Date
July 1, 2025, 12:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

[   19.450669] ==================================================================
[   19.451048] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.451481] Read of size 1 at addr fff00000c79ef240 by task kunit_try_catch/231
[   19.451540]
[   19.451579] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   19.451894] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.451926] Hardware name: linux,dummy-virt (DT)
[   19.451969] Call trace:
[   19.452185]  show_stack+0x20/0x38 (C)
[   19.452264]  dump_stack_lvl+0x8c/0xd0
[   19.452556]  print_report+0x118/0x608
[   19.452606]  kasan_report+0xdc/0x128
[   19.452651]  __asan_report_load1_noabort+0x20/0x30
[   19.453082]  mempool_uaf_helper+0x314/0x340
[   19.453152]  mempool_slab_uaf+0xc0/0x118
[   19.453197]  kunit_try_run_case+0x170/0x3f0
[   19.453321]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.453375]  kthread+0x328/0x630
[   19.453417]  ret_from_fork+0x10/0x20
[   19.453475]
[   19.453494] Allocated by task 231:
[   19.453524]  kasan_save_stack+0x3c/0x68
[   19.453564]  kasan_save_track+0x20/0x40
[   19.454066]  kasan_save_alloc_info+0x40/0x58
[   19.454114]  __kasan_mempool_unpoison_object+0xbc/0x180
[   19.454395]  remove_element+0x16c/0x1f8
[   19.454453]  mempool_alloc_preallocated+0x58/0xc0
[   19.454870]  mempool_uaf_helper+0xa4/0x340
[   19.454936]  mempool_slab_uaf+0xc0/0x118
[   19.455203]  kunit_try_run_case+0x170/0x3f0
[   19.455255]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.455332]  kthread+0x328/0x630
[   19.455376]  ret_from_fork+0x10/0x20
[   19.455425]
[   19.455569] Freed by task 231:
[   19.455677]  kasan_save_stack+0x3c/0x68
[   19.455851]  kasan_save_track+0x20/0x40
[   19.456097]  kasan_save_free_info+0x4c/0x78
[   19.456145]  __kasan_mempool_poison_object+0xc0/0x150
[   19.456517]  mempool_free+0x28c/0x328
[   19.456808]  mempool_uaf_helper+0x104/0x340
[   19.456856]  mempool_slab_uaf+0xc0/0x118
[   19.457098]  kunit_try_run_case+0x170/0x3f0
[   19.457141]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.457647]  kthread+0x328/0x630
[   19.457716]  ret_from_fork+0x10/0x20
[   19.457751]
[   19.458111] The buggy address belongs to the object at fff00000c79ef240
[   19.458111]  which belongs to the cache test_cache of size 123
[   19.458436] The buggy address is located 0 bytes inside of
[   19.458436]  freed 123-byte region [fff00000c79ef240, fff00000c79ef2bb)
[   19.458784]
[   19.458887] The buggy address belongs to the physical page:
[   19.458982] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1079ef
[   19.459248] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.459308] page_type: f5(slab)
[   19.459347] raw: 0bfffe0000000000 fff00000c3e83b40 dead000000000122 0000000000000000
[   19.459400] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   19.459579] page dumped because: kasan: bad access detected
[   19.459617]
[   19.459663] Memory state around the buggy address:
[   19.459906]  fff00000c79ef100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.460233]  fff00000c79ef180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.460437] >fff00000c79ef200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   19.460601]                                            ^
[   19.460645]  fff00000c79ef280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.461227]  fff00000c79ef300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.461271] ==================================================================

[   19.404795] ==================================================================
[   19.405536] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.405853] Read of size 1 at addr fff00000c656ad00 by task kunit_try_catch/227
[   19.406435]
[   19.406487] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   19.406575] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.406601] Hardware name: linux,dummy-virt (DT)
[   19.406635] Call trace:
[   19.406658]  show_stack+0x20/0x38 (C)
[   19.406712]  dump_stack_lvl+0x8c/0xd0
[   19.406762]  print_report+0x118/0x608
[   19.406807]  kasan_report+0xdc/0x128
[   19.406852]  __asan_report_load1_noabort+0x20/0x30
[   19.406901]  mempool_uaf_helper+0x314/0x340
[   19.407222]  mempool_kmalloc_uaf+0xc4/0x120
[   19.407458]  kunit_try_run_case+0x170/0x3f0
[   19.407514]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.407609]  kthread+0x328/0x630
[   19.408392]  ret_from_fork+0x10/0x20
[   19.409141]
[   19.409166] Allocated by task 227:
[   19.409363]  kasan_save_stack+0x3c/0x68
[   19.409810]  kasan_save_track+0x20/0x40
[   19.409861]  kasan_save_alloc_info+0x40/0x58
[   19.409910]  __kasan_mempool_unpoison_object+0x11c/0x180
[   19.410183]  remove_element+0x130/0x1f8
[   19.410231]  mempool_alloc_preallocated+0x58/0xc0
[   19.410525]  mempool_uaf_helper+0xa4/0x340
[   19.410584]  mempool_kmalloc_uaf+0xc4/0x120
[   19.410770]  kunit_try_run_case+0x170/0x3f0
[   19.410809]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.410854]  kthread+0x328/0x630
[   19.410888]  ret_from_fork+0x10/0x20
[   19.410923]
[   19.410942] Freed by task 227:
[   19.411144]  kasan_save_stack+0x3c/0x68
[   19.411322]  kasan_save_track+0x20/0x40
[   19.411364]  kasan_save_free_info+0x4c/0x78
[   19.411404]  __kasan_mempool_poison_object+0xc0/0x150
[   19.411677]  mempool_free+0x28c/0x328
[   19.411729]  mempool_uaf_helper+0x104/0x340
[   19.411789]  mempool_kmalloc_uaf+0xc4/0x120
[   19.412129]  kunit_try_run_case+0x170/0x3f0
[   19.412311]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.412373]  kthread+0x328/0x630
[   19.412405]  ret_from_fork+0x10/0x20
[   19.412441]
[   19.412899] The buggy address belongs to the object at fff00000c656ad00
[   19.412899]  which belongs to the cache kmalloc-128 of size 128
[   19.413005] The buggy address is located 0 bytes inside of
[   19.413005]  freed 128-byte region [fff00000c656ad00, fff00000c656ad80)
[   19.413816]
[   19.413844] The buggy address belongs to the physical page:
[   19.413881] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10656a
[   19.414134] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.414190] page_type: f5(slab)
[   19.414230] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.414741] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.414794] page dumped because: kasan: bad access detected
[   19.415009]
[   19.415036] Memory state around the buggy address:
[   19.415073]  fff00000c656ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.415118]  fff00000c656ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.415350] >fff00000c656ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.415397]                    ^
[   19.415438]  fff00000c656ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.415541]  fff00000c656ae00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.415580] ==================================================================
qemu-x86_64:

[   12.947980] ==================================================================
[   12.948650] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   12.949211] Read of size 1 at addr ffff88810312fa00 by task kunit_try_catch/244
[   12.949927]
[   12.950173] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   12.950233] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.950246] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.950280] Call Trace:
[   12.950302]  <TASK>
[   12.950317]  dump_stack_lvl+0x73/0xb0
[   12.950349]  print_report+0xd1/0x650
[   12.950384]  ? __virt_addr_valid+0x1db/0x2d0
[   12.950409]  ? mempool_uaf_helper+0x392/0x400
[   12.950431]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.950453]  ? mempool_uaf_helper+0x392/0x400
[   12.950475]  kasan_report+0x141/0x180
[   12.950498]  ? mempool_uaf_helper+0x392/0x400
[   12.950526]  __asan_report_load1_noabort+0x18/0x20
[   12.950551]  mempool_uaf_helper+0x392/0x400
[   12.950573]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   12.950596]  ? __kasan_check_write+0x18/0x20
[   12.950616]  ? __pfx_sched_clock_cpu+0x10/0x10
[   12.950637]  ? finish_task_switch.isra.0+0x153/0x700
[   12.950662]  mempool_kmalloc_uaf+0xef/0x140
[   12.950684]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   12.950709]  ? __pfx_mempool_kmalloc+0x10/0x10
[   12.950732]  ? __pfx_mempool_kfree+0x10/0x10
[   12.950757]  ? __pfx_read_tsc+0x10/0x10
[   12.950777]  ? ktime_get_ts64+0x86/0x230
[   12.950801]  kunit_try_run_case+0x1a5/0x480
[   12.950826]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.950850]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.950873]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.950894]  ? __kthread_parkme+0x82/0x180
[   12.950914]  ? preempt_count_sub+0x50/0x80
[   12.950936]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.950960]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.950982]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.951005]  kthread+0x337/0x6f0
[   12.951087]  ? trace_preempt_on+0x20/0xc0
[   12.951117]  ? __pfx_kthread+0x10/0x10
[   12.951156]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.951177]  ? calculate_sigpending+0x7b/0xa0
[   12.951202]  ? __pfx_kthread+0x10/0x10
[   12.951223]  ret_from_fork+0x116/0x1d0
[   12.951243]  ? __pfx_kthread+0x10/0x10
[   12.951262]  ret_from_fork_asm+0x1a/0x30
[   12.951293]  </TASK>
[   12.951305]
[   12.960106] Allocated by task 244:
[   12.960325]  kasan_save_stack+0x45/0x70
[   12.960530]  kasan_save_track+0x18/0x40
[   12.960721]  kasan_save_alloc_info+0x3b/0x50
[   12.960923]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   12.961223]  remove_element+0x11e/0x190
[   12.961397]  mempool_alloc_preallocated+0x4d/0x90
[   12.961640]  mempool_uaf_helper+0x96/0x400
[   12.961886]  mempool_kmalloc_uaf+0xef/0x140
[   12.962180]  kunit_try_run_case+0x1a5/0x480
[   12.962375]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.962660]  kthread+0x337/0x6f0
[   12.962799]  ret_from_fork+0x116/0x1d0
[   12.963007]  ret_from_fork_asm+0x1a/0x30
[   12.963299]
[   12.963403] Freed by task 244:
[   12.963551]  kasan_save_stack+0x45/0x70
[   12.963767]  kasan_save_track+0x18/0x40
[   12.963924]  kasan_save_free_info+0x3f/0x60
[   12.964407]  __kasan_mempool_poison_object+0x131/0x1d0
[   12.964618]  mempool_free+0x2ec/0x380
[   12.964784]  mempool_uaf_helper+0x11a/0x400
[   12.965010]  mempool_kmalloc_uaf+0xef/0x140
[   12.965326]  kunit_try_run_case+0x1a5/0x480
[   12.965527]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.965759]  kthread+0x337/0x6f0
[   12.965925]  ret_from_fork+0x116/0x1d0
[   12.966131]  ret_from_fork_asm+0x1a/0x30
[   12.966302]
[   12.966400] The buggy address belongs to the object at ffff88810312fa00
[   12.966400]  which belongs to the cache kmalloc-128 of size 128
[   12.966946] The buggy address is located 0 bytes inside of
[   12.966946]  freed 128-byte region [ffff88810312fa00, ffff88810312fa80)
[   12.967477]
[   12.967574] The buggy address belongs to the physical page:
[   12.967847] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10312f
[   12.968311] flags: 0x200000000000000(node=0|zone=2)
[   12.968509] page_type: f5(slab)
[   12.968632] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.968999] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.969539] page dumped because: kasan: bad access detected
[   12.969720]
[   12.969797] Memory state around the buggy address:
[   12.970022]  ffff88810312f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.970391]  ffff88810312f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.970686] >ffff88810312fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.971111]                    ^
[   12.971313]  ffff88810312fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.971615]  ffff88810312fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.971866] ==================================================================

[   12.997640] ==================================================================
[   12.998193] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   12.999131] Read of size 1 at addr ffff888103121240 by task kunit_try_catch/248
[   12.999674]
[   12.999799] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   12.999845] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.999858] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.999880] Call Trace:
[   12.999892]  <TASK>
[   12.999907]  dump_stack_lvl+0x73/0xb0
[   12.999938]  print_report+0xd1/0x650
[   12.999959]  ? __virt_addr_valid+0x1db/0x2d0
[   12.999983]  ? mempool_uaf_helper+0x392/0x400
[   13.000004]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.000040]  ? mempool_uaf_helper+0x392/0x400
[   13.000063]  kasan_report+0x141/0x180
[   13.000084]  ? mempool_uaf_helper+0x392/0x400
[   13.000109]  __asan_report_load1_noabort+0x18/0x20
[   13.000134]  mempool_uaf_helper+0x392/0x400
[   13.000157]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.000181]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.000204]  ? finish_task_switch.isra.0+0x153/0x700
[   13.000229]  mempool_slab_uaf+0xea/0x140
[   13.000252]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.000277]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.000296]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.000318]  ? __pfx_read_tsc+0x10/0x10
[   13.000339]  ? ktime_get_ts64+0x86/0x230
[   13.000363]  kunit_try_run_case+0x1a5/0x480
[   13.000388]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.000410]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.000491]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.000517]  ? __kthread_parkme+0x82/0x180
[   13.000538]  ? preempt_count_sub+0x50/0x80
[   13.000560]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.000583]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.000606]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.000629]  kthread+0x337/0x6f0
[   13.000648]  ? trace_preempt_on+0x20/0xc0
[   13.000670]  ? __pfx_kthread+0x10/0x10
[   13.000691]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.000711]  ? calculate_sigpending+0x7b/0xa0
[   13.000735]  ? __pfx_kthread+0x10/0x10
[   13.000757]  ret_from_fork+0x116/0x1d0
[   13.000775]  ? __pfx_kthread+0x10/0x10
[   13.000795]  ret_from_fork_asm+0x1a/0x30
[   13.000825]  </TASK>
[   13.000836]
[   13.008978] Allocated by task 248:
[   13.009210]  kasan_save_stack+0x45/0x70
[   13.009377]  kasan_save_track+0x18/0x40
[   13.009561]  kasan_save_alloc_info+0x3b/0x50
[   13.009739]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.009963]  remove_element+0x11e/0x190
[   13.010258]  mempool_alloc_preallocated+0x4d/0x90
[   13.010458]  mempool_uaf_helper+0x96/0x400
[   13.010628]  mempool_slab_uaf+0xea/0x140
[   13.010802]  kunit_try_run_case+0x1a5/0x480
[   13.010947]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.011466]  kthread+0x337/0x6f0
[   13.011630]  ret_from_fork+0x116/0x1d0
[   13.011795]  ret_from_fork_asm+0x1a/0x30
[   13.011971]
[   13.012102] Freed by task 248:
[   13.012381]  kasan_save_stack+0x45/0x70
[   13.012559]  kasan_save_track+0x18/0x40
[   13.012702]  kasan_save_free_info+0x3f/0x60
[   13.012906]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.013238]  mempool_free+0x2ec/0x380
[   13.013385]  mempool_uaf_helper+0x11a/0x400
[   13.013529]  mempool_slab_uaf+0xea/0x140
[   13.013667]  kunit_try_run_case+0x1a5/0x480
[   13.013810]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.013987]  kthread+0x337/0x6f0
[   13.014167]  ret_from_fork+0x116/0x1d0
[   13.014352]  ret_from_fork_asm+0x1a/0x30
[   13.014558]
[   13.014653] The buggy address belongs to the object at ffff888103121240
[   13.014653]  which belongs to the cache test_cache of size 123
[   13.015296] The buggy address is located 0 bytes inside of
[   13.015296]  freed 123-byte region [ffff888103121240, ffff8881031212bb)
[   13.015739]
[   13.015814] The buggy address belongs to the physical page:
[   13.015986] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103121
[   13.016264] flags: 0x200000000000000(node=0|zone=2)
[   13.016643] page_type: f5(slab)
[   13.016858] raw: 0200000000000000 ffff88810311c140 dead000000000122 0000000000000000
[   13.017232] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.017628] page dumped because: kasan: bad access detected
[   13.017881]
[   13.017952] Memory state around the buggy address:
[   13.018121]  ffff888103121100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.018445]  ffff888103121180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.018793] >ffff888103121200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.019132]                                            ^
[   13.019531]  ffff888103121280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.019794]  ffff888103121300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.020200] ==================================================================
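All four reports above are produced by KASAN's own KUnit tests (mempool_slab_uaf and mempool_kmalloc_uaf, both going through mempool_uaf_helper): the object is taken from the pool with mempool_alloc_preallocated, returned with mempool_free, and then read, which is exactly the pattern the test exists to provoke. They carry the [N]=TEST taint and run under Comm kunit_try_catch, so in a CI log they are expected output, not a finding. What a triage engineer actually needs is a way to tell such self-test reports apart from a genuine slab-use-after-free and to confirm that a report is internally consistent (the faulting address lies in the freed region, the region length matches the declared size, and the shadow byte under the caret really marks a freed object). The Python below is an added example for this page and is not part of the page or of the kernel. It parses one report, decodes the shadow byte covering the faulting address, cross-checks the freed-region bounds and classifies the report. The shadow encodings (fa, fb, fc, ...) are taken from mm/kasan/kasan.h and are assumed to match the 6.16 tree; SAMPLE_REPORT is a constructed, abridged copy of the arm64 mempool_kmalloc_uaf report above.

```python
"""Triage helper for generic-KASAN reports (added example, not kernel code):
parse a report, decode the shadow byte at the fault, sanity-check it, classify it."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Generic KASAN shadow encodings as defined in mm/kasan/kasan.h (assumed to match
# the tree being triaged; re-check them for other kernel versions).
SHADOW = {0x00: "addressable", 0xFA: "freed slab object (free meta)",
          0xFB: "freed slab object", 0xFC: "slab redzone",
          0xFE: "kmalloc_large redzone", 0xFF: "freed page"}
GRANULE = 8                 # one shadow byte describes 8 bytes of memory
ROW_BYTES = 16 * GRANULE    # each dumped shadow row covers 16 granules = 128 bytes

# Constructed sample: abridged from the arm64 mempool_kmalloc_uaf report on this page.
SAMPLE_REPORT = """\
[   19.405536] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.405853] Read of size 1 at addr fff00000c656ad00 by task kunit_try_catch/227
[   19.406487] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   19.406575] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.409166] Allocated by task 227:
[   19.410231]  mempool_alloc_preallocated+0x58/0xc0
[   19.410525]  mempool_uaf_helper+0xa4/0x340
[   19.410923]
[   19.410942] Freed by task 227:
[   19.411677]  mempool_free+0x28c/0x328
[   19.411729]  mempool_uaf_helper+0x104/0x340
[   19.412441]
[   19.412899]  which belongs to the cache kmalloc-128 of size 128
[   19.413005]  freed 128-byte region [fff00000c656ad00, fff00000c656ad80)
[   19.415036] Memory state around the buggy address:
[   19.415118]  fff00000c656ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.415350] >fff00000c656ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.415397]                    ^
"""

@dataclass
class KasanReport:
    bug: str
    func: str
    addr: int = 0
    comm: str = ""
    tainted: str = ""
    cache: Optional[str] = None
    region: Optional[tuple] = None                   # (start, end, declared length)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow_rows: dict = field(default_factory=dict)  # row base address -> 16 ints

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")             # printk timestamp prefix
_ROW = re.compile(r"\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})")

def parse_report(text):
    """Parse the first KASAN report found in text; returns None if there is none."""
    rep, state = None, None
    for raw in text.splitlines():
        line = _TS.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            rep, state = KasanReport(bug=m[1], func=m[2]), None
        elif rep is None:
            continue
        elif m := re.match(r"(Read|Write) of size \d+ at addr ([0-9a-f]+) by task (\S+)/\d+", line):
            rep.addr, rep.comm = int(m[2], 16), m[3]
        elif line.startswith("Tainted:"):             # the expanded taint-flag line
            rep.tainted = line.split(":", 1)[1].strip()
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size \d+", line):
            rep.cache = m[1]
        elif m := re.match(r"\s*freed (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep.region = (int(m[2], 16), int(m[3], 16), int(m[1]))
        elif line.startswith("Allocated by task"):
            state = "alloc"
        elif line.startswith("Freed by task"):
            state = "free"
        elif line.startswith("Memory state around"):
            state = "shadow"
        elif line == "":                                # blank line ends a stack section
            state = None
        elif state == "alloc":
            rep.alloc_stack.append(line.strip())
        elif state == "free":
            rep.free_stack.append(line.strip())
        elif state == "shadow" and (m := _ROW.match(line)):
            rep.shadow_rows[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    return rep

def shadow_byte(rep, addr):
    """(value, meaning) of the shadow byte covering addr, read from the dumped rows."""
    base = addr & ~(ROW_BYTES - 1)
    row = rep.shadow_rows.get(base)
    if row is None:
        return None
    val = row[(addr - base) // GRANULE]
    return val, SHADOW.get(val, "other")

def check_consistency(rep):
    """Cross-check the report against itself; an empty list means it is coherent."""
    problems = []
    if rep.region:
        start, end, declared = rep.region
        if end - start != declared:
            problems.append(f"region spans {end - start} bytes, report declares {declared}")
        if not start <= rep.addr < end:
            problems.append("faulting address lies outside the freed region")
    sb = shadow_byte(rep, rep.addr)
    if sb is None:
        problems.append("faulting address not covered by the dumped shadow rows")
    elif "use-after-free" in rep.bug and sb[0] not in (0xFA, 0xFB):
        problems.append(f"shadow byte {sb[0]:#04x} does not mark a freed object")
    return problems

def classify(rep):
    """KASAN's own KUnit cases run under kunit_try_catch and set the TEST taint."""
    if rep.comm == "kunit_try_catch" and "[N]=TEST" in rep.tainted:
        return "expected-selftest"
    return "investigate"
```

Feed a whole dmesg capture to parse_report and it picks up the first report; for a real bug the same checks apply, and classify returning "investigate" together with an empty check_consistency list is the combination worth a human's time. Note that the caret in the shadow dump sits under one shadow byte, so it locates the fault only to 8-byte granularity; the exact byte offset comes from the "located N bytes inside of" line.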