Hay
Date: July 8, 2025, 7:07 p.m.

Environment: qemu-arm64, qemu-x86_64

[   21.360833] ==================================================================
[   21.361228] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   21.361281] Read of size 1 at addr fff00000c571e240 by task kunit_try_catch/231
[   21.361332] 
[   21.361363] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   21.361445] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.361471] Hardware name: linux,dummy-virt (DT)
[   21.361501] Call trace:
[   21.361524]  show_stack+0x20/0x38 (C)
[   21.361571]  dump_stack_lvl+0x8c/0xd0
[   21.361617]  print_report+0x118/0x608
[   21.361660]  kasan_report+0xdc/0x128
[   21.361703]  __asan_report_load1_noabort+0x20/0x30
[   21.361765]  mempool_uaf_helper+0x314/0x340
[   21.361820]  mempool_slab_uaf+0xc0/0x118
[   21.361865]  kunit_try_run_case+0x170/0x3f0
[   21.361914]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.362381]  kthread+0x328/0x630
[   21.362450]  ret_from_fork+0x10/0x20
[   21.362540] 
[   21.362621] Allocated by task 231:
[   21.362648]  kasan_save_stack+0x3c/0x68
[   21.362829]  kasan_save_track+0x20/0x40
[   21.362994]  kasan_save_alloc_info+0x40/0x58
[   21.363089]  __kasan_mempool_unpoison_object+0xbc/0x180
[   21.363416]  remove_element+0x16c/0x1f8
[   21.363565]  mempool_alloc_preallocated+0x58/0xc0
[   21.363603]  mempool_uaf_helper+0xa4/0x340
[   21.363663]  mempool_slab_uaf+0xc0/0x118
[   21.363698]  kunit_try_run_case+0x170/0x3f0
[   21.363746]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.363804]  kthread+0x328/0x630
[   21.363837]  ret_from_fork+0x10/0x20
[   21.364165] 
[   21.364187] Freed by task 231:
[   21.364242]  kasan_save_stack+0x3c/0x68
[   21.364320]  kasan_save_track+0x20/0x40
[   21.364428]  kasan_save_free_info+0x4c/0x78
[   21.364469]  __kasan_mempool_poison_object+0xc0/0x150
[   21.364539]  mempool_free+0x28c/0x328
[   21.364609]  mempool_uaf_helper+0x104/0x340
[   21.364645]  mempool_slab_uaf+0xc0/0x118
[   21.364868]  kunit_try_run_case+0x170/0x3f0
[   21.364905]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.364987]  kthread+0x328/0x630
[   21.365069]  ret_from_fork+0x10/0x20
[   21.365159] 
[   21.365241] The buggy address belongs to the object at fff00000c571e240
[   21.365241]  which belongs to the cache test_cache of size 123
[   21.365324] The buggy address is located 0 bytes inside of
[   21.365324]  freed 123-byte region [fff00000c571e240, fff00000c571e2bb)
[   21.365545] 
[   21.365587] The buggy address belongs to the physical page:
[   21.365685] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10571e
[   21.365746] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.365793] page_type: f5(slab)
[   21.365831] raw: 0bfffe0000000000 fff00000c5cfe8c0 dead000000000122 0000000000000000
[   21.365880] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   21.365920] page dumped because: kasan: bad access detected
[   21.365951] 
[   21.366109] Memory state around the buggy address:
[   21.366144]  fff00000c571e100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   21.366608]  fff00000c571e180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.366666] >fff00000c571e200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   21.366704]                                            ^
[   21.366750]  fff00000c571e280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   21.366791]  fff00000c571e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.366840] ==================================================================
[   21.328679] ==================================================================
[   21.328771] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   21.328839] Read of size 1 at addr fff00000c5713200 by task kunit_try_catch/227
[   21.328888] 
[   21.328927] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   21.329010] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.329038] Hardware name: linux,dummy-virt (DT)
[   21.329069] Call trace:
[   21.329094]  show_stack+0x20/0x38 (C)
[   21.329145]  dump_stack_lvl+0x8c/0xd0
[   21.329193]  print_report+0x118/0x608
[   21.329240]  kasan_report+0xdc/0x128
[   21.329283]  __asan_report_load1_noabort+0x20/0x30
[   21.329333]  mempool_uaf_helper+0x314/0x340
[   21.329377]  mempool_kmalloc_uaf+0xc4/0x120
[   21.329423]  kunit_try_run_case+0x170/0x3f0
[   21.329469]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.329521]  kthread+0x328/0x630
[   21.329562]  ret_from_fork+0x10/0x20
[   21.329610] 
[   21.329629] Allocated by task 227:
[   21.329658]  kasan_save_stack+0x3c/0x68
[   21.329698]  kasan_save_track+0x20/0x40
[   21.329748]  kasan_save_alloc_info+0x40/0x58
[   21.329787]  __kasan_mempool_unpoison_object+0x11c/0x180
[   21.329830]  remove_element+0x130/0x1f8
[   21.329867]  mempool_alloc_preallocated+0x58/0xc0
[   21.329904]  mempool_uaf_helper+0xa4/0x340
[   21.329942]  mempool_kmalloc_uaf+0xc4/0x120
[   21.329977]  kunit_try_run_case+0x170/0x3f0
[   21.330015]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.330058]  kthread+0x328/0x630
[   21.330090]  ret_from_fork+0x10/0x20
[   21.330126] 
[   21.330144] Freed by task 227:
[   21.330169]  kasan_save_stack+0x3c/0x68
[   21.330207]  kasan_save_track+0x20/0x40
[   21.330243]  kasan_save_free_info+0x4c/0x78
[   21.330283]  __kasan_mempool_poison_object+0xc0/0x150
[   21.330326]  mempool_free+0x28c/0x328
[   21.330358]  mempool_uaf_helper+0x104/0x340
[   21.330395]  mempool_kmalloc_uaf+0xc4/0x120
[   21.330432]  kunit_try_run_case+0x170/0x3f0
[   21.330470]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.330512]  kthread+0x328/0x630
[   21.330543]  ret_from_fork+0x10/0x20
[   21.330579] 
[   21.330598] The buggy address belongs to the object at fff00000c5713200
[   21.330598]  which belongs to the cache kmalloc-128 of size 128
[   21.330659] The buggy address is located 0 bytes inside of
[   21.330659]  freed 128-byte region [fff00000c5713200, fff00000c5713280)
[   21.330729] 
[   21.330750] The buggy address belongs to the physical page:
[   21.330781] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105713
[   21.330836] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.330886] page_type: f5(slab)
[   21.330926] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   21.330977] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   21.331018] page dumped because: kasan: bad access detected
[   21.331050] 
[   21.331068] Memory state around the buggy address:
[   21.331101]  fff00000c5713100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.331144]  fff00000c5713180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.331187] >fff00000c5713200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.331225]                    ^
[   21.331253]  fff00000c5713280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.331295]  fff00000c5713300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.331332] ==================================================================

[   14.569958] ==================================================================
[   14.571346] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.572307] Read of size 1 at addr ffff888102b16240 by task kunit_try_catch/248
[   14.573022] 
[   14.573246] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.573304] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.573321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.573378] Call Trace:
[   14.573391]  <TASK>
[   14.573409]  dump_stack_lvl+0x73/0xb0
[   14.573444]  print_report+0xd1/0x650
[   14.573468]  ? __virt_addr_valid+0x1db/0x2d0
[   14.573494]  ? mempool_uaf_helper+0x392/0x400
[   14.573516]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.573544]  ? mempool_uaf_helper+0x392/0x400
[   14.573583]  kasan_report+0x141/0x180
[   14.573606]  ? mempool_uaf_helper+0x392/0x400
[   14.573633]  __asan_report_load1_noabort+0x18/0x20
[   14.573659]  mempool_uaf_helper+0x392/0x400
[   14.573683]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.573705]  ? update_load_avg+0x1be/0x21b0
[   14.573735]  ? finish_task_switch.isra.0+0x153/0x700
[   14.573764]  mempool_slab_uaf+0xea/0x140
[   14.573788]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   14.573815]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   14.573843]  ? __pfx_mempool_free_slab+0x10/0x10
[   14.573871]  ? __pfx_read_tsc+0x10/0x10
[   14.573893]  ? ktime_get_ts64+0x86/0x230
[   14.573920]  kunit_try_run_case+0x1a5/0x480
[   14.573947]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.573970]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.573996]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.574021]  ? __kthread_parkme+0x82/0x180
[   14.574055]  ? preempt_count_sub+0x50/0x80
[   14.574092]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.574117]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.574141]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.574166]  kthread+0x337/0x6f0
[   14.574185]  ? trace_preempt_on+0x20/0xc0
[   14.574209]  ? __pfx_kthread+0x10/0x10
[   14.574230]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.574251]  ? calculate_sigpending+0x7b/0xa0
[   14.574276]  ? __pfx_kthread+0x10/0x10
[   14.574297]  ret_from_fork+0x116/0x1d0
[   14.574316]  ? __pfx_kthread+0x10/0x10
[   14.574337]  ret_from_fork_asm+0x1a/0x30
[   14.574370]  </TASK>
[   14.574382] 
[   14.587255] Allocated by task 248:
[   14.587418]  kasan_save_stack+0x45/0x70
[   14.587565]  kasan_save_track+0x18/0x40
[   14.587912]  kasan_save_alloc_info+0x3b/0x50
[   14.588348]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   14.588894]  remove_element+0x11e/0x190
[   14.589331]  mempool_alloc_preallocated+0x4d/0x90
[   14.589784]  mempool_uaf_helper+0x96/0x400
[   14.590222]  mempool_slab_uaf+0xea/0x140
[   14.590363]  kunit_try_run_case+0x1a5/0x480
[   14.590513]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.590689]  kthread+0x337/0x6f0
[   14.590809]  ret_from_fork+0x116/0x1d0
[   14.590941]  ret_from_fork_asm+0x1a/0x30
[   14.591128] 
[   14.591282] Freed by task 248:
[   14.591564]  kasan_save_stack+0x45/0x70
[   14.591938]  kasan_save_track+0x18/0x40
[   14.592445]  kasan_save_free_info+0x3f/0x60
[   14.592880]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.593237]  mempool_free+0x2ec/0x380
[   14.593381]  mempool_uaf_helper+0x11a/0x400
[   14.593556]  mempool_slab_uaf+0xea/0x140
[   14.593903]  kunit_try_run_case+0x1a5/0x480
[   14.594346]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.594943]  kthread+0x337/0x6f0
[   14.595330]  ret_from_fork+0x116/0x1d0
[   14.595748]  ret_from_fork_asm+0x1a/0x30
[   14.595894] 
[   14.595969] The buggy address belongs to the object at ffff888102b16240
[   14.595969]  which belongs to the cache test_cache of size 123
[   14.596971] The buggy address is located 0 bytes inside of
[   14.596971]  freed 123-byte region [ffff888102b16240, ffff888102b162bb)
[   14.598056] 
[   14.598276] The buggy address belongs to the physical page:
[   14.598712] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b16
[   14.598961] flags: 0x200000000000000(node=0|zone=2)
[   14.599245] page_type: f5(slab)
[   14.599549] raw: 0200000000000000 ffff88810161cc80 dead000000000122 0000000000000000
[   14.600297] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   14.601172] page dumped because: kasan: bad access detected
[   14.601689] 
[   14.601845] Memory state around the buggy address:
[   14.602252]  ffff888102b16100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.602913]  ffff888102b16180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.603305] >ffff888102b16200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   14.603916]                                            ^
[   14.604469]  ffff888102b16280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.604889]  ffff888102b16300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.605277] ==================================================================
[   14.502136] ==================================================================
[   14.503358] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.504241] Read of size 1 at addr ffff888102af6a00 by task kunit_try_catch/244
[   14.505271] 
[   14.505417] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.505473] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.505487] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.505522] Call Trace:
[   14.505538]  <TASK>
[   14.505562]  dump_stack_lvl+0x73/0xb0
[   14.505595]  print_report+0xd1/0x650
[   14.505619]  ? __virt_addr_valid+0x1db/0x2d0
[   14.505644]  ? mempool_uaf_helper+0x392/0x400
[   14.505668]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.505697]  ? mempool_uaf_helper+0x392/0x400
[   14.505720]  kasan_report+0x141/0x180
[   14.505742]  ? mempool_uaf_helper+0x392/0x400
[   14.505771]  __asan_report_load1_noabort+0x18/0x20
[   14.505796]  mempool_uaf_helper+0x392/0x400
[   14.505820]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.505846]  ? __kasan_check_write+0x18/0x20
[   14.505867]  ? __pfx_sched_clock_cpu+0x10/0x10
[   14.505890]  ? finish_task_switch.isra.0+0x153/0x700
[   14.505916]  mempool_kmalloc_uaf+0xef/0x140
[   14.505939]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   14.505966]  ? __pfx_mempool_kmalloc+0x10/0x10
[   14.505991]  ? __pfx_mempool_kfree+0x10/0x10
[   14.506016]  ? __pfx_read_tsc+0x10/0x10
[   14.506037]  ? ktime_get_ts64+0x86/0x230
[   14.506074]  kunit_try_run_case+0x1a5/0x480
[   14.506099]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.506122]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.506148]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.506172]  ? __kthread_parkme+0x82/0x180
[   14.506193]  ? preempt_count_sub+0x50/0x80
[   14.506216]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.506241]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.506266]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.506292]  kthread+0x337/0x6f0
[   14.506311]  ? trace_preempt_on+0x20/0xc0
[   14.506335]  ? __pfx_kthread+0x10/0x10
[   14.506356]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.506391]  ? calculate_sigpending+0x7b/0xa0
[   14.506417]  ? __pfx_kthread+0x10/0x10
[   14.506439]  ret_from_fork+0x116/0x1d0
[   14.506457]  ? __pfx_kthread+0x10/0x10
[   14.506478]  ret_from_fork_asm+0x1a/0x30
[   14.506510]  </TASK>
[   14.506522] 
[   14.518329] Allocated by task 244:
[   14.518527]  kasan_save_stack+0x45/0x70
[   14.518698]  kasan_save_track+0x18/0x40
[   14.518835]  kasan_save_alloc_info+0x3b/0x50
[   14.519058]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   14.519380]  remove_element+0x11e/0x190
[   14.519662]  mempool_alloc_preallocated+0x4d/0x90
[   14.519827]  mempool_uaf_helper+0x96/0x400
[   14.520007]  mempool_kmalloc_uaf+0xef/0x140
[   14.520333]  kunit_try_run_case+0x1a5/0x480
[   14.520542]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.520898]  kthread+0x337/0x6f0
[   14.521163]  ret_from_fork+0x116/0x1d0
[   14.521344]  ret_from_fork_asm+0x1a/0x30
[   14.521564] 
[   14.521661] Freed by task 244:
[   14.521795]  kasan_save_stack+0x45/0x70
[   14.521931]  kasan_save_track+0x18/0x40
[   14.522079]  kasan_save_free_info+0x3f/0x60
[   14.522430]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.522671]  mempool_free+0x2ec/0x380
[   14.522985]  mempool_uaf_helper+0x11a/0x400
[   14.523363]  mempool_kmalloc_uaf+0xef/0x140
[   14.523589]  kunit_try_run_case+0x1a5/0x480
[   14.523785]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.524012]  kthread+0x337/0x6f0
[   14.524332]  ret_from_fork+0x116/0x1d0
[   14.524476]  ret_from_fork_asm+0x1a/0x30
[   14.524636] 
[   14.524734] The buggy address belongs to the object at ffff888102af6a00
[   14.524734]  which belongs to the cache kmalloc-128 of size 128
[   14.525331] The buggy address is located 0 bytes inside of
[   14.525331]  freed 128-byte region [ffff888102af6a00, ffff888102af6a80)
[   14.525851] 
[   14.525929] The buggy address belongs to the physical page:
[   14.526114] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102af6
[   14.526591] flags: 0x200000000000000(node=0|zone=2)
[   14.526831] page_type: f5(slab)
[   14.527002] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.527314] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.527663] page dumped because: kasan: bad access detected
[   14.527840] 
[   14.527909] Memory state around the buggy address:
[   14.528099]  ffff888102af6900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.528417]  ffff888102af6980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.528765] >ffff888102af6a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.529136]                    ^
[   14.529253]  ffff888102af6a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.529786]  ffff888102af6b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   14.530213] ==================================================================