Hay
Date: July 6, 2025, 11:09 p.m.

Environment: qemu-arm64, qemu-x86_64, x86

[   19.028739] ==================================================================
[   19.029064] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.029557] Read of size 1 at addr fff00000c69b6600 by task kunit_try_catch/228
[   19.029642] 
[   19.029951] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   19.030058] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.030085] Hardware name: linux,dummy-virt (DT)
[   19.030153] Call trace:
[   19.030179]  show_stack+0x20/0x38 (C)
[   19.030233]  dump_stack_lvl+0x8c/0xd0
[   19.030283]  print_report+0x118/0x608
[   19.030809]  kasan_report+0xdc/0x128
[   19.030887]  __asan_report_load1_noabort+0x20/0x30
[   19.030947]  mempool_uaf_helper+0x314/0x340
[   19.031004]  mempool_kmalloc_uaf+0xc4/0x120
[   19.031392]  kunit_try_run_case+0x170/0x3f0
[   19.031540]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.031692]  kthread+0x328/0x630
[   19.031755]  ret_from_fork+0x10/0x20
[   19.032145] 
[   19.032205] Allocated by task 228:
[   19.032242]  kasan_save_stack+0x3c/0x68
[   19.032556]  kasan_save_track+0x20/0x40
[   19.032668]  kasan_save_alloc_info+0x40/0x58
[   19.032711]  __kasan_mempool_unpoison_object+0x11c/0x180
[   19.032994]  remove_element+0x130/0x1f8
[   19.033132]  mempool_alloc_preallocated+0x58/0xc0
[   19.033465]  mempool_uaf_helper+0xa4/0x340
[   19.033645]  mempool_kmalloc_uaf+0xc4/0x120
[   19.033737]  kunit_try_run_case+0x170/0x3f0
[   19.033877]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.034350]  kthread+0x328/0x630
[   19.034432]  ret_from_fork+0x10/0x20
[   19.034555] 
[   19.034574] Freed by task 228:
[   19.034855]  kasan_save_stack+0x3c/0x68
[   19.035018]  kasan_save_track+0x20/0x40
[   19.035119]  kasan_save_free_info+0x4c/0x78
[   19.035250]  __kasan_mempool_poison_object+0xc0/0x150
[   19.035480]  mempool_free+0x28c/0x328
[   19.035542]  mempool_uaf_helper+0x104/0x340
[   19.035580]  mempool_kmalloc_uaf+0xc4/0x120
[   19.035617]  kunit_try_run_case+0x170/0x3f0
[   19.035664]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.035709]  kthread+0x328/0x630
[   19.035760]  ret_from_fork+0x10/0x20
[   19.035797] 
[   19.035819] The buggy address belongs to the object at fff00000c69b6600
[   19.035819]  which belongs to the cache kmalloc-128 of size 128
[   19.036485] The buggy address is located 0 bytes inside of
[   19.036485]  freed 128-byte region [fff00000c69b6600, fff00000c69b6680)
[   19.036569] 
[   19.036678] The buggy address belongs to the physical page:
[   19.036756] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1069b6
[   19.037157] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.037239] page_type: f5(slab)
[   19.037301] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.037419] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.037538] page dumped because: kasan: bad access detected
[   19.037606] 
[   19.037728] Memory state around the buggy address:
[   19.037793]  fff00000c69b6500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.037859]  fff00000c69b6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.038224] >fff00000c69b6600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.038286]                    ^
[   19.038395]  fff00000c69b6680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.038488]  fff00000c69b6700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.038648] ==================================================================
[   19.068732] ==================================================================
[   19.068812] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.068872] Read of size 1 at addr fff00000c65c5240 by task kunit_try_catch/232
[   19.068920] 
[   19.068965] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   19.069063] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.069088] Hardware name: linux,dummy-virt (DT)
[   19.069443] Call trace:
[   19.069654]  show_stack+0x20/0x38 (C)
[   19.069718]  dump_stack_lvl+0x8c/0xd0
[   19.069766]  print_report+0x118/0x608
[   19.069812]  kasan_report+0xdc/0x128
[   19.069856]  __asan_report_load1_noabort+0x20/0x30
[   19.070502]  mempool_uaf_helper+0x314/0x340
[   19.070901]  mempool_slab_uaf+0xc0/0x118
[   19.070961]  kunit_try_run_case+0x170/0x3f0
[   19.071031]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.071419]  kthread+0x328/0x630
[   19.071537]  ret_from_fork+0x10/0x20
[   19.071591] 
[   19.071612] Allocated by task 232:
[   19.071669]  kasan_save_stack+0x3c/0x68
[   19.072026]  kasan_save_track+0x20/0x40
[   19.072103]  kasan_save_alloc_info+0x40/0x58
[   19.072155]  __kasan_mempool_unpoison_object+0xbc/0x180
[   19.072441]  remove_element+0x16c/0x1f8
[   19.072620]  mempool_alloc_preallocated+0x58/0xc0
[   19.072716]  mempool_uaf_helper+0xa4/0x340
[   19.072760]  mempool_slab_uaf+0xc0/0x118
[   19.073017]  kunit_try_run_case+0x170/0x3f0
[   19.073151]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.073351]  kthread+0x328/0x630
[   19.073419]  ret_from_fork+0x10/0x20
[   19.073476] 
[   19.073496] Freed by task 232:
[   19.073808]  kasan_save_stack+0x3c/0x68
[   19.073924]  kasan_save_track+0x20/0x40
[   19.073964]  kasan_save_free_info+0x4c/0x78
[   19.074229]  __kasan_mempool_poison_object+0xc0/0x150
[   19.074365]  mempool_free+0x28c/0x328
[   19.074422]  mempool_uaf_helper+0x104/0x340
[   19.074734]  mempool_slab_uaf+0xc0/0x118
[   19.074827]  kunit_try_run_case+0x170/0x3f0
[   19.074894]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.075220]  kthread+0x328/0x630
[   19.075370]  ret_from_fork+0x10/0x20
[   19.075455] 
[   19.075587] The buggy address belongs to the object at fff00000c65c5240
[   19.075587]  which belongs to the cache test_cache of size 123
[   19.075711] The buggy address is located 0 bytes inside of
[   19.075711]  freed 123-byte region [fff00000c65c5240, fff00000c65c52bb)
[   19.076203] 
[   19.076255] The buggy address belongs to the physical page:
[   19.076320] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065c5
[   19.076481] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.076537] page_type: f5(slab)
[   19.076913] raw: 0bfffe0000000000 fff00000c1aa5c80 dead000000000122 0000000000000000
[   19.077108] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   19.077340] page dumped because: kasan: bad access detected
[   19.077510] 
[   19.077601] Memory state around the buggy address:
[   19.077696]  fff00000c65c5100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.077784]  fff00000c65c5180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.077966] >fff00000c65c5200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   19.078027]                                            ^
[   19.078327]  fff00000c65c5280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.078394]  fff00000c65c5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.078647] ==================================================================

[   18.702513] ==================================================================
[   18.702578] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.702632] Read of size 1 at addr fff00000c6230240 by task kunit_try_catch/232
[   18.702683] 
[   18.702755] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.702838] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.702880] Hardware name: linux,dummy-virt (DT)
[   18.702925] Call trace:
[   18.703076]  show_stack+0x20/0x38 (C)
[   18.703129]  dump_stack_lvl+0x8c/0xd0
[   18.703176]  print_report+0x118/0x608
[   18.703219]  kasan_report+0xdc/0x128
[   18.703284]  __asan_report_load1_noabort+0x20/0x30
[   18.703339]  mempool_uaf_helper+0x314/0x340
[   18.703385]  mempool_slab_uaf+0xc0/0x118
[   18.703428]  kunit_try_run_case+0x170/0x3f0
[   18.703475]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.703526]  kthread+0x328/0x630
[   18.703565]  ret_from_fork+0x10/0x20
[   18.703612] 
[   18.703630] Allocated by task 232:
[   18.703657]  kasan_save_stack+0x3c/0x68
[   18.703715]  kasan_save_track+0x20/0x40
[   18.703795]  kasan_save_alloc_info+0x40/0x58
[   18.703865]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.703941]  remove_element+0x16c/0x1f8
[   18.704005]  mempool_alloc_preallocated+0x58/0xc0
[   18.704046]  mempool_uaf_helper+0xa4/0x340
[   18.704111]  mempool_slab_uaf+0xc0/0x118
[   18.704196]  kunit_try_run_case+0x170/0x3f0
[   18.704296]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.704355]  kthread+0x328/0x630
[   18.704391]  ret_from_fork+0x10/0x20
[   18.704426] 
[   18.704446] Freed by task 232:
[   18.704474]  kasan_save_stack+0x3c/0x68
[   18.704510]  kasan_save_track+0x20/0x40
[   18.704547]  kasan_save_free_info+0x4c/0x78
[   18.704588]  __kasan_mempool_poison_object+0xc0/0x150
[   18.704632]  mempool_free+0x28c/0x328
[   18.704666]  mempool_uaf_helper+0x104/0x340
[   18.704713]  mempool_slab_uaf+0xc0/0x118
[   18.704750]  kunit_try_run_case+0x170/0x3f0
[   18.704830]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.704880]  kthread+0x328/0x630
[   18.704924]  ret_from_fork+0x10/0x20
[   18.704958] 
[   18.704979] The buggy address belongs to the object at fff00000c6230240
[   18.704979]  which belongs to the cache test_cache of size 123
[   18.705046] The buggy address is located 0 bytes inside of
[   18.705046]  freed 123-byte region [fff00000c6230240, fff00000c62302bb)
[   18.705114] 
[   18.705135] The buggy address belongs to the physical page:
[   18.705165] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106230
[   18.705216] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.705264] page_type: f5(slab)
[   18.705314] raw: 0bfffe0000000000 fff00000c77d9a00 dead000000000122 0000000000000000
[   18.705363] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   18.705402] page dumped because: kasan: bad access detected
[   18.705433] 
[   18.705450] Memory state around the buggy address:
[   18.705482]  fff00000c6230100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.705523]  fff00000c6230180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.705564] >fff00000c6230200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.705608]                                            ^
[   18.705642]  fff00000c6230280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.705683]  fff00000c6230300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.705718] ==================================================================
[   18.650521] ==================================================================
[   18.650586] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.651284] Read of size 1 at addr fff00000c7729600 by task kunit_try_catch/228
[   18.651350] 
[   18.651940] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   18.652181] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.652942] Hardware name: linux,dummy-virt (DT)
[   18.653212] Call trace:
[   18.653239]  show_stack+0x20/0x38 (C)
[   18.653596]  dump_stack_lvl+0x8c/0xd0
[   18.653774]  print_report+0x118/0x608
[   18.654068]  kasan_report+0xdc/0x128
[   18.654387]  __asan_report_load1_noabort+0x20/0x30
[   18.654460]  mempool_uaf_helper+0x314/0x340
[   18.654543]  mempool_kmalloc_uaf+0xc4/0x120
[   18.654591]  kunit_try_run_case+0x170/0x3f0
[   18.654934]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.655391]  kthread+0x328/0x630
[   18.655477]  ret_from_fork+0x10/0x20
[   18.655715] 
[   18.655751] Allocated by task 228:
[   18.656147]  kasan_save_stack+0x3c/0x68
[   18.656319]  kasan_save_track+0x20/0x40
[   18.656419]  kasan_save_alloc_info+0x40/0x58
[   18.656748]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.656800]  remove_element+0x130/0x1f8
[   18.656845]  mempool_alloc_preallocated+0x58/0xc0
[   18.657275]  mempool_uaf_helper+0xa4/0x340
[   18.657322]  mempool_kmalloc_uaf+0xc4/0x120
[   18.657360]  kunit_try_run_case+0x170/0x3f0
[   18.657810]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.658168]  kthread+0x328/0x630
[   18.658232]  ret_from_fork+0x10/0x20
[   18.658268] 
[   18.658526] Freed by task 228:
[   18.658559]  kasan_save_stack+0x3c/0x68
[   18.658600]  kasan_save_track+0x20/0x40
[   18.658754]  kasan_save_free_info+0x4c/0x78
[   18.658796]  __kasan_mempool_poison_object+0xc0/0x150
[   18.658839]  mempool_free+0x28c/0x328
[   18.659141]  mempool_uaf_helper+0x104/0x340
[   18.659309]  mempool_kmalloc_uaf+0xc4/0x120
[   18.659359]  kunit_try_run_case+0x170/0x3f0
[   18.659642]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.659701]  kthread+0x328/0x630
[   18.659734]  ret_from_fork+0x10/0x20
[   18.659770] 
[   18.659790] The buggy address belongs to the object at fff00000c7729600
[   18.659790]  which belongs to the cache kmalloc-128 of size 128
[   18.659850] The buggy address is located 0 bytes inside of
[   18.659850]  freed 128-byte region [fff00000c7729600, fff00000c7729680)
[   18.660844] 
[   18.660892] The buggy address belongs to the physical page:
[   18.660933] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107729
[   18.660990] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.661040] page_type: f5(slab)
[   18.661084] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.661133] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.661172] page dumped because: kasan: bad access detected
[   18.661815] 
[   18.662217] Memory state around the buggy address:
[   18.662260]  fff00000c7729500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.662331]  fff00000c7729580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.662373] >fff00000c7729600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.662411]                    ^
[   18.662445]  fff00000c7729680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.662666]  fff00000c7729700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.662715] ==================================================================

[   15.014255] ==================================================================
[   15.014838] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   15.015148] Read of size 1 at addr ffff888102aa0e00 by task kunit_try_catch/245
[   15.015542] 
[   15.015712] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   15.015796] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.015819] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.015859] Call Trace:
[   15.015886]  <TASK>
[   15.015916]  dump_stack_lvl+0x73/0xb0
[   15.015977]  print_report+0xd1/0x650
[   15.016021]  ? __virt_addr_valid+0x1db/0x2d0
[   15.016061]  ? mempool_uaf_helper+0x392/0x400
[   15.016092]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.016136]  ? mempool_uaf_helper+0x392/0x400
[   15.016178]  kasan_report+0x141/0x180
[   15.016213]  ? mempool_uaf_helper+0x392/0x400
[   15.016258]  __asan_report_load1_noabort+0x18/0x20
[   15.016301]  mempool_uaf_helper+0x392/0x400
[   15.016344]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   15.016389]  ? __kasan_check_write+0x18/0x20
[   15.016428]  ? __pfx_sched_clock_cpu+0x10/0x10
[   15.016471]  ? finish_task_switch.isra.0+0x153/0x700
[   15.016511]  mempool_kmalloc_uaf+0xef/0x140
[   15.016582]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   15.016647]  ? __pfx_mempool_kmalloc+0x10/0x10
[   15.016678]  ? __pfx_mempool_kfree+0x10/0x10
[   15.016701]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   15.016726]  ? __pfx_read_tsc+0x10/0x10
[   15.016746]  ? ktime_get_ts64+0x86/0x230
[   15.016765]  ? trace_hardirqs_on+0x37/0xe0
[   15.016789]  kunit_try_run_case+0x1a5/0x480
[   15.016813]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.016833]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.016857]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.016878]  ? __kthread_parkme+0x82/0x180
[   15.016896]  ? preempt_count_sub+0x50/0x80
[   15.016918]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.016940]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.016959]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.016980]  kthread+0x337/0x6f0
[   15.016998]  ? trace_preempt_on+0x20/0xc0
[   15.017018]  ? __pfx_kthread+0x10/0x10
[   15.017036]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.017055]  ? calculate_sigpending+0x7b/0xa0
[   15.017078]  ? __pfx_kthread+0x10/0x10
[   15.017097]  ret_from_fork+0x116/0x1d0
[   15.017125]  ? __pfx_kthread+0x10/0x10
[   15.017147]  ret_from_fork_asm+0x1a/0x30
[   15.017177]  </TASK>
[   15.017189] 
[   15.029427] Allocated by task 245:
[   15.029848]  kasan_save_stack+0x45/0x70
[   15.030203]  kasan_save_track+0x18/0x40
[   15.030453]  kasan_save_alloc_info+0x3b/0x50
[   15.030908]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   15.031284]  remove_element+0x11e/0x190
[   15.031732]  mempool_alloc_preallocated+0x4d/0x90
[   15.031937]  mempool_uaf_helper+0x96/0x400
[   15.032169]  mempool_kmalloc_uaf+0xef/0x140
[   15.032463]  kunit_try_run_case+0x1a5/0x480
[   15.032804]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.033426]  kthread+0x337/0x6f0
[   15.033852]  ret_from_fork+0x116/0x1d0
[   15.034211]  ret_from_fork_asm+0x1a/0x30
[   15.034444] 
[   15.034649] Freed by task 245:
[   15.035004]  kasan_save_stack+0x45/0x70
[   15.035335]  kasan_save_track+0x18/0x40
[   15.035642]  kasan_save_free_info+0x3f/0x60
[   15.036165]  __kasan_mempool_poison_object+0x131/0x1d0
[   15.037213]  mempool_free+0x2ec/0x380
[   15.038025]  mempool_uaf_helper+0x11a/0x400
[   15.038602]  mempool_kmalloc_uaf+0xef/0x140
[   15.038854]  kunit_try_run_case+0x1a5/0x480
[   15.039005]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.039878]  kthread+0x337/0x6f0
[   15.040255]  ret_from_fork+0x116/0x1d0
[   15.040686]  ret_from_fork_asm+0x1a/0x30
[   15.041002] 
[   15.041125] The buggy address belongs to the object at ffff888102aa0e00
[   15.041125]  which belongs to the cache kmalloc-128 of size 128
[   15.041715] The buggy address is located 0 bytes inside of
[   15.041715]  freed 128-byte region [ffff888102aa0e00, ffff888102aa0e80)
[   15.042244] 
[   15.042981] The buggy address belongs to the physical page:
[   15.043606] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102aa0
[   15.043958] flags: 0x200000000000000(node=0|zone=2)
[   15.044514] page_type: f5(slab)
[   15.045193] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   15.045365] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.045492] page dumped because: kasan: bad access detected
[   15.045666] 
[   15.046299] Memory state around the buggy address:
[   15.046497]  ffff888102aa0d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.047185]  ffff888102aa0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.047731] >ffff888102aa0e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.047959]                    ^
[   15.048325]  ffff888102aa0e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.048971]  ffff888102aa0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   15.049667] ==================================================================
[   15.084115] ==================================================================
[   15.084543] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   15.085232] Read of size 1 at addr ffff888102abb240 by task kunit_try_catch/249
[   15.085952] 
[   15.086116] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   15.086206] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.086231] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.086270] Call Trace:
[   15.086297]  <TASK>
[   15.086348]  dump_stack_lvl+0x73/0xb0
[   15.086660]  print_report+0xd1/0x650
[   15.086698]  ? __virt_addr_valid+0x1db/0x2d0
[   15.086723]  ? mempool_uaf_helper+0x392/0x400
[   15.086745]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.086769]  ? mempool_uaf_helper+0x392/0x400
[   15.086789]  kasan_report+0x141/0x180
[   15.086808]  ? mempool_uaf_helper+0x392/0x400
[   15.086832]  __asan_report_load1_noabort+0x18/0x20
[   15.086854]  mempool_uaf_helper+0x392/0x400
[   15.086875]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   15.086898]  ? __pfx_sched_clock_cpu+0x10/0x10
[   15.086920]  ? finish_task_switch.isra.0+0x153/0x700
[   15.086943]  mempool_slab_uaf+0xea/0x140
[   15.086964]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   15.086987]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   15.087011]  ? __pfx_mempool_free_slab+0x10/0x10
[   15.087034]  ? __pfx_read_tsc+0x10/0x10
[   15.087054]  ? ktime_get_ts64+0x86/0x230
[   15.087076]  kunit_try_run_case+0x1a5/0x480
[   15.087111]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.087139]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.087162]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.087183]  ? __kthread_parkme+0x82/0x180
[   15.087203]  ? preempt_count_sub+0x50/0x80
[   15.087224]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.087246]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.087267]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.087288]  kthread+0x337/0x6f0
[   15.087307]  ? trace_preempt_on+0x20/0xc0
[   15.087329]  ? __pfx_kthread+0x10/0x10
[   15.087348]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.087367]  ? calculate_sigpending+0x7b/0xa0
[   15.087390]  ? __pfx_kthread+0x10/0x10
[   15.087409]  ret_from_fork+0x116/0x1d0
[   15.087427]  ? __pfx_kthread+0x10/0x10
[   15.087445]  ret_from_fork_asm+0x1a/0x30
[   15.087475]  </TASK>
[   15.087488] 
[   15.099985] Allocated by task 249:
[   15.100367]  kasan_save_stack+0x45/0x70
[   15.100540]  kasan_save_track+0x18/0x40
[   15.101097]  kasan_save_alloc_info+0x3b/0x50
[   15.101345]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   15.102004]  remove_element+0x11e/0x190
[   15.102439]  mempool_alloc_preallocated+0x4d/0x90
[   15.102653]  mempool_uaf_helper+0x96/0x400
[   15.103355]  mempool_slab_uaf+0xea/0x140
[   15.103668]  kunit_try_run_case+0x1a5/0x480
[   15.104213]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.104403]  kthread+0x337/0x6f0
[   15.104871]  ret_from_fork+0x116/0x1d0
[   15.105027]  ret_from_fork_asm+0x1a/0x30
[   15.105383] 
[   15.105481] Freed by task 249:
[   15.106113]  kasan_save_stack+0x45/0x70
[   15.106903]  kasan_save_track+0x18/0x40
[   15.107098]  kasan_save_free_info+0x3f/0x60
[   15.107645]  __kasan_mempool_poison_object+0x131/0x1d0
[   15.107841]  mempool_free+0x2ec/0x380
[   15.108355]  mempool_uaf_helper+0x11a/0x400
[   15.109017]  mempool_slab_uaf+0xea/0x140
[   15.109270]  kunit_try_run_case+0x1a5/0x480
[   15.109433]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.110097]  kthread+0x337/0x6f0
[   15.110411]  ret_from_fork+0x116/0x1d0
[   15.110561]  ret_from_fork_asm+0x1a/0x30
[   15.111115] 
[   15.111287] The buggy address belongs to the object at ffff888102abb240
[   15.111287]  which belongs to the cache test_cache of size 123
[   15.112170] The buggy address is located 0 bytes inside of
[   15.112170]  freed 123-byte region [ffff888102abb240, ffff888102abb2bb)
[   15.112935] 
[   15.113291] The buggy address belongs to the physical page:
[   15.113691] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102abb
[   15.114308] flags: 0x200000000000000(node=0|zone=2)
[   15.114547] page_type: f5(slab)
[   15.115216] raw: 0200000000000000 ffff888102ab9000 dead000000000122 0000000000000000
[   15.115381] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   15.115632] page dumped because: kasan: bad access detected
[   15.115953] 
[   15.116177] Memory state around the buggy address:
[   15.116456]  ffff888102abb100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.116962]  ffff888102abb180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.117756] >ffff888102abb200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   15.118352]                                            ^
[   15.118560]  ffff888102abb280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.119215]  ffff888102abb300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.119544] ==================================================================

[   15.179551] ==================================================================
[   15.180085] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   15.180336] Read of size 1 at addr ffff8881039f2240 by task kunit_try_catch/248
[   15.180569] 
[   15.180663] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   15.180709] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.180722] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.180745] Call Trace:
[   15.180757]  <TASK>
[   15.180774]  dump_stack_lvl+0x73/0xb0
[   15.180804]  print_report+0xd1/0x650
[   15.180827]  ? __virt_addr_valid+0x1db/0x2d0
[   15.180851]  ? mempool_uaf_helper+0x392/0x400
[   15.180874]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.180900]  ? mempool_uaf_helper+0x392/0x400
[   15.180922]  kasan_report+0x141/0x180
[   15.180946]  ? mempool_uaf_helper+0x392/0x400
[   15.180973]  __asan_report_load1_noabort+0x18/0x20
[   15.180998]  mempool_uaf_helper+0x392/0x400
[   15.181060]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   15.181096]  ? __pfx_sched_clock_cpu+0x10/0x10
[   15.181149]  ? finish_task_switch.isra.0+0x153/0x700
[   15.181174]  mempool_slab_uaf+0xea/0x140
[   15.181197]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   15.181224]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   15.181249]  ? __pfx_mempool_free_slab+0x10/0x10
[   15.181275]  ? __pfx_read_tsc+0x10/0x10
[   15.181297]  ? ktime_get_ts64+0x86/0x230
[   15.181321]  kunit_try_run_case+0x1a5/0x480
[   15.181346]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.181368]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.181392]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.181415]  ? __kthread_parkme+0x82/0x180
[   15.181436]  ? preempt_count_sub+0x50/0x80
[   15.181459]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.181482]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.181505]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.181531]  kthread+0x337/0x6f0
[   15.181551]  ? trace_preempt_on+0x20/0xc0
[   15.181574]  ? __pfx_kthread+0x10/0x10
[   15.181595]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.181616]  ? calculate_sigpending+0x7b/0xa0
[   15.181640]  ? __pfx_kthread+0x10/0x10
[   15.181661]  ret_from_fork+0x116/0x1d0
[   15.181680]  ? __pfx_kthread+0x10/0x10
[   15.181700]  ret_from_fork_asm+0x1a/0x30
[   15.181740]  </TASK>
[   15.181752] 
[   15.191074] Allocated by task 248:
[   15.191277]  kasan_save_stack+0x45/0x70
[   15.191444]  kasan_save_track+0x18/0x40
[   15.191630]  kasan_save_alloc_info+0x3b/0x50
[   15.191839]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   15.192157]  remove_element+0x11e/0x190
[   15.192303]  mempool_alloc_preallocated+0x4d/0x90
[   15.192470]  mempool_uaf_helper+0x96/0x400
[   15.192684]  mempool_slab_uaf+0xea/0x140
[   15.193147]  kunit_try_run_case+0x1a5/0x480
[   15.193361]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.193629]  kthread+0x337/0x6f0
[   15.193849]  ret_from_fork+0x116/0x1d0
[   15.194037]  ret_from_fork_asm+0x1a/0x30
[   15.194194] 
[   15.194269] Freed by task 248:
[   15.194401]  kasan_save_stack+0x45/0x70
[   15.194602]  kasan_save_track+0x18/0x40
[   15.194799]  kasan_save_free_info+0x3f/0x60
[   15.195022]  __kasan_mempool_poison_object+0x131/0x1d0
[   15.195209]  mempool_free+0x2ec/0x380
[   15.195347]  mempool_uaf_helper+0x11a/0x400
[   15.195496]  mempool_slab_uaf+0xea/0x140
[   15.195639]  kunit_try_run_case+0x1a5/0x480
[   15.195972]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.196290]  kthread+0x337/0x6f0
[   15.196466]  ret_from_fork+0x116/0x1d0
[   15.196659]  ret_from_fork_asm+0x1a/0x30
[   15.197118] 
[   15.197226] The buggy address belongs to the object at ffff8881039f2240
[   15.197226]  which belongs to the cache test_cache of size 123
[   15.198033] The buggy address is located 0 bytes inside of
[   15.198033]  freed 123-byte region [ffff8881039f2240, ffff8881039f22bb)
[   15.198407] 
[   15.198510] The buggy address belongs to the physical page:
[   15.198878] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f2
[   15.199259] flags: 0x200000000000000(node=0|zone=2)
[   15.199506] page_type: f5(slab)
[   15.199683] raw: 0200000000000000 ffff888101601a00 dead000000000122 0000000000000000
[   15.200004] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   15.200338] page dumped because: kasan: bad access detected
[   15.200579] 
[   15.200677] Memory state around the buggy address:
[   15.200969]  ffff8881039f2100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.201257]  ffff8881039f2180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.201569] >ffff8881039f2200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   15.201867]                                            ^
[   15.202046]  ffff8881039f2280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.202393]  ffff8881039f2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.202703] ==================================================================
[   15.106164] ==================================================================
[   15.107822] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   15.109121] Read of size 1 at addr ffff8881031c0700 by task kunit_try_catch/244
[   15.109480] 
[   15.109632] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   15.109681] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.109694] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.109869] Call Trace:
[   15.109911]  <TASK>
[   15.109928]  dump_stack_lvl+0x73/0xb0
[   15.109959]  print_report+0xd1/0x650
[   15.109982]  ? __virt_addr_valid+0x1db/0x2d0
[   15.110004]  ? mempool_uaf_helper+0x392/0x400
[   15.110027]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.110065]  ? mempool_uaf_helper+0x392/0x400
[   15.110088]  kasan_report+0x141/0x180
[   15.110110]  ? mempool_uaf_helper+0x392/0x400
[   15.110138]  __asan_report_load1_noabort+0x18/0x20
[   15.110162]  mempool_uaf_helper+0x392/0x400
[   15.110185]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   15.110210]  ? __kasan_check_write+0x18/0x20
[   15.110230]  ? __pfx_sched_clock_cpu+0x10/0x10
[   15.110252]  ? finish_task_switch.isra.0+0x153/0x700
[   15.110279]  mempool_kmalloc_uaf+0xef/0x140
[   15.110301]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   15.110327]  ? __pfx_mempool_kmalloc+0x10/0x10
[   15.110350]  ? __pfx_mempool_kfree+0x10/0x10
[   15.110376]  ? __pfx_read_tsc+0x10/0x10
[   15.110396]  ? ktime_get_ts64+0x86/0x230
[   15.110421]  kunit_try_run_case+0x1a5/0x480
[   15.110446]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.110469]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.110492]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.110514]  ? __kthread_parkme+0x82/0x180
[   15.110535]  ? preempt_count_sub+0x50/0x80
[   15.110559]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.110583]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.110606]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.110629]  kthread+0x337/0x6f0
[   15.110648]  ? trace_preempt_on+0x20/0xc0
[   15.110671]  ? __pfx_kthread+0x10/0x10
[   15.110692]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.110744]  ? calculate_sigpending+0x7b/0xa0
[   15.110770]  ? __pfx_kthread+0x10/0x10
[   15.110792]  ret_from_fork+0x116/0x1d0
[   15.110811]  ? __pfx_kthread+0x10/0x10
[   15.110831]  ret_from_fork_asm+0x1a/0x30
[   15.110863]  </TASK>
[   15.110875] 
[   15.124282] Allocated by task 244:
[   15.124536]  kasan_save_stack+0x45/0x70
[   15.124741]  kasan_save_track+0x18/0x40
[   15.125236]  kasan_save_alloc_info+0x3b/0x50
[   15.125539]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   15.126061]  remove_element+0x11e/0x190
[   15.126266]  mempool_alloc_preallocated+0x4d/0x90
[   15.126634]  mempool_uaf_helper+0x96/0x400
[   15.126932]  mempool_kmalloc_uaf+0xef/0x140
[   15.127277]  kunit_try_run_case+0x1a5/0x480
[   15.127831]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.128256]  kthread+0x337/0x6f0
[   15.128553]  ret_from_fork+0x116/0x1d0
[   15.128888]  ret_from_fork_asm+0x1a/0x30
[   15.129297] 
[   15.129432] Freed by task 244:
[   15.129591]  kasan_save_stack+0x45/0x70
[   15.130108]  kasan_save_track+0x18/0x40
[   15.130313]  kasan_save_free_info+0x3f/0x60
[   15.130645]  __kasan_mempool_poison_object+0x131/0x1d0
[   15.131044]  mempool_free+0x2ec/0x380
[   15.131283]  mempool_uaf_helper+0x11a/0x400
[   15.131483]  mempool_kmalloc_uaf+0xef/0x140
[   15.131702]  kunit_try_run_case+0x1a5/0x480
[   15.132255]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.132581]  kthread+0x337/0x6f0
[   15.132947]  ret_from_fork+0x116/0x1d0
[   15.133162]  ret_from_fork_asm+0x1a/0x30
[   15.133432] 
[   15.133535] The buggy address belongs to the object at ffff8881031c0700
[   15.133535]  which belongs to the cache kmalloc-128 of size 128
[   15.134307] The buggy address is located 0 bytes inside of
[   15.134307]  freed 128-byte region [ffff8881031c0700, ffff8881031c0780)
[   15.135213] 
[   15.135331] The buggy address belongs to the physical page:
[   15.135596] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031c0
[   15.136264] flags: 0x200000000000000(node=0|zone=2)
[   15.136601] page_type: f5(slab)
[   15.136816] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   15.137493] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.137989] page dumped because: kasan: bad access detected
[   15.138636] 
[   15.138771] Memory state around the buggy address:
[   15.139004]  ffff8881031c0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.139339]  ffff8881031c0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.139662] >ffff8881031c0700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.140660]                    ^
[   15.140974]  ffff8881031c0780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.141314]  ffff8881031c0800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   15.141852] ==================================================================

[   36.861626] ==================================================================
[   36.873131] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   36.880272] Read of size 1 at addr ffff888105ba0f00 by task kunit_try_catch/268
[   36.887586] 
[   36.889089] CPU: 0 UID: 0 PID: 268 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   36.889098] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   36.889101] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   36.889105] Call Trace:
[   36.889107]  <TASK>
[   36.889108]  dump_stack_lvl+0x73/0xb0
[   36.889113]  print_report+0xd1/0x650
[   36.889117]  ? __virt_addr_valid+0x1db/0x2d0
[   36.889122]  ? mempool_uaf_helper+0x392/0x400
[   36.889126]  ? kasan_complete_mode_report_info+0x64/0x200
[   36.889131]  ? mempool_uaf_helper+0x392/0x400
[   36.889135]  kasan_report+0x141/0x180
[   36.889139]  ? mempool_uaf_helper+0x392/0x400
[   36.889144]  __asan_report_load1_noabort+0x18/0x20
[   36.889149]  mempool_uaf_helper+0x392/0x400
[   36.889153]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   36.889158]  ? __pfx_sched_clock_cpu+0x10/0x10
[   36.889162]  ? finish_task_switch.isra.0+0x153/0x700
[   36.889166]  mempool_kmalloc_uaf+0xef/0x140
[   36.889170]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   36.889175]  ? __pfx_mempool_kmalloc+0x10/0x10
[   36.889180]  ? __pfx_mempool_kfree+0x10/0x10
[   36.889185]  ? ktime_get_ts64+0x83/0x230
[   36.889189]  kunit_try_run_case+0x1a2/0x480
[   36.889194]  ? __pfx_kunit_try_run_case+0x10/0x10
[   36.889198]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   36.889203]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   36.889207]  ? __kthread_parkme+0x82/0x180
[   36.889210]  ? preempt_count_sub+0x50/0x80
[   36.889215]  ? __pfx_kunit_try_run_case+0x10/0x10
[   36.889219]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   36.889223]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   36.889228]  kthread+0x334/0x6f0
[   36.889231]  ? trace_preempt_on+0x20/0xc0
[   36.889235]  ? __pfx_kthread+0x10/0x10
[   36.889239]  ? _raw_spin_unlock_irq+0x47/0x80
[   36.889243]  ? calculate_sigpending+0x7b/0xa0
[   36.889247]  ? __pfx_kthread+0x10/0x10
[   36.889251]  ret_from_fork+0x113/0x1d0
[   36.889255]  ? __pfx_kthread+0x10/0x10
[   36.889258]  ret_from_fork_asm+0x1a/0x30
[   36.889264]  </TASK>
[   36.889266] 
[   37.077760] Allocated by task 268:
[   37.081165]  kasan_save_stack+0x45/0x70
[   37.085005]  kasan_save_track+0x18/0x40
[   37.088844]  kasan_save_alloc_info+0x3b/0x50
[   37.093115]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   37.098430]  remove_element+0x11e/0x190
[   37.102276]  mempool_alloc_preallocated+0x4d/0x90
[   37.106984]  mempool_uaf_helper+0x96/0x400
[   37.111090]  mempool_kmalloc_uaf+0xef/0x140
[   37.115277]  kunit_try_run_case+0x1a2/0x480
[   37.119462]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.124860]  kthread+0x334/0x6f0
[   37.128093]  ret_from_fork+0x113/0x1d0
[   37.131847]  ret_from_fork_asm+0x1a/0x30
[   37.135774] 
[   37.137274] Freed by task 268:
[   37.140350]  kasan_save_stack+0x45/0x70
[   37.144197]  kasan_save_track+0x18/0x40
[   37.148035]  kasan_save_free_info+0x3f/0x60
[   37.152223]  __kasan_mempool_poison_object+0x131/0x1d0
[   37.157394]  mempool_free+0x2ec/0x380
[   37.161062]  mempool_uaf_helper+0x11a/0x400
[   37.165247]  mempool_kmalloc_uaf+0xef/0x140
[   37.169433]  kunit_try_run_case+0x1a2/0x480
[   37.173621]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.179019]  kthread+0x334/0x6f0
[   37.182251]  ret_from_fork+0x113/0x1d0
[   37.186006]  ret_from_fork_asm+0x1a/0x30
[   37.189930] 
[   37.191430] The buggy address belongs to the object at ffff888105ba0f00
[   37.191430]  which belongs to the cache kmalloc-128 of size 128
[   37.203943] The buggy address is located 0 bytes inside of
[   37.203943]  freed 128-byte region [ffff888105ba0f00, ffff888105ba0f80)
[   37.216026] 
[   37.217526] The buggy address belongs to the physical page:
[   37.223098] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ba0
[   37.231105] flags: 0x200000000000000(node=0|zone=2)
[   37.235984] page_type: f5(slab)
[   37.239132] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   37.246881] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   37.254628] page dumped because: kasan: bad access detected
[   37.260200] 
[   37.261700] Memory state around the buggy address:
[   37.266492]  ffff888105ba0e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.273712]  ffff888105ba0e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.280931] >ffff888105ba0f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.288149]                    ^
[   37.291407]  ffff888105ba0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.298629]  ffff888105ba1000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   37.305847] ==================================================================
[   37.668902] ==================================================================
[   37.680663] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   37.687801] Read of size 1 at addr ffff8881066ea240 by task kunit_try_catch/272
[   37.695110] 
[   37.696609] CPU: 3 UID: 0 PID: 272 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   37.696618] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   37.696620] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   37.696624] Call Trace:
[   37.696626]  <TASK>
[   37.696628]  dump_stack_lvl+0x73/0xb0
[   37.696632]  print_report+0xd1/0x650
[   37.696636]  ? __virt_addr_valid+0x1db/0x2d0
[   37.696641]  ? mempool_uaf_helper+0x392/0x400
[   37.696645]  ? kasan_complete_mode_report_info+0x64/0x200
[   37.696650]  ? mempool_uaf_helper+0x392/0x400
[   37.696654]  kasan_report+0x141/0x180
[   37.696658]  ? mempool_uaf_helper+0x392/0x400
[   37.696663]  __asan_report_load1_noabort+0x18/0x20
[   37.696668]  mempool_uaf_helper+0x392/0x400
[   37.696672]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   37.696677]  ? __pfx_sched_clock_cpu+0x10/0x10
[   37.696680]  ? finish_task_switch.isra.0+0x153/0x700
[   37.696685]  mempool_slab_uaf+0xea/0x140
[   37.696689]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   37.696694]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   37.696699]  ? __pfx_mempool_free_slab+0x10/0x10
[   37.696704]  ? ktime_get_ts64+0x83/0x230
[   37.696708]  kunit_try_run_case+0x1a2/0x480
[   37.696713]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.696717]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   37.696722]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   37.696726]  ? __kthread_parkme+0x82/0x180
[   37.696729]  ? preempt_count_sub+0x50/0x80
[   37.696733]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.696738]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.696742]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   37.696747]  kthread+0x334/0x6f0
[   37.696750]  ? trace_preempt_on+0x20/0xc0
[   37.696754]  ? __pfx_kthread+0x10/0x10
[   37.696758]  ? _raw_spin_unlock_irq+0x47/0x80
[   37.696762]  ? calculate_sigpending+0x7b/0xa0
[   37.696766]  ? __pfx_kthread+0x10/0x10
[   37.696770]  ret_from_fork+0x113/0x1d0
[   37.696773]  ? __pfx_kthread+0x10/0x10
[   37.696777]  ret_from_fork_asm+0x1a/0x30
[   37.696783]  </TASK>
[   37.696784] 
[   37.885308] Allocated by task 272:
[   37.888712]  kasan_save_stack+0x45/0x70
[   37.892553]  kasan_save_track+0x18/0x40
[   37.896404]  kasan_save_alloc_info+0x3b/0x50
[   37.900680]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   37.905992]  remove_element+0x11e/0x190
[   37.909833]  mempool_alloc_preallocated+0x4d/0x90
[   37.914538]  mempool_uaf_helper+0x96/0x400
[   37.918638]  mempool_slab_uaf+0xea/0x140
[   37.922562]  kunit_try_run_case+0x1a2/0x480
[   37.926749]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.932151]  kthread+0x334/0x6f0
[   37.935404]  ret_from_fork+0x113/0x1d0
[   37.939161]  ret_from_fork_asm+0x1a/0x30
[   37.943087] 
[   37.944587] Freed by task 272:
[   37.947646]  kasan_save_stack+0x45/0x70
[   37.951486]  kasan_save_track+0x18/0x40
[   37.955323]  kasan_save_free_info+0x3f/0x60
[   37.959536]  __kasan_mempool_poison_object+0x131/0x1d0
[   37.964676]  mempool_free+0x2ec/0x380
[   37.968359]  mempool_uaf_helper+0x11a/0x400
[   37.972562]  mempool_slab_uaf+0xea/0x140
[   37.976488]  kunit_try_run_case+0x1a2/0x480
[   37.980674]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.986073]  kthread+0x334/0x6f0
[   37.989304]  ret_from_fork+0x113/0x1d0
[   37.993058]  ret_from_fork_asm+0x1a/0x30
[   37.996986] 
[   37.998483] The buggy address belongs to the object at ffff8881066ea240
[   37.998483]  which belongs to the cache test_cache of size 123
[   38.010911] The buggy address is located 0 bytes inside of
[   38.010911]  freed 123-byte region [ffff8881066ea240, ffff8881066ea2bb)
[   38.022994] 
[   38.024492] The buggy address belongs to the physical page:
[   38.030066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066ea
[   38.038072] flags: 0x200000000000000(node=0|zone=2)
[   38.042952] page_type: f5(slab)
[   38.046099] raw: 0200000000000000 ffff888103805400 dead000000000122 0000000000000000
[   38.053847] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   38.061587] page dumped because: kasan: bad access detected
[   38.067158] 
[   38.068658] Memory state around the buggy address:
[   38.073452]  ffff8881066ea100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   38.080678]  ffff8881066ea180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.087899] >ffff8881066ea200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   38.095118]                                            ^
[   38.100429]  ffff8881066ea280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   38.107650]  ffff8881066ea300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.114867] ==================================================================