58
[ 33.612232]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 33.612308]  remove_element+0x130/0x1f8
[ 33.612412]  mempool_alloc_preallocated+0x58/0xc0
[ 33.612488]  mempool_uaf_helper+0xa4/0x340
[ 33.612691]  mempool_kmalloc_uaf+0xc4/0x120
[ 33.612741]  kunit_try_run_case+0x170/0x3f0
[ 33.612794]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.612840]  kthread+0x328/0x630
[ 33.612938]  ret_from_fork+0x10/0x20
[ 33.613018]
[ 33.613127] Freed by task 258:
[ 33.613185]  kasan_save_stack+0x3c/0x68
[ 33.613265]  kasan_save_track+0x20/0x40
[ 33.613399]  kasan_save_free_info+0x4c/0x78
[ 33.613486]  __kasan_mempool_poison_object+0xc0/0x150
[ 33.613643]  mempool_free+0x28c/0x328
[ 33.613888]  mempool_uaf_helper+0x104/0x340
[ 33.614060]  mempool_kmalloc_uaf+0xc4/0x120
[ 33.614143]  kunit_try_run_case+0x170/0x3f0
[ 33.614255]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.614401]  kthread+0x328/0x630
[ 33.614477]  ret_from_fork+0x10/0x20
[ 33.614549]
[ 33.614661] The buggy address belongs to the object at fff00000c3fed500
[ 33.614661]  which belongs to the cache kmalloc-128 of size 128
[ 33.614759] The buggy address is located 0 bytes inside of
[ 33.614759]  freed 128-byte region [fff00000c3fed500, fff00000c3fed580)
[ 33.615034]
[ 33.615112] The buggy address belongs to the physical page:
[ 33.615172] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103fed
[ 33.615264] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.615332] page_type: f5(slab)
[ 33.615372] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 33.615665] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 33.615760] page dumped because: kasan: bad access detected
[ 33.615883]
[ 33.615943] Memory state around the buggy address:
[ 33.616016]  fff00000c3fed400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.616144]  fff00000c3fed480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.616217] >fff00000c3fed500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.616335]                    ^
[ 33.616376]  fff00000c3fed580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.616420]  fff00000c3fed600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.616473] ==================================================================
[ 33.635490] ==================================================================
[ 33.635600] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.635653] Read of size 1 at addr fff00000c9b2e240 by task kunit_try_catch/262
[ 33.635767]
[ 33.635828] CPU: 0 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT
[ 33.635993] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.636022] Hardware name: linux,dummy-virt (DT)
[ 33.636068] Call trace:
[ 33.636437]  show_stack+0x20/0x38 (C)
[ 33.636531]  dump_stack_lvl+0x8c/0xd0
[ 33.636648]  print_report+0x118/0x5e8
[ 33.636727]  kasan_report+0xdc/0x128
[ 33.636990]  __asan_report_load1_noabort+0x20/0x30
[ 33.637111]  mempool_uaf_helper+0x314/0x340
[ 33.637191]  mempool_slab_uaf+0xc0/0x118
[ 33.637356]  kunit_try_run_case+0x170/0x3f0
[ 33.637443]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.637697]  kthread+0x328/0x630
[ 33.637770]  ret_from_fork+0x10/0x20
[ 33.637918]
[ 33.637988] Allocated by task 262:
[ 33.638119]  kasan_save_stack+0x3c/0x68
[ 33.638205]  kasan_save_track+0x20/0x40
[ 33.638534]  kasan_save_alloc_info+0x40/0x58
[ 33.638604]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 33.638729]  remove_element+0x16c/0x1f8
[ 33.638797]  mempool_alloc_preallocated+0x58/0xc0
[ 33.638891]  mempool_uaf_helper+0xa4/0x340
[ 33.639049]  mempool_slab_uaf+0xc0/0x118
[ 33.639108]  kunit_try_run_case+0x170/0x3f0
[ 33.639307]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.639394]  kthread+0x328/0x630
[ 33.639493]  ret_from_fork+0x10/0x20
[ 33.639565]
[ 33.639621] Freed by task 262:
[ 33.639654]  kasan_save_stack+0x3c/0x68
[ 33.639939]  kasan_save_track+0x20/0x40
[ 33.640016]  kasan_save_free_info+0x4c/0x78
[ 33.640148]  __kasan_mempool_poison_object+0xc0/0x150
[ 33.640309]  mempool_free+0x28c/0x328
[ 33.640408]  mempool_uaf_helper+0x104/0x340
[ 33.640621]  mempool_slab_uaf+0xc0/0x118
[ 33.640674]  kunit_try_run_case+0x170/0x3f0
[ 33.640920]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.641000]  kthread+0x328/0x630
[ 33.641126]  ret_from_fork+0x10/0x20
[ 33.641197]
[ 33.641251] The buggy address belongs to the object at fff00000c9b2e240
[ 33.641251]  which belongs to the cache test_cache of size 123
[ 33.641482] The buggy address is located 0 bytes inside of
[ 33.641482]  freed 123-byte region [fff00000c9b2e240, fff00000c9b2e2bb)
[ 33.641698]
[ 33.641749] The buggy address belongs to the physical page:
[ 33.641798] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b2e
[ 33.641866] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.642204] page_type: f5(slab)
[ 33.642280] raw: 0bfffe0000000000 fff00000c4743dc0 dead000000000122 0000000000000000
[ 33.642346] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 33.642564] page dumped because: kasan: bad access detected
[ 33.642688]
[ 33.642748] Memory state around the buggy address:
[ 33.642821]  fff00000c9b2e100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.642868]  fff00000c9b2e180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.642910] >fff00000c9b2e200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 33.642948]                                            ^
[ 33.642984]  fff00000c9b2e280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.643025]  fff00000c9b2e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.643063] ==================================================================
```
qemu-x86_64:

```text
[ 26.428136] ==================================================================
[ 26.429190] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 26.429553] Read of size 1 at addr ffff88810618b240 by task kunit_try_catch/279
[ 26.429835]
[ 26.430011] CPU: 1 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT(voluntary)
[ 26.430063] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.430076] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.430099] Call Trace:
[ 26.430112]  <TASK>
[ 26.430131]  dump_stack_lvl+0x73/0xb0
[ 26.430165]  print_report+0xd1/0x640
[ 26.430188]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.430214]  ? mempool_uaf_helper+0x392/0x400
[ 26.430235]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.430273]  ? mempool_uaf_helper+0x392/0x400
[ 26.430295]  kasan_report+0x141/0x180
[ 26.430316]  ? mempool_uaf_helper+0x392/0x400
[ 26.430342]  __asan_report_load1_noabort+0x18/0x20
[ 26.430367]  mempool_uaf_helper+0x392/0x400
[ 26.430389]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 26.430413]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 26.430436]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.430461]  mempool_slab_uaf+0xea/0x140
[ 26.430484]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 26.430508]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 26.430534]  ? __pfx_mempool_free_slab+0x10/0x10
[ 26.430559]  ? __pfx_read_tsc+0x10/0x10
[ 26.430581]  ? ktime_get_ts64+0x86/0x230
[ 26.430607]  kunit_try_run_case+0x1a5/0x480
[ 26.430632]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.430659]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.430695]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.430727]  ? __kthread_parkme+0x82/0x180
[ 26.430749]  ? preempt_count_sub+0x50/0x80
[ 26.430771]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.430795]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.430833]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.430856]  kthread+0x337/0x6f0
[ 26.430876]  ? trace_preempt_on+0x20/0xc0
[ 26.430899]  ? __pfx_kthread+0x10/0x10
[ 26.430919]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.430949]  ? calculate_sigpending+0x7b/0xa0
[ 26.430972]  ? __pfx_kthread+0x10/0x10
[ 26.430993]  ret_from_fork+0x116/0x1d0
[ 26.431012]  ? __pfx_kthread+0x10/0x10
[ 26.431032]  ret_from_fork_asm+0x1a/0x30
[ 26.431063]  </TASK>
[ 26.431074]
[ 26.440669] Allocated by task 279:
[ 26.441116]  kasan_save_stack+0x45/0x70
[ 26.441677]  kasan_save_track+0x18/0x40
[ 26.442402]  kasan_save_alloc_info+0x3b/0x50
[ 26.442689]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 26.443188]  remove_element+0x11e/0x190
[ 26.443598]  mempool_alloc_preallocated+0x4d/0x90
[ 26.444048]  mempool_uaf_helper+0x96/0x400
[ 26.444490]  mempool_slab_uaf+0xea/0x140
[ 26.445017]  kunit_try_run_case+0x1a5/0x480
[ 26.445361]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.445943]  kthread+0x337/0x6f0
[ 26.446126]  ret_from_fork+0x116/0x1d0
[ 26.446304]  ret_from_fork_asm+0x1a/0x30
[ 26.446483]
[ 26.446563] Freed by task 279:
[ 26.446708]  kasan_save_stack+0x45/0x70
[ 26.447384]  kasan_save_track+0x18/0x40
[ 26.447574]  kasan_save_free_info+0x3f/0x60
[ 26.447763]  __kasan_mempool_poison_object+0x131/0x1d0
[ 26.448087]  mempool_free+0x2ec/0x380
[ 26.448272]  mempool_uaf_helper+0x11a/0x400
[ 26.448454]  mempool_slab_uaf+0xea/0x140
[ 26.448619]  kunit_try_run_case+0x1a5/0x480
[ 26.449390]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.449785]  kthread+0x337/0x6f0
[ 26.450007]  ret_from_fork+0x116/0x1d0
[ 26.450178]  ret_from_fork_asm+0x1a/0x30
[ 26.450362]
[ 26.450446] The buggy address belongs to the object at ffff88810618b240
[ 26.450446]  which belongs to the cache test_cache of size 123
[ 26.451478] The buggy address is located 0 bytes inside of
[ 26.451478]  freed 123-byte region [ffff88810618b240, ffff88810618b2bb)
[ 26.452484]
[ 26.452603] The buggy address belongs to the physical page:
[ 26.453101] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10618b
[ 26.453439] flags: 0x200000000000000(node=0|zone=2)
[ 26.453654] page_type: f5(slab)
[ 26.454163] raw: 0200000000000000 ffff8881012b1a00 dead000000000122 0000000000000000
[ 26.454528] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 26.455322] page dumped because: kasan: bad access detected
[ 26.455655]
[ 26.456000] Memory state around the buggy address:
[ 26.456218]  ffff88810618b100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.456523]  ffff88810618b180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.457204] >ffff88810618b200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 26.457614]                                            ^
[ 26.458147]  ffff88810618b280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.458625]  ffff88810618b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.459476] ==================================================================
[ 26.374545] ==================================================================
[ 26.376208] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 26.376573] Read of size 1 at addr ffff888102b06700 by task kunit_try_catch/275
[ 26.377444]
[ 26.377549] CPU: 1 UID: 0 PID: 275 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT(voluntary)
[ 26.377602] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.377613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.377636] Call Trace:
[ 26.377648]  <TASK>
[ 26.377666]  dump_stack_lvl+0x73/0xb0
[ 26.377701]  print_report+0xd1/0x640
[ 26.377724]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.377748]  ? mempool_uaf_helper+0x392/0x400
[ 26.377770]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.377795]  ? mempool_uaf_helper+0x392/0x400
[ 26.377901]  kasan_report+0x141/0x180
[ 26.377924]  ? mempool_uaf_helper+0x392/0x400
[ 26.377949]  __asan_report_load1_noabort+0x18/0x20
[ 26.377973]  mempool_uaf_helper+0x392/0x400
[ 26.377995]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 26.378017]  ? dequeue_entities+0x23f/0x1630
[ 26.378040]  ? __kasan_check_write+0x18/0x20
[ 26.378062]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 26.378083]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.378108]  mempool_kmalloc_uaf+0xef/0x140
[ 26.378129]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 26.378153]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 26.378177]  ? __pfx_mempool_kfree+0x10/0x10
[ 26.378200]  ? __pfx_read_tsc+0x10/0x10
[ 26.378222]  ? ktime_get_ts64+0x86/0x230
[ 26.378246]  kunit_try_run_case+0x1a5/0x480
[ 26.378286]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.378307]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.378331]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.378354]  ? __kthread_parkme+0x82/0x180
[ 26.378375]  ? preempt_count_sub+0x50/0x80
[ 26.378397]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.378420]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.378443]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.378465]  kthread+0x337/0x6f0
[ 26.378484]  ? trace_preempt_on+0x20/0xc0
[ 26.378507]  ? __pfx_kthread+0x10/0x10
[ 26.378527]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.378548]  ? calculate_sigpending+0x7b/0xa0
[ 26.378573]  ? __pfx_kthread+0x10/0x10
[ 26.378593]  ret_from_fork+0x116/0x1d0
[ 26.378612]  ? __pfx_kthread+0x10/0x10
[ 26.378632]  ret_from_fork_asm+0x1a/0x30
[ 26.378670]  </TASK>
[ 26.378681]
[ 26.386834] Allocated by task 275:
[ 26.386977]  kasan_save_stack+0x45/0x70
[ 26.387123]  kasan_save_track+0x18/0x40
[ 26.387309]  kasan_save_alloc_info+0x3b/0x50
[ 26.387516]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 26.387762]  remove_element+0x11e/0x190
[ 26.387954]  mempool_alloc_preallocated+0x4d/0x90
[ 26.388183]  mempool_uaf_helper+0x96/0x400
[ 26.388466]  mempool_kmalloc_uaf+0xef/0x140
[ 26.388664]  kunit_try_run_case+0x1a5/0x480
[ 26.388945]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.389169]  kthread+0x337/0x6f0
[ 26.389308]  ret_from_fork+0x116/0x1d0
[ 26.389495]  ret_from_fork_asm+0x1a/0x30
[ 26.389678]
[ 26.389747] Freed by task 275:
[ 26.389945]  kasan_save_stack+0x45/0x70
[ 26.390126]  kasan_save_track+0x18/0x40
[ 26.390301]  kasan_save_free_info+0x3f/0x60
[ 26.390471]  __kasan_mempool_poison_object+0x131/0x1d0
[ 26.390677]  mempool_free+0x2ec/0x380
[ 26.390828]  mempool_uaf_helper+0x11a/0x400
[ 26.390967]  mempool_kmalloc_uaf+0xef/0x140
[ 26.391104]  kunit_try_run_case+0x1a5/0x480
[ 26.391246]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.391422]  kthread+0x337/0x6f0
[ 26.391536]  ret_from_fork+0x116/0x1d0
[ 26.391662]  ret_from_fork_asm+0x1a/0x30
[ 26.391794]
[ 26.391857] The buggy address belongs to the object at ffff888102b06700
[ 26.391857]  which belongs to the cache kmalloc-128 of size 128
[ 26.392470] The buggy address is located 0 bytes inside of
[ 26.392470]  freed 128-byte region [ffff888102b06700, ffff888102b06780)
[ 26.392987]
[ 26.393077] The buggy address belongs to the physical page:
[ 26.393366] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b06
[ 26.393757] flags: 0x200000000000000(node=0|zone=2)
[ 26.393915] page_type: f5(slab)
[ 26.394033] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 26.394263] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.394522] page dumped because: kasan: bad access detected
[ 26.394953]
[ 26.395050] Memory state around the buggy address:
[ 26.395281]  ffff888102b06600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.395607]  ffff888102b06680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.396138] >ffff888102b06700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.396463]                    ^
[ 26.396616]  ffff888102b06780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.397040]  ffff888102b06800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.397331] ==================================================================
```