Date
July 23, 2025, 2:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 17.481754] ==================================================================
[ 17.481831] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.481897] Read of size 1 at addr fff00000c6495240 by task kunit_try_catch/231
[ 17.482153]
[ 17.482225] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[ 17.482319] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.482365] Hardware name: linux,dummy-virt (DT)
[ 17.482413] Call trace:
[ 17.482463]  show_stack+0x20/0x38 (C)
[ 17.482513]  dump_stack_lvl+0x8c/0xd0
[ 17.482583]  print_report+0x118/0x5d0
[ 17.482682]  kasan_report+0xdc/0x128
[ 17.482774]  __asan_report_load1_noabort+0x20/0x30
[ 17.482825]  mempool_uaf_helper+0x314/0x340
[ 17.482892]  mempool_slab_uaf+0xc0/0x118
[ 17.482939]  kunit_try_run_case+0x170/0x3f0
[ 17.483255]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.483352]  kthread+0x328/0x630
[ 17.483483]  ret_from_fork+0x10/0x20
[ 17.483594]
[ 17.483614] Allocated by task 231:
[ 17.483643]  kasan_save_stack+0x3c/0x68
[ 17.483908]  kasan_save_track+0x20/0x40
[ 17.483986]  kasan_save_alloc_info+0x40/0x58
[ 17.484103]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 17.484204]  remove_element+0x16c/0x1f8
[ 17.484316]  mempool_alloc_preallocated+0x58/0xc0
[ 17.484385]  mempool_uaf_helper+0xa4/0x340
[ 17.484424]  mempool_slab_uaf+0xc0/0x118
[ 17.484737]  kunit_try_run_case+0x170/0x3f0
[ 17.484881]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.484969]  kthread+0x328/0x630
[ 17.485080]  ret_from_fork+0x10/0x20
[ 17.485146]
[ 17.485167] Freed by task 231:
[ 17.485194]  kasan_save_stack+0x3c/0x68
[ 17.485471]  kasan_save_track+0x20/0x40
[ 17.485587]  kasan_save_free_info+0x4c/0x78
[ 17.485695]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.485762]  mempool_free+0x28c/0x328
[ 17.485845]  mempool_uaf_helper+0x104/0x340
[ 17.485896]  mempool_slab_uaf+0xc0/0x118
[ 17.486174]  kunit_try_run_case+0x170/0x3f0
[ 17.486238]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.486284]  kthread+0x328/0x630
[ 17.486318]  ret_from_fork+0x10/0x20
[ 17.486364]
[ 17.486386] The buggy address belongs to the object at fff00000c6495240
[ 17.486386]  which belongs to the cache test_cache of size 123
[ 17.486453] The buggy address is located 0 bytes inside of
[ 17.486453]  freed 123-byte region [fff00000c6495240, fff00000c64952bb)
[ 17.486527]
[ 17.486763] The buggy address belongs to the physical page:
[ 17.486829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106495
[ 17.486976] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.487094] page_type: f5(slab)
[ 17.487214] raw: 0bfffe0000000000 fff00000c5842780 dead000000000122 0000000000000000
[ 17.487267] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 17.487336] page dumped because: kasan: bad access detected
[ 17.487370]
[ 17.487389] Memory state around the buggy address:
[ 17.487420]  fff00000c6495100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.487464]  fff00000c6495180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.487691] >fff00000c6495200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 17.487783]                                            ^
[ 17.487881]  fff00000c6495280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.487986]  fff00000c6495300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.488023] ==================================================================
[ 17.460930] ==================================================================
[ 17.461016] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 17.461089] Read of size 1 at addr fff00000c644b800 by task kunit_try_catch/227
[ 17.461146]
[ 17.461189] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[ 17.461278] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.461305] Hardware name: linux,dummy-virt (DT)
[ 17.461340] Call trace:
[ 17.461365]  show_stack+0x20/0x38 (C)
[ 17.461418]  dump_stack_lvl+0x8c/0xd0
[ 17.461468]  print_report+0x118/0x5d0
[ 17.461516]  kasan_report+0xdc/0x128
[ 17.461562]  __asan_report_load1_noabort+0x20/0x30
[ 17.461614]  mempool_uaf_helper+0x314/0x340
[ 17.461659]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.461706]  kunit_try_run_case+0x170/0x3f0
[ 17.461756]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.461810]  kthread+0x328/0x630
[ 17.461908]  ret_from_fork+0x10/0x20
[ 17.461966]
[ 17.461988] Allocated by task 227:
[ 17.462021]  kasan_save_stack+0x3c/0x68
[ 17.462068]  kasan_save_track+0x20/0x40
[ 17.462107]  kasan_save_alloc_info+0x40/0x58
[ 17.462148]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 17.462193]  remove_element+0x130/0x1f8
[ 17.462232]  mempool_alloc_preallocated+0x58/0xc0
[ 17.462271]  mempool_uaf_helper+0xa4/0x340
[ 17.462309]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.462347]  kunit_try_run_case+0x170/0x3f0
[ 17.462386]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.462431]  kthread+0x328/0x630
[ 17.462471]  ret_from_fork+0x10/0x20
[ 17.462508]
[ 17.462527] Freed by task 227:
[ 17.462569]  kasan_save_stack+0x3c/0x68
[ 17.462606]  kasan_save_track+0x20/0x40
[ 17.462643]  kasan_save_free_info+0x4c/0x78
[ 17.462683]  __kasan_mempool_poison_object+0xc0/0x150
[ 17.462725]  mempool_free+0x28c/0x328
[ 17.462761]  mempool_uaf_helper+0x104/0x340
[ 17.462800]  mempool_kmalloc_uaf+0xc4/0x120
[ 17.462838]  kunit_try_run_case+0x170/0x3f0
[ 17.462889]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.462937]  kthread+0x328/0x630
[ 17.462970]  ret_from_fork+0x10/0x20
[ 17.463007]
[ 17.463026] The buggy address belongs to the object at fff00000c644b800
[ 17.463026]  which belongs to the cache kmalloc-128 of size 128
[ 17.463090] The buggy address is located 0 bytes inside of
[ 17.463090]  freed 128-byte region [fff00000c644b800, fff00000c644b880)
[ 17.463154]
[ 17.463177] The buggy address belongs to the physical page:
[ 17.463209] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10644b
[ 17.463265] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.463319] page_type: f5(slab)
[ 17.463363] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.463415] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.463457] page dumped because: kasan: bad access detected
[ 17.463490]
[ 17.463508] Memory state around the buggy address:
[ 17.463541]  fff00000c644b700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.463586]  fff00000c644b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.463630] >fff00000c644b800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.463669]                    ^
[ 17.463696]  fff00000c644b880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.463739]  fff00000c644b900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 17.463778] ==================================================================
```
qemu-x86_64:

```
[ 14.167760] ==================================================================
[ 14.168373] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.168656] Read of size 1 at addr ffff888102b16240 by task kunit_try_catch/248
[ 14.168990]
[ 14.169132] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[ 14.169177] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.169245] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.169270] Call Trace:
[ 14.169283]  <TASK>
[ 14.169298]  dump_stack_lvl+0x73/0xb0
[ 14.169330]  print_report+0xd1/0x610
[ 14.169353]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.169377]  ? mempool_uaf_helper+0x392/0x400
[ 14.169399]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.169422]  ? mempool_uaf_helper+0x392/0x400
[ 14.169444]  kasan_report+0x141/0x180
[ 14.169466]  ? mempool_uaf_helper+0x392/0x400
[ 14.169493]  __asan_report_load1_noabort+0x18/0x20
[ 14.169517]  mempool_uaf_helper+0x392/0x400
[ 14.169540]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.169564]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.169588]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.169614]  mempool_slab_uaf+0xea/0x140
[ 14.169635]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 14.169661]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 14.169686]  ? __pfx_mempool_free_slab+0x10/0x10
[ 14.169712]  ? __pfx_read_tsc+0x10/0x10
[ 14.169734]  ? ktime_get_ts64+0x86/0x230
[ 14.169759]  kunit_try_run_case+0x1a5/0x480
[ 14.169784]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.169807]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.169843]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.169866]  ? __kthread_parkme+0x82/0x180
[ 14.169887]  ? preempt_count_sub+0x50/0x80
[ 14.169910]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.169933]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.169957]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.169980]  kthread+0x337/0x6f0
[ 14.170000]  ? trace_preempt_on+0x20/0xc0
[ 14.170023]  ? __pfx_kthread+0x10/0x10
[ 14.170044]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.170065]  ? calculate_sigpending+0x7b/0xa0
[ 14.170108]  ? __pfx_kthread+0x10/0x10
[ 14.170129]  ret_from_fork+0x116/0x1d0
[ 14.170148]  ? __pfx_kthread+0x10/0x10
[ 14.170168]  ret_from_fork_asm+0x1a/0x30
[ 14.170249]  </TASK>
[ 14.170261]
[ 14.178121] Allocated by task 248:
[ 14.178340]  kasan_save_stack+0x45/0x70
[ 14.178547]  kasan_save_track+0x18/0x40
[ 14.178739]  kasan_save_alloc_info+0x3b/0x50
[ 14.178965]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 14.179311]  remove_element+0x11e/0x190
[ 14.179514]  mempool_alloc_preallocated+0x4d/0x90
[ 14.179737]  mempool_uaf_helper+0x96/0x400
[ 14.179947]  mempool_slab_uaf+0xea/0x140
[ 14.180105]  kunit_try_run_case+0x1a5/0x480
[ 14.180398]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.180643]  kthread+0x337/0x6f0
[ 14.180769]  ret_from_fork+0x116/0x1d0
[ 14.180919]  ret_from_fork_asm+0x1a/0x30
[ 14.181063]
[ 14.181166] Freed by task 248:
[ 14.181369]  kasan_save_stack+0x45/0x70
[ 14.181571]  kasan_save_track+0x18/0x40
[ 14.181761]  kasan_save_free_info+0x3f/0x60
[ 14.181990]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.182241]  mempool_free+0x2ec/0x380
[ 14.182428]  mempool_uaf_helper+0x11a/0x400
[ 14.182635]  mempool_slab_uaf+0xea/0x140
[ 14.182838]  kunit_try_run_case+0x1a5/0x480
[ 14.183045]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.183295]  kthread+0x337/0x6f0
[ 14.183428]  ret_from_fork+0x116/0x1d0
[ 14.183583]  ret_from_fork_asm+0x1a/0x30
[ 14.183770]
[ 14.184955] The buggy address belongs to the object at ffff888102b16240
[ 14.184955]  which belongs to the cache test_cache of size 123
[ 14.185938] The buggy address is located 0 bytes inside of
[ 14.185938]  freed 123-byte region [ffff888102b16240, ffff888102b162bb)
[ 14.186937]
[ 14.187275] The buggy address belongs to the physical page:
[ 14.187524] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b16
[ 14.188082] flags: 0x200000000000000(node=0|zone=2)
[ 14.188568] page_type: f5(slab)
[ 14.188912] raw: 0200000000000000 ffff888102b14000 dead000000000122 0000000000000000
[ 14.189587] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 14.189926] page dumped because: kasan: bad access detected
[ 14.190171]
[ 14.190677] Memory state around the buggy address:
[ 14.190900]  ffff888102b16100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.191553]  ffff888102b16180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.192000] >ffff888102b16200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 14.192525]                                            ^
[ 14.192763]  ffff888102b16280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 14.193075]  ffff888102b16300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.193889] ==================================================================
[ 14.105689] ==================================================================
[ 14.106422] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.106742] Read of size 1 at addr ffff8881025cc600 by task kunit_try_catch/244
[ 14.107065]
[ 14.107222] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[ 14.107347] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.107363] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.107384] Call Trace:
[ 14.107396]  <TASK>
[ 14.107412]  dump_stack_lvl+0x73/0xb0
[ 14.107443]  print_report+0xd1/0x610
[ 14.107490]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.107513]  ? mempool_uaf_helper+0x392/0x400
[ 14.107535]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.107557]  ? mempool_uaf_helper+0x392/0x400
[ 14.107579]  kasan_report+0x141/0x180
[ 14.107601]  ? mempool_uaf_helper+0x392/0x400
[ 14.107644]  __asan_report_load1_noabort+0x18/0x20
[ 14.107668]  mempool_uaf_helper+0x392/0x400
[ 14.107691]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.107711]  ? update_load_avg+0x1be/0x21b0
[ 14.107735]  ? dequeue_entities+0x27e/0x1740
[ 14.107761]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.107786]  mempool_kmalloc_uaf+0xef/0x140
[ 14.107808]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 14.107844]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.107868]  ? __pfx_mempool_kfree+0x10/0x10
[ 14.107911]  ? __pfx_read_tsc+0x10/0x10
[ 14.107932]  ? ktime_get_ts64+0x86/0x230
[ 14.107956]  kunit_try_run_case+0x1a5/0x480
[ 14.107981]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.108004]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.108028]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.108051]  ? __kthread_parkme+0x82/0x180
[ 14.108072]  ? preempt_count_sub+0x50/0x80
[ 14.108112]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.108136]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.108159]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.108183]  kthread+0x337/0x6f0
[ 14.108202]  ? trace_preempt_on+0x20/0xc0
[ 14.108296]  ? __pfx_kthread+0x10/0x10
[ 14.108318]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.108340]  ? calculate_sigpending+0x7b/0xa0
[ 14.108364]  ? __pfx_kthread+0x10/0x10
[ 14.108385]  ret_from_fork+0x116/0x1d0
[ 14.108405]  ? __pfx_kthread+0x10/0x10
[ 14.108424]  ret_from_fork_asm+0x1a/0x30
[ 14.108455]  </TASK>
[ 14.108465]
[ 14.117584] Allocated by task 244:
[ 14.117751]  kasan_save_stack+0x45/0x70
[ 14.117984]  kasan_save_track+0x18/0x40
[ 14.118182]  kasan_save_alloc_info+0x3b/0x50
[ 14.118618]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 14.118989]  remove_element+0x11e/0x190
[ 14.119284]  mempool_alloc_preallocated+0x4d/0x90
[ 14.119490]  mempool_uaf_helper+0x96/0x400
[ 14.119717]  mempool_kmalloc_uaf+0xef/0x140
[ 14.119946]  kunit_try_run_case+0x1a5/0x480
[ 14.120149]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.120408]  kthread+0x337/0x6f0
[ 14.120574]  ret_from_fork+0x116/0x1d0
[ 14.120861]  ret_from_fork_asm+0x1a/0x30
[ 14.121037]
[ 14.121133] Freed by task 244:
[ 14.121337]  kasan_save_stack+0x45/0x70
[ 14.121555]  kasan_save_track+0x18/0x40
[ 14.121727]  kasan_save_free_info+0x3f/0x60
[ 14.121887]  __kasan_mempool_poison_object+0x131/0x1d0
[ 14.122194]  mempool_free+0x2ec/0x380
[ 14.122494]  mempool_uaf_helper+0x11a/0x400
[ 14.122670]  mempool_kmalloc_uaf+0xef/0x140
[ 14.122881]  kunit_try_run_case+0x1a5/0x480
[ 14.123057]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.123653]  kthread+0x337/0x6f0
[ 14.123844]  ret_from_fork+0x116/0x1d0
[ 14.123980]  ret_from_fork_asm+0x1a/0x30
[ 14.124307]
[ 14.124410] The buggy address belongs to the object at ffff8881025cc600
[ 14.124410]  which belongs to the cache kmalloc-128 of size 128
[ 14.125036] The buggy address is located 0 bytes inside of
[ 14.125036]  freed 128-byte region [ffff8881025cc600, ffff8881025cc680)
[ 14.125516]
[ 14.125686] The buggy address belongs to the physical page:
[ 14.125953] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025cc
[ 14.126316] flags: 0x200000000000000(node=0|zone=2)
[ 14.126550] page_type: f5(slab)
[ 14.126710] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.126953] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.127798] page dumped because: kasan: bad access detected
[ 14.128072]
[ 14.128180] Memory state around the buggy address:
[ 14.128522]  ffff8881025cc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.128840]  ffff8881025cc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.129209] >ffff8881025cc600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.129569]                    ^
[ 14.129739]  ffff8881025cc680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.130046]  ffff8881025cc700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 14.130450] ==================================================================
```
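The four reports above are the expected output of the kernel's KASAN KUnit test cases mempool_slab_uaf and mempool_kmalloc_uaf (both call mempool_uaf_helper, which reads an object after handing it back with mempool_free); the "[N]=TEST" taint and the kunit_try_catch task confirm a test run rather than a newly found bug. What is worth reading in such a report is the "Memory state" dump: each shadow byte covers one 8-byte granule, 0xfa and 0xfb mark freed slab granules (0xfa additionally says the granule holds KASAN's free metadata), 0xfc is slab redzone and 00 is addressable memory. The program below is an added example written for this page, not kernel code and not part of the original log: it parses the shadow rows copied from the reports, classifies the faulting address, and walks forward over freed granules to measure the poisoned span (128 bytes in both cases, which is the 123-byte test_cache object rounded up to the granule, and exactly the kmalloc-128 object). The poison values are taken from mm/kasan/kasan.h for generic KASAN; the function and constant names are this example's own.

```c
/* Decoder for the "Memory state around the buggy address" rows of a
 * generic-KASAN report. Added example; assumes 8-byte granules and the
 * generic-mode poison values from mm/kasan/kasan.h (not kernel code). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE       8                         /* KASAN_GRANULE_SIZE */
#define BYTES_PER_ROW 16                        /* shadow bytes per report row */
#define ROW_SPAN      (GRANULE * BYTES_PER_ROW) /* 128 bytes of memory per row */

enum { SLAB_FREE_META = 0xFA, SLAB_FREE = 0xFB, SLAB_REDZONE = 0xFC,
       PAGE_REDZONE = 0xFE, PAGE_FREE = 0xFF };

struct shadow_row { uint64_t base; uint8_t v[BYTES_PER_ROW]; };

struct kasan_analysis {
    int shadow;          /* shadow byte covering the address, -1 if not in dump */
    const char *meaning; /* name of that shadow value */
    uint64_t freed_span; /* bytes of contiguous freed poison starting at addr */
};

/* Constructed input: shadow rows copied from the two reports on this page. */
static const char *const ARM64_SLAB_DUMP[] = {
    " fff00000c6495100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
    " fff00000c6495180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    ">fff00000c6495200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb",
    " fff00000c6495280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
    " fff00000c6495300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
static const int ARM64_SLAB_DUMP_N = 5;
static const char *const X86_KMALLOC_DUMP[] = {
    " ffff8881025cc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    " ffff8881025cc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    ">ffff8881025cc600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    " ffff8881025cc680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    " ffff8881025cc700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
};
static const int X86_KMALLOC_DUMP_N = 5;

/* Parse one row; the ">" marker on the guilty row is accepted and ignored. */
static int parse_row(const char *s, struct shadow_row *row)
{
    char *end;
    while (*s == ' ' || *s == '>') s++;
    row->base = strtoull(s, &end, 16);
    if (end == s || *end != ':') return -1;
    s = end + 1;
    for (int i = 0; i < BYTES_PER_ROW; i++) {
        unsigned long b = strtoul(s, &end, 16);
        if (end == s || b > 0xFF) return -1;
        row->v[i] = (uint8_t)b;
        s = end;
    }
    return 0;
}

static const char *shadow_name(int v)
{
    if (v == 0) return "addressable";
    if (v > 0 && v < GRANULE) return "partially addressable (first N bytes valid)";
    switch (v) {
    case SLAB_FREE_META: return "freed slab object (granule holds free meta)";
    case SLAB_FREE:      return "freed slab object";
    case SLAB_REDZONE:   return "slab redzone";
    case PAGE_REDZONE:   return "kmalloc_large redzone";
    case PAGE_FREE:      return "freed page";
    default:             return "other poison";
    }
}

/* Shadow byte for addr, or -1 when no parsed row covers it. */
static int shadow_at(const struct shadow_row *rows, int n, uint64_t addr)
{
    for (int i = 0; i < n; i++)
        if (addr >= rows[i].base && addr - rows[i].base < ROW_SPAN)
            return rows[i].v[(addr - rows[i].base) / GRANULE];
    return -1;
}

int analyze_dump(const char *const *lines, int n, uint64_t addr,
                 struct kasan_analysis *out)
{
    struct shadow_row rows[16];
    if (n > 16) return -1;
    for (int i = 0; i < n; i++)
        if (parse_row(lines[i], &rows[i]) != 0) return -1;
    out->shadow = shadow_at(rows, n, addr);
    out->meaning = out->shadow < 0 ? "address not covered by dump"
                                   : shadow_name(out->shadow);
    /* Walk forward over freed granules: the freed object's size rounded up
     * to the granule (the exact object size is printed elsewhere). */
    out->freed_span = 0;
    for (uint64_t a = addr;; a += GRANULE) {
        int v = shadow_at(rows, n, a);
        if (v != SLAB_FREE_META && v != SLAB_FREE) break;
        out->freed_span += GRANULE;
    }
    return 0;
}

int main(void)
{
    struct kasan_analysis a;
    if (analyze_dump(ARM64_SLAB_DUMP, ARM64_SLAB_DUMP_N, 0xfff00000c6495240ULL, &a) == 0)
        printf("arm64 slab:     shadow=0x%02x (%s), freed span=%llu bytes\n",
               a.shadow, a.meaning, (unsigned long long)a.freed_span);
    if (analyze_dump(X86_KMALLOC_DUMP, X86_KMALLOC_DUMP_N, 0xffff8881025cc600ULL, &a) == 0)
        printf("x86_64 kmalloc: shadow=0x%02x (%s), freed span=%llu bytes\n",
               a.shadow, a.meaning, (unsigned long long)a.freed_span);
    return 0;
}
```

The same decoder applies to a report from a real driver: paste the five shadow rows, pass the address from the "Read of size N at addr" line, and the result tells you whether the access hit freed memory, a redzone (an out-of-bounds rather than use-after-free), or live memory, before you read a single stack frame.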