Date
June 7, 2025, 10:40 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64

```text
[ 23.417794] ==================================================================
[ 23.418915] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x320/0x348
[ 23.419876] Read of size 1 at addr fff00000c4222240 by task kunit_try_catch/219
[ 23.421573]
[ 23.421933] CPU: 1 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1
[ 23.422162] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.422229] Hardware name: linux,dummy-virt (DT)
[ 23.422303] Call trace:
[ 23.422358]  dump_backtrace+0x9c/0x128
[ 23.422464]  show_stack+0x20/0x38
[ 23.422556]  dump_stack_lvl+0x8c/0xd0
[ 23.422672]  print_report+0x118/0x5f0
[ 23.422782]  kasan_report+0xdc/0x128
[ 23.422896]  __asan_report_load1_noabort+0x20/0x30
[ 23.423037]  mempool_uaf_helper+0x320/0x348
[ 23.423128]  mempool_slab_uaf+0xc0/0x118
[ 23.423182]  kunit_try_run_case+0x170/0x3f0
[ 23.423231]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.423285]  kthread+0x24c/0x2d0
[ 23.423330]  ret_from_fork+0x10/0x20
[ 23.423460]
[ 23.431516] Allocated by task 219:
[ 23.432017]  kasan_save_stack+0x3c/0x68
[ 23.432719]  kasan_save_track+0x20/0x40
[ 23.433401]  kasan_save_alloc_info+0x40/0x58
[ 23.434035]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 23.434650]  remove_element+0x16c/0x1f8
[ 23.435105]  mempool_alloc_preallocated+0x58/0xc0
[ 23.435801]  mempool_uaf_helper+0xa4/0x348
[ 23.436412]  mempool_slab_uaf+0xc0/0x118
[ 23.437442]  kunit_try_run_case+0x170/0x3f0
[ 23.438115]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.438844]  kthread+0x24c/0x2d0
[ 23.439451]  ret_from_fork+0x10/0x20
[ 23.440296]
[ 23.440755] Freed by task 219:
[ 23.441378]  kasan_save_stack+0x3c/0x68
[ 23.442039]  kasan_save_track+0x20/0x40
[ 23.442505]  kasan_save_free_info+0x4c/0x78
[ 23.443066]  __kasan_mempool_poison_object+0xc0/0x150
[ 23.444177]  mempool_free+0x28c/0x328
[ 23.444670]  mempool_uaf_helper+0x108/0x348
[ 23.445207]  mempool_slab_uaf+0xc0/0x118
[ 23.445673]  kunit_try_run_case+0x170/0x3f0
[ 23.446451]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.447071]  kthread+0x24c/0x2d0
[ 23.447760]  ret_from_fork+0x10/0x20
[ 23.448404]
[ 23.448845] The buggy address belongs to the object at fff00000c4222240
[ 23.448845]  which belongs to the cache test_cache of size 123
[ 23.450063] The buggy address is located 0 bytes inside of
[ 23.450063]  freed 123-byte region [fff00000c4222240, fff00000c42222bb)
[ 23.451148]
[ 23.452153] The buggy address belongs to the physical page:
[ 23.452647] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104222
[ 23.453599] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 23.454400] page_type: f5(slab)
[ 23.454882] raw: 0bfffe0000000000 fff00000c4182500 dead000000000122 0000000000000000
[ 23.455816] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[ 23.456904] page dumped because: kasan: bad access detected
[ 23.457616]
[ 23.458072] Memory state around the buggy address:
[ 23.458511]  fff00000c4222100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 23.459167]  fff00000c4222180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.460148] >fff00000c4222200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 23.461372]                                            ^
[ 23.461847]  fff00000c4222280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 23.462688]  fff00000c4222300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.463675] ==================================================================
[ 23.324539] ==================================================================
[ 23.325788] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x320/0x348
[ 23.326459] Read of size 1 at addr fff00000c420b400 by task kunit_try_catch/215
[ 23.327733]
[ 23.328305] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1
[ 23.328695] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.328773] Hardware name: linux,dummy-virt (DT)
[ 23.328853] Call trace:
[ 23.328913]  dump_backtrace+0x9c/0x128
[ 23.329048]  show_stack+0x20/0x38
[ 23.329109]  dump_stack_lvl+0x8c/0xd0
[ 23.329162]  print_report+0x118/0x5f0
[ 23.329207]  kasan_report+0xdc/0x128
[ 23.329251]  __asan_report_load1_noabort+0x20/0x30
[ 23.329303]  mempool_uaf_helper+0x320/0x348
[ 23.329351]  mempool_kmalloc_uaf+0xc4/0x120
[ 23.329400]  kunit_try_run_case+0x170/0x3f0
[ 23.329448]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.329499]  kthread+0x24c/0x2d0
[ 23.329549]  ret_from_fork+0x10/0x20
[ 23.329597]
[ 23.337573] Allocated by task 215:
[ 23.338261]  kasan_save_stack+0x3c/0x68
[ 23.338945]  kasan_save_track+0x20/0x40
[ 23.340116]  kasan_save_alloc_info+0x40/0x58
[ 23.340745]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 23.341464]  remove_element+0x130/0x1f8
[ 23.342075]  mempool_alloc_preallocated+0x58/0xc0
[ 23.342737]  mempool_uaf_helper+0xa4/0x348
[ 23.343354]  mempool_kmalloc_uaf+0xc4/0x120
[ 23.344197]  kunit_try_run_case+0x170/0x3f0
[ 23.344848]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.345555]  kthread+0x24c/0x2d0
[ 23.346124]  ret_from_fork+0x10/0x20
[ 23.346723]
[ 23.347088] Freed by task 215:
[ 23.347851]  kasan_save_stack+0x3c/0x68
[ 23.348520]  kasan_save_track+0x20/0x40
[ 23.349121]  kasan_save_free_info+0x4c/0x78
[ 23.349763]  __kasan_mempool_poison_object+0xc0/0x150
[ 23.350513]  mempool_free+0x28c/0x328
[ 23.351100]  mempool_uaf_helper+0x108/0x348
[ 23.351933]  mempool_kmalloc_uaf+0xc4/0x120
[ 23.352540]  kunit_try_run_case+0x170/0x3f0
[ 23.353235]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.353928]  kthread+0x24c/0x2d0
[ 23.354517]  ret_from_fork+0x10/0x20
[ 23.355085]
[ 23.355536] The buggy address belongs to the object at fff00000c420b400
[ 23.355536]  which belongs to the cache kmalloc-128 of size 128
[ 23.356803] The buggy address is located 0 bytes inside of
[ 23.356803]  freed 128-byte region [fff00000c420b400, fff00000c420b480)
[ 23.357878]
[ 23.358475] The buggy address belongs to the physical page:
[ 23.359245] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10420b
[ 23.360503] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 23.361215] page_type: f5(slab)
[ 23.361670] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 23.362530] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 23.363326] page dumped because: kasan: bad access detected
[ 23.363946]
[ 23.364498] Memory state around the buggy address:
[ 23.365246]  fff00000c420b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.366031]  fff00000c420b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.366352] >fff00000c420b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.366657]                    ^
[ 23.366843]  fff00000c420b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.367729]  fff00000c420b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.368506] ==================================================================
```
qemu-x86_64

```text
[ 19.987834] ==================================================================
[ 19.989134] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[ 19.990035] Read of size 1 at addr ffff888102935240 by task kunit_try_catch/236
[ 19.990674]
[ 19.992004] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1
[ 19.992101] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.992119] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.992153] Call Trace:
[ 19.992172]  <TASK>
[ 19.992197]  dump_stack_lvl+0x73/0xb0
[ 19.992266]  print_report+0xd1/0x640
[ 19.992303]  ? __virt_addr_valid+0x1db/0x2d0
[ 19.992339]  ? mempool_uaf_helper+0x394/0x400
[ 19.992365]  ? kasan_complete_mode_report_info+0x64/0x200
[ 19.992398]  ? mempool_uaf_helper+0x394/0x400
[ 19.992424]  kasan_report+0x140/0x180
[ 19.992484]  ? mempool_uaf_helper+0x394/0x400
[ 19.992571]  __asan_report_load1_noabort+0x18/0x20
[ 19.992610]  mempool_uaf_helper+0x394/0x400
[ 19.992638]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 19.992671]  ? finish_task_switch.isra.0+0x153/0x700
[ 19.992707]  mempool_slab_uaf+0xeb/0x140
[ 19.992734]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 19.992767]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 19.992794]  ? __pfx_mempool_free_slab+0x10/0x10
[ 19.992844]  ? __pfx_read_tsc+0x10/0x10
[ 19.992881]  ? ktime_get_ts64+0x84/0x230
[ 19.992919]  kunit_try_run_case+0x1a6/0x480
[ 19.992953]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.992981]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 19.993012]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.993048]  ? __kthread_parkme+0x82/0x160
[ 19.993075]  ? preempt_count_sub+0x50/0x80
[ 19.993105]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.993135]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.993174]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.993212]  kthread+0x257/0x310
[ 19.993263]  ? __pfx_kthread+0x10/0x10
[ 19.993290]  ret_from_fork+0x41/0x80
[ 19.993319]  ? __pfx_kthread+0x10/0x10
[ 19.993344]  ret_from_fork_asm+0x1a/0x30
[ 19.993387]  </TASK>
[ 19.993401]
[ 20.014295] Allocated by task 236:
[ 20.017343]  kasan_save_stack+0x45/0x70
[ 20.018282]  kasan_save_track+0x18/0x40
[ 20.019769]  kasan_save_alloc_info+0x3b/0x50
[ 20.021661]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 20.023036]  remove_element+0x11e/0x190
[ 20.023504]  mempool_alloc_preallocated+0x4d/0x90
[ 20.024282]  mempool_uaf_helper+0x97/0x400
[ 20.024901]  mempool_slab_uaf+0xeb/0x140
[ 20.025531]  kunit_try_run_case+0x1a6/0x480
[ 20.026204]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.026689]  kthread+0x257/0x310
[ 20.026977]  ret_from_fork+0x41/0x80
[ 20.027399]  ret_from_fork_asm+0x1a/0x30
[ 20.027815]
[ 20.028042] Freed by task 236:
[ 20.028394]  kasan_save_stack+0x45/0x70
[ 20.028785]  kasan_save_track+0x18/0x40
[ 20.029097]  kasan_save_free_info+0x3f/0x60
[ 20.029606]  __kasan_mempool_poison_object+0x131/0x1d0
[ 20.030561]  mempool_free+0x2ec/0x380
[ 20.030986]  mempool_uaf_helper+0x11b/0x400
[ 20.031646]  mempool_slab_uaf+0xeb/0x140
[ 20.032165]  kunit_try_run_case+0x1a6/0x480
[ 20.032833]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.033338]  kthread+0x257/0x310
[ 20.033762]  ret_from_fork+0x41/0x80
[ 20.034677]  ret_from_fork_asm+0x1a/0x30
[ 20.035266]
[ 20.035451] The buggy address belongs to the object at ffff888102935240
[ 20.035451]  which belongs to the cache test_cache of size 123
[ 20.036662] The buggy address is located 0 bytes inside of
[ 20.036662]  freed 123-byte region [ffff888102935240, ffff8881029352bb)
[ 20.038091]
[ 20.038366] The buggy address belongs to the physical page:
[ 20.038799] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102935
[ 20.039908] flags: 0x200000000000000(node=0|zone=2)
[ 20.040394] page_type: f5(slab)
[ 20.040779] raw: 0200000000000000 ffff88810292e280 dead000000000122 0000000000000000
[ 20.042266] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[ 20.043350] page dumped because: kasan: bad access detected
[ 20.044042]
[ 20.044171] Memory state around the buggy address:
[ 20.045103]  ffff888102935100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.046093]  ffff888102935180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.046692] >ffff888102935200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.047425]                                            ^
[ 20.048175]  ffff888102935280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.048789]  ffff888102935300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.049333] ==================================================================
[ 19.873891] ==================================================================
[ 19.874781] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[ 19.876821] Read of size 1 at addr ffff888102930800 by task kunit_try_catch/232
[ 19.877643]
[ 19.877895] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.12.33-rc1 #1
[ 19.878065] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.878091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.878126] Call Trace:
[ 19.878147]  <TASK>
[ 19.878170]  dump_stack_lvl+0x73/0xb0
[ 19.878246]  print_report+0xd1/0x640
[ 19.878315]  ? __virt_addr_valid+0x1db/0x2d0
[ 19.878356]  ? mempool_uaf_helper+0x394/0x400
[ 19.878384]  ? kasan_complete_mode_report_info+0x64/0x200
[ 19.878417]  ? mempool_uaf_helper+0x394/0x400
[ 19.878452]  kasan_report+0x140/0x180
[ 19.878879]  ? mempool_uaf_helper+0x394/0x400
[ 19.878921]  __asan_report_load1_noabort+0x18/0x20
[ 19.878953]  mempool_uaf_helper+0x394/0x400
[ 19.878983]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 19.879019]  ? finish_task_switch.isra.0+0x153/0x700
[ 19.879058]  mempool_kmalloc_uaf+0xf0/0x140
[ 19.879087]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 19.879119]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 19.879149]  ? __pfx_mempool_kfree+0x10/0x10
[ 19.879179]  ? __pfx_read_tsc+0x10/0x10
[ 19.879208]  ? ktime_get_ts64+0x84/0x230
[ 19.879281]  kunit_try_run_case+0x1a6/0x480
[ 19.879317]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.879347]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 19.879378]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.879416]  ? __kthread_parkme+0x82/0x160
[ 19.879456]  ? preempt_count_sub+0x50/0x80
[ 19.879559]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.879602]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.879641]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.879679]  kthread+0x257/0x310
[ 19.879705]  ? __pfx_kthread+0x10/0x10
[ 19.879732]  ret_from_fork+0x41/0x80
[ 19.879763]  ? __pfx_kthread+0x10/0x10
[ 19.879789]  ret_from_fork_asm+0x1a/0x30
[ 19.879855]  </TASK>
[ 19.879873]
[ 19.900904] Allocated by task 232:
[ 19.901401]  kasan_save_stack+0x45/0x70
[ 19.902149]  kasan_save_track+0x18/0x40
[ 19.902475]  kasan_save_alloc_info+0x3b/0x50
[ 19.903349]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 19.904283]  remove_element+0x11e/0x190
[ 19.904948]  mempool_alloc_preallocated+0x4d/0x90
[ 19.905405]  mempool_uaf_helper+0x97/0x400
[ 19.905809]  mempool_kmalloc_uaf+0xf0/0x140
[ 19.906339]  kunit_try_run_case+0x1a6/0x480
[ 19.907111]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.908012]  kthread+0x257/0x310
[ 19.908506]  ret_from_fork+0x41/0x80
[ 19.909349]  ret_from_fork_asm+0x1a/0x30
[ 19.909802]
[ 19.910339] Freed by task 232:
[ 19.911084]  kasan_save_stack+0x45/0x70
[ 19.911778]  kasan_save_track+0x18/0x40
[ 19.912336]  kasan_save_free_info+0x3f/0x60
[ 19.912763]  __kasan_mempool_poison_object+0x131/0x1d0
[ 19.913699]  mempool_free+0x2ec/0x380
[ 19.914308]  mempool_uaf_helper+0x11b/0x400
[ 19.915279]  mempool_kmalloc_uaf+0xf0/0x140
[ 19.916355]  kunit_try_run_case+0x1a6/0x480
[ 19.916769]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.917447]  kthread+0x257/0x310
[ 19.917814]  ret_from_fork+0x41/0x80
[ 19.918188]  ret_from_fork_asm+0x1a/0x30
[ 19.918552]
[ 19.918779] The buggy address belongs to the object at ffff888102930800
[ 19.918779]  which belongs to the cache kmalloc-128 of size 128
[ 19.920459] The buggy address is located 0 bytes inside of
[ 19.920459]  freed 128-byte region [ffff888102930800, ffff888102930880)
[ 19.921435]
[ 19.921779] The buggy address belongs to the physical page:
[ 19.922472] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102930
[ 19.923286] flags: 0x200000000000000(node=0|zone=2)
[ 19.924371] page_type: f5(slab)
[ 19.924911] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 19.926151] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 19.927380] page dumped because: kasan: bad access detected
[ 19.927647]
[ 19.927789] Memory state around the buggy address:
[ 19.928887]  ffff888102930700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.929482]  ffff888102930780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.930389] >ffff888102930800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.931311]                    ^
[ 19.932009]  ffff888102930880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.932918]  ffff888102930900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.933604] ==================================================================
```
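All four reports above (mempool_slab_uaf and mempool_kmalloc_uaf on both environments) come from the kernel's KASAN KUnit self-tests: mempool_uaf_helper allocates an element with mempool_alloc_preallocated, returns it with mempool_free and then deliberately reads its first byte, so a "BUG: KASAN: slab-use-after-free" with "Read of size 1" at offset 0 is the expected result, and the [N]=TEST taint marks the KUnit run. When triaging a report like this the useful check is the "Memory state around the buggy address" block: one shadow byte covers eight bytes, the ">" row holds the fault, and the poison values say what the memory was. The decoder below is an added example, not code from the page or from the kernel tree; it parses the shadow rows copied from the two arm64 reports, looks up the byte under the caret, and walks the fa/fb run to recover the freed object's start and granule-rounded size so they can be cross-checked against the "freed 123-byte region" and "kmalloc-128" lines. The poison constants are the generic-mode values from mm/kasan/kasan.h; the object-extent walk (FREETRACK byte marks the first granule, FREE bytes continue it, anything else ends it) is this example's own heuristic.

```c
/* Added example (not part of the test log): decode the "Memory state around the
 * buggy address" rows of a generic-mode KASAN report. One shadow byte covers an
 * 8-byte granule and a row prints 16 of them; poison values are from mm/kasan/kasan.h. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE_SIZE   8
#define SHADOW_BYTES_PER_ROW 16
#define KASAN_SLAB_FREETRACK 0xFA  /* first granule of a freed object (free stack kept in it) */
#define KASAN_SLAB_FREE      0xFB  /* remaining granules of a freed object */
#define KASAN_SLAB_REDZONE   0xFC  /* redzone between slab objects */

struct shadow_row { uint64_t base; uint8_t v[SHADOW_BYTES_PER_ROW]; };

struct uaf_summary {
	int      shadow;     /* shadow byte at the fault, -1 if the dump does not cover it */
	uint64_t obj_start;  /* freed object containing the fault, 0 if none */
	uint64_t obj_size;   /* its poisoned extent in whole granules */
	uint64_t offset;     /* fault offset inside that object */
};

static const char *kasan_shadow_name(int v)
{
	if (v < 0)                     return "not covered by dump";
	if (v == 0)                    return "addressable";
	if (v < KASAN_GRANULE_SIZE)    return "partially addressable";
	if (v == KASAN_SLAB_FREETRACK) return "freed slab object (free track)";
	if (v == KASAN_SLAB_FREE)      return "freed slab object";
	if (v == KASAN_SLAB_REDZONE)   return "slab redzone";
	return "other poison";
}

/* Parse a row such as ">fff00000c4222200: fc fc ... fb" ('>' marks the guilty row). */
static int parse_shadow_row(const char *line, struct shadow_row *out)
{
	char *end;
	while (*line == ' ' || *line == '>')
		line++;
	out->base = strtoull(line, &end, 16);
	if (end == line || *end != ':')
		return -1;
	line = end + 1;
	for (int i = 0; i < SHADOW_BYTES_PER_ROW; i++) {
		unsigned long b = strtoul(line, &end, 16);
		if (end == line || b > 0xFF)
			return -1;
		out->v[i] = (uint8_t)b;
		line = end;
	}
	return 0;
}

/* Shadow byte covering addr, or -1 when no dumped row covers it. */
static int shadow_at(const struct shadow_row *rows, size_t n, uint64_t addr)
{
	const uint64_t span = KASAN_GRANULE_SIZE * SHADOW_BYTES_PER_ROW;
	for (size_t i = 0; i < n; i++)
		if (addr >= rows[i].base && addr - rows[i].base < span)
			return rows[i].v[(addr - rows[i].base) / KASAN_GRANULE_SIZE];
	return -1;
}

static int is_freed(int v) { return v == KASAN_SLAB_FREETRACK || v == KASAN_SLAB_FREE; }

static struct uaf_summary summarise_uaf(const char *const *lines, size_t n, uint64_t addr)
{
	struct shadow_row rows[16];
	struct uaf_summary s = { -1, 0, 0, 0 };
	size_t nrows = 0;

	for (size_t i = 0; i < n && nrows < 16; i++)
		if (parse_shadow_row(lines[i], &rows[nrows]) == 0)
			nrows++;
	s.shadow = shadow_at(rows, nrows, addr);
	if (!is_freed(s.shadow))
		return s;                          /* fault is not inside a freed object */

	/* Back up to the first granule: FREETRACK marks it, a non-freed byte ends the run. */
	uint64_t start = addr & ~(uint64_t)(KASAN_GRANULE_SIZE - 1);
	while (shadow_at(rows, nrows, start) != KASAN_SLAB_FREETRACK &&
	       is_freed(shadow_at(rows, nrows, start - KASAN_GRANULE_SIZE)))
		start -= KASAN_GRANULE_SIZE;
	uint64_t end = start + KASAN_GRANULE_SIZE;
	while (shadow_at(rows, nrows, end) == KASAN_SLAB_FREE)
		end += KASAN_GRANULE_SIZE;

	s.obj_start = start;
	s.obj_size = end - start;
	s.offset = addr - start;
	return s;
}

/* Shadow rows copied from the arm64 mempool_slab_uaf report (test_cache, 123-byte object). */
static const char *const slab_uaf_rows[] = {
	" fff00000c4222100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
	" fff00000c4222180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
	">fff00000c4222200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb",
	" fff00000c4222280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
	" fff00000c4222300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
```

For the fault at fff00000c4222240 the caret sits on an fa byte, the run back stops immediately (the byte before it is fc, redzone) and the run forward covers fifteen fb bytes, so the decoder reports a 128-byte freed object starting exactly at the fault address; that agrees with the report's "0 bytes inside of freed 123-byte region", 123 being rounded up to sixteen granules. Any address inside that object, not only its first byte, resolves to the same object start and size, which is what you want when a real use-after-free lands mid-object.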