Hay
Date
June 7, 2025, 10:40 a.m.

Environment
qemu-arm64
qemu-x86_64

[   25.085728] ==================================================================
[   25.085824] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   25.085917] Read of size 1 at addr fff00000c7714240 by task kunit_try_catch/235
[   25.085976] 
[   25.086024] CPU: 1 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G    B            N  6.15.2-rc1 #1 PREEMPT 
[   25.086125] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.086154] Hardware name: linux,dummy-virt (DT)
[   25.086193] Call trace:
[   25.086223]  show_stack+0x20/0x38 (C)
[   25.086283]  dump_stack_lvl+0x8c/0xd0
[   25.086368]  print_report+0x118/0x608
[   25.086565]  kasan_report+0xdc/0x128
[   25.086625]  __asan_report_load1_noabort+0x20/0x30
[   25.086685]  mempool_uaf_helper+0x314/0x340
[   25.086742]  mempool_slab_uaf+0xc0/0x118
[   25.086795]  kunit_try_run_case+0x170/0x3f0
[   25.086854]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.086917]  kthread+0x328/0x630
[   25.086969]  ret_from_fork+0x10/0x20
[   25.087029] 
[   25.087052] Allocated by task 235:
[   25.087091]  kasan_save_stack+0x3c/0x68
[   25.087147]  kasan_save_track+0x20/0x40
[   25.087190]  kasan_save_alloc_info+0x40/0x58
[   25.087236]  __kasan_mempool_unpoison_object+0xbc/0x180
[   25.087385]  remove_element+0x16c/0x1f8
[   25.087456]  mempool_alloc_preallocated+0x58/0xc0
[   25.087507]  mempool_uaf_helper+0xa4/0x340
[   25.087554]  mempool_slab_uaf+0xc0/0x118
[   25.087595]  kunit_try_run_case+0x170/0x3f0
[   25.087645]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.087698]  kthread+0x328/0x630
[   25.087740]  ret_from_fork+0x10/0x20
[   25.087784] 
[   25.087809] Freed by task 235:
[   25.087842]  kasan_save_stack+0x3c/0x68
[   25.087886]  kasan_save_track+0x20/0x40
[   25.087930]  kasan_save_free_info+0x4c/0x78
[   25.087975]  __kasan_mempool_poison_object+0xc0/0x150
[   25.088025]  mempool_free+0x28c/0x328
[   25.088070]  mempool_uaf_helper+0x104/0x340
[   25.088308]  mempool_slab_uaf+0xc0/0x118
[   25.088370]  kunit_try_run_case+0x170/0x3f0
[   25.088437]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.088503]  kthread+0x328/0x630
[   25.088596]  ret_from_fork+0x10/0x20
[   25.088642] 
[   25.088669] The buggy address belongs to the object at fff00000c7714240
[   25.088669]  which belongs to the cache test_cache of size 123
[   25.088742] The buggy address is located 0 bytes inside of
[   25.088742]  freed 123-byte region [fff00000c7714240, fff00000c77142bb)
[   25.088816] 
[   25.088843] The buggy address belongs to the physical page:
[   25.088885] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107714
[   25.088952] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.089807] page_type: f5(slab)
[   25.089906] raw: 0bfffe0000000000 fff00000c56b58c0 dead000000000122 0000000000000000
[   25.090023] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   25.090074] page dumped because: kasan: bad access detected
[   25.090119] 
[   25.090153] Memory state around the buggy address:
[   25.090199]  fff00000c7714100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.090252]  fff00000c7714180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.090324] >fff00000c7714200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   25.090490]                                            ^
[   25.090584]  fff00000c7714280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.090821]  fff00000c7714300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.091070] ==================================================================
[   25.052471] ==================================================================
[   25.052596] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   25.052713] Read of size 1 at addr fff00000c76c5600 by task kunit_try_catch/231
[   25.052777] 
[   25.052834] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.15.2-rc1 #1 PREEMPT 
[   25.052940] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.052974] Hardware name: linux,dummy-virt (DT)
[   25.053015] Call trace:
[   25.053046]  show_stack+0x20/0x38 (C)
[   25.053109]  dump_stack_lvl+0x8c/0xd0
[   25.053173]  print_report+0x118/0x608
[   25.053225]  kasan_report+0xdc/0x128
[   25.053276]  __asan_report_load1_noabort+0x20/0x30
[   25.053352]  mempool_uaf_helper+0x314/0x340
[   25.053429]  mempool_kmalloc_uaf+0xc4/0x120
[   25.053489]  kunit_try_run_case+0x170/0x3f0
[   25.053550]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.053615]  kthread+0x328/0x630
[   25.053668]  ret_from_fork+0x10/0x20
[   25.053727] 
[   25.053751] Allocated by task 231:
[   25.053846]  kasan_save_stack+0x3c/0x68
[   25.053950]  kasan_save_track+0x20/0x40
[   25.054046]  kasan_save_alloc_info+0x40/0x58
[   25.054098]  __kasan_mempool_unpoison_object+0x11c/0x180
[   25.054150]  remove_element+0x130/0x1f8
[   25.054201]  mempool_alloc_preallocated+0x58/0xc0
[   25.054251]  mempool_uaf_helper+0xa4/0x340
[   25.054353]  mempool_kmalloc_uaf+0xc4/0x120
[   25.054437]  kunit_try_run_case+0x170/0x3f0
[   25.054496]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.054552]  kthread+0x328/0x630
[   25.054594]  ret_from_fork+0x10/0x20
[   25.054639] 
[   25.054662] Freed by task 231:
[   25.054698]  kasan_save_stack+0x3c/0x68
[   25.054743]  kasan_save_track+0x20/0x40
[   25.054834]  kasan_save_free_info+0x4c/0x78
[   25.054923]  __kasan_mempool_poison_object+0xc0/0x150
[   25.054996]  mempool_free+0x28c/0x328
[   25.055044]  mempool_uaf_helper+0x104/0x340
[   25.055095]  mempool_kmalloc_uaf+0xc4/0x120
[   25.055143]  kunit_try_run_case+0x170/0x3f0
[   25.055192]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.055328]  kthread+0x328/0x630
[   25.055379]  ret_from_fork+0x10/0x20
[   25.055539] 
[   25.055567] The buggy address belongs to the object at fff00000c76c5600
[   25.055567]  which belongs to the cache kmalloc-128 of size 128
[   25.055640] The buggy address is located 0 bytes inside of
[   25.055640]  freed 128-byte region [fff00000c76c5600, fff00000c76c5680)
[   25.055711] 
[   25.055742] The buggy address belongs to the physical page:
[   25.055833] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076c5
[   25.055905] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.055972] page_type: f5(slab)
[   25.056024] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   25.056256] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.056379] page dumped because: kasan: bad access detected
[   25.056479] 
[   25.056503] Memory state around the buggy address:
[   25.056547]  fff00000c76c5500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.056674]  fff00000c76c5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.056727] >fff00000c76c5600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.056772]                    ^
[   25.056816]  fff00000c76c5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.056934]  fff00000c76c5700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.056983] ==================================================================

[   15.449049] ==================================================================
[   15.449547] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   15.449760] Read of size 1 at addr ffff8881033b1200 by task kunit_try_catch/247
[   15.450595] 
[   15.451010] CPU: 0 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G    B            N  6.15.2-rc1 #1 PREEMPT(voluntary) 
[   15.451082] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.451098] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.451125] Call Trace:
[   15.451164]  <TASK>
[   15.451188]  dump_stack_lvl+0x73/0xb0
[   15.451233]  print_report+0xd1/0x650
[   15.451263]  ? __virt_addr_valid+0x1db/0x2d0
[   15.451292]  ? mempool_uaf_helper+0x392/0x400
[   15.451319]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.451344]  ? mempool_uaf_helper+0x392/0x400
[   15.451370]  kasan_report+0x141/0x180
[   15.451395]  ? mempool_uaf_helper+0x392/0x400
[   15.451424]  __asan_report_load1_noabort+0x18/0x20
[   15.451447]  mempool_uaf_helper+0x392/0x400
[   15.451472]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   15.451498]  ? dequeue_entities+0x852/0x1740
[   15.451528]  ? finish_task_switch.isra.0+0x153/0x700
[   15.451578]  mempool_kmalloc_uaf+0xef/0x140
[   15.451609]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   15.451635]  ? dequeue_task_fair+0x166/0x4e0
[   15.451659]  ? __pfx_mempool_kmalloc+0x10/0x10
[   15.451684]  ? __pfx_mempool_kfree+0x10/0x10
[   15.451709]  ? __pfx_read_tsc+0x10/0x10
[   15.451732]  ? ktime_get_ts64+0x86/0x230
[   15.451762]  kunit_try_run_case+0x1a5/0x480
[   15.451793]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.451819]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.451847]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.451872]  ? __kthread_parkme+0x82/0x180
[   15.451898]  ? preempt_count_sub+0x50/0x80
[   15.451925]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.451953]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.451978]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.452004]  kthread+0x337/0x6f0
[   15.452023]  ? trace_preempt_on+0x20/0xc0
[   15.452050]  ? __pfx_kthread+0x10/0x10
[   15.452070]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.452094]  ? calculate_sigpending+0x7b/0xa0
[   15.452120]  ? __pfx_kthread+0x10/0x10
[   15.452141]  ret_from_fork+0x41/0x80
[   15.452165]  ? __pfx_kthread+0x10/0x10
[   15.452185]  ret_from_fork_asm+0x1a/0x30
[   15.452218]  </TASK>
[   15.452234] 
[   15.464203] Allocated by task 247:
[   15.464405]  kasan_save_stack+0x45/0x70
[   15.465132]  kasan_save_track+0x18/0x40
[   15.465309]  kasan_save_alloc_info+0x3b/0x50
[   15.465872]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   15.466258]  remove_element+0x11e/0x190
[   15.466422]  mempool_alloc_preallocated+0x4d/0x90
[   15.466887]  mempool_uaf_helper+0x96/0x400
[   15.467089]  mempool_kmalloc_uaf+0xef/0x140
[   15.467221]  kunit_try_run_case+0x1a5/0x480
[   15.467548]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.468072]  kthread+0x337/0x6f0
[   15.468270]  ret_from_fork+0x41/0x80
[   15.468382]  ret_from_fork_asm+0x1a/0x30
[   15.468696] 
[   15.468860] Freed by task 247:
[   15.469017]  kasan_save_stack+0x45/0x70
[   15.469186]  kasan_save_track+0x18/0x40
[   15.469382]  kasan_save_free_info+0x3f/0x60
[   15.470157]  __kasan_mempool_poison_object+0x131/0x1d0
[   15.470452]  mempool_free+0x2ec/0x380
[   15.470587]  mempool_uaf_helper+0x11a/0x400
[   15.471046]  mempool_kmalloc_uaf+0xef/0x140
[   15.471290]  kunit_try_run_case+0x1a5/0x480
[   15.471529]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.472068]  kthread+0x337/0x6f0
[   15.472240]  ret_from_fork+0x41/0x80
[   15.472372]  ret_from_fork_asm+0x1a/0x30
[   15.472910] 
[   15.473028] The buggy address belongs to the object at ffff8881033b1200
[   15.473028]  which belongs to the cache kmalloc-128 of size 128
[   15.473576] The buggy address is located 0 bytes inside of
[   15.473576]  freed 128-byte region [ffff8881033b1200, ffff8881033b1280)
[   15.474751] 
[   15.474874] The buggy address belongs to the physical page:
[   15.475079] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033b1
[   15.475688] flags: 0x200000000000000(node=0|zone=2)
[   15.476021] page_type: f5(slab)
[   15.476215] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   15.476813] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.477087] page dumped because: kasan: bad access detected
[   15.477255] 
[   15.477394] Memory state around the buggy address:
[   15.477616]  ffff8881033b1100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.477760]  ffff8881033b1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.478415] >ffff8881033b1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.479201]                    ^
[   15.479431]  ffff8881033b1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.480217]  ffff8881033b1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   15.480455] ==================================================================
[   15.511953] ==================================================================
[   15.512344] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   15.513121] Read of size 1 at addr ffff8881033b3240 by task kunit_try_catch/251
[   15.513531] 
[   15.513651] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G    B            N  6.15.2-rc1 #1 PREEMPT(voluntary) 
[   15.514036] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.514049] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.514073] Call Trace:
[   15.514090]  <TASK>
[   15.514111]  dump_stack_lvl+0x73/0xb0
[   15.514150]  print_report+0xd1/0x650
[   15.514176]  ? __virt_addr_valid+0x1db/0x2d0
[   15.514200]  ? mempool_uaf_helper+0x392/0x400
[   15.514224]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.514247]  ? mempool_uaf_helper+0x392/0x400
[   15.514269]  kasan_report+0x141/0x180
[   15.514292]  ? mempool_uaf_helper+0x392/0x400
[   15.514319]  __asan_report_load1_noabort+0x18/0x20
[   15.514338]  mempool_uaf_helper+0x392/0x400
[   15.514361]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   15.514383]  ? update_load_avg+0x1be/0x21b0
[   15.514409]  ? finish_task_switch.isra.0+0x153/0x700
[   15.514436]  mempool_slab_uaf+0xea/0x140
[   15.514457]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   15.514476]  ? dequeue_task_fair+0x156/0x4e0
[   15.514499]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   15.514521]  ? __pfx_mempool_free_slab+0x10/0x10
[   15.514543]  ? __pfx_read_tsc+0x10/0x10
[   15.514583]  ? ktime_get_ts64+0x86/0x230
[   15.514615]  kunit_try_run_case+0x1a5/0x480
[   15.514644]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.514667]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.514693]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.514717]  ? __kthread_parkme+0x82/0x180
[   15.514741]  ? preempt_count_sub+0x50/0x80
[   15.514765]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.514788]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.514812]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.514834]  kthread+0x337/0x6f0
[   15.514852]  ? trace_preempt_on+0x20/0xc0
[   15.514878]  ? __pfx_kthread+0x10/0x10
[   15.514896]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.514917]  ? calculate_sigpending+0x7b/0xa0
[   15.514940]  ? __pfx_kthread+0x10/0x10
[   15.514958]  ret_from_fork+0x41/0x80
[   15.514980]  ? __pfx_kthread+0x10/0x10
[   15.514998]  ret_from_fork_asm+0x1a/0x30
[   15.515027]  </TASK>
[   15.515041] 
[   15.529902] Allocated by task 251:
[   15.530103]  kasan_save_stack+0x45/0x70
[   15.530291]  kasan_save_track+0x18/0x40
[   15.530453]  kasan_save_alloc_info+0x3b/0x50
[   15.531704]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   15.531948]  remove_element+0x11e/0x190
[   15.532135]  mempool_alloc_preallocated+0x4d/0x90
[   15.532361]  mempool_uaf_helper+0x96/0x400
[   15.532581]  mempool_slab_uaf+0xea/0x140
[   15.532744]  kunit_try_run_case+0x1a5/0x480
[   15.532864]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.532983]  kthread+0x337/0x6f0
[   15.533067]  ret_from_fork+0x41/0x80
[   15.533161]  ret_from_fork_asm+0x1a/0x30
[   15.533257] 
[   15.533314] Freed by task 251:
[   15.533397]  kasan_save_stack+0x45/0x70
[   15.533498]  kasan_save_track+0x18/0x40
[   15.533615]  kasan_save_free_info+0x3f/0x60
[   15.533729]  __kasan_mempool_poison_object+0x131/0x1d0
[   15.533850]  mempool_free+0x2ec/0x380
[   15.533943]  mempool_uaf_helper+0x11a/0x400
[   15.534045]  mempool_slab_uaf+0xea/0x140
[   15.534138]  kunit_try_run_case+0x1a5/0x480
[   15.534240]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.534356]  kthread+0x337/0x6f0
[   15.534439]  ret_from_fork+0x41/0x80
[   15.534529]  ret_from_fork_asm+0x1a/0x30
[   15.535073] 
[   15.535292] The buggy address belongs to the object at ffff8881033b3240
[   15.535292]  which belongs to the cache test_cache of size 123
[   15.536808] The buggy address is located 0 bytes inside of
[   15.536808]  freed 123-byte region [ffff8881033b3240, ffff8881033b32bb)
[   15.538099] 
[   15.538318] The buggy address belongs to the physical page:
[   15.538977] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033b3
[   15.540184] flags: 0x200000000000000(node=0|zone=2)
[   15.540619] page_type: f5(slab)
[   15.541074] raw: 0200000000000000 ffff8881033a93c0 dead000000000122 0000000000000000
[   15.541340] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   15.542052] page dumped because: kasan: bad access detected
[   15.542373] 
[   15.542516] Memory state around the buggy address:
[   15.543110]  ffff8881033b3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.543529]  ffff8881033b3180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.544406] >ffff8881033b3200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   15.544896]                                            ^
[   15.545256]  ffff8881033b3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.545795]  ffff8881033b3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.546030] ==================================================================
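The four reports above are the expected output of the KASAN KUnit self-tests rather than bugs found in the wild: mempool_kmalloc_uaf and mempool_slab_uaf (in the KASAN test suite under mm/kasan) take an element from a mempool, hand it back with mempool_free(), and then read it on purpose, and the [N]=TEST taint marks the run as a test. What is worth checking on a page like this is that the access KASAN flagged is the one the test intended: the shadow byte under the faulting address should say "freed slab object", and the caret and the "freed N-byte region" line should agree with the address on the "Read of size" line. The script below is an added example, not part of this dashboard or of the kernel tree. It parses a generic-KASAN report from its text, decodes the shadow values (fa/fb freed slab object, fc redzone, 00 accessible, 01-07 partially accessible granule, as defined in mm/kasan/kasan.h) and runs those checks. The sample lines are copied from the arm64 mempool_slab_uaf report on this page, with the caret line rebuilt using the kernel's own indent; the function and field names are mine.

```python
import re

# Generic KASAN keeps one shadow byte per 8-byte granule; the values below are
# the ones from mm/kasan/kasan.h that show up in slab reports.
GRANULE = 8
SHADOW_MEANING = {
    0x00: "accessible",
    0xfa: "freed slab object (first granule, holds free-track metadata)",
    0xfb: "freed slab object",
    0xfc: "slab/kmalloc redzone",
    0xfe: "page redzone (large kmalloc)",
    0xff: "freed page",
    0xf8: "invalid vmalloc space",
    0xf9: "global redzone",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
}

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s?")  # "[   25.085824] " dmesg prefix
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
REGION_RE = re.compile(r"freed (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^([ >])([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")
# The kernel prints the caret with "%*c" and width 3 + 16 + 3*index + 1, so the
# '^' lands at 0-based column 19 + 3*index under the guilty granule.
CARET_BASE = 19


def describe_shadow(value, fault):
    """What KASAN believes about the granule that contains `fault`."""
    if 1 <= value <= 7:
        # Partially accessible granule: only the first `value` bytes are valid.
        ok = (fault % GRANULE) < value
        return f"partially accessible ({value} bytes): access {'ok' if ok else 'out of bounds'}"
    return SHADOW_MEANING.get(value, f"unknown shadow value 0x{value:02x}")


def triage(report_lines):
    """Parse one generic-KASAN report and cross-check the access against the shadow map."""
    info, shadow = {}, {}
    marked_line = caret_col = None
    for raw in report_lines:
        line = TIMESTAMP.sub("", raw.rstrip())
        if m := BUG_RE.search(line):
            info["bug"], info["in"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(line):
            info["op"], info["size"] = m.group(1), int(m.group(2))
            info["fault"], info["task"] = int(m.group(3), 16), m.group(4)
        elif m := REGION_RE.search(line):
            info["region_size"] = int(m.group(1))
            info["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := SHADOW_RE.match(line):
            base = int(m.group(2), 16)
            if m.group(1) == ">":
                marked_line = base          # the row the kernel flagged with '>'
            for i, byte in enumerate(m.group(3).split()):
                shadow[base + i * GRANULE] = int(byte, 16)
        elif line.strip() == "^":
            caret_col = line.index("^")
    if "fault" not in info:
        raise ValueError("no 'Read/Write of size ... at addr' line in report")
    fault = info["fault"]
    granule = fault - fault % GRANULE
    value = shadow.get(granule)
    info["shadow_byte"] = value
    info["shadow_meaning"] = "granule not in dump" if value is None else describe_shadow(value, fault)
    caret_idx = None if caret_col is None else (caret_col - CARET_BASE) // 3
    info["caret_matches"] = marked_line is not None and caret_idx == (granule - marked_line) // GRANULE
    start, end = info.get("region", (0, 0))
    info["offset_in_region"] = fault - start if start <= fault < end else None
    return info


# Constructed sample: the lines that matter, copied from the arm64 mempool_slab_uaf
# report above (the caret line is rebuilt with the kernel's 43-space indent).
SAMPLE = [
    "[   25.085824] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340",
    "[   25.085917] Read of size 1 at addr fff00000c7714240 by task kunit_try_catch/235",
    "[   25.088742] The buggy address is located 0 bytes inside of",
    "[   25.088742]  freed 123-byte region [fff00000c7714240, fff00000c77142bb)",
    "[   25.090153] Memory state around the buggy address:",
    "[   25.090199]  fff00000c7714100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
    "[   25.090252]  fff00000c7714180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "[   25.090324] >fff00000c7714200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb",
    "[   25.090490] " + " " * 43 + "^",
    "[   25.090584]  fff00000c7714280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
    "[   25.090821]  fff00000c7714300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
]

if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key:>17}: {val}")
```

Run as a script it prints the decoded fields for the sample; on the x86_64 reports it gives the same 0xfa shadow byte, with the caret at granule 0 for the kmalloc-128 case because that object starts on a 128-byte row boundary. Note that KASAN poisons the object rounded up to a whole granule, which is why the 123-byte test_cache object shows 16 freed granules (128 bytes) before the fc redzone begins. A 00 shadow byte under a reported use-after-free, or a caret that does not line up with the "Read of size" address, points at a log mangled in transit rather than at a KASAN problem.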