Date
June 2, 2025, 2:13 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 20.503592] ================================================================== [ 20.504178] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.504951] Read of size 1 at addr fff00000c3f26240 by task kunit_try_catch/221 [ 20.505213] [ 20.505337] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 20.505473] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.505515] Hardware name: linux,dummy-virt (DT) [ 20.505576] Call trace: [ 20.505605] show_stack+0x20/0x38 (C) [ 20.505668] dump_stack_lvl+0x8c/0xd0 [ 20.505724] print_report+0x118/0x608 [ 20.505778] kasan_report+0xdc/0x128 [ 20.505829] __asan_report_load1_noabort+0x20/0x30 [ 20.505883] mempool_uaf_helper+0x314/0x340 [ 20.505935] mempool_slab_uaf+0xc0/0x118 [ 20.505988] kunit_try_run_case+0x170/0x3f0 [ 20.506043] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.506279] kthread+0x318/0x620 [ 20.506358] ret_from_fork+0x10/0x20 [ 20.506420] [ 20.509748] Allocated by task 221: [ 20.510083] kasan_save_stack+0x3c/0x68 [ 20.510285] kasan_save_track+0x20/0x40 [ 20.510633] kasan_save_alloc_info+0x40/0x58 [ 20.510863] __kasan_mempool_unpoison_object+0xbc/0x180 [ 20.511125] remove_element+0x16c/0x1f8 [ 20.511539] mempool_alloc_preallocated+0x58/0xc0 [ 20.511721] mempool_uaf_helper+0xa4/0x340 [ 20.512024] mempool_slab_uaf+0xc0/0x118 [ 20.512293] kunit_try_run_case+0x170/0x3f0 [ 20.512616] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.512932] kthread+0x318/0x620 [ 20.513222] ret_from_fork+0x10/0x20 [ 20.513539] [ 20.513732] Freed by task 221: [ 20.513935] kasan_save_stack+0x3c/0x68 [ 20.514328] kasan_save_track+0x20/0x40 [ 20.514610] kasan_save_free_info+0x4c/0x78 [ 20.514903] __kasan_mempool_poison_object+0xc0/0x150 [ 20.515231] mempool_free+0x28c/0x328 [ 20.515470] mempool_uaf_helper+0x104/0x340 [ 20.515732] mempool_slab_uaf+0xc0/0x118 [ 20.515948] kunit_try_run_case+0x170/0x3f0 [ 20.516151] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.516580] kthread+0x318/0x620 [ 20.516802] ret_from_fork+0x10/0x20 [ 20.517031] [ 20.517226] The buggy address belongs to the object at fff00000c3f26240 [ 20.517226] which belongs to the cache test_cache of size 123 [ 20.517801] The buggy address is located 0 bytes inside of [ 20.517801] freed 123-byte region [fff00000c3f26240, fff00000c3f262bb) [ 20.518497] [ 20.518696] The buggy address belongs to the physical page: [ 20.518984] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f26 [ 20.519493] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.519939] page_type: f5(slab) [ 20.520175] raw: 0bfffe0000000000 fff00000c3f5c3c0 dead000000000122 0000000000000000 [ 20.520526] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 20.520938] page dumped because: kasan: bad access detected [ 20.521260] [ 20.521471] Memory state around the buggy address: [ 20.521728] fff00000c3f26100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.522521] fff00000c3f26180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.522928] >fff00000c3f26200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 20.523234] ^ [ 20.523489] fff00000c3f26280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.523858] fff00000c3f26300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.524212] ================================================================== [ 20.445297] ================================================================== [ 20.445908] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.446937] Read of size 1 at addr fff00000c3f2d300 by task kunit_try_catch/217 [ 20.447334] [ 20.447521] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 20.447614] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.447643] Hardware name: linux,dummy-virt (DT) [ 20.447679] Call trace: [ 20.447705] show_stack+0x20/0x38 (C) [ 20.447765] dump_stack_lvl+0x8c/0xd0 [ 20.447816] print_report+0x118/0x608 [ 20.447865] kasan_report+0xdc/0x128 [ 20.447910] __asan_report_load1_noabort+0x20/0x30 [ 20.447958] mempool_uaf_helper+0x314/0x340 [ 20.448003] mempool_kmalloc_uaf+0xc4/0x120 [ 20.448047] kunit_try_run_case+0x170/0x3f0 [ 20.448096] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.448148] kthread+0x318/0x620 [ 20.448535] ret_from_fork+0x10/0x20 [ 20.448595] [ 20.452397] Allocated by task 217: [ 20.452670] kasan_save_stack+0x3c/0x68 [ 20.452973] kasan_save_track+0x20/0x40 [ 20.453188] kasan_save_alloc_info+0x40/0x58 [ 20.453417] __kasan_mempool_unpoison_object+0x11c/0x180 [ 20.453663] remove_element+0x130/0x1f8 [ 20.453899] mempool_alloc_preallocated+0x58/0xc0 [ 20.454626] mempool_uaf_helper+0xa4/0x340 [ 20.454814] mempool_kmalloc_uaf+0xc4/0x120 [ 20.455189] kunit_try_run_case+0x170/0x3f0 [ 20.455440] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.455694] kthread+0x318/0x620 [ 20.455905] ret_from_fork+0x10/0x20 [ 20.456098] [ 20.456209] Freed by task 217: [ 20.456411] kasan_save_stack+0x3c/0x68 [ 20.456651] kasan_save_track+0x20/0x40 [ 20.456847] kasan_save_free_info+0x4c/0x78 [ 20.457072] __kasan_mempool_poison_object+0xc0/0x150 [ 20.457861] mempool_free+0x28c/0x328 [ 20.458319] mempool_uaf_helper+0x104/0x340 [ 20.458510] mempool_kmalloc_uaf+0xc4/0x120 [ 20.458674] kunit_try_run_case+0x170/0x3f0 [ 20.458831] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.459162] kthread+0x318/0x620 [ 20.459442] ret_from_fork+0x10/0x20 [ 20.459664] [ 20.459782] The buggy address belongs to the object at fff00000c3f2d300 [ 20.459782] which belongs to the cache kmalloc-128 of size 128 [ 20.460792] The buggy address is located 0 bytes inside of [ 20.460792] freed 128-byte region [fff00000c3f2d300, fff00000c3f2d380) [ 20.461320] [ 20.461437] The buggy address belongs to the physical page: [ 20.462016] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f2d [ 20.463423] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.463715] page_type: f5(slab) [ 20.463865] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 20.464090] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.464322] page dumped because: kasan: bad access detected [ 20.464497] [ 20.464594] Memory state around the buggy address: [ 20.464756] fff00000c3f2d200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.464972] fff00000c3f2d280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.465249] >fff00000c3f2d300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.467526] ^ [ 20.468255] fff00000c3f2d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.468796] fff00000c3f2d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 20.469279] ==================================================================
[ 14.249333] ================================================================== [ 14.250253] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 14.251105] Read of size 1 at addr ffff888102a3d240 by task kunit_try_catch/239 [ 14.251748] [ 14.251977] CPU: 0 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 14.252040] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.252055] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.252084] Call Trace: [ 14.252098] <TASK> [ 14.252118] dump_stack_lvl+0x73/0xb0 [ 14.252156] print_report+0xd1/0x650 [ 14.252183] ? __virt_addr_valid+0x1db/0x2d0 [ 14.252212] ? mempool_uaf_helper+0x394/0x400 [ 14.252240] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.252273] ? mempool_uaf_helper+0x394/0x400 [ 14.252301] kasan_report+0x140/0x180 [ 14.252328] ? mempool_uaf_helper+0x394/0x400 [ 14.252361] __asan_report_load1_noabort+0x18/0x20 [ 14.252391] mempool_uaf_helper+0x394/0x400 [ 14.252419] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.252451] ? finish_task_switch.isra.0+0x153/0x700 [ 14.252486] mempool_slab_uaf+0xeb/0x140 [ 14.252514] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 14.252545] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 14.252573] ? __pfx_mempool_free_slab+0x10/0x10 [ 14.252601] ? __pfx_read_tsc+0x10/0x10 [ 14.252628] ? ktime_get_ts64+0x86/0x230 [ 14.252659] kunit_try_run_case+0x1a6/0x480 [ 14.252689] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.252717] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 14.252748] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.252778] ? __kthread_parkme+0x82/0x160 [ 14.252806] ? preempt_count_sub+0x50/0x80 [ 14.252836] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.252864] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.252897] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.252931] kthread+0x324/0x6e0 [ 14.252956] ? trace_preempt_on+0x20/0xc0 [ 14.252985] ? __pfx_kthread+0x10/0x10 [ 14.253012] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.253048] ? calculate_sigpending+0x7b/0xa0 [ 14.253076] ? __pfx_kthread+0x10/0x10 [ 14.253103] ret_from_fork+0x41/0x80 [ 14.253128] ? __pfx_kthread+0x10/0x10 [ 14.253155] ret_from_fork_asm+0x1a/0x30 [ 14.253194] </TASK> [ 14.253206] [ 14.264872] Allocated by task 239: [ 14.265066] kasan_save_stack+0x45/0x70 [ 14.265216] kasan_save_track+0x18/0x40 [ 14.265356] kasan_save_alloc_info+0x3b/0x50 [ 14.265509] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 14.265765] remove_element+0x11e/0x190 [ 14.266201] mempool_alloc_preallocated+0x4d/0x90 [ 14.266444] mempool_uaf_helper+0x97/0x400 [ 14.266754] mempool_slab_uaf+0xeb/0x140 [ 14.266903] kunit_try_run_case+0x1a6/0x480 [ 14.267085] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.267350] kthread+0x324/0x6e0 [ 14.267526] ret_from_fork+0x41/0x80 [ 14.267759] ret_from_fork_asm+0x1a/0x30 [ 14.267964] [ 14.268073] Freed by task 239: [ 14.268235] kasan_save_stack+0x45/0x70 [ 14.268404] kasan_save_track+0x18/0x40 [ 14.268589] kasan_save_free_info+0x3f/0x60 [ 14.268766] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.268970] mempool_free+0x2ec/0x380 [ 14.269122] mempool_uaf_helper+0x11b/0x400 [ 14.269333] mempool_slab_uaf+0xeb/0x140 [ 14.269518] kunit_try_run_case+0x1a6/0x480 [ 14.269665] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.269853] kthread+0x324/0x6e0 [ 14.269996] ret_from_fork+0x41/0x80 [ 14.270231] ret_from_fork_asm+0x1a/0x30 [ 14.270557] [ 14.270765] The buggy address belongs to the object at ffff888102a3d240 [ 14.270765] which belongs to the cache test_cache of size 123 [ 14.271257] The buggy address is located 0 bytes inside of [ 14.271257] freed 123-byte region [ffff888102a3d240, ffff888102a3d2bb) [ 14.271753] [ 14.271854] The buggy address belongs to the physical page: [ 14.272128] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a3d [ 14.272475] flags: 0x200000000000000(node=0|zone=2) [ 14.272890] page_type: f5(slab) [ 14.273088] raw: 0200000000000000 ffff888101beb140 dead000000000122 0000000000000000 [ 14.273358] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 14.273837] page dumped because: kasan: bad access detected [ 14.274082] [ 14.274181] Memory state around the buggy address: [ 14.274385] ffff888102a3d100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.274608] ffff888102a3d180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.274841] >ffff888102a3d200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 14.275253] ^ [ 14.275504] ffff888102a3d280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.275890] ffff888102a3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.276118] ================================================================== [ 14.188915] ================================================================== [ 14.189671] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 14.190188] Read of size 1 at addr ffff888102a2c900 by task kunit_try_catch/235 [ 14.190489] [ 14.190618] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 14.190663] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.190676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.190697] Call Trace: [ 14.190710] <TASK> [ 14.190726] dump_stack_lvl+0x73/0xb0 [ 14.190758] print_report+0xd1/0x650 [ 14.190784] ? __virt_addr_valid+0x1db/0x2d0 [ 14.190812] ? mempool_uaf_helper+0x394/0x400 [ 14.190837] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.190866] ? mempool_uaf_helper+0x394/0x400 [ 14.190891] kasan_report+0x140/0x180 [ 14.190916] ? mempool_uaf_helper+0x394/0x400 [ 14.190946] __asan_report_load1_noabort+0x18/0x20 [ 14.190973] mempool_uaf_helper+0x394/0x400 [ 14.190999] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.191048] ? finish_task_switch.isra.0+0x153/0x700 [ 14.191080] mempool_kmalloc_uaf+0xf0/0x140 [ 14.191106] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.191132] ? __kasan_check_write+0x18/0x20 [ 14.191159] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.191183] ? __pfx_mempool_kfree+0x10/0x10 [ 14.191208] ? __pfx_read_tsc+0x10/0x10 [ 14.191232] ? ktime_get_ts64+0x86/0x230 [ 14.191258] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 14.191291] kunit_try_run_case+0x1a6/0x480 [ 14.191319] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.191345] ? queued_spin_lock_slowpath+0x117/0xb40 [ 14.191375] ? __kthread_parkme+0x82/0x160 [ 14.191402] ? preempt_count_sub+0x50/0x80 [ 14.191430] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.191457] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.191486] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.191515] kthread+0x324/0x6e0 [ 14.191539] ? trace_preempt_on+0x20/0xc0 [ 14.191599] ? __pfx_kthread+0x10/0x10 [ 14.191628] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.191655] ? calculate_sigpending+0x7b/0xa0 [ 14.191681] ? __pfx_kthread+0x10/0x10 [ 14.191707] ret_from_fork+0x41/0x80 [ 14.191729] ? __pfx_kthread+0x10/0x10 [ 14.191753] ret_from_fork_asm+0x1a/0x30 [ 14.191789] </TASK> [ 14.191800] [ 14.202278] Allocated by task 235: [ 14.202473] kasan_save_stack+0x45/0x70 [ 14.203128] kasan_save_track+0x18/0x40 [ 14.203398] kasan_save_alloc_info+0x3b/0x50 [ 14.203855] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 14.204119] remove_element+0x11e/0x190 [ 14.204308] mempool_alloc_preallocated+0x4d/0x90 [ 14.204519] mempool_uaf_helper+0x97/0x400 [ 14.205161] mempool_kmalloc_uaf+0xf0/0x140 [ 14.205438] kunit_try_run_case+0x1a6/0x480 [ 14.205876] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.206336] kthread+0x324/0x6e0 [ 14.206579] ret_from_fork+0x41/0x80 [ 14.206907] ret_from_fork_asm+0x1a/0x30 [ 14.207135] [ 14.207209] Freed by task 235: [ 14.207324] kasan_save_stack+0x45/0x70 [ 14.207469] kasan_save_track+0x18/0x40 [ 14.207605] kasan_save_free_info+0x3f/0x60 [ 14.207754] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.207925] mempool_free+0x2ec/0x380 [ 14.208070] mempool_uaf_helper+0x11b/0x400 [ 14.208224] mempool_kmalloc_uaf+0xf0/0x140 [ 14.208371] kunit_try_run_case+0x1a6/0x480 [ 14.208984] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.209187] kthread+0x324/0x6e0 [ 14.209313] ret_from_fork+0x41/0x80 [ 14.209502] ret_from_fork_asm+0x1a/0x30 [ 14.210078] [ 14.210329] The buggy address belongs to the object at ffff888102a2c900 [ 14.210329] which belongs to the cache kmalloc-128 of size 128 [ 14.211241] The buggy address is located 0 bytes inside of [ 14.211241] freed 128-byte region [ffff888102a2c900, ffff888102a2c980) [ 14.212125] [ 14.212224] The buggy address belongs to the physical page: [ 14.212466] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a2c [ 14.213118] flags: 0x200000000000000(node=0|zone=2) [ 14.213486] page_type: f5(slab) [ 14.213704] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 14.214260] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 14.214847] page dumped because: kasan: bad access detected [ 14.215065] [ 14.215138] Memory state around the buggy address: [ 14.215292] ffff888102a2c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.215888] ffff888102a2c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.216385] >ffff888102a2c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.216936] ^ [ 14.217382] ffff888102a2c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.217808] ffff888102a2ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 14.218235] ==================================================================