Date
April 20, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 25.957706] ================================================================== [ 25.957836] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 25.958060] Read of size 1 at addr fff00000c67e5240 by task kunit_try_catch/233 [ 25.958183] [ 25.958362] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 25.958685] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.958808] Hardware name: linux,dummy-virt (DT) [ 25.958907] Call trace: [ 25.959053] show_stack+0x20/0x38 (C) [ 25.959179] dump_stack_lvl+0x8c/0xd0 [ 25.959297] print_report+0x118/0x608 [ 25.959408] kasan_report+0xdc/0x128 [ 25.959516] __asan_report_load1_noabort+0x20/0x30 [ 25.959718] mempool_uaf_helper+0x314/0x340 [ 25.959994] mempool_slab_uaf+0xc0/0x118 [ 25.960204] kunit_try_run_case+0x170/0x3f0 [ 25.960489] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.960633] kthread+0x328/0x630 [ 25.960812] ret_from_fork+0x10/0x20 [ 25.960962] [ 25.961051] Allocated by task 233: [ 25.961178] kasan_save_stack+0x3c/0x68 [ 25.961285] kasan_save_track+0x20/0x40 [ 25.961479] kasan_save_alloc_info+0x40/0x58 [ 25.961667] __kasan_mempool_unpoison_object+0xbc/0x180 [ 25.961867] remove_element+0x16c/0x1f8 [ 25.962146] mempool_alloc_preallocated+0x58/0xc0 [ 25.962268] mempool_uaf_helper+0xa4/0x340 [ 25.962381] mempool_slab_uaf+0xc0/0x118 [ 25.962647] kunit_try_run_case+0x170/0x3f0 [ 25.962799] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.963112] kthread+0x328/0x630 [ 25.963271] ret_from_fork+0x10/0x20 [ 25.963411] [ 25.963508] Freed by task 233: [ 25.963636] kasan_save_stack+0x3c/0x68 [ 25.963788] kasan_save_track+0x20/0x40 [ 25.963975] kasan_save_free_info+0x4c/0x78 [ 25.964094] __kasan_mempool_poison_object+0xc0/0x150 [ 25.964205] mempool_free+0x28c/0x328 [ 25.964369] mempool_uaf_helper+0x104/0x340 [ 25.964604] mempool_slab_uaf+0xc0/0x118 [ 25.964720] kunit_try_run_case+0x170/0x3f0 [ 25.964887] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.965061] kthread+0x328/0x630 [ 25.965165] ret_from_fork+0x10/0x20 [ 25.965264] [ 25.965311] The buggy address belongs to the object at fff00000c67e5240 [ 25.965311] which belongs to the cache test_cache of size 123 [ 25.965449] The buggy address is located 0 bytes inside of [ 25.965449] freed 123-byte region [fff00000c67e5240, fff00000c67e52bb) [ 25.965750] [ 25.967026] The buggy address belongs to the physical page: [ 25.967113] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1067e5 [ 25.967974] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.968105] page_type: f5(slab) [ 25.968203] raw: 0bfffe0000000000 fff00000c7617140 dead000000000122 0000000000000000 [ 25.968809] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 25.969016] page dumped because: kasan: bad access detected [ 25.969172] [ 25.969223] Memory state around the buggy address: [ 25.969587] fff00000c67e5100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.970005] fff00000c67e5180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.970562] >fff00000c67e5200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 25.971197] ^ [ 25.971895] fff00000c67e5280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.972031] fff00000c67e5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.972127] ================================================================== [ 25.883346] ================================================================== [ 25.883572] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 25.883812] Read of size 1 at addr fff00000c6600c00 by task kunit_try_catch/229 [ 25.884066] [ 25.884255] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 25.884562] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.885080] Hardware name: linux,dummy-virt (DT) [ 25.885169] Call trace: [ 25.885228] show_stack+0x20/0x38 (C) [ 25.885357] dump_stack_lvl+0x8c/0xd0 [ 25.885491] print_report+0x118/0x608 [ 25.885706] kasan_report+0xdc/0x128 [ 25.885898] __asan_report_load1_noabort+0x20/0x30 [ 25.886059] mempool_uaf_helper+0x314/0x340 [ 25.886300] mempool_kmalloc_uaf+0xc4/0x120 [ 25.886519] kunit_try_run_case+0x170/0x3f0 [ 25.886650] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.886987] kthread+0x328/0x630 [ 25.887106] ret_from_fork+0x10/0x20 [ 25.887274] [ 25.887390] Allocated by task 229: [ 25.887539] kasan_save_stack+0x3c/0x68 [ 25.887651] kasan_save_track+0x20/0x40 [ 25.887773] kasan_save_alloc_info+0x40/0x58 [ 25.887949] __kasan_mempool_unpoison_object+0x11c/0x180 [ 25.888105] remove_element+0x130/0x1f8 [ 25.888233] mempool_alloc_preallocated+0x58/0xc0 [ 25.888383] mempool_uaf_helper+0xa4/0x340 [ 25.888497] mempool_kmalloc_uaf+0xc4/0x120 [ 25.888661] kunit_try_run_case+0x170/0x3f0 [ 25.888806] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.888977] kthread+0x328/0x630 [ 25.889151] ret_from_fork+0x10/0x20 [ 25.889298] [ 25.889346] Freed by task 229: [ 25.889429] kasan_save_stack+0x3c/0x68 [ 25.889617] kasan_save_track+0x20/0x40 [ 25.889812] kasan_save_free_info+0x4c/0x78 [ 25.889968] __kasan_mempool_poison_object+0xc0/0x150 [ 25.890088] mempool_free+0x28c/0x328 [ 25.890247] mempool_uaf_helper+0x104/0x340 [ 25.890420] mempool_kmalloc_uaf+0xc4/0x120 [ 25.890734] kunit_try_run_case+0x170/0x3f0 [ 25.891111] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.891399] kthread+0x328/0x630 [ 25.891542] ret_from_fork+0x10/0x20 [ 25.891641] [ 25.891718] The buggy address belongs to the object at fff00000c6600c00 [ 25.891718] which belongs to the cache kmalloc-128 of size 128 [ 25.891924] The buggy address is located 0 bytes inside of [ 25.891924] freed 128-byte region [fff00000c6600c00, fff00000c6600c80) [ 25.892593] [ 25.892690] The buggy address belongs to the physical page: [ 25.892769] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106600 [ 25.892895] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.893032] page_type: f5(slab) [ 25.893121] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 25.893240] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.893370] page dumped because: kasan: bad access detected [ 25.893543] [ 25.893588] Memory state around the buggy address: [ 25.893666] fff00000c6600b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.893765] fff00000c6600b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.893867] >fff00000c6600c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.893977] ^ [ 25.894047] fff00000c6600c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.894147] fff00000c6600d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.894240] ==================================================================
[ 12.990910] ================================================================== [ 12.991366] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 12.992506] Read of size 1 at addr ffff888102b49500 by task kunit_try_catch/247 [ 12.993351] [ 12.993689] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary) [ 12.993741] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.993754] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.993780] Call Trace: [ 12.993794] <TASK> [ 12.993845] dump_stack_lvl+0x73/0xb0 [ 12.993876] print_report+0xd1/0x650 [ 12.993900] ? __virt_addr_valid+0x1db/0x2d0 [ 12.993923] ? mempool_uaf_helper+0x392/0x400 [ 12.993945] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.993969] ? mempool_uaf_helper+0x392/0x400 [ 12.993992] kasan_report+0x141/0x180 [ 12.994015] ? mempool_uaf_helper+0x392/0x400 [ 12.994044] __asan_report_load1_noabort+0x18/0x20 [ 12.994065] mempool_uaf_helper+0x392/0x400 [ 12.994089] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 12.994112] ? dequeue_entities+0xa24/0x1790 [ 12.994263] ? finish_task_switch.isra.0+0x153/0x700 [ 12.994295] mempool_kmalloc_uaf+0xef/0x140 [ 12.994319] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 12.994351] ? dequeue_task_fair+0x166/0x4e0 [ 12.994374] ? __pfx_mempool_kmalloc+0x10/0x10 [ 12.994398] ? __pfx_mempool_kfree+0x10/0x10 [ 12.994421] ? __pfx_read_tsc+0x10/0x10 [ 12.994442] ? ktime_get_ts64+0x86/0x230 [ 12.994468] kunit_try_run_case+0x1a5/0x480 [ 12.994494] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.994516] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.994540] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.994565] ? __kthread_parkme+0x82/0x180 [ 12.994586] ? preempt_count_sub+0x50/0x80 [ 12.994612] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.994635] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.994658] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.994682] kthread+0x337/0x6f0 [ 12.994703] ? trace_preempt_on+0x20/0xc0 [ 12.994727] ? __pfx_kthread+0x10/0x10 [ 12.994749] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.994771] ? calculate_sigpending+0x7b/0xa0 [ 12.994794] ? __pfx_kthread+0x10/0x10 [ 12.994817] ret_from_fork+0x41/0x80 [ 12.994838] ? __pfx_kthread+0x10/0x10 [ 12.994860] ret_from_fork_asm+0x1a/0x30 [ 12.994893] </TASK> [ 12.994904] [ 13.010149] Allocated by task 247: [ 13.010598] kasan_save_stack+0x45/0x70 [ 13.011009] kasan_save_track+0x18/0x40 [ 13.011622] kasan_save_alloc_info+0x3b/0x50 [ 13.012092] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 13.012487] remove_element+0x11e/0x190 [ 13.012818] mempool_alloc_preallocated+0x4d/0x90 [ 13.012978] mempool_uaf_helper+0x96/0x400 [ 13.013120] mempool_kmalloc_uaf+0xef/0x140 [ 13.013537] kunit_try_run_case+0x1a5/0x480 [ 13.013987] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.014546] kthread+0x337/0x6f0 [ 13.014957] ret_from_fork+0x41/0x80 [ 13.015175] ret_from_fork_asm+0x1a/0x30 [ 13.015632] [ 13.015795] Freed by task 247: [ 13.016046] kasan_save_stack+0x45/0x70 [ 13.016623] kasan_save_track+0x18/0x40 [ 13.016852] kasan_save_free_info+0x3f/0x60 [ 13.016997] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.017220] mempool_free+0x2ec/0x380 [ 13.017626] mempool_uaf_helper+0x11a/0x400 [ 13.018036] mempool_kmalloc_uaf+0xef/0x140 [ 13.018540] kunit_try_run_case+0x1a5/0x480 [ 13.018937] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.019468] kthread+0x337/0x6f0 [ 13.019597] ret_from_fork+0x41/0x80 [ 13.019727] ret_from_fork_asm+0x1a/0x30 [ 13.019870] [ 13.019941] The buggy address belongs to the object at ffff888102b49500 [ 13.019941] which belongs to the cache kmalloc-128 of size 128 [ 13.020339] The buggy address is located 0 bytes inside of [ 13.020339] freed 128-byte region [ffff888102b49500, ffff888102b49580) [ 13.021092] [ 13.021220] The buggy address belongs to the physical page: [ 13.021632] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b49 [ 13.021882] flags: 0x200000000000000(node=0|zone=2) [ 13.022435] page_type: f5(slab) [ 13.022613] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.022912] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.023345] page dumped because: kasan: bad access detected [ 13.023728] [ 13.023847] Memory state around the buggy address: [ 13.024026] ffff888102b49400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.024409] ffff888102b49480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.024764] >ffff888102b49500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.025071] ^ [ 13.025231] ffff888102b49580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.025539] ffff888102b49600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 13.025898] ================================================================== [ 13.062254] ================================================================== [ 13.062854] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 13.063095] Read of size 1 at addr ffff888102756240 by task kunit_try_catch/251 [ 13.063799] [ 13.063979] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary) [ 13.064026] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.064037] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.064059] Call Trace: [ 13.064071] <TASK> [ 13.064087] dump_stack_lvl+0x73/0xb0 [ 13.064116] print_report+0xd1/0x650 [ 13.064139] ? __virt_addr_valid+0x1db/0x2d0 [ 13.064162] ? mempool_uaf_helper+0x392/0x400 [ 13.064184] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.064207] ? mempool_uaf_helper+0x392/0x400 [ 13.064230] kasan_report+0x141/0x180 [ 13.064252] ? mempool_uaf_helper+0x392/0x400 [ 13.064280] __asan_report_load1_noabort+0x18/0x20 [ 13.064300] mempool_uaf_helper+0x392/0x400 [ 13.064339] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 13.064365] ? irqentry_exit+0x2a/0x60 [ 13.064385] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 13.064413] mempool_slab_uaf+0xea/0x140 [ 13.064433] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.064467] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 13.064489] ? __pfx_mempool_free_slab+0x10/0x10 [ 13.064510] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.064532] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 13.064553] kunit_try_run_case+0x1a5/0x480 [ 13.064580] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.064603] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.064626] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.064650] ? __kthread_parkme+0x82/0x180 [ 13.064672] ? preempt_count_sub+0x50/0x80 [ 13.064697] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.064720] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.064743] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.064766] kthread+0x337/0x6f0 [ 13.064786] ? trace_preempt_on+0x20/0xc0 [ 13.064810] ? __pfx_kthread+0x10/0x10 [ 13.064831] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.064853] ? calculate_sigpending+0x7b/0xa0 [ 13.064875] ? __pfx_kthread+0x10/0x10 [ 13.064897] ret_from_fork+0x41/0x80 [ 13.064919] ? __pfx_kthread+0x10/0x10 [ 13.064940] ret_from_fork_asm+0x1a/0x30 [ 13.064972] </TASK> [ 13.064983] [ 13.078106] Allocated by task 251: [ 13.078449] kasan_save_stack+0x45/0x70 [ 13.078897] kasan_save_track+0x18/0x40 [ 13.079281] kasan_save_alloc_info+0x3b/0x50 [ 13.079759] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 13.079951] remove_element+0x11e/0x190 [ 13.080087] mempool_alloc_preallocated+0x4d/0x90 [ 13.080407] mempool_uaf_helper+0x96/0x400 [ 13.080826] mempool_slab_uaf+0xea/0x140 [ 13.081220] kunit_try_run_case+0x1a5/0x480 [ 13.081665] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.082142] kthread+0x337/0x6f0 [ 13.082490] ret_from_fork+0x41/0x80 [ 13.082661] ret_from_fork_asm+0x1a/0x30 [ 13.082801] [ 13.082871] Freed by task 251: [ 13.082980] kasan_save_stack+0x45/0x70 [ 13.083114] kasan_save_track+0x18/0x40 [ 13.083545] kasan_save_free_info+0x3f/0x60 [ 13.083913] __kasan_mempool_poison_object+0x131/0x1d0 [ 13.084507] mempool_free+0x2ec/0x380 [ 13.084839] mempool_uaf_helper+0x11a/0x400 [ 13.085222] mempool_slab_uaf+0xea/0x140 [ 13.085632] kunit_try_run_case+0x1a5/0x480 [ 13.086019] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.086546] kthread+0x337/0x6f0 [ 13.086674] ret_from_fork+0x41/0x80 [ 13.086803] ret_from_fork_asm+0x1a/0x30 [ 13.086941] [ 13.087011] The buggy address belongs to the object at ffff888102756240 [ 13.087011] which belongs to the cache test_cache of size 123 [ 13.087393] The buggy address is located 0 bytes inside of [ 13.087393] freed 123-byte region [ffff888102756240, ffff8881027562bb) [ 13.087942] [ 13.088040] The buggy address belongs to the physical page: [ 13.088282] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102756 [ 13.088734] flags: 0x200000000000000(node=0|zone=2) [ 13.088949] page_type: f5(slab) [ 13.089071] raw: 0200000000000000 ffff888101a70780 dead000000000122 0000000000000000 [ 13.089848] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 13.090130] page dumped because: kasan: bad access detected [ 13.090413] [ 13.090495] Memory state around the buggy address: [ 13.090648] ffff888102756100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.090963] ffff888102756180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.091629] >ffff888102756200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.091923] ^ [ 13.092154] ffff888102756280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.092428] ffff888102756300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.092727] ==================================================================
[ 23.148568] ================================================================== [ 23.149688] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 23.150377] Read of size 1 at addr ffff0000101ea240 by task kunit_try_catch/285 [ 23.151056] [ 23.151222] CPU: 0 UID: 0 PID: 285 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 23.151272] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.151287] Hardware name: Radxa ROCK Pi 4B (DT) [ 23.151304] Call trace: [ 23.151317] show_stack+0x20/0x38 (C) [ 23.151349] dump_stack_lvl+0x8c/0xd0 [ 23.151381] print_report+0x118/0x608 [ 23.151411] kasan_report+0xdc/0x128 [ 23.151439] __asan_report_load1_noabort+0x20/0x30 [ 23.151473] mempool_uaf_helper+0x314/0x340 [ 23.151507] mempool_slab_uaf+0xc0/0x118 [ 23.151536] kunit_try_run_case+0x170/0x3f0 [ 23.151571] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.151610] kthread+0x328/0x630 [ 23.151645] ret_from_fork+0x10/0x20 [ 23.151678] [ 23.157609] Allocated by task 285: [ 23.157935] kasan_save_stack+0x3c/0x68 [ 23.158312] kasan_save_track+0x20/0x40 [ 23.158694] kasan_save_alloc_info+0x40/0x58 [ 23.159119] __kasan_mempool_unpoison_object+0xbc/0x180 [ 23.159628] remove_element+0x16c/0x1f8 [ 23.160017] mempool_alloc_preallocated+0x58/0xc0 [ 23.160483] mempool_uaf_helper+0xa4/0x340 [ 23.160894] mempool_slab_uaf+0xc0/0x118 [ 23.161283] kunit_try_run_case+0x170/0x3f0 [ 23.161701] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.162237] kthread+0x328/0x630 [ 23.162572] ret_from_fork+0x10/0x20 [ 23.162933] [ 23.163093] Freed by task 285: [ 23.163394] kasan_save_stack+0x3c/0x68 [ 23.163774] kasan_save_track+0x20/0x40 [ 23.164155] kasan_save_free_info+0x4c/0x78 [ 23.164570] __kasan_mempool_poison_object+0xc0/0x150 [ 23.165061] mempool_free+0x28c/0x328 [ 23.165432] mempool_uaf_helper+0x104/0x340 [ 23.165850] mempool_slab_uaf+0xc0/0x118 [ 23.166237] kunit_try_run_case+0x170/0x3f0 [ 23.166654] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.167191] kthread+0x328/0x630 [ 23.167523] ret_from_fork+0x10/0x20 [ 23.167881] [ 23.168040] The buggy address belongs to the object at ffff0000101ea240 [ 23.168040] which belongs to the cache test_cache of size 123 [ 23.169176] The buggy address is located 0 bytes inside of [ 23.169176] freed 123-byte region [ffff0000101ea240, ffff0000101ea2bb) [ 23.170288] [ 23.170448] The buggy address belongs to the physical page: [ 23.170972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ea [ 23.171715] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 23.172337] page_type: f5(slab) [ 23.172660] raw: 03fffe0000000000 ffff000000d1bb80 dead000000000122 0000000000000000 [ 23.173389] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 23.174105] page dumped because: kasan: bad access detected [ 23.174629] [ 23.174787] Memory state around the buggy address: [ 23.175243] ffff0000101ea100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.175920] ffff0000101ea180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.176594] >ffff0000101ea200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 23.177265] ^ [ 23.177768] ffff0000101ea280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.178443] ffff0000101ea300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.179113] ================================================================== [ 23.088699] ================================================================== [ 23.089794] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 23.090481] Read of size 1 at addr ffff00000ea7eb00 by task kunit_try_catch/281 [ 23.091160] [ 23.091324] CPU: 3 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 23.091373] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.091388] Hardware name: Radxa ROCK Pi 4B (DT) [ 23.091405] Call trace: [ 23.091417] show_stack+0x20/0x38 (C) [ 23.091450] dump_stack_lvl+0x8c/0xd0 [ 23.091482] print_report+0x118/0x608 [ 23.091512] kasan_report+0xdc/0x128 [ 23.091539] __asan_report_load1_noabort+0x20/0x30 [ 23.091573] mempool_uaf_helper+0x314/0x340 [ 23.091607] mempool_kmalloc_uaf+0xc4/0x120 [ 23.091641] kunit_try_run_case+0x170/0x3f0 [ 23.091677] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.091716] kthread+0x328/0x630 [ 23.091750] ret_from_fork+0x10/0x20 [ 23.091783] [ 23.097734] Allocated by task 281: [ 23.098060] kasan_save_stack+0x3c/0x68 [ 23.098435] kasan_save_track+0x20/0x40 [ 23.098805] kasan_save_alloc_info+0x40/0x58 [ 23.099219] __kasan_mempool_unpoison_object+0x11c/0x180 [ 23.099722] remove_element+0x130/0x1f8 [ 23.100102] mempool_alloc_preallocated+0x58/0xc0 [ 23.100555] mempool_uaf_helper+0xa4/0x340 [ 23.100955] mempool_kmalloc_uaf+0xc4/0x120 [ 23.101363] kunit_try_run_case+0x170/0x3f0 [ 23.101771] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.102295] kthread+0x328/0x630 [ 23.102619] ret_from_fork+0x10/0x20 [ 23.102969] [ 23.103121] Freed by task 281: [ 23.103417] kasan_save_stack+0x3c/0x68 [ 23.103789] kasan_save_track+0x20/0x40 [ 23.104161] kasan_save_free_info+0x4c/0x78 [ 23.104565] __kasan_mempool_poison_object+0xc0/0x150 [ 23.105048] mempool_free+0x28c/0x328 [ 23.105408] mempool_uaf_helper+0x104/0x340 [ 23.105816] mempool_kmalloc_uaf+0xc4/0x120 [ 23.106224] kunit_try_run_case+0x170/0x3f0 [ 23.106630] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.107154] kthread+0x328/0x630 [ 23.107477] ret_from_fork+0x10/0x20 [ 23.107827] [ 23.107980] The buggy address belongs to the object at ffff00000ea7eb00 [ 23.107980] which belongs to the cache kmalloc-128 of size 128 [ 23.109115] The buggy address is located 0 bytes inside of [ 23.109115] freed 128-byte region [ffff00000ea7eb00, ffff00000ea7eb80) [ 23.110214] [ 23.110368] The buggy address belongs to the physical page: [ 23.110885] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xea7e [ 23.111611] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 23.112223] page_type: f5(slab) [ 23.112538] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000 [ 23.113254] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.113962] page dumped because: kasan: bad access detected [ 23.114477] [ 23.114629] Memory state around the buggy address: [ 23.115078] ffff00000ea7ea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.115745] ffff00000ea7ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.116411] >ffff00000ea7eb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.117073] ^ [ 23.117383] ffff00000ea7eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.118050] ffff00000ea7ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.118711] ==================================================================