Date
July 1, 2025, 3:08 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.940746] ================================================================== [ 18.941046] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.941256] Read of size 1 at addr fff00000c57f0240 by task kunit_try_catch/232 [ 18.941648] [ 18.941791] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 18.942035] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.942067] Hardware name: linux,dummy-virt (DT) [ 18.942102] Call trace: [ 18.942125] show_stack+0x20/0x38 (C) [ 18.942178] dump_stack_lvl+0x8c/0xd0 [ 18.942228] print_report+0x118/0x608 [ 18.942518] kasan_report+0xdc/0x128 [ 18.942659] __asan_report_load1_noabort+0x20/0x30 [ 18.942758] mempool_uaf_helper+0x314/0x340 [ 18.942930] mempool_slab_uaf+0xc0/0x118 [ 18.943136] kunit_try_run_case+0x170/0x3f0 [ 18.943418] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.943859] kthread+0x328/0x630 [ 18.944223] ret_from_fork+0x10/0x20 [ 18.944339] [ 18.944376] Allocated by task 232: [ 18.944721] kasan_save_stack+0x3c/0x68 [ 18.945111] kasan_save_track+0x20/0x40 [ 18.945239] kasan_save_alloc_info+0x40/0x58 [ 18.945669] __kasan_mempool_unpoison_object+0xbc/0x180 [ 18.945764] remove_element+0x16c/0x1f8 [ 18.945927] mempool_alloc_preallocated+0x58/0xc0 [ 18.945970] mempool_uaf_helper+0xa4/0x340 [ 18.946030] mempool_slab_uaf+0xc0/0x118 [ 18.946075] kunit_try_run_case+0x170/0x3f0 [ 18.946114] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.946409] kthread+0x328/0x630 [ 18.946478] ret_from_fork+0x10/0x20 [ 18.946544] [ 18.946637] Freed by task 232: [ 18.946696] kasan_save_stack+0x3c/0x68 [ 18.946735] kasan_save_track+0x20/0x40 [ 18.947095] kasan_save_free_info+0x4c/0x78 [ 18.947167] __kasan_mempool_poison_object+0xc0/0x150 [ 18.947252] mempool_free+0x28c/0x328 [ 18.947405] mempool_uaf_helper+0x104/0x340 [ 18.947492] mempool_slab_uaf+0xc0/0x118 [ 18.947669] kunit_try_run_case+0x170/0x3f0 [ 18.947862] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.947958] kthread+0x328/0x630 [ 18.948034] ret_from_fork+0x10/0x20 [ 18.948073] [ 18.948130] The buggy address belongs to the object at fff00000c57f0240 [ 18.948130] which belongs to the cache test_cache of size 123 [ 18.948355] The buggy address is located 0 bytes inside of [ 18.948355] freed 123-byte region [fff00000c57f0240, fff00000c57f02bb) [ 18.948541] [ 18.948590] The buggy address belongs to the physical page: [ 18.948896] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1057f0 [ 18.948990] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.949124] page_type: f5(slab) [ 18.949218] raw: 0bfffe0000000000 fff00000c5b9bdc0 dead000000000122 0000000000000000 [ 18.949377] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 18.949501] page dumped because: kasan: bad access detected [ 18.949706] [ 18.949837] Memory state around the buggy address: [ 18.949878] fff00000c57f0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.950143] fff00000c57f0180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.950377] >fff00000c57f0200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 18.950457] ^ [ 18.950533] fff00000c57f0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.950589] fff00000c57f0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.950629] ================================================================== [ 18.891615] ================================================================== [ 18.891686] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.891844] Read of size 1 at addr fff00000c669fa00 by task kunit_try_catch/228 [ 18.891900] [ 18.891940] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 18.892027] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.892055] Hardware name: linux,dummy-virt (DT) [ 18.892097] Call trace: [ 18.892231] show_stack+0x20/0x38 (C) [ 18.892513] dump_stack_lvl+0x8c/0xd0 [ 18.892869] print_report+0x118/0x608 [ 18.892923] kasan_report+0xdc/0x128 [ 18.892966] __asan_report_load1_noabort+0x20/0x30 [ 18.893016] mempool_uaf_helper+0x314/0x340 [ 18.893063] mempool_kmalloc_uaf+0xc4/0x120 [ 18.893606] kunit_try_run_case+0x170/0x3f0 [ 18.893703] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.893803] kthread+0x328/0x630 [ 18.893892] ret_from_fork+0x10/0x20 [ 18.893939] [ 18.893980] Allocated by task 228: [ 18.894010] kasan_save_stack+0x3c/0x68 [ 18.894052] kasan_save_track+0x20/0x40 [ 18.894089] kasan_save_alloc_info+0x40/0x58 [ 18.894130] __kasan_mempool_unpoison_object+0x11c/0x180 [ 18.894189] remove_element+0x130/0x1f8 [ 18.894506] mempool_alloc_preallocated+0x58/0xc0 [ 18.894742] mempool_uaf_helper+0xa4/0x340 [ 18.894795] mempool_kmalloc_uaf+0xc4/0x120 [ 18.894833] kunit_try_run_case+0x170/0x3f0 [ 18.894911] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.895088] kthread+0x328/0x630 [ 18.895121] ret_from_fork+0x10/0x20 [ 18.895158] [ 18.895177] Freed by task 228: [ 18.895249] kasan_save_stack+0x3c/0x68 [ 18.895410] kasan_save_track+0x20/0x40 [ 18.895611] kasan_save_free_info+0x4c/0x78 [ 18.895652] __kasan_mempool_poison_object+0xc0/0x150 [ 18.895696] mempool_free+0x28c/0x328 [ 18.895737] mempool_uaf_helper+0x104/0x340 [ 18.895792] mempool_kmalloc_uaf+0xc4/0x120 [ 18.895923] kunit_try_run_case+0x170/0x3f0 [ 18.896092] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.896227] kthread+0x328/0x630 [ 18.896261] ret_from_fork+0x10/0x20 [ 18.896340] [ 18.896360] The buggy address belongs to the object at fff00000c669fa00 [ 18.896360] which belongs to the cache kmalloc-128 of size 128 [ 18.896430] The buggy address is located 0 bytes inside of [ 18.896430] freed 128-byte region [fff00000c669fa00, fff00000c669fa80) [ 18.897115] [ 18.897144] The buggy address belongs to the physical page: [ 18.897180] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10669f [ 18.897237] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.897331] page_type: f5(slab) [ 18.897372] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.897422] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.897464] page dumped because: kasan: bad access detected [ 18.897496] [ 18.897513] Memory state around the buggy address: [ 18.897777] fff00000c669f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.898166] fff00000c669f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.898504] >fff00000c669fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.898547] ^ [ 18.898607] fff00000c669fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.898650] fff00000c669fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 18.898742] ==================================================================
[ 13.141130] ================================================================== [ 13.141535] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.141791] Read of size 1 at addr ffff8881033ae600 by task kunit_try_catch/244 [ 13.142019] [ 13.142127] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 13.142183] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.142197] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.142227] Call Trace: [ 13.142242] <TASK> [ 13.142261] dump_stack_lvl+0x73/0xb0 [ 13.142292] print_report+0xd1/0x650 [ 13.142316] ? __virt_addr_valid+0x1db/0x2d0 [ 13.142344] ? mempool_uaf_helper+0x392/0x400 [ 13.142367] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.142393] ? mempool_uaf_helper+0x392/0x400 [ 13.142416] kasan_report+0x141/0x180 [ 13.142439] ? mempool_uaf_helper+0x392/0x400 [ 13.142467] __asan_report_load1_noabort+0x18/0x20 [ 13.142494] mempool_uaf_helper+0x392/0x400 [ 13.142518] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.142543] ? __kasan_check_write+0x18/0x20 [ 13.142563] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.142588] ? finish_task_switch.isra.0+0x153/0x700 [ 13.142616] mempool_kmalloc_uaf+0xef/0x140 [ 13.142639] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 13.142665] ? __pfx_mempool_kmalloc+0x10/0x10 [ 13.142691] ? __pfx_mempool_kfree+0x10/0x10 [ 13.142716] ? __pfx_read_tsc+0x10/0x10 [ 13.142740] ? ktime_get_ts64+0x86/0x230 [ 13.142765] kunit_try_run_case+0x1a5/0x480 [ 13.142793] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.142816] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.142842] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.142867] ? __kthread_parkme+0x82/0x180 [ 13.142890] ? preempt_count_sub+0x50/0x80 [ 13.142913] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.142938] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.142963] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.142988] kthread+0x337/0x6f0 [ 13.143007] ? trace_preempt_on+0x20/0xc0 [ 13.143463] ? __pfx_kthread+0x10/0x10 [ 13.143493] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.143769] ? calculate_sigpending+0x7b/0xa0 [ 13.143802] ? __pfx_kthread+0x10/0x10 [ 13.143906] ret_from_fork+0x116/0x1d0 [ 13.143931] ? __pfx_kthread+0x10/0x10 [ 13.143952] ret_from_fork_asm+0x1a/0x30 [ 13.143986] </TASK> [ 13.143998] [ 13.157168] Allocated by task 244: [ 13.157444] kasan_save_stack+0x45/0x70 [ 13.157845] kasan_save_track+0x18/0x40 [ 13.158013] kasan_save_alloc_info+0x3b/0x50 [ 13.158383] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.158631] remove_element+0x11e/0x190 [ 13.159040] mempool_alloc_preallocated+0x4d/0x90 [ 13.159266] mempool_uaf_helper+0x96/0x400 [ 13.159454] mempool_kmalloc_uaf+0xef/0x140 [ 13.159642] kunit_try_run_case+0x1a5/0x480 [ 13.159840] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.160077] kthread+0x337/0x6f0 [ 13.160247] ret_from_fork+0x116/0x1d0 [ 13.160414] ret_from_fork_asm+0x1a/0x30 [ 13.160588] [ 13.160684] Freed by task 244: [ 13.161197] kasan_save_stack+0x45/0x70 [ 13.161393] kasan_save_track+0x18/0x40 [ 13.161532] kasan_save_free_info+0x3f/0x60 [ 13.161682] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.161929] mempool_free+0x2ec/0x380 [ 13.162135] mempool_uaf_helper+0x11a/0x400 [ 13.162346] mempool_kmalloc_uaf+0xef/0x140 [ 13.162628] kunit_try_run_case+0x1a5/0x480 [ 13.162894] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.163095] kthread+0x337/0x6f0 [ 13.163238] ret_from_fork+0x116/0x1d0 [ 13.163434] ret_from_fork_asm+0x1a/0x30 [ 13.163630] [ 13.163730] The buggy address belongs to the object at ffff8881033ae600 [ 13.163730] which belongs to the cache kmalloc-128 of size 128 [ 13.164457] The buggy address is located 0 bytes inside of [ 13.164457] freed 128-byte region [ffff8881033ae600, ffff8881033ae680) [ 13.164855] [ 13.165152] The buggy address belongs to the physical page: [ 13.165414] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033ae [ 13.165815] flags: 0x200000000000000(node=0|zone=2) [ 13.166046] page_type: f5(slab) [ 13.166173] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.166495] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.166837] page dumped because: kasan: bad access detected [ 13.167278] [ 13.167370] Memory state around the buggy address: [ 13.167576] ffff8881033ae500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.167960] ffff8881033ae580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.168284] >ffff8881033ae600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.168541] ^ [ 13.168660] ffff8881033ae680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.168982] ffff8881033ae700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 13.169296] ================================================================== [ 13.208047] ================================================================== [ 13.208584] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.209057] Read of size 1 at addr ffff8881027e0240 by task kunit_try_catch/248 [ 13.209338] [ 13.209483] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 13.209541] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.209556] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.209605] Call Trace: [ 13.209619] <TASK> [ 13.209638] dump_stack_lvl+0x73/0xb0 [ 13.209673] print_report+0xd1/0x650 [ 13.209697] ? __virt_addr_valid+0x1db/0x2d0 [ 13.209724] ? mempool_uaf_helper+0x392/0x400 [ 13.209747] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.209772] ? mempool_uaf_helper+0x392/0x400 [ 13.209795] kasan_report+0x141/0x180 [ 13.209817] ? mempool_uaf_helper+0x392/0x400 [ 13.209844] __asan_report_load1_noabort+0x18/0x20 [ 13.209870] mempool_uaf_helper+0x392/0x400 [ 13.209958] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.209987] ? __pfx_sched_clock_cpu+0x10/0x10 [ 13.210013] ? finish_task_switch.isra.0+0x153/0x700 [ 13.210053] mempool_slab_uaf+0xea/0x140 [ 13.210078] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.210106] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.210153] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.210176] ? __pfx_read_tsc+0x10/0x10 [ 13.210199] ? ktime_get_ts64+0x86/0x230 [ 13.210226] kunit_try_run_case+0x1a5/0x480 [ 13.210253] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.210276] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.210304] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.210327] ? __kthread_parkme+0x82/0x180 [ 13.210349] ? preempt_count_sub+0x50/0x80 [ 13.210374] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.210398] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.210423] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.210450] kthread+0x337/0x6f0 [ 13.210469] ? trace_preempt_on+0x20/0xc0 [ 13.210495] ? __pfx_kthread+0x10/0x10 [ 13.210516] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.210538] ? calculate_sigpending+0x7b/0xa0 [ 13.210564] ? __pfx_kthread+0x10/0x10 [ 13.210586] ret_from_fork+0x116/0x1d0 [ 13.210605] ? __pfx_kthread+0x10/0x10 [ 13.210626] ret_from_fork_asm+0x1a/0x30 [ 13.210697] </TASK> [ 13.210711] [ 13.219675] Allocated by task 248: [ 13.220095] kasan_save_stack+0x45/0x70 [ 13.220319] kasan_save_track+0x18/0x40 [ 13.220517] kasan_save_alloc_info+0x3b/0x50 [ 13.220724] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.220899] remove_element+0x11e/0x190 [ 13.221048] mempool_alloc_preallocated+0x4d/0x90 [ 13.221345] mempool_uaf_helper+0x96/0x400 [ 13.221620] mempool_slab_uaf+0xea/0x140 [ 13.222102] kunit_try_run_case+0x1a5/0x480 [ 13.222578] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.222851] kthread+0x337/0x6f0 [ 13.222981] ret_from_fork+0x116/0x1d0 [ 13.223191] ret_from_fork_asm+0x1a/0x30 [ 13.223400] [ 13.223503] Freed by task 248: [ 13.223782] kasan_save_stack+0x45/0x70 [ 13.224003] kasan_save_track+0x18/0x40 [ 13.224154] kasan_save_free_info+0x3f/0x60 [ 13.224299] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.224500] mempool_free+0x2ec/0x380 [ 13.224753] mempool_uaf_helper+0x11a/0x400 [ 13.225141] mempool_slab_uaf+0xea/0x140 [ 13.225391] kunit_try_run_case+0x1a5/0x480 [ 13.225684] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.225950] kthread+0x337/0x6f0 [ 13.226172] ret_from_fork+0x116/0x1d0 [ 13.226394] ret_from_fork_asm+0x1a/0x30 [ 13.226597] [ 13.226726] The buggy address belongs to the object at ffff8881027e0240 [ 13.226726] which belongs to the cache test_cache of size 123 [ 13.227199] The buggy address is located 0 bytes inside of [ 13.227199] freed 123-byte region [ffff8881027e0240, ffff8881027e02bb) [ 13.227896] [ 13.228019] The buggy address belongs to the physical page: [ 13.228327] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027e0 [ 13.228732] flags: 0x200000000000000(node=0|zone=2) [ 13.229053] page_type: f5(slab) [ 13.229269] raw: 0200000000000000 ffff8881015c4b40 dead000000000122 0000000000000000 [ 13.229608] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 13.229998] page dumped because: kasan: bad access detected [ 13.230379] [ 13.230483] Memory state around the buggy address: [ 13.230718] ffff8881027e0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.231149] ffff8881027e0180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.231463] >ffff8881027e0200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.231923] ^ [ 13.232311] ffff8881027e0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.232840] ffff8881027e0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.233190] ==================================================================