Hay
Date: July 22, 2025, 2:40 p.m.

Environment: qemu-arm64, qemu-x86_64

[   19.201316] ==================================================================
[   19.201754] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.201848] Read of size 1 at addr fff00000c5b89a00 by task kunit_try_catch/229
[   19.201909] 
[   19.201958] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT 
[   19.202045] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.202072] Hardware name: linux,dummy-virt (DT)
[   19.202106] Call trace:
[   19.202310]  show_stack+0x20/0x38 (C)
[   19.202381]  dump_stack_lvl+0x8c/0xd0
[   19.202443]  print_report+0x118/0x5d0
[   19.202487]  kasan_report+0xdc/0x128
[   19.202587]  __asan_report_load1_noabort+0x20/0x30
[   19.202644]  mempool_uaf_helper+0x314/0x340
[   19.202692]  mempool_kmalloc_uaf+0xc4/0x120
[   19.202795]  kunit_try_run_case+0x170/0x3f0
[   19.202847]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.202927]  kthread+0x328/0x630
[   19.203043]  ret_from_fork+0x10/0x20
[   19.203302] 
[   19.203322] Allocated by task 229:
[   19.203431]  kasan_save_stack+0x3c/0x68
[   19.203487]  kasan_save_track+0x20/0x40
[   19.203526]  kasan_save_alloc_info+0x40/0x58
[   19.203565]  __kasan_mempool_unpoison_object+0x11c/0x180
[   19.203995]  remove_element+0x130/0x1f8
[   19.204077]  mempool_alloc_preallocated+0x58/0xc0
[   19.204144]  mempool_uaf_helper+0xa4/0x340
[   19.204300]  mempool_kmalloc_uaf+0xc4/0x120
[   19.204369]  kunit_try_run_case+0x170/0x3f0
[   19.204494]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.204539]  kthread+0x328/0x630
[   19.204606]  ret_from_fork+0x10/0x20
[   19.204940] 
[   19.204999] Freed by task 229:
[   19.205069]  kasan_save_stack+0x3c/0x68
[   19.205142]  kasan_save_track+0x20/0x40
[   19.205243]  kasan_save_free_info+0x4c/0x78
[   19.205371]  __kasan_mempool_poison_object+0xc0/0x150
[   19.205437]  mempool_free+0x28c/0x328
[   19.205500]  mempool_uaf_helper+0x104/0x340
[   19.205794]  mempool_kmalloc_uaf+0xc4/0x120
[   19.205863]  kunit_try_run_case+0x170/0x3f0
[   19.205937]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.206143]  kthread+0x328/0x630
[   19.206190]  ret_from_fork+0x10/0x20
[   19.206303] 
[   19.206354] The buggy address belongs to the object at fff00000c5b89a00
[   19.206354]  which belongs to the cache kmalloc-128 of size 128
[   19.206505] The buggy address is located 0 bytes inside of
[   19.206505]  freed 128-byte region [fff00000c5b89a00, fff00000c5b89a80)
[   19.206587] 
[   19.206612] The buggy address belongs to the physical page:
[   19.206660] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b89
[   19.206993] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.207132] page_type: f5(slab)
[   19.207209] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.207361] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.207443] page dumped because: kasan: bad access detected
[   19.207551] 
[   19.207599] Memory state around the buggy address:
[   19.207647]  fff00000c5b89900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.207695]  fff00000c5b89980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.207738] >fff00000c5b89a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.207958]                    ^
[   19.208013]  fff00000c5b89a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.208064]  fff00000c5b89b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.208130] ==================================================================
[   19.233168] ==================================================================
[   19.233230] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.233300] Read of size 1 at addr fff00000c78f9240 by task kunit_try_catch/233
[   19.233353] 
[   19.233630] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT 
[   19.233878] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.233909] Hardware name: linux,dummy-virt (DT)
[   19.233943] Call trace:
[   19.234050]  show_stack+0x20/0x38 (C)
[   19.234113]  dump_stack_lvl+0x8c/0xd0
[   19.234167]  print_report+0x118/0x5d0
[   19.234273]  kasan_report+0xdc/0x128
[   19.234359]  __asan_report_load1_noabort+0x20/0x30
[   19.234690]  mempool_uaf_helper+0x314/0x340
[   19.234879]  mempool_slab_uaf+0xc0/0x118
[   19.235001]  kunit_try_run_case+0x170/0x3f0
[   19.235078]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.235234]  kthread+0x328/0x630
[   19.235469]  ret_from_fork+0x10/0x20
[   19.235527] 
[   19.235545] Allocated by task 233:
[   19.235574]  kasan_save_stack+0x3c/0x68
[   19.235691]  kasan_save_track+0x20/0x40
[   19.235750]  kasan_save_alloc_info+0x40/0x58
[   19.235865]  __kasan_mempool_unpoison_object+0xbc/0x180
[   19.235943]  remove_element+0x16c/0x1f8
[   19.235989]  mempool_alloc_preallocated+0x58/0xc0
[   19.236362]  mempool_uaf_helper+0xa4/0x340
[   19.236441]  mempool_slab_uaf+0xc0/0x118
[   19.236542]  kunit_try_run_case+0x170/0x3f0
[   19.236622]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.236667]  kthread+0x328/0x630
[   19.236732]  ret_from_fork+0x10/0x20
[   19.236903] 
[   19.236923] Freed by task 233:
[   19.237110]  kasan_save_stack+0x3c/0x68
[   19.237183]  kasan_save_track+0x20/0x40
[   19.237323]  kasan_save_free_info+0x4c/0x78
[   19.237393]  __kasan_mempool_poison_object+0xc0/0x150
[   19.237465]  mempool_free+0x28c/0x328
[   19.237597]  mempool_uaf_helper+0x104/0x340
[   19.237664]  mempool_slab_uaf+0xc0/0x118
[   19.237792]  kunit_try_run_case+0x170/0x3f0
[   19.237892]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.237956]  kthread+0x328/0x630
[   19.238157]  ret_from_fork+0x10/0x20
[   19.238201] 
[   19.238253] The buggy address belongs to the object at fff00000c78f9240
[   19.238253]  which belongs to the cache test_cache of size 123
[   19.238434] The buggy address is located 0 bytes inside of
[   19.238434]  freed 123-byte region [fff00000c78f9240, fff00000c78f92bb)
[   19.238520] 
[   19.238606] The buggy address belongs to the physical page:
[   19.238666] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078f9
[   19.238934] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.238990] page_type: f5(slab)
[   19.239146] raw: 0bfffe0000000000 fff00000c5971500 dead000000000122 0000000000000000
[   19.239246] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   19.239355] page dumped because: kasan: bad access detected
[   19.239412] 
[   19.239452] Memory state around the buggy address:
[   19.239566]  fff00000c78f9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.239679]  fff00000c78f9180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.239745] >fff00000c78f9200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   19.239939]                                            ^
[   19.239991]  fff00000c78f9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.240034]  fff00000c78f9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.240087] ==================================================================

[   12.714939] ==================================================================
[   12.716081] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   12.716730] Read of size 1 at addr ffff888103d00240 by task kunit_try_catch/251
[   12.717443] 
[   12.717627] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT(voluntary) 
[   12.717672] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.717684] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.717704] Call Trace:
[   12.717715]  <TASK>
[   12.717730]  dump_stack_lvl+0x73/0xb0
[   12.717756]  print_report+0xd1/0x610
[   12.717778]  ? __virt_addr_valid+0x1db/0x2d0
[   12.717800]  ? mempool_uaf_helper+0x392/0x400
[   12.717822]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.717845]  ? mempool_uaf_helper+0x392/0x400
[   12.717867]  kasan_report+0x141/0x180
[   12.717889]  ? mempool_uaf_helper+0x392/0x400
[   12.717916]  __asan_report_load1_noabort+0x18/0x20
[   12.717937]  mempool_uaf_helper+0x392/0x400
[   12.717960]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   12.717982]  ? update_load_avg+0x1be/0x21b0
[   12.718007]  ? finish_task_switch.isra.0+0x153/0x700
[   12.718033]  mempool_slab_uaf+0xea/0x140
[   12.718052]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   12.718071]  ? dequeue_task_fair+0x156/0x4e0
[   12.718097]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   12.718119]  ? __pfx_mempool_free_slab+0x10/0x10
[   12.718142]  ? __pfx_read_tsc+0x10/0x10
[   12.718161]  ? ktime_get_ts64+0x86/0x230
[   12.718186]  kunit_try_run_case+0x1a5/0x480
[   12.718208]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.718238]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.718259]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.718283]  ? __kthread_parkme+0x82/0x180
[   12.718305]  ? preempt_count_sub+0x50/0x80
[   12.718329]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.718349]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.718383]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.718406]  kthread+0x337/0x6f0
[   12.718423]  ? trace_preempt_on+0x20/0xc0
[   12.718448]  ? __pfx_kthread+0x10/0x10
[   12.718465]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.718486]  ? calculate_sigpending+0x7b/0xa0
[   12.718508]  ? __pfx_kthread+0x10/0x10
[   12.718526]  ret_from_fork+0x41/0x80
[   12.718546]  ? __pfx_kthread+0x10/0x10
[   12.718564]  ret_from_fork_asm+0x1a/0x30
[   12.718594]  </TASK>
[   12.718605] 
[   12.729447] Allocated by task 251:
[   12.729707]  kasan_save_stack+0x45/0x70
[   12.729855]  kasan_save_track+0x18/0x40
[   12.729989]  kasan_save_alloc_info+0x3b/0x50
[   12.730135]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   12.730319]  remove_element+0x11e/0x190
[   12.730561]  mempool_alloc_preallocated+0x4d/0x90
[   12.730784]  mempool_uaf_helper+0x96/0x400
[   12.730982]  mempool_slab_uaf+0xea/0x140
[   12.731169]  kunit_try_run_case+0x1a5/0x480
[   12.731403]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.731631]  kthread+0x337/0x6f0
[   12.731791]  ret_from_fork+0x41/0x80
[   12.731928]  ret_from_fork_asm+0x1a/0x30
[   12.732064] 
[   12.732132] Freed by task 251:
[   12.732447]  kasan_save_stack+0x45/0x70
[   12.732654]  kasan_save_track+0x18/0x40
[   12.732897]  kasan_save_free_info+0x3f/0x60
[   12.733110]  __kasan_mempool_poison_object+0x131/0x1d0
[   12.733372]  mempool_free+0x2ec/0x380
[   12.733559]  mempool_uaf_helper+0x11a/0x400
[   12.733934]  mempool_slab_uaf+0xea/0x140
[   12.734117]  kunit_try_run_case+0x1a5/0x480
[   12.734273]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.734750]  kthread+0x337/0x6f0
[   12.734899]  ret_from_fork+0x41/0x80
[   12.735059]  ret_from_fork_asm+0x1a/0x30
[   12.735259] 
[   12.735336] The buggy address belongs to the object at ffff888103d00240
[   12.735336]  which belongs to the cache test_cache of size 123
[   12.736049] The buggy address is located 0 bytes inside of
[   12.736049]  freed 123-byte region [ffff888103d00240, ffff888103d002bb)
[   12.736564] 
[   12.736646] The buggy address belongs to the physical page:
[   12.736835] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103d00
[   12.737186] flags: 0x200000000000000(node=0|zone=2)
[   12.737523] page_type: f5(slab)
[   12.737678] raw: 0200000000000000 ffff8881014e3640 dead000000000122 0000000000000000
[   12.737977] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   12.738201] page dumped because: kasan: bad access detected
[   12.738381] 
[   12.738449] Memory state around the buggy address:
[   12.738601]  ffff888103d00100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.738816]  ffff888103d00180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.739131] >ffff888103d00200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   12.739769]                                            ^
[   12.740031]  ffff888103d00280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.740360]  ffff888103d00300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.740717] ==================================================================
[   12.644901] ==================================================================
[   12.645973] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   12.646219] Read of size 1 at addr ffff888103cfc100 by task kunit_try_catch/247
[   12.646928] 
[   12.647128] CPU: 0 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT(voluntary) 
[   12.647174] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.647186] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.647206] Call Trace:
[   12.647218]  <TASK>
[   12.647244]  dump_stack_lvl+0x73/0xb0
[   12.647269]  print_report+0xd1/0x610
[   12.647292]  ? __virt_addr_valid+0x1db/0x2d0
[   12.647313]  ? mempool_uaf_helper+0x392/0x400
[   12.647334]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.647378]  ? mempool_uaf_helper+0x392/0x400
[   12.647400]  kasan_report+0x141/0x180
[   12.647444]  ? mempool_uaf_helper+0x392/0x400
[   12.647472]  __asan_report_load1_noabort+0x18/0x20
[   12.647492]  mempool_uaf_helper+0x392/0x400
[   12.647515]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   12.647539]  ? kasan_save_track+0x18/0x40
[   12.647558]  ? kasan_save_alloc_info+0x3b/0x50
[   12.647577]  ? kasan_save_stack+0x45/0x70
[   12.647602]  mempool_kmalloc_uaf+0xef/0x140
[   12.647624]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   12.647646]  ? dequeue_task_fair+0x166/0x4e0
[   12.647687]  ? __pfx_mempool_kmalloc+0x10/0x10
[   12.647708]  ? __pfx_mempool_kfree+0x10/0x10
[   12.647729]  ? __pfx_read_tsc+0x10/0x10
[   12.647749]  ? ktime_get_ts64+0x86/0x230
[   12.647774]  kunit_try_run_case+0x1a5/0x480
[   12.647795]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.647813]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.647833]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.647857]  ? __kthread_parkme+0x82/0x180
[   12.647878]  ? preempt_count_sub+0x50/0x80
[   12.647902]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.647922]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.647945]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.647968]  kthread+0x337/0x6f0
[   12.647984]  ? trace_preempt_on+0x20/0xc0
[   12.648007]  ? __pfx_kthread+0x10/0x10
[   12.648024]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.648046]  ? calculate_sigpending+0x7b/0xa0
[   12.648068]  ? __pfx_kthread+0x10/0x10
[   12.648086]  ret_from_fork+0x41/0x80
[   12.648106]  ? __pfx_kthread+0x10/0x10
[   12.648124]  ret_from_fork_asm+0x1a/0x30
[   12.648155]  </TASK>
[   12.648165] 
[   12.663524] Allocated by task 247:
[   12.663900]  kasan_save_stack+0x45/0x70
[   12.664323]  kasan_save_track+0x18/0x40
[   12.664686]  kasan_save_alloc_info+0x3b/0x50
[   12.664838]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   12.665022]  remove_element+0x11e/0x190
[   12.665160]  mempool_alloc_preallocated+0x4d/0x90
[   12.665342]  mempool_uaf_helper+0x96/0x400
[   12.665548]  mempool_kmalloc_uaf+0xef/0x140
[   12.665764]  kunit_try_run_case+0x1a5/0x480
[   12.666131]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.666390]  kthread+0x337/0x6f0
[   12.666508]  ret_from_fork+0x41/0x80
[   12.666655]  ret_from_fork_asm+0x1a/0x30
[   12.666808] 
[   12.666876] Freed by task 247:
[   12.667213]  kasan_save_stack+0x45/0x70
[   12.667583]  kasan_save_track+0x18/0x40
[   12.668078]  kasan_save_free_info+0x3f/0x60
[   12.668513]  __kasan_mempool_poison_object+0x131/0x1d0
[   12.669077]  mempool_free+0x2ec/0x380
[   12.669514]  mempool_uaf_helper+0x11a/0x400
[   12.669748]  mempool_kmalloc_uaf+0xef/0x140
[   12.670125]  kunit_try_run_case+0x1a5/0x480
[   12.670544]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.670924]  kthread+0x337/0x6f0
[   12.671307]  ret_from_fork+0x41/0x80
[   12.671673]  ret_from_fork_asm+0x1a/0x30
[   12.671937] 
[   12.672009] The buggy address belongs to the object at ffff888103cfc100
[   12.672009]  which belongs to the cache kmalloc-128 of size 128
[   12.672380] The buggy address is located 0 bytes inside of
[   12.672380]  freed 128-byte region [ffff888103cfc100, ffff888103cfc180)
[   12.673476] 
[   12.673640] The buggy address belongs to the physical page:
[   12.674198] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103cfc
[   12.674996] flags: 0x200000000000000(node=0|zone=2)
[   12.675816] page_type: f5(slab)
[   12.676047] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.676294] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.676899] page dumped because: kasan: bad access detected
[   12.677413] 
[   12.677569] Memory state around the buggy address:
[   12.678031]  ffff888103cfc000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.678684]  ffff888103cfc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.679011] >ffff888103cfc100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.679980]                    ^
[   12.680356]  ffff888103cfc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.681148]  ffff888103cfc200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.681523] ==================================================================