Date
July 25, 2025, 3:13 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 34.337692] ================================================================== [ 34.338000] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 34.338171] Read of size 1 at addr fff00000c8636c00 by task kunit_try_catch/259 [ 34.338306] [ 34.338385] CPU: 0 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 34.338486] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 34.338632] Hardware name: linux,dummy-virt (DT) [ 34.338684] Call trace: [ 34.338710] show_stack+0x20/0x38 (C) [ 34.338762] dump_stack_lvl+0x8c/0xd0 [ 34.338810] print_report+0x118/0x5e8 [ 34.338854] kasan_report+0xdc/0x128 [ 34.338897] __asan_report_load1_noabort+0x20/0x30 [ 34.338954] mempool_uaf_helper+0x314/0x340 [ 34.339310] mempool_kmalloc_uaf+0xc4/0x120 [ 34.339557] kunit_try_run_case+0x170/0x3f0 [ 34.339609] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.339679] kthread+0x328/0x630 [ 34.339723] ret_from_fork+0x10/0x20 [ 34.339771] [ 34.339791] Allocated by task 259: [ 34.339821] kasan_save_stack+0x3c/0x68 [ 34.339924] kasan_save_track+0x20/0x40 [ 34.339973] kasan_save_alloc_info+0x40/0x58 [ 34.340011] __kasan_mempool_unpoison_object+0x11c/0x180 [ 34.340053] remove_element+0x130/0x1f8 [ 34.340091] mempool_alloc_preallocated+0x58/0xc0 [ 34.340130] mempool_uaf_helper+0xa4/0x340 [ 34.340168] mempool_kmalloc_uaf+0xc4/0x120 [ 34.340205] kunit_try_run_case+0x170/0x3f0 [ 34.340240] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.340284] kthread+0x328/0x630 [ 34.340341] ret_from_fork+0x10/0x20 [ 34.340377] [ 34.340397] Freed by task 259: [ 34.340429] kasan_save_stack+0x3c/0x68 [ 34.340500] kasan_save_track+0x20/0x40 [ 34.340590] kasan_save_free_info+0x4c/0x78 [ 34.340628] __kasan_mempool_poison_object+0xc0/0x150 [ 34.340684] mempool_free+0x3f4/0x5f0 [ 34.340720] mempool_uaf_helper+0x104/0x340 [ 34.340766] mempool_kmalloc_uaf+0xc4/0x120 [ 34.340805] kunit_try_run_case+0x170/0x3f0 [ 34.340840] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.340934] kthread+0x328/0x630 [ 34.340980] ret_from_fork+0x10/0x20 [ 34.341017] [ 34.341036] The buggy address belongs to the object at fff00000c8636c00 [ 34.341036] which belongs to the cache kmalloc-128 of size 128 [ 34.341097] The buggy address is located 0 bytes inside of [ 34.341097] freed 128-byte region [fff00000c8636c00, fff00000c8636c80) [ 34.341342] [ 34.341364] The buggy address belongs to the physical page: [ 34.341475] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108636 [ 34.341549] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.341630] page_type: f5(slab) [ 34.341682] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 34.341731] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 34.341781] page dumped because: kasan: bad access detected [ 34.341836] [ 34.341854] Memory state around the buggy address: [ 34.342089] fff00000c8636b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.342137] fff00000c8636b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.342301] >fff00000c8636c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.342375] ^ [ 34.342403] fff00000c8636c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.342447] fff00000c8636d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.342536] ================================================================== [ 34.374378] ================================================================== [ 34.374893] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 34.375058] Read of size 1 at addr fff00000c9a8d240 by task kunit_try_catch/263 [ 34.375108] [ 34.375144] CPU: 0 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 34.375232] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 34.375263] Hardware name: linux,dummy-virt (DT) [ 34.375938] Call trace: [ 34.375973] show_stack+0x20/0x38 (C) [ 34.376025] dump_stack_lvl+0x8c/0xd0 [ 34.376075] print_report+0x118/0x5e8 [ 34.376118] kasan_report+0xdc/0x128 [ 34.376172] __asan_report_load1_noabort+0x20/0x30 [ 34.376220] mempool_uaf_helper+0x314/0x340 [ 34.376614] mempool_slab_uaf+0xc0/0x118 [ 34.376706] kunit_try_run_case+0x170/0x3f0 [ 34.376756] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.376825] kthread+0x328/0x630 [ 34.376868] ret_from_fork+0x10/0x20 [ 34.376917] [ 34.376936] Allocated by task 263: [ 34.376965] kasan_save_stack+0x3c/0x68 [ 34.377198] kasan_save_track+0x20/0x40 [ 34.377299] kasan_save_alloc_info+0x40/0x58 [ 34.377343] __kasan_mempool_unpoison_object+0xbc/0x180 [ 34.377384] remove_element+0x16c/0x1f8 [ 34.377603] mempool_alloc_preallocated+0x58/0xc0 [ 34.377831] mempool_uaf_helper+0xa4/0x340 [ 34.377877] mempool_slab_uaf+0xc0/0x118 [ 34.378272] kunit_try_run_case+0x170/0x3f0 [ 34.378506] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.378563] kthread+0x328/0x630 [ 34.378599] ret_from_fork+0x10/0x20 [ 34.378635] [ 34.378667] Freed by task 263: [ 34.378705] kasan_save_stack+0x3c/0x68 [ 34.378748] kasan_save_track+0x20/0x40 [ 34.378797] kasan_save_free_info+0x4c/0x78 [ 34.378967] __kasan_mempool_poison_object+0xc0/0x150 [ 34.379009] mempool_free+0x3f4/0x5f0 [ 34.379046] mempool_uaf_helper+0x104/0x340 [ 34.379388] mempool_slab_uaf+0xc0/0x118 [ 34.379568] kunit_try_run_case+0x170/0x3f0 [ 34.379629] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.379684] kthread+0x328/0x630 [ 34.379716] ret_from_fork+0x10/0x20 [ 34.379751] [ 34.379775] The buggy address belongs to the object at fff00000c9a8d240 [ 34.379775] which belongs to the cache test_cache of size 123 [ 34.379939] The buggy address is located 0 bytes inside of [ 34.379939] freed 123-byte region [fff00000c9a8d240, fff00000c9a8d2bb) [ 34.380248] [ 34.380311] The buggy address belongs to the physical page: [ 34.380345] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a8d [ 34.380418] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.380489] page_type: f5(slab) [ 34.380530] raw: 0bfffe0000000000 fff00000c45178c0 dead000000000122 0000000000000000 [ 34.380580] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 34.380662] page dumped because: kasan: bad access detected [ 34.381002] [ 34.381025] Memory state around the buggy address: [ 34.381149] fff00000c9a8d100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.381261] fff00000c9a8d180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.381385] >fff00000c9a8d200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 34.381423] ^ [ 34.381519] fff00000c9a8d280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.381621] fff00000c9a8d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.381950] ==================================================================
[ 27.336153] ================================================================== [ 27.336554] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 27.336788] Read of size 1 at addr ffff888105800c00 by task kunit_try_catch/276 [ 27.337621] [ 27.338156] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary) [ 27.338218] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.338232] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.338255] Call Trace: [ 27.338318] <TASK> [ 27.338340] dump_stack_lvl+0x73/0xb0 [ 27.338394] print_report+0xd1/0x640 [ 27.338419] ? __virt_addr_valid+0x1db/0x2d0 [ 27.338446] ? mempool_uaf_helper+0x392/0x400 [ 27.338468] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.338495] ? mempool_uaf_helper+0x392/0x400 [ 27.338518] kasan_report+0x141/0x180 [ 27.338541] ? mempool_uaf_helper+0x392/0x400 [ 27.338570] __asan_report_load1_noabort+0x18/0x20 [ 27.338595] mempool_uaf_helper+0x392/0x400 [ 27.338619] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 27.338643] ? dequeue_entities+0x23f/0x1630 [ 27.338669] ? __kasan_check_write+0x18/0x20 [ 27.338693] ? __pfx_sched_clock_cpu+0x10/0x10 [ 27.338715] ? finish_task_switch.isra.0+0x153/0x700 [ 27.338743] mempool_kmalloc_uaf+0xef/0x140 [ 27.338767] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 27.338875] ? __pfx_mempool_kmalloc+0x10/0x10 [ 27.338902] ? __pfx_mempool_kfree+0x10/0x10 [ 27.338928] ? __pfx_read_tsc+0x10/0x10 [ 27.338964] ? ktime_get_ts64+0x86/0x230 [ 27.338990] kunit_try_run_case+0x1a5/0x480 [ 27.339015] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.339039] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 27.339073] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.339100] ? __kthread_parkme+0x82/0x180 [ 27.339124] ? preempt_count_sub+0x50/0x80 [ 27.339150] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.339176] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.339203] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.339228] kthread+0x337/0x6f0 [ 27.339250] ? trace_preempt_on+0x20/0xc0 [ 27.339275] ? __pfx_kthread+0x10/0x10 [ 27.339296] ? _raw_spin_unlock_irq+0x47/0x80 [ 27.339322] ? calculate_sigpending+0x7b/0xa0 [ 27.339347] ? __pfx_kthread+0x10/0x10 [ 27.339370] ret_from_fork+0x116/0x1d0 [ 27.339391] ? __pfx_kthread+0x10/0x10 [ 27.339413] ret_from_fork_asm+0x1a/0x30 [ 27.339447] </TASK> [ 27.339459] [ 27.355822] Allocated by task 276: [ 27.356284] kasan_save_stack+0x45/0x70 [ 27.356447] kasan_save_track+0x18/0x40 [ 27.356588] kasan_save_alloc_info+0x3b/0x50 [ 27.356740] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 27.357366] remove_element+0x11e/0x190 [ 27.357774] mempool_alloc_preallocated+0x4d/0x90 [ 27.358448] mempool_uaf_helper+0x96/0x400 [ 27.358882] mempool_kmalloc_uaf+0xef/0x140 [ 27.359369] kunit_try_run_case+0x1a5/0x480 [ 27.359744] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.360226] kthread+0x337/0x6f0 [ 27.360560] ret_from_fork+0x116/0x1d0 [ 27.360701] ret_from_fork_asm+0x1a/0x30 [ 27.361114] [ 27.361327] Freed by task 276: [ 27.361658] kasan_save_stack+0x45/0x70 [ 27.362125] kasan_save_track+0x18/0x40 [ 27.362274] kasan_save_free_info+0x3f/0x60 [ 27.362424] __kasan_mempool_poison_object+0x131/0x1d0 [ 27.362595] mempool_free+0x490/0x640 [ 27.362732] mempool_uaf_helper+0x11a/0x400 [ 27.362882] mempool_kmalloc_uaf+0xef/0x140 [ 27.363707] kunit_try_run_case+0x1a5/0x480 [ 27.363933] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.364170] kthread+0x337/0x6f0 [ 27.364316] ret_from_fork+0x116/0x1d0 [ 27.364495] ret_from_fork_asm+0x1a/0x30 [ 27.364673] [ 27.364760] The buggy address belongs to the object at ffff888105800c00 [ 27.364760] which belongs to the cache kmalloc-128 of size 128 [ 27.365270] The buggy address is located 0 bytes inside of [ 27.365270] freed 128-byte region [ffff888105800c00, ffff888105800c80) [ 27.365732] [ 27.365815] The buggy address belongs to the physical page: [ 27.367168] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105800 [ 27.367494] flags: 0x200000000000000(node=0|zone=2) [ 27.367664] page_type: f5(slab) [ 27.368302] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 27.369009] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 27.369939] page dumped because: kasan: bad access detected [ 27.370634] [ 27.370714] Memory state around the buggy address: [ 27.371416] ffff888105800b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.372215] ffff888105800b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.372451] >ffff888105800c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.372673] ^ [ 27.372835] ffff888105800c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.374080] ffff888105800d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.374913] ================================================================== [ 27.413449] ================================================================== [ 27.413982] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 27.414384] Read of size 1 at addr ffff888106266240 by task kunit_try_catch/280 [ 27.414698] [ 27.414798] CPU: 1 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary) [ 27.414851] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.414863] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.414887] Call Trace: [ 27.414900] <TASK> [ 27.414918] dump_stack_lvl+0x73/0xb0 [ 27.414962] print_report+0xd1/0x640 [ 27.414986] ? __virt_addr_valid+0x1db/0x2d0 [ 27.415012] ? mempool_uaf_helper+0x392/0x400 [ 27.415036] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.415159] ? mempool_uaf_helper+0x392/0x400 [ 27.415196] kasan_report+0x141/0x180 [ 27.415220] ? mempool_uaf_helper+0x392/0x400 [ 27.415248] __asan_report_load1_noabort+0x18/0x20 [ 27.415274] mempool_uaf_helper+0x392/0x400 [ 27.415300] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 27.415327] ? finish_task_switch.isra.0+0x153/0x700 [ 27.415355] mempool_slab_uaf+0xea/0x140 [ 27.415381] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 27.415408] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 27.415435] ? __pfx_mempool_free_slab+0x10/0x10 [ 27.415462] ? __pfx_read_tsc+0x10/0x10 [ 27.415485] ? ktime_get_ts64+0x86/0x230 [ 27.415512] kunit_try_run_case+0x1a5/0x480 [ 27.415539] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.415563] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 27.415587] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.415615] ? __kthread_parkme+0x82/0x180 [ 27.415636] ? preempt_count_sub+0x50/0x80 [ 27.415660] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.415685] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.415710] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.415735] kthread+0x337/0x6f0 [ 27.415756] ? trace_preempt_on+0x20/0xc0 [ 27.415833] ? __pfx_kthread+0x10/0x10 [ 27.415859] ? _raw_spin_unlock_irq+0x47/0x80 [ 27.415885] ? calculate_sigpending+0x7b/0xa0 [ 27.415910] ? __pfx_kthread+0x10/0x10 [ 27.415933] ret_from_fork+0x116/0x1d0 [ 27.415966] ? __pfx_kthread+0x10/0x10 [ 27.415987] ret_from_fork_asm+0x1a/0x30 [ 27.416020] </TASK> [ 27.416032] [ 27.428420] Allocated by task 280: [ 27.428591] kasan_save_stack+0x45/0x70 [ 27.428963] kasan_save_track+0x18/0x40 [ 27.429147] kasan_save_alloc_info+0x3b/0x50 [ 27.429305] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 27.429485] remove_element+0x11e/0x190 [ 27.429624] mempool_alloc_preallocated+0x4d/0x90 [ 27.429785] mempool_uaf_helper+0x96/0x400 [ 27.429926] mempool_slab_uaf+0xea/0x140 [ 27.431106] kunit_try_run_case+0x1a5/0x480 [ 27.431587] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.431791] kthread+0x337/0x6f0 [ 27.432392] ret_from_fork+0x116/0x1d0 [ 27.432908] ret_from_fork_asm+0x1a/0x30 [ 27.433462] [ 27.433771] Freed by task 280: [ 27.433930] kasan_save_stack+0x45/0x70 [ 27.434157] kasan_save_track+0x18/0x40 [ 27.434588] kasan_save_free_info+0x3f/0x60 [ 27.434750] __kasan_mempool_poison_object+0x131/0x1d0 [ 27.435612] mempool_free+0x490/0x640 [ 27.436152] mempool_uaf_helper+0x11a/0x400 [ 27.436770] mempool_slab_uaf+0xea/0x140 [ 27.437274] kunit_try_run_case+0x1a5/0x480 [ 27.437622] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.437837] kthread+0x337/0x6f0 [ 27.438385] ret_from_fork+0x116/0x1d0 [ 27.438675] ret_from_fork_asm+0x1a/0x30 [ 27.439043] [ 27.439436] The buggy address belongs to the object at ffff888106266240 [ 27.439436] which belongs to the cache test_cache of size 123 [ 27.440662] The buggy address is located 0 bytes inside of [ 27.440662] freed 123-byte region [ffff888106266240, ffff8881062662bb) [ 27.441562] [ 27.441645] The buggy address belongs to the physical page: [ 27.441855] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106266 [ 27.442652] flags: 0x200000000000000(node=0|zone=2) [ 27.442996] page_type: f5(slab) [ 27.443553] raw: 0200000000000000 ffff88815a898f00 dead000000000122 0000000000000000 [ 27.444388] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 27.445160] page dumped because: kasan: bad access detected [ 27.445679] [ 27.445757] Memory state around the buggy address: [ 27.445932] ffff888106266100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.446855] ffff888106266180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.447683] >ffff888106266200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 27.448367] ^ [ 27.448557] ffff888106266280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.448782] ffff888106266300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.449647] ==================================================================