Date
July 15, 2025, 2:09 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 19.893374] ==================================================================
[ 19.893435] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 19.893489] Read of size 1 at addr fff00000c5996240 by task kunit_try_catch/233
[ 19.893541]
[ 19.893570] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT
[ 19.893655] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.893683] Hardware name: linux,dummy-virt (DT)
[ 19.894325] Call trace:
[ 19.894449] show_stack+0x20/0x38 (C)
[ 19.894610] dump_stack_lvl+0x8c/0xd0
[ 19.894789] print_report+0x118/0x5d0
[ 19.894908] kasan_report+0xdc/0x128
[ 19.894959] __asan_report_load1_noabort+0x20/0x30
[ 19.895011] mempool_uaf_helper+0x314/0x340
[ 19.895059] mempool_slab_uaf+0xc0/0x118
[ 19.895105] kunit_try_run_case+0x170/0x3f0
[ 19.895339] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.895534] kthread+0x328/0x630
[ 19.895633] ret_from_fork+0x10/0x20
[ 19.895826]
[ 19.895893] Allocated by task 233:
[ 19.896080] kasan_save_stack+0x3c/0x68
[ 19.896157] kasan_save_track+0x20/0x40
[ 19.896195] kasan_save_alloc_info+0x40/0x58
[ 19.896529] __kasan_mempool_unpoison_object+0xbc/0x180
[ 19.896713] remove_element+0x16c/0x1f8
[ 19.896786] mempool_alloc_preallocated+0x58/0xc0
[ 19.896962] mempool_uaf_helper+0xa4/0x340
[ 19.897053] mempool_slab_uaf+0xc0/0x118
[ 19.897217] kunit_try_run_case+0x170/0x3f0
[ 19.897269] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.897521] kthread+0x328/0x630
[ 19.897568] ret_from_fork+0x10/0x20
[ 19.897611]
[ 19.897651] Freed by task 233:
[ 19.897706] kasan_save_stack+0x3c/0x68
[ 19.898406] kasan_save_track+0x20/0x40
[ 19.898474] kasan_save_free_info+0x4c/0x78
[ 19.898607] __kasan_mempool_poison_object+0xc0/0x150
[ 19.898738] mempool_free+0x28c/0x328
[ 19.898891] mempool_uaf_helper+0x104/0x340
[ 19.898998] mempool_slab_uaf+0xc0/0x118
[ 19.899138] kunit_try_run_case+0x170/0x3f0
[ 19.899264] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.899334] kthread+0x328/0x630
[ 19.899610] ret_from_fork+0x10/0x20
[ 19.899752]
[ 19.899794] The buggy address belongs to the object at fff00000c5996240
[ 19.899794]  which belongs to the cache test_cache of size 123
[ 19.899917] The buggy address is located 0 bytes inside of
[ 19.899917]  freed 123-byte region [fff00000c5996240, fff00000c59962bb)
[ 19.899993]
[ 19.900042] The buggy address belongs to the physical page:
[ 19.900306] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105996
[ 19.900384] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.900480] page_type: f5(slab)
[ 19.900583] raw: 0bfffe0000000000 fff00000c1c3adc0 dead000000000122 0000000000000000
[ 19.900636] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 19.900821] page dumped because: kasan: bad access detected
[ 19.900863]
[ 19.900881] Memory state around the buggy address:
[ 19.900943]  fff00000c5996100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 19.901021]  fff00000c5996180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.901130] >fff00000c5996200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 19.901267]                                            ^
[ 19.901362]  fff00000c5996280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 19.901467]  fff00000c5996300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.901538] ==================================================================
[ 19.856833] ==================================================================
[ 19.857147] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 19.857230] Read of size 1 at addr fff00000c59e4a00 by task kunit_try_catch/229
[ 19.857283]
[ 19.857783] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT
[ 19.857982] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.858074] Hardware name: linux,dummy-virt (DT)
[ 19.858148] Call trace:
[ 19.858196] show_stack+0x20/0x38 (C)
[ 19.858308] dump_stack_lvl+0x8c/0xd0
[ 19.858377] print_report+0x118/0x5d0
[ 19.858447] kasan_report+0xdc/0x128
[ 19.858493] __asan_report_load1_noabort+0x20/0x30
[ 19.858544] mempool_uaf_helper+0x314/0x340
[ 19.858858] mempool_kmalloc_uaf+0xc4/0x120
[ 19.858937] kunit_try_run_case+0x170/0x3f0
[ 19.859002] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.859073] kthread+0x328/0x630
[ 19.859164] ret_from_fork+0x10/0x20
[ 19.859238]
[ 19.859276] Allocated by task 229:
[ 19.859326] kasan_save_stack+0x3c/0x68
[ 19.859405] kasan_save_track+0x20/0x40
[ 19.859494] kasan_save_alloc_info+0x40/0x58
[ 19.859571] __kasan_mempool_unpoison_object+0x11c/0x180
[ 19.859639] remove_element+0x130/0x1f8
[ 19.859696] mempool_alloc_preallocated+0x58/0xc0
[ 19.859886] mempool_uaf_helper+0xa4/0x340
[ 19.860417] mempool_kmalloc_uaf+0xc4/0x120
[ 19.860556] kunit_try_run_case+0x170/0x3f0
[ 19.860668] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.861006] kthread+0x328/0x630
[ 19.861192] ret_from_fork+0x10/0x20
[ 19.861252]
[ 19.861417] Freed by task 229:
[ 19.861510] kasan_save_stack+0x3c/0x68
[ 19.861739] kasan_save_track+0x20/0x40
[ 19.861818] kasan_save_free_info+0x4c/0x78
[ 19.861959] __kasan_mempool_poison_object+0xc0/0x150
[ 19.862058] mempool_free+0x28c/0x328
[ 19.862136] mempool_uaf_helper+0x104/0x340
[ 19.862708] mempool_kmalloc_uaf+0xc4/0x120
[ 19.863174] kunit_try_run_case+0x170/0x3f0
[ 19.863323] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.863476] kthread+0x328/0x630
[ 19.863588] ret_from_fork+0x10/0x20
[ 19.863719]
[ 19.863772] The buggy address belongs to the object at fff00000c59e4a00
[ 19.863772]  which belongs to the cache kmalloc-128 of size 128
[ 19.863860] The buggy address is located 0 bytes inside of
[ 19.863860]  freed 128-byte region [fff00000c59e4a00, fff00000c59e4a80)
[ 19.864254]
[ 19.864322] The buggy address belongs to the physical page:
[ 19.864434] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059e4
[ 19.864714] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.864922] page_type: f5(slab)
[ 19.865032] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.865086] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.865332] page dumped because: kasan: bad access detected
[ 19.865542]
[ 19.865576] Memory state around the buggy address:
[ 19.865850]  fff00000c59e4900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.866038]  fff00000c59e4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.866098] >fff00000c59e4a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.866467]                    ^
[ 19.866583]  fff00000c59e4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.866639]  fff00000c59e4b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.866842] ==================================================================
```
qemu-x86_64:

```text
[ 12.562459] ==================================================================
[ 12.563210] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.563557] Read of size 1 at addr ffff888102245240 by task kunit_try_catch/250
[ 12.564004]
[ 12.564110] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT(voluntary)
[ 12.564196] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.564208] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.564228] Call Trace:
[ 12.564241] <TASK>
[ 12.564257] dump_stack_lvl+0x73/0xb0
[ 12.564281] print_report+0xd1/0x610
[ 12.564305] ? __virt_addr_valid+0x1db/0x2d0
[ 12.564359] ? mempool_uaf_helper+0x392/0x400
[ 12.564381] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.564403] ? mempool_uaf_helper+0x392/0x400
[ 12.564425] kasan_report+0x141/0x180
[ 12.564448] ? mempool_uaf_helper+0x392/0x400
[ 12.564475] __asan_report_load1_noabort+0x18/0x20
[ 12.564495] mempool_uaf_helper+0x392/0x400
[ 12.564548] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.564569] ? update_load_avg+0x1be/0x21b0
[ 12.564593] ? finish_task_switch.isra.0+0x153/0x700
[ 12.564620] mempool_slab_uaf+0xea/0x140
[ 12.564639] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 12.564686] ? dequeue_task_fair+0x156/0x4e0
[ 12.564708] ? __pfx_mempool_alloc_slab+0x10/0x10
[ 12.564729] ? __pfx_mempool_free_slab+0x10/0x10
[ 12.564800] ? __pfx_read_tsc+0x10/0x10
[ 12.564823] ? ktime_get_ts64+0x86/0x230
[ 12.564849] kunit_try_run_case+0x1a5/0x480
[ 12.564871] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.564901] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.564926] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.564948] ? __kthread_parkme+0x82/0x180
[ 12.564970] ? preempt_count_sub+0x50/0x80
[ 12.564993] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.565013] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.565037] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.565059] kthread+0x337/0x6f0
[ 12.565075] ? trace_preempt_on+0x20/0xc0
[ 12.565098] ? __pfx_kthread+0x10/0x10
[ 12.565115] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.565140] ? calculate_sigpending+0x7b/0xa0
[ 12.565162] ? __pfx_kthread+0x10/0x10
[ 12.565179] ret_from_fork+0x41/0x80
[ 12.565199] ? __pfx_kthread+0x10/0x10
[ 12.565216] ret_from_fork_asm+0x1a/0x30
[ 12.565246] </TASK>
[ 12.565256]
[ 12.574874] Allocated by task 250:
[ 12.575070] kasan_save_stack+0x45/0x70
[ 12.575256] kasan_save_track+0x18/0x40
[ 12.575392] kasan_save_alloc_info+0x3b/0x50
[ 12.575601] __kasan_mempool_unpoison_object+0x1bb/0x200
[ 12.575896] remove_element+0x11e/0x190
[ 12.576040] mempool_alloc_preallocated+0x4d/0x90
[ 12.576599] mempool_uaf_helper+0x96/0x400
[ 12.576821] mempool_slab_uaf+0xea/0x140
[ 12.577263] kunit_try_run_case+0x1a5/0x480
[ 12.577469] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.577663] kthread+0x337/0x6f0
[ 12.578160] ret_from_fork+0x41/0x80
[ 12.578353] ret_from_fork_asm+0x1a/0x30
[ 12.578561]
[ 12.578629] Freed by task 250:
[ 12.578735] kasan_save_stack+0x45/0x70
[ 12.578868] kasan_save_track+0x18/0x40
[ 12.579149] kasan_save_free_info+0x3f/0x60
[ 12.579415] __kasan_mempool_poison_object+0x131/0x1d0
[ 12.579722] mempool_free+0x2ec/0x380
[ 12.580050] mempool_uaf_helper+0x11a/0x400
[ 12.580202] mempool_slab_uaf+0xea/0x140
[ 12.580357] kunit_try_run_case+0x1a5/0x480
[ 12.580560] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.580946] kthread+0x337/0x6f0
[ 12.581111] ret_from_fork+0x41/0x80
[ 12.581281] ret_from_fork_asm+0x1a/0x30
[ 12.581419]
[ 12.581515] The buggy address belongs to the object at ffff888102245240
[ 12.581515]  which belongs to the cache test_cache of size 123
[ 12.582397] The buggy address is located 0 bytes inside of
[ 12.582397]  freed 123-byte region [ffff888102245240, ffff8881022452bb)
[ 12.582749]
[ 12.582847] The buggy address belongs to the physical page:
[ 12.583122] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102245
[ 12.583647] flags: 0x200000000000000(node=0|zone=2)
[ 12.584047] page_type: f5(slab)
[ 12.584218] raw: 0200000000000000 ffff888101949a00 dead000000000122 0000000000000000
[ 12.584590] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 12.585071] page dumped because: kasan: bad access detected
[ 12.585362]
[ 12.585452] Memory state around the buggy address:
[ 12.585933]  ffff888102245100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 12.586248]  ffff888102245180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.586582] >ffff888102245200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 12.587051]                                            ^
[ 12.587315]  ffff888102245280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 12.587627]  ffff888102245300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.588025] ==================================================================
[ 12.506295] ==================================================================
[ 12.507616] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.508442] Read of size 1 at addr ffff888102240200 by task kunit_try_catch/246
[ 12.509025]
[ 12.509223] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT(voluntary)
[ 12.509272] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.509284] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.509306] Call Trace:
[ 12.509320] <TASK>
[ 12.509339] dump_stack_lvl+0x73/0xb0
[ 12.509369] print_report+0xd1/0x610
[ 12.509392] ? __virt_addr_valid+0x1db/0x2d0
[ 12.509414] ? mempool_uaf_helper+0x392/0x400
[ 12.509435] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.509458] ? mempool_uaf_helper+0x392/0x400
[ 12.509480] kasan_report+0x141/0x180
[ 12.509502] ? mempool_uaf_helper+0x392/0x400
[ 12.509529] __asan_report_load1_noabort+0x18/0x20
[ 12.509549] mempool_uaf_helper+0x392/0x400
[ 12.509575] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.509597] ? dequeue_entities+0x852/0x1740
[ 12.509623] ? finish_task_switch.isra.0+0x153/0x700
[ 12.509650] mempool_kmalloc_uaf+0xef/0x140
[ 12.509672] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 12.509693] ? dequeue_task_fair+0x166/0x4e0
[ 12.509716] ? __pfx_mempool_kmalloc+0x10/0x10
[ 12.509737] ? __pfx_mempool_kfree+0x10/0x10
[ 12.509758] ? __pfx_read_tsc+0x10/0x10
[ 12.509778] ? ktime_get_ts64+0x86/0x230
[ 12.509972] kunit_try_run_case+0x1a5/0x480
[ 12.510003] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.510022] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.510048] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.510071] ? __kthread_parkme+0x82/0x180
[ 12.510093] ? preempt_count_sub+0x50/0x80
[ 12.510116] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.510135] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.510157] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.510180] kthread+0x337/0x6f0
[ 12.510197] ? trace_preempt_on+0x20/0xc0
[ 12.510220] ? __pfx_kthread+0x10/0x10
[ 12.510237] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.510258] ? calculate_sigpending+0x7b/0xa0
[ 12.510280] ? __pfx_kthread+0x10/0x10
[ 12.510297] ret_from_fork+0x41/0x80
[ 12.510317] ? __pfx_kthread+0x10/0x10
[ 12.510334] ret_from_fork_asm+0x1a/0x30
[ 12.510365] </TASK>
[ 12.510376]
[ 12.519177] Allocated by task 246:
[ 12.519515] kasan_save_stack+0x45/0x70
[ 12.519778] kasan_save_track+0x18/0x40
[ 12.519943] kasan_save_alloc_info+0x3b/0x50
[ 12.520105] __kasan_mempool_unpoison_object+0x1a9/0x200
[ 12.520385] remove_element+0x11e/0x190
[ 12.520554] mempool_alloc_preallocated+0x4d/0x90
[ 12.520855] mempool_uaf_helper+0x96/0x400
[ 12.521094] mempool_kmalloc_uaf+0xef/0x140
[ 12.521268] kunit_try_run_case+0x1a5/0x480
[ 12.521494] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.521871] kthread+0x337/0x6f0
[ 12.522112] ret_from_fork+0x41/0x80
[ 12.522278] ret_from_fork_asm+0x1a/0x30
[ 12.522511]
[ 12.522622] Freed by task 246:
[ 12.522804] kasan_save_stack+0x45/0x70
[ 12.523083] kasan_save_track+0x18/0x40
[ 12.523287] kasan_save_free_info+0x3f/0x60
[ 12.523522] __kasan_mempool_poison_object+0x131/0x1d0
[ 12.523830] mempool_free+0x2ec/0x380
[ 12.524159] mempool_uaf_helper+0x11a/0x400
[ 12.524393] mempool_kmalloc_uaf+0xef/0x140
[ 12.524610] kunit_try_run_case+0x1a5/0x480
[ 12.524927] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.525199] kthread+0x337/0x6f0
[ 12.525366] ret_from_fork+0x41/0x80
[ 12.525499] ret_from_fork_asm+0x1a/0x30
[ 12.525637]
[ 12.525707] The buggy address belongs to the object at ffff888102240200
[ 12.525707]  which belongs to the cache kmalloc-128 of size 128
[ 12.526804] The buggy address is located 0 bytes inside of
[ 12.526804]  freed 128-byte region [ffff888102240200, ffff888102240280)
[ 12.527281]
[ 12.527356] The buggy address belongs to the physical page:
[ 12.527528] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102240
[ 12.527788] flags: 0x200000000000000(node=0|zone=2)
[ 12.528035] page_type: f5(slab)
[ 12.528206] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.528527] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.528755] page dumped because: kasan: bad access detected
[ 12.529187]
[ 12.529305] Memory state around the buggy address:
[ 12.529531]  ffff888102240100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.530110]  ffff888102240180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.530423] >ffff888102240200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.530634]                    ^
[ 12.530748]  ffff888102240280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.531071]  ffff888102240300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 12.531450] ==================================================================
```