Hay
Date
July 10, 2025, 6:10 p.m.

Environment
qemu-arm64
qemu-x86_64

[   18.895868] ==================================================================
[   18.896513] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.896666] Read of size 1 at addr fff00000c5a53240 by task kunit_try_catch/231
[   18.896806] 
[   18.896954] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.897254] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.897282] Hardware name: linux,dummy-virt (DT)
[   18.897313] Call trace:
[   18.897335]  show_stack+0x20/0x38 (C)
[   18.897397]  dump_stack_lvl+0x8c/0xd0
[   18.897445]  print_report+0x118/0x608
[   18.898122]  kasan_report+0xdc/0x128
[   18.898310]  __asan_report_load1_noabort+0x20/0x30
[   18.898404]  mempool_uaf_helper+0x314/0x340
[   18.898479]  mempool_slab_uaf+0xc0/0x118
[   18.898527]  kunit_try_run_case+0x170/0x3f0
[   18.898577]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.898654]  kthread+0x328/0x630
[   18.899028]  ret_from_fork+0x10/0x20
[   18.899153] 
[   18.899172] Allocated by task 231:
[   18.899209]  kasan_save_stack+0x3c/0x68
[   18.899311]  kasan_save_track+0x20/0x40
[   18.899359]  kasan_save_alloc_info+0x40/0x58
[   18.899400]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.899448]  remove_element+0x16c/0x1f8
[   18.899486]  mempool_alloc_preallocated+0x58/0xc0
[   18.899763]  mempool_uaf_helper+0xa4/0x340
[   18.899809]  mempool_slab_uaf+0xc0/0x118
[   18.899847]  kunit_try_run_case+0x170/0x3f0
[   18.899897]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.899943]  kthread+0x328/0x630
[   18.900131]  ret_from_fork+0x10/0x20
[   18.900324] 
[   18.900356] Freed by task 231:
[   18.900586]  kasan_save_stack+0x3c/0x68
[   18.900641]  kasan_save_track+0x20/0x40
[   18.900767]  kasan_save_free_info+0x4c/0x78
[   18.900808]  __kasan_mempool_poison_object+0xc0/0x150
[   18.900852]  mempool_free+0x28c/0x328
[   18.900904]  mempool_uaf_helper+0x104/0x340
[   18.901033]  mempool_slab_uaf+0xc0/0x118
[   18.901071]  kunit_try_run_case+0x170/0x3f0
[   18.901108]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.901153]  kthread+0x328/0x630
[   18.901191]  ret_from_fork+0x10/0x20
[   18.901374] 
[   18.901394] The buggy address belongs to the object at fff00000c5a53240
[   18.901394]  which belongs to the cache test_cache of size 123
[   18.901458] The buggy address is located 0 bytes inside of
[   18.901458]  freed 123-byte region [fff00000c5a53240, fff00000c5a532bb)
[   18.901545] 
[   18.901658] The buggy address belongs to the physical page:
[   18.901792] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a53
[   18.901846] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.901897] page_type: f5(slab)
[   18.901943] raw: 0bfffe0000000000 fff00000c3e02b40 dead000000000122 0000000000000000
[   18.901993] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   18.902068] page dumped because: kasan: bad access detected
[   18.902101] 
[   18.902118] Memory state around the buggy address:
[   18.902151]  fff00000c5a53100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.902225]  fff00000c5a53180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.902268] >fff00000c5a53200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.902775]                                            ^
[   18.902817]  fff00000c5a53280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.902861]  fff00000c5a53300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.902903] ==================================================================
[   18.858542] ==================================================================
[   18.858619] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.858830] Read of size 1 at addr fff00000c401ef00 by task kunit_try_catch/227
[   18.859016] 
[   18.859057] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.859144] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.859518] Hardware name: linux,dummy-virt (DT)
[   18.859646] Call trace:
[   18.859672]  show_stack+0x20/0x38 (C)
[   18.859728]  dump_stack_lvl+0x8c/0xd0
[   18.859781]  print_report+0x118/0x608
[   18.859828]  kasan_report+0xdc/0x128
[   18.859873]  __asan_report_load1_noabort+0x20/0x30
[   18.859926]  mempool_uaf_helper+0x314/0x340
[   18.859974]  mempool_kmalloc_uaf+0xc4/0x120
[   18.860022]  kunit_try_run_case+0x170/0x3f0
[   18.860072]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.860125]  kthread+0x328/0x630
[   18.860169]  ret_from_fork+0x10/0x20
[   18.860221] 
[   18.860239] Allocated by task 227:
[   18.860276]  kasan_save_stack+0x3c/0x68
[   18.860584]  kasan_save_track+0x20/0x40
[   18.860680]  kasan_save_alloc_info+0x40/0x58
[   18.860720]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.860765]  remove_element+0x130/0x1f8
[   18.861182]  mempool_alloc_preallocated+0x58/0xc0
[   18.861544]  mempool_uaf_helper+0xa4/0x340
[   18.861587]  mempool_kmalloc_uaf+0xc4/0x120
[   18.861624]  kunit_try_run_case+0x170/0x3f0
[   18.861670]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.861836]  kthread+0x328/0x630
[   18.862269]  ret_from_fork+0x10/0x20
[   18.862375] 
[   18.862453] Freed by task 227:
[   18.862481]  kasan_save_stack+0x3c/0x68
[   18.862598]  kasan_save_track+0x20/0x40
[   18.862636]  kasan_save_free_info+0x4c/0x78
[   18.862698]  __kasan_mempool_poison_object+0xc0/0x150
[   18.862743]  mempool_free+0x28c/0x328
[   18.862779]  mempool_uaf_helper+0x104/0x340
[   18.862846]  mempool_kmalloc_uaf+0xc4/0x120
[   18.863059]  kunit_try_run_case+0x170/0x3f0
[   18.863106]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.863151]  kthread+0x328/0x630
[   18.863261]  ret_from_fork+0x10/0x20
[   18.863401] 
[   18.863425] The buggy address belongs to the object at fff00000c401ef00
[   18.863425]  which belongs to the cache kmalloc-128 of size 128
[   18.863496] The buggy address is located 0 bytes inside of
[   18.863496]  freed 128-byte region [fff00000c401ef00, fff00000c401ef80)
[   18.863588] 
[   18.863609] The buggy address belongs to the physical page:
[   18.863696] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10401e
[   18.863807] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.863861] page_type: f5(slab)
[   18.864077] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.864355] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   18.864582] page dumped because: kasan: bad access detected
[   18.864687] 
[   18.864705] Memory state around the buggy address:
[   18.864797]  fff00000c401ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.864885]  fff00000c401ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.864995] >fff00000c401ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.865081]                    ^
[   18.865349]  fff00000c401ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.865472]  fff00000c401f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.865571] ==================================================================

[   14.049441] ==================================================================
[   14.051314] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   14.052397] Read of size 1 at addr ffff8881027af240 by task kunit_try_catch/248
[   14.052629] 
[   14.052722] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.052768] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.052780] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.052885] Call Trace:
[   14.052900]  <TASK>
[   14.052936]  dump_stack_lvl+0x73/0xb0
[   14.052971]  print_report+0xd1/0x650
[   14.052994]  ? __virt_addr_valid+0x1db/0x2d0
[   14.053019]  ? mempool_uaf_helper+0x392/0x400
[   14.053051]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.053075]  ? mempool_uaf_helper+0x392/0x400
[   14.053097]  kasan_report+0x141/0x180
[   14.053119]  ? mempool_uaf_helper+0x392/0x400
[   14.053146]  __asan_report_load1_noabort+0x18/0x20
[   14.053171]  mempool_uaf_helper+0x392/0x400
[   14.053194]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   14.053217]  ? update_load_avg+0x1be/0x21b0
[   14.053245]  ? finish_task_switch.isra.0+0x153/0x700
[   14.053271]  mempool_slab_uaf+0xea/0x140
[   14.053305]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   14.053331]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   14.053357]  ? __pfx_mempool_free_slab+0x10/0x10
[   14.053395]  ? __pfx_read_tsc+0x10/0x10
[   14.053416]  ? ktime_get_ts64+0x86/0x230
[   14.053442]  kunit_try_run_case+0x1a5/0x480
[   14.053468]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.053491]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.053517]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.053540]  ? __kthread_parkme+0x82/0x180
[   14.053562]  ? preempt_count_sub+0x50/0x80
[   14.053584]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.053608]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.053633]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.053658]  kthread+0x337/0x6f0
[   14.053677]  ? trace_preempt_on+0x20/0xc0
[   14.053700]  ? __pfx_kthread+0x10/0x10
[   14.053721]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.053742]  ? calculate_sigpending+0x7b/0xa0
[   14.053766]  ? __pfx_kthread+0x10/0x10
[   14.053787]  ret_from_fork+0x116/0x1d0
[   14.053867]  ? __pfx_kthread+0x10/0x10
[   14.053888]  ret_from_fork_asm+0x1a/0x30
[   14.053937]  </TASK>
[   14.053949] 
[   14.068037] Allocated by task 248:
[   14.068376]  kasan_save_stack+0x45/0x70
[   14.068751]  kasan_save_track+0x18/0x40
[   14.069207]  kasan_save_alloc_info+0x3b/0x50
[   14.069607]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   14.070177]  remove_element+0x11e/0x190
[   14.070563]  mempool_alloc_preallocated+0x4d/0x90
[   14.070963]  mempool_uaf_helper+0x96/0x400
[   14.071343]  mempool_slab_uaf+0xea/0x140
[   14.071488]  kunit_try_run_case+0x1a5/0x480
[   14.071636]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.071924]  kthread+0x337/0x6f0
[   14.072280]  ret_from_fork+0x116/0x1d0
[   14.072653]  ret_from_fork_asm+0x1a/0x30
[   14.073149] 
[   14.073322] Freed by task 248:
[   14.073631]  kasan_save_stack+0x45/0x70
[   14.074132]  kasan_save_track+0x18/0x40
[   14.074537]  kasan_save_free_info+0x3f/0x60
[   14.075054]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.075238]  mempool_free+0x2ec/0x380
[   14.075624]  mempool_uaf_helper+0x11a/0x400
[   14.076101]  mempool_slab_uaf+0xea/0x140
[   14.076281]  kunit_try_run_case+0x1a5/0x480
[   14.076696]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.077230]  kthread+0x337/0x6f0
[   14.077356]  ret_from_fork+0x116/0x1d0
[   14.077489]  ret_from_fork_asm+0x1a/0x30
[   14.077628] 
[   14.077700] The buggy address belongs to the object at ffff8881027af240
[   14.077700]  which belongs to the cache test_cache of size 123
[   14.078078] The buggy address is located 0 bytes inside of
[   14.078078]  freed 123-byte region [ffff8881027af240, ffff8881027af2bb)
[   14.078641] 
[   14.078745] The buggy address belongs to the physical page:
[   14.079167] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027af
[   14.079492] flags: 0x200000000000000(node=0|zone=2)
[   14.079755] page_type: f5(slab)
[   14.080063] raw: 0200000000000000 ffff8881027a4500 dead000000000122 0000000000000000
[   14.080387] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   14.080725] page dumped because: kasan: bad access detected
[   14.081049] 
[   14.081122] Memory state around the buggy address:
[   14.081345]  ffff8881027af100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.081685]  ffff8881027af180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.082054] >ffff8881027af200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   14.082388]                                            ^
[   14.082604]  ffff8881027af280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.083154]  ffff8881027af300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.083438] ==================================================================
[   13.990352] ==================================================================
[   13.991552] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.992553] Read of size 1 at addr ffff888102b0cd00 by task kunit_try_catch/244
[   13.993153] 
[   13.993247] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.993294] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.993306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.993327] Call Trace:
[   13.993341]  <TASK>
[   13.993358]  dump_stack_lvl+0x73/0xb0
[   13.993390]  print_report+0xd1/0x650
[   13.993413]  ? __virt_addr_valid+0x1db/0x2d0
[   13.993437]  ? mempool_uaf_helper+0x392/0x400
[   13.993459]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.993483]  ? mempool_uaf_helper+0x392/0x400
[   13.993506]  kasan_report+0x141/0x180
[   13.993528]  ? mempool_uaf_helper+0x392/0x400
[   13.993554]  __asan_report_load1_noabort+0x18/0x20
[   13.993580]  mempool_uaf_helper+0x392/0x400
[   13.993603]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.993628]  ? __kasan_check_write+0x18/0x20
[   13.993648]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.993671]  ? finish_task_switch.isra.0+0x153/0x700
[   13.993699]  mempool_kmalloc_uaf+0xef/0x140
[   13.993721]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   13.993747]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.993772]  ? __pfx_mempool_kfree+0x10/0x10
[   13.993806]  ? __pfx_read_tsc+0x10/0x10
[   13.993829]  ? ktime_get_ts64+0x86/0x230
[   13.993854]  kunit_try_run_case+0x1a5/0x480
[   13.993880]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.993903]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.993929]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.993955]  ? __kthread_parkme+0x82/0x180
[   13.993977]  ? preempt_count_sub+0x50/0x80
[   13.994000]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.994024]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.994059]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.994085]  kthread+0x337/0x6f0
[   13.994103]  ? trace_preempt_on+0x20/0xc0
[   13.994127]  ? __pfx_kthread+0x10/0x10
[   13.994148]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.994171]  ? calculate_sigpending+0x7b/0xa0
[   13.994196]  ? __pfx_kthread+0x10/0x10
[   13.994218]  ret_from_fork+0x116/0x1d0
[   13.994238]  ? __pfx_kthread+0x10/0x10
[   13.994258]  ret_from_fork_asm+0x1a/0x30
[   13.994291]  </TASK>
[   13.994301] 
[   14.002891] Allocated by task 244:
[   14.003074]  kasan_save_stack+0x45/0x70
[   14.003234]  kasan_save_track+0x18/0x40
[   14.003427]  kasan_save_alloc_info+0x3b/0x50
[   14.003637]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   14.003817]  remove_element+0x11e/0x190
[   14.003962]  mempool_alloc_preallocated+0x4d/0x90
[   14.004129]  mempool_uaf_helper+0x96/0x400
[   14.004308]  mempool_kmalloc_uaf+0xef/0x140
[   14.004509]  kunit_try_run_case+0x1a5/0x480
[   14.004712]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.004960]  kthread+0x337/0x6f0
[   14.005201]  ret_from_fork+0x116/0x1d0
[   14.005340]  ret_from_fork_asm+0x1a/0x30
[   14.005479] 
[   14.005548] Freed by task 244:
[   14.005706]  kasan_save_stack+0x45/0x70
[   14.005979]  kasan_save_track+0x18/0x40
[   14.006186]  kasan_save_free_info+0x3f/0x60
[   14.006394]  __kasan_mempool_poison_object+0x131/0x1d0
[   14.006638]  mempool_free+0x2ec/0x380
[   14.006882]  mempool_uaf_helper+0x11a/0x400
[   14.007079]  mempool_kmalloc_uaf+0xef/0x140
[   14.007288]  kunit_try_run_case+0x1a5/0x480
[   14.007466]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.007651]  kthread+0x337/0x6f0
[   14.007772]  ret_from_fork+0x116/0x1d0
[   14.008136]  ret_from_fork_asm+0x1a/0x30
[   14.008339] 
[   14.008433] The buggy address belongs to the object at ffff888102b0cd00
[   14.008433]  which belongs to the cache kmalloc-128 of size 128
[   14.009053] The buggy address is located 0 bytes inside of
[   14.009053]  freed 128-byte region [ffff888102b0cd00, ffff888102b0cd80)
[   14.009571] 
[   14.009649] The buggy address belongs to the physical page:
[   14.009822] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b0c
[   14.010187] flags: 0x200000000000000(node=0|zone=2)
[   14.010420] page_type: f5(slab)
[   14.010582] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.010897] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.011265] page dumped because: kasan: bad access detected
[   14.011498] 
[   14.011589] Memory state around the buggy address:
[   14.011850]  ffff888102b0cc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.012141]  ffff888102b0cc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.012461] >ffff888102b0cd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.012696]                    ^
[   14.012874]  ffff888102b0cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.013164]  ffff888102b0ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   14.013480] ==================================================================
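The four reports above are the expected output of the KASAN KUnit cases mempool_slab_uaf and mempool_kmalloc_uaf: each one names the access site (mempool_uaf_helper), the allocation and free stacks behind KASAN's own kasan_save_*/__kasan_* bookkeeping frames, the slab object the address belongs to, and the shadow bytes under the caret (fa/fb for a freed object, fc for slab redzone, 00 for accessible, 01-07 for a partially accessible granule). Reading that by hand across dozens of reports is error-prone, so the following Python is an added triage helper, not part of this page, of the kernel tree or of the KUnit tests: it parses the 6.x report layout shown here and decodes the generic-mode shadow byte that covers the faulting address. It assumes generic KASAN with 8-byte granules and 16-byte dump rows, which is what the __asan_report_load1_noabort frame and the fa/fb/fc rows above indicate; under the sw_tags or hw_tags modes the "Memory state" dump holds tags instead and this decoding does not apply. The sample input is the first arm64 report on this page, trimmed to the lines the parser needs.

```python
"""Triage helper for Linux KASAN reports: an added example, not kernel code and not part of the
KUnit tests shown above. Parses the 6.x mm/kasan/report.c layout; shadow values per mm/kasan/kasan.h."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KASAN_GRANULE = 8  # one shadow byte describes an 8-byte granule of memory
SHADOW_MEANING = {0x00: "accessible", 0xfa: "freed slab object (first granule, free meta)",
                  0xfb: "freed slab object", 0xfc: "slab redzone", 0xfe: "page redzone"}

def shadow_meaning(b: Optional[int]) -> str:
    if b is None:
        return "no shadow row covers the address"
    if 1 <= b <= 7:
        return f"partially accessible ({b} of {KASAN_GRANULE} bytes)"
    return SHADOW_MEANING.get(b, f"unknown shadow value 0x{b:02x}")

@dataclass
class KasanReport:
    bug_type: str
    pc_symbol: str          # func+off/len where the bad access happened
    access: str             # "Read" or "Write"
    size: int
    addr: int
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    cache: str = ""
    object_size: int = 0
    region: Optional[Tuple[int, int]] = None                    # [start, end) of the object
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # dump row base -> 16 bytes

    @property
    def shadow_byte(self) -> Optional[int]:
        for base, row in self.shadow.items():
            if base <= self.addr < base + len(row) * KASAN_GRANULE:
                return row[(self.addr - base) // KASAN_GRANULE]
        return None

    def offset_in_object(self) -> Optional[int]:
        inside = self.region and self.region[0] <= self.addr < self.region[1]
        return self.addr - self.region[0] if inside else None

def culprit(stack: List[str]) -> Optional[str]:
    # First frame that is not KASAN's own bookkeeping: the real alloc/free site.
    return next((f for f in stack if not f.startswith(("kasan_", "__kasan_"))), None)

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                              # printk timestamp
_ROW = re.compile(r"\s?>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")  # shadow dump row

def parse_kasan_report(text: str) -> KasanReport:
    lines = [_TS.sub("", ln).rstrip() for ln in text.splitlines()]
    m = re.match(r"BUG: KASAN: (\S+) in (\S+)",
                 next(ln for ln in lines if ln.startswith("BUG: KASAN:")))
    a = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+",
                 next(ln for ln in lines if re.match(r"(Read|Write) of size", ln)))
    rep = KasanReport(m.group(1), m.group(2), a.group(1), int(a.group(2)), int(a.group(3), 16))
    stack = None  # the list that following indented frame lines belong to
    for ln in lines:
        if ln.startswith("Allocated by task"):
            stack = rep.alloc_stack
        elif ln.startswith("Freed by task"):
            stack = rep.free_stack
        elif ln.startswith("The buggy address"):
            stack = None
        elif stack is not None and ln.startswith(" ") and not ln.lstrip().startswith("?"):
            stack.append(ln.split()[0])  # keep "func+off/len", drop trailing "(C)" etc.
        elif (c := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", ln)):
            rep.cache, rep.object_size = c.group(1), int(c.group(2))
        elif (r := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", ln)):
            rep.region = (int(r.group(1), 16), int(r.group(2), 16))
        elif (s := _ROW.match(ln)):
            rep.shadow[int(s.group(1), 16)] = [int(b, 16) for b in s.group(2).split()]
    return rep

# Sample input: the first report on this page (arm64, mempool_slab_uaf), trimmed.
SAMPLE = """\
[   18.896513] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.896666] Read of size 1 at addr fff00000c5a53240 by task kunit_try_catch/231
[   18.899172] Allocated by task 231:
[   18.899209]  kasan_save_stack+0x3c/0x68
[   18.899400]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.899448]  remove_element+0x16c/0x1f8
[   18.900356] Freed by task 231:
[   18.900586]  kasan_save_stack+0x3c/0x68
[   18.900808]  __kasan_mempool_poison_object+0xc0/0x150
[   18.900852]  mempool_free+0x28c/0x328
[   18.901394] The buggy address belongs to the object at fff00000c5a53240
[   18.901394]  which belongs to the cache test_cache of size 123
[   18.901458]  freed 123-byte region [fff00000c5a53240, fff00000c5a532bb)
[   18.902118] Memory state around the buggy address:
[   18.902225]  fff00000c5a53180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.902268] >fff00000c5a53200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.902775]                                            ^
"""

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE)
    print(rep.bug_type, rep.pc_symbol, f"allocated via {culprit(rep.alloc_stack)}",
          f"freed via {culprit(rep.free_stack)}", shadow_meaning(rep.shadow_byte), sep="\n")
```

Run it directly to print the triage summary for the embedded sample. parse_kasan_report expects a single report, so for a real dmesg split the text on the `====` separator lines first and feed each block separately; the x86_64 reports above parse the same way, since the "? " frames that x86 unwinders print as unreliable are skipped and the allocation and free stacks carry no such frames. The shadow lookup is the check worth keeping: the byte it returns (0xfa here, the first granule of a freed slab object) must agree with the "slab-use-after-free" bug type and with the address lying inside the freed region, otherwise the report was truncated or stitched together from two runs.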