Hay
Date
July 5, 2025, 5:09 p.m.

Environment
qemu-arm64
qemu-x86_64

[   20.169699] ==================================================================
[   20.169778] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   20.169837] Read of size 1 at addr fff00000c7823240 by task kunit_try_catch/231
[   20.169900] 
[   20.169938] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   20.170020] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.170045] Hardware name: linux,dummy-virt (DT)
[   20.170077] Call trace:
[   20.170100]  show_stack+0x20/0x38 (C)
[   20.170148]  dump_stack_lvl+0x8c/0xd0
[   20.170195]  print_report+0x118/0x608
[   20.170241]  kasan_report+0xdc/0x128
[   20.170285]  __asan_report_load1_noabort+0x20/0x30
[   20.170335]  mempool_uaf_helper+0x314/0x340
[   20.170381]  mempool_slab_uaf+0xc0/0x118
[   20.170424]  kunit_try_run_case+0x170/0x3f0
[   20.170473]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.170524]  kthread+0x328/0x630
[   20.170565]  ret_from_fork+0x10/0x20
[   20.170610] 
[   20.170630] Allocated by task 231:
[   20.170658]  kasan_save_stack+0x3c/0x68
[   20.170700]  kasan_save_track+0x20/0x40
[   20.170738]  kasan_save_alloc_info+0x40/0x58
[   20.170895]  __kasan_mempool_unpoison_object+0xbc/0x180
[   20.170941]  remove_element+0x16c/0x1f8
[   20.170979]  mempool_alloc_preallocated+0x58/0xc0
[   20.171018]  mempool_uaf_helper+0xa4/0x340
[   20.171055]  mempool_slab_uaf+0xc0/0x118
[   20.171092]  kunit_try_run_case+0x170/0x3f0
[   20.171130]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.171174]  kthread+0x328/0x630
[   20.171206]  ret_from_fork+0x10/0x20
[   20.171242] 
[   20.171261] Freed by task 231:
[   20.171288]  kasan_save_stack+0x3c/0x68
[   20.171326]  kasan_save_track+0x20/0x40
[   20.171363]  kasan_save_free_info+0x4c/0x78
[   20.171401]  __kasan_mempool_poison_object+0xc0/0x150
[   20.171449]  mempool_free+0x28c/0x328
[   20.171485]  mempool_uaf_helper+0x104/0x340
[   20.171522]  mempool_slab_uaf+0xc0/0x118
[   20.171558]  kunit_try_run_case+0x170/0x3f0
[   20.171596]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.171639]  kthread+0x328/0x630
[   20.171672]  ret_from_fork+0x10/0x20
[   20.171708] 
[   20.171727] The buggy address belongs to the object at fff00000c7823240
[   20.171727]  which belongs to the cache test_cache of size 123
[   20.171785] The buggy address is located 0 bytes inside of
[   20.171785]  freed 123-byte region [fff00000c7823240, fff00000c78232bb)
[   20.171846] 
[   20.171875] The buggy address belongs to the physical page:
[   20.171906] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107823
[   20.171956] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.172002] page_type: f5(slab)
[   20.172040] raw: 0bfffe0000000000 fff00000c5693500 dead000000000122 0000000000000000
[   20.172089] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   20.172128] page dumped because: kasan: bad access detected
[   20.172157] 
[   20.172176] Memory state around the buggy address:
[   20.172205]  fff00000c7823100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.172248]  fff00000c7823180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.172289] >fff00000c7823200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   20.172326]                                            ^
[   20.172358]  fff00000c7823280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.172399]  fff00000c7823300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.172436] ==================================================================
[   20.088913] ==================================================================
[   20.088978] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   20.089048] Read of size 1 at addr fff00000c77e8300 by task kunit_try_catch/227
[   20.089336] 
[   20.089402] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   20.089648] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.089674] Hardware name: linux,dummy-virt (DT)
[   20.089842] Call trace:
[   20.090172]  show_stack+0x20/0x38 (C)
[   20.090322]  dump_stack_lvl+0x8c/0xd0
[   20.090372]  print_report+0x118/0x608
[   20.090969]  kasan_report+0xdc/0x128
[   20.091099]  __asan_report_load1_noabort+0x20/0x30
[   20.091162]  mempool_uaf_helper+0x314/0x340
[   20.091208]  mempool_kmalloc_uaf+0xc4/0x120
[   20.091508]  kunit_try_run_case+0x170/0x3f0
[   20.091672]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.091778]  kthread+0x328/0x630
[   20.091822]  ret_from_fork+0x10/0x20
[   20.091879] 
[   20.092191] Allocated by task 227:
[   20.092229]  kasan_save_stack+0x3c/0x68
[   20.092275]  kasan_save_track+0x20/0x40
[   20.092693]  kasan_save_alloc_info+0x40/0x58
[   20.092739]  __kasan_mempool_unpoison_object+0x11c/0x180
[   20.092783]  remove_element+0x130/0x1f8
[   20.092821]  mempool_alloc_preallocated+0x58/0xc0
[   20.093023]  mempool_uaf_helper+0xa4/0x340
[   20.093294]  mempool_kmalloc_uaf+0xc4/0x120
[   20.093697]  kunit_try_run_case+0x170/0x3f0
[   20.093883]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.093987]  kthread+0x328/0x630
[   20.094019]  ret_from_fork+0x10/0x20
[   20.094063] 
[   20.094082] Freed by task 227:
[   20.094110]  kasan_save_stack+0x3c/0x68
[   20.094148]  kasan_save_track+0x20/0x40
[   20.094325]  kasan_save_free_info+0x4c/0x78
[   20.094554]  __kasan_mempool_poison_object+0xc0/0x150
[   20.094600]  mempool_free+0x28c/0x328
[   20.095014]  mempool_uaf_helper+0x104/0x340
[   20.095123]  mempool_kmalloc_uaf+0xc4/0x120
[   20.095194]  kunit_try_run_case+0x170/0x3f0
[   20.095240]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.095284]  kthread+0x328/0x630
[   20.095337]  ret_from_fork+0x10/0x20
[   20.095373] 
[   20.095395] The buggy address belongs to the object at fff00000c77e8300
[   20.095395]  which belongs to the cache kmalloc-128 of size 128
[   20.095489] The buggy address is located 0 bytes inside of
[   20.095489]  freed 128-byte region [fff00000c77e8300, fff00000c77e8380)
[   20.095824] 
[   20.095851] The buggy address belongs to the physical page:
[   20.095894] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e8
[   20.095947] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.095995] page_type: f5(slab)
[   20.096044] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   20.096300] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.096348] page dumped because: kasan: bad access detected
[   20.096642] 
[   20.096893] Memory state around the buggy address:
[   20.097103]  fff00000c77e8200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.097151]  fff00000c77e8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.097193] >fff00000c77e8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.097231]                    ^
[   20.097258]  fff00000c77e8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.097300]  fff00000c77e8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.097577] ==================================================================

[   13.109422] ==================================================================
[   13.109899] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.110255] Read of size 1 at addr ffff8881031a0d00 by task kunit_try_catch/245
[   13.111064] 
[   13.111195] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   13.111244] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.111257] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.111280] Call Trace:
[   13.111292]  <TASK>
[   13.111307]  dump_stack_lvl+0x73/0xb0
[   13.111338]  print_report+0xd1/0x650
[   13.111360]  ? __virt_addr_valid+0x1db/0x2d0
[   13.111383]  ? mempool_uaf_helper+0x392/0x400
[   13.111405]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.111428]  ? mempool_uaf_helper+0x392/0x400
[   13.111450]  kasan_report+0x141/0x180
[   13.111487]  ? mempool_uaf_helper+0x392/0x400
[   13.111514]  __asan_report_load1_noabort+0x18/0x20
[   13.111538]  mempool_uaf_helper+0x392/0x400
[   13.111561]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.111582]  ? update_load_avg+0x1be/0x21b0
[   13.111606]  ? update_load_avg+0x1be/0x21b0
[   13.111627]  ? update_curr+0x80/0x810
[   13.111649]  ? finish_task_switch.isra.0+0x153/0x700
[   13.111674]  mempool_kmalloc_uaf+0xef/0x140
[   13.111697]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   13.111722]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.111746]  ? __pfx_mempool_kfree+0x10/0x10
[   13.111772]  ? __pfx_read_tsc+0x10/0x10
[   13.111792]  ? ktime_get_ts64+0x86/0x230
[   13.111817]  kunit_try_run_case+0x1a5/0x480
[   13.111840]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.111862]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.111886]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.111911]  ? __kthread_parkme+0x82/0x180
[   13.111941]  ? preempt_count_sub+0x50/0x80
[   13.111964]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.112012]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.112035]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.112058]  kthread+0x337/0x6f0
[   13.112077]  ? trace_preempt_on+0x20/0xc0
[   13.112100]  ? __pfx_kthread+0x10/0x10
[   13.112121]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.112141]  ? calculate_sigpending+0x7b/0xa0
[   13.112166]  ? __pfx_kthread+0x10/0x10
[   13.112188]  ret_from_fork+0x116/0x1d0
[   13.112205]  ? __pfx_kthread+0x10/0x10
[   13.112226]  ret_from_fork_asm+0x1a/0x30
[   13.112257]  </TASK>
[   13.112268] 
[   13.121175] Allocated by task 245:
[   13.121386]  kasan_save_stack+0x45/0x70
[   13.121612]  kasan_save_track+0x18/0x40
[   13.121947]  kasan_save_alloc_info+0x3b/0x50
[   13.122162]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   13.122435]  remove_element+0x11e/0x190
[   13.122591]  mempool_alloc_preallocated+0x4d/0x90
[   13.122749]  mempool_uaf_helper+0x96/0x400
[   13.122900]  mempool_kmalloc_uaf+0xef/0x140
[   13.123121]  kunit_try_run_case+0x1a5/0x480
[   13.123328]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.123751]  kthread+0x337/0x6f0
[   13.123875]  ret_from_fork+0x116/0x1d0
[   13.124008]  ret_from_fork_asm+0x1a/0x30
[   13.124147] 
[   13.124219] Freed by task 245:
[   13.124483]  kasan_save_stack+0x45/0x70
[   13.124682]  kasan_save_track+0x18/0x40
[   13.124880]  kasan_save_free_info+0x3f/0x60
[   13.125391]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.125664]  mempool_free+0x2ec/0x380
[   13.125867]  mempool_uaf_helper+0x11a/0x400
[   13.126032]  mempool_kmalloc_uaf+0xef/0x140
[   13.126242]  kunit_try_run_case+0x1a5/0x480
[   13.126643]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.126876]  kthread+0x337/0x6f0
[   13.127052]  ret_from_fork+0x116/0x1d0
[   13.127197]  ret_from_fork_asm+0x1a/0x30
[   13.127466] 
[   13.127559] The buggy address belongs to the object at ffff8881031a0d00
[   13.127559]  which belongs to the cache kmalloc-128 of size 128
[   13.127921] The buggy address is located 0 bytes inside of
[   13.127921]  freed 128-byte region [ffff8881031a0d00, ffff8881031a0d80)
[   13.128738] 
[   13.128943] The buggy address belongs to the physical page:
[   13.129325] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031a0
[   13.129739] flags: 0x200000000000000(node=0|zone=2)
[   13.129957] page_type: f5(slab)
[   13.130109] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.130466] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.130817] page dumped because: kasan: bad access detected
[   13.130995] 
[   13.131067] Memory state around the buggy address:
[   13.131437]  ffff8881031a0c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.131743]  ffff8881031a0c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.132048] >ffff8881031a0d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.132420]                    ^
[   13.132595]  ffff8881031a0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.132937]  ffff8881031a0e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.133153] ==================================================================
[   13.162342] ==================================================================
[   13.163656] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.164133] Read of size 1 at addr ffff8881031bf240 by task kunit_try_catch/249
[   13.164792] 
[   13.164909] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   13.164989] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.165002] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.165108] Call Trace:
[   13.165125]  <TASK>
[   13.165142]  dump_stack_lvl+0x73/0xb0
[   13.165172]  print_report+0xd1/0x650
[   13.165373]  ? __virt_addr_valid+0x1db/0x2d0
[   13.165408]  ? mempool_uaf_helper+0x392/0x400
[   13.165431]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.165467]  ? mempool_uaf_helper+0x392/0x400
[   13.165490]  kasan_report+0x141/0x180
[   13.165513]  ? mempool_uaf_helper+0x392/0x400
[   13.165541]  __asan_report_load1_noabort+0x18/0x20
[   13.165565]  mempool_uaf_helper+0x392/0x400
[   13.165588]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.165612]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.165634]  ? finish_task_switch.isra.0+0x153/0x700
[   13.165659]  mempool_slab_uaf+0xea/0x140
[   13.165682]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.165707]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.165727]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.165749]  ? __pfx_read_tsc+0x10/0x10
[   13.165770]  ? ktime_get_ts64+0x86/0x230
[   13.165794]  kunit_try_run_case+0x1a5/0x480
[   13.165819]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.165841]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.165866]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.165888]  ? __kthread_parkme+0x82/0x180
[   13.165909]  ? preempt_count_sub+0x50/0x80
[   13.165931]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.165955]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.165978]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.166000]  kthread+0x337/0x6f0
[   13.166020]  ? trace_preempt_on+0x20/0xc0
[   13.166042]  ? __pfx_kthread+0x10/0x10
[   13.166062]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.166083]  ? calculate_sigpending+0x7b/0xa0
[   13.166106]  ? __pfx_kthread+0x10/0x10
[   13.166128]  ret_from_fork+0x116/0x1d0
[   13.166147]  ? __pfx_kthread+0x10/0x10
[   13.166168]  ret_from_fork_asm+0x1a/0x30
[   13.166218]  </TASK>
[   13.166234] 
[   13.178629] Allocated by task 249:
[   13.178928]  kasan_save_stack+0x45/0x70
[   13.179215]  kasan_save_track+0x18/0x40
[   13.179366]  kasan_save_alloc_info+0x3b/0x50
[   13.179745]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.180125]  remove_element+0x11e/0x190
[   13.180394]  mempool_alloc_preallocated+0x4d/0x90
[   13.180772]  mempool_uaf_helper+0x96/0x400
[   13.181102]  mempool_slab_uaf+0xea/0x140
[   13.181345]  kunit_try_run_case+0x1a5/0x480
[   13.181916]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.182171]  kthread+0x337/0x6f0
[   13.182650]  ret_from_fork+0x116/0x1d0
[   13.182863]  ret_from_fork_asm+0x1a/0x30
[   13.183015] 
[   13.183357] Freed by task 249:
[   13.183649]  kasan_save_stack+0x45/0x70
[   13.183931]  kasan_save_track+0x18/0x40
[   13.184173]  kasan_save_free_info+0x3f/0x60
[   13.184577]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.184979]  mempool_free+0x2ec/0x380
[   13.185483]  mempool_uaf_helper+0x11a/0x400
[   13.185698]  mempool_slab_uaf+0xea/0x140
[   13.186116]  kunit_try_run_case+0x1a5/0x480
[   13.186540]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.186958]  kthread+0x337/0x6f0
[   13.187129]  ret_from_fork+0x116/0x1d0
[   13.187539]  ret_from_fork_asm+0x1a/0x30
[   13.187754] 
[   13.187837] The buggy address belongs to the object at ffff8881031bf240
[   13.187837]  which belongs to the cache test_cache of size 123
[   13.188634] The buggy address is located 0 bytes inside of
[   13.188634]  freed 123-byte region [ffff8881031bf240, ffff8881031bf2bb)
[   13.189335] 
[   13.189597] The buggy address belongs to the physical page:
[   13.190063] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031bf
[   13.190669] flags: 0x200000000000000(node=0|zone=2)
[   13.191041] page_type: f5(slab)
[   13.191219] raw: 0200000000000000 ffff888100a55640 dead000000000122 0000000000000000
[   13.191658] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.192134] page dumped because: kasan: bad access detected
[   13.192563] 
[   13.192668] Memory state around the buggy address:
[   13.192998]  ffff8881031bf100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.193680]  ffff8881031bf180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.193976] >ffff8881031bf200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.194332]                                            ^
[   13.194741]  ffff8881031bf280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.195096]  ffff8881031bf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.195532] ==================================================================
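Reading the four reports above: each has the same shape. mempool_uaf_helper takes an element from a mempool (mempool_alloc_preallocated), returns it with mempool_free, and then reads one byte of it, which KASAN flags as slab-use-after-free in both the kmalloc-128 and the test_cache variants, on arm64 and x86_64 alike; the [N]=TEST taint and the kunit_try_catch task show the reports come from a KUnit run rather than from ordinary kernel code. The evidence is in the rows under "Memory state around the buggy address": each shadow byte covers an 8-byte granule, fa marks the first granule of a freed slab object (it holds the free-track metadata), fb the rest of a freed object, fc slab redzone, and the ^ sits under the granule containing the faulting address. The C program below is an added example for this page (it is not kernel code and not from the test log) that parses those pieces of a report, computes the granule from the fault address and the ">" row, decodes its shadow byte using the encodings from mm/kasan/kasan.h, and checks that the caret column and the header's bug type agree with it. The function names and the embedded sample lines (copied from the two arm64 reports) are my own; the caret column rule (19 columns of ">address: " plus 3 per granule) matches how the kernel lays out that line and is stated here as an assumption.

```c
/* kasan_shadow_decode.c: locate the faulting granule in a generic-KASAN report and
 * decode its shadow byte.  Added example for this page, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE   8    /* bytes of memory per shadow byte */
#define SHADOW_PER_ROW  16   /* shadow bytes per "Memory state" row */
#define ROW_TEXT_OFFSET 19   /* strlen(">fff00000c7823200: "): column of byte 0 */

struct kasan_fault {
    char     bug_type[48];          /* from "BUG: KASAN: <type> in <func>" */
    uint64_t addr, row_base;        /* "at addr <hex>"; base address of the '>' row */
    uint8_t  row[SHADOW_PER_ROW], shadow;
    int      index, caret_col;      /* granule of addr in the row; column of '^' or -1 */
};

/* Shadow encodings as defined in mm/kasan/kasan.h (generic mode). */
const char *kasan_shadow_bug_type(uint8_t s)
{
    if (s == 0x00) return "addressable";
    if (s <= 0x07) return "out-of-bounds";              /* only the first s bytes valid */
    switch (s) {
    case 0xfa: case 0xfb: return "slab-use-after-free"; /* SLAB_FREETRACK, SLAB_FREE */
    case 0xfc: case 0xfe: return "slab-out-of-bounds";  /* SLAB_REDZONE, PAGE_REDZONE */
    case 0xf9:            return "global-out-of-bounds";/* GLOBAL_REDZONE */
    case 0xf1: case 0xf2: case 0xf3: case 0xf4:
                          return "stack-out-of-bounds"; /* STACK_LEFT/MID/RIGHT/PARTIAL */
    case 0xff:            return "use-after-free";      /* PAGE_FREE */
    default:              return "unknown";
    }
}

/* Skip the "[   20.1697] " printk prefix, if present. */
static const char *body_of(const char *l) { const char *p = strstr(l, "] "); return p ? p + 2 : l; }

/* Needs the BUG: line, the "at addr" line and the '>' row; returns 0 on success. */
int kasan_parse_report(const char *report, struct kasan_fault *f)
{
    int have = 0;                                  /* 1: bug type, 2: addr, 4: row */
    char buf[200];
    memset(f, 0, sizeof *f);
    f->index = f->caret_col = -1;
    while (*report) {
        size_t len = strcspn(report, "\n");
        const char *body, *p;
        char *end;
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, report, len);
        buf[len] = '\0';
        report += len + (report[len] == '\n');
        body = body_of(buf);
        if ((p = strstr(body, "BUG: KASAN: "))) {
            p += 12;                               /* type ends before " in <func>" */
            snprintf(f->bug_type, sizeof f->bug_type, "%.*s", (int)strcspn(p, " "), p);
            have |= 1;
        } else if ((p = strstr(body, " at addr "))) {
            f->addr = strtoull(p + 9, NULL, 16);
            have |= 2;
        } else if (body[0] == '>' && !(have & 4)) {
            f->row_base = strtoull(body + 1, &end, 16);
            if (*end++ != ':') return -1;
            for (int i = 0; i < SHADOW_PER_ROW; i++)
                f->row[i] = (uint8_t)strtoul(end, &end, 16);
            have |= 4;
        } else if ((have & 4) && f->caret_col < 0 && (p = strchr(body, '^'))) {
            f->caret_col = (int)(p - body);        /* the line right after the row */
        }
    }
    if (have != 7 || f->addr < f->row_base ||
        f->addr - f->row_base >= KASAN_GRANULE * SHADOW_PER_ROW)
        return -1;
    f->index = (int)((f->addr - f->row_base) / KASAN_GRANULE);
    f->shadow = f->row[f->index];
    return 0;
}

/* The kernel prints '^' at column ROW_TEXT_OFFSET + 3 * index ("xx " per granule). */
int kasan_caret_consistent(const struct kasan_fault *f)
{
    return f->caret_col == ROW_TEXT_OFFSET + 3 * f->index;
}

/* Constructed input: the lines the parser needs, copied from the two arm64 reports. */
const char sample_slab_uaf[] =
    "[   20.169778] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340\n"
    "[   20.169837] Read of size 1 at addr fff00000c7823240 by task kunit_try_catch/231\n"
    "[   20.172289] >fff00000c7823200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n"
    "[   20.172326] " "          " "          " "          " "          " "   ^\n"; /* 43 spaces */
const char sample_kmalloc_uaf[] =
    "[   20.088978] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340\n"
    "[   20.089048] Read of size 1 at addr fff00000c77e8300 by task kunit_try_catch/227\n"
    "[   20.097193] >fff00000c77e8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "[   20.097231] " "          " "         ^\n";                                   /* 19 spaces */

int main(void)
{
    struct kasan_fault f;
    const char *samples[] = { sample_slab_uaf, sample_kmalloc_uaf };
    for (int i = 0; i < 2; i++) {
        if (kasan_parse_report(samples[i], &f)) return 1;
        printf("%s at %llx: granule %d shadow 0x%02x -> %s, caret %s\n", f.bug_type,
               (unsigned long long)f.addr, f.index, f.shadow, kasan_shadow_bug_type(f.shadow),
               kasan_caret_consistent(&f) ? "ok" : "MISMATCH");
    }
    return 0;
}
```

For the slab_uaf report the fault address fff00000c7823240 is 0x40 bytes past the ">" row base, so it is granule 8, whose shadow byte is fa: the first granule of a freed test_cache object, which is why the header says slab-use-after-free and why the caret sits 43 columns in. For the kmalloc_uaf report the address is the row base itself, granule 0, again fa. The same decoder applies to a report where the caret lands on fc (slab redzone), which would indicate an out-of-bounds access rather than a use-after-free, and a header that disagrees with the shadow byte under the caret is a sign the log was truncated or interleaved with another CPU's output.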