Date
June 17, 2025, 3:40 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 24.187997] ================================================================== [ 24.188135] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 24.188237] Read of size 1 at addr fff00000c794bc00 by task kunit_try_catch/229 [ 24.188298] [ 24.188355] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.3-rc1 #1 PREEMPT [ 24.188459] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.188489] Hardware name: linux,dummy-virt (DT) [ 24.188529] Call trace: [ 24.188559] show_stack+0x20/0x38 (C) [ 24.188619] dump_stack_lvl+0x8c/0xd0 [ 24.188679] print_report+0x118/0x608 [ 24.189226] kasan_report+0xdc/0x128 [ 24.189511] __asan_report_load1_noabort+0x20/0x30 [ 24.189789] mempool_uaf_helper+0x314/0x340 [ 24.189857] mempool_kmalloc_uaf+0xc4/0x120 [ 24.189920] kunit_try_run_case+0x170/0x3f0 [ 24.190012] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.190131] kthread+0x328/0x630 [ 24.190196] ret_from_fork+0x10/0x20 [ 24.190259] [ 24.190282] Allocated by task 229: [ 24.190325] kasan_save_stack+0x3c/0x68 [ 24.190432] kasan_save_track+0x20/0x40 [ 24.190808] kasan_save_alloc_info+0x40/0x58 [ 24.190900] __kasan_mempool_unpoison_object+0x11c/0x180 [ 24.190967] remove_element+0x130/0x1f8 [ 24.191076] mempool_alloc_preallocated+0x58/0xc0 [ 24.191130] mempool_uaf_helper+0xa4/0x340 [ 24.191188] mempool_kmalloc_uaf+0xc4/0x120 [ 24.191486] kunit_try_run_case+0x170/0x3f0 [ 24.191554] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.191611] kthread+0x328/0x630 [ 24.191724] ret_from_fork+0x10/0x20 [ 24.191813] [ 24.192157] Freed by task 229: [ 24.192298] kasan_save_stack+0x3c/0x68 [ 24.192454] kasan_save_track+0x20/0x40 [ 24.192527] kasan_save_free_info+0x4c/0x78 [ 24.192679] __kasan_mempool_poison_object+0xc0/0x150 [ 24.192803] mempool_free+0x28c/0x328 [ 24.192859] mempool_uaf_helper+0x104/0x340 [ 24.193073] mempool_kmalloc_uaf+0xc4/0x120 [ 24.193207] kunit_try_run_case+0x170/0x3f0 [ 24.193331] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.193470] kthread+0x328/0x630 [ 24.193531] ret_from_fork+0x10/0x20 [ 24.193656] [ 24.193688] The buggy address belongs to the object at fff00000c794bc00 [ 24.193688] which belongs to the cache kmalloc-128 of size 128 [ 24.193811] The buggy address is located 0 bytes inside of [ 24.193811] freed 128-byte region [fff00000c794bc00, fff00000c794bc80) [ 24.194008] [ 24.194045] The buggy address belongs to the physical page: [ 24.194088] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10794b [ 24.194171] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 24.194239] page_type: f5(slab) [ 24.194295] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 24.194357] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.194889] page dumped because: kasan: bad access detected [ 24.195016] [ 24.195112] Memory state around the buggy address: [ 24.195171] fff00000c794bb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.195232] fff00000c794bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.195292] >fff00000c794bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.195339] ^ [ 24.195701] fff00000c794bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.195945] fff00000c794bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.196247] ================================================================== [ 24.230937] ================================================================== [ 24.231058] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 24.231159] Read of size 1 at addr fff00000c78d9240 by task kunit_try_catch/233 [ 24.231220] [ 24.231273] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.3-rc1 #1 PREEMPT [ 24.231399] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.231458] Hardware name: linux,dummy-virt (DT) [ 24.231506] Call trace: [ 24.231592] show_stack+0x20/0x38 (C) [ 24.231661] dump_stack_lvl+0x8c/0xd0 [ 24.231722] print_report+0x118/0x608 [ 24.232205] kasan_report+0xdc/0x128 [ 24.232300] __asan_report_load1_noabort+0x20/0x30 [ 24.232370] mempool_uaf_helper+0x314/0x340 [ 24.232429] mempool_slab_uaf+0xc0/0x118 [ 24.232484] kunit_try_run_case+0x170/0x3f0 [ 24.232544] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.232606] kthread+0x328/0x630 [ 24.233109] ret_from_fork+0x10/0x20 [ 24.233213] [ 24.233237] Allocated by task 233: [ 24.233511] kasan_save_stack+0x3c/0x68 [ 24.233602] kasan_save_track+0x20/0x40 [ 24.234017] kasan_save_alloc_info+0x40/0x58 [ 24.234094] __kasan_mempool_unpoison_object+0xbc/0x180 [ 24.234158] remove_element+0x16c/0x1f8 [ 24.234284] mempool_alloc_preallocated+0x58/0xc0 [ 24.234351] mempool_uaf_helper+0xa4/0x340 [ 24.234629] mempool_slab_uaf+0xc0/0x118 [ 24.234814] kunit_try_run_case+0x170/0x3f0 [ 24.234898] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.235024] kthread+0x328/0x630 [ 24.235162] ret_from_fork+0x10/0x20 [ 24.235421] [ 24.235591] Freed by task 233: [ 24.235653] kasan_save_stack+0x3c/0x68 [ 24.235711] kasan_save_track+0x20/0x40 [ 24.235897] kasan_save_free_info+0x4c/0x78 [ 24.235958] __kasan_mempool_poison_object+0xc0/0x150 [ 24.236252] mempool_free+0x28c/0x328 [ 24.236458] mempool_uaf_helper+0x104/0x340 [ 24.236540] mempool_slab_uaf+0xc0/0x118 [ 24.236793] kunit_try_run_case+0x170/0x3f0 [ 24.236995] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.237062] kthread+0x328/0x630 [ 24.237226] ret_from_fork+0x10/0x20 [ 24.237399] [ 24.237457] The buggy address belongs to the object at fff00000c78d9240 [ 24.237457] which belongs to the cache test_cache of size 123 [ 24.237539] The buggy address is located 0 bytes inside of [ 24.237539] freed 123-byte region [fff00000c78d9240, fff00000c78d92bb) [ 24.237612] [ 24.237638] The buggy address belongs to the physical page: [ 24.237682] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078d9 [ 24.237812] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 24.237888] page_type: f5(slab) [ 24.237945] raw: 0bfffe0000000000 fff00000c5918780 dead000000000122 0000000000000000 [ 24.238006] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 24.238055] page dumped because: kasan: bad access detected [ 24.238095] [ 24.238116] Memory state around the buggy address: [ 24.238182] fff00000c78d9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.238301] fff00000c78d9180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.238358] >fff00000c78d9200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 24.238400] ^ [ 24.238444] fff00000c78d9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.238490] fff00000c78d9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.238986] ==================================================================
[ 21.559750] ================================================================== [ 21.560711] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 21.561429] Read of size 1 at addr ffff888103096e00 by task kunit_try_catch/247 [ 21.563031] [ 21.563596] CPU: 0 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.15.3-rc1 #1 PREEMPT(voluntary) [ 21.563780] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.563830] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 21.563914] Call Trace: [ 21.563983] <TASK> [ 21.564038] dump_stack_lvl+0x73/0xb0 [ 21.564172] print_report+0xd1/0x650 [ 21.564269] ? __virt_addr_valid+0x1db/0x2d0 [ 21.564337] ? mempool_uaf_helper+0x392/0x400 [ 21.564374] ? kasan_complete_mode_report_info+0x64/0x200 [ 21.564408] ? mempool_uaf_helper+0x392/0x400 [ 21.564443] kasan_report+0x141/0x180 [ 21.564481] ? mempool_uaf_helper+0x392/0x400 [ 21.564524] __asan_report_load1_noabort+0x18/0x20 [ 21.564557] mempool_uaf_helper+0x392/0x400 [ 21.564591] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 21.564627] ? dequeue_entities+0x852/0x1740 [ 21.564664] ? finish_task_switch.isra.0+0x153/0x700 [ 21.564703] mempool_kmalloc_uaf+0xef/0x140 [ 21.564738] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 21.564772] ? dequeue_task_fair+0x166/0x4e0 [ 21.564804] ? __pfx_mempool_kmalloc+0x10/0x10 [ 21.564835] ? __pfx_mempool_kfree+0x10/0x10 [ 21.564866] ? __pfx_read_tsc+0x10/0x10 [ 21.564898] ? ktime_get_ts64+0x86/0x230 [ 21.564936] kunit_try_run_case+0x1a5/0x480 [ 21.565032] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.565112] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 21.565157] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 21.565193] ? __kthread_parkme+0x82/0x180 [ 21.565228] ? preempt_count_sub+0x50/0x80 [ 21.565264] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.565329] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.565368] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 21.565402] kthread+0x337/0x6f0 [ 21.565428] ? trace_preempt_on+0x20/0xc0 [ 21.565463] ? __pfx_kthread+0x10/0x10 [ 21.565490] ? _raw_spin_unlock_irq+0x47/0x80 [ 21.565521] ? calculate_sigpending+0x7b/0xa0 [ 21.565554] ? __pfx_kthread+0x10/0x10 [ 21.565579] ret_from_fork+0x41/0x80 [ 21.565611] ? __pfx_kthread+0x10/0x10 [ 21.565636] ret_from_fork_asm+0x1a/0x30 [ 21.565682] </TASK> [ 21.565698] [ 21.589186] Allocated by task 247: [ 21.589685] kasan_save_stack+0x45/0x70 [ 21.590180] kasan_save_track+0x18/0x40 [ 21.590675] kasan_save_alloc_info+0x3b/0x50 [ 21.591275] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 21.591842] remove_element+0x11e/0x190 [ 21.593114] mempool_alloc_preallocated+0x4d/0x90 [ 21.593486] mempool_uaf_helper+0x96/0x400 [ 21.593823] mempool_kmalloc_uaf+0xef/0x140 [ 21.594597] kunit_try_run_case+0x1a5/0x480 [ 21.594930] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.595884] kthread+0x337/0x6f0 [ 21.596590] ret_from_fork+0x41/0x80 [ 21.597575] ret_from_fork_asm+0x1a/0x30 [ 21.598134] [ 21.598375] Freed by task 247: [ 21.598767] kasan_save_stack+0x45/0x70 [ 21.599348] kasan_save_track+0x18/0x40 [ 21.599794] kasan_save_free_info+0x3f/0x60 [ 21.600168] __kasan_mempool_poison_object+0x131/0x1d0 [ 21.600775] mempool_free+0x2ec/0x380 [ 21.601108] mempool_uaf_helper+0x11a/0x400 [ 21.601560] mempool_kmalloc_uaf+0xef/0x140 [ 21.601989] kunit_try_run_case+0x1a5/0x480 [ 21.602715] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.603129] kthread+0x337/0x6f0 [ 21.603436] ret_from_fork+0x41/0x80 [ 21.604060] ret_from_fork_asm+0x1a/0x30 [ 21.604699] [ 21.605142] The buggy address belongs to the object at ffff888103096e00 [ 21.605142] which belongs to the cache kmalloc-128 of size 128 [ 21.606163] The buggy address is located 0 bytes inside of [ 21.606163] freed 128-byte region [ffff888103096e00, ffff888103096e80) [ 21.607537] [ 21.607816] The buggy address belongs to the physical page: [ 21.608499] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103096 [ 21.609381] flags: 0x200000000000000(node=0|zone=2) [ 21.609821] page_type: f5(slab) [ 21.610511] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 21.611113] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 21.611931] page dumped because: kasan: bad access detected [ 21.612585] [ 21.612837] Memory state around the buggy address: [ 21.613456] ffff888103096d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.614336] ffff888103096d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.614899] >ffff888103096e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.615595] ^ [ 21.616106] ffff888103096e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.616687] ffff888103096f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 21.617489] ================================================================== [ 21.678106] ================================================================== [ 21.678874] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 21.679808] Read of size 1 at addr ffff888102eec240 by task kunit_try_catch/251 [ 21.680959] [ 21.681318] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.15.3-rc1 #1 PREEMPT(voluntary) [ 21.681449] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.681486] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 21.681542] Call Trace: [ 21.681631] <TASK> [ 21.681682] dump_stack_lvl+0x73/0xb0 [ 21.681796] print_report+0xd1/0x650 [ 21.681880] ? __virt_addr_valid+0x1db/0x2d0 [ 21.681956] ? mempool_uaf_helper+0x392/0x400 [ 21.682220] ? kasan_complete_mode_report_info+0x64/0x200 [ 21.682311] ? mempool_uaf_helper+0x392/0x400 [ 21.682391] kasan_report+0x141/0x180 [ 21.682466] ? mempool_uaf_helper+0x392/0x400 [ 21.682524] __asan_report_load1_noabort+0x18/0x20 [ 21.682560] mempool_uaf_helper+0x392/0x400 [ 21.682602] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 21.682642] ? irqentry_exit+0x2a/0x60 [ 21.682671] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 21.682713] mempool_slab_uaf+0xea/0x140 [ 21.682744] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 21.682778] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 21.682815] ? __pfx_mempool_free_slab+0x10/0x10 [ 21.682852] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 21.682886] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 21.682919] kunit_try_run_case+0x1a5/0x480 [ 21.683056] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.683111] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 21.683153] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 21.683190] ? __kthread_parkme+0x82/0x180 [ 21.683227] ? preempt_count_sub+0x50/0x80 [ 21.683265] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.683333] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.683376] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 21.683413] kthread+0x337/0x6f0 [ 21.683440] ? trace_preempt_on+0x20/0xc0 [ 21.683477] ? __pfx_kthread+0x10/0x10 [ 21.683504] ? _raw_spin_unlock_irq+0x47/0x80 [ 21.683539] ? calculate_sigpending+0x7b/0xa0 [ 21.683574] ? __pfx_kthread+0x10/0x10 [ 21.683603] ret_from_fork+0x41/0x80 [ 21.683636] ? __pfx_kthread+0x10/0x10 [ 21.683665] ret_from_fork_asm+0x1a/0x30 [ 21.683712] </TASK> [ 21.683728] [ 21.706021] Allocated by task 251: [ 21.706623] kasan_save_stack+0x45/0x70 [ 21.707086] kasan_save_track+0x18/0x40 [ 21.707707] kasan_save_alloc_info+0x3b/0x50 [ 21.708927] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 21.710030] remove_element+0x11e/0x190 [ 21.710459] mempool_alloc_preallocated+0x4d/0x90 [ 21.712244] mempool_uaf_helper+0x96/0x400 [ 21.713662] mempool_slab_uaf+0xea/0x140 [ 21.713951] kunit_try_run_case+0x1a5/0x480 [ 21.714253] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.715498] kthread+0x337/0x6f0 [ 21.715936] ret_from_fork+0x41/0x80 [ 21.717367] ret_from_fork_asm+0x1a/0x30 [ 21.717641] [ 21.717776] Freed by task 251: [ 21.718801] kasan_save_stack+0x45/0x70 [ 21.719133] kasan_save_track+0x18/0x40 [ 21.719473] kasan_save_free_info+0x3f/0x60 [ 21.719772] __kasan_mempool_poison_object+0x131/0x1d0 [ 21.720139] mempool_free+0x2ec/0x380 [ 21.721530] mempool_uaf_helper+0x11a/0x400 [ 21.723459] mempool_slab_uaf+0xea/0x140 [ 21.724752] kunit_try_run_case+0x1a5/0x480 [ 21.726230] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.727712] kthread+0x337/0x6f0 [ 21.727994] ret_from_fork+0x41/0x80 [ 21.728658] ret_from_fork_asm+0x1a/0x30 [ 21.728987] [ 21.729402] The buggy address belongs to the object at ffff888102eec240 [ 21.729402] which belongs to the cache test_cache of size 123 [ 21.731362] The buggy address is located 0 bytes inside of [ 21.731362] freed 123-byte region [ffff888102eec240, ffff888102eec2bb) [ 21.732813] [ 21.733266] The buggy address belongs to the physical page: [ 21.733747] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102eec [ 21.735376] flags: 0x200000000000000(node=0|zone=2) [ 21.735766] page_type: f5(slab) [ 21.736752] raw: 0200000000000000 ffff888102ee4280 dead000000000122 0000000000000000 [ 21.737798] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 21.738591] page dumped because: kasan: bad access detected [ 21.739063] [ 21.739349] Memory state around the buggy address: [ 21.739688] ffff888102eec100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 21.740421] ffff888102eec180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.741752] >ffff888102eec200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 21.742404] ^ [ 21.742915] ffff888102eec280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 21.743805] ffff888102eec300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.744685] ==================================================================