Date
June 2, 2025, 2:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 21.632205] ================================================================== [ 21.632820] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x320/0x348 [ 21.633264] Read of size 1 at addr fff00000c5d36e00 by task kunit_try_catch/214 [ 21.633639] [ 21.633843] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 21.633955] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.633990] Hardware name: linux,dummy-virt (DT) [ 21.634030] Call trace: [ 21.634058] dump_backtrace+0x9c/0x128 [ 21.634116] show_stack+0x20/0x38 [ 21.634158] dump_stack_lvl+0x8c/0xd0 [ 21.634207] print_report+0x118/0x5f0 [ 21.634269] kasan_report+0xdc/0x128 [ 21.634316] __asan_report_load1_noabort+0x20/0x30 [ 21.634366] mempool_uaf_helper+0x320/0x348 [ 21.634412] mempool_kmalloc_uaf+0xc4/0x120 [ 21.634460] kunit_try_run_case+0x170/0x3f0 [ 21.634506] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.634556] kthread+0x24c/0x2d0 [ 21.634599] ret_from_fork+0x10/0x20 [ 21.634645] [ 21.638012] Allocated by task 214: [ 21.638273] kasan_save_stack+0x3c/0x68 [ 21.638647] kasan_save_track+0x20/0x40 [ 21.638928] kasan_save_alloc_info+0x40/0x58 [ 21.639490] __kasan_mempool_unpoison_object+0x11c/0x180 [ 21.639796] remove_element+0x130/0x1f8 [ 21.640383] mempool_alloc_preallocated+0x58/0xc0 [ 21.640645] mempool_uaf_helper+0xa4/0x348 [ 21.640864] mempool_kmalloc_uaf+0xc4/0x120 [ 21.641039] kunit_try_run_case+0x170/0x3f0 [ 21.641424] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.641752] kthread+0x24c/0x2d0 [ 21.641989] ret_from_fork+0x10/0x20 [ 21.642147] [ 21.642353] Freed by task 214: [ 21.642612] kasan_save_stack+0x3c/0x68 [ 21.642914] kasan_save_track+0x20/0x40 [ 21.643082] kasan_save_free_info+0x4c/0x78 [ 21.643587] __kasan_mempool_poison_object+0xc0/0x150 [ 21.644012] mempool_free+0x28c/0x328 [ 21.644296] mempool_uaf_helper+0x108/0x348 [ 21.644610] mempool_kmalloc_uaf+0xc4/0x120 [ 21.644825] kunit_try_run_case+0x170/0x3f0 [ 21.644998] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.645264] kthread+0x24c/0x2d0 [ 21.645586] ret_from_fork+0x10/0x20 [ 21.645909] [ 21.646086] The buggy address belongs to the object at fff00000c5d36e00 [ 21.646086] which belongs to the cache kmalloc-128 of size 128 [ 21.646625] The buggy address is located 0 bytes inside of [ 21.646625] freed 128-byte region [fff00000c5d36e00, fff00000c5d36e80) [ 21.647559] [ 21.647754] The buggy address belongs to the physical page: [ 21.647959] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105d36 [ 21.648627] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 21.649013] page_type: f5(slab) [ 21.649362] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 21.649695] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 21.650215] page dumped because: kasan: bad access detected [ 21.650499] [ 21.650697] Memory state around the buggy address: [ 21.650954] fff00000c5d36d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.651376] fff00000c5d36d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.652052] >fff00000c5d36e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.652559] ^ [ 21.652816] fff00000c5d36e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.653141] fff00000c5d36f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 21.653391] ================================================================== [ 21.683917] ================================================================== [ 21.684610] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x320/0x348 [ 21.685080] Read of size 1 at addr fff00000c6d00240 by task kunit_try_catch/218 [ 21.685608] [ 21.685740] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 21.685847] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.685881] Hardware name: linux,dummy-virt (DT) [ 21.685920] Call trace: [ 21.685946] dump_backtrace+0x9c/0x128 [ 21.686001] show_stack+0x20/0x38 [ 21.686044] dump_stack_lvl+0x8c/0xd0 [ 21.686094] print_report+0x118/0x5f0 [ 21.686137] kasan_report+0xdc/0x128 [ 21.686177] __asan_report_load1_noabort+0x20/0x30 [ 21.686225] mempool_uaf_helper+0x320/0x348 [ 21.686288] mempool_slab_uaf+0xc0/0x118 [ 21.686333] kunit_try_run_case+0x170/0x3f0 [ 21.686381] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.686433] kthread+0x24c/0x2d0 [ 21.686477] ret_from_fork+0x10/0x20 [ 21.686525] [ 21.690959] Allocated by task 218: [ 21.693149] kasan_save_stack+0x3c/0x68 [ 21.693987] kasan_save_track+0x20/0x40 [ 21.694694] kasan_save_alloc_info+0x40/0x58 [ 21.695647] __kasan_mempool_unpoison_object+0xbc/0x180 [ 21.695885] remove_element+0x16c/0x1f8 [ 21.696069] mempool_alloc_preallocated+0x58/0xc0 [ 21.696311] mempool_uaf_helper+0xa4/0x348 [ 21.696493] mempool_slab_uaf+0xc0/0x118 [ 21.696667] kunit_try_run_case+0x170/0x3f0 [ 21.696846] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.697053] kthread+0x24c/0x2d0 [ 21.697208] ret_from_fork+0x10/0x20 [ 21.698323] [ 21.698503] Freed by task 218: [ 21.698790] kasan_save_stack+0x3c/0x68 [ 21.699284] kasan_save_track+0x20/0x40 [ 21.699535] kasan_save_free_info+0x4c/0x78 [ 21.700288] __kasan_mempool_poison_object+0xc0/0x150 [ 21.700584] mempool_free+0x28c/0x328 [ 21.700962] mempool_uaf_helper+0x108/0x348 [ 21.701226] mempool_slab_uaf+0xc0/0x118 [ 21.701549] kunit_try_run_case+0x170/0x3f0 [ 21.701760] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.702097] kthread+0x24c/0x2d0 [ 21.702440] ret_from_fork+0x10/0x20 [ 21.702719] [ 21.702874] The buggy address belongs to the object at fff00000c6d00240 [ 21.702874] which belongs to the cache test_cache of size 123 [ 21.704016] The buggy address is located 0 bytes inside of [ 21.704016] freed 123-byte region [fff00000c6d00240, fff00000c6d002bb) [ 21.704865] [ 21.705083] The buggy address belongs to the physical page: [ 21.705362] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106d00 [ 21.705921] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 21.706363] page_type: f5(slab) [ 21.706669] raw: 0bfffe0000000000 fff00000c6cca000 dead000000000122 0000000000000000 [ 21.707386] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000 [ 21.707879] page dumped because: kasan: bad access detected [ 21.708226] [ 21.708423] Memory state around the buggy address: [ 21.708683] fff00000c6d00100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 21.709154] fff00000c6d00180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.709894] >fff00000c6d00200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 21.710326] ^ [ 21.710614] fff00000c6d00280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 21.711005] fff00000c6d00300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.711615] ==================================================================
[ 13.633048] ================================================================== [ 13.633568] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 13.634236] Read of size 1 at addr ffff88810262b700 by task kunit_try_catch/232 [ 13.634584] [ 13.634802] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 13.634936] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.634976] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.635017] Call Trace: [ 13.635067] <TASK> [ 13.635102] dump_stack_lvl+0x73/0xb0 [ 13.635212] print_report+0xd1/0x640 [ 13.635261] ? __virt_addr_valid+0x1db/0x2d0 [ 13.635310] ? mempool_uaf_helper+0x394/0x400 [ 13.635346] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.635386] ? mempool_uaf_helper+0x394/0x400 [ 13.635416] kasan_report+0x140/0x180 [ 13.635440] ? mempool_uaf_helper+0x394/0x400 [ 13.635462] __asan_report_load1_noabort+0x18/0x20 [ 13.635482] mempool_uaf_helper+0x394/0x400 [ 13.635500] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.635522] ? finish_task_switch.isra.0+0x153/0x700 [ 13.635552] mempool_kmalloc_uaf+0xf0/0x140 [ 13.635581] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 13.635612] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.635631] ? __pfx_mempool_kfree+0x10/0x10 [ 13.635651] ? __pfx_read_tsc+0x10/0x10 [ 13.635691] ? ktime_get_ts64+0x84/0x230 [ 13.635718] kunit_try_run_case+0x1a6/0x480 [ 13.635741] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.635759] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 13.635780] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.635803] ? __kthread_parkme+0x82/0x160 [ 13.635822] ? preempt_count_sub+0x50/0x80 [ 13.635842] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.635860] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.635883] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.635906] kthread+0x257/0x310 [ 13.635923] ? __pfx_kthread+0x10/0x10 [ 13.635941] ret_from_fork+0x41/0x80 [ 13.635959] ? __pfx_kthread+0x10/0x10 [ 13.635976] ret_from_fork_asm+0x1a/0x30 [ 13.636005] </TASK> [ 13.636017] [ 13.645307] Allocated by task 232: [ 13.645609] kasan_save_stack+0x45/0x70 [ 13.645847] kasan_save_track+0x18/0x40 [ 13.646188] kasan_save_alloc_info+0x3b/0x50 [ 13.646374] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.646629] remove_element+0x11e/0x190 [ 13.646964] mempool_alloc_preallocated+0x4d/0x90 [ 13.647342] mempool_uaf_helper+0x97/0x400 [ 13.647570] mempool_kmalloc_uaf+0xf0/0x140 [ 13.647897] kunit_try_run_case+0x1a6/0x480 [ 13.648240] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.648465] kthread+0x257/0x310 [ 13.648748] ret_from_fork+0x41/0x80 [ 13.648942] ret_from_fork_asm+0x1a/0x30 [ 13.649193] [ 13.649363] Freed by task 232: [ 13.649610] kasan_save_stack+0x45/0x70 [ 13.649902] kasan_save_track+0x18/0x40 [ 13.650115] kasan_save_free_info+0x3f/0x60 [ 13.650376] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.650780] mempool_free+0x2ec/0x380 [ 13.651111] mempool_uaf_helper+0x11b/0x400 [ 13.651416] mempool_kmalloc_uaf+0xf0/0x140 [ 13.651589] kunit_try_run_case+0x1a6/0x480 [ 13.651771] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.652153] kthread+0x257/0x310 [ 13.652449] ret_from_fork+0x41/0x80 [ 13.652731] ret_from_fork_asm+0x1a/0x30 [ 13.653044] [ 13.653211] The buggy address belongs to the object at ffff88810262b700 [ 13.653211] which belongs to the cache kmalloc-128 of size 128 [ 13.653786] The buggy address is located 0 bytes inside of [ 13.653786] freed 128-byte region [ffff88810262b700, ffff88810262b780) [ 13.654254] [ 13.654409] The buggy address belongs to the physical page: [ 13.654808] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10262b [ 13.655375] flags: 0x200000000000000(node=0|zone=2) [ 13.655756] page_type: f5(slab) [ 13.655933] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.656386] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 13.656806] page dumped because: kasan: bad access detected [ 13.657192] [ 13.657358] Memory state around the buggy address: [ 13.657562] ffff88810262b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.658526] ffff88810262b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.658797] >ffff88810262b700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.659233] ^ [ 13.659504] ffff88810262b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.659967] ffff88810262b800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 13.660401] ================================================================== [ 13.699318] ================================================================== [ 13.699842] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 13.700514] Read of size 1 at addr ffff888102631240 by task kunit_try_catch/236 [ 13.700839] [ 13.700963] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1 [ 13.701015] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.701027] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.701049] Call Trace: [ 13.701068] <TASK> [ 13.701392] dump_stack_lvl+0x73/0xb0 [ 13.701480] print_report+0xd1/0x640 [ 13.701523] ? __virt_addr_valid+0x1db/0x2d0 [ 13.701568] ? mempool_uaf_helper+0x394/0x400 [ 13.701604] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.701645] ? mempool_uaf_helper+0x394/0x400 [ 13.701697] kasan_report+0x140/0x180 [ 13.701739] ? mempool_uaf_helper+0x394/0x400 [ 13.701780] __asan_report_load1_noabort+0x18/0x20 [ 13.701819] mempool_uaf_helper+0x394/0x400 [ 13.701857] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.701922] ? finish_task_switch.isra.0+0x153/0x700 [ 13.701986] mempool_slab_uaf+0xeb/0x140 [ 13.702027] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.702067] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.702107] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.702183] ? __pfx_read_tsc+0x10/0x10 [ 13.702227] ? ktime_get_ts64+0x84/0x230 [ 13.702279] kunit_try_run_case+0x1a6/0x480 [ 13.702307] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.702328] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 13.702350] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.702375] ? __kthread_parkme+0x82/0x160 [ 13.702396] ? preempt_count_sub+0x50/0x80 [ 13.702418] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.702437] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.702462] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.702487] kthread+0x257/0x310 [ 13.702505] ? __pfx_kthread+0x10/0x10 [ 13.702524] ret_from_fork+0x41/0x80 [ 13.702544] ? __pfx_kthread+0x10/0x10 [ 13.702562] ret_from_fork_asm+0x1a/0x30 [ 13.702593] </TASK> [ 13.702605] [ 13.712427] Allocated by task 236: [ 13.712785] kasan_save_stack+0x45/0x70 [ 13.713132] kasan_save_track+0x18/0x40 [ 13.713426] kasan_save_alloc_info+0x3b/0x50 [ 13.713605] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.713814] remove_element+0x11e/0x190 [ 13.713988] mempool_alloc_preallocated+0x4d/0x90 [ 13.714600] mempool_uaf_helper+0x97/0x400 [ 13.714981] mempool_slab_uaf+0xeb/0x140 [ 13.715367] kunit_try_run_case+0x1a6/0x480 [ 13.715699] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.716195] kthread+0x257/0x310 [ 13.716472] ret_from_fork+0x41/0x80 [ 13.716711] ret_from_fork_asm+0x1a/0x30 [ 13.717107] [ 13.717270] Freed by task 236: [ 13.717569] kasan_save_stack+0x45/0x70 [ 13.717887] kasan_save_track+0x18/0x40 [ 13.718115] kasan_save_free_info+0x3f/0x60 [ 13.718300] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.718820] mempool_free+0x2ec/0x380 [ 13.719165] mempool_uaf_helper+0x11b/0x400 [ 13.719536] mempool_slab_uaf+0xeb/0x140 [ 13.719848] kunit_try_run_case+0x1a6/0x480 [ 13.720237] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.720669] kthread+0x257/0x310 [ 13.720828] ret_from_fork+0x41/0x80 [ 13.721182] ret_from_fork_asm+0x1a/0x30 [ 13.721510] [ 13.721674] The buggy address belongs to the object at ffff888102631240 [ 13.721674] which belongs to the cache test_cache of size 123 [ 13.722406] The buggy address is located 0 bytes inside of [ 13.722406] freed 123-byte region [ffff888102631240, ffff8881026312bb) [ 13.723278] [ 13.723444] The buggy address belongs to the physical page: [ 13.723688] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102631 [ 13.724388] flags: 0x200000000000000(node=0|zone=2) [ 13.724616] page_type: f5(slab) [ 13.724848] raw: 0200000000000000 ffff888102621640 dead000000000122 0000000000000000 [ 13.725439] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000 [ 13.725872] page dumped because: kasan: bad access detected [ 13.726328] [ 13.726486] Memory state around the buggy address: [ 13.726841] ffff888102631100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.727388] ffff888102631180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.727876] >ffff888102631200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.728381] ^ [ 13.728635] ffff888102631280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.729184] ffff888102631300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.729597] ==================================================================