Date
June 23, 2025, 1:39 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 27.504575] ================================================================== [ 27.505005] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 27.505159] Read of size 1 at addr fff00000c76cfb00 by task kunit_try_catch/229 [ 27.505291] [ 27.505381] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT [ 27.505596] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.505680] Hardware name: linux,dummy-virt (DT) [ 27.505778] Call trace: [ 27.506141] show_stack+0x20/0x38 (C) [ 27.506507] dump_stack_lvl+0x8c/0xd0 [ 27.506747] print_report+0x118/0x608 [ 27.506913] kasan_report+0xdc/0x128 [ 27.507090] __asan_report_load1_noabort+0x20/0x30 [ 27.507379] mempool_uaf_helper+0x314/0x340 [ 27.507520] mempool_kmalloc_uaf+0xc4/0x120 [ 27.507672] kunit_try_run_case+0x170/0x3f0 [ 27.507861] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.508418] kthread+0x328/0x630 [ 27.509108] ret_from_fork+0x10/0x20 [ 27.509310] [ 27.509356] Allocated by task 229: [ 27.510265] kasan_save_stack+0x3c/0x68 [ 27.510373] kasan_save_track+0x20/0x40 [ 27.510933] kasan_save_alloc_info+0x40/0x58 [ 27.511048] __kasan_mempool_unpoison_object+0x11c/0x180 [ 27.511207] remove_element+0x130/0x1f8 [ 27.511308] mempool_alloc_preallocated+0x58/0xc0 [ 27.511474] mempool_uaf_helper+0xa4/0x340 [ 27.511571] mempool_kmalloc_uaf+0xc4/0x120 [ 27.511677] kunit_try_run_case+0x170/0x3f0 [ 27.511829] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.511988] kthread+0x328/0x630 [ 27.512094] ret_from_fork+0x10/0x20 [ 27.512197] [ 27.512244] Freed by task 229: [ 27.512309] kasan_save_stack+0x3c/0x68 [ 27.512417] kasan_save_track+0x20/0x40 [ 27.512535] kasan_save_free_info+0x4c/0x78 [ 27.512780] __kasan_mempool_poison_object+0xc0/0x150 [ 27.513075] mempool_free+0x28c/0x328 [ 27.513208] mempool_uaf_helper+0x104/0x340 [ 27.513365] mempool_kmalloc_uaf+0xc4/0x120 [ 27.513535] kunit_try_run_case+0x170/0x3f0 [ 27.513691] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.513804] kthread+0x328/0x630 [ 27.513898] ret_from_fork+0x10/0x20 [ 27.513997] [ 27.514125] The buggy address belongs to the object at fff00000c76cfb00 [ 27.514125] which belongs to the cache kmalloc-128 of size 128 [ 27.514447] The buggy address is located 0 bytes inside of [ 27.514447] freed 128-byte region [fff00000c76cfb00, fff00000c76cfb80) [ 27.514662] [ 27.514723] The buggy address belongs to the physical page: [ 27.514811] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076cf [ 27.515084] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.515548] page_type: f5(slab) [ 27.515925] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 27.516122] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 27.516438] page dumped because: kasan: bad access detected [ 27.516821] [ 27.517011] Memory state around the buggy address: [ 27.517287] fff00000c76cfa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.517425] fff00000c76cfa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.518127] >fff00000c76cfb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.518243] ^ [ 27.518320] fff00000c76cfb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.518455] fff00000c76cfc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.518993] ================================================================== [ 27.576572] ================================================================== [ 27.576730] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 27.576861] Read of size 1 at addr fff00000c7068240 by task kunit_try_catch/233 [ 27.576976] [ 27.577055] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT [ 27.577272] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.577337] Hardware name: linux,dummy-virt (DT) [ 27.577428] Call trace: [ 27.577487] show_stack+0x20/0x38 (C) [ 27.577604] dump_stack_lvl+0x8c/0xd0 [ 27.577734] print_report+0x118/0x608 [ 27.578067] kasan_report+0xdc/0x128 [ 27.578341] __asan_report_load1_noabort+0x20/0x30 [ 27.578497] mempool_uaf_helper+0x314/0x340 [ 27.578677] mempool_slab_uaf+0xc0/0x118 [ 27.578867] kunit_try_run_case+0x170/0x3f0 [ 27.579063] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.579224] kthread+0x328/0x630 [ 27.579359] ret_from_fork+0x10/0x20 [ 27.579514] [ 27.579566] Allocated by task 233: [ 27.579640] kasan_save_stack+0x3c/0x68 [ 27.579855] kasan_save_track+0x20/0x40 [ 27.580035] kasan_save_alloc_info+0x40/0x58 [ 27.580160] __kasan_mempool_unpoison_object+0xbc/0x180 [ 27.580493] remove_element+0x16c/0x1f8 [ 27.580637] mempool_alloc_preallocated+0x58/0xc0 [ 27.580821] mempool_uaf_helper+0xa4/0x340 [ 27.580940] mempool_slab_uaf+0xc0/0x118 [ 27.581089] kunit_try_run_case+0x170/0x3f0 [ 27.581222] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.581341] kthread+0x328/0x630 [ 27.581494] ret_from_fork+0x10/0x20 [ 27.581612] [ 27.581714] Freed by task 233: [ 27.581835] kasan_save_stack+0x3c/0x68 [ 27.582019] kasan_save_track+0x20/0x40 [ 27.582194] kasan_save_free_info+0x4c/0x78 [ 27.582335] __kasan_mempool_poison_object+0xc0/0x150 [ 27.582464] mempool_free+0x28c/0x328 [ 27.582559] mempool_uaf_helper+0x104/0x340 [ 27.582683] mempool_slab_uaf+0xc0/0x118 [ 27.582790] kunit_try_run_case+0x170/0x3f0 [ 27.582902] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.583017] kthread+0x328/0x630 [ 27.583119] ret_from_fork+0x10/0x20 [ 27.583347] [ 27.583422] The buggy address belongs to the object at fff00000c7068240 [ 27.583422] which belongs to the cache test_cache of size 123 [ 27.583932] The buggy address is located 0 bytes inside of [ 27.583932] freed 123-byte region [fff00000c7068240, fff00000c70682bb) [ 27.584085] [ 27.584137] The buggy address belongs to the physical page: [ 27.584233] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107068 [ 27.584432] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.584599] page_type: f5(slab) [ 27.584703] raw: 0bfffe0000000000 fff00000c64b83c0 dead000000000122 0000000000000000 [ 27.584869] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 27.585186] page dumped because: kasan: bad access detected [ 27.585447] [ 27.585592] Memory state around the buggy address: [ 27.585726] fff00000c7068100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.585843] fff00000c7068180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.586016] >fff00000c7068200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 27.586116] ^ [ 27.586246] fff00000c7068280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.586360] fff00000c7068300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.586751] ==================================================================
[ 19.499776] ================================================================== [ 19.500772] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 19.501525] Read of size 1 at addr ffff88810a08c240 by task kunit_try_catch/252 [ 19.502747] [ 19.502963] CPU: 1 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT(voluntary) [ 19.503092] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.503128] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.503186] Call Trace: [ 19.503224] <TASK> [ 19.503268] dump_stack_lvl+0x73/0xb0 [ 19.503348] print_report+0xd1/0x650 [ 19.503427] ? __virt_addr_valid+0x1db/0x2d0 [ 19.503504] ? mempool_uaf_helper+0x392/0x400 [ 19.503582] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.503674] ? mempool_uaf_helper+0x392/0x400 [ 19.503760] kasan_report+0x141/0x180 [ 19.503836] ? mempool_uaf_helper+0x392/0x400 [ 19.503921] __asan_report_load1_noabort+0x18/0x20 [ 19.503981] mempool_uaf_helper+0x392/0x400 [ 19.504020] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 19.504055] ? update_load_avg+0x1be/0x21b0 [ 19.504095] ? finish_task_switch.isra.0+0x153/0x700 [ 19.504135] mempool_slab_uaf+0xea/0x140 [ 19.504165] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 19.504194] ? dequeue_task_fair+0x166/0x4e0 [ 19.504265] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 19.504305] ? __pfx_mempool_free_slab+0x10/0x10 [ 19.504339] ? __pfx_read_tsc+0x10/0x10 [ 19.504368] ? ktime_get_ts64+0x86/0x230 [ 19.504404] kunit_try_run_case+0x1a5/0x480 [ 19.504441] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.504473] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.504508] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.504540] ? __kthread_parkme+0x82/0x180 [ 19.504571] ? preempt_count_sub+0x50/0x80 [ 19.504669] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.504749] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.504787] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.504823] kthread+0x337/0x6f0 [ 19.504847] ? trace_preempt_on+0x20/0xc0 [ 19.504882] ? __pfx_kthread+0x10/0x10 [ 19.504907] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.504939] ? calculate_sigpending+0x7b/0xa0 [ 19.504969] ? __pfx_kthread+0x10/0x10 [ 19.504993] ret_from_fork+0x41/0x80 [ 19.505025] ? __pfx_kthread+0x10/0x10 [ 19.505051] ret_from_fork_asm+0x1a/0x30 [ 19.505095] </TASK> [ 19.505109] [ 19.525998] Allocated by task 252: [ 19.526532] kasan_save_stack+0x45/0x70 [ 19.527270] kasan_save_track+0x18/0x40 [ 19.528030] kasan_save_alloc_info+0x3b/0x50 [ 19.528586] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 19.529346] remove_element+0x11e/0x190 [ 19.529961] mempool_alloc_preallocated+0x4d/0x90 [ 19.530552] mempool_uaf_helper+0x96/0x400 [ 19.530949] mempool_slab_uaf+0xea/0x140 [ 19.531419] kunit_try_run_case+0x1a5/0x480 [ 19.532059] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.532933] kthread+0x337/0x6f0 [ 19.533461] ret_from_fork+0x41/0x80 [ 19.534050] ret_from_fork_asm+0x1a/0x30 [ 19.534376] [ 19.534623] Freed by task 252: [ 19.534971] kasan_save_stack+0x45/0x70 [ 19.535324] kasan_save_track+0x18/0x40 [ 19.536224] kasan_save_free_info+0x3f/0x60 [ 19.537074] __kasan_mempool_poison_object+0x131/0x1d0 [ 19.537732] mempool_free+0x2ec/0x380 [ 19.538361] mempool_uaf_helper+0x11a/0x400 [ 19.539035] mempool_slab_uaf+0xea/0x140 [ 19.539515] kunit_try_run_case+0x1a5/0x480 [ 19.539935] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.540568] kthread+0x337/0x6f0 [ 19.540929] ret_from_fork+0x41/0x80 [ 19.541306] ret_from_fork_asm+0x1a/0x30 [ 19.541748] [ 19.541975] The buggy address belongs to the object at ffff88810a08c240 [ 19.541975] which belongs to the cache test_cache of size 123 [ 19.543276] The buggy address is located 0 bytes inside of [ 19.543276] freed 123-byte region [ffff88810a08c240, ffff88810a08c2bb) [ 19.544281] [ 19.544520] The buggy address belongs to the physical page: [ 19.545149] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a08c [ 19.545971] flags: 0x200000000000000(node=0|zone=2) [ 19.546490] page_type: f5(slab) [ 19.547366] raw: 0200000000000000 ffff888101611dc0 dead000000000122 0000000000000000 [ 19.548132] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 19.548831] page dumped because: kasan: bad access detected [ 19.549358] [ 19.549592] Memory state around the buggy address: [ 19.550104] ffff88810a08c100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 19.550669] ffff88810a08c180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.551215] >ffff88810a08c200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 19.551753] ^ [ 19.552777] ffff88810a08c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 19.553355] ffff88810a08c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.554082] ================================================================== [ 19.385130] ================================================================== [ 19.386565] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 19.387250] Read of size 1 at addr ffff888102a13700 by task kunit_try_catch/248 [ 19.388248] [ 19.388867] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT(voluntary) [ 19.389018] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.389056] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.389114] Call Trace: [ 19.389150] <TASK> [ 19.389195] dump_stack_lvl+0x73/0xb0 [ 19.389279] print_report+0xd1/0x650 [ 19.389340] ? __virt_addr_valid+0x1db/0x2d0 [ 19.389376] ? mempool_uaf_helper+0x392/0x400 [ 19.389410] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.389442] ? mempool_uaf_helper+0x392/0x400 [ 19.389474] kasan_report+0x141/0x180 [ 19.389507] ? mempool_uaf_helper+0x392/0x400 [ 19.389547] __asan_report_load1_noabort+0x18/0x20 [ 19.389576] mempool_uaf_helper+0x392/0x400 [ 19.389678] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 19.389759] ? dequeue_entities+0x852/0x1740 [ 19.389802] ? finish_task_switch.isra.0+0x153/0x700 [ 19.389843] mempool_kmalloc_uaf+0xef/0x140 [ 19.389877] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 19.389911] ? dequeue_task_fair+0x166/0x4e0 [ 19.389943] ? __pfx_mempool_kmalloc+0x10/0x10 [ 19.389975] ? __pfx_mempool_kfree+0x10/0x10 [ 19.390006] ? __pfx_read_tsc+0x10/0x10 [ 19.390036] ? ktime_get_ts64+0x86/0x230 [ 19.390072] kunit_try_run_case+0x1a5/0x480 [ 19.390111] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.390145] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.390181] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.390243] ? __kthread_parkme+0x82/0x180 [ 19.390292] ? preempt_count_sub+0x50/0x80 [ 19.390330] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.390366] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.390401] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.390436] kthread+0x337/0x6f0 [ 19.390460] ? trace_preempt_on+0x20/0xc0 [ 19.390495] ? __pfx_kthread+0x10/0x10 [ 19.390522] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.390554] ? calculate_sigpending+0x7b/0xa0 [ 19.390586] ? __pfx_kthread+0x10/0x10 [ 19.390657] ret_from_fork+0x41/0x80 [ 19.390730] ? __pfx_kthread+0x10/0x10 [ 19.390795] ret_from_fork_asm+0x1a/0x30 [ 19.390843] </TASK> [ 19.390860] [ 19.411008] Allocated by task 248: [ 19.411421] kasan_save_stack+0x45/0x70 [ 19.412084] kasan_save_track+0x18/0x40 [ 19.412948] kasan_save_alloc_info+0x3b/0x50 [ 19.413421] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 19.414324] remove_element+0x11e/0x190 [ 19.414905] mempool_alloc_preallocated+0x4d/0x90 [ 19.415485] mempool_uaf_helper+0x96/0x400 [ 19.416124] mempool_kmalloc_uaf+0xef/0x140 [ 19.416739] kunit_try_run_case+0x1a5/0x480 [ 19.417197] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.417977] kthread+0x337/0x6f0 [ 19.418443] ret_from_fork+0x41/0x80 [ 19.419096] ret_from_fork_asm+0x1a/0x30 [ 19.419532] [ 19.419733] Freed by task 248: [ 19.420052] kasan_save_stack+0x45/0x70 [ 19.420576] kasan_save_track+0x18/0x40 [ 19.421074] kasan_save_free_info+0x3f/0x60 [ 19.421784] __kasan_mempool_poison_object+0x131/0x1d0 [ 19.422341] mempool_free+0x2ec/0x380 [ 19.422863] mempool_uaf_helper+0x11a/0x400 [ 19.423397] mempool_kmalloc_uaf+0xef/0x140 [ 19.424104] kunit_try_run_case+0x1a5/0x480 [ 19.424732] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.425342] kthread+0x337/0x6f0 [ 19.425915] ret_from_fork+0x41/0x80 [ 19.426388] ret_from_fork_asm+0x1a/0x30 [ 19.427025] [ 19.427259] The buggy address belongs to the object at ffff888102a13700 [ 19.427259] which belongs to the cache kmalloc-128 of size 128 [ 19.428509] The buggy address is located 0 bytes inside of [ 19.428509] freed 128-byte region [ffff888102a13700, ffff888102a13780) [ 19.430787] [ 19.430940] The buggy address belongs to the physical page: [ 19.431536] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a13 [ 19.432409] flags: 0x200000000000000(node=0|zone=2) [ 19.433071] page_type: f5(slab) [ 19.433401] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.434067] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.434696] page dumped because: kasan: bad access detected [ 19.435450] [ 19.435680] Memory state around the buggy address: [ 19.436437] ffff888102a13600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.437244] ffff888102a13680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.438742] >ffff888102a13700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.439304] ^ [ 19.439893] ffff888102a13780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.440523] ffff888102a13800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 19.441438] ==================================================================