Date
July 24, 2025, 4:41 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 34.520484] ================================================================== [ 34.520565] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 34.520639] Read of size 1 at addr fff00000c9a8bd00 by task kunit_try_catch/258 [ 34.520692] [ 34.520735] CPU: 0 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250724 #1 PREEMPT [ 34.520846] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.520876] Hardware name: linux,dummy-virt (DT) [ 34.520910] Call trace: [ 34.520937] show_stack+0x20/0x38 (C) [ 34.520989] dump_stack_lvl+0x8c/0xd0 [ 34.521039] print_report+0x118/0x5e8 [ 34.521083] kasan_report+0xdc/0x128 [ 34.521125] __asan_report_load1_noabort+0x20/0x30 [ 34.521174] mempool_uaf_helper+0x314/0x340 [ 34.521221] mempool_kmalloc_uaf+0xc4/0x120 [ 34.521268] kunit_try_run_case+0x170/0x3f0 [ 34.521318] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.521370] kthread+0x328/0x630 [ 34.521413] ret_from_fork+0x10/0x20 [ 34.521463] [ 34.521482] Allocated by task 258: [ 34.521510] kasan_save_stack+0x3c/0x68 [ 34.521548] kasan_save_track+0x20/0x40 [ 34.521583] kasan_save_alloc_info+0x40/0x58 [ 34.521620] __kasan_mempool_unpoison_object+0x11c/0x180 [ 34.521662] remove_element+0x130/0x1f8 [ 34.521702] mempool_alloc_preallocated+0x58/0xc0 [ 34.521742] mempool_uaf_helper+0xa4/0x340 [ 34.521790] mempool_kmalloc_uaf+0xc4/0x120 [ 34.521829] kunit_try_run_case+0x170/0x3f0 [ 34.521865] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.521908] kthread+0x328/0x630 [ 34.521940] ret_from_fork+0x10/0x20 [ 34.521976] [ 34.521996] Freed by task 258: [ 34.522021] kasan_save_stack+0x3c/0x68 [ 34.522055] kasan_save_track+0x20/0x40 [ 34.522090] kasan_save_free_info+0x4c/0x78 [ 34.522133] __kasan_mempool_poison_object+0xc0/0x150 [ 34.522174] mempool_free+0x3f4/0x5f0 [ 34.522209] mempool_uaf_helper+0x104/0x340 [ 34.522247] mempool_kmalloc_uaf+0xc4/0x120 [ 34.522286] kunit_try_run_case+0x170/0x3f0 [ 34.522322] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.522365] kthread+0x328/0x630 [ 34.522397] ret_from_fork+0x10/0x20 [ 34.522433] [ 34.522452] The buggy address belongs to the object at fff00000c9a8bd00 [ 34.522452] which belongs to the cache kmalloc-128 of size 128 [ 34.522512] The buggy address is located 0 bytes inside of [ 34.522512] freed 128-byte region [fff00000c9a8bd00, fff00000c9a8bd80) [ 34.522572] [ 34.522594] The buggy address belongs to the physical page: [ 34.522634] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a8b [ 34.522691] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.522743] page_type: f5(slab) [ 34.522795] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 34.522847] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 34.522887] page dumped because: kasan: bad access detected [ 34.522919] [ 34.522937] Memory state around the buggy address: [ 34.523087] fff00000c9a8bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.523135] fff00000c9a8bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.523179] >fff00000c9a8bd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.523218] ^ [ 34.523245] fff00000c9a8bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.523290] fff00000c9a8be00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.523330] ================================================================== [ 34.585005] ================================================================== [ 34.585107] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 34.585186] Read of size 1 at addr fff00000c9b5e240 by task kunit_try_catch/262 [ 34.585239] [ 34.585283] CPU: 1 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250724 #1 PREEMPT [ 34.585375] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.585402] Hardware name: linux,dummy-virt (DT) [ 34.585438] Call trace: [ 34.585464] show_stack+0x20/0x38 (C) [ 34.585516] dump_stack_lvl+0x8c/0xd0 [ 34.585568] print_report+0x118/0x5e8 [ 34.585612] kasan_report+0xdc/0x128 [ 34.585655] __asan_report_load1_noabort+0x20/0x30 [ 34.585704] mempool_uaf_helper+0x314/0x340 [ 34.585766] mempool_slab_uaf+0xc0/0x118 [ 34.585812] kunit_try_run_case+0x170/0x3f0 [ 34.585862] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.585914] kthread+0x328/0x630 [ 34.585957] ret_from_fork+0x10/0x20 [ 34.586007] [ 34.586026] Allocated by task 262: [ 34.586056] kasan_save_stack+0x3c/0x68 [ 34.586096] kasan_save_track+0x20/0x40 [ 34.586138] kasan_save_alloc_info+0x40/0x58 [ 34.586177] __kasan_mempool_unpoison_object+0xbc/0x180 [ 34.586220] remove_element+0x16c/0x1f8 [ 34.586259] mempool_alloc_preallocated+0x58/0xc0 [ 34.586301] mempool_uaf_helper+0xa4/0x340 [ 34.586341] mempool_slab_uaf+0xc0/0x118 [ 34.586379] kunit_try_run_case+0x170/0x3f0 [ 34.586417] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.586461] kthread+0x328/0x630 [ 34.586493] ret_from_fork+0x10/0x20 [ 34.586530] [ 34.586550] Freed by task 262: [ 34.586577] kasan_save_stack+0x3c/0x68 [ 34.586613] kasan_save_track+0x20/0x40 [ 34.586647] kasan_save_free_info+0x4c/0x78 [ 34.586688] __kasan_mempool_poison_object+0xc0/0x150 [ 34.586729] mempool_free+0x3f4/0x5f0 [ 34.586773] mempool_uaf_helper+0x104/0x340 [ 34.586811] mempool_slab_uaf+0xc0/0x118 [ 34.586850] kunit_try_run_case+0x170/0x3f0 [ 34.586888] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.586929] kthread+0x328/0x630 [ 34.586982] ret_from_fork+0x10/0x20 [ 34.587017] [ 34.587037] The buggy address belongs to the object at fff00000c9b5e240 [ 34.587037] which belongs to the cache test_cache of size 123 [ 34.587096] The buggy address is located 0 bytes inside of [ 34.587096] freed 123-byte region [fff00000c9b5e240, fff00000c9b5e2bb) [ 34.587157] [ 34.587180] The buggy address belongs to the physical page: [ 34.587236] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b5e [ 34.587294] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.587347] page_type: f5(slab) [ 34.587391] raw: 0bfffe0000000000 fff00000ffee4f00 dead000000000122 0000000000000000 [ 34.587441] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 34.587483] page dumped because: kasan: bad access detected [ 34.587516] [ 34.587534] Memory state around the buggy address: [ 34.587568] fff00000c9b5e100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.587613] fff00000c9b5e180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.587656] >fff00000c9b5e200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 34.587694] ^ [ 34.587730] fff00000c9b5e280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.587788] fff00000c9b5e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.587827] ==================================================================
[ 28.401503] ================================================================== [ 28.401971] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 28.402653] Read of size 1 at addr ffff888105454c00 by task kunit_try_catch/275 [ 28.403328] [ 28.403449] CPU: 0 UID: 0 PID: 275 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary) [ 28.403758] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 28.403776] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 28.403818] Call Trace: [ 28.403832] <TASK> [ 28.403854] dump_stack_lvl+0x73/0xb0 [ 28.403888] print_report+0xd1/0x640 [ 28.403911] ? __virt_addr_valid+0x1db/0x2d0 [ 28.403953] ? mempool_uaf_helper+0x392/0x400 [ 28.403975] ? kasan_complete_mode_report_info+0x64/0x200 [ 28.404001] ? mempool_uaf_helper+0x392/0x400 [ 28.404024] kasan_report+0x141/0x180 [ 28.404046] ? mempool_uaf_helper+0x392/0x400 [ 28.404072] __asan_report_load1_noabort+0x18/0x20 [ 28.404097] mempool_uaf_helper+0x392/0x400 [ 28.404120] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 28.404146] ? finish_task_switch.isra.0+0x153/0x700 [ 28.404171] mempool_kmalloc_uaf+0xef/0x140 [ 28.404193] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 28.404218] ? __pfx_mempool_kmalloc+0x10/0x10 [ 28.404243] ? __pfx_mempool_kfree+0x10/0x10 [ 28.404267] ? __pfx_read_tsc+0x10/0x10 [ 28.404290] ? ktime_get_ts64+0x86/0x230 [ 28.404316] kunit_try_run_case+0x1a5/0x480 [ 28.404344] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.404366] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 28.404392] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 28.404417] ? __kthread_parkme+0x82/0x180 [ 28.404438] ? preempt_count_sub+0x50/0x80 [ 28.404462] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.404486] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.404509] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 28.404532] kthread+0x337/0x6f0 [ 28.404552] ? trace_preempt_on+0x20/0xc0 [ 28.404586] ? __pfx_kthread+0x10/0x10 [ 28.404606] ? _raw_spin_unlock_irq+0x47/0x80 [ 28.404629] ? calculate_sigpending+0x7b/0xa0 [ 28.404653] ? __pfx_kthread+0x10/0x10 [ 28.404674] ret_from_fork+0x116/0x1d0 [ 28.404694] ? __pfx_kthread+0x10/0x10 [ 28.404714] ret_from_fork_asm+0x1a/0x30 [ 28.404745] </TASK> [ 28.404756] [ 28.415101] Allocated by task 275: [ 28.415245] kasan_save_stack+0x45/0x70 [ 28.415398] kasan_save_track+0x18/0x40 [ 28.415641] kasan_save_alloc_info+0x3b/0x50 [ 28.415990] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 28.416311] remove_element+0x11e/0x190 [ 28.416550] mempool_alloc_preallocated+0x4d/0x90 [ 28.416743] mempool_uaf_helper+0x96/0x400 [ 28.417284] mempool_kmalloc_uaf+0xef/0x140 [ 28.417540] kunit_try_run_case+0x1a5/0x480 [ 28.417758] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.418033] kthread+0x337/0x6f0 [ 28.418349] ret_from_fork+0x116/0x1d0 [ 28.418672] ret_from_fork_asm+0x1a/0x30 [ 28.418922] [ 28.419000] Freed by task 275: [ 28.419106] kasan_save_stack+0x45/0x70 [ 28.419237] kasan_save_track+0x18/0x40 [ 28.419368] kasan_save_free_info+0x3f/0x60 [ 28.419552] __kasan_mempool_poison_object+0x131/0x1d0 [ 28.419813] mempool_free+0x490/0x640 [ 28.420144] mempool_uaf_helper+0x11a/0x400 [ 28.420353] mempool_kmalloc_uaf+0xef/0x140 [ 28.420550] kunit_try_run_case+0x1a5/0x480 [ 28.420764] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.421262] kthread+0x337/0x6f0 [ 28.421429] ret_from_fork+0x116/0x1d0 [ 28.421552] ret_from_fork_asm+0x1a/0x30 [ 28.421692] [ 28.421757] The buggy address belongs to the object at ffff888105454c00 [ 28.421757] which belongs to the cache kmalloc-128 of size 128 [ 28.422216] The buggy address is located 0 bytes inside of [ 28.422216] freed 128-byte region [ffff888105454c00, ffff888105454c80) [ 28.422794] [ 28.422878] The buggy address belongs to the physical page: [ 28.423075] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105454 [ 28.423356] flags: 0x200000000000000(node=0|zone=2) [ 28.423701] page_type: f5(slab) [ 28.423873] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 28.424282] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 28.425029] page dumped because: kasan: bad access detected [ 28.425304] [ 28.425391] Memory state around the buggy address: [ 28.425661] ffff888105454b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.426284] ffff888105454b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.426561] >ffff888105454c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.426767] ^ [ 28.427048] ffff888105454c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.427419] ffff888105454d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.427741] ================================================================== [ 28.462444] ================================================================== [ 28.462891] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 28.463132] Read of size 1 at addr ffff88810604d240 by task kunit_try_catch/279 [ 28.463356] [ 28.463442] CPU: 1 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary) [ 28.463495] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 28.463510] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 28.463533] Call Trace: [ 28.463545] <TASK> [ 28.463564] dump_stack_lvl+0x73/0xb0 [ 28.464461] print_report+0xd1/0x640 [ 28.464489] ? __virt_addr_valid+0x1db/0x2d0 [ 28.464517] ? mempool_uaf_helper+0x392/0x400 [ 28.464539] ? kasan_complete_mode_report_info+0x64/0x200 [ 28.464565] ? mempool_uaf_helper+0x392/0x400 [ 28.464601] kasan_report+0x141/0x180 [ 28.464623] ? mempool_uaf_helper+0x392/0x400 [ 28.464651] __asan_report_load1_noabort+0x18/0x20 [ 28.464675] mempool_uaf_helper+0x392/0x400 [ 28.464698] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 28.464723] ? __pfx_sched_clock_cpu+0x10/0x10 [ 28.464745] ? finish_task_switch.isra.0+0x153/0x700 [ 28.464779] mempool_slab_uaf+0xea/0x140 [ 28.464801] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 28.464825] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 28.464851] ? __pfx_mempool_free_slab+0x10/0x10 [ 28.464877] ? __pfx_read_tsc+0x10/0x10 [ 28.464899] ? ktime_get_ts64+0x86/0x230 [ 28.464925] kunit_try_run_case+0x1a5/0x480 [ 28.464952] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.464974] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 28.465000] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 28.465025] ? __kthread_parkme+0x82/0x180 [ 28.465046] ? preempt_count_sub+0x50/0x80 [ 28.465069] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.465093] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.465117] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 28.465141] kthread+0x337/0x6f0 [ 28.465162] ? trace_preempt_on+0x20/0xc0 [ 28.465187] ? __pfx_kthread+0x10/0x10 [ 28.465207] ? _raw_spin_unlock_irq+0x47/0x80 [ 28.465230] ? calculate_sigpending+0x7b/0xa0 [ 28.465255] ? __pfx_kthread+0x10/0x10 [ 28.465276] ret_from_fork+0x116/0x1d0 [ 28.465296] ? __pfx_kthread+0x10/0x10 [ 28.465316] ret_from_fork_asm+0x1a/0x30 [ 28.465349] </TASK> [ 28.465360] [ 28.479919] Allocated by task 279: [ 28.480439] kasan_save_stack+0x45/0x70 [ 28.480680] kasan_save_track+0x18/0x40 [ 28.480929] kasan_save_alloc_info+0x3b/0x50 [ 28.481304] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 28.481557] remove_element+0x11e/0x190 [ 28.481759] mempool_alloc_preallocated+0x4d/0x90 [ 28.482375] mempool_uaf_helper+0x96/0x400 [ 28.482561] mempool_slab_uaf+0xea/0x140 [ 28.482959] kunit_try_run_case+0x1a5/0x480 [ 28.483246] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.483497] kthread+0x337/0x6f0 [ 28.483659] ret_from_fork+0x116/0x1d0 [ 28.484086] ret_from_fork_asm+0x1a/0x30 [ 28.484275] [ 28.484439] Freed by task 279: [ 28.484631] kasan_save_stack+0x45/0x70 [ 28.484837] kasan_save_track+0x18/0x40 [ 28.485276] kasan_save_free_info+0x3f/0x60 [ 28.485440] __kasan_mempool_poison_object+0x131/0x1d0 [ 28.485699] mempool_free+0x490/0x640 [ 28.485867] mempool_uaf_helper+0x11a/0x400 [ 28.486420] mempool_slab_uaf+0xea/0x140 [ 28.486584] kunit_try_run_case+0x1a5/0x480 [ 28.486790] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.487247] kthread+0x337/0x6f0 [ 28.487547] ret_from_fork+0x116/0x1d0 [ 28.487709] ret_from_fork_asm+0x1a/0x30 [ 28.487996] [ 28.488227] The buggy address belongs to the object at ffff88810604d240 [ 28.488227] which belongs to the cache test_cache of size 123 [ 28.488731] The buggy address is located 0 bytes inside of [ 28.488731] freed 123-byte region [ffff88810604d240, ffff88810604d2bb) [ 28.489408] [ 28.489588] The buggy address belongs to the physical page: [ 28.490157] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10604d [ 28.490608] flags: 0x200000000000000(node=0|zone=2) [ 28.490839] page_type: f5(slab) [ 28.491124] raw: 0200000000000000 ffff888100fbe8c0 dead000000000122 0000000000000000 [ 28.491441] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 28.491760] page dumped because: kasan: bad access detected [ 28.492034] [ 28.492449] Memory state around the buggy address: [ 28.492668] ffff88810604d100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.493165] ffff88810604d180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.493549] >ffff88810604d200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 28.493828] ^ [ 28.494350] ffff88810604d280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.494750] ffff88810604d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.495257] ==================================================================