Hay
Date
June 8, 2025, 11:09 p.m.

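Environment
e850-96
qemu-arm64
qemu-x86_64
rk3399-rock-pi-4b

Note: the KASAN reports shown here are all raised from a KUnit test thread (task kunit_try_catch, call path kunit_try_run_case -> mempool_kmalloc_uaf or mempool_slab_uaf -> mempool_uaf_helper) on a kernel tainted [N]=TEST. Each one shows the same task allocating, freeing and then reading the object. This looks like KASAN's own mempool self-tests exercising the detector rather than a use-after-free in production mempool code; check the corresponding KUnit pass/fail result before triaging these as a kernel bug.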

[   37.053742] ==================================================================
[   37.063145] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   37.070261] Read of size 1 at addr ffff000806060240 by task kunit_try_catch/278
[   37.077550] 
[   37.079037] CPU: 1 UID: 0 PID: 278 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   37.079094] Tainted: [B]=BAD_PAGE, [N]=TEST
[   37.079111] Hardware name: WinLink E850-96 board (DT)
[   37.079132] Call trace:
[   37.079149]  show_stack+0x20/0x38 (C)
[   37.079185]  dump_stack_lvl+0x8c/0xd0
[   37.079224]  print_report+0x118/0x608
[   37.079259]  kasan_report+0xdc/0x128
[   37.079294]  __asan_report_load1_noabort+0x20/0x30
[   37.079335]  mempool_uaf_helper+0x314/0x340
[   37.079366]  mempool_slab_uaf+0xc0/0x118
[   37.079399]  kunit_try_run_case+0x170/0x3f0
[   37.079436]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   37.079472]  kthread+0x328/0x630
[   37.079500]  ret_from_fork+0x10/0x20
[   37.079536] 
[   37.145779] Allocated by task 278:
[   37.149165]  kasan_save_stack+0x3c/0x68
[   37.152983]  kasan_save_track+0x20/0x40
[   37.156803]  kasan_save_alloc_info+0x40/0x58
[   37.161055]  __kasan_mempool_unpoison_object+0xbc/0x180
[   37.166263]  remove_element+0x16c/0x1f8
[   37.170083]  mempool_alloc_preallocated+0x58/0xc0
[   37.174771]  mempool_uaf_helper+0xa4/0x340
[   37.178850]  mempool_slab_uaf+0xc0/0x118
[   37.182756]  kunit_try_run_case+0x170/0x3f0
[   37.186923]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   37.192393]  kthread+0x328/0x630
[   37.195604]  ret_from_fork+0x10/0x20
[   37.199164] 
[   37.200639] Freed by task 278:
[   37.203676]  kasan_save_stack+0x3c/0x68
[   37.207495]  kasan_save_track+0x20/0x40
[   37.211316]  kasan_save_free_info+0x4c/0x78
[   37.215481]  __kasan_mempool_poison_object+0xc0/0x150
[   37.220516]  mempool_free+0x28c/0x328
[   37.224162]  mempool_uaf_helper+0x104/0x340
[   37.228328]  mempool_slab_uaf+0xc0/0x118
[   37.232235]  kunit_try_run_case+0x170/0x3f0
[   37.236401]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   37.241870]  kthread+0x328/0x630
[   37.245083]  ret_from_fork+0x10/0x20
[   37.248641] 
[   37.250118] The buggy address belongs to the object at ffff000806060240
[   37.250118]  which belongs to the cache test_cache of size 123
[   37.262531] The buggy address is located 0 bytes inside of
[   37.262531]  freed 123-byte region [ffff000806060240, ffff0008060602bb)
[   37.274595] 
[   37.276075] The buggy address belongs to the physical page:
[   37.281630] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886060
[   37.289615] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   37.296124] page_type: f5(slab)
[   37.299262] raw: 0bfffe0000000000 ffff000800dba280 dead000000000122 0000000000000000
[   37.306980] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   37.314700] page dumped because: kasan: bad access detected
[   37.320254] 
[   37.321730] Memory state around the buggy address:
[   37.326513]  ffff000806060100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   37.333713]  ffff000806060180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.340917] >ffff000806060200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   37.348118]                                            ^
[   37.353417]  ffff000806060280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   37.360622]  ffff000806060300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.367824] ==================================================================
[   36.466273] ==================================================================
[   36.470704] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   36.477821] Read of size 1 at addr ffff000801da3800 by task kunit_try_catch/274
[   36.485112] 
[   36.486599] CPU: 2 UID: 0 PID: 274 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   36.486657] Tainted: [B]=BAD_PAGE, [N]=TEST
[   36.486672] Hardware name: WinLink E850-96 board (DT)
[   36.486700] Call trace:
[   36.486716]  show_stack+0x20/0x38 (C)
[   36.486757]  dump_stack_lvl+0x8c/0xd0
[   36.486794]  print_report+0x118/0x608
[   36.486829]  kasan_report+0xdc/0x128
[   36.486864]  __asan_report_load1_noabort+0x20/0x30
[   36.486906]  mempool_uaf_helper+0x314/0x340
[   36.486940]  mempool_kmalloc_uaf+0xc4/0x120
[   36.486972]  kunit_try_run_case+0x170/0x3f0
[   36.487010]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.487049]  kthread+0x328/0x630
[   36.487078]  ret_from_fork+0x10/0x20
[   36.487116] 
[   36.553601] Allocated by task 274:
[   36.556988]  kasan_save_stack+0x3c/0x68
[   36.560804]  kasan_save_track+0x20/0x40
[   36.564623]  kasan_save_alloc_info+0x40/0x58
[   36.568876]  __kasan_mempool_unpoison_object+0x11c/0x180
[   36.574171]  remove_element+0x130/0x1f8
[   36.577991]  mempool_alloc_preallocated+0x58/0xc0
[   36.582679]  mempool_uaf_helper+0xa4/0x340
[   36.586758]  mempool_kmalloc_uaf+0xc4/0x120
[   36.590926]  kunit_try_run_case+0x170/0x3f0
[   36.595092]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.600560]  kthread+0x328/0x630
[   36.603772]  ret_from_fork+0x10/0x20
[   36.607331] 
[   36.608808] Freed by task 274:
[   36.611846]  kasan_save_stack+0x3c/0x68
[   36.615666]  kasan_save_track+0x20/0x40
[   36.619484]  kasan_save_free_info+0x4c/0x78
[   36.623650]  __kasan_mempool_poison_object+0xc0/0x150
[   36.628685]  mempool_free+0x28c/0x328
[   36.632330]  mempool_uaf_helper+0x104/0x340
[   36.636497]  mempool_kmalloc_uaf+0xc4/0x120
[   36.640664]  kunit_try_run_case+0x170/0x3f0
[   36.644832]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.650299]  kthread+0x328/0x630
[   36.653511]  ret_from_fork+0x10/0x20
[   36.657070] 
[   36.658547] The buggy address belongs to the object at ffff000801da3800
[   36.658547]  which belongs to the cache kmalloc-128 of size 128
[   36.671048] The buggy address is located 0 bytes inside of
[   36.671048]  freed 128-byte region [ffff000801da3800, ffff000801da3880)
[   36.683111] 
[   36.684591] The buggy address belongs to the physical page:
[   36.690147] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881da2
[   36.698130] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   36.705770] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   36.712713] page_type: f5(slab)
[   36.715851] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[   36.723569] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   36.731297] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[   36.739107] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   36.746919] head: 0bfffe0000000001 fffffdffe0076881 00000000ffffffff 00000000ffffffff
[   36.754732] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   36.762537] page dumped because: kasan: bad access detected
[   36.768092] 
[   36.769568] Memory state around the buggy address:
[   36.774349]  ffff000801da3700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.781551]  ffff000801da3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.788757] >ffff000801da3800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.795956]                    ^
[   36.799172]  ffff000801da3880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.806377]  ffff000801da3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.813579] ==================================================================

[   28.431305] ==================================================================
[   28.431629] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.432276] Read of size 1 at addr fff00000c6431100 by task kunit_try_catch/227
[   28.432419] 
[   28.432532] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.432759] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.432910] Hardware name: linux,dummy-virt (DT)
[   28.433038] Call trace:
[   28.433108]  show_stack+0x20/0x38 (C)
[   28.433254]  dump_stack_lvl+0x8c/0xd0
[   28.433577]  print_report+0x118/0x608
[   28.433711]  kasan_report+0xdc/0x128
[   28.433902]  __asan_report_load1_noabort+0x20/0x30
[   28.434298]  mempool_uaf_helper+0x314/0x340
[   28.434453]  mempool_kmalloc_uaf+0xc4/0x120
[   28.434807]  kunit_try_run_case+0x170/0x3f0
[   28.435237]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.435386]  kthread+0x328/0x630
[   28.435552]  ret_from_fork+0x10/0x20
[   28.435828] 
[   28.435881] Allocated by task 227:
[   28.435985]  kasan_save_stack+0x3c/0x68
[   28.436247]  kasan_save_track+0x20/0x40
[   28.436348]  kasan_save_alloc_info+0x40/0x58
[   28.436497]  __kasan_mempool_unpoison_object+0x11c/0x180
[   28.436735]  remove_element+0x130/0x1f8
[   28.436860]  mempool_alloc_preallocated+0x58/0xc0
[   28.437023]  mempool_uaf_helper+0xa4/0x340
[   28.437144]  mempool_kmalloc_uaf+0xc4/0x120
[   28.437262]  kunit_try_run_case+0x170/0x3f0
[   28.437375]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.437496]  kthread+0x328/0x630
[   28.437647]  ret_from_fork+0x10/0x20
[   28.437763] 
[   28.437816] Freed by task 227:
[   28.437896]  kasan_save_stack+0x3c/0x68
[   28.438097]  kasan_save_track+0x20/0x40
[   28.438251]  kasan_save_free_info+0x4c/0x78
[   28.438478]  __kasan_mempool_poison_object+0xc0/0x150
[   28.438630]  mempool_free+0x28c/0x328
[   28.438887]  mempool_uaf_helper+0x104/0x340
[   28.439167]  mempool_kmalloc_uaf+0xc4/0x120
[   28.439364]  kunit_try_run_case+0x170/0x3f0
[   28.439472]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.439636]  kthread+0x328/0x630
[   28.439741]  ret_from_fork+0x10/0x20
[   28.439865] 
[   28.439922] The buggy address belongs to the object at fff00000c6431100
[   28.439922]  which belongs to the cache kmalloc-128 of size 128
[   28.440117] The buggy address is located 0 bytes inside of
[   28.440117]  freed 128-byte region [fff00000c6431100, fff00000c6431180)
[   28.440204] 
[   28.440231] The buggy address belongs to the physical page:
[   28.440271] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106431
[   28.440341] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.440406] page_type: f5(slab)
[   28.440455] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   28.440517] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.440567] page dumped because: kasan: bad access detected
[   28.440608] 
[   28.440630] Memory state around the buggy address:
[   28.440669]  fff00000c6431000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.440721]  fff00000c6431080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.440774] >fff00000c6431100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.440821]                    ^
[   28.440855]  fff00000c6431180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.440907]  fff00000c6431200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.440981] ==================================================================
[   28.503144] ==================================================================
[   28.503545] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.503756] Read of size 1 at addr fff00000c6434240 by task kunit_try_catch/231
[   28.504117] 
[   28.504394] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.504613] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.505133] Hardware name: linux,dummy-virt (DT)
[   28.505224] Call trace:
[   28.505283]  show_stack+0x20/0x38 (C)
[   28.505416]  dump_stack_lvl+0x8c/0xd0
[   28.505713]  print_report+0x118/0x608
[   28.505899]  kasan_report+0xdc/0x128
[   28.506410]  __asan_report_load1_noabort+0x20/0x30
[   28.506662]  mempool_uaf_helper+0x314/0x340
[   28.507262]  mempool_slab_uaf+0xc0/0x118
[   28.507838]  kunit_try_run_case+0x170/0x3f0
[   28.507998]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.508402]  kthread+0x328/0x630
[   28.508723]  ret_from_fork+0x10/0x20
[   28.508918] 
[   28.509021] Allocated by task 231:
[   28.509111]  kasan_save_stack+0x3c/0x68
[   28.509227]  kasan_save_track+0x20/0x40
[   28.509329]  kasan_save_alloc_info+0x40/0x58
[   28.509862]  __kasan_mempool_unpoison_object+0xbc/0x180
[   28.510048]  remove_element+0x16c/0x1f8
[   28.510189]  mempool_alloc_preallocated+0x58/0xc0
[   28.510296]  mempool_uaf_helper+0xa4/0x340
[   28.510395]  mempool_slab_uaf+0xc0/0x118
[   28.510540]  kunit_try_run_case+0x170/0x3f0
[   28.510828]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.511466]  kthread+0x328/0x630
[   28.511655]  ret_from_fork+0x10/0x20
[   28.511755] 
[   28.511806] Freed by task 231:
[   28.511918]  kasan_save_stack+0x3c/0x68
[   28.512167]  kasan_save_track+0x20/0x40
[   28.512429]  kasan_save_free_info+0x4c/0x78
[   28.512535]  __kasan_mempool_poison_object+0xc0/0x150
[   28.512642]  mempool_free+0x28c/0x328
[   28.512738]  mempool_uaf_helper+0x104/0x340
[   28.512951]  mempool_slab_uaf+0xc0/0x118
[   28.513051]  kunit_try_run_case+0x170/0x3f0
[   28.513167]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.513297]  kthread+0x328/0x630
[   28.513900]  ret_from_fork+0x10/0x20
[   28.514040] 
[   28.514164] The buggy address belongs to the object at fff00000c6434240
[   28.514164]  which belongs to the cache test_cache of size 123
[   28.514315] The buggy address is located 0 bytes inside of
[   28.514315]  freed 123-byte region [fff00000c6434240, fff00000c64342bb)
[   28.514464] 
[   28.514516] The buggy address belongs to the physical page:
[   28.514617] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106434
[   28.514764] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.515228] page_type: f5(slab)
[   28.515408] raw: 0bfffe0000000000 fff00000c6432000 dead000000000122 0000000000000000
[   28.515540] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   28.515687] page dumped because: kasan: bad access detected
[   28.515766] 
[   28.515832] Memory state around the buggy address:
[   28.516022]  fff00000c6434100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.516164]  fff00000c6434180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.516305] >fff00000c6434200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   28.516414]                                            ^
[   28.516605]  fff00000c6434280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.516714]  fff00000c6434300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.516810] ==================================================================

[   28.482708] ==================================================================
[   28.487360] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.487513] Read of size 1 at addr fff00000c60a5d00 by task kunit_try_catch/227
[   28.487633] 
[   28.487716] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.487971] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.488044] Hardware name: linux,dummy-virt (DT)
[   28.488132] Call trace:
[   28.488194]  show_stack+0x20/0x38 (C)
[   28.488323]  dump_stack_lvl+0x8c/0xd0
[   28.488462]  print_report+0x118/0x608
[   28.488576]  kasan_report+0xdc/0x128
[   28.488682]  __asan_report_load1_noabort+0x20/0x30
[   28.488807]  mempool_uaf_helper+0x314/0x340
[   28.492007]  mempool_kmalloc_uaf+0xc4/0x120
[   28.492144]  kunit_try_run_case+0x170/0x3f0
[   28.492300]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.492533]  kthread+0x328/0x630
[   28.493486]  ret_from_fork+0x10/0x20
[   28.493955] 
[   28.494646] Allocated by task 227:
[   28.495219]  kasan_save_stack+0x3c/0x68
[   28.495998]  kasan_save_track+0x20/0x40
[   28.496421]  kasan_save_alloc_info+0x40/0x58
[   28.496532]  __kasan_mempool_unpoison_object+0x11c/0x180
[   28.496643]  remove_element+0x130/0x1f8
[   28.496743]  mempool_alloc_preallocated+0x58/0xc0
[   28.496859]  mempool_uaf_helper+0xa4/0x340
[   28.499109]  mempool_kmalloc_uaf+0xc4/0x120
[   28.500099]  kunit_try_run_case+0x170/0x3f0
[   28.500582]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.500700]  kthread+0x328/0x630
[   28.500792]  ret_from_fork+0x10/0x20
[   28.500907] 
[   28.500953] Freed by task 227:
[   28.501018]  kasan_save_stack+0x3c/0x68
[   28.503659]  kasan_save_track+0x20/0x40
[   28.503824]  kasan_save_free_info+0x4c/0x78
[   28.504648]  __kasan_mempool_poison_object+0xc0/0x150
[   28.505480]  mempool_free+0x28c/0x328
[   28.505614]  mempool_uaf_helper+0x104/0x340
[   28.505720]  mempool_kmalloc_uaf+0xc4/0x120
[   28.505827]  kunit_try_run_case+0x170/0x3f0
[   28.507598]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.508333]  kthread+0x328/0x630
[   28.508577]  ret_from_fork+0x10/0x20
[   28.508704] 
[   28.508752] The buggy address belongs to the object at fff00000c60a5d00
[   28.508752]  which belongs to the cache kmalloc-128 of size 128
[   28.508911] The buggy address is located 0 bytes inside of
[   28.508911]  freed 128-byte region [fff00000c60a5d00, fff00000c60a5d80)
[   28.509061] 
[   28.509116] The buggy address belongs to the physical page:
[   28.509242] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060a5
[   28.509626] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.509848] page_type: f5(slab)
[   28.509970] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   28.510110] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.510799] page dumped because: kasan: bad access detected
[   28.510926] 
[   28.510995] Memory state around the buggy address:
[   28.511186]  fff00000c60a5c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.511640]  fff00000c60a5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.511907] >fff00000c60a5d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.512105]                    ^
[   28.512180]  fff00000c60a5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.512357]  fff00000c60a5e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.512497] ==================================================================
[   28.576713] ==================================================================
[   28.577090] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.577478] Read of size 1 at addr fff00000c7772240 by task kunit_try_catch/231
[   28.577805] 
[   28.578143] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.578913] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.578985] Hardware name: linux,dummy-virt (DT)
[   28.579066] Call trace:
[   28.580221]  show_stack+0x20/0x38 (C)
[   28.580427]  dump_stack_lvl+0x8c/0xd0
[   28.581633]  print_report+0x118/0x608
[   28.582324]  kasan_report+0xdc/0x128
[   28.582687]  __asan_report_load1_noabort+0x20/0x30
[   28.583308]  mempool_uaf_helper+0x314/0x340
[   28.583827]  mempool_slab_uaf+0xc0/0x118
[   28.583978]  kunit_try_run_case+0x170/0x3f0
[   28.584105]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.584239]  kthread+0x328/0x630
[   28.584347]  ret_from_fork+0x10/0x20
[   28.586601] 
[   28.586901] Allocated by task 231:
[   28.587408]  kasan_save_stack+0x3c/0x68
[   28.587516]  kasan_save_track+0x20/0x40
[   28.588046]  kasan_save_alloc_info+0x40/0x58
[   28.588478]  __kasan_mempool_unpoison_object+0xbc/0x180
[   28.589178]  remove_element+0x16c/0x1f8
[   28.589291]  mempool_alloc_preallocated+0x58/0xc0
[   28.589402]  mempool_uaf_helper+0xa4/0x340
[   28.589554]  mempool_slab_uaf+0xc0/0x118
[   28.589724]  kunit_try_run_case+0x170/0x3f0
[   28.590201]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.590335]  kthread+0x328/0x630
[   28.590509]  ret_from_fork+0x10/0x20
[   28.590615] 
[   28.590745] Freed by task 231:
[   28.590882]  kasan_save_stack+0x3c/0x68
[   28.591054]  kasan_save_track+0x20/0x40
[   28.591156]  kasan_save_free_info+0x4c/0x78
[   28.591255]  __kasan_mempool_poison_object+0xc0/0x150
[   28.591360]  mempool_free+0x28c/0x328
[   28.591449]  mempool_uaf_helper+0x104/0x340
[   28.591593]  mempool_slab_uaf+0xc0/0x118
[   28.591719]  kunit_try_run_case+0x170/0x3f0
[   28.591983]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.592315]  kthread+0x328/0x630
[   28.592408]  ret_from_fork+0x10/0x20
[   28.592504] 
[   28.592607] The buggy address belongs to the object at fff00000c7772240
[   28.592607]  which belongs to the cache test_cache of size 123
[   28.592914] The buggy address is located 0 bytes inside of
[   28.592914]  freed 123-byte region [fff00000c7772240, fff00000c77722bb)
[   28.593144] 
[   28.593211] The buggy address belongs to the physical page:
[   28.593340] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107772
[   28.593516] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.593657] page_type: f5(slab)
[   28.593799] raw: 0bfffe0000000000 fff00000c7770000 dead000000000122 0000000000000000
[   28.593953] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   28.594080] page dumped because: kasan: bad access detected
[   28.594207] 
[   28.594281] Memory state around the buggy address:
[   28.594400]  fff00000c7772100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.594509]  fff00000c7772180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.594652] >fff00000c7772200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   28.594803]                                            ^
[   28.595065]  fff00000c7772280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.595199]  fff00000c7772300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.595298] ==================================================================

[   21.402787] ==================================================================
[   21.404046] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   21.405988] Read of size 1 at addr ffff888101b43240 by task kunit_try_catch/249
[   21.407944] 
[   21.408460] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   21.408730] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.408771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.408837] Call Trace:
[   21.408891]  <TASK>
[   21.408949]  dump_stack_lvl+0x73/0xb0
[   21.409009]  print_report+0xd1/0x650
[   21.409047]  ? __virt_addr_valid+0x1db/0x2d0
[   21.409082]  ? mempool_uaf_helper+0x392/0x400
[   21.409115]  ? kasan_complete_mode_report_info+0x64/0x200
[   21.409146]  ? mempool_uaf_helper+0x392/0x400
[   21.409178]  kasan_report+0x141/0x180
[   21.409209]  ? mempool_uaf_helper+0x392/0x400
[   21.409301]  __asan_report_load1_noabort+0x18/0x20
[   21.409342]  mempool_uaf_helper+0x392/0x400
[   21.409376]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   21.409409]  ? update_load_avg+0x1be/0x21b0
[   21.409450]  ? finish_task_switch.isra.0+0x153/0x700
[   21.409489]  mempool_slab_uaf+0xea/0x140
[   21.409611]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   21.409711]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   21.409779]  ? __pfx_mempool_free_slab+0x10/0x10
[   21.409847]  ? __pfx_read_tsc+0x10/0x10
[   21.409917]  ? ktime_get_ts64+0x86/0x230
[   21.409976]  kunit_try_run_case+0x1a5/0x480
[   21.410017]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.410052]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   21.410089]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.410123]  ? __kthread_parkme+0x82/0x180
[   21.410152]  ? preempt_count_sub+0x50/0x80
[   21.410183]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.410218]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.410290]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.410331]  kthread+0x337/0x6f0
[   21.410359]  ? trace_preempt_on+0x20/0xc0
[   21.410395]  ? __pfx_kthread+0x10/0x10
[   21.410425]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.410455]  ? calculate_sigpending+0x7b/0xa0
[   21.410490]  ? __pfx_kthread+0x10/0x10
[   21.410557]  ret_from_fork+0x116/0x1d0
[   21.410633]  ? __pfx_kthread+0x10/0x10
[   21.410694]  ret_from_fork_asm+0x1a/0x30
[   21.410740]  </TASK>
[   21.410757] 
[   21.433018] Allocated by task 249:
[   21.434026]  kasan_save_stack+0x45/0x70
[   21.434713]  kasan_save_track+0x18/0x40
[   21.434988]  kasan_save_alloc_info+0x3b/0x50
[   21.435807]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   21.436466]  remove_element+0x11e/0x190
[   21.437326]  mempool_alloc_preallocated+0x4d/0x90
[   21.438199]  mempool_uaf_helper+0x96/0x400
[   21.439060]  mempool_slab_uaf+0xea/0x140
[   21.439747]  kunit_try_run_case+0x1a5/0x480
[   21.440100]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.440801]  kthread+0x337/0x6f0
[   21.441133]  ret_from_fork+0x116/0x1d0
[   21.441446]  ret_from_fork_asm+0x1a/0x30
[   21.442132] 
[   21.442480] Freed by task 249:
[   21.443002]  kasan_save_stack+0x45/0x70
[   21.443522]  kasan_save_track+0x18/0x40
[   21.444119]  kasan_save_free_info+0x3f/0x60
[   21.445066]  __kasan_mempool_poison_object+0x131/0x1d0
[   21.445736]  mempool_free+0x2ec/0x380
[   21.446081]  mempool_uaf_helper+0x11a/0x400
[   21.446897]  mempool_slab_uaf+0xea/0x140
[   21.447329]  kunit_try_run_case+0x1a5/0x480
[   21.447960]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.448922]  kthread+0x337/0x6f0
[   21.449209]  ret_from_fork+0x116/0x1d0
[   21.449671]  ret_from_fork_asm+0x1a/0x30
[   21.450091] 
[   21.450323] The buggy address belongs to the object at ffff888101b43240
[   21.450323]  which belongs to the cache test_cache of size 123
[   21.451182] The buggy address is located 0 bytes inside of
[   21.451182]  freed 123-byte region [ffff888101b43240, ffff888101b432bb)
[   21.451900] 
[   21.452147] The buggy address belongs to the physical page:
[   21.453196] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b43
[   21.454196] flags: 0x200000000000000(node=0|zone=2)
[   21.454609] page_type: f5(slab)
[   21.454981] raw: 0200000000000000 ffff8881010fd8c0 dead000000000122 0000000000000000
[   21.455989] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   21.457444] page dumped because: kasan: bad access detected
[   21.457999] 
[   21.458437] Memory state around the buggy address:
[   21.459018]  ffff888101b43100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   21.459723]  ffff888101b43180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.460243] >ffff888101b43200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   21.461924]                                            ^
[   21.462296]  ffff888101b43280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   21.462821]  ffff888101b43300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.463423] ==================================================================
[   21.279204] ==================================================================
[   21.280068] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   21.281452] Read of size 1 at addr ffff888101b3e300 by task kunit_try_catch/245
[   21.282609] 
[   21.283087] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   21.283206] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.283242] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.283301] Call Trace:
[   21.283342]  <TASK>
[   21.283384]  dump_stack_lvl+0x73/0xb0
[   21.283477]  print_report+0xd1/0x650
[   21.283786]  ? __virt_addr_valid+0x1db/0x2d0
[   21.283868]  ? mempool_uaf_helper+0x392/0x400
[   21.284008]  ? kasan_complete_mode_report_info+0x64/0x200
[   21.284076]  ? mempool_uaf_helper+0x392/0x400
[   21.284139]  kasan_report+0x141/0x180
[   21.284207]  ? mempool_uaf_helper+0x392/0x400
[   21.284287]  __asan_report_load1_noabort+0x18/0x20
[   21.284366]  mempool_uaf_helper+0x392/0x400
[   21.284436]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   21.284521]  ? trace_hardirqs_on+0x37/0xe0
[   21.284605]  ? irqentry_exit+0x2a/0x60
[   21.284682]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   21.284770]  mempool_kmalloc_uaf+0xef/0x140
[   21.284840]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   21.284912]  ? __pfx_mempool_kmalloc+0x10/0x10
[   21.284980]  ? __pfx_mempool_kfree+0x10/0x10
[   21.285052]  ? __pfx_read_tsc+0x10/0x10
[   21.285114]  ? ktime_get_ts64+0x86/0x230
[   21.285183]  kunit_try_run_case+0x1a5/0x480
[   21.285288]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.285361]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   21.285430]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.285517]  ? __kthread_parkme+0x82/0x180
[   21.285868]  ? preempt_count_sub+0x50/0x80
[   21.285910]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.285951]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.285986]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.286021]  kthread+0x337/0x6f0
[   21.286050]  ? trace_preempt_on+0x20/0xc0
[   21.286082]  ? __pfx_kthread+0x10/0x10
[   21.286112]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.286145]  ? calculate_sigpending+0x7b/0xa0
[   21.286180]  ? __pfx_kthread+0x10/0x10
[   21.286211]  ret_from_fork+0x116/0x1d0
[   21.286284]  ? __pfx_kthread+0x10/0x10
[   21.286323]  ret_from_fork_asm+0x1a/0x30
[   21.286369]  </TASK>
[   21.286387] 
[   21.308476] Allocated by task 245:
[   21.309141]  kasan_save_stack+0x45/0x70
[   21.309901]  kasan_save_track+0x18/0x40
[   21.310308]  kasan_save_alloc_info+0x3b/0x50
[   21.310933]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   21.311477]  remove_element+0x11e/0x190
[   21.311913]  mempool_alloc_preallocated+0x4d/0x90
[   21.312329]  mempool_uaf_helper+0x96/0x400
[   21.313384]  mempool_kmalloc_uaf+0xef/0x140
[   21.314107]  kunit_try_run_case+0x1a5/0x480
[   21.314759]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.315211]  kthread+0x337/0x6f0
[   21.315789]  ret_from_fork+0x116/0x1d0
[   21.316156]  ret_from_fork_asm+0x1a/0x30
[   21.317371] 
[   21.317831] Freed by task 245:
[   21.318185]  kasan_save_stack+0x45/0x70
[   21.318842]  kasan_save_track+0x18/0x40
[   21.319255]  kasan_save_free_info+0x3f/0x60
[   21.319873]  __kasan_mempool_poison_object+0x131/0x1d0
[   21.320385]  mempool_free+0x2ec/0x380
[   21.321409]  mempool_uaf_helper+0x11a/0x400
[   21.321911]  mempool_kmalloc_uaf+0xef/0x140
[   21.322749]  kunit_try_run_case+0x1a5/0x480
[   21.323186]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.323821]  kthread+0x337/0x6f0
[   21.324204]  ret_from_fork+0x116/0x1d0
[   21.324710]  ret_from_fork_asm+0x1a/0x30
[   21.325112] 
[   21.326141] The buggy address belongs to the object at ffff888101b3e300
[   21.326141]  which belongs to the cache kmalloc-128 of size 128
[   21.327212] The buggy address is located 0 bytes inside of
[   21.327212]  freed 128-byte region [ffff888101b3e300, ffff888101b3e380)
[   21.328339] 
[   21.329144] The buggy address belongs to the physical page:
[   21.329720] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b3e
[   21.330715] flags: 0x200000000000000(node=0|zone=2)
[   21.331096] page_type: f5(slab)
[   21.331987] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   21.332495] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   21.333183] page dumped because: kasan: bad access detected
[   21.334005] 
[   21.334244] Memory state around the buggy address:
[   21.334757]  ffff888101b3e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.335323]  ffff888101b3e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.335953] >ffff888101b3e300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.337060]                    ^
[   21.337575]  ffff888101b3e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.338481]  ffff888101b3e400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.339045] ==================================================================

[   20.101914] ==================================================================
[   20.103367] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   20.103966] Read of size 1 at addr ffff8881032f7c00 by task kunit_try_catch/245
[   20.104573] 
[   20.104846] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   20.105167] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.105206] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   20.105271] Call Trace:
[   20.105306]  <TASK>
[   20.105349]  dump_stack_lvl+0x73/0xb0
[   20.105435]  print_report+0xd1/0x650
[   20.105506]  ? __virt_addr_valid+0x1db/0x2d0
[   20.105751]  ? mempool_uaf_helper+0x392/0x400
[   20.105857]  ? kasan_complete_mode_report_info+0x64/0x200
[   20.105954]  ? mempool_uaf_helper+0x392/0x400
[   20.106089]  kasan_report+0x141/0x180
[   20.106188]  ? mempool_uaf_helper+0x392/0x400
[   20.106298]  __asan_report_load1_noabort+0x18/0x20
[   20.106342]  mempool_uaf_helper+0x392/0x400
[   20.106378]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   20.106412]  ? __kasan_check_write+0x18/0x20
[   20.106441]  ? __pfx_sched_clock_cpu+0x10/0x10
[   20.106473]  ? finish_task_switch.isra.0+0x153/0x700
[   20.106511]  mempool_kmalloc_uaf+0xef/0x140
[   20.106629]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   20.106681]  ? __pfx_mempool_kmalloc+0x10/0x10
[   20.106717]  ? __pfx_mempool_kfree+0x10/0x10
[   20.106752]  ? __pfx_read_tsc+0x10/0x10
[   20.106782]  ? ktime_get_ts64+0x86/0x230
[   20.106815]  kunit_try_run_case+0x1a5/0x480
[   20.106852]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.106919]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   20.106958]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   20.106993]  ? __kthread_parkme+0x82/0x180
[   20.107020]  ? preempt_count_sub+0x50/0x80
[   20.107051]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.107086]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.107168]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   20.107209]  kthread+0x337/0x6f0
[   20.107238]  ? trace_preempt_on+0x20/0xc0
[   20.107269]  ? __pfx_kthread+0x10/0x10
[   20.107298]  ? _raw_spin_unlock_irq+0x47/0x80
[   20.107329]  ? calculate_sigpending+0x7b/0xa0
[   20.107364]  ? __pfx_kthread+0x10/0x10
[   20.107393]  ret_from_fork+0x116/0x1d0
[   20.107418]  ? __pfx_kthread+0x10/0x10
[   20.107447]  ret_from_fork_asm+0x1a/0x30
[   20.107489]  </TASK>
[   20.107503] 
[   20.133166] Allocated by task 245:
[   20.133533]  kasan_save_stack+0x45/0x70
[   20.134468]  kasan_save_track+0x18/0x40
[   20.134893]  kasan_save_alloc_info+0x3b/0x50
[   20.135609]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   20.136426]  remove_element+0x11e/0x190
[   20.136910]  mempool_alloc_preallocated+0x4d/0x90
[   20.137762]  mempool_uaf_helper+0x96/0x400
[   20.138220]  mempool_kmalloc_uaf+0xef/0x140
[   20.138607]  kunit_try_run_case+0x1a5/0x480
[   20.139068]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.140141]  kthread+0x337/0x6f0
[   20.140835]  ret_from_fork+0x116/0x1d0
[   20.141168]  ret_from_fork_asm+0x1a/0x30
[   20.142179] 
[   20.142287] Freed by task 245:
[   20.142424]  kasan_save_stack+0x45/0x70
[   20.142586]  kasan_save_track+0x18/0x40
[   20.142741]  kasan_save_free_info+0x3f/0x60
[   20.143192]  __kasan_mempool_poison_object+0x131/0x1d0
[   20.144239]  mempool_free+0x2ec/0x380
[   20.145263]  mempool_uaf_helper+0x11a/0x400
[   20.145871]  mempool_kmalloc_uaf+0xef/0x140
[   20.146588]  kunit_try_run_case+0x1a5/0x480
[   20.147279]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.148604]  kthread+0x337/0x6f0
[   20.149313]  ret_from_fork+0x116/0x1d0
[   20.149609]  ret_from_fork_asm+0x1a/0x30
[   20.150152] 
[   20.150427] The buggy address belongs to the object at ffff8881032f7c00
[   20.150427]  which belongs to the cache kmalloc-128 of size 128
[   20.151789] The buggy address is located 0 bytes inside of
[   20.151789]  freed 128-byte region [ffff8881032f7c00, ffff8881032f7c80)
[   20.153462] 
[   20.154060] The buggy address belongs to the physical page:
[   20.154808] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1032f7
[   20.155510] flags: 0x200000000000000(node=0|zone=2)
[   20.155926] page_type: f5(slab)
[   20.156814] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   20.157895] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.158762] page dumped because: kasan: bad access detected
[   20.159353] 
[   20.159449] Memory state around the buggy address:
[   20.160372]  ffff8881032f7b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.161362]  ffff8881032f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.162510] >ffff8881032f7c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.163500]                    ^
[   20.163794]  ffff8881032f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.165035]  ffff8881032f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.166113] ==================================================================
[   20.225329] ==================================================================
[   20.226294] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   20.226959] Read of size 1 at addr ffff8881038ed240 by task kunit_try_catch/249
[   20.227996] 
[   20.228453] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   20.228576] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.228616] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   20.228700] Call Trace:
[   20.228764]  <TASK>
[   20.228809]  dump_stack_lvl+0x73/0xb0
[   20.228911]  print_report+0xd1/0x650
[   20.228952]  ? __virt_addr_valid+0x1db/0x2d0
[   20.228986]  ? mempool_uaf_helper+0x392/0x400
[   20.229019]  ? kasan_complete_mode_report_info+0x64/0x200
[   20.229052]  ? mempool_uaf_helper+0x392/0x400
[   20.229085]  kasan_report+0x141/0x180
[   20.229168]  ? mempool_uaf_helper+0x392/0x400
[   20.229210]  __asan_report_load1_noabort+0x18/0x20
[   20.229247]  mempool_uaf_helper+0x392/0x400
[   20.229280]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   20.229315]  ? __pfx_sched_clock_cpu+0x10/0x10
[   20.229348]  ? finish_task_switch.isra.0+0x153/0x700
[   20.229384]  mempool_slab_uaf+0xea/0x140
[   20.229417]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   20.229455]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   20.229483]  ? __pfx_mempool_free_slab+0x10/0x10
[   20.229514]  ? __pfx_read_tsc+0x10/0x10
[   20.229544]  ? ktime_get_ts64+0x86/0x230
[   20.229576]  kunit_try_run_case+0x1a5/0x480
[   20.229612]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.229647]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   20.229680]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   20.229714]  ? __kthread_parkme+0x82/0x180
[   20.229741]  ? preempt_count_sub+0x50/0x80
[   20.229773]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.229808]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.229842]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   20.229904]  kthread+0x337/0x6f0
[   20.229935]  ? trace_preempt_on+0x20/0xc0
[   20.229967]  ? __pfx_kthread+0x10/0x10
[   20.229996]  ? _raw_spin_unlock_irq+0x47/0x80
[   20.230026]  ? calculate_sigpending+0x7b/0xa0
[   20.230061]  ? __pfx_kthread+0x10/0x10
[   20.230092]  ret_from_fork+0x116/0x1d0
[   20.230153]  ? __pfx_kthread+0x10/0x10
[   20.230186]  ret_from_fork_asm+0x1a/0x30
[   20.230230]  </TASK>
[   20.230245] 
[   20.247337] Allocated by task 249:
[   20.247625]  kasan_save_stack+0x45/0x70
[   20.248135]  kasan_save_track+0x18/0x40
[   20.248756]  kasan_save_alloc_info+0x3b/0x50
[   20.249533]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   20.250090]  remove_element+0x11e/0x190
[   20.250482]  mempool_alloc_preallocated+0x4d/0x90
[   20.250837]  mempool_uaf_helper+0x96/0x400
[   20.251378]  mempool_slab_uaf+0xea/0x140
[   20.251857]  kunit_try_run_case+0x1a5/0x480
[   20.252596]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.252972]  kthread+0x337/0x6f0
[   20.254962]  ret_from_fork+0x116/0x1d0
[   20.255659]  ret_from_fork_asm+0x1a/0x30
[   20.255999] 
[   20.256581] Freed by task 249:
[   20.257333]  kasan_save_stack+0x45/0x70
[   20.257803]  kasan_save_track+0x18/0x40
[   20.258243]  kasan_save_free_info+0x3f/0x60
[   20.258670]  __kasan_mempool_poison_object+0x131/0x1d0
[   20.259123]  mempool_free+0x2ec/0x380
[   20.259628]  mempool_uaf_helper+0x11a/0x400
[   20.260086]  mempool_slab_uaf+0xea/0x140
[   20.260570]  kunit_try_run_case+0x1a5/0x480
[   20.261053]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.261622]  kthread+0x337/0x6f0
[   20.261996]  ret_from_fork+0x116/0x1d0
[   20.262488]  ret_from_fork_asm+0x1a/0x30
[   20.262966] 
[   20.263174] The buggy address belongs to the object at ffff8881038ed240
[   20.263174]  which belongs to the cache test_cache of size 123
[   20.264227] The buggy address is located 0 bytes inside of
[   20.264227]  freed 123-byte region [ffff8881038ed240, ffff8881038ed2bb)
[   20.265276] 
[   20.265463] The buggy address belongs to the physical page:
[   20.265948] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038ed
[   20.266891] flags: 0x200000000000000(node=0|zone=2)
[   20.267303] page_type: f5(slab)
[   20.267719] raw: 0200000000000000 ffff88810111b640 dead000000000122 0000000000000000
[   20.268463] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   20.269158] page dumped because: kasan: bad access detected
[   20.269606] 
[   20.269815] Memory state around the buggy address:
[   20.270227]  ffff8881038ed100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.270680]  ffff8881038ed180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.271238] >ffff8881038ed200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   20.274203]                                            ^
[   20.274514]  ffff8881038ed280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   20.274903]  ffff8881038ed300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.275412] ==================================================================

[   22.140778] ==================================================================
[   22.141874] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   22.142553] Read of size 1 at addr ffff00000cef7700 by task kunit_try_catch/280
[   22.143231] 
[   22.143395] CPU: 0 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   22.143446] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.143460] Hardware name: Radxa ROCK Pi 4B (DT)
[   22.143477] Call trace:
[   22.143488]  show_stack+0x20/0x38 (C)
[   22.143522]  dump_stack_lvl+0x8c/0xd0
[   22.143557]  print_report+0x118/0x608
[   22.143591]  kasan_report+0xdc/0x128
[   22.143624]  __asan_report_load1_noabort+0x20/0x30
[   22.143662]  mempool_uaf_helper+0x314/0x340
[   22.143692]  mempool_kmalloc_uaf+0xc4/0x120
[   22.143722]  kunit_try_run_case+0x170/0x3f0
[   22.143757]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.143794]  kthread+0x328/0x630
[   22.143821]  ret_from_fork+0x10/0x20
[   22.143853] 
[   22.149803] Allocated by task 280:
[   22.150128]  kasan_save_stack+0x3c/0x68
[   22.150506]  kasan_save_track+0x20/0x40
[   22.150881]  kasan_save_alloc_info+0x40/0x58
[   22.151298]  __kasan_mempool_unpoison_object+0x11c/0x180
[   22.151805]  remove_element+0x130/0x1f8
[   22.152179]  mempool_alloc_preallocated+0x58/0xc0
[   22.152629]  mempool_uaf_helper+0xa4/0x340
[   22.153026]  mempool_kmalloc_uaf+0xc4/0x120
[   22.153428]  kunit_try_run_case+0x170/0x3f0
[   22.153835]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.154359]  kthread+0x328/0x630
[   22.154675]  ret_from_fork+0x10/0x20
[   22.155025] 
[   22.155176] Freed by task 280:
[   22.155470]  kasan_save_stack+0x3c/0x68
[   22.155846]  kasan_save_track+0x20/0x40
[   22.156219]  kasan_save_free_info+0x4c/0x78
[   22.156628]  __kasan_mempool_poison_object+0xc0/0x150
[   22.157111]  mempool_free+0x28c/0x328
[   22.157468]  mempool_uaf_helper+0x104/0x340
[   22.157871]  mempool_kmalloc_uaf+0xc4/0x120
[   22.158274]  kunit_try_run_case+0x170/0x3f0
[   22.158679]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.159203]  kthread+0x328/0x630
[   22.159518]  ret_from_fork+0x10/0x20
[   22.159868] 
[   22.160020] The buggy address belongs to the object at ffff00000cef7700
[   22.160020]  which belongs to the cache kmalloc-128 of size 128
[   22.161153] The buggy address is located 0 bytes inside of
[   22.161153]  freed 128-byte region [ffff00000cef7700, ffff00000cef7780)
[   22.162252] 
[   22.162405] The buggy address belongs to the physical page:
[   22.162921] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xcef7
[   22.163646] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[   22.164256] page_type: f5(slab)
[   22.164570] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000
[   22.165285] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   22.165992] page dumped because: kasan: bad access detected
[   22.166505] 
[   22.166658] Memory state around the buggy address:
[   22.167106]  ffff00000cef7600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.167772]  ffff00000cef7680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.168438] >ffff00000cef7700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.169099]                    ^
[   22.169410]  ffff00000cef7780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.170075]  ffff00000cef7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   22.170736] ==================================================================
[   22.199945] ==================================================================
[   22.201061] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   22.201740] Read of size 1 at addr ffff00000f241240 by task kunit_try_catch/284
[   22.202417] 
[   22.202581] CPU: 3 UID: 0 PID: 284 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   22.202632] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.202646] Hardware name: Radxa ROCK Pi 4B (DT)
[   22.202662] Call trace:
[   22.202674]  show_stack+0x20/0x38 (C)
[   22.202708]  dump_stack_lvl+0x8c/0xd0
[   22.202744]  print_report+0x118/0x608
[   22.202778]  kasan_report+0xdc/0x128
[   22.202809]  __asan_report_load1_noabort+0x20/0x30
[   22.202848]  mempool_uaf_helper+0x314/0x340
[   22.202877]  mempool_slab_uaf+0xc0/0x118
[   22.202908]  kunit_try_run_case+0x170/0x3f0
[   22.202942]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.202980]  kthread+0x328/0x630
[   22.203006]  ret_from_fork+0x10/0x20
[   22.203039] 
[   22.208992] Allocated by task 284:
[   22.209331]  kasan_save_stack+0x3c/0x68
[   22.209725]  kasan_save_track+0x20/0x40
[   22.210109]  kasan_save_alloc_info+0x40/0x58
[   22.210537]  __kasan_mempool_unpoison_object+0xbc/0x180
[   22.211049]  remove_element+0x16c/0x1f8
[   22.211430]  mempool_alloc_preallocated+0x58/0xc0
[   22.211889]  mempool_uaf_helper+0xa4/0x340
[   22.212295]  mempool_slab_uaf+0xc0/0x118
[   22.212686]  kunit_try_run_case+0x170/0x3f0
[   22.213104]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.213637]  kthread+0x328/0x630
[   22.213962]  ret_from_fork+0x10/0x20
[   22.214322] 
[   22.214479] Freed by task 284:
[   22.214782]  kasan_save_stack+0x3c/0x68
[   22.215167]  kasan_save_track+0x20/0x40
[   22.215551]  kasan_save_free_info+0x4c/0x78
[   22.215969]  __kasan_mempool_poison_object+0xc0/0x150
[   22.216465]  mempool_free+0x28c/0x328
[   22.216830]  mempool_uaf_helper+0x104/0x340
[   22.217243]  mempool_slab_uaf+0xc0/0x118
[   22.217634]  kunit_try_run_case+0x170/0x3f0
[   22.218050]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.218585]  kthread+0x328/0x630
[   22.218909]  ret_from_fork+0x10/0x20
[   22.219267] 
[   22.219427] The buggy address belongs to the object at ffff00000f241240
[   22.219427]  which belongs to the cache test_cache of size 123
[   22.220565] The buggy address is located 0 bytes inside of
[   22.220565]  freed 123-byte region [ffff00000f241240, ffff00000f2412bb)
[   22.221673] 
[   22.221833] The buggy address belongs to the physical page:
[   22.222356] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf241
[   22.223091] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[   22.223713] page_type: f5(slab)
[   22.224034] raw: 03fffe0000000000 ffff00000daa4140 dead000000000122 0000000000000000
[   22.224761] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   22.225477] page dumped because: kasan: bad access detected
[   22.225996] 
[   22.226153] Memory state around the buggy address:
[   22.226610]  ffff00000f241100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.227284]  ffff00000f241180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.227958] >ffff00000f241200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   22.228626]                                            ^
[   22.229129]  ffff00000f241280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.229803]  ffff00000f241300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.230471] ==================================================================