Date
July 3, 2025, 3:13 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.625118] ================================================================== [ 17.625252] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.625416] Read of size 1 at addr fff00000c77fa240 by task kunit_try_catch/234 [ 17.625477] [ 17.625552] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc1 #1 PREEMPT [ 17.625645] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.625672] Hardware name: linux,dummy-virt (DT) [ 17.625709] Call trace: [ 17.625732] show_stack+0x20/0x38 (C) [ 17.625791] dump_stack_lvl+0x8c/0xd0 [ 17.625841] print_report+0x118/0x608 [ 17.625884] kasan_report+0xdc/0x128 [ 17.625931] __asan_report_load1_noabort+0x20/0x30 [ 17.625998] mempool_uaf_helper+0x314/0x340 [ 17.626059] mempool_slab_uaf+0xc0/0x118 [ 17.626106] kunit_try_run_case+0x170/0x3f0 [ 17.626154] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.626206] kthread+0x328/0x630 [ 17.626251] ret_from_fork+0x10/0x20 [ 17.626300] [ 17.626317] Allocated by task 234: [ 17.626347] kasan_save_stack+0x3c/0x68 [ 17.626386] kasan_save_track+0x20/0x40 [ 17.626430] kasan_save_alloc_info+0x40/0x58 [ 17.626466] __kasan_mempool_unpoison_object+0xbc/0x180 [ 17.626507] remove_element+0x16c/0x1f8 [ 17.626546] mempool_alloc_preallocated+0x58/0xc0 [ 17.626587] mempool_uaf_helper+0xa4/0x340 [ 17.626624] mempool_slab_uaf+0xc0/0x118 [ 17.626658] kunit_try_run_case+0x170/0x3f0 [ 17.626700] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.626747] kthread+0x328/0x630 [ 17.626782] ret_from_fork+0x10/0x20 [ 17.626815] [ 17.626834] Freed by task 234: [ 17.626858] kasan_save_stack+0x3c/0x68 [ 17.626892] kasan_save_track+0x20/0x40 [ 17.626927] kasan_save_free_info+0x4c/0x78 [ 17.626980] __kasan_mempool_poison_object+0xc0/0x150 [ 17.627019] mempool_free+0x28c/0x328 [ 17.627056] mempool_uaf_helper+0x104/0x340 [ 17.627094] mempool_slab_uaf+0xc0/0x118 [ 17.627128] kunit_try_run_case+0x170/0x3f0 [ 17.627165] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.627212] kthread+0x328/0x630 [ 17.627245] ret_from_fork+0x10/0x20 [ 17.627279] [ 17.627299] The buggy address belongs to the object at fff00000c77fa240 [ 17.627299] which belongs to the cache test_cache of size 123 [ 17.627355] The buggy address is located 0 bytes inside of [ 17.627355] freed 123-byte region [fff00000c77fa240, fff00000c77fa2bb) [ 17.627416] [ 17.627436] The buggy address belongs to the physical page: [ 17.627465] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077fa [ 17.627518] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.627565] page_type: f5(slab) [ 17.627606] raw: 0bfffe0000000000 fff00000c5d10b40 dead000000000122 0000000000000000 [ 17.627653] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 17.627692] page dumped because: kasan: bad access detected [ 17.627722] [ 17.627739] Memory state around the buggy address: [ 17.627771] fff00000c77fa100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.627813] fff00000c77fa180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.627855] >fff00000c77fa200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 17.627891] ^ [ 17.627924] fff00000c77fa280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.627972] fff00000c77fa300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.628021] ================================================================== [ 17.539965] ================================================================== [ 17.540047] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.540115] Read of size 1 at addr fff00000c638ed00 by task kunit_try_catch/230 [ 17.540183] [ 17.540224] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc1 #1 PREEMPT [ 17.540553] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.540581] Hardware name: linux,dummy-virt (DT) [ 17.540732] Call trace: [ 17.540872] show_stack+0x20/0x38 (C) [ 17.540960] dump_stack_lvl+0x8c/0xd0 [ 17.542218] print_report+0x118/0x608 [ 17.542265] kasan_report+0xdc/0x128 [ 17.542325] __asan_report_load1_noabort+0x20/0x30 [ 17.542380] mempool_uaf_helper+0x314/0x340 [ 17.542435] mempool_kmalloc_uaf+0xc4/0x120 [ 17.542482] kunit_try_run_case+0x170/0x3f0 [ 17.542531] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.542584] kthread+0x328/0x630 [ 17.542627] ret_from_fork+0x10/0x20 [ 17.542709] [ 17.542729] Allocated by task 230: [ 17.542770] kasan_save_stack+0x3c/0x68 [ 17.542810] kasan_save_track+0x20/0x40 [ 17.542846] kasan_save_alloc_info+0x40/0x58 [ 17.542908] __kasan_mempool_unpoison_object+0x11c/0x180 [ 17.543073] remove_element+0x130/0x1f8 [ 17.543160] mempool_alloc_preallocated+0x58/0xc0 [ 17.543201] mempool_uaf_helper+0xa4/0x340 [ 17.543248] mempool_kmalloc_uaf+0xc4/0x120 [ 17.543288] kunit_try_run_case+0x170/0x3f0 [ 17.543327] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.543376] kthread+0x328/0x630 [ 17.543411] ret_from_fork+0x10/0x20 [ 17.543446] [ 17.543469] Freed by task 230: [ 17.543747] kasan_save_stack+0x3c/0x68 [ 17.543826] kasan_save_track+0x20/0x40 [ 17.544074] kasan_save_free_info+0x4c/0x78 [ 17.544120] __kasan_mempool_poison_object+0xc0/0x150 [ 17.544280] mempool_free+0x28c/0x328 [ 17.544335] mempool_uaf_helper+0x104/0x340 [ 17.544661] mempool_kmalloc_uaf+0xc4/0x120 [ 17.544760] kunit_try_run_case+0x170/0x3f0 [ 17.544877] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.544934] kthread+0x328/0x630 [ 17.545029] ret_from_fork+0x10/0x20 [ 17.545065] [ 17.545084] The buggy address belongs to the object at fff00000c638ed00 [ 17.545084] which belongs to the cache kmalloc-128 of size 128 [ 17.545440] The buggy address is located 0 bytes inside of [ 17.545440] freed 128-byte region [fff00000c638ed00, fff00000c638ed80) [ 17.545682] [ 17.545707] The buggy address belongs to the physical page: [ 17.545738] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10638e [ 17.545866] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.545920] page_type: f5(slab) [ 17.545979] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.546028] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.546087] page dumped because: kasan: bad access detected [ 17.546117] [ 17.546137] Memory state around the buggy address: [ 17.546446] fff00000c638ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.546506] fff00000c638ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.546745] >fff00000c638ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.546788] ^ [ 17.547682] fff00000c638ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.547930] fff00000c638ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 17.548000] ==================================================================
[ 12.672581] ================================================================== [ 12.672993] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 12.673249] Read of size 1 at addr ffff888102dc0d00 by task kunit_try_catch/246 [ 12.673487] [ 12.673584] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc1 #1 PREEMPT(voluntary) [ 12.673781] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.673797] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.673823] Call Trace: [ 12.673836] <TASK> [ 12.674087] dump_stack_lvl+0x73/0xb0 [ 12.674124] print_report+0xd1/0x650 [ 12.674161] ? __virt_addr_valid+0x1db/0x2d0 [ 12.674185] ? mempool_uaf_helper+0x392/0x400 [ 12.674207] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.674240] ? mempool_uaf_helper+0x392/0x400 [ 12.674263] kasan_report+0x141/0x180 [ 12.674287] ? mempool_uaf_helper+0x392/0x400 [ 12.674314] __asan_report_load1_noabort+0x18/0x20 [ 12.674336] mempool_uaf_helper+0x392/0x400 [ 12.674360] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 12.674383] ? dequeue_entities+0x852/0x1740 [ 12.674409] ? finish_task_switch.isra.0+0x153/0x700 [ 12.674437] mempool_kmalloc_uaf+0xef/0x140 [ 12.674460] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 12.674483] ? dequeue_task_fair+0x166/0x4e0 [ 12.674506] ? __pfx_mempool_kmalloc+0x10/0x10 [ 12.674528] ? __pfx_mempool_kfree+0x10/0x10 [ 12.674550] ? __pfx_read_tsc+0x10/0x10 [ 12.674570] ? ktime_get_ts64+0x86/0x230 [ 12.674598] kunit_try_run_case+0x1a5/0x480 [ 12.674624] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.674647] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.674672] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.674697] ? __kthread_parkme+0x82/0x180 [ 12.674720] ? preempt_count_sub+0x50/0x80 [ 12.674744] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.674768] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.674791] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.674815] kthread+0x337/0x6f0 [ 12.674832] ? trace_preempt_on+0x20/0xc0 [ 12.674855] ? __pfx_kthread+0x10/0x10 [ 12.674874] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.674896] ? calculate_sigpending+0x7b/0xa0 [ 12.674919] ? __pfx_kthread+0x10/0x10 [ 12.674937] ret_from_fork+0x41/0x80 [ 12.674958] ? __pfx_kthread+0x10/0x10 [ 12.674976] ret_from_fork_asm+0x1a/0x30 [ 12.675007] </TASK> [ 12.675019] [ 12.687167] Allocated by task 246: [ 12.687503] kasan_save_stack+0x45/0x70 [ 12.687928] kasan_save_track+0x18/0x40 [ 12.688087] kasan_save_alloc_info+0x3b/0x50 [ 12.688252] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 12.688643] remove_element+0x11e/0x190 [ 12.689158] mempool_alloc_preallocated+0x4d/0x90 [ 12.689397] mempool_uaf_helper+0x96/0x400 [ 12.689746] mempool_kmalloc_uaf+0xef/0x140 [ 12.689896] kunit_try_run_case+0x1a5/0x480 [ 12.690106] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.690582] kthread+0x337/0x6f0 [ 12.690755] ret_from_fork+0x41/0x80 [ 12.691073] ret_from_fork_asm+0x1a/0x30 [ 12.691254] [ 12.691459] Freed by task 246: [ 12.691587] kasan_save_stack+0x45/0x70 [ 12.691868] kasan_save_track+0x18/0x40 [ 12.692000] kasan_save_free_info+0x3f/0x60 [ 12.692205] __kasan_mempool_poison_object+0x131/0x1d0 [ 12.692461] mempool_free+0x2ec/0x380 [ 12.692635] mempool_uaf_helper+0x11a/0x400 [ 12.693030] mempool_kmalloc_uaf+0xef/0x140 [ 12.693204] kunit_try_run_case+0x1a5/0x480 [ 12.693442] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.693618] kthread+0x337/0x6f0 [ 12.693732] ret_from_fork+0x41/0x80 [ 12.693984] ret_from_fork_asm+0x1a/0x30 [ 12.694210] [ 12.694309] The buggy address belongs to the object at ffff888102dc0d00 [ 12.694309] which belongs to the cache kmalloc-128 of size 128 [ 12.695103] The buggy address is located 0 bytes inside of [ 12.695103] freed 128-byte region [ffff888102dc0d00, ffff888102dc0d80) [ 12.696187] [ 12.696309] The buggy address belongs to the physical page: [ 12.696594] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102dc0 [ 12.697045] flags: 0x200000000000000(node=0|zone=2) [ 12.697370] page_type: f5(slab) [ 12.697867] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.698402] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.698701] page dumped because: kasan: bad access detected [ 12.699145] [ 12.699264] Memory state around the buggy address: [ 12.699664] ffff888102dc0c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.700124] ffff888102dc0c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.700457] >ffff888102dc0d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.701086] ^ [ 12.701451] ffff888102dc0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.701935] ffff888102dc0e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 12.702190] ================================================================== [ 12.740183] ================================================================== [ 12.741387] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 12.741819] Read of size 1 at addr ffff8881039f2240 by task kunit_try_catch/250 [ 12.742610] [ 12.742981] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc1 #1 PREEMPT(voluntary) [ 12.743095] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.743110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.743135] Call Trace: [ 12.743149] <TASK> [ 12.743169] dump_stack_lvl+0x73/0xb0 [ 12.743202] print_report+0xd1/0x650 [ 12.743227] ? __virt_addr_valid+0x1db/0x2d0 [ 12.743263] ? mempool_uaf_helper+0x392/0x400 [ 12.743288] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.743311] ? mempool_uaf_helper+0x392/0x400 [ 12.743334] kasan_report+0x141/0x180 [ 12.743357] ? mempool_uaf_helper+0x392/0x400 [ 12.743385] __asan_report_load1_noabort+0x18/0x20 [ 12.743407] mempool_uaf_helper+0x392/0x400 [ 12.743430] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 12.743457] ? finish_task_switch.isra.0+0x153/0x700 [ 12.743487] mempool_slab_uaf+0xea/0x140 [ 12.743507] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 12.743527] ? dequeue_task_fair+0x166/0x4e0 [ 12.743551] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 12.743574] ? __pfx_mempool_free_slab+0x10/0x10 [ 12.743597] ? __pfx_read_tsc+0x10/0x10 [ 12.743619] ? ktime_get_ts64+0x86/0x230 [ 12.743645] kunit_try_run_case+0x1a5/0x480 [ 12.743672] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.743695] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.743721] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.743746] ? __kthread_parkme+0x82/0x180 [ 12.743769] ? preempt_count_sub+0x50/0x80 [ 12.743794] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.743819] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.743843] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.743866] kthread+0x337/0x6f0 [ 12.743883] ? trace_preempt_on+0x20/0xc0 [ 12.743908] ? __pfx_kthread+0x10/0x10 [ 12.743926] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.743949] ? calculate_sigpending+0x7b/0xa0 [ 12.743972] ? __pfx_kthread+0x10/0x10 [ 12.743990] ret_from_fork+0x41/0x80 [ 12.744010] ? __pfx_kthread+0x10/0x10 [ 12.744029] ret_from_fork_asm+0x1a/0x30 [ 12.744060] </TASK> [ 12.744072] [ 12.758497] Allocated by task 250: [ 12.758989] kasan_save_stack+0x45/0x70 [ 12.759456] kasan_save_track+0x18/0x40 [ 12.759825] kasan_save_alloc_info+0x3b/0x50 [ 12.760307] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 12.760639] remove_element+0x11e/0x190 [ 12.761053] mempool_alloc_preallocated+0x4d/0x90 [ 12.761685] mempool_uaf_helper+0x96/0x400 [ 12.762104] mempool_slab_uaf+0xea/0x140 [ 12.762597] kunit_try_run_case+0x1a5/0x480 [ 12.763053] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.763449] kthread+0x337/0x6f0 [ 12.763839] ret_from_fork+0x41/0x80 [ 12.764223] ret_from_fork_asm+0x1a/0x30 [ 12.764757] [ 12.765015] Freed by task 250: [ 12.765199] kasan_save_stack+0x45/0x70 [ 12.765492] kasan_save_track+0x18/0x40 [ 12.765755] kasan_save_free_info+0x3f/0x60 [ 12.765942] __kasan_mempool_poison_object+0x131/0x1d0 [ 12.766167] mempool_free+0x2ec/0x380 [ 12.766700] mempool_uaf_helper+0x11a/0x400 [ 12.767107] mempool_slab_uaf+0xea/0x140 [ 12.767561] kunit_try_run_case+0x1a5/0x480 [ 12.767950] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.768193] kthread+0x337/0x6f0 [ 12.768701] ret_from_fork+0x41/0x80 [ 12.768981] ret_from_fork_asm+0x1a/0x30 [ 12.769567] [ 12.769671] The buggy address belongs to the object at ffff8881039f2240 [ 12.769671] which belongs to the cache test_cache of size 123 [ 12.770142] The buggy address is located 0 bytes inside of [ 12.770142] freed 123-byte region [ffff8881039f2240, ffff8881039f22bb) [ 12.771173] [ 12.771434] The buggy address belongs to the physical page: [ 12.772261] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f2 [ 12.773123] flags: 0x200000000000000(node=0|zone=2) [ 12.773628] page_type: f5(slab) [ 12.773918] raw: 0200000000000000 ffff888101ac5640 dead000000000122 0000000000000000 [ 12.774251] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 12.774993] page dumped because: kasan: bad access detected [ 12.775251] [ 12.775619] Memory state around the buggy address: [ 12.775899] ffff8881039f2100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 12.776222] ffff8881039f2180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.776452] >ffff8881039f2200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 12.777060] ^ [ 12.777708] ffff8881039f2280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 12.778185] ffff8881039f2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.778769] ==================================================================