Hay

Date: May 12, 2025, 6:12 p.m.

Environment: qemu-arm64, qemu-x86_64

[   20.401893] ==================================================================
[   20.402673] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   20.403201] Read of size 1 at addr fff00000c59c2d00 by task kunit_try_catch/216
[   20.403708] 
[   20.403895] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N 6.14.7-rc1 #1
[   20.403998] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.404032] Hardware name: linux,dummy-virt (DT)
[   20.404069] Call trace:
[   20.404100]  show_stack+0x20/0x38 (C)
[   20.404158]  dump_stack_lvl+0x8c/0xd0
[   20.404216]  print_report+0x118/0x608
[   20.404269]  kasan_report+0xdc/0x128
[   20.404321]  __asan_report_load1_noabort+0x20/0x30
[   20.404373]  mempool_uaf_helper+0x314/0x340
[   20.404425]  mempool_kmalloc_uaf+0xc4/0x120
[   20.404477]  kunit_try_run_case+0x170/0x3f0
[   20.404530]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.404588]  kthread+0x318/0x620
[   20.404638]  ret_from_fork+0x10/0x20
[   20.404694] 
[   20.409868] Allocated by task 216:
[   20.410410]  kasan_save_stack+0x3c/0x68
[   20.410962]  kasan_save_track+0x20/0x40
[   20.411334]  kasan_save_alloc_info+0x40/0x58
[   20.411678]  __kasan_mempool_unpoison_object+0x11c/0x180
[   20.412085]  remove_element+0x130/0x1f8
[   20.412485]  mempool_alloc_preallocated+0x58/0xc0
[   20.412868]  mempool_uaf_helper+0xa4/0x340
[   20.413125]  mempool_kmalloc_uaf+0xc4/0x120
[   20.413371]  kunit_try_run_case+0x170/0x3f0
[   20.413618]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.413898]  kthread+0x318/0x620
[   20.414131]  ret_from_fork+0x10/0x20
[   20.414365] 
[   20.414511] Freed by task 216:
[   20.414712]  kasan_save_stack+0x3c/0x68
[   20.415439]  kasan_save_track+0x20/0x40
[   20.415753]  kasan_save_free_info+0x4c/0x78
[   20.416020]  __kasan_mempool_poison_object+0xc0/0x150
[   20.416256]  mempool_free+0x28c/0x328
[   20.416616]  mempool_uaf_helper+0x104/0x340
[   20.416980]  mempool_kmalloc_uaf+0xc4/0x120
[   20.417308]  kunit_try_run_case+0x170/0x3f0
[   20.417658]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.418087]  kthread+0x318/0x620
[   20.418391]  ret_from_fork+0x10/0x20
[   20.418705] 
[   20.418929] The buggy address belongs to the object at fff00000c59c2d00
[   20.418929]  which belongs to the cache kmalloc-128 of size 128
[   20.419704] The buggy address is located 0 bytes inside of
[   20.419704]  freed 128-byte region [fff00000c59c2d00, fff00000c59c2d80)
[   20.420451] 
[   20.420645] The buggy address belongs to the physical page:
[   20.421045] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059c2
[   20.421589] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.422088] page_type: f5(slab)
[   20.422377] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   20.422809] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.423242] page dumped because: kasan: bad access detected
[   20.423496] 
[   20.423681] Memory state around the buggy address:
[   20.424247]  fff00000c59c2c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.424754]  fff00000c59c2c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.425226] >fff00000c59c2d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.425688]                    ^
[   20.425952]  fff00000c59c2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.426412]  fff00000c59c2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.426907] ==================================================================
[   20.459123] ==================================================================
[   20.459623] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   20.460333] Read of size 1 at addr fff00000c6589240 by task kunit_try_catch/220
[   20.460851] 
[   20.461065] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N 6.14.7-rc1 #1
[   20.461168] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.461202] Hardware name: linux,dummy-virt (DT)
[   20.461239] Call trace:
[   20.461268]  show_stack+0x20/0x38 (C)
[   20.461334]  dump_stack_lvl+0x8c/0xd0
[   20.461392]  print_report+0x118/0x608
[   20.461448]  kasan_report+0xdc/0x128
[   20.461498]  __asan_report_load1_noabort+0x20/0x30
[   20.461548]  mempool_uaf_helper+0x314/0x340
[   20.461599]  mempool_slab_uaf+0xc0/0x118
[   20.461648]  kunit_try_run_case+0x170/0x3f0
[   20.461704]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.461844]  kthread+0x318/0x620
[   20.461916]  ret_from_fork+0x10/0x20
[   20.461979] 
[   20.465829] Allocated by task 220:
[   20.466125]  kasan_save_stack+0x3c/0x68
[   20.466478]  kasan_save_track+0x20/0x40
[   20.466830]  kasan_save_alloc_info+0x40/0x58
[   20.467018]  __kasan_mempool_unpoison_object+0xbc/0x180
[   20.467207]  remove_element+0x16c/0x1f8
[   20.467543]  mempool_alloc_preallocated+0x58/0xc0
[   20.468116]  mempool_uaf_helper+0xa4/0x340
[   20.468488]  mempool_slab_uaf+0xc0/0x118
[   20.468721]  kunit_try_run_case+0x170/0x3f0
[   20.469070]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.469437]  kthread+0x318/0x620
[   20.469675]  ret_from_fork+0x10/0x20
[   20.469938] 
[   20.470106] Freed by task 220:
[   20.470393]  kasan_save_stack+0x3c/0x68
[   20.470849]  kasan_save_track+0x20/0x40
[   20.471134]  kasan_save_free_info+0x4c/0x78
[   20.471311]  __kasan_mempool_poison_object+0xc0/0x150
[   20.471701]  mempool_free+0x28c/0x328
[   20.471936]  mempool_uaf_helper+0x104/0x340
[   20.472315]  mempool_slab_uaf+0xc0/0x118
[   20.472541]  kunit_try_run_case+0x170/0x3f0
[   20.472872]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.473182]  kthread+0x318/0x620
[   20.473496]  ret_from_fork+0x10/0x20
[   20.473676] 
[   20.473883] The buggy address belongs to the object at fff00000c6589240
[   20.473883]  which belongs to the cache test_cache of size 123
[   20.474868] The buggy address is located 0 bytes inside of
[   20.474868]  freed 123-byte region [fff00000c6589240, fff00000c65892bb)
[   20.475275] 
[   20.475384] The buggy address belongs to the physical page:
[   20.475566] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106589
[   20.476021] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.476424] page_type: f5(slab)
[   20.476701] raw: 0bfffe0000000000 fff00000c596f8c0 dead000000000122 0000000000000000
[   20.477032] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   20.477498] page dumped because: kasan: bad access detected
[   20.477888] 
[   20.478111] Memory state around the buggy address:
[   20.478373]  fff00000c6589100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.478971]  fff00000c6589180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.479637] >fff00000c6589200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   20.480644]                                            ^
[   20.480953]  fff00000c6589280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.481369]  fff00000c6589300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.481793] ==================================================================

[   13.916189] ==================================================================
[   13.916658] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   13.917083] Read of size 1 at addr ffff888102add300 by task kunit_try_catch/235
[   13.917387] 
[   13.917631] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G    B            N 6.14.7-rc1 #1
[   13.917682] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.917695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.917718] Call Trace:
[   13.917733]  <TASK>
[   13.917761]  dump_stack_lvl+0x73/0xb0
[   13.917915]  print_report+0xd1/0x650
[   13.917939]  ? __virt_addr_valid+0x1db/0x2d0
[   13.917963]  ? mempool_uaf_helper+0x394/0x400
[   13.917986]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.918011]  ? mempool_uaf_helper+0x394/0x400
[   13.918069]  kasan_report+0x140/0x180
[   13.918103]  ? mempool_uaf_helper+0x394/0x400
[   13.918128]  __asan_report_load1_noabort+0x18/0x20
[   13.918191]  mempool_uaf_helper+0x394/0x400
[   13.918213]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.918237]  ? finish_task_switch.isra.0+0x153/0x700
[   13.918267]  mempool_kmalloc_uaf+0xf0/0x140
[   13.918289]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   13.918313]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.918335]  ? __pfx_mempool_kfree+0x10/0x10
[   13.918356]  ? __pfx_read_tsc+0x10/0x10
[   13.918379]  ? ktime_get_ts64+0x86/0x230
[   13.918437]  kunit_try_run_case+0x1a6/0x480
[   13.918463]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.918485]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   13.918509]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.918535]  ? __kthread_parkme+0x82/0x160
[   13.918558]  ? preempt_count_sub+0x50/0x80
[   13.918613]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.918636]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.918661]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.918687]  kthread+0x324/0x6e0
[   13.918708]  ? trace_preempt_on+0x20/0xc0
[   13.918733]  ? __pfx_kthread+0x10/0x10
[   13.918755]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.918779]  ? calculate_sigpending+0x7b/0xa0
[   13.918801]  ? __pfx_kthread+0x10/0x10
[   13.918824]  ret_from_fork+0x41/0x80
[   13.918853]  ? __pfx_kthread+0x10/0x10
[   13.918875]  ret_from_fork_asm+0x1a/0x30
[   13.918910]  </TASK>
[   13.918922] 
[   13.927772] Allocated by task 235:
[   13.927948]  kasan_save_stack+0x45/0x70
[   13.928125]  kasan_save_track+0x18/0x40
[   13.928366]  kasan_save_alloc_info+0x3b/0x50
[   13.928766]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   13.929309]  remove_element+0x11e/0x190
[   13.929456]  mempool_alloc_preallocated+0x4d/0x90
[   13.929609]  mempool_uaf_helper+0x97/0x400
[   13.929789]  mempool_kmalloc_uaf+0xf0/0x140
[   13.930109]  kunit_try_run_case+0x1a6/0x480
[   13.930350]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.930609]  kthread+0x324/0x6e0
[   13.930808]  ret_from_fork+0x41/0x80
[   13.931022]  ret_from_fork_asm+0x1a/0x30
[   13.931308] 
[   13.931380] Freed by task 235:
[   13.931516]  kasan_save_stack+0x45/0x70
[   13.931707]  kasan_save_track+0x18/0x40
[   13.931936]  kasan_save_free_info+0x3f/0x60
[   13.932142]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.932305]  mempool_free+0x2ec/0x380
[   13.932433]  mempool_uaf_helper+0x11b/0x400
[   13.932921]  mempool_kmalloc_uaf+0xf0/0x140
[   13.933345]  kunit_try_run_case+0x1a6/0x480
[   13.933670]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.933940]  kthread+0x324/0x6e0
[   13.934214]  ret_from_fork+0x41/0x80
[   13.934412]  ret_from_fork_asm+0x1a/0x30
[   13.934617] 
[   13.934711] The buggy address belongs to the object at ffff888102add300
[   13.934711]  which belongs to the cache kmalloc-128 of size 128
[   13.935075] The buggy address is located 0 bytes inside of
[   13.935075]  freed 128-byte region [ffff888102add300, ffff888102add380)
[   13.935822] 
[   13.935976] The buggy address belongs to the physical page:
[   13.936321] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102add
[   13.936617] flags: 0x200000000000000(node=0|zone=2)
[   13.936872] page_type: f5(slab)
[   13.937236] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.937553] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.937853] page dumped because: kasan: bad access detected
[   13.938021] 
[   13.938090] Memory state around the buggy address:
[   13.938433]  ffff888102add200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.938755]  ffff888102add280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.939084] >ffff888102add300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.939642]                    ^
[   13.939813]  ffff888102add380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.940216]  ffff888102add400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.940479] ==================================================================
[   13.972101] ==================================================================
[   13.972654] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   13.973019] Read of size 1 at addr ffff888101b38240 by task kunit_try_catch/239
[   13.973451] 
[   13.973565] CPU: 1 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G    B            N 6.14.7-rc1 #1
[   13.973614] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.973661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.973685] Call Trace:
[   13.973699]  <TASK>
[   13.973726]  dump_stack_lvl+0x73/0xb0
[   13.973767]  print_report+0xd1/0x650
[   13.973790]  ? __virt_addr_valid+0x1db/0x2d0
[   13.973814]  ? mempool_uaf_helper+0x394/0x400
[   13.973880]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.973907]  ? mempool_uaf_helper+0x394/0x400
[   13.973927]  kasan_report+0x140/0x180
[   13.973949]  ? mempool_uaf_helper+0x394/0x400
[   13.973975]  __asan_report_load1_noabort+0x18/0x20
[   13.973997]  mempool_uaf_helper+0x394/0x400
[   13.974036]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.974116]  ? finish_task_switch.isra.0+0x153/0x700
[   13.974181]  mempool_slab_uaf+0xeb/0x140
[   13.974229]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.974255]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.974278]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.974299]  ? __pfx_read_tsc+0x10/0x10
[   13.974322]  ? ktime_get_ts64+0x86/0x230
[   13.974349]  kunit_try_run_case+0x1a6/0x480
[   13.974374]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.974395]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   13.974419]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.974445]  ? __kthread_parkme+0x82/0x160
[   13.974468]  ? preempt_count_sub+0x50/0x80
[   13.974492]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.974515]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.974541]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.974567]  kthread+0x324/0x6e0
[   13.974589]  ? trace_preempt_on+0x20/0xc0
[   13.974613]  ? __pfx_kthread+0x10/0x10
[   13.974637]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.974661]  ? calculate_sigpending+0x7b/0xa0
[   13.974683]  ? __pfx_kthread+0x10/0x10
[   13.974707]  ret_from_fork+0x41/0x80
[   13.974728]  ? __pfx_kthread+0x10/0x10
[   13.974751]  ret_from_fork_asm+0x1a/0x30
[   13.974783]  </TASK>
[   13.974794] 
[   13.983517] Allocated by task 239:
[   13.983742]  kasan_save_stack+0x45/0x70
[   13.984017]  kasan_save_track+0x18/0x40
[   13.984366]  kasan_save_alloc_info+0x3b/0x50
[   13.984547]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.984751]  remove_element+0x11e/0x190
[   13.984953]  mempool_alloc_preallocated+0x4d/0x90
[   13.985266]  mempool_uaf_helper+0x97/0x400
[   13.985405]  mempool_slab_uaf+0xeb/0x140
[   13.985541]  kunit_try_run_case+0x1a6/0x480
[   13.985963]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.986287]  kthread+0x324/0x6e0
[   13.986461]  ret_from_fork+0x41/0x80
[   13.986681]  ret_from_fork_asm+0x1a/0x30
[   13.986913] 
[   13.987156] Freed by task 239:
[   13.987319]  kasan_save_stack+0x45/0x70
[   13.987506]  kasan_save_track+0x18/0x40
[   13.987771]  kasan_save_free_info+0x3f/0x60
[   13.987985]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.988241]  mempool_free+0x2ec/0x380
[   13.988373]  mempool_uaf_helper+0x11b/0x400
[   13.988514]  mempool_slab_uaf+0xeb/0x140
[   13.988648]  kunit_try_run_case+0x1a6/0x480
[   13.988787]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.989037]  kthread+0x324/0x6e0
[   13.989269]  ret_from_fork+0x41/0x80
[   13.989455]  ret_from_fork_asm+0x1a/0x30
[   13.989656] 
[   13.989759] The buggy address belongs to the object at ffff888101b38240
[   13.989759]  which belongs to the cache test_cache of size 123
[   13.990496] The buggy address is located 0 bytes inside of
[   13.990496]  freed 123-byte region [ffff888101b38240, ffff888101b382bb)
[   13.990955] 
[   13.991031] The buggy address belongs to the physical page:
[   13.991504] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b38
[   13.991907] flags: 0x200000000000000(node=0|zone=2)
[   13.992241] page_type: f5(slab)
[   13.992370] raw: 0200000000000000 ffff888101ab2dc0 dead000000000122 0000000000000000
[   13.992595] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.992813] page dumped because: kasan: bad access detected
[   13.993203] 
[   13.993303] Memory state around the buggy address:
[   13.993535]  ffff888101b38100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.993878]  ffff888101b38180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.994560] >ffff888101b38200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.994862]                                            ^
[   13.995234]  ffff888101b38280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.995552]  ffff888101b38300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.995863] ==================================================================