Date
June 7, 2025, 10:40 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 24.848721] ================================================================== [ 24.849837] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 24.850809] Read of size 1 at addr fff00000c64f9300 by task kunit_try_catch/216 [ 24.851662] [ 24.852022] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1 [ 24.852239] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.852314] Hardware name: linux,dummy-virt (DT) [ 24.852408] Call trace: [ 24.852475] show_stack+0x20/0x38 (C) [ 24.852627] dump_stack_lvl+0x8c/0xd0 [ 24.852770] print_report+0x118/0x608 [ 24.852928] kasan_report+0xdc/0x128 [ 24.853074] __asan_report_load1_noabort+0x20/0x30 [ 24.853204] mempool_uaf_helper+0x314/0x340 [ 24.853329] mempool_kmalloc_uaf+0xc4/0x120 [ 24.853391] kunit_try_run_case+0x170/0x3f0 [ 24.853453] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.853515] kthread+0x318/0x620 [ 24.853573] ret_from_fork+0x10/0x20 [ 24.853631] [ 24.861284] Allocated by task 216: [ 24.861696] kasan_save_stack+0x3c/0x68 [ 24.862225] kasan_save_track+0x20/0x40 [ 24.862802] kasan_save_alloc_info+0x40/0x58 [ 24.863372] __kasan_mempool_unpoison_object+0x11c/0x180 [ 24.864237] remove_element+0x130/0x1f8 [ 24.864742] mempool_alloc_preallocated+0x58/0xc0 [ 24.865391] mempool_uaf_helper+0xa4/0x340 [ 24.866404] mempool_kmalloc_uaf+0xc4/0x120 [ 24.868486] kunit_try_run_case+0x170/0x3f0 [ 24.869860] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.870379] kthread+0x318/0x620 [ 24.870734] ret_from_fork+0x10/0x20 [ 24.873299] [ 24.873904] Freed by task 216: [ 24.875320] kasan_save_stack+0x3c/0x68 [ 24.876909] kasan_save_track+0x20/0x40 [ 24.880080] kasan_save_free_info+0x4c/0x78 [ 24.880532] __kasan_mempool_poison_object+0xc0/0x150 [ 24.881007] mempool_free+0x28c/0x328 [ 24.881379] mempool_uaf_helper+0x104/0x340 [ 24.881791] mempool_kmalloc_uaf+0xc4/0x120 [ 24.885099] kunit_try_run_case+0x170/0x3f0 [ 24.885505] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.887221] kthread+0x318/0x620 [ 24.888510] ret_from_fork+0x10/0x20 [ 24.890251] [ 24.890623] The buggy address belongs to the object at fff00000c64f9300 [ 24.890623] which belongs to the cache kmalloc-128 of size 128 [ 24.891975] The buggy address is located 0 bytes inside of [ 24.891975] freed 128-byte region [fff00000c64f9300, fff00000c64f9380) [ 24.893633] [ 24.894110] The buggy address belongs to the physical page: [ 24.894843] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064f9 [ 24.895707] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 24.896567] page_type: f5(slab) [ 24.897647] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 24.898438] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.899191] page dumped because: kasan: bad access detected [ 24.899851] [ 24.900415] Memory state around the buggy address: [ 24.900986] fff00000c64f9200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.902234] fff00000c64f9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.903095] >fff00000c64f9300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.903944] ^ [ 24.904545] fff00000c64f9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.905259] fff00000c64f9400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.906291] ================================================================== [ 24.981383] ================================================================== [ 24.985489] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 24.988114] Read of size 1 at addr fff00000c65df240 by task kunit_try_catch/220 [ 24.990765] [ 24.991492] CPU: 0 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1 [ 24.991689] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.991757] Hardware name: linux,dummy-virt (DT) [ 24.991833] Call trace: [ 24.992457] show_stack+0x20/0x38 (C) [ 24.992601] dump_stack_lvl+0x8c/0xd0 [ 24.992720] print_report+0x118/0x608 [ 24.992835] kasan_report+0xdc/0x128 [ 24.992966] __asan_report_load1_noabort+0x20/0x30 [ 24.993085] mempool_uaf_helper+0x314/0x340 [ 24.993197] mempool_slab_uaf+0xc0/0x118 [ 24.993310] kunit_try_run_case+0x170/0x3f0 [ 24.993424] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.993550] kthread+0x318/0x620 [ 24.993653] ret_from_fork+0x10/0x20 [ 24.993764] [ 25.008101] Allocated by task 220: [ 25.009420] kasan_save_stack+0x3c/0x68 [ 25.010171] kasan_save_track+0x20/0x40 [ 25.010574] kasan_save_alloc_info+0x40/0x58 [ 25.012086] __kasan_mempool_unpoison_object+0xbc/0x180 [ 25.014290] remove_element+0x16c/0x1f8 [ 25.015308] mempool_alloc_preallocated+0x58/0xc0 [ 25.017059] mempool_uaf_helper+0xa4/0x340 [ 25.018371] mempool_slab_uaf+0xc0/0x118 [ 25.018749] kunit_try_run_case+0x170/0x3f0 [ 25.019135] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.019569] kthread+0x318/0x620 [ 25.021224] ret_from_fork+0x10/0x20 [ 25.022262] [ 25.023327] Freed by task 220: [ 25.024627] kasan_save_stack+0x3c/0x68 [ 25.025948] kasan_save_track+0x20/0x40 [ 25.027387] kasan_save_free_info+0x4c/0x78 [ 25.029477] __kasan_mempool_poison_object+0xc0/0x150 [ 25.030858] mempool_free+0x28c/0x328 [ 25.032734] mempool_uaf_helper+0x104/0x340 [ 25.033669] mempool_slab_uaf+0xc0/0x118 [ 25.034099] kunit_try_run_case+0x170/0x3f0 [ 25.034522] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.036269] kthread+0x318/0x620 [ 25.037989] ret_from_fork+0x10/0x20 [ 25.039135] [ 25.039916] The buggy address belongs to the object at fff00000c65df240 [ 25.039916] which belongs to the cache test_cache of size 123 [ 25.042810] The buggy address is located 0 bytes inside of [ 25.042810] freed 123-byte region [fff00000c65df240, fff00000c65df2bb) [ 25.045009] [ 25.045239] The buggy address belongs to the physical page: [ 25.045660] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065df [ 25.050054] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.050579] page_type: f5(slab) [ 25.051331] raw: 0bfffe0000000000 fff00000c65e2000 dead000000000122 0000000000000000 [ 25.052307] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 25.053032] page dumped because: kasan: bad access detected [ 25.053528] [ 25.053757] Memory state around the buggy address: [ 25.055704] fff00000c65df100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.057350] fff00000c65df180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.058093] >fff00000c65df200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 25.058949] ^ [ 25.059423] fff00000c65df280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.060828] fff00000c65df300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.061626] ==================================================================
[ 19.671402] ================================================================== [ 19.672085] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 19.672814] Read of size 1 at addr ffff888102990240 by task kunit_try_catch/239 [ 19.673623] [ 19.673894] CPU: 1 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1 [ 19.673998] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.674030] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.674080] Call Trace: [ 19.674110] <TASK> [ 19.674155] dump_stack_lvl+0x73/0xb0 [ 19.674267] print_report+0xd1/0x650 [ 19.674383] ? __virt_addr_valid+0x1db/0x2d0 [ 19.674477] ? mempool_uaf_helper+0x394/0x400 [ 19.674533] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.674585] ? mempool_uaf_helper+0x394/0x400 [ 19.674624] kasan_report+0x140/0x180 [ 19.674669] ? mempool_uaf_helper+0x394/0x400 [ 19.674719] __asan_report_load1_noabort+0x18/0x20 [ 19.674767] mempool_uaf_helper+0x394/0x400 [ 19.674808] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 19.674877] ? finish_task_switch.isra.0+0x153/0x700 [ 19.674933] mempool_slab_uaf+0xeb/0x140 [ 19.674981] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 19.675034] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 19.675083] ? __pfx_mempool_free_slab+0x10/0x10 [ 19.675138] ? __pfx_read_tsc+0x10/0x10 [ 19.675196] ? ktime_get_ts64+0x86/0x230 [ 19.675262] kunit_try_run_case+0x1a6/0x480 [ 19.675364] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.675420] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 19.675560] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.675619] ? __kthread_parkme+0x82/0x160 [ 19.675675] ? preempt_count_sub+0x50/0x80 [ 19.675744] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.675793] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.675847] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.675919] kthread+0x324/0x6e0 [ 19.675965] ? trace_preempt_on+0x20/0xc0 [ 19.676026] ? __pfx_kthread+0x10/0x10 [ 19.676084] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.676144] ? calculate_sigpending+0x7b/0xa0 [ 19.676201] ? __pfx_kthread+0x10/0x10 [ 19.676235] ret_from_fork+0x41/0x80 [ 19.676263] ? __pfx_kthread+0x10/0x10 [ 19.676292] ret_from_fork_asm+0x1a/0x30 [ 19.676361] </TASK> [ 19.676378] [ 19.692801] Allocated by task 239: [ 19.693174] kasan_save_stack+0x45/0x70 [ 19.693705] kasan_save_track+0x18/0x40 [ 19.694183] kasan_save_alloc_info+0x3b/0x50 [ 19.694678] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 19.695051] remove_element+0x11e/0x190 [ 19.695557] mempool_alloc_preallocated+0x4d/0x90 [ 19.696110] mempool_uaf_helper+0x97/0x400 [ 19.696642] mempool_slab_uaf+0xeb/0x140 [ 19.697090] kunit_try_run_case+0x1a6/0x480 [ 19.697481] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.698063] kthread+0x324/0x6e0 [ 19.698489] ret_from_fork+0x41/0x80 [ 19.698784] ret_from_fork_asm+0x1a/0x30 [ 19.699360] [ 19.699535] Freed by task 239: [ 19.699908] kasan_save_stack+0x45/0x70 [ 19.700402] kasan_save_track+0x18/0x40 [ 19.700839] kasan_save_free_info+0x3f/0x60 [ 19.701393] __kasan_mempool_poison_object+0x131/0x1d0 [ 19.701947] mempool_free+0x2ec/0x380 [ 19.702375] mempool_uaf_helper+0x11b/0x400 [ 19.702975] mempool_slab_uaf+0xeb/0x140 [ 19.703347] kunit_try_run_case+0x1a6/0x480 [ 19.703851] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.704496] kthread+0x324/0x6e0 [ 19.704895] ret_from_fork+0x41/0x80 [ 19.705283] ret_from_fork_asm+0x1a/0x30 [ 19.705803] [ 19.706071] The buggy address belongs to the object at ffff888102990240 [ 19.706071] which belongs to the cache test_cache of size 123 [ 19.707320] The buggy address is located 0 bytes inside of [ 19.707320] freed 123-byte region [ffff888102990240, ffff8881029902bb) [ 19.708467] [ 19.708617] The buggy address belongs to the physical page: [ 19.708836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102990 [ 19.709186] flags: 0x200000000000000(node=0|zone=2) [ 19.709778] page_type: f5(slab) [ 19.710191] raw: 0200000000000000 ffff888101da98c0 dead000000000122 0000000000000000 [ 19.710973] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 19.711766] page dumped because: kasan: bad access detected [ 19.712368] [ 19.712644] Memory state around the buggy address: [ 19.713209] ffff888102990100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 19.713839] ffff888102990180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.714569] >ffff888102990200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 19.715239] ^ [ 19.715837] ffff888102990280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 19.716517] ffff888102990300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.717224] ================================================================== [ 19.578151] ================================================================== [ 19.579330] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 19.579753] Read of size 1 at addr ffff888102c74200 by task kunit_try_catch/235 [ 19.580961] [ 19.581211] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1 [ 19.581319] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.581349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.581396] Call Trace: [ 19.581433] <TASK> [ 19.581500] dump_stack_lvl+0x73/0xb0 [ 19.581612] print_report+0xd1/0x650 [ 19.581675] ? __virt_addr_valid+0x1db/0x2d0 [ 19.581869] ? mempool_uaf_helper+0x394/0x400 [ 19.581958] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.582025] ? mempool_uaf_helper+0x394/0x400 [ 19.582075] kasan_report+0x140/0x180 [ 19.582132] ? mempool_uaf_helper+0x394/0x400 [ 19.582202] __asan_report_load1_noabort+0x18/0x20 [ 19.582267] mempool_uaf_helper+0x394/0x400 [ 19.582323] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 19.582382] ? irqentry_exit+0x2a/0x60 [ 19.582415] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 19.582499] mempool_kmalloc_uaf+0xf0/0x140 [ 19.582552] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 19.582587] ? __pfx_mempool_kmalloc+0x10/0x10 [ 19.582618] ? __pfx_mempool_kfree+0x10/0x10 [ 19.582644] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 19.582677] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 19.582708] kunit_try_run_case+0x1a6/0x480 [ 19.582739] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.582767] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 19.582801] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.582832] ? __kthread_parkme+0x82/0x160 [ 19.582886] ? preempt_count_sub+0x50/0x80 [ 19.582920] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.582950] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.582983] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.583016] kthread+0x324/0x6e0 [ 19.583043] ? trace_preempt_on+0x20/0xc0 [ 19.583075] ? __pfx_kthread+0x10/0x10 [ 19.583103] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.583133] ? calculate_sigpending+0x7b/0xa0 [ 19.583162] ? __pfx_kthread+0x10/0x10 [ 19.583190] ret_from_fork+0x41/0x80 [ 19.583216] ? __pfx_kthread+0x10/0x10 [ 19.583244] ret_from_fork_asm+0x1a/0x30 [ 19.583285] </TASK> [ 19.583316] [ 19.602693] Allocated by task 235: [ 19.603133] kasan_save_stack+0x45/0x70 [ 19.603699] kasan_save_track+0x18/0x40 [ 19.604187] kasan_save_alloc_info+0x3b/0x50 [ 19.604747] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 19.605229] remove_element+0x11e/0x190 [ 19.605779] mempool_alloc_preallocated+0x4d/0x90 [ 19.606178] mempool_uaf_helper+0x97/0x400 [ 19.606772] mempool_kmalloc_uaf+0xf0/0x140 [ 19.607226] kunit_try_run_case+0x1a6/0x480 [ 19.608283] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.608881] kthread+0x324/0x6e0 [ 19.609325] ret_from_fork+0x41/0x80 [ 19.609924] ret_from_fork_asm+0x1a/0x30 [ 19.610394] [ 19.610542] Freed by task 235: [ 19.610877] kasan_save_stack+0x45/0x70 [ 19.611278] kasan_save_track+0x18/0x40 [ 19.611641] kasan_save_free_info+0x3f/0x60 [ 19.612083] __kasan_mempool_poison_object+0x131/0x1d0 [ 19.612438] mempool_free+0x2ec/0x380 [ 19.613154] mempool_uaf_helper+0x11b/0x400 [ 19.614018] mempool_kmalloc_uaf+0xf0/0x140 [ 19.614353] kunit_try_run_case+0x1a6/0x480 [ 19.614561] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.614869] kthread+0x324/0x6e0 [ 19.615083] ret_from_fork+0x41/0x80 [ 19.615452] ret_from_fork_asm+0x1a/0x30 [ 19.615904] [ 19.616160] The buggy address belongs to the object at ffff888102c74200 [ 19.616160] which belongs to the cache kmalloc-128 of size 128 [ 19.617028] The buggy address is located 0 bytes inside of [ 19.617028] freed 128-byte region [ffff888102c74200, ffff888102c74280) [ 19.617903] [ 19.618150] The buggy address belongs to the physical page: [ 19.618814] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c74 [ 19.620029] flags: 0x200000000000000(node=0|zone=2) [ 19.620677] page_type: f5(slab) [ 19.621060] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.621398] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.622062] page dumped because: kasan: bad access detected [ 19.622382] [ 19.622584] Memory state around the buggy address: [ 19.623626] ffff888102c74100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.624034] ffff888102c74180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.624834] >ffff888102c74200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.625209] ^ [ 19.626399] ffff888102c74280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.627068] ffff888102c74300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 19.627697] ==================================================================