Date
May 30, 2025, 4:14 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| x15 |
[ 37.168414] ================================================================== [ 37.177789] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 37.184901] Read of size 1 at addr ffff000805857240 by task kunit_try_catch/275 [ 37.192192] [ 37.193679] CPU: 2 UID: 0 PID: 275 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 37.193733] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.193752] Hardware name: WinLink E850-96 board (DT) [ 37.193774] Call trace: [ 37.193788] show_stack+0x20/0x38 (C) [ 37.193828] dump_stack_lvl+0x8c/0xd0 [ 37.193866] print_report+0x118/0x608 [ 37.193904] kasan_report+0xdc/0x128 [ 37.193937] __asan_report_load1_noabort+0x20/0x30 [ 37.193971] mempool_uaf_helper+0x314/0x340 [ 37.194002] mempool_slab_uaf+0xc0/0x118 [ 37.194036] kunit_try_run_case+0x170/0x3f0 [ 37.194072] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.194113] kthread+0x328/0x630 [ 37.194142] ret_from_fork+0x10/0x20 [ 37.194176] [ 37.261287] Allocated by task 275: [ 37.264677] kasan_save_stack+0x3c/0x68 [ 37.268492] kasan_save_track+0x20/0x40 [ 37.272312] kasan_save_alloc_info+0x40/0x58 [ 37.276565] __kasan_mempool_unpoison_object+0xbc/0x180 [ 37.281775] remove_element+0x16c/0x1f8 [ 37.285593] mempool_alloc_preallocated+0x58/0xc0 [ 37.290280] mempool_uaf_helper+0xa4/0x340 [ 37.294360] mempool_slab_uaf+0xc0/0x118 [ 37.298267] kunit_try_run_case+0x170/0x3f0 [ 37.302433] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.307902] kthread+0x328/0x630 [ 37.311114] ret_from_fork+0x10/0x20 [ 37.314672] [ 37.316149] Freed by task 275: [ 37.319188] kasan_save_stack+0x3c/0x68 [ 37.323006] kasan_save_track+0x20/0x40 [ 37.326825] kasan_save_free_info+0x4c/0x78 [ 37.330992] __kasan_mempool_poison_object+0xc0/0x150 [ 37.336027] mempool_free+0x28c/0x328 [ 37.339672] mempool_uaf_helper+0x104/0x340 [ 37.343839] mempool_slab_uaf+0xc0/0x118 [ 37.347745] kunit_try_run_case+0x170/0x3f0 [ 37.351911] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.357380] kthread+0x328/0x630 [ 37.360592] ret_from_fork+0x10/0x20 [ 37.364151] [ 37.365628] The buggy address belongs to the object at ffff000805857240 [ 37.365628] which belongs to the cache test_cache of size 123 [ 37.378041] The buggy address is located 0 bytes inside of [ 37.378041] freed 123-byte region [ffff000805857240, ffff0008058572bb) [ 37.390105] [ 37.391583] The buggy address belongs to the physical page: [ 37.397141] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x885857 [ 37.405125] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.411635] page_type: f5(slab) [ 37.414770] raw: 0bfffe0000000000 ffff000801dbb400 dead000000000122 0000000000000000 [ 37.422490] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 37.430209] page dumped because: kasan: bad access detected [ 37.435766] [ 37.437240] Memory state around the buggy address: [ 37.442021] ffff000805857100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.449223] ffff000805857180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.456429] >ffff000805857200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 37.463628] ^ [ 37.468927] ffff000805857280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.476132] ffff000805857300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.483333] ================================================================== [ 36.579403] ================================================================== [ 36.583617] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 36.590729] Read of size 1 at addr ffff000801dbdd00 by task kunit_try_catch/271 [ 36.598016] [ 36.599502] CPU: 2 UID: 0 PID: 271 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 36.599561] Tainted: [B]=BAD_PAGE, [N]=TEST [ 36.599577] Hardware name: WinLink E850-96 board (DT) [ 36.599599] Call trace: [ 36.599613] show_stack+0x20/0x38 (C) [ 36.599651] dump_stack_lvl+0x8c/0xd0 [ 36.599689] print_report+0x118/0x608 [ 36.599725] kasan_report+0xdc/0x128 [ 36.599758] __asan_report_load1_noabort+0x20/0x30 [ 36.599789] mempool_uaf_helper+0x314/0x340 [ 36.599820] mempool_kmalloc_uaf+0xc4/0x120 [ 36.599852] kunit_try_run_case+0x170/0x3f0 [ 36.599887] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 36.599926] kthread+0x328/0x630 [ 36.599954] ret_from_fork+0x10/0x20 [ 36.599992] [ 36.667373] Allocated by task 271: [ 36.670763] kasan_save_stack+0x3c/0x68 [ 36.674578] kasan_save_track+0x20/0x40 [ 36.678399] kasan_save_alloc_info+0x40/0x58 [ 36.682650] __kasan_mempool_unpoison_object+0x11c/0x180 [ 36.687946] remove_element+0x130/0x1f8 [ 36.691765] mempool_alloc_preallocated+0x58/0xc0 [ 36.696453] mempool_uaf_helper+0xa4/0x340 [ 36.700532] mempool_kmalloc_uaf+0xc4/0x120 [ 36.704699] kunit_try_run_case+0x170/0x3f0 [ 36.708865] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 36.714336] kthread+0x328/0x630 [ 36.717546] ret_from_fork+0x10/0x20 [ 36.721105] [ 36.722582] Freed by task 271: [ 36.725618] kasan_save_stack+0x3c/0x68 [ 36.729438] kasan_save_track+0x20/0x40 [ 36.733258] kasan_save_free_info+0x4c/0x78 [ 36.737424] __kasan_mempool_poison_object+0xc0/0x150 [ 36.742459] mempool_free+0x28c/0x328 [ 36.746104] mempool_uaf_helper+0x104/0x340 [ 36.750271] mempool_kmalloc_uaf+0xc4/0x120 [ 36.754438] kunit_try_run_case+0x170/0x3f0 [ 36.758604] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 36.764073] kthread+0x328/0x630 [ 36.767285] ret_from_fork+0x10/0x20 [ 36.770843] [ 36.772322] The buggy address belongs to the object at ffff000801dbdd00 [ 36.772322] which belongs to the cache kmalloc-128 of size 128 [ 36.784821] The buggy address is located 0 bytes inside of [ 36.784821] freed 128-byte region [ffff000801dbdd00, ffff000801dbdd80) [ 36.796885] [ 36.798363] The buggy address belongs to the physical page: [ 36.803921] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881dbc [ 36.811904] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 36.819544] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 36.826487] page_type: f5(slab) [ 36.829624] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 36.837343] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 36.845070] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 36.852880] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 36.860693] head: 0bfffe0000000001 fffffdffe0076f01 00000000ffffffff 00000000ffffffff [ 36.868505] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 36.876311] page dumped because: kasan: bad access detected [ 36.881868] [ 36.883342] Memory state around the buggy address: [ 36.888124] ffff000801dbdc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.895326] ffff000801dbdc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.902531] >ffff000801dbdd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.909730] ^ [ 36.912946] ffff000801dbdd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.920152] ffff000801dbde00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 36.927353] ==================================================================
[ 27.876549] ================================================================== [ 27.876699] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 27.876854] Read of size 1 at addr fff00000c56e8300 by task kunit_try_catch/228 [ 27.876972] [ 27.877055] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 27.877275] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.877341] Hardware name: linux,dummy-virt (DT) [ 27.877415] Call trace: [ 27.877470] show_stack+0x20/0x38 (C) [ 27.877596] dump_stack_lvl+0x8c/0xd0 [ 27.878352] print_report+0x118/0x608 [ 27.878455] kasan_report+0xdc/0x128 [ 27.878555] __asan_report_load1_noabort+0x20/0x30 [ 27.878753] mempool_uaf_helper+0x314/0x340 [ 27.878961] mempool_kmalloc_uaf+0xc4/0x120 [ 27.879201] kunit_try_run_case+0x170/0x3f0 [ 27.879334] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.879487] kthread+0x328/0x630 [ 27.879612] ret_from_fork+0x10/0x20 [ 27.879788] [ 27.879869] Allocated by task 228: [ 27.880000] kasan_save_stack+0x3c/0x68 [ 27.880110] kasan_save_track+0x20/0x40 [ 27.880235] kasan_save_alloc_info+0x40/0x58 [ 27.880382] __kasan_mempool_unpoison_object+0x11c/0x180 [ 27.880624] remove_element+0x130/0x1f8 [ 27.880756] mempool_alloc_preallocated+0x58/0xc0 [ 27.880870] mempool_uaf_helper+0xa4/0x340 [ 27.880979] mempool_kmalloc_uaf+0xc4/0x120 [ 27.881092] kunit_try_run_case+0x170/0x3f0 [ 27.881192] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.881704] kthread+0x328/0x630 [ 27.882030] ret_from_fork+0x10/0x20 [ 27.882134] [ 27.882181] Freed by task 228: [ 27.882367] kasan_save_stack+0x3c/0x68 [ 27.882465] kasan_save_track+0x20/0x40 [ 27.882777] kasan_save_free_info+0x4c/0x78 [ 27.882892] __kasan_mempool_poison_object+0xc0/0x150 [ 27.883318] mempool_free+0x28c/0x328 [ 27.883500] mempool_uaf_helper+0x104/0x340 [ 27.883623] mempool_kmalloc_uaf+0xc4/0x120 [ 27.883914] kunit_try_run_case+0x170/0x3f0 [ 27.884030] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.884255] kthread+0x328/0x630 [ 27.884550] ret_from_fork+0x10/0x20 [ 27.884700] [ 27.884772] The buggy address belongs to the object at fff00000c56e8300 [ 27.884772] which belongs to the cache kmalloc-128 of size 128 [ 27.884976] The buggy address is located 0 bytes inside of [ 27.884976] freed 128-byte region [fff00000c56e8300, fff00000c56e8380) [ 27.885138] [ 27.885196] The buggy address belongs to the physical page: [ 27.885296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056e8 [ 27.885437] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.885824] page_type: f5(slab) [ 27.885961] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 27.886124] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 27.886227] page dumped because: kasan: bad access detected [ 27.886332] [ 27.886378] Memory state around the buggy address: [ 27.886462] fff00000c56e8200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.886613] fff00000c56e8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.887348] >fff00000c56e8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.887473] ^ [ 27.887678] fff00000c56e8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.888114] fff00000c56e8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.888231] ================================================================== [ 27.960494] ================================================================== [ 27.961143] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 27.961334] Read of size 1 at addr fff00000c7895240 by task kunit_try_catch/232 [ 27.961449] [ 27.961523] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 27.963265] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.963875] Hardware name: linux,dummy-virt (DT) [ 27.964486] Call trace: [ 27.964651] show_stack+0x20/0x38 (C) [ 27.965093] dump_stack_lvl+0x8c/0xd0 [ 27.966161] print_report+0x118/0x608 [ 27.966430] kasan_report+0xdc/0x128 [ 27.967253] __asan_report_load1_noabort+0x20/0x30 [ 27.967766] mempool_uaf_helper+0x314/0x340 [ 27.968074] mempool_slab_uaf+0xc0/0x118 [ 27.968348] kunit_try_run_case+0x170/0x3f0 [ 27.968558] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.968768] kthread+0x328/0x630 [ 27.968891] ret_from_fork+0x10/0x20 [ 27.969491] [ 27.969563] Allocated by task 232: [ 27.969666] kasan_save_stack+0x3c/0x68 [ 27.969794] kasan_save_track+0x20/0x40 [ 27.969969] kasan_save_alloc_info+0x40/0x58 [ 27.970072] __kasan_mempool_unpoison_object+0xbc/0x180 [ 27.970406] remove_element+0x16c/0x1f8 [ 27.970790] mempool_alloc_preallocated+0x58/0xc0 [ 27.971079] mempool_uaf_helper+0xa4/0x340 [ 27.971211] mempool_slab_uaf+0xc0/0x118 [ 27.971362] kunit_try_run_case+0x170/0x3f0 [ 27.971464] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.971797] kthread+0x328/0x630 [ 27.972183] ret_from_fork+0x10/0x20 [ 27.972301] [ 27.972351] Freed by task 232: [ 27.972934] kasan_save_stack+0x3c/0x68 [ 27.973141] kasan_save_track+0x20/0x40 [ 27.973328] kasan_save_free_info+0x4c/0x78 [ 27.973907] __kasan_mempool_poison_object+0xc0/0x150 [ 27.974108] mempool_free+0x28c/0x328 [ 27.974463] mempool_uaf_helper+0x104/0x340 [ 27.974991] mempool_slab_uaf+0xc0/0x118 [ 27.975093] kunit_try_run_case+0x170/0x3f0 [ 27.975215] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.975316] kthread+0x328/0x630 [ 27.975406] ret_from_fork+0x10/0x20 [ 27.975812] [ 27.976019] The buggy address belongs to the object at fff00000c7895240 [ 27.976019] which belongs to the cache test_cache of size 123 [ 27.976158] The buggy address is located 0 bytes inside of [ 27.976158] freed 123-byte region [fff00000c7895240, fff00000c78952bb) [ 27.976917] [ 27.977241] The buggy address belongs to the physical page: [ 27.977354] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107895 [ 27.977880] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.978644] page_type: f5(slab) [ 27.978806] raw: 0bfffe0000000000 fff00000c56eb280 dead000000000122 0000000000000000 [ 27.979366] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 27.979593] page dumped because: kasan: bad access detected [ 27.979675] [ 27.979739] Memory state around the buggy address: [ 27.979819] fff00000c7895100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.980034] fff00000c7895180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.980151] >fff00000c7895200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 27.980558] ^ [ 27.981166] fff00000c7895280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.981286] fff00000c7895300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.982006] ==================================================================
[ 20.615692] ================================================================== [ 20.616892] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 20.617649] Read of size 1 at addr ffff8881022e3240 by task kunit_try_catch/248 [ 20.618856] [ 20.619311] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 20.619588] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.619609] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.619642] Call Trace: [ 20.619659] <TASK> [ 20.619691] dump_stack_lvl+0x73/0xb0 [ 20.619758] print_report+0xd1/0x650 [ 20.619797] ? __virt_addr_valid+0x1db/0x2d0 [ 20.619853] ? mempool_uaf_helper+0x392/0x400 [ 20.619887] ? kasan_complete_mode_report_info+0x64/0x200 [ 20.619940] ? mempool_uaf_helper+0x392/0x400 [ 20.620006] kasan_report+0x141/0x180 [ 20.620043] ? mempool_uaf_helper+0x392/0x400 [ 20.620101] __asan_report_load1_noabort+0x18/0x20 [ 20.620134] mempool_uaf_helper+0x392/0x400 [ 20.620187] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 20.620226] ? __pfx_sched_clock_cpu+0x10/0x10 [ 20.620283] ? finish_task_switch.isra.0+0x153/0x700 [ 20.620323] mempool_slab_uaf+0xea/0x140 [ 20.620373] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 20.620403] ? trace_hardirqs_on+0x37/0xe0 [ 20.620495] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 20.620549] ? __pfx_mempool_free_slab+0x10/0x10 [ 20.620582] ? __pfx_read_tsc+0x10/0x10 [ 20.620616] ? ktime_get_ts64+0x86/0x230 [ 20.620645] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 20.620697] kunit_try_run_case+0x1a5/0x480 [ 20.620743] ? __kthread_parkme+0x82/0x180 [ 20.620773] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.620804] ? __kthread_parkme+0x82/0x180 [ 20.620832] ? preempt_count_sub+0x50/0x80 [ 20.620864] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.620893] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.620929] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.620987] kthread+0x337/0x6f0 [ 20.621020] ? trace_preempt_on+0x20/0xc0 [ 20.621053] ? __pfx_kthread+0x10/0x10 [ 20.621083] ? _raw_spin_unlock_irq+0x47/0x80 [ 20.621116] ? calculate_sigpending+0x7b/0xa0 [ 20.621152] ? __pfx_kthread+0x10/0x10 [ 20.621183] ret_from_fork+0x116/0x1d0 [ 20.621208] ? __pfx_kthread+0x10/0x10 [ 20.621237] ret_from_fork_asm+0x1a/0x30 [ 20.621280] </TASK> [ 20.621295] [ 20.642723] Allocated by task 248: [ 20.643390] kasan_save_stack+0x45/0x70 [ 20.644191] kasan_save_track+0x18/0x40 [ 20.644521] kasan_save_alloc_info+0x3b/0x50 [ 20.645009] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 20.645415] remove_element+0x11e/0x190 [ 20.646393] mempool_alloc_preallocated+0x4d/0x90 [ 20.646757] mempool_uaf_helper+0x96/0x400 [ 20.647413] mempool_slab_uaf+0xea/0x140 [ 20.647736] kunit_try_run_case+0x1a5/0x480 [ 20.648085] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.648486] kthread+0x337/0x6f0 [ 20.648788] ret_from_fork+0x116/0x1d0 [ 20.649201] ret_from_fork_asm+0x1a/0x30 [ 20.649530] [ 20.649771] Freed by task 248: [ 20.650128] kasan_save_stack+0x45/0x70 [ 20.650478] kasan_save_track+0x18/0x40 [ 20.650795] kasan_save_free_info+0x3f/0x60 [ 20.651237] __kasan_mempool_poison_object+0x131/0x1d0 [ 20.651755] mempool_free+0x2ec/0x380 [ 20.652217] mempool_uaf_helper+0x11a/0x400 [ 20.652755] mempool_slab_uaf+0xea/0x140 [ 20.653253] kunit_try_run_case+0x1a5/0x480 [ 20.653798] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.654311] kthread+0x337/0x6f0 [ 20.654811] ret_from_fork+0x116/0x1d0 [ 20.655150] ret_from_fork_asm+0x1a/0x30 [ 20.655474] [ 20.655731] The buggy address belongs to the object at ffff8881022e3240 [ 20.655731] which belongs to the cache test_cache of size 123 [ 20.656842] The buggy address is located 0 bytes inside of [ 20.656842] freed 123-byte region [ffff8881022e3240, ffff8881022e32bb) [ 20.657850] [ 20.658081] The buggy address belongs to the physical page: [ 20.658659] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022e3 [ 20.659353] flags: 0x200000000000000(node=0|zone=2) [ 20.659863] page_type: f5(slab) [ 20.660279] raw: 0200000000000000 ffff8881022d3640 dead000000000122 0000000000000000 [ 20.661053] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 20.661614] page dumped because: kasan: bad access detected [ 20.662238] [ 20.662485] Memory state around the buggy address: [ 20.663029] ffff8881022e3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.663599] ffff8881022e3180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.664274] >ffff8881022e3200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 20.664992] ^ [ 20.665467] ffff8881022e3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.666136] ffff8881022e3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.666809] ================================================================== [ 20.498085] ================================================================== [ 20.499529] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 20.500347] Read of size 1 at addr ffff8881022e0100 by task kunit_try_catch/244 [ 20.501516] [ 20.501735] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 20.501848] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.501889] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.502122] Call Trace: [ 20.502166] <TASK> [ 20.502212] dump_stack_lvl+0x73/0xb0 [ 20.502268] print_report+0xd1/0x650 [ 20.502307] ? __virt_addr_valid+0x1db/0x2d0 [ 20.502343] ? mempool_uaf_helper+0x392/0x400 [ 20.502376] ? kasan_complete_mode_report_info+0x64/0x200 [ 20.502409] ? mempool_uaf_helper+0x392/0x400 [ 20.502442] kasan_report+0x141/0x180 [ 20.502474] ? mempool_uaf_helper+0x392/0x400 [ 20.502512] __asan_report_load1_noabort+0x18/0x20 [ 20.502542] mempool_uaf_helper+0x392/0x400 [ 20.502574] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 20.502610] ? __kasan_check_write+0x18/0x20 [ 20.502638] ? __pfx_sched_clock_cpu+0x10/0x10 [ 20.502671] ? finish_task_switch.isra.0+0x153/0x700 [ 20.502750] mempool_kmalloc_uaf+0xef/0x140 [ 20.502788] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 20.502826] ? __pfx_mempool_kmalloc+0x10/0x10 [ 20.502855] ? __pfx_mempool_kfree+0x10/0x10 [ 20.502885] ? __pfx_read_tsc+0x10/0x10 [ 20.502916] ? ktime_get_ts64+0x86/0x230 [ 20.502950] kunit_try_run_case+0x1a5/0x480 [ 20.503010] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.503041] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 20.503079] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.503114] ? __kthread_parkme+0x82/0x180 [ 20.503143] ? preempt_count_sub+0x50/0x80 [ 20.503175] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.503206] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.503243] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.503279] kthread+0x337/0x6f0 [ 20.503308] ? trace_preempt_on+0x20/0xc0 [ 20.503341] ? __pfx_kthread+0x10/0x10 [ 20.503371] ? _raw_spin_unlock_irq+0x47/0x80 [ 20.503404] ? calculate_sigpending+0x7b/0xa0 [ 20.503438] ? __pfx_kthread+0x10/0x10 [ 20.503469] ret_from_fork+0x116/0x1d0 [ 20.503495] ? __pfx_kthread+0x10/0x10 [ 20.503523] ret_from_fork_asm+0x1a/0x30 [ 20.503565] </TASK> [ 20.503581] [ 20.523855] Allocated by task 244: [ 20.524845] kasan_save_stack+0x45/0x70 [ 20.525182] kasan_save_track+0x18/0x40 [ 20.525635] kasan_save_alloc_info+0x3b/0x50 [ 20.526399] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 20.526986] remove_element+0x11e/0x190 [ 20.527651] mempool_alloc_preallocated+0x4d/0x90 [ 20.528168] mempool_uaf_helper+0x96/0x400 [ 20.528881] mempool_kmalloc_uaf+0xef/0x140 [ 20.529353] kunit_try_run_case+0x1a5/0x480 [ 20.530107] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.530540] kthread+0x337/0x6f0 [ 20.531020] ret_from_fork+0x116/0x1d0 [ 20.531651] ret_from_fork_asm+0x1a/0x30 [ 20.532176] [ 20.532342] Freed by task 244: [ 20.532600] kasan_save_stack+0x45/0x70 [ 20.533848] kasan_save_track+0x18/0x40 [ 20.534227] kasan_save_free_info+0x3f/0x60 [ 20.535001] __kasan_mempool_poison_object+0x131/0x1d0 [ 20.535429] mempool_free+0x2ec/0x380 [ 20.535742] mempool_uaf_helper+0x11a/0x400 [ 20.536093] mempool_kmalloc_uaf+0xef/0x140 [ 20.536425] kunit_try_run_case+0x1a5/0x480 [ 20.537744] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.538109] kthread+0x337/0x6f0 [ 20.538751] ret_from_fork+0x116/0x1d0 [ 20.539434] ret_from_fork_asm+0x1a/0x30 [ 20.540134] [ 20.540300] The buggy address belongs to the object at ffff8881022e0100 [ 20.540300] which belongs to the cache kmalloc-128 of size 128 [ 20.541773] The buggy address is located 0 bytes inside of [ 20.541773] freed 128-byte region [ffff8881022e0100, ffff8881022e0180) [ 20.542688] [ 20.543420] The buggy address belongs to the physical page: [ 20.543930] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022e0 [ 20.544504] flags: 0x200000000000000(node=0|zone=2) [ 20.545193] page_type: f5(slab) [ 20.545569] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 20.546182] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.546734] page dumped because: kasan: bad access detected [ 20.547722] [ 20.548289] Memory state around the buggy address: [ 20.548709] ffff8881022e0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.549364] ffff8881022e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.550300] >ffff8881022e0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.550876] ^ [ 20.551253] ffff8881022e0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.551742] ffff8881022e0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 20.552796] ==================================================================
[ 63.914215] ================================================================== [ 63.926055] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x388/0x3b8 [ 63.933258] Read of size 1 at addr cc8d2240 by task kunit_try_catch/283 [ 63.939910] [ 63.941436] CPU: 0 UID: 0 PID: 283 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 63.941467] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 63.941467] Hardware name: Generic DRA74X (Flattened Device Tree) [ 63.941497] Call trace: [ 63.941497] unwind_backtrace from show_stack+0x18/0x1c [ 63.941528] show_stack from dump_stack_lvl+0x70/0x90 [ 63.941558] dump_stack_lvl from print_report+0x158/0x528 [ 63.941589] print_report from kasan_report+0xdc/0x118 [ 63.941619] kasan_report from mempool_uaf_helper+0x388/0x3b8 [ 63.941650] mempool_uaf_helper from mempool_slab_uaf+0xb8/0x100 [ 63.941680] mempool_slab_uaf from kunit_try_run_case+0x22c/0x5a8 [ 63.941711] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 63.941772] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 63.941802] kthread from ret_from_fork+0x14/0x20 [ 63.941833] Exception stack(0xf2423fb0 to 0xf2423ff8) [ 63.941833] 3fa0: 00000000 00000000 00000000 00000000 [ 63.941864] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 63.941894] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 63.941894] [ 64.053710] Allocated by task 283: [ 64.057128] kasan_save_track+0x30/0x5c [ 64.061004] __kasan_mempool_unpoison_object+0xec/0x14c [ 64.066284] remove_element+0x1d4/0x264 [ 64.070159] mempool_alloc_preallocated+0x60/0x9c [ 64.074920] mempool_uaf_helper+0x90/0x3b8 [ 64.079040] mempool_slab_uaf+0xb8/0x100 [ 64.083007] kunit_try_run_case+0x22c/0x5a8 [ 64.087249] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 64.092773] kthread+0x464/0x810 [ 64.096038] ret_from_fork+0x14/0x20 [ 64.099639] [ 64.101165] Freed by task 283: [ 64.104248] kasan_save_track+0x30/0x5c [ 64.108093] kasan_save_free_info+0x3c/0x48 [ 64.112335] __kasan_mempool_poison_object+0x94/0x128 [ 64.117431] mempool_free+0x360/0x440 [ 64.121124] mempool_uaf_helper+0x13c/0x3b8 [ 64.125335] mempool_slab_uaf+0xb8/0x100 [ 64.129302] kunit_try_run_case+0x22c/0x5a8 [ 64.133544] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 64.139068] kthread+0x464/0x810 [ 64.142333] ret_from_fork+0x14/0x20 [ 64.145935] [ 64.147460] The buggy address belongs to the object at cc8d2240 [ 64.147460] which belongs to the cache test_cache of size 123 [ 64.159271] The buggy address is located 0 bytes inside of [ 64.159271] freed 123-byte region [cc8d2240, cc8d22bb) [ 64.170043] [ 64.171539] The buggy address belongs to the physical page: [ 64.177154] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c8d2 [ 64.184448] flags: 0x0(zone=0) [ 64.187530] page_type: f5(slab) [ 64.190704] raw: 00000000 c8f6d600 00000122 00000000 00000000 80150015 f5000000 00000000 [ 64.198852] raw: 00000000 [ 64.201477] page dumped because: kasan: bad access detected [ 64.207092] [ 64.208618] Memory state around the buggy address: [ 64.213439] cc8d2100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 64.220001] cc8d2180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.226593] >cc8d2200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 64.233154] ^ [ 64.237823] cc8d2280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 64.244384] cc8d2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.250976] ================================================================== [ 63.321411] ================================================================== [ 63.332977] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x388/0x3b8 [ 63.340148] Read of size 1 at addr cc854900 by task kunit_try_catch/279 [ 63.346832] [ 63.348327] CPU: 1 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 63.348358] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 63.348358] Hardware name: Generic DRA74X (Flattened Device Tree) [ 63.348388] Call trace: [ 63.348388] unwind_backtrace from show_stack+0x18/0x1c [ 63.348419] show_stack from dump_stack_lvl+0x70/0x90 [ 63.348449] dump_stack_lvl from print_report+0x158/0x528 [ 63.348480] print_report from kasan_report+0xdc/0x118 [ 63.348510] kasan_report from mempool_uaf_helper+0x388/0x3b8 [ 63.348510] mempool_uaf_helper from mempool_kmalloc_uaf+0xbc/0x108 [ 63.348541] mempool_kmalloc_uaf from kunit_try_run_case+0x22c/0x5a8 [ 63.348571] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 63.348602] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 63.348632] kthread from ret_from_fork+0x14/0x20 [ 63.348663] Exception stack(0xf2413fb0 to 0xf2413ff8) [ 63.348663] 3fa0: 00000000 00000000 00000000 00000000 [ 63.348693] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 63.348693] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 63.348724] [ 63.461029] Allocated by task 279: [ 63.464447] kasan_save_track+0x30/0x5c [ 63.468322] remove_element+0x180/0x264 [ 63.472167] mempool_alloc_preallocated+0x60/0x9c [ 63.476928] mempool_uaf_helper+0x90/0x3b8 [ 63.481048] mempool_kmalloc_uaf+0xbc/0x108 [ 63.485260] kunit_try_run_case+0x22c/0x5a8 [ 63.489501] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 63.495025] kthread+0x464/0x810 [ 63.498260] ret_from_fork+0x14/0x20 [ 63.501892] [ 63.503387] Freed by task 279: [ 63.506469] kasan_save_track+0x30/0x5c [ 63.510314] kasan_save_free_info+0x3c/0x48 [ 63.514526] __kasan_mempool_poison_object+0x94/0x128 [ 63.519622] mempool_free+0x360/0x440 [ 63.523315] mempool_uaf_helper+0x13c/0x3b8 [ 63.527526] mempool_kmalloc_uaf+0xbc/0x108 [ 63.531768] kunit_try_run_case+0x22c/0x5a8 [ 63.535980] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 63.541503] kthread+0x464/0x810 [ 63.544769] ret_from_fork+0x14/0x20 [ 63.548370] [ 63.549865] The buggy address belongs to the object at cc854900 [ 63.549865] which belongs to the cache kmalloc-128 of size 128 [ 63.561767] The buggy address is located 0 bytes inside of [ 63.561767] freed 128-byte region [cc854900, cc854980) [ 63.572540] [ 63.574035] The buggy address belongs to the physical page: [ 63.579650] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c854 [ 63.586914] flags: 0x0(zone=0) [ 63.589996] page_type: f5(slab) [ 63.593170] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000 [ 63.601318] raw: 00000000 [ 63.603942] page dumped because: kasan: bad access detected [ 63.609558] [ 63.611053] Memory state around the buggy address: [ 63.615875] cc854800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.622436] cc854880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.629028] >cc854900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.635589] ^ [ 63.638153] cc854980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.644714] cc854a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.651275] ==================================================================