Date
May 30, 2025, 4:14 a.m.
Environment | |
---|---|
e850-96 | |
qemu-arm64 | |
qemu-x86_64 | |
x15 | |
[ 36.936453] ================================================================== [ 36.945760] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 36.952442] Read of size 1 at addr ffff000806070000 by task kunit_try_catch/273 [ 36.959730] [ 36.961218] CPU: 4 UID: 0 PID: 273 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 36.961273] Tainted: [B]=BAD_PAGE, [N]=TEST [ 36.961293] Hardware name: WinLink E850-96 board (DT) [ 36.961314] Call trace: [ 36.961329] show_stack+0x20/0x38 (C) [ 36.961370] dump_stack_lvl+0x8c/0xd0 [ 36.961407] print_report+0x118/0x608 [ 36.961446] kasan_report+0xdc/0x128 [ 36.961479] __asan_report_load1_noabort+0x20/0x30 [ 36.961513] mempool_uaf_helper+0x314/0x340 [ 36.961549] mempool_kmalloc_large_uaf+0xc4/0x120 [ 36.961583] kunit_try_run_case+0x170/0x3f0 [ 36.961621] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 36.961659] kthread+0x328/0x630 [ 36.961689] ret_from_fork+0x10/0x20 [ 36.961725] [ 37.029610] The buggy address belongs to the physical page: [ 37.035168] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886070 [ 37.043152] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 37.050792] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 37.057733] page_type: f8(unknown) [ 37.061130] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 37.068849] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 37.076577] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 37.084387] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 37.092200] head: 0bfffe0000000002 fffffdffe0181c01 00000000ffffffff 00000000ffffffff [ 37.100012] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 37.107818] page dumped because: kasan: bad access detected [ 37.113374] [ 37.114849] Memory state around the buggy address: [ 37.119633] ffff00080606ff00: 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 [ 37.126832] ffff00080606ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 37.134038] >ffff000806070000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.141237] ^ [ 37.144453] ffff000806070080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.151657] ffff000806070100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.158859] ================================================================== [ 37.499457] ================================================================== [ 37.501481] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 37.508161] Read of size 1 at addr ffff000806014000 by task kunit_try_catch/277 [ 37.515452] [ 37.516937] CPU: 4 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 37.516997] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.517016] Hardware name: WinLink E850-96 board (DT) [ 37.517035] Call trace: [ 37.517052] show_stack+0x20/0x38 (C) [ 37.517094] dump_stack_lvl+0x8c/0xd0 [ 37.517131] print_report+0x118/0x608 [ 37.517170] kasan_report+0xdc/0x128 [ 37.517204] __asan_report_load1_noabort+0x20/0x30 [ 37.517238] mempool_uaf_helper+0x314/0x340 [ 37.517270] mempool_page_alloc_uaf+0xc0/0x118 [ 37.517304] kunit_try_run_case+0x170/0x3f0 [ 37.517344] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.517383] kthread+0x328/0x630 [ 37.517412] ret_from_fork+0x10/0x20 [ 37.517447] [ 37.585071] The buggy address belongs to the physical page: [ 37.590628] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886014 [ 37.598611] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.605134] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 37.612851] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 37.620572] page dumped because: kasan: bad access detected [ 37.626127] [ 37.627601] Memory state around the buggy address: [ 37.632382] ffff000806013f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ff [ 37.639584] ffff000806013f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.646792] >ffff000806014000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.653990] ^ [ 37.657205] ffff000806014080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.664410] ffff000806014100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.671613] ==================================================================
[ 27.920593] ================================================================== [ 27.920840] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 27.921042] Read of size 1 at addr fff00000c78d0000 by task kunit_try_catch/230 [ 27.921237] [ 27.921337] CPU: 1 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 27.921546] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.921714] Hardware name: linux,dummy-virt (DT) [ 27.921824] Call trace: [ 27.921958] show_stack+0x20/0x38 (C) [ 27.922154] dump_stack_lvl+0x8c/0xd0 [ 27.922344] print_report+0x118/0x608 [ 27.922553] kasan_report+0xdc/0x128 [ 27.922675] __asan_report_load1_noabort+0x20/0x30 [ 27.923033] mempool_uaf_helper+0x314/0x340 [ 27.923208] mempool_kmalloc_large_uaf+0xc4/0x120 [ 27.923355] kunit_try_run_case+0x170/0x3f0 [ 27.923489] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.923644] kthread+0x328/0x630 [ 27.923818] ret_from_fork+0x10/0x20 [ 27.924138] [ 27.924242] The buggy address belongs to the physical page: [ 27.924399] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078d0 [ 27.924528] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 27.924631] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 27.924782] page_type: f8(unknown) [ 27.924961] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 27.925151] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 27.925304] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 27.925432] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 27.925623] head: 0bfffe0000000002 ffffc1ffc31e3401 00000000ffffffff 00000000ffffffff [ 27.925954] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 27.926084] page dumped because: kasan: bad access detected [ 27.926240] [ 27.926286] Memory state around the buggy address: [ 27.926468] fff00000c78cff00: ff ff ff ff ff ff 
ff ff ff ff ff ff ff ff ff ff [ 27.926601] fff00000c78cff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.926750] >fff00000c78d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.926851] ^ [ 27.926921] fff00000c78d0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.927029] fff00000c78d0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.927126] ================================================================== [ 28.038485] ================================================================== [ 28.038625] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 28.038831] Read of size 1 at addr fff00000c78d0000 by task kunit_try_catch/234 [ 28.038968] [ 28.039071] CPU: 1 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 28.042914] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.043012] Hardware name: linux,dummy-virt (DT) [ 28.043155] Call trace: [ 28.043220] show_stack+0x20/0x38 (C) [ 28.043353] dump_stack_lvl+0x8c/0xd0 [ 28.043485] print_report+0x118/0x608 [ 28.044187] kasan_report+0xdc/0x128 [ 28.044315] __asan_report_load1_noabort+0x20/0x30 [ 28.044457] mempool_uaf_helper+0x314/0x340 [ 28.044580] mempool_page_alloc_uaf+0xc0/0x118 [ 28.044743] kunit_try_run_case+0x170/0x3f0 [ 28.044867] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.044996] kthread+0x328/0x630 [ 28.045101] ret_from_fork+0x10/0x20 [ 28.045214] [ 28.045276] The buggy address belongs to the physical page: [ 28.045352] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078d0 [ 28.045478] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 28.045622] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 28.045769] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 28.045870] page dumped because: kasan: bad access detected [ 28.045941] [ 28.045988] Memory state around the buggy address: [ 28.046076] fff00000c78cff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 
28.049014] fff00000c78cff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.049148] >fff00000c78d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.049260] ^ [ 28.049338] fff00000c78d0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.049447] fff00000c78d0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.049542] ==================================================================
[ 20.561778] ================================================================== [ 20.563111] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 20.563645] Read of size 1 at addr ffff888103c60000 by task kunit_try_catch/246 [ 20.564249] [ 20.564518] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 20.564651] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.564689] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.564751] Call Trace: [ 20.564793] <TASK> [ 20.564845] dump_stack_lvl+0x73/0xb0 [ 20.564930] print_report+0xd1/0x650 [ 20.565338] ? __virt_addr_valid+0x1db/0x2d0 [ 20.565416] ? mempool_uaf_helper+0x392/0x400 [ 20.565452] ? kasan_addr_to_slab+0x11/0xa0 [ 20.565484] ? mempool_uaf_helper+0x392/0x400 [ 20.565517] kasan_report+0x141/0x180 [ 20.565550] ? mempool_uaf_helper+0x392/0x400 [ 20.565590] __asan_report_load1_noabort+0x18/0x20 [ 20.565619] mempool_uaf_helper+0x392/0x400 [ 20.565653] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 20.565738] ? update_load_avg+0x1be/0x21b0 [ 20.565782] ? dequeue_entities+0x27e/0x1740 [ 20.565820] ? finish_task_switch.isra.0+0x153/0x700 [ 20.565857] mempool_kmalloc_large_uaf+0xef/0x140 [ 20.565893] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 20.565930] ? __pfx_mempool_kmalloc+0x10/0x10 [ 20.565988] ? __pfx_mempool_kfree+0x10/0x10 [ 20.566022] ? __pfx_read_tsc+0x10/0x10 [ 20.566053] ? ktime_get_ts64+0x86/0x230 [ 20.566087] kunit_try_run_case+0x1a5/0x480 [ 20.566117] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.566145] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 20.566234] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.566318] ? __kthread_parkme+0x82/0x180 [ 20.566350] ? preempt_count_sub+0x50/0x80 [ 20.566382] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.566413] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.566449] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.566484] kthread+0x337/0x6f0 [ 20.566512] ? 
trace_preempt_on+0x20/0xc0 [ 20.566544] ? __pfx_kthread+0x10/0x10 [ 20.566573] ? _raw_spin_unlock_irq+0x47/0x80 [ 20.566606] ? calculate_sigpending+0x7b/0xa0 [ 20.566640] ? __pfx_kthread+0x10/0x10 [ 20.566670] ret_from_fork+0x116/0x1d0 [ 20.566741] ? __pfx_kthread+0x10/0x10 [ 20.566773] ret_from_fork_asm+0x1a/0x30 [ 20.566817] </TASK> [ 20.566831] [ 20.591551] The buggy address belongs to the physical page: [ 20.592871] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103c60 [ 20.593611] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 20.594531] flags: 0x200000000000040(head|node=0|zone=2) [ 20.595226] page_type: f8(unknown) [ 20.595415] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 20.595667] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 20.597250] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 20.598608] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 20.599014] head: 0200000000000002 ffffea00040f1801 00000000ffffffff 00000000ffffffff [ 20.599414] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 20.600353] page dumped because: kasan: bad access detected [ 20.601125] [ 20.601291] Memory state around the buggy address: [ 20.601602] ffff888103c5ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.602040] ffff888103c5ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.602467] >ffff888103c60000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.602882] ^ [ 20.603171] ffff888103c60080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.604982] ffff888103c60100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.605753] ================================================================== [ 20.679094] ================================================================== [ 20.679946] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 20.680629] Read of size 1 
at addr ffff888103c28000 by task kunit_try_catch/250 [ 20.681674] [ 20.682214] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 20.682361] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.682402] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.682465] Call Trace: [ 20.682510] <TASK> [ 20.682563] dump_stack_lvl+0x73/0xb0 [ 20.682658] print_report+0xd1/0x650 [ 20.682846] ? __virt_addr_valid+0x1db/0x2d0 [ 20.682933] ? mempool_uaf_helper+0x392/0x400 [ 20.683029] ? kasan_addr_to_slab+0x11/0xa0 [ 20.683102] ? mempool_uaf_helper+0x392/0x400 [ 20.683178] kasan_report+0x141/0x180 [ 20.683308] ? mempool_uaf_helper+0x392/0x400 [ 20.683363] __asan_report_load1_noabort+0x18/0x20 [ 20.683398] mempool_uaf_helper+0x392/0x400 [ 20.683433] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 20.683470] ? __kasan_check_write+0x18/0x20 [ 20.683501] ? __pfx_sched_clock_cpu+0x10/0x10 [ 20.683534] ? finish_task_switch.isra.0+0x153/0x700 [ 20.683572] mempool_page_alloc_uaf+0xed/0x140 [ 20.683607] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 20.683646] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 20.683702] ? __pfx_mempool_free_pages+0x10/0x10 [ 20.683752] ? __pfx_read_tsc+0x10/0x10 [ 20.683786] ? ktime_get_ts64+0x86/0x230 [ 20.683820] kunit_try_run_case+0x1a5/0x480 [ 20.683852] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.683880] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 20.683915] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.683952] ? __kthread_parkme+0x82/0x180 [ 20.684009] ? preempt_count_sub+0x50/0x80 [ 20.684045] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.684075] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.684111] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.684147] kthread+0x337/0x6f0 [ 20.684226] ? trace_preempt_on+0x20/0xc0 [ 20.684317] ? __pfx_kthread+0x10/0x10 [ 20.684391] ? _raw_spin_unlock_irq+0x47/0x80 [ 20.684468] ? calculate_sigpending+0x7b/0xa0 [ 20.684509] ? 
__pfx_kthread+0x10/0x10 [ 20.684540] ret_from_fork+0x116/0x1d0 [ 20.684566] ? __pfx_kthread+0x10/0x10 [ 20.684595] ret_from_fork_asm+0x1a/0x30 [ 20.684639] </TASK> [ 20.684655] [ 20.711144] The buggy address belongs to the physical page: [ 20.712376] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103c28 [ 20.713348] flags: 0x200000000000000(node=0|zone=2) [ 20.714347] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 20.714985] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 20.715798] page dumped because: kasan: bad access detected [ 20.717000] [ 20.717536] Memory state around the buggy address: [ 20.718443] ffff888103c27f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.719020] ffff888103c27f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.720090] >ffff888103c28000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.721158] ^ [ 20.721519] ffff888103c28080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.722508] ffff888103c28100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.723449] ==================================================================
[ 64.265655] ================================================================== [ 64.276702] BUG: KASAN: use-after-free in mempool_uaf_helper+0x388/0x3b8 [ 64.283477] Read of size 1 at addr cc8a4000 by task kunit_try_catch/285 [ 64.290130] [ 64.291656] CPU: 1 UID: 0 PID: 285 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 64.291687] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 64.291687] Hardware name: Generic DRA74X (Flattened Device Tree) [ 64.291717] Call trace: [ 64.291717] unwind_backtrace from show_stack+0x18/0x1c [ 64.291748] show_stack from dump_stack_lvl+0x70/0x90 [ 64.291809] dump_stack_lvl from print_report+0x158/0x528 [ 64.291839] print_report from kasan_report+0xdc/0x118 [ 64.291870] kasan_report from mempool_uaf_helper+0x388/0x3b8 [ 64.291870] mempool_uaf_helper from mempool_page_alloc_uaf+0xb8/0x104 [ 64.291931] mempool_page_alloc_uaf from kunit_try_run_case+0x22c/0x5a8 [ 64.291961] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 64.291992] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 64.292022] kthread from ret_from_fork+0x14/0x20 [ 64.292053] Exception stack(0xf242bfb0 to 0xf242bff8) [ 64.292083] bfa0: 00000000 00000000 00000000 00000000 [ 64.292083] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 64.292114] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 64.292114] [ 64.404998] The buggy address belongs to the physical page: [ 64.410614] page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c8a4 [ 64.417877] flags: 0x0(zone=0) [ 64.420989] raw: 00000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 [ 64.429138] raw: 00000000 [ 64.431762] page dumped because: kasan: bad access detected [ 64.437377] [ 64.438903] Memory state around the buggy address: [ 64.443725] cc8a3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.450286] cc8a3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.456878] >cc8a4000: ff ff 
ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.463439] ^ [ 64.466003] cc8a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.472595] cc8a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.479156] ================================================================== [ 63.659790] ================================================================== [ 63.671081] BUG: KASAN: use-after-free in mempool_uaf_helper+0x388/0x3b8 [ 63.677825] Read of size 1 at addr cc8a4000 by task kunit_try_catch/281 [ 63.684478] [ 63.686004] CPU: 1 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 63.686035] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 63.686035] Hardware name: Generic DRA74X (Flattened Device Tree) [ 63.686035] Call trace: [ 63.686065] unwind_backtrace from show_stack+0x18/0x1c [ 63.686065] show_stack from dump_stack_lvl+0x70/0x90 [ 63.686096] dump_stack_lvl from print_report+0x158/0x528 [ 63.686126] print_report from kasan_report+0xdc/0x118 [ 63.686157] kasan_report from mempool_uaf_helper+0x388/0x3b8 [ 63.686187] mempool_uaf_helper from mempool_kmalloc_large_uaf+0xbc/0x108 [ 63.686187] mempool_kmalloc_large_uaf from kunit_try_run_case+0x22c/0x5a8 [ 63.686218] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 63.686248] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 63.686279] kthread from ret_from_fork+0x14/0x20 [ 63.686309] Exception stack(0xf241bfb0 to 0xf241bff8) [ 63.686309] bfa0: 00000000 00000000 00000000 00000000 [ 63.686340] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 63.686340] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 63.686370] [ 63.799713] The buggy address belongs to the physical page: [ 63.805328] page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c8a4 [ 63.812591] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 63.820312] flags: 0x40(head|zone=0) [ 63.823913] page_type: f8(unknown) [ 
63.827331] raw: 00000040 00000000 00000122 00000000 00000000 00000000 f8000000 00000001 [ 63.835479] raw: 00000000 [ 63.838134] head: 00000040 00000000 00000122 00000000 00000000 00000000 f8000000 00000001 [ 63.846343] head: 00000000 00000002 eebc2711 ffffffff 00000000 ffffffff 00000000 ffffffff [ 63.854583] head: 00000000 00000004 [ 63.858093] page dumped because: kasan: bad access detected [ 63.863708] [ 63.865203] Memory state around the buggy address: [ 63.870025] cc8a3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.876617] cc8a3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.883178] >cc8a4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.889739] ^ [ 63.892303] cc8a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.898864] cc8a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.905426] ==================================================================