Hay
Sign in
Date
Nov. 26, 2024, 6:09 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   33.678059] ==================================================================
[   33.679226] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   33.680797] Read of size 1 at addr fff00000c58e3240 by task kunit_try_catch/220
[   33.681815] 
[   33.682262] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   33.683510] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.684130] Hardware name: linux,dummy-virt (DT)
[   33.684968] Call trace:
[   33.685364]  show_stack+0x20/0x38 (C)
[   33.685940]  dump_stack_lvl+0x8c/0xd0
[   33.686496]  print_report+0x118/0x5e0
[   33.687118]  kasan_report+0xc8/0x118
[   33.687645]  __asan_report_load1_noabort+0x20/0x30
[   33.688616]  mempool_uaf_helper+0x314/0x340
[   33.689656]  mempool_slab_uaf+0xb8/0x110
[   33.690194]  kunit_try_run_case+0x14c/0x3d0
[   33.690729]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.691378]  kthread+0x24c/0x2d0
[   33.691817]  ret_from_fork+0x10/0x20
[   33.692475] 
[   33.693016] Allocated by task 220:
[   33.693600]  kasan_save_stack+0x3c/0x68
[   33.694282]  kasan_save_track+0x20/0x40
[   33.695092]  kasan_save_alloc_info+0x40/0x58
[   33.695876]  __kasan_mempool_unpoison_object+0xbc/0x180
[   33.697134]  remove_element+0x16c/0x1f8
[   33.697898]  mempool_alloc_preallocated+0x58/0xc0
[   33.698530]  mempool_uaf_helper+0xa4/0x340
[   33.699091]  mempool_slab_uaf+0xb8/0x110
[   33.699617]  kunit_try_run_case+0x14c/0x3d0
[   33.700838]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.701757]  kthread+0x24c/0x2d0
[   33.702417]  ret_from_fork+0x10/0x20
[   33.703152] 
[   33.703691] Freed by task 220:
[   33.704396]  kasan_save_stack+0x3c/0x68
[   33.705319]  kasan_save_track+0x20/0x40
[   33.705856]  kasan_save_free_info+0x4c/0x78
[   33.706420]  __kasan_mempool_poison_object+0xc0/0x150
[   33.707486]  mempool_free+0x28c/0x328
[   33.708200]  mempool_uaf_helper+0x104/0x340
[   33.709142]  mempool_slab_uaf+0xb8/0x110
[   33.710000]  kunit_try_run_case+0x14c/0x3d0
[   33.710815]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.711723]  kthread+0x24c/0x2d0
[   33.712531]  ret_from_fork+0x10/0x20
[   33.712876] 
[   33.713067] The buggy address belongs to the object at fff00000c58e3240
[   33.713067]  which belongs to the cache test_cache of size 123
[   33.713598] The buggy address is located 0 bytes inside of
[   33.713598]  freed 123-byte region [fff00000c58e3240, fff00000c58e32bb)
[   33.714350] 
[   33.714741] The buggy address belongs to the physical page:
[   33.715430] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058e3
[   33.717325] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.718205] page_type: f5(slab)
[   33.718960] raw: 0bfffe0000000000 fff00000c59253c0 dead000000000122 0000000000000000
[   33.719866] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[   33.720696] page dumped because: kasan: bad access detected
[   33.721308] 
[   33.721665] Memory state around the buggy address:
[   33.722572]  fff00000c58e3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.723381]  fff00000c58e3180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.724526] >fff00000c58e3200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   33.725449]                                            ^
[   33.726054]  fff00000c58e3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.726870]  fff00000c58e3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.727694] ==================================================================
[   33.566013] ==================================================================
[   33.567047] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   33.567993] Read of size 1 at addr fff00000c5922c00 by task kunit_try_catch/216
[   33.569862] 
[   33.570324] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   33.571519] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.572119] Hardware name: linux,dummy-virt (DT)
[   33.572677] Call trace:
[   33.573473]  show_stack+0x20/0x38 (C)
[   33.574139]  dump_stack_lvl+0x8c/0xd0
[   33.574764]  print_report+0x118/0x5e0
[   33.575443]  kasan_report+0xc8/0x118
[   33.576061]  __asan_report_load1_noabort+0x20/0x30
[   33.577043]  mempool_uaf_helper+0x314/0x340
[   33.577445]  mempool_kmalloc_uaf+0xbc/0x118
[   33.578163]  kunit_try_run_case+0x14c/0x3d0
[   33.578858]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.579698]  kthread+0x24c/0x2d0
[   33.580300]  ret_from_fork+0x10/0x20
[   33.581145] 
[   33.581510] Allocated by task 216:
[   33.582109]  kasan_save_stack+0x3c/0x68
[   33.582754]  kasan_save_track+0x20/0x40
[   33.583314]  kasan_save_alloc_info+0x40/0x58
[   33.584019]  __kasan_mempool_unpoison_object+0x11c/0x180
[   33.584695]  remove_element+0x130/0x1f8
[   33.585148]  mempool_alloc_preallocated+0x58/0xc0
[   33.586240]  mempool_uaf_helper+0xa4/0x340
[   33.587515]  mempool_kmalloc_uaf+0xbc/0x118
[   33.588863]  kunit_try_run_case+0x14c/0x3d0
[   33.589581]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.590306]  kthread+0x24c/0x2d0
[   33.590864]  ret_from_fork+0x10/0x20
[   33.591445] 
[   33.591844] Freed by task 216:
[   33.592398]  kasan_save_stack+0x3c/0x68
[   33.593023]  kasan_save_track+0x20/0x40
[   33.593757]  kasan_save_free_info+0x4c/0x78
[   33.594393]  __kasan_mempool_poison_object+0xc0/0x150
[   33.595029]  mempool_free+0x28c/0x328
[   33.595685]  mempool_uaf_helper+0x104/0x340
[   33.596537]  mempool_kmalloc_uaf+0xbc/0x118
[   33.597471]  kunit_try_run_case+0x14c/0x3d0
[   33.598107]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.599013]  kthread+0x24c/0x2d0
[   33.599694]  ret_from_fork+0x10/0x20
[   33.600468] 
[   33.600825] The buggy address belongs to the object at fff00000c5922c00
[   33.600825]  which belongs to the cache kmalloc-128 of size 128
[   33.602005] The buggy address is located 0 bytes inside of
[   33.602005]  freed 128-byte region [fff00000c5922c00, fff00000c5922c80)
[   33.603269] 
[   33.603577] The buggy address belongs to the physical page:
[   33.604217] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105922
[   33.605173] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.605815] page_type: f5(slab)
[   33.607361] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   33.608890] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   33.609766] page dumped because: kasan: bad access detected
[   33.610391] 
[   33.610794] Memory state around the buggy address:
[   33.611417]  fff00000c5922b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.612151]  fff00000c5922b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.613572] >fff00000c5922c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.614375]                    ^
[   33.614989]  fff00000c5922c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.615760]  fff00000c5922d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.616994] ==================================================================
Metadata Full log Test run details 

[   33.594707] ==================================================================
[   33.595828] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   33.596741] Read of size 1 at addr fff00000c5e7b400 by task kunit_try_catch/216
[   33.597375] 
[   33.598125] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   33.599709] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.600431] Hardware name: linux,dummy-virt (DT)
[   33.601148] Call trace:
[   33.601868]  show_stack+0x20/0x38 (C)
[   33.602295]  dump_stack_lvl+0x8c/0xd0
[   33.602974]  print_report+0x118/0x5e0
[   33.603515]  kasan_report+0xc8/0x118
[   33.604173]  __asan_report_load1_noabort+0x20/0x30
[   33.604841]  mempool_uaf_helper+0x314/0x340
[   33.605572]  mempool_kmalloc_uaf+0xbc/0x118
[   33.606484]  kunit_try_run_case+0x14c/0x3d0
[   33.607079]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.607912]  kthread+0x24c/0x2d0
[   33.608418]  ret_from_fork+0x10/0x20
[   33.609135] 
[   33.609511] Allocated by task 216:
[   33.610466]  kasan_save_stack+0x3c/0x68
[   33.611241]  kasan_save_track+0x20/0x40
[   33.611832]  kasan_save_alloc_info+0x40/0x58
[   33.612498]  __kasan_mempool_unpoison_object+0x11c/0x180
[   33.613084]  remove_element+0x130/0x1f8
[   33.613770]  mempool_alloc_preallocated+0x58/0xc0
[   33.614696]  mempool_uaf_helper+0xa4/0x340
[   33.615681]  mempool_kmalloc_uaf+0xbc/0x118
[   33.616652]  kunit_try_run_case+0x14c/0x3d0
[   33.617252]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.618381]  kthread+0x24c/0x2d0
[   33.618978]  ret_from_fork+0x10/0x20
[   33.619502] 
[   33.620315] Freed by task 216:
[   33.620863]  kasan_save_stack+0x3c/0x68
[   33.621397]  kasan_save_track+0x20/0x40
[   33.622317]  kasan_save_free_info+0x4c/0x78
[   33.622728]  __kasan_mempool_poison_object+0xc0/0x150
[   33.623031]  mempool_free+0x28c/0x328
[   33.623272]  mempool_uaf_helper+0x104/0x340
[   33.623556]  mempool_kmalloc_uaf+0xbc/0x118
[   33.624070]  kunit_try_run_case+0x14c/0x3d0
[   33.624772]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.625514]  kthread+0x24c/0x2d0
[   33.626429]  ret_from_fork+0x10/0x20
[   33.627035] 
[   33.627471] The buggy address belongs to the object at fff00000c5e7b400
[   33.627471]  which belongs to the cache kmalloc-128 of size 128
[   33.628712] The buggy address is located 0 bytes inside of
[   33.628712]  freed 128-byte region [fff00000c5e7b400, fff00000c5e7b480)
[   33.630589] 
[   33.631041] The buggy address belongs to the physical page:
[   33.631954] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e7b
[   33.632990] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.634421] page_type: f5(slab)
[   33.635278] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   33.636474] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   33.637509] page dumped because: kasan: bad access detected
[   33.638463] 
[   33.638883] Memory state around the buggy address:
[   33.639515]  fff00000c5e7b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.640424]  fff00000c5e7b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.641317] >fff00000c5e7b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.642399]                    ^
[   33.643170]  fff00000c5e7b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.644036]  fff00000c5e7b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.644947] ==================================================================
[   33.701307] ==================================================================
[   33.702466] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   33.703407] Read of size 1 at addr fff00000c65a0240 by task kunit_try_catch/220
[   33.705726] 
[   33.706463] CPU: 0 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   33.707662] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.708138] Hardware name: linux,dummy-virt (DT)
[   33.709037] Call trace:
[   33.709640]  show_stack+0x20/0x38 (C)
[   33.710221]  dump_stack_lvl+0x8c/0xd0
[   33.710818]  print_report+0x118/0x5e0
[   33.711735]  kasan_report+0xc8/0x118
[   33.712363]  __asan_report_load1_noabort+0x20/0x30
[   33.713762]  mempool_uaf_helper+0x314/0x340
[   33.714670]  mempool_slab_uaf+0xb8/0x110
[   33.715399]  kunit_try_run_case+0x14c/0x3d0
[   33.716094]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.716843]  kthread+0x24c/0x2d0
[   33.717434]  ret_from_fork+0x10/0x20
[   33.718158] 
[   33.718908] Allocated by task 220:
[   33.719365]  kasan_save_stack+0x3c/0x68
[   33.720009]  kasan_save_track+0x20/0x40
[   33.720695]  kasan_save_alloc_info+0x40/0x58
[   33.721258]  __kasan_mempool_unpoison_object+0xbc/0x180
[   33.722060]  remove_element+0x16c/0x1f8
[   33.722682]  mempool_alloc_preallocated+0x58/0xc0
[   33.723641]  mempool_uaf_helper+0xa4/0x340
[   33.724246]  mempool_slab_uaf+0xb8/0x110
[   33.724908]  kunit_try_run_case+0x14c/0x3d0
[   33.726647]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.727430]  kthread+0x24c/0x2d0
[   33.728026]  ret_from_fork+0x10/0x20
[   33.728666] 
[   33.729055] Freed by task 220:
[   33.729606]  kasan_save_stack+0x3c/0x68
[   33.730190]  kasan_save_track+0x20/0x40
[   33.730783]  kasan_save_free_info+0x4c/0x78
[   33.731442]  __kasan_mempool_poison_object+0xc0/0x150
[   33.732190]  mempool_free+0x28c/0x328
[   33.733162]  mempool_uaf_helper+0x104/0x340
[   33.734663]  mempool_slab_uaf+0xb8/0x110
[   33.735220]  kunit_try_run_case+0x14c/0x3d0
[   33.735902]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.736620]  kthread+0x24c/0x2d0
[   33.737106]  ret_from_fork+0x10/0x20
[   33.738089] 
[   33.738466] The buggy address belongs to the object at fff00000c65a0240
[   33.738466]  which belongs to the cache test_cache of size 123
[   33.739812] The buggy address is located 0 bytes inside of
[   33.739812]  freed 123-byte region [fff00000c65a0240, fff00000c65a02bb)
[   33.740950] 
[   33.741327] The buggy address belongs to the physical page:
[   33.743110] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065a0
[   33.744047] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.744796] page_type: f5(slab)
[   33.745355] raw: 0bfffe0000000000 fff00000c659c000 dead000000000122 0000000000000000
[   33.746736] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[   33.747576] page dumped because: kasan: bad access detected
[   33.748234] 
[   33.748630] Memory state around the buggy address:
[   33.749279]  fff00000c65a0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.751078]  fff00000c65a0180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.751885] >fff00000c65a0200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   33.752681]                                            ^
[   33.753414]  fff00000c65a0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.754713]  fff00000c65a0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.755522] ==================================================================
Metadata Full log Test run details 

[   27.806850] ==================================================================
[   27.807148] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   27.807148] Read of size 1 at addr ffff8881028f1240 by task kunit_try_catch/240
[   27.807148] 
[   27.807148] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   27.807148] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.807148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.807148] Call Trace:
[   27.807148]  <TASK>
[   27.807148]  dump_stack_lvl+0x73/0xb0
[   27.807148]  print_report+0xd1/0x640
[   27.807148]  ? __virt_addr_valid+0x1db/0x2d0
[   27.807148]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.807148]  kasan_report+0x102/0x140
[   27.807148]  ? mempool_uaf_helper+0x394/0x400
[   27.807148]  ? mempool_uaf_helper+0x394/0x400
[   27.807148]  __asan_report_load1_noabort+0x18/0x20
[   27.807148]  mempool_uaf_helper+0x394/0x400
[   27.807148]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   27.807148]  ? ktime_get_ts64+0x84/0x230
[   27.807148]  ? trace_hardirqs_on+0x37/0xe0
[   27.807148]  mempool_slab_uaf+0xae/0x100
[   27.807148]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   27.807148]  ? __switch_to+0x5d9/0xf60
[   27.807148]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   27.807148]  ? __pfx_mempool_free_slab+0x10/0x10
[   27.807148]  ? ktime_get_ts64+0x84/0x230
[   27.807148]  kunit_try_run_case+0x1b3/0x490
[   27.807148]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.807148]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   27.807148]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.807148]  ? __kthread_parkme+0x82/0x160
[   27.807148]  ? preempt_count_sub+0x50/0x80
[   27.807148]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.807148]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.807148]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.807148]  kthread+0x257/0x310
[   27.807148]  ? __pfx_kthread+0x10/0x10
[   27.807148]  ret_from_fork+0x41/0x80
[   27.807148]  ? __pfx_kthread+0x10/0x10
[   27.807148]  ret_from_fork_asm+0x1a/0x30
[   27.807148]  </TASK>
[   27.807148] 
[   27.807148] Allocated by task 240:
[   27.807148]  kasan_save_stack+0x3d/0x60
[   27.807148]  kasan_save_track+0x18/0x40
[   27.807148]  kasan_save_alloc_info+0x3b/0x50
[   27.807148]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   27.807148]  remove_element+0x11e/0x190
[   27.807148]  mempool_alloc_preallocated+0x4d/0x90
[   27.807148]  mempool_uaf_helper+0x97/0x400
[   27.807148]  mempool_slab_uaf+0xae/0x100
[   27.807148]  kunit_try_run_case+0x1b3/0x490
[   27.807148]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.807148]  kthread+0x257/0x310
[   27.807148]  ret_from_fork+0x41/0x80
[   27.807148]  ret_from_fork_asm+0x1a/0x30
[   27.807148] 
[   27.807148] Freed by task 240:
[   27.807148]  kasan_save_stack+0x3d/0x60
[   27.807148]  kasan_save_track+0x18/0x40
[   27.807148]  kasan_save_free_info+0x3f/0x60
[   27.807148]  __kasan_mempool_poison_object+0x131/0x1d0
[   27.807148]  mempool_free+0x2ec/0x380
[   27.807148]  mempool_uaf_helper+0x11b/0x400
[   27.807148]  mempool_slab_uaf+0xae/0x100
[   27.807148]  kunit_try_run_case+0x1b3/0x490
[   27.807148]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.807148]  kthread+0x257/0x310
[   27.807148]  ret_from_fork+0x41/0x80
[   27.807148]  ret_from_fork_asm+0x1a/0x30
[   27.807148] 
[   27.807148] The buggy address belongs to the object at ffff8881028f1240
[   27.807148]  which belongs to the cache test_cache of size 123
[   27.807148] The buggy address is located 0 bytes inside of
[   27.807148]  freed 123-byte region [ffff8881028f1240, ffff8881028f12bb)
[   27.807148] 
[   27.807148] The buggy address belongs to the physical page:
[   27.807148] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028f1
[   27.807148] flags: 0x200000000000000(node=0|zone=2)
[   27.807148] page_type: f5(slab)
[   27.807148] raw: 0200000000000000 ffff8881028ee000 dead000000000122 0000000000000000
[   27.807148] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[   27.807148] page dumped because: kasan: bad access detected
[   27.807148] 
[   27.807148] Memory state around the buggy address:
[   27.807148]  ffff8881028f1100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.807148]  ffff8881028f1180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.807148] >ffff8881028f1200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   27.807148]                                            ^
[   27.807148]  ffff8881028f1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.807148]  ffff8881028f1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.807148] ==================================================================
[   27.683747] ==================================================================
[   27.684155] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   27.684155] Read of size 1 at addr ffff8881028e5a00 by task kunit_try_catch/236
[   27.684155] 
[   27.684155] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   27.684155] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.684155] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.684155] Call Trace:
[   27.684155]  <TASK>
[   27.684155]  dump_stack_lvl+0x73/0xb0
[   27.684155]  print_report+0xd1/0x640
[   27.684155]  ? __virt_addr_valid+0x1db/0x2d0
[   27.684155]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.684155]  kasan_report+0x102/0x140
[   27.684155]  ? mempool_uaf_helper+0x394/0x400
[   27.684155]  ? mempool_uaf_helper+0x394/0x400
[   27.684155]  __asan_report_load1_noabort+0x18/0x20
[   27.684155]  mempool_uaf_helper+0x394/0x400
[   27.684155]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   27.684155]  ? read_hpet+0x1f0/0x230
[   27.684155]  ? ktime_get_ts64+0x84/0x230
[   27.684155]  ? trace_hardirqs_on+0x37/0xe0
[   27.684155]  mempool_kmalloc_uaf+0xb3/0x100
[   27.684155]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   27.684155]  ? __switch_to+0x5d9/0xf60
[   27.684155]  ? __pfx_mempool_kmalloc+0x10/0x10
[   27.684155]  ? __pfx_mempool_kfree+0x10/0x10
[   27.684155]  ? ktime_get_ts64+0x84/0x230
[   27.684155]  kunit_try_run_case+0x1b3/0x490
[   27.684155]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.684155]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   27.684155]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.684155]  ? __kthread_parkme+0x82/0x160
[   27.684155]  ? preempt_count_sub+0x50/0x80
[   27.684155]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.684155]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.684155]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.684155]  kthread+0x257/0x310
[   27.684155]  ? __pfx_kthread+0x10/0x10
[   27.684155]  ret_from_fork+0x41/0x80
[   27.684155]  ? __pfx_kthread+0x10/0x10
[   27.684155]  ret_from_fork_asm+0x1a/0x30
[   27.684155]  </TASK>
[   27.684155] 
[   27.684155] Allocated by task 236:
[   27.684155]  kasan_save_stack+0x3d/0x60
[   27.684155]  kasan_save_track+0x18/0x40
[   27.684155]  kasan_save_alloc_info+0x3b/0x50
[   27.684155]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   27.684155]  remove_element+0x11e/0x190
[   27.684155]  mempool_alloc_preallocated+0x4d/0x90
[   27.684155]  mempool_uaf_helper+0x97/0x400
[   27.684155]  mempool_kmalloc_uaf+0xb3/0x100
[   27.684155]  kunit_try_run_case+0x1b3/0x490
[   27.684155]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.684155]  kthread+0x257/0x310
[   27.684155]  ret_from_fork+0x41/0x80
[   27.684155]  ret_from_fork_asm+0x1a/0x30
[   27.684155] 
[   27.684155] Freed by task 236:
[   27.684155]  kasan_save_stack+0x3d/0x60
[   27.684155]  kasan_save_track+0x18/0x40
[   27.684155]  kasan_save_free_info+0x3f/0x60
[   27.684155]  __kasan_mempool_poison_object+0x131/0x1d0
[   27.684155]  mempool_free+0x2ec/0x380
[   27.684155]  mempool_uaf_helper+0x11b/0x400
[   27.684155]  mempool_kmalloc_uaf+0xb3/0x100
[   27.684155]  kunit_try_run_case+0x1b3/0x490
[   27.684155]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.684155]  kthread+0x257/0x310
[   27.684155]  ret_from_fork+0x41/0x80
[   27.684155]  ret_from_fork_asm+0x1a/0x30
[   27.684155] 
[   27.684155] The buggy address belongs to the object at ffff8881028e5a00
[   27.684155]  which belongs to the cache kmalloc-128 of size 128
[   27.684155] The buggy address is located 0 bytes inside of
[   27.684155]  freed 128-byte region [ffff8881028e5a00, ffff8881028e5a80)
[   27.684155] 
[   27.684155] The buggy address belongs to the physical page:
[   27.684155] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028e5
[   27.684155] flags: 0x200000000000000(node=0|zone=2)
[   27.684155] page_type: f5(slab)
[   27.684155] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   27.684155] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   27.684155] page dumped because: kasan: bad access detected
[   27.684155] 
[   27.684155] Memory state around the buggy address:
[   27.684155]  ffff8881028e5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.684155]  ffff8881028e5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.684155] >ffff8881028e5a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.684155]                    ^
[   27.684155]  ffff8881028e5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.684155]  ffff8881028e5b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.684155] ==================================================================
Metadata Full log Test run details 

[   22.742234] ==================================================================
[   22.743305] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   22.744028] Read of size 1 at addr ffff8881028c6240 by task kunit_try_catch/238
[   22.744686] 
[   22.745089] CPU: 0 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   22.745864] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.746508] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.747381] Call Trace:
[   22.747716]  <TASK>
[   22.748526]  dump_stack_lvl+0x73/0xb0
[   22.748912]  print_report+0xd1/0x640
[   22.749527]  ? __virt_addr_valid+0x1db/0x2d0
[   22.750876]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.751366]  kasan_report+0x102/0x140
[   22.751714]  ? mempool_uaf_helper+0x394/0x400
[   22.752363]  ? mempool_uaf_helper+0x394/0x400
[   22.753289]  __asan_report_load1_noabort+0x18/0x20
[   22.753672]  mempool_uaf_helper+0x394/0x400
[   22.754120]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   22.754580]  ? irqentry_exit+0x2a/0x60
[   22.754947]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   22.755359]  mempool_slab_uaf+0xae/0x100
[   22.756816]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   22.757688]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   22.758298]  ? __pfx_mempool_free_slab+0x10/0x10
[   22.758760]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   22.759740]  kunit_try_run_case+0x1b3/0x490
[   22.760787]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.761341]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   22.762222]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.762848]  ? __kthread_parkme+0x82/0x160
[   22.763608]  ? preempt_count_sub+0x50/0x80
[   22.764159]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.765050]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.765775]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.766393]  kthread+0x257/0x310
[   22.766832]  ? __pfx_kthread+0x10/0x10
[   22.767550]  ret_from_fork+0x41/0x80
[   22.768166]  ? __pfx_kthread+0x10/0x10
[   22.768737]  ret_from_fork_asm+0x1a/0x30
[   22.769157]  </TASK>
[   22.769699] 
[   22.769986] Allocated by task 238:
[   22.770351]  kasan_save_stack+0x3d/0x60
[   22.771071]  kasan_save_track+0x18/0x40
[   22.771735]  kasan_save_alloc_info+0x3b/0x50
[   22.772470]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   22.773319]  remove_element+0x11e/0x190
[   22.773990]  mempool_alloc_preallocated+0x4d/0x90
[   22.774423]  mempool_uaf_helper+0x97/0x400
[   22.774875]  mempool_slab_uaf+0xae/0x100
[   22.775750]  kunit_try_run_case+0x1b3/0x490
[   22.776320]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.776913]  kthread+0x257/0x310
[   22.777877]  ret_from_fork+0x41/0x80
[   22.778637]  ret_from_fork_asm+0x1a/0x30
[   22.779316] 
[   22.779565] Freed by task 238:
[   22.779992]  kasan_save_stack+0x3d/0x60
[   22.780540]  kasan_save_track+0x18/0x40
[   22.780888]  kasan_save_free_info+0x3f/0x60
[   22.781307]  __kasan_mempool_poison_object+0x131/0x1d0
[   22.782404]  mempool_free+0x2ec/0x380
[   22.782759]  mempool_uaf_helper+0x11b/0x400
[   22.783048]  mempool_slab_uaf+0xae/0x100
[   22.783466]  kunit_try_run_case+0x1b3/0x490
[   22.783931]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.784964]  kthread+0x257/0x310
[   22.785343]  ret_from_fork+0x41/0x80
[   22.785800]  ret_from_fork_asm+0x1a/0x30
[   22.786454] 
[   22.787344] The buggy address belongs to the object at ffff8881028c6240
[   22.787344]  which belongs to the cache test_cache of size 123
[   22.788865] The buggy address is located 0 bytes inside of
[   22.788865]  freed 123-byte region [ffff8881028c6240, ffff8881028c62bb)
[   22.790255] 
[   22.790519] The buggy address belongs to the physical page:
[   22.791338] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028c6
[   22.791972] flags: 0x200000000000000(node=0|zone=2)
[   22.792310] page_type: f5(slab)
[   22.792910] raw: 0200000000000000 ffff888101b1ea00 dead000000000122 0000000000000000
[   22.794319] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[   22.794817] page dumped because: kasan: bad access detected
[   22.795508] 
[   22.795752] Memory state around the buggy address:
[   22.796037]  ffff8881028c6100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.796866]  ffff8881028c6180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.797335] >ffff8881028c6200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   22.797902]                                            ^
[   22.798506]  ffff8881028c6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.799281]  ffff8881028c6300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.799668] ==================================================================
[   22.624868] ==================================================================
[   22.625816] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   22.626242] Read of size 1 at addr ffff8881028c3300 by task kunit_try_catch/234
[   22.627167] 
[   22.627335] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   22.628266] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.629255] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.630824] Call Trace:
[   22.631129]  <TASK>
[   22.631416]  dump_stack_lvl+0x73/0xb0
[   22.631895]  print_report+0xd1/0x640
[   22.632330]  ? __virt_addr_valid+0x1db/0x2d0
[   22.633756]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.634877]  kasan_report+0x102/0x140
[   22.635151]  ? mempool_uaf_helper+0x394/0x400
[   22.636051]  ? mempool_uaf_helper+0x394/0x400
[   22.636842]  __asan_report_load1_noabort+0x18/0x20
[   22.637844]  mempool_uaf_helper+0x394/0x400
[   22.638414]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   22.638955]  ? finish_task_switch.isra.0+0x153/0x700
[   22.639679]  mempool_kmalloc_uaf+0xb3/0x100
[   22.640172]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   22.640735]  ? __switch_to+0x5d9/0xf60
[   22.641592]  ? __pfx_mempool_kmalloc+0x10/0x10
[   22.642073]  ? __pfx_mempool_kfree+0x10/0x10
[   22.642520]  ? __pfx_read_tsc+0x10/0x10
[   22.643196]  ? ktime_get_ts64+0x84/0x230
[   22.643804]  kunit_try_run_case+0x1b3/0x490
[   22.644325]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.644824]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   22.645831]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.646477]  ? __kthread_parkme+0x82/0x160
[   22.647381]  ? preempt_count_sub+0x50/0x80
[   22.647771]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.648516]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.649676]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.650269]  kthread+0x257/0x310
[   22.650630]  ? __pfx_kthread+0x10/0x10
[   22.650941]  ret_from_fork+0x41/0x80
[   22.651358]  ? __pfx_kthread+0x10/0x10
[   22.652038]  ret_from_fork_asm+0x1a/0x30
[   22.652583]  </TASK>
[   22.652857] 
[   22.653549] Allocated by task 234:
[   22.653963]  kasan_save_stack+0x3d/0x60
[   22.654756]  kasan_save_track+0x18/0x40
[   22.655036]  kasan_save_alloc_info+0x3b/0x50
[   22.655542]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   22.656040]  remove_element+0x11e/0x190
[   22.656405]  mempool_alloc_preallocated+0x4d/0x90
[   22.656816]  mempool_uaf_helper+0x97/0x400
[   22.657122]  mempool_kmalloc_uaf+0xb3/0x100
[   22.657579]  kunit_try_run_case+0x1b3/0x490
[   22.658027]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.659034]  kthread+0x257/0x310
[   22.659404]  ret_from_fork+0x41/0x80
[   22.660582]  ret_from_fork_asm+0x1a/0x30
[   22.661559] 
[   22.662013] Freed by task 234:
[   22.662545]  kasan_save_stack+0x3d/0x60
[   22.663078]  kasan_save_track+0x18/0x40
[   22.663738]  kasan_save_free_info+0x3f/0x60
[   22.664262]  __kasan_mempool_poison_object+0x131/0x1d0
[   22.664920]  mempool_free+0x2ec/0x380
[   22.665366]  mempool_uaf_helper+0x11b/0x400
[   22.665940]  mempool_kmalloc_uaf+0xb3/0x100
[   22.666689]  kunit_try_run_case+0x1b3/0x490
[   22.667585]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.668381]  kthread+0x257/0x310
[   22.668733]  ret_from_fork+0x41/0x80
[   22.669519]  ret_from_fork_asm+0x1a/0x30
[   22.670037] 
[   22.670305] The buggy address belongs to the object at ffff8881028c3300
[   22.670305]  which belongs to the cache kmalloc-128 of size 128
[   22.671709] The buggy address is located 0 bytes inside of
[   22.671709]  freed 128-byte region [ffff8881028c3300, ffff8881028c3380)
[   22.672404] 
[   22.672652] The buggy address belongs to the physical page:
[   22.673173] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028c3
[   22.674380] flags: 0x200000000000000(node=0|zone=2)
[   22.674924] page_type: f5(slab)
[   22.675742] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   22.676704] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   22.677372] page dumped because: kasan: bad access detected
[   22.678351] 
[   22.678638] Memory state around the buggy address:
[   22.679333]  ffff8881028c3200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.680167]  ffff8881028c3280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.680755] >ffff8881028c3300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.681327]                    ^
[   22.682140]  ffff8881028c3380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.683378]  ffff8881028c3400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   22.684228] ==================================================================
Metadata Full log Test run details