Date
July 20, 2025, 8:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.146569] ================================================================== [ 17.147279] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.147828] Read of size 1 at addr fff00000c64d8400 by task kunit_try_catch/228 [ 17.148341] [ 17.148580] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.148849] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.148927] Hardware name: linux,dummy-virt (DT) [ 17.149050] Call trace: [ 17.149135] show_stack+0x20/0x38 (C) [ 17.149349] dump_stack_lvl+0x8c/0xd0 [ 17.149414] print_report+0x118/0x5d0 [ 17.149463] kasan_report+0xdc/0x128 [ 17.149672] __asan_report_load1_noabort+0x20/0x30 [ 17.149907] mempool_uaf_helper+0x314/0x340 [ 17.150098] mempool_kmalloc_uaf+0xc4/0x120 [ 17.150303] kunit_try_run_case+0x170/0x3f0 [ 17.150480] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.150544] kthread+0x328/0x630 [ 17.150587] ret_from_fork+0x10/0x20 [ 17.150637] [ 17.151038] Allocated by task 228: [ 17.151198] kasan_save_stack+0x3c/0x68 [ 17.151245] kasan_save_track+0x20/0x40 [ 17.151813] kasan_save_alloc_info+0x40/0x58 [ 17.152474] __kasan_mempool_unpoison_object+0x11c/0x180 [ 17.152698] remove_element+0x130/0x1f8 [ 17.152788] mempool_alloc_preallocated+0x58/0xc0 [ 17.152931] mempool_uaf_helper+0xa4/0x340 [ 17.152980] mempool_kmalloc_uaf+0xc4/0x120 [ 17.153363] kunit_try_run_case+0x170/0x3f0 [ 17.153415] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.153458] kthread+0x328/0x630 [ 17.153492] ret_from_fork+0x10/0x20 [ 17.153536] [ 17.153556] Freed by task 228: [ 17.153588] kasan_save_stack+0x3c/0x68 [ 17.153812] kasan_save_track+0x20/0x40 [ 17.153994] kasan_save_free_info+0x4c/0x78 [ 17.154034] __kasan_mempool_poison_object+0xc0/0x150 [ 17.154183] mempool_free+0x28c/0x328 [ 17.154229] mempool_uaf_helper+0x104/0x340 [ 17.154742] mempool_kmalloc_uaf+0xc4/0x120 [ 17.154784] kunit_try_run_case+0x170/0x3f0 [ 17.154821] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.154865] kthread+0x328/0x630 [ 17.154897] ret_from_fork+0x10/0x20 [ 17.155331] [ 17.155355] The buggy address belongs to the object at fff00000c64d8400 [ 17.155355] which belongs to the cache kmalloc-128 of size 128 [ 17.155421] The buggy address is located 0 bytes inside of [ 17.155421] freed 128-byte region [fff00000c64d8400, fff00000c64d8480) [ 17.155943] [ 17.155973] The buggy address belongs to the physical page: [ 17.156284] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064d8 [ 17.156936] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.157019] page_type: f5(slab) [ 17.157329] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.157612] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.157662] page dumped because: kasan: bad access detected [ 17.157697] [ 17.157716] Memory state around the buggy address: [ 17.157751] fff00000c64d8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.158074] fff00000c64d8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.158359] >fff00000c64d8400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.158403] ^ [ 17.158434] fff00000c64d8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.158477] fff00000c64d8500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 17.159060] ================================================================== [ 17.196474] ================================================================== [ 17.196539] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.196593] Read of size 1 at addr fff00000c6422240 by task kunit_try_catch/232 [ 17.196644] [ 17.196678] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.196761] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.196806] Hardware name: linux,dummy-virt (DT) [ 17.196840] Call trace: [ 17.196863] show_stack+0x20/0x38 (C) [ 17.196913] dump_stack_lvl+0x8c/0xd0 [ 17.196988] print_report+0x118/0x5d0 [ 17.197071] kasan_report+0xdc/0x128 [ 17.197269] __asan_report_load1_noabort+0x20/0x30 [ 17.197341] mempool_uaf_helper+0x314/0x340 [ 17.197637] mempool_slab_uaf+0xc0/0x118 [ 17.197774] kunit_try_run_case+0x170/0x3f0 [ 17.197848] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.197923] kthread+0x328/0x630 [ 17.197966] ret_from_fork+0x10/0x20 [ 17.198144] [ 17.198183] Allocated by task 232: [ 17.198228] kasan_save_stack+0x3c/0x68 [ 17.198311] kasan_save_track+0x20/0x40 [ 17.198388] kasan_save_alloc_info+0x40/0x58 [ 17.198511] __kasan_mempool_unpoison_object+0xbc/0x180 [ 17.198591] remove_element+0x16c/0x1f8 [ 17.198709] mempool_alloc_preallocated+0x58/0xc0 [ 17.198806] mempool_uaf_helper+0xa4/0x340 [ 17.198915] mempool_slab_uaf+0xc0/0x118 [ 17.199011] kunit_try_run_case+0x170/0x3f0 [ 17.199061] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.199149] kthread+0x328/0x630 [ 17.199201] ret_from_fork+0x10/0x20 [ 17.199238] [ 17.199281] Freed by task 232: [ 17.199330] kasan_save_stack+0x3c/0x68 [ 17.199379] kasan_save_track+0x20/0x40 [ 17.199415] kasan_save_free_info+0x4c/0x78 [ 17.199455] __kasan_mempool_poison_object+0xc0/0x150 [ 17.199496] mempool_free+0x28c/0x328 [ 17.199688] mempool_uaf_helper+0x104/0x340 [ 17.199730] mempool_slab_uaf+0xc0/0x118 [ 17.199797] kunit_try_run_case+0x170/0x3f0 [ 17.199866] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.199966] kthread+0x328/0x630 [ 17.200042] ret_from_fork+0x10/0x20 [ 17.200103] [ 17.200123] The buggy address belongs to the object at fff00000c6422240 [ 17.200123] which belongs to the cache test_cache of size 123 [ 17.200244] The buggy address is located 0 bytes inside of [ 17.200244] freed 123-byte region [fff00000c6422240, fff00000c64222bb) [ 17.200317] [ 17.200360] The buggy address belongs to the physical page: [ 17.200408] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106422 [ 17.200462] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.200510] page_type: f5(slab) [ 17.200548] raw: 0bfffe0000000000 fff00000c1af18c0 dead000000000122 0000000000000000 [ 17.200598] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 17.200654] page dumped because: kasan: bad access detected [ 17.200705] [ 17.200734] Memory state around the buggy address: [ 17.200767] fff00000c6422100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.200811] fff00000c6422180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.200853] >fff00000c6422200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 17.201342] ^ [ 17.201480] fff00000c6422280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.201574] fff00000c6422300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.201613] ==================================================================
[ 14.460045] ================================================================== [ 14.460557] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.461135] Read of size 1 at addr ffff8881029dfa00 by task kunit_try_catch/245 [ 14.461586] [ 14.461723] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.461777] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.461789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.461815] Call Trace: [ 14.461828] <TASK> [ 14.461850] dump_stack_lvl+0x73/0xb0 [ 14.461887] print_report+0xd1/0x610 [ 14.461912] ? __virt_addr_valid+0x1db/0x2d0 [ 14.461939] ? mempool_uaf_helper+0x392/0x400 [ 14.461962] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.461986] ? mempool_uaf_helper+0x392/0x400 [ 14.462008] kasan_report+0x141/0x180 [ 14.462031] ? mempool_uaf_helper+0x392/0x400 [ 14.462119] __asan_report_load1_noabort+0x18/0x20 [ 14.462145] mempool_uaf_helper+0x392/0x400 [ 14.462168] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.462195] ? finish_task_switch.isra.0+0x153/0x700 [ 14.462225] mempool_kmalloc_uaf+0xef/0x140 [ 14.462247] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 14.462273] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.462300] ? __pfx_mempool_kfree+0x10/0x10 [ 14.462325] ? __pfx_read_tsc+0x10/0x10 [ 14.462348] ? ktime_get_ts64+0x86/0x230 [ 14.462375] kunit_try_run_case+0x1a5/0x480 [ 14.462402] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.462425] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.462452] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.462488] ? __kthread_parkme+0x82/0x180 [ 14.462510] ? preempt_count_sub+0x50/0x80 [ 14.462534] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.462558] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.462582] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.462606] kthread+0x337/0x6f0 [ 14.462626] ? trace_preempt_on+0x20/0xc0 [ 14.462652] ? __pfx_kthread+0x10/0x10 [ 14.462673] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.462695] ? calculate_sigpending+0x7b/0xa0 [ 14.462722] ? __pfx_kthread+0x10/0x10 [ 14.462744] ret_from_fork+0x116/0x1d0 [ 14.462763] ? __pfx_kthread+0x10/0x10 [ 14.462784] ret_from_fork_asm+0x1a/0x30 [ 14.462818] </TASK> [ 14.462829] [ 14.471779] Allocated by task 245: [ 14.471989] kasan_save_stack+0x45/0x70 [ 14.472353] kasan_save_track+0x18/0x40 [ 14.472554] kasan_save_alloc_info+0x3b/0x50 [ 14.472732] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 14.473152] remove_element+0x11e/0x190 [ 14.473334] mempool_alloc_preallocated+0x4d/0x90 [ 14.473519] mempool_uaf_helper+0x96/0x400 [ 14.473704] mempool_kmalloc_uaf+0xef/0x140 [ 14.473919] kunit_try_run_case+0x1a5/0x480 [ 14.474141] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.474505] kthread+0x337/0x6f0 [ 14.474685] ret_from_fork+0x116/0x1d0 [ 14.474899] ret_from_fork_asm+0x1a/0x30 [ 14.475254] [ 14.475339] Freed by task 245: [ 14.475459] kasan_save_stack+0x45/0x70 [ 14.475624] kasan_save_track+0x18/0x40 [ 14.475768] kasan_save_free_info+0x3f/0x60 [ 14.475924] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.476404] mempool_free+0x2ec/0x380 [ 14.476621] mempool_uaf_helper+0x11a/0x400 [ 14.476902] mempool_kmalloc_uaf+0xef/0x140 [ 14.477241] kunit_try_run_case+0x1a5/0x480 [ 14.477458] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.477651] kthread+0x337/0x6f0 [ 14.477778] ret_from_fork+0x116/0x1d0 [ 14.477918] ret_from_fork_asm+0x1a/0x30 [ 14.478064] [ 14.478174] The buggy address belongs to the object at ffff8881029dfa00 [ 14.478174] which belongs to the cache kmalloc-128 of size 128 [ 14.478754] The buggy address is located 0 bytes inside of [ 14.478754] freed 128-byte region [ffff8881029dfa00, ffff8881029dfa80) [ 14.479742] [ 14.479920] The buggy address belongs to the physical page: [ 14.480235] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029df [ 14.480584] flags: 0x200000000000000(node=0|zone=2) [ 14.480792] page_type: f5(slab) [ 14.481038] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 14.481355] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 14.481737] page dumped because: kasan: bad access detected [ 14.481992] [ 14.482074] Memory state around the buggy address: [ 14.482309] ffff8881029df900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.482597] ffff8881029df980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.483167] >ffff8881029dfa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.483433] ^ [ 14.483574] ffff8881029dfa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.484129] ffff8881029dfb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 14.484412] ================================================================== [ 14.511805] ================================================================== [ 14.512407] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.512764] Read of size 1 at addr ffff88810326a240 by task kunit_try_catch/249 [ 14.513154] [ 14.513279] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.513329] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.513341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.513364] Call Trace: [ 14.513376] <TASK> [ 14.513395] dump_stack_lvl+0x73/0xb0 [ 14.513427] print_report+0xd1/0x610 [ 14.513452] ? __virt_addr_valid+0x1db/0x2d0 [ 14.513488] ? mempool_uaf_helper+0x392/0x400 [ 14.513512] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.513535] ? mempool_uaf_helper+0x392/0x400 [ 14.513559] kasan_report+0x141/0x180 [ 14.513582] ? mempool_uaf_helper+0x392/0x400 [ 14.513611] __asan_report_load1_noabort+0x18/0x20 [ 14.513637] mempool_uaf_helper+0x392/0x400 [ 14.513660] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.513686] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.513708] ? finish_task_switch.isra.0+0x153/0x700 [ 14.513734] mempool_slab_uaf+0xea/0x140 [ 14.513758] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 14.513796] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 14.513823] ? __pfx_mempool_free_slab+0x10/0x10 [ 14.513850] ? __pfx_read_tsc+0x10/0x10 [ 14.513872] ? ktime_get_ts64+0x86/0x230 [ 14.513897] kunit_try_run_case+0x1a5/0x480 [ 14.513924] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.513948] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.513974] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.513998] ? __kthread_parkme+0x82/0x180 [ 14.514020] ? preempt_count_sub+0x50/0x80 [ 14.514044] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.514071] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.514096] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.514129] kthread+0x337/0x6f0 [ 14.514150] ? trace_preempt_on+0x20/0xc0 [ 14.514174] ? __pfx_kthread+0x10/0x10 [ 14.514196] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.514219] ? calculate_sigpending+0x7b/0xa0 [ 14.514245] ? __pfx_kthread+0x10/0x10 [ 14.514267] ret_from_fork+0x116/0x1d0 [ 14.514286] ? __pfx_kthread+0x10/0x10 [ 14.514308] ret_from_fork_asm+0x1a/0x30 [ 14.514340] </TASK> [ 14.514351] [ 14.523679] Allocated by task 249: [ 14.523840] kasan_save_stack+0x45/0x70 [ 14.524089] kasan_save_track+0x18/0x40 [ 14.524268] kasan_save_alloc_info+0x3b/0x50 [ 14.524456] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 14.524700] remove_element+0x11e/0x190 [ 14.525134] mempool_alloc_preallocated+0x4d/0x90 [ 14.525360] mempool_uaf_helper+0x96/0x400 [ 14.525552] mempool_slab_uaf+0xea/0x140 [ 14.525756] kunit_try_run_case+0x1a5/0x480 [ 14.525914] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.526191] kthread+0x337/0x6f0 [ 14.526322] ret_from_fork+0x116/0x1d0 [ 14.526585] ret_from_fork_asm+0x1a/0x30 [ 14.526816] [ 14.526914] Freed by task 249: [ 14.527035] kasan_save_stack+0x45/0x70 [ 14.527182] kasan_save_track+0x18/0x40 [ 14.527326] kasan_save_free_info+0x3f/0x60 [ 14.527492] __kasan_mempool_poison_object+0x131/0x1d0 [ 14.527678] mempool_free+0x2ec/0x380 [ 14.527920] mempool_uaf_helper+0x11a/0x400 [ 14.528151] mempool_slab_uaf+0xea/0x140 [ 14.528356] kunit_try_run_case+0x1a5/0x480 [ 14.528578] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.528962] kthread+0x337/0x6f0 [ 14.529142] ret_from_fork+0x116/0x1d0 [ 14.529317] ret_from_fork_asm+0x1a/0x30 [ 14.529477] [ 14.529554] The buggy address belongs to the object at ffff88810326a240 [ 14.529554] which belongs to the cache test_cache of size 123 [ 14.529935] The buggy address is located 0 bytes inside of [ 14.529935] freed 123-byte region [ffff88810326a240, ffff88810326a2bb) [ 14.530696] [ 14.530818] The buggy address belongs to the physical page: [ 14.531177] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10326a [ 14.531568] flags: 0x200000000000000(node=0|zone=2) [ 14.531853] page_type: f5(slab) [ 14.532025] raw: 0200000000000000 ffff8881032603c0 dead000000000122 0000000000000000 [ 14.532331] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 14.532585] page dumped because: kasan: bad access detected [ 14.532800] [ 14.532897] Memory state around the buggy address: [ 14.533277] ffff88810326a100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.533617] ffff88810326a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 14.534259] >ffff88810326a200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 14.534507] ^ [ 14.534743] ffff88810326a280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 14.535429] ffff88810326a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.535753] ==================================================================