Date
July 16, 2025, 3:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.538049] ================================================================== [ 18.538110] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.538162] Read of size 1 at addr fff00000c5975240 by task kunit_try_catch/231 [ 18.538212] [ 18.538243] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.538325] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.538352] Hardware name: linux,dummy-virt (DT) [ 18.538400] Call trace: [ 18.538483] show_stack+0x20/0x38 (C) [ 18.538560] dump_stack_lvl+0x8c/0xd0 [ 18.538641] print_report+0x118/0x5d0 [ 18.538695] kasan_report+0xdc/0x128 [ 18.538750] __asan_report_load1_noabort+0x20/0x30 [ 18.539062] mempool_uaf_helper+0x314/0x340 [ 18.539107] mempool_slab_uaf+0xc0/0x118 [ 18.539152] kunit_try_run_case+0x170/0x3f0 [ 18.539209] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.539262] kthread+0x328/0x630 [ 18.539324] ret_from_fork+0x10/0x20 [ 18.539388] [ 18.539405] Allocated by task 231: [ 18.539434] kasan_save_stack+0x3c/0x68 [ 18.539473] kasan_save_track+0x20/0x40 [ 18.539509] kasan_save_alloc_info+0x40/0x58 [ 18.539550] __kasan_mempool_unpoison_object+0xbc/0x180 [ 18.539593] remove_element+0x16c/0x1f8 [ 18.539629] mempool_alloc_preallocated+0x58/0xc0 [ 18.539669] mempool_uaf_helper+0xa4/0x340 [ 18.539706] mempool_slab_uaf+0xc0/0x118 [ 18.539753] kunit_try_run_case+0x170/0x3f0 [ 18.539791] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.539835] kthread+0x328/0x630 [ 18.539866] ret_from_fork+0x10/0x20 [ 18.539902] [ 18.539921] Freed by task 231: [ 18.540017] kasan_save_stack+0x3c/0x68 [ 18.540146] kasan_save_track+0x20/0x40 [ 18.540201] kasan_save_free_info+0x4c/0x78 [ 18.540241] __kasan_mempool_poison_object+0xc0/0x150 [ 18.540528] mempool_free+0x28c/0x328 [ 18.540687] mempool_uaf_helper+0x104/0x340 [ 18.540798] mempool_slab_uaf+0xc0/0x118 [ 18.540884] kunit_try_run_case+0x170/0x3f0 [ 18.540937] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.540982] kthread+0x328/0x630 [ 18.541014] ret_from_fork+0x10/0x20 [ 18.541051] [ 18.541071] The buggy address belongs to the object at fff00000c5975240 [ 18.541071] which belongs to the cache test_cache of size 123 [ 18.541131] The buggy address is located 0 bytes inside of [ 18.541131] freed 123-byte region [fff00000c5975240, fff00000c59752bb) [ 18.541194] [ 18.541219] The buggy address belongs to the physical page: [ 18.541253] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105975 [ 18.541311] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.541360] page_type: f5(slab) [ 18.541405] raw: 0bfffe0000000000 fff00000c6ae2000 dead000000000122 0000000000000000 [ 18.541457] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 18.541498] page dumped because: kasan: bad access detected [ 18.541540] [ 18.541557] Memory state around the buggy address: [ 18.541596] fff00000c5975100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.541639] fff00000c5975180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.541681] >fff00000c5975200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 18.541730] ^ [ 18.541764] fff00000c5975280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.541807] fff00000c5975300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.541845] ================================================================== [ 18.514486] ================================================================== [ 18.514552] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.514618] Read of size 1 at addr fff00000c5967300 by task kunit_try_catch/227 [ 18.514694] [ 18.514745] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.514835] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.514861] Hardware name: linux,dummy-virt (DT) [ 18.514893] Call trace: [ 18.514917] show_stack+0x20/0x38 (C) [ 18.514969] dump_stack_lvl+0x8c/0xd0 [ 18.515018] print_report+0x118/0x5d0 [ 18.515066] kasan_report+0xdc/0x128 [ 18.515111] __asan_report_load1_noabort+0x20/0x30 [ 18.515161] mempool_uaf_helper+0x314/0x340 [ 18.515207] mempool_kmalloc_uaf+0xc4/0x120 [ 18.515281] kunit_try_run_case+0x170/0x3f0 [ 18.515333] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.515386] kthread+0x328/0x630 [ 18.515428] ret_from_fork+0x10/0x20 [ 18.515510] [ 18.515572] Allocated by task 227: [ 18.515622] kasan_save_stack+0x3c/0x68 [ 18.515761] kasan_save_track+0x20/0x40 [ 18.515815] kasan_save_alloc_info+0x40/0x58 [ 18.515875] __kasan_mempool_unpoison_object+0x11c/0x180 [ 18.516048] remove_element+0x130/0x1f8 [ 18.516158] mempool_alloc_preallocated+0x58/0xc0 [ 18.516315] mempool_uaf_helper+0xa4/0x340 [ 18.516384] mempool_kmalloc_uaf+0xc4/0x120 [ 18.516421] kunit_try_run_case+0x170/0x3f0 [ 18.516461] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.516505] kthread+0x328/0x630 [ 18.516536] ret_from_fork+0x10/0x20 [ 18.516573] [ 18.516593] Freed by task 227: [ 18.516620] kasan_save_stack+0x3c/0x68 [ 18.516657] kasan_save_track+0x20/0x40 [ 18.516693] kasan_save_free_info+0x4c/0x78 [ 18.516785] __kasan_mempool_poison_object+0xc0/0x150 [ 18.516829] mempool_free+0x28c/0x328 [ 18.516886] mempool_uaf_helper+0x104/0x340 [ 18.516928] mempool_kmalloc_uaf+0xc4/0x120 [ 18.516966] kunit_try_run_case+0x170/0x3f0 [ 18.517049] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.517135] kthread+0x328/0x630 [ 18.517242] ret_from_fork+0x10/0x20 [ 18.517331] [ 18.517372] The buggy address belongs to the object at fff00000c5967300 [ 18.517372] which belongs to the cache kmalloc-128 of size 128 [ 18.517482] The buggy address is located 0 bytes inside of [ 18.517482] freed 128-byte region [fff00000c5967300, fff00000c5967380) [ 18.517644] [ 18.517681] The buggy address belongs to the physical page: [ 18.517733] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105967 [ 18.517817] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.517885] page_type: f5(slab) [ 18.517926] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.518061] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.518115] page dumped because: kasan: bad access detected [ 18.518149] [ 18.518166] Memory state around the buggy address: [ 18.518198] fff00000c5967200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.518241] fff00000c5967280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.518284] >fff00000c5967300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.518324] ^ [ 18.518350] fff00000c5967380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.518394] fff00000c5967400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 18.518433] ==================================================================
[ 14.168807] ================================================================== [ 14.169431] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.169775] Read of size 1 at addr ffff888103082240 by task kunit_try_catch/248 [ 14.170089] [ 14.170274] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.170327] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.170339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.170363] Call Trace: [ 14.170375] <TASK> [ 14.170394] dump_stack_lvl+0x73/0xb0 [ 14.170427] print_report+0xd1/0x610 [ 14.170452] ? __virt_addr_valid+0x1db/0x2d0 [ 14.170479] ? mempool_uaf_helper+0x392/0x400 [ 14.170502] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.170526] ? mempool_uaf_helper+0x392/0x400 [ 14.170550] kasan_report+0x141/0x180 [ 14.170572] ? mempool_uaf_helper+0x392/0x400 [ 14.170600] __asan_report_load1_noabort+0x18/0x20 [ 14.170627] mempool_uaf_helper+0x392/0x400 [ 14.170650] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.170678] ? finish_task_switch.isra.0+0x153/0x700 [ 14.170709] mempool_slab_uaf+0xea/0x140 [ 14.170733] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 14.170773] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 14.170802] ? __pfx_mempool_free_slab+0x10/0x10 [ 14.170829] ? __pfx_read_tsc+0x10/0x10 [ 14.170853] ? ktime_get_ts64+0x86/0x230 [ 14.170880] kunit_try_run_case+0x1a5/0x480 [ 14.170908] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.170933] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.170962] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.171005] ? __kthread_parkme+0x82/0x180 [ 14.171028] ? preempt_count_sub+0x50/0x80 [ 14.171053] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.171079] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.171105] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.171132] kthread+0x337/0x6f0 [ 14.171153] ? trace_preempt_on+0x20/0xc0 [ 14.171184] ? __pfx_kthread+0x10/0x10 [ 14.171206] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.171229] ? calculate_sigpending+0x7b/0xa0 [ 14.171255] ? __pfx_kthread+0x10/0x10 [ 14.171276] ret_from_fork+0x116/0x1d0 [ 14.171297] ? __pfx_kthread+0x10/0x10 [ 14.171318] ret_from_fork_asm+0x1a/0x30 [ 14.171352] </TASK> [ 14.171363] [ 14.183293] Allocated by task 248: [ 14.183714] kasan_save_stack+0x45/0x70 [ 14.184048] kasan_save_track+0x18/0x40 [ 14.184241] kasan_save_alloc_info+0x3b/0x50 [ 14.184659] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 14.184901] remove_element+0x11e/0x190 [ 14.185512] mempool_alloc_preallocated+0x4d/0x90 [ 14.185831] mempool_uaf_helper+0x96/0x400 [ 14.186343] mempool_slab_uaf+0xea/0x140 [ 14.186619] kunit_try_run_case+0x1a5/0x480 [ 14.186837] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.187449] kthread+0x337/0x6f0 [ 14.187613] ret_from_fork+0x116/0x1d0 [ 14.187798] ret_from_fork_asm+0x1a/0x30 [ 14.188178] [ 14.188286] Freed by task 248: [ 14.188645] kasan_save_stack+0x45/0x70 [ 14.188820] kasan_save_track+0x18/0x40 [ 14.189097] kasan_save_free_info+0x3f/0x60 [ 14.189302] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.189894] mempool_free+0x2ec/0x380 [ 14.190357] mempool_uaf_helper+0x11a/0x400 [ 14.190682] mempool_slab_uaf+0xea/0x140 [ 14.190895] kunit_try_run_case+0x1a5/0x480 [ 14.191451] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.191807] kthread+0x337/0x6f0 [ 14.191971] ret_from_fork+0x116/0x1d0 [ 14.192456] ret_from_fork_asm+0x1a/0x30 [ 14.192657] [ 14.192750] The buggy address belongs to the object at ffff888103082240 [ 14.192750] which belongs to the cache test_cache of size 123 [ 14.193729] The buggy address is located 0 bytes inside of [ 14.193729] freed 123-byte region [ffff888103082240, ffff8881030822bb) [ 14.194900] [ 14.195206] The buggy address belongs to the physical page: [ 14.195624] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103082 [ 14.196034] flags: 0x200000000000000(node=0|zone=2) [ 14.196262] page_type: f5(slab) [ 14.196425] raw: 0200000000000000 ffff888103074640 dead000000000122 0000000000000000 [ 14.196735] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 14.196976] page dumped because: kasan: bad access detected [ 14.197276] [ 14.197379] Memory state around the buggy address: [ 14.197625] ffff888103082100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.197946] ffff888103082180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.198367] >ffff888103082200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 14.198662] ^ [ 14.198925] ffff888103082280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.199289] ffff888103082300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.199573] ================================================================== [ 14.087951] ================================================================== [ 14.088583] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.088959] Read of size 1 at addr ffff8881029ccf00 by task kunit_try_catch/244 [ 14.089996] [ 14.090367] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.090420] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.090443] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.090467] Call Trace: [ 14.090481] <TASK> [ 14.090500] dump_stack_lvl+0x73/0xb0 [ 14.090671] print_report+0xd1/0x610 [ 14.090698] ? __virt_addr_valid+0x1db/0x2d0 [ 14.090724] ? mempool_uaf_helper+0x392/0x400 [ 14.090747] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.090783] ? mempool_uaf_helper+0x392/0x400 [ 14.090806] kasan_report+0x141/0x180 [ 14.090829] ? mempool_uaf_helper+0x392/0x400 [ 14.090857] __asan_report_load1_noabort+0x18/0x20 [ 14.090883] mempool_uaf_helper+0x392/0x400 [ 14.090907] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.090929] ? update_load_avg+0x1be/0x21b0 [ 14.090958] ? finish_task_switch.isra.0+0x153/0x700 [ 14.091002] mempool_kmalloc_uaf+0xef/0x140 [ 14.091025] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.091052] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.091077] ? __pfx_mempool_kfree+0x10/0x10 [ 14.091103] ? __pfx_read_tsc+0x10/0x10 [ 14.091125] ? ktime_get_ts64+0x86/0x230 [ 14.091152] kunit_try_run_case+0x1a5/0x480 [ 14.091182] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.091206] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.091232] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.091256] ? __kthread_parkme+0x82/0x180 [ 14.091278] ? preempt_count_sub+0x50/0x80 [ 14.091302] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.091326] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.091352] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.091378] kthread+0x337/0x6f0 [ 14.091397] ? trace_preempt_on+0x20/0xc0 [ 14.091421] ? __pfx_kthread+0x10/0x10 [ 14.091443] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.091465] ? calculate_sigpending+0x7b/0xa0 [ 14.091491] ? __pfx_kthread+0x10/0x10 [ 14.091512] ret_from_fork+0x116/0x1d0 [ 14.091531] ? __pfx_kthread+0x10/0x10 [ 14.091552] ret_from_fork_asm+0x1a/0x30 [ 14.091584] </TASK> [ 14.091595] [ 14.106581] Allocated by task 244: [ 14.106964] kasan_save_stack+0x45/0x70 [ 14.107376] kasan_save_track+0x18/0x40 [ 14.107714] kasan_save_alloc_info+0x3b/0x50 [ 14.109065] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 14.109533] remove_element+0x11e/0x190 [ 14.109686] mempool_alloc_preallocated+0x4d/0x90 [ 14.111181] mempool_uaf_helper+0x96/0x400 [ 14.111741] mempool_kmalloc_uaf+0xef/0x140 [ 14.112488] kunit_try_run_case+0x1a5/0x480 [ 14.113065] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.113735] kthread+0x337/0x6f0 [ 14.114232] ret_from_fork+0x116/0x1d0 [ 14.114572] ret_from_fork_asm+0x1a/0x30 [ 14.114725] [ 14.115196] Freed by task 244: [ 14.115648] kasan_save_stack+0x45/0x70 [ 14.116247] kasan_save_track+0x18/0x40 [ 14.116718] kasan_save_free_info+0x3f/0x60 [ 14.117284] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.117520] mempool_free+0x2ec/0x380 [ 14.118159] mempool_uaf_helper+0x11a/0x400 [ 14.118801] mempool_kmalloc_uaf+0xef/0x140 [ 14.119464] kunit_try_run_case+0x1a5/0x480 [ 14.120091] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.120569] kthread+0x337/0x6f0 [ 14.120703] ret_from_fork+0x116/0x1d0 [ 14.120850] ret_from_fork_asm+0x1a/0x30 [ 14.120993] [ 14.121516] The buggy address belongs to the object at ffff8881029ccf00 [ 14.121516] which belongs to the cache kmalloc-128 of size 128 [ 14.123152] The buggy address is located 0 bytes inside of [ 14.123152] freed 128-byte region [ffff8881029ccf00, ffff8881029ccf80) [ 14.124857] [ 14.124966] The buggy address belongs to the physical page: [ 14.125145] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029cc [ 14.125402] flags: 0x200000000000000(node=0|zone=2) [ 14.125572] page_type: f5(slab) [ 14.125698] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 14.126295] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 14.127002] page dumped because: kasan: bad access detected [ 14.127601] [ 14.127799] Memory state around the buggy address: [ 14.128268] ffff8881029cce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.128940] ffff8881029cce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.129616] >ffff8881029ccf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.130300] ^ [ 14.130437] ffff8881029ccf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.131100] ffff8881029cd000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.131326] ==================================================================