Date: July 9, 2025, 2:07 p.m.

Environment: qemu-arm64, qemu-x86_64
qemu-arm64:

```text
[ 19.154223] ==================================================================
[ 19.154300] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 19.154374] Read of size 1 at addr fff00000c5a4ad00 by task kunit_try_catch/227
[ 19.154429]
[ 19.154470] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5 #1 PREEMPT
[ 19.154561] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 19.154593] Hardware name: linux,dummy-virt (DT)
[ 19.154626] Call trace:
[ 19.154652] show_stack+0x20/0x38 (C)
[ 19.154703] dump_stack_lvl+0x8c/0xd0
[ 19.154755] print_report+0x118/0x608
[ 19.154802] kasan_report+0xdc/0x128
[ 19.154848] __asan_report_load1_noabort+0x20/0x30
[ 19.155619] mempool_uaf_helper+0x314/0x340
[ 19.156900] mempool_kmalloc_uaf+0xc4/0x120
[ 19.157359] kunit_try_run_case+0x170/0x3f0
[ 19.157632] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.157711] kthread+0x328/0x630
[ 19.157758] ret_from_fork+0x10/0x20
[ 19.157817]
[ 19.157836] Allocated by task 227:
[ 19.157867] kasan_save_stack+0x3c/0x68
[ 19.157911] kasan_save_track+0x20/0x40
[ 19.158075] kasan_save_alloc_info+0x40/0x58
[ 19.158216] __kasan_mempool_unpoison_object+0x11c/0x180
[ 19.158319] remove_element+0x130/0x1f8
[ 19.158485] mempool_alloc_preallocated+0x58/0xc0
[ 19.158545] mempool_uaf_helper+0xa4/0x340
[ 19.158630] mempool_kmalloc_uaf+0xc4/0x120
[ 19.158673] kunit_try_run_case+0x170/0x3f0
[ 19.158829] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.158927] kthread+0x328/0x630
[ 19.159074] ret_from_fork+0x10/0x20
[ 19.159122]
[ 19.159157] Freed by task 227:
[ 19.159409] kasan_save_stack+0x3c/0x68
[ 19.159493] kasan_save_track+0x20/0x40
[ 19.159561] kasan_save_free_info+0x4c/0x78
[ 19.159678] __kasan_mempool_poison_object+0xc0/0x150
[ 19.159781] mempool_free+0x28c/0x328
[ 19.159934] mempool_uaf_helper+0x104/0x340
[ 19.160008] mempool_kmalloc_uaf+0xc4/0x120
[ 19.160116] kunit_try_run_case+0x170/0x3f0
[ 19.160157] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.160211] kthread+0x328/0x630
[ 19.160245] ret_from_fork+0x10/0x20
[ 19.160282]
[ 19.160301] The buggy address belongs to the object at fff00000c5a4ad00
[ 19.160301] which belongs to the cache kmalloc-128 of size 128
[ 19.160381] The buggy address is located 0 bytes inside of
[ 19.160381] freed 128-byte region [fff00000c5a4ad00, fff00000c5a4ad80)
[ 19.160452]
[ 19.160479] The buggy address belongs to the physical page:
[ 19.160528] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a4a
[ 19.160592] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.160646] page_type: f5(slab)
[ 19.160688] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.160740] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.160782] page dumped because: kasan: bad access detected
[ 19.160813]
[ 19.160832] Memory state around the buggy address:
[ 19.160864] fff00000c5a4ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.160917] fff00000c5a4ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.160960] >fff00000c5a4ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.161006] ^
[ 19.161034] fff00000c5a4ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.161076] fff00000c5a4ae00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.161125] ==================================================================
[ 19.184677] ==================================================================
[ 19.184789] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 19.184858] Read of size 1 at addr fff00000c6c1d240 by task kunit_try_catch/231
[ 19.184917]
[ 19.185158] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5 #1 PREEMPT
[ 19.185261] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 19.185324] Hardware name: linux,dummy-virt (DT)
[ 19.185360] Call trace:
[ 19.185442] show_stack+0x20/0x38 (C)
[ 19.185538] dump_stack_lvl+0x8c/0xd0
[ 19.186009] print_report+0x118/0x608
[ 19.186159] kasan_report+0xdc/0x128
[ 19.186211] __asan_report_load1_noabort+0x20/0x30
[ 19.186380] mempool_uaf_helper+0x314/0x340
[ 19.186452] mempool_slab_uaf+0xc0/0x118
[ 19.186639] kunit_try_run_case+0x170/0x3f0
[ 19.186745] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.186869] kthread+0x328/0x630
[ 19.186976] ret_from_fork+0x10/0x20
[ 19.187078]
[ 19.187296] Allocated by task 231:
[ 19.187422] kasan_save_stack+0x3c/0x68
[ 19.187543] kasan_save_track+0x20/0x40
[ 19.187691] kasan_save_alloc_info+0x40/0x58
[ 19.187749] __kasan_mempool_unpoison_object+0xbc/0x180
[ 19.188144] remove_element+0x16c/0x1f8
[ 19.188252] mempool_alloc_preallocated+0x58/0xc0
[ 19.188329] mempool_uaf_helper+0xa4/0x340
[ 19.188617] mempool_slab_uaf+0xc0/0x118
[ 19.188765] kunit_try_run_case+0x170/0x3f0
[ 19.188883] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.189039] kthread+0x328/0x630
[ 19.189110] ret_from_fork+0x10/0x20
[ 19.189357]
[ 19.189477] Freed by task 231:
[ 19.189645] kasan_save_stack+0x3c/0x68
[ 19.189763] kasan_save_track+0x20/0x40
[ 19.189902] kasan_save_free_info+0x4c/0x78
[ 19.189978] __kasan_mempool_poison_object+0xc0/0x150
[ 19.190019] mempool_free+0x28c/0x328
[ 19.190306] mempool_uaf_helper+0x104/0x340
[ 19.190380] mempool_slab_uaf+0xc0/0x118
[ 19.190521] kunit_try_run_case+0x170/0x3f0
[ 19.190601] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.190652] kthread+0x328/0x630
[ 19.190908] ret_from_fork+0x10/0x20
[ 19.191021]
[ 19.191132] The buggy address belongs to the object at fff00000c6c1d240
[ 19.191132] which belongs to the cache test_cache of size 123
[ 19.191586] The buggy address is located 0 bytes inside of
[ 19.191586] freed 123-byte region [fff00000c6c1d240, fff00000c6c1d2bb)
[ 19.191687]
[ 19.191824] The buggy address belongs to the physical page:
[ 19.191919] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106c1d
[ 19.192069] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.192139] page_type: f5(slab)
[ 19.192180] raw: 0bfffe0000000000 fff00000c582bdc0 dead000000000122 0000000000000000
[ 19.192418] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 19.192594] page dumped because: kasan: bad access detected
[ 19.192702]
[ 19.192864] Memory state around the buggy address:
[ 19.192961] fff00000c6c1d100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 19.193233] fff00000c6c1d180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.193287] >fff00000c6c1d200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 19.193376] ^
[ 19.193580] fff00000c6c1d280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 19.193680] fff00000c6c1d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.193819] ==================================================================
```
qemu-x86_64:

```text
[ 14.285017] ==================================================================
[ 14.286444] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.287725] Read of size 1 at addr ffff8881029c7500 by task kunit_try_catch/244
[ 14.288630]
[ 14.288736] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.288794] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.288807] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.288829] Call Trace:
[ 14.288843] <TASK>
[ 14.288861] dump_stack_lvl+0x73/0xb0
[ 14.288896] print_report+0xd1/0x650
[ 14.288919] ? __virt_addr_valid+0x1db/0x2d0
[ 14.288944] ? mempool_uaf_helper+0x392/0x400
[ 14.288966] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.288990] ? mempool_uaf_helper+0x392/0x400
[ 14.289013] kasan_report+0x141/0x180
[ 14.289034] ? mempool_uaf_helper+0x392/0x400
[ 14.289061] __asan_report_load1_noabort+0x18/0x20
[ 14.289086] mempool_uaf_helper+0x392/0x400
[ 14.289108] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.289132] ? __kasan_check_write+0x18/0x20
[ 14.289152] ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.289175] ? finish_task_switch.isra.0+0x153/0x700
[ 14.289201] mempool_kmalloc_uaf+0xef/0x140
[ 14.289223] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 14.289248] ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.289274] ? __pfx_mempool_kfree+0x10/0x10
[ 14.289298] ? __pfx_read_tsc+0x10/0x10
[ 14.289319] ? ktime_get_ts64+0x86/0x230
[ 14.289343] kunit_try_run_case+0x1a5/0x480
[ 14.289368] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.289391] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.289416] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.289440] ? __kthread_parkme+0x82/0x180
[ 14.289460] ? preempt_count_sub+0x50/0x80
[ 14.289483] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.289507] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.289531] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.289556] kthread+0x337/0x6f0
[ 14.289575] ? trace_preempt_on+0x20/0xc0
[ 14.289610] ? __pfx_kthread+0x10/0x10
[ 14.289631] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.289651] ? calculate_sigpending+0x7b/0xa0
[ 14.289676] ? __pfx_kthread+0x10/0x10
[ 14.289696] ret_from_fork+0x116/0x1d0
[ 14.289715] ? __pfx_kthread+0x10/0x10
[ 14.289735] ret_from_fork_asm+0x1a/0x30
[ 14.289766] </TASK>
[ 14.289777]
[ 14.306104] Allocated by task 244:
[ 14.306256] kasan_save_stack+0x45/0x70
[ 14.306416] kasan_save_track+0x18/0x40
[ 14.306552] kasan_save_alloc_info+0x3b/0x50
[ 14.306926] __kasan_mempool_unpoison_object+0x1a9/0x200
[ 14.307409] remove_element+0x11e/0x190
[ 14.307813] mempool_alloc_preallocated+0x4d/0x90
[ 14.308490] mempool_uaf_helper+0x96/0x400
[ 14.308895] mempool_kmalloc_uaf+0xef/0x140
[ 14.309384] kunit_try_run_case+0x1a5/0x480
[ 14.309838] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.310442] kthread+0x337/0x6f0
[ 14.310783] ret_from_fork+0x116/0x1d0
[ 14.311250] ret_from_fork_asm+0x1a/0x30
[ 14.311644]
[ 14.311816] Freed by task 244:
[ 14.312126] kasan_save_stack+0x45/0x70
[ 14.312561] kasan_save_track+0x18/0x40
[ 14.313031] kasan_save_free_info+0x3f/0x60
[ 14.313429] __kasan_mempool_poison_object+0x131/0x1d0
[ 14.313990] mempool_free+0x2ec/0x380
[ 14.314371] mempool_uaf_helper+0x11a/0x400
[ 14.314520] mempool_kmalloc_uaf+0xef/0x140
[ 14.314675] kunit_try_run_case+0x1a5/0x480
[ 14.314871] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.315355] kthread+0x337/0x6f0
[ 14.315680] ret_from_fork+0x116/0x1d0
[ 14.316129] ret_from_fork_asm+0x1a/0x30
[ 14.316510]
[ 14.316677] The buggy address belongs to the object at ffff8881029c7500
[ 14.316677] which belongs to the cache kmalloc-128 of size 128
[ 14.317632] The buggy address is located 0 bytes inside of
[ 14.317632] freed 128-byte region [ffff8881029c7500, ffff8881029c7580)
[ 14.318274]
[ 14.318457] The buggy address belongs to the physical page:
[ 14.319055] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029c7
[ 14.319821] flags: 0x200000000000000(node=0|zone=2)
[ 14.320405] page_type: f5(slab)
[ 14.320536] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.321045] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.321900] page dumped because: kasan: bad access detected
[ 14.322331]
[ 14.322444] Memory state around the buggy address:
[ 14.322685] ffff8881029c7400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.323242] ffff8881029c7480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.323930] >ffff8881029c7500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.324247] ^
[ 14.324364] ffff8881029c7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.324578] ffff8881029c7600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 14.325060] ==================================================================
[ 14.357720] ==================================================================
[ 14.358508] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.359525] Read of size 1 at addr ffff8881029cc240 by task kunit_try_catch/248
[ 14.360322]
[ 14.360493] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.360737] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.360754] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.360776] Call Trace:
[ 14.360790] <TASK>
[ 14.360809] dump_stack_lvl+0x73/0xb0
[ 14.360844] print_report+0xd1/0x650
[ 14.360867] ? __virt_addr_valid+0x1db/0x2d0
[ 14.360893] ? mempool_uaf_helper+0x392/0x400
[ 14.360915] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.360938] ? mempool_uaf_helper+0x392/0x400
[ 14.360960] kasan_report+0x141/0x180
[ 14.360981] ? mempool_uaf_helper+0x392/0x400
[ 14.361008] __asan_report_load1_noabort+0x18/0x20
[ 14.361033] mempool_uaf_helper+0x392/0x400
[ 14.361056] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.361081] ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.361106] ? finish_task_switch.isra.0+0x153/0x700
[ 14.361133] mempool_slab_uaf+0xea/0x140
[ 14.361156] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 14.361181] ? __pfx_mempool_alloc_slab+0x10/0x10
[ 14.361208] ? __pfx_mempool_free_slab+0x10/0x10
[ 14.361233] ? __pfx_read_tsc+0x10/0x10
[ 14.361256] ? ktime_get_ts64+0x86/0x230
[ 14.361281] kunit_try_run_case+0x1a5/0x480
[ 14.361306] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.361329] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.361355] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.361379] ? __kthread_parkme+0x82/0x180
[ 14.361401] ? preempt_count_sub+0x50/0x80
[ 14.361424] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.361448] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.361473] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.361498] kthread+0x337/0x6f0
[ 14.361516] ? trace_preempt_on+0x20/0xc0
[ 14.361540] ? __pfx_kthread+0x10/0x10
[ 14.361560] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.361582] ? calculate_sigpending+0x7b/0xa0
[ 14.361619] ? __pfx_kthread+0x10/0x10
[ 14.361640] ret_from_fork+0x116/0x1d0
[ 14.361659] ? __pfx_kthread+0x10/0x10
[ 14.361679] ret_from_fork_asm+0x1a/0x30
[ 14.361711] </TASK>
[ 14.361721]
[ 14.375533] Allocated by task 248:
[ 14.375900] kasan_save_stack+0x45/0x70
[ 14.376202] kasan_save_track+0x18/0x40
[ 14.376611] kasan_save_alloc_info+0x3b/0x50
[ 14.377084] __kasan_mempool_unpoison_object+0x1bb/0x200
[ 14.377609] remove_element+0x11e/0x190
[ 14.377753] mempool_alloc_preallocated+0x4d/0x90
[ 14.378211] mempool_uaf_helper+0x96/0x400
[ 14.378694] mempool_slab_uaf+0xea/0x140
[ 14.379196] kunit_try_run_case+0x1a5/0x480
[ 14.379554] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.379746] kthread+0x337/0x6f0
[ 14.380157] ret_from_fork+0x116/0x1d0
[ 14.380538] ret_from_fork_asm+0x1a/0x30
[ 14.380962]
[ 14.381152] Freed by task 248:
[ 14.381514] kasan_save_stack+0x45/0x70
[ 14.381736] kasan_save_track+0x18/0x40
[ 14.382031] kasan_save_free_info+0x3f/0x60
[ 14.382523] __kasan_mempool_poison_object+0x131/0x1d0
[ 14.383044] mempool_free+0x2ec/0x380
[ 14.383302] mempool_uaf_helper+0x11a/0x400
[ 14.383643] mempool_slab_uaf+0xea/0x140
[ 14.384093] kunit_try_run_case+0x1a5/0x480
[ 14.384427] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.384617] kthread+0x337/0x6f0
[ 14.384737] ret_from_fork+0x116/0x1d0
[ 14.384965] ret_from_fork_asm+0x1a/0x30
[ 14.385112]
[ 14.385183] The buggy address belongs to the object at ffff8881029cc240
[ 14.385183] which belongs to the cache test_cache of size 123
[ 14.385545] The buggy address is located 0 bytes inside of
[ 14.385545] freed 123-byte region [ffff8881029cc240, ffff8881029cc2bb)
[ 14.386027]
[ 14.386106] The buggy address belongs to the physical page:
[ 14.386358] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029cc
[ 14.387021] flags: 0x200000000000000(node=0|zone=2)
[ 14.387246] page_type: f5(slab)
[ 14.387414] raw: 0200000000000000 ffff8881029c4140 dead000000000122 0000000000000000
[ 14.387764] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 14.388607] page dumped because: kasan: bad access detected
[ 14.388802]
[ 14.388873] Memory state around the buggy address:
[ 14.389031] ffff8881029cc100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.389252] ffff8881029cc180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.389469] >ffff8881029cc200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 14.389693] ^
[ 14.389861] ffff8881029cc280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.390078] ffff8881029cc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.390290] ==================================================================
```