Date
July 20, 2025, 11:12 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.575552] ================================================================== [ 18.575955] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.576082] Read of size 1 at addr fff00000c798c000 by task kunit_try_catch/229 [ 18.576489] [ 18.576547] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 18.576959] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.577032] Hardware name: linux,dummy-virt (DT) [ 18.577066] Call trace: [ 18.577329] show_stack+0x20/0x38 (C) [ 18.577648] dump_stack_lvl+0x8c/0xd0 [ 18.577756] print_report+0x118/0x5d0 [ 18.577868] kasan_report+0xdc/0x128 [ 18.577927] __asan_report_load1_noabort+0x20/0x30 [ 18.578385] mempool_uaf_helper+0x314/0x340 [ 18.578552] mempool_kmalloc_large_uaf+0xc4/0x120 [ 18.578638] kunit_try_run_case+0x170/0x3f0 [ 18.579007] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.579104] kthread+0x328/0x630 [ 18.579522] ret_from_fork+0x10/0x20 [ 18.579652] [ 18.579774] The buggy address belongs to the physical page: [ 18.580090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10798c [ 18.580162] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 18.580265] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 18.580395] page_type: f8(unknown) [ 18.580756] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.580861] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.580956] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.581054] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.581168] head: 0bfffe0000000002 ffffc1ffc31e6301 00000000ffffffff 00000000ffffffff [ 18.581538] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 18.581596] page dumped because: kasan: bad access detected [ 18.581638] [ 18.581657] Memory state around the buggy address: [ 18.581692] fff00000c798bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.581758] fff00000c798bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.581952] >fff00000c798c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.582288] ^ [ 18.582478] fff00000c798c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.582537] fff00000c798c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.582578] ================================================================== [ 18.632666] ================================================================== [ 18.632732] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.633106] Read of size 1 at addr fff00000c7990000 by task kunit_try_catch/233 [ 18.633232] [ 18.633357] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 18.633450] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.633476] Hardware name: linux,dummy-virt (DT) [ 18.633526] Call trace: [ 18.633551] show_stack+0x20/0x38 (C) [ 18.633604] dump_stack_lvl+0x8c/0xd0 [ 18.633826] print_report+0x118/0x5d0 [ 18.634054] kasan_report+0xdc/0x128 [ 18.634241] __asan_report_load1_noabort+0x20/0x30 [ 18.634765] mempool_uaf_helper+0x314/0x340 [ 18.635054] mempool_page_alloc_uaf+0xc0/0x118 [ 18.635237] kunit_try_run_case+0x170/0x3f0 [ 18.635514] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.635581] kthread+0x328/0x630 [ 18.635625] ret_from_fork+0x10/0x20 [ 18.635700] [ 18.635723] The buggy address belongs to the physical page: [ 18.635766] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107990 [ 18.635835] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.635915] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 18.635968] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 18.636009] page dumped because: kasan: bad access detected [ 18.636042] [ 18.636060] Memory state around the buggy address: [ 18.636104] fff00000c798ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.636150] fff00000c798ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.636196] >fff00000c7990000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.636235] ^ [ 18.636274] fff00000c7990080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.636316] fff00000c7990100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.636370] ==================================================================
[ 18.692602] ================================================================== [ 18.692710] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.692777] Read of size 1 at addr fff00000c79b8000 by task kunit_try_catch/229 [ 18.692829] [ 18.692965] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 18.693062] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.693090] Hardware name: linux,dummy-virt (DT) [ 18.693853] Call trace: [ 18.694415] show_stack+0x20/0x38 (C) [ 18.694766] dump_stack_lvl+0x8c/0xd0 [ 18.695197] print_report+0x118/0x5d0 [ 18.695731] kasan_report+0xdc/0x128 [ 18.696134] __asan_report_load1_noabort+0x20/0x30 [ 18.696544] mempool_uaf_helper+0x314/0x340 [ 18.696798] mempool_kmalloc_large_uaf+0xc4/0x120 [ 18.697132] kunit_try_run_case+0x170/0x3f0 [ 18.697216] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.697280] kthread+0x328/0x630 [ 18.697677] ret_from_fork+0x10/0x20 [ 18.697800] [ 18.697853] The buggy address belongs to the physical page: [ 18.697889] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1079b8 [ 18.698095] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 18.698298] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 18.698492] page_type: f8(unknown) [ 18.698568] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.698925] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.698994] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 18.699046] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 18.699491] head: 0bfffe0000000002 ffffc1ffc31e6e01 00000000ffffffff 00000000ffffffff [ 18.699716] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 18.699876] page dumped because: kasan: bad access detected [ 18.700129] [ 18.700155] Memory state around the buggy address: [ 18.700591] fff00000c79b7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.700971] fff00000c79b7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.701175] >fff00000c79b8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.701444] ^ [ 18.701635] fff00000c79b8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.701711] fff00000c79b8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.701778] ================================================================== [ 18.788816] ================================================================== [ 18.788890] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 18.789075] Read of size 1 at addr fff00000c79e8000 by task kunit_try_catch/233 [ 18.789129] [ 18.789173] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 18.789259] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.789287] Hardware name: linux,dummy-virt (DT) [ 18.789322] Call trace: [ 18.789347] show_stack+0x20/0x38 (C) [ 18.789398] dump_stack_lvl+0x8c/0xd0 [ 18.789450] print_report+0x118/0x5d0 [ 18.789496] kasan_report+0xdc/0x128 [ 18.789542] __asan_report_load1_noabort+0x20/0x30 [ 18.789594] mempool_uaf_helper+0x314/0x340 [ 18.789656] mempool_page_alloc_uaf+0xc0/0x118 [ 18.789702] kunit_try_run_case+0x170/0x3f0 [ 18.789753] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.789806] kthread+0x328/0x630 [ 18.789848] ret_from_fork+0x10/0x20 [ 18.789903] [ 18.789928] The buggy address belongs to the physical page: [ 18.789961] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1079e8 [ 18.790018] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.790089] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 18.790142] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 18.790184] page dumped because: kasan: bad access detected [ 18.790216] [ 18.790234] Memory state around the buggy address: [ 18.790268] fff00000c79e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.790313] fff00000c79e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.790357] >fff00000c79e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.790397] ^ [ 18.790424] fff00000c79e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.790466] fff00000c79e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 18.790505] ==================================================================
[ 14.208645] ================================================================== [ 14.209320] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.209566] Read of size 1 at addr ffff888103920000 by task kunit_try_catch/247 [ 14.209795] [ 14.209888] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 14.209936] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.209948] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.209971] Call Trace: [ 14.209983] <TASK> [ 14.210001] dump_stack_lvl+0x73/0xb0 [ 14.210032] print_report+0xd1/0x610 [ 14.210055] ? __virt_addr_valid+0x1db/0x2d0 [ 14.210089] ? mempool_uaf_helper+0x392/0x400 [ 14.210111] ? kasan_addr_to_slab+0x11/0xa0 [ 14.210132] ? mempool_uaf_helper+0x392/0x400 [ 14.210155] kasan_report+0x141/0x180 [ 14.210178] ? mempool_uaf_helper+0x392/0x400 [ 14.210206] __asan_report_load1_noabort+0x18/0x20 [ 14.210231] mempool_uaf_helper+0x392/0x400 [ 14.210255] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.210277] ? update_load_avg+0x1be/0x21b0 [ 14.210307] ? finish_task_switch.isra.0+0x153/0x700 [ 14.210333] mempool_kmalloc_large_uaf+0xef/0x140 [ 14.210357] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 14.211051] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.211088] ? __pfx_mempool_kfree+0x10/0x10 [ 14.211115] ? __pfx_read_tsc+0x10/0x10 [ 14.211136] ? ktime_get_ts64+0x86/0x230 [ 14.211164] kunit_try_run_case+0x1a5/0x480 [ 14.211190] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.211213] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.211237] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.211261] ? __kthread_parkme+0x82/0x180 [ 14.211282] ? preempt_count_sub+0x50/0x80 [ 14.211305] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.211329] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.211353] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.211377] kthread+0x337/0x6f0 [ 14.211406] ? trace_preempt_on+0x20/0xc0 [ 14.211430] ? __pfx_kthread+0x10/0x10 [ 14.211451] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.211472] ? calculate_sigpending+0x7b/0xa0 [ 14.211496] ? __pfx_kthread+0x10/0x10 [ 14.211519] ret_from_fork+0x116/0x1d0 [ 14.211538] ? __pfx_kthread+0x10/0x10 [ 14.211560] ret_from_fork_asm+0x1a/0x30 [ 14.211592] </TASK> [ 14.211603] [ 14.231482] The buggy address belongs to the physical page: [ 14.232268] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103920 [ 14.232901] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 14.233503] flags: 0x200000000000040(head|node=0|zone=2) [ 14.234178] page_type: f8(unknown) [ 14.234554] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.234893] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.235204] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.235525] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.235843] head: 0200000000000002 ffffea00040e4801 00000000ffffffff 00000000ffffffff [ 14.236168] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 14.236897] page dumped because: kasan: bad access detected [ 14.237598] [ 14.237833] Memory state around the buggy address: [ 14.238311] ffff88810391ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.238779] ffff88810391ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.239377] >ffff888103920000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.239849] ^ [ 14.240327] ffff888103920080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.240909] ffff888103920100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.241654] ================================================================== [ 14.288866] ================================================================== [ 14.289550] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.290688] Read of size 1 at addr ffff888103920000 by task kunit_try_catch/251 [ 14.291813] [ 14.292087] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 14.292140] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.292153] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.292176] Call Trace: [ 14.292190] <TASK> [ 14.292208] dump_stack_lvl+0x73/0xb0 [ 14.292240] print_report+0xd1/0x610 [ 14.292263] ? __virt_addr_valid+0x1db/0x2d0 [ 14.292288] ? mempool_uaf_helper+0x392/0x400 [ 14.292310] ? kasan_addr_to_slab+0x11/0xa0 [ 14.292330] ? mempool_uaf_helper+0x392/0x400 [ 14.292353] kasan_report+0x141/0x180 [ 14.292375] ? mempool_uaf_helper+0x392/0x400 [ 14.292414] __asan_report_load1_noabort+0x18/0x20 [ 14.292439] mempool_uaf_helper+0x392/0x400 [ 14.292462] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.292486] ? __kasan_check_write+0x18/0x20 [ 14.292506] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.292575] ? finish_task_switch.isra.0+0x153/0x700 [ 14.292604] mempool_page_alloc_uaf+0xed/0x140 [ 14.292641] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 14.292694] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 14.292721] ? __pfx_mempool_free_pages+0x10/0x10 [ 14.292748] ? __pfx_read_tsc+0x10/0x10 [ 14.292769] ? ktime_get_ts64+0x86/0x230 [ 14.292796] kunit_try_run_case+0x1a5/0x480 [ 14.292821] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.292843] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.292867] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.292890] ? __kthread_parkme+0x82/0x180 [ 14.292911] ? preempt_count_sub+0x50/0x80 [ 14.292934] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.292959] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.292982] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.293005] kthread+0x337/0x6f0 [ 14.293038] ? trace_preempt_on+0x20/0xc0 [ 14.293062] ? __pfx_kthread+0x10/0x10 [ 14.293083] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.293103] ? calculate_sigpending+0x7b/0xa0 [ 14.293128] ? __pfx_kthread+0x10/0x10 [ 14.293150] ret_from_fork+0x116/0x1d0 [ 14.293169] ? __pfx_kthread+0x10/0x10 [ 14.293190] ret_from_fork_asm+0x1a/0x30 [ 14.293222] </TASK> [ 14.293233] [ 14.307796] The buggy address belongs to the physical page: [ 14.307986] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103920 [ 14.308952] flags: 0x200000000000000(node=0|zone=2) [ 14.309543] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 14.310001] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 14.310728] page dumped because: kasan: bad access detected [ 14.310902] [ 14.310973] Memory state around the buggy address: [ 14.311425] ffff88810391ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.312166] ffff88810391ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.312893] >ffff888103920000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.313374] ^ [ 14.313780] ffff888103920080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.314254] ffff888103920100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.314482] ==================================================================
[ 14.310943] ================================================================== [ 14.311620] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.311869] Read of size 1 at addr ffff8881038c0000 by task kunit_try_catch/247 [ 14.312105] [ 14.312212] CPU: 0 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 14.312262] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.312276] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.312300] Call Trace: [ 14.312313] <TASK> [ 14.312337] dump_stack_lvl+0x73/0xb0 [ 14.312370] print_report+0xd1/0x610 [ 14.312393] ? __virt_addr_valid+0x1db/0x2d0 [ 14.312419] ? mempool_uaf_helper+0x392/0x400 [ 14.312440] ? kasan_addr_to_slab+0x11/0xa0 [ 14.312461] ? mempool_uaf_helper+0x392/0x400 [ 14.312483] kasan_report+0x141/0x180 [ 14.312504] ? mempool_uaf_helper+0x392/0x400 [ 14.312530] __asan_report_load1_noabort+0x18/0x20 [ 14.312554] mempool_uaf_helper+0x392/0x400 [ 14.312577] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.312600] ? __kasan_check_write+0x18/0x20 [ 14.312618] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.312642] ? finish_task_switch.isra.0+0x153/0x700 [ 14.312668] mempool_kmalloc_large_uaf+0xef/0x140 [ 14.312691] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 14.312717] ? __pfx_mempool_kmalloc+0x10/0x10 [ 14.312741] ? __pfx_mempool_kfree+0x10/0x10 [ 14.312766] ? __pfx_read_tsc+0x10/0x10 [ 14.312788] ? ktime_get_ts64+0x86/0x230 [ 14.312813] kunit_try_run_case+0x1a5/0x480 [ 14.312840] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.312862] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.312887] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.312910] ? __kthread_parkme+0x82/0x180 [ 14.312931] ? preempt_count_sub+0x50/0x80 [ 14.312954] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.312978] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.313000] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.313024] kthread+0x337/0x6f0 [ 14.313043] ? trace_preempt_on+0x20/0xc0 [ 14.313067] ? __pfx_kthread+0x10/0x10 [ 14.313087] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.313108] ? calculate_sigpending+0x7b/0xa0 [ 14.313133] ? __pfx_kthread+0x10/0x10 [ 14.313190] ret_from_fork+0x116/0x1d0 [ 14.313210] ? __pfx_kthread+0x10/0x10 [ 14.313230] ret_from_fork_asm+0x1a/0x30 [ 14.313262] </TASK> [ 14.313273] [ 14.331742] The buggy address belongs to the physical page: [ 14.331955] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038c0 [ 14.332231] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 14.332567] flags: 0x200000000000040(head|node=0|zone=2) [ 14.332780] page_type: f8(unknown) [ 14.332961] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.333380] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.333690] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 14.334087] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 14.334439] head: 0200000000000002 ffffea00040e3001 00000000ffffffff 00000000ffffffff [ 14.334747] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 14.335110] page dumped because: kasan: bad access detected [ 14.335405] [ 14.335488] Memory state around the buggy address: [ 14.335707] ffff8881038bff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.336049] ffff8881038bff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.336365] >ffff8881038c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.336683] ^ [ 14.336916] ffff8881038c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.337212] ffff8881038c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.337515] ================================================================== [ 14.387621] ================================================================== [ 14.388665] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 14.389168] Read of size 1 at addr ffff8881038c0000 by task kunit_try_catch/251 [ 14.389936] [ 14.390142] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 14.390203] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.390217] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.390240] Call Trace: [ 14.390256] <TASK> [ 14.390275] dump_stack_lvl+0x73/0xb0 [ 14.390329] print_report+0xd1/0x610 [ 14.390353] ? __virt_addr_valid+0x1db/0x2d0 [ 14.390379] ? mempool_uaf_helper+0x392/0x400 [ 14.390400] ? kasan_addr_to_slab+0x11/0xa0 [ 14.390421] ? mempool_uaf_helper+0x392/0x400 [ 14.390443] kasan_report+0x141/0x180 [ 14.390464] ? mempool_uaf_helper+0x392/0x400 [ 14.390491] __asan_report_load1_noabort+0x18/0x20 [ 14.390515] mempool_uaf_helper+0x392/0x400 [ 14.390537] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 14.390560] ? __kasan_check_write+0x18/0x20 [ 14.390579] ? __pfx_sched_clock_cpu+0x10/0x10 [ 14.390602] ? finish_task_switch.isra.0+0x153/0x700 [ 14.390629] mempool_page_alloc_uaf+0xed/0x140 [ 14.390652] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 14.390678] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 14.390703] ? __pfx_mempool_free_pages+0x10/0x10 [ 14.390728] ? __pfx_read_tsc+0x10/0x10 [ 14.390749] ? ktime_get_ts64+0x86/0x230 [ 14.390773] kunit_try_run_case+0x1a5/0x480 [ 14.390802] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.390825] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.390856] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.390879] ? __kthread_parkme+0x82/0x180 [ 14.390900] ? preempt_count_sub+0x50/0x80 [ 14.390924] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.390948] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.390971] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.390994] kthread+0x337/0x6f0 [ 14.391014] ? trace_preempt_on+0x20/0xc0 [ 14.391037] ? __pfx_kthread+0x10/0x10 [ 14.391058] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.391078] ? calculate_sigpending+0x7b/0xa0 [ 14.391103] ? __pfx_kthread+0x10/0x10 [ 14.391124] ret_from_fork+0x116/0x1d0 [ 14.391142] ? __pfx_kthread+0x10/0x10 [ 14.391170] ret_from_fork_asm+0x1a/0x30 [ 14.391200] </TASK> [ 14.391211] [ 14.405780] The buggy address belongs to the physical page: [ 14.406111] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038c0 [ 14.406960] flags: 0x200000000000000(node=0|zone=2) [ 14.407505] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 14.408103] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 14.408595] page dumped because: kasan: bad access detected [ 14.409104] [ 14.409216] Memory state around the buggy address: [ 14.409712] ffff8881038bff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.410193] ffff8881038bff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.410545] >ffff8881038c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.410782] ^ [ 14.410946] ffff8881038c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.411648] ffff8881038c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 14.412425] ==================================================================