Date
June 24, 2025, 11:37 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c

```
[ 47.401141] ==================================================================
[ 47.413056] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 47.420294] Read of size 1 at addr ffff0000875de240 by task kunit_try_catch/329
[ 47.427699]
[ 47.429233] CPU: 4 UID: 0 PID: 329 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 47.429271] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 47.429279] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 47.429294] Call trace:
[ 47.429304]  show_stack+0x20/0x38 (C)
[ 47.429324]  dump_stack_lvl+0x8c/0xd0
[ 47.429347]  print_report+0x118/0x608
[ 47.429367]  kasan_report+0xdc/0x128
[ 47.429384]  __asan_report_load1_noabort+0x20/0x30
[ 47.429402]  mempool_uaf_helper+0x314/0x340
[ 47.429418]  mempool_slab_uaf+0xc0/0x118
[ 47.429437]  kunit_try_run_case+0x170/0x3f0
[ 47.429458]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.429479]  kthread+0x328/0x630
[ 47.429495]  ret_from_fork+0x10/0x20
[ 47.429514]
[ 47.499155] Allocated by task 329:
[ 47.502610]  kasan_save_stack+0x3c/0x68
[ 47.506517]  kasan_save_track+0x20/0x40
[ 47.510421]  kasan_save_alloc_info+0x40/0x58
[ 47.514754]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 47.520053]  remove_element+0x16c/0x1f8
[ 47.523956]  mempool_alloc_preallocated+0x58/0xc0
[ 47.528736]  mempool_uaf_helper+0xa4/0x340
[ 47.532896]  mempool_slab_uaf+0xc0/0x118
[ 47.536884]  kunit_try_run_case+0x170/0x3f0
[ 47.541132]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.546694]  kthread+0x328/0x630
[ 47.549975]  ret_from_fork+0x10/0x20
[ 47.553615]
[ 47.555148] Freed by task 329:
[ 47.558253]  kasan_save_stack+0x3c/0x68
[ 47.562156]  kasan_save_track+0x20/0x40
[ 47.566058]  kasan_save_free_info+0x4c/0x78
[ 47.570304]  __kasan_mempool_poison_object+0xc0/0x150
[ 47.575430]  mempool_free+0x28c/0x328
[ 47.579148]  mempool_uaf_helper+0x104/0x340
[ 47.583392]  mempool_slab_uaf+0xc0/0x118
[ 47.587380]  kunit_try_run_case+0x170/0x3f0
[ 47.591626]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.597189]  kthread+0x328/0x630
[ 47.600471]  ret_from_fork+0x10/0x20
[ 47.604111]
[ 47.605634] The buggy address belongs to the object at ffff0000875de240
[ 47.605634]  which belongs to the cache test_cache of size 123
[ 47.618198] The buggy address is located 0 bytes inside of
[ 47.618198]  freed 123-byte region [ffff0000875de240, ffff0000875de2bb)
[ 47.630417]
[ 47.631947] The buggy address belongs to the physical page:
[ 47.637591] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1075de
[ 47.645700] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 47.652311] page_type: f5(slab)
[ 47.655509] raw: 0bfffe0000000000 ffff000083322000 dead000000000122 0000000000000000
[ 47.663349] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 47.671183] page dumped because: kasan: bad access detected
[ 47.676821]
[ 47.678344] Memory state around the buggy address:
[ 47.683204]  ffff0000875de100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 47.690518]  ffff0000875de180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.697830] >ffff0000875de200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 47.705140]                                            ^
[ 47.710522]  ffff0000875de280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 47.717836]  ffff0000875de300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.725146] ==================================================================
[ 46.784775] ==================================================================
[ 46.796457] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 46.803707] Read of size 1 at addr ffff000080dc0700 by task kunit_try_catch/325
[ 46.811118]
[ 46.812658] CPU: 1 UID: 0 PID: 325 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 46.812698] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 46.812710] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 46.812726] Call trace:
[ 46.812735]  show_stack+0x20/0x38 (C)
[ 46.812760]  dump_stack_lvl+0x8c/0xd0
[ 46.812784]  print_report+0x118/0x608
[ 46.812806]  kasan_report+0xdc/0x128
[ 46.812826]  __asan_report_load1_noabort+0x20/0x30
[ 46.812848]  mempool_uaf_helper+0x314/0x340
[ 46.812868]  mempool_kmalloc_uaf+0xc4/0x120
[ 46.812886]  kunit_try_run_case+0x170/0x3f0
[ 46.812911]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.812937]  kthread+0x328/0x630
[ 46.812957]  ret_from_fork+0x10/0x20
[ 46.812979]
[ 46.882910] Allocated by task 325:
[ 46.886373]  kasan_save_stack+0x3c/0x68
[ 46.890283]  kasan_save_track+0x20/0x40
[ 46.894191]  kasan_save_alloc_info+0x40/0x58
[ 46.898528]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 46.903923]  remove_element+0x130/0x1f8
[ 46.907837]  mempool_alloc_preallocated+0x58/0xc0
[ 46.912616]  mempool_uaf_helper+0xa4/0x340
[ 46.916785]  mempool_kmalloc_uaf+0xc4/0x120
[ 46.921039]  kunit_try_run_case+0x170/0x3f0
[ 46.925294]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.930867]  kthread+0x328/0x630
[ 46.934158]  ret_from_fork+0x10/0x20
[ 46.937807]
[ 46.939334] Freed by task 325:
[ 46.942449]  kasan_save_stack+0x3c/0x68
[ 46.946357]  kasan_save_track+0x20/0x40
[ 46.950268]  kasan_save_free_info+0x4c/0x78
[ 46.954520]  __kasan_mempool_poison_object+0xc0/0x150
[ 46.959659]  mempool_free+0x28c/0x328
[ 46.963382]  mempool_uaf_helper+0x104/0x340
[ 46.967632]  mempool_kmalloc_uaf+0xc4/0x120
[ 46.971884]  kunit_try_run_case+0x170/0x3f0
[ 46.976135]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.981709]  kthread+0x328/0x630
[ 46.984999]  ret_from_fork+0x10/0x20
[ 46.988637]
[ 46.990168] The buggy address belongs to the object at ffff000080dc0700
[ 46.990168]  which belongs to the cache kmalloc-128 of size 128
[ 47.002830] The buggy address is located 0 bytes inside of
[ 47.002830]  freed 128-byte region [ffff000080dc0700, ffff000080dc0780)
[ 47.015050]
[ 47.016589] The buggy address belongs to the physical page:
[ 47.022242] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100dc0
[ 47.030358] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 47.038117] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 47.045179] page_type: f5(slab)
[ 47.048389] raw: 0bfffe0000000040 ffff000080002a00 dead000000000100 dead000000000122
[ 47.056234] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 47.064079] head: 0bfffe0000000040 ffff000080002a00 dead000000000100 dead000000000122
[ 47.072011] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 47.079939] head: 0bfffe0000000001 fffffdffc2037001 00000000ffffffff 00000000ffffffff
[ 47.087869] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 47.095795] page dumped because: kasan: bad access detected
[ 47.101443]
[ 47.102972] Memory state around the buggy address:
[ 47.107831]  ffff000080dc0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.115146]  ffff000080dc0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.122471] >ffff000080dc0700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.129791]                    ^
[ 47.133079]  ffff000080dc0780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.140403]  ffff000080dc0800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.147715] ==================================================================
```
qemu-arm64

```
[ 35.752653] ==================================================================
[ 35.752817] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 35.752995] Read of size 1 at addr fff00000c7732d00 by task kunit_try_catch/238
[ 35.753129]
[ 35.753229] CPU: 0 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 35.753572] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 35.753686] Hardware name: linux,dummy-virt (DT)
[ 35.753996] Call trace:
[ 35.754152]  show_stack+0x20/0x38 (C)
[ 35.754341]  dump_stack_lvl+0x8c/0xd0
[ 35.754510]  print_report+0x118/0x608
[ 35.754708]  kasan_report+0xdc/0x128
[ 35.754829]  __asan_report_load1_noabort+0x20/0x30
[ 35.755034]  mempool_uaf_helper+0x314/0x340
[ 35.755189]  mempool_kmalloc_uaf+0xc4/0x120
[ 35.755555]  kunit_try_run_case+0x170/0x3f0
[ 35.755997]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.756255]  kthread+0x328/0x630
[ 35.756682]  ret_from_fork+0x10/0x20
[ 35.757454]
[ 35.757639] Allocated by task 238:
[ 35.757755]  kasan_save_stack+0x3c/0x68
[ 35.758689]  kasan_save_track+0x20/0x40
[ 35.759027]  kasan_save_alloc_info+0x40/0x58
[ 35.759487]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 35.759630]  remove_element+0x130/0x1f8
[ 35.759877]  mempool_alloc_preallocated+0x58/0xc0
[ 35.760003]  mempool_uaf_helper+0xa4/0x340
[ 35.760158]  mempool_kmalloc_uaf+0xc4/0x120
[ 35.760369]  kunit_try_run_case+0x170/0x3f0
[ 35.760487]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.760997]  kthread+0x328/0x630
[ 35.761181]  ret_from_fork+0x10/0x20
[ 35.761294]
[ 35.761375] Freed by task 238:
[ 35.761477]  kasan_save_stack+0x3c/0x68
[ 35.761586]  kasan_save_track+0x20/0x40
[ 35.761683]  kasan_save_free_info+0x4c/0x78
[ 35.761772]  __kasan_mempool_poison_object+0xc0/0x150
[ 35.761875]  mempool_free+0x28c/0x328
[ 35.761983]  mempool_uaf_helper+0x104/0x340
[ 35.762093]  mempool_kmalloc_uaf+0xc4/0x120
[ 35.762211]  kunit_try_run_case+0x170/0x3f0
[ 35.762319]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.762449]  kthread+0x328/0x630
[ 35.762548]  ret_from_fork+0x10/0x20
[ 35.762659]
[ 35.762739] The buggy address belongs to the object at fff00000c7732d00
[ 35.762739]  which belongs to the cache kmalloc-128 of size 128
[ 35.762880] The buggy address is located 0 bytes inside of
[ 35.762880]  freed 128-byte region [fff00000c7732d00, fff00000c7732d80)
[ 35.763399]
[ 35.763534] The buggy address belongs to the physical page:
[ 35.763622] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107732
[ 35.765068] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 35.765349] page_type: f5(slab)
[ 35.765470] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 35.766171] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 35.766576] page dumped because: kasan: bad access detected
[ 35.766906]
[ 35.767271] Memory state around the buggy address:
[ 35.767699]  fff00000c7732c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.767862]  fff00000c7732c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.768065] >fff00000c7732d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.768223]                    ^
[ 35.768380]  fff00000c7732d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.768968]  fff00000c7732e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.769344] ==================================================================
[ 35.846052] ==================================================================
[ 35.846214] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 35.846544] Read of size 1 at addr fff00000c77e5240 by task kunit_try_catch/242
[ 35.846719]
[ 35.846803] CPU: 0 UID: 0 PID: 242 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 35.847764] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 35.848119] Hardware name: linux,dummy-virt (DT)
[ 35.848211] Call trace:
[ 35.848277]  show_stack+0x20/0x38 (C)
[ 35.848411]  dump_stack_lvl+0x8c/0xd0
[ 35.848908]  print_report+0x118/0x608
[ 35.849202]  kasan_report+0xdc/0x128
[ 35.849323]  __asan_report_load1_noabort+0x20/0x30
[ 35.850400]  mempool_uaf_helper+0x314/0x340
[ 35.851232]  mempool_slab_uaf+0xc0/0x118
[ 35.852002]  kunit_try_run_case+0x170/0x3f0
[ 35.852424]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.852860]  kthread+0x328/0x630
[ 35.854081]  ret_from_fork+0x10/0x20
[ 35.854533]
[ 35.854946] Allocated by task 242:
[ 35.855033]  kasan_save_stack+0x3c/0x68
[ 35.855525]  kasan_save_track+0x20/0x40
[ 35.856160]  kasan_save_alloc_info+0x40/0x58
[ 35.856634]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 35.857035]  remove_element+0x16c/0x1f8
[ 35.857488]  mempool_alloc_preallocated+0x58/0xc0
[ 35.857735]  mempool_uaf_helper+0xa4/0x340
[ 35.858460]  mempool_slab_uaf+0xc0/0x118
[ 35.859403]  kunit_try_run_case+0x170/0x3f0
[ 35.859520]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.860261]  kthread+0x328/0x630
[ 35.860355]  ret_from_fork+0x10/0x20
[ 35.860454]
[ 35.860500] Freed by task 242:
[ 35.862035]  kasan_save_stack+0x3c/0x68
[ 35.862514]  kasan_save_track+0x20/0x40
[ 35.862617]  kasan_save_free_info+0x4c/0x78
[ 35.863291]  __kasan_mempool_poison_object+0xc0/0x150
[ 35.863575]  mempool_free+0x28c/0x328
[ 35.863670]  mempool_uaf_helper+0x104/0x340
[ 35.863767]  mempool_slab_uaf+0xc0/0x118
[ 35.863875]  kunit_try_run_case+0x170/0x3f0
[ 35.865992]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.866917]  kthread+0x328/0x630
[ 35.867010]  ret_from_fork+0x10/0x20
[ 35.867768]
[ 35.867822] The buggy address belongs to the object at fff00000c77e5240
[ 35.867822]  which belongs to the cache test_cache of size 123
[ 35.868865] The buggy address is located 0 bytes inside of
[ 35.868865]  freed 123-byte region [fff00000c77e5240, fff00000c77e52bb)
[ 35.869585]
[ 35.870136] The buggy address belongs to the physical page:
[ 35.870285] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e5
[ 35.871240] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 35.871465] page_type: f5(slab)
[ 35.871572] raw: 0bfffe0000000000 fff00000c77d6640 dead000000000122 0000000000000000
[ 35.871699] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 35.871801] page dumped because: kasan: bad access detected
[ 35.873797]
[ 35.873948] Memory state around the buggy address:
[ 35.874319]  fff00000c77e5100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 35.874442]  fff00000c77e5180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.874548] >fff00000c77e5200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 35.875265]                                            ^
[ 35.875666]  fff00000c77e5280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 35.875770]  fff00000c77e5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.875869] ==================================================================
```
qemu-x86_64

```
[ 31.103488] ==================================================================
[ 31.104528] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 31.105323] Read of size 1 at addr ffff888102df3240 by task kunit_try_catch/261
[ 31.105882]
[ 31.106166] CPU: 0 UID: 0 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 31.106406] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.106454] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.106535] Call Trace:
[ 31.106586]  <TASK>
[ 31.106676]  dump_stack_lvl+0x73/0xb0
[ 31.106788]  print_report+0xd1/0x650
[ 31.106864]  ? __virt_addr_valid+0x1db/0x2d0
[ 31.106929]  ? mempool_uaf_helper+0x392/0x400
[ 31.106981]  ? kasan_complete_mode_report_info+0x64/0x200
[ 31.107023]  ? mempool_uaf_helper+0x392/0x400
[ 31.107059]  kasan_report+0x141/0x180
[ 31.107142]  ? mempool_uaf_helper+0x392/0x400
[ 31.107191]  __asan_report_load1_noabort+0x18/0x20
[ 31.107225]  mempool_uaf_helper+0x392/0x400
[ 31.107257]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 31.107290]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 31.107322]  ? finish_task_switch.isra.0+0x153/0x700
[ 31.107359]  mempool_slab_uaf+0xea/0x140
[ 31.107389]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 31.107422]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 31.107453]  ? __pfx_mempool_free_slab+0x10/0x10
[ 31.107486]  ? __pfx_read_tsc+0x10/0x10
[ 31.107515]  ? ktime_get_ts64+0x86/0x230
[ 31.107570]  kunit_try_run_case+0x1a5/0x480
[ 31.107606]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.107658]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 31.107698]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 31.107733]  ? __kthread_parkme+0x82/0x180
[ 31.107762]  ? preempt_count_sub+0x50/0x80
[ 31.107793]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.107837]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.107869]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 31.107901]  kthread+0x337/0x6f0
[ 31.107928]  ? trace_preempt_on+0x20/0xc0
[ 31.107959]  ? __pfx_kthread+0x10/0x10
[ 31.107986]  ? _raw_spin_unlock_irq+0x47/0x80
[ 31.108016]  ? calculate_sigpending+0x7b/0xa0
[ 31.108048]  ? __pfx_kthread+0x10/0x10
[ 31.108101]  ret_from_fork+0x116/0x1d0
[ 31.108147]  ? __pfx_kthread+0x10/0x10
[ 31.108192]  ret_from_fork_asm+0x1a/0x30
[ 31.108258]  </TASK>
[ 31.108281]
[ 31.125930] Allocated by task 261:
[ 31.126513]  kasan_save_stack+0x45/0x70
[ 31.126945]  kasan_save_track+0x18/0x40
[ 31.127562]  kasan_save_alloc_info+0x3b/0x50
[ 31.127935]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 31.128654]  remove_element+0x11e/0x190
[ 31.128992]  mempool_alloc_preallocated+0x4d/0x90
[ 31.129704]  mempool_uaf_helper+0x96/0x400
[ 31.130129]  mempool_slab_uaf+0xea/0x140
[ 31.130482]  kunit_try_run_case+0x1a5/0x480
[ 31.130763]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.131748]  kthread+0x337/0x6f0
[ 31.132123]  ret_from_fork+0x116/0x1d0
[ 31.132984]  ret_from_fork_asm+0x1a/0x30
[ 31.133570]
[ 31.133854] Freed by task 261:
[ 31.134443]  kasan_save_stack+0x45/0x70
[ 31.134808]  kasan_save_track+0x18/0x40
[ 31.135397]  kasan_save_free_info+0x3f/0x60
[ 31.135850]  __kasan_mempool_poison_object+0x131/0x1d0
[ 31.136625]  mempool_free+0x2ec/0x380
[ 31.137075]  mempool_uaf_helper+0x11a/0x400
[ 31.137442]  mempool_slab_uaf+0xea/0x140
[ 31.137903]  kunit_try_run_case+0x1a5/0x480
[ 31.138319]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.138895]  kthread+0x337/0x6f0
[ 31.139405]  ret_from_fork+0x116/0x1d0
[ 31.139811]  ret_from_fork_asm+0x1a/0x30
[ 31.140341]
[ 31.140566] The buggy address belongs to the object at ffff888102df3240
[ 31.140566]  which belongs to the cache test_cache of size 123
[ 31.141859] The buggy address is located 0 bytes inside of
[ 31.141859]  freed 123-byte region [ffff888102df3240, ffff888102df32bb)
[ 31.142880]
[ 31.143193] The buggy address belongs to the physical page:
[ 31.143669] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102df3
[ 31.144536] flags: 0x200000000000000(node=0|zone=2)
[ 31.145021] page_type: f5(slab)
[ 31.145415] raw: 0200000000000000 ffff888102de7500 dead000000000122 0000000000000000
[ 31.146003] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 31.146575] page dumped because: kasan: bad access detected
[ 31.147404]
[ 31.147791] Memory state around the buggy address:
[ 31.148427]  ffff888102df3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.148975]  ffff888102df3180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.149737] >ffff888102df3200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 31.150419]                                            ^
[ 31.150731]  ffff888102df3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.151726]  ffff888102df3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.152344] ==================================================================
[ 31.009907] ==================================================================
[ 31.010595] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 31.011258] Read of size 1 at addr ffff888102dcfe00 by task kunit_try_catch/257
[ 31.011777]
[ 31.012119] CPU: 0 UID: 0 PID: 257 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 31.012238] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.012270] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.012350] Call Trace:
[ 31.012398]  <TASK>
[ 31.012439]  dump_stack_lvl+0x73/0xb0
[ 31.012519]  print_report+0xd1/0x650
[ 31.012604]  ? __virt_addr_valid+0x1db/0x2d0
[ 31.012670]  ? mempool_uaf_helper+0x392/0x400
[ 31.012728]  ? kasan_complete_mode_report_info+0x64/0x200
[ 31.012818]  ? mempool_uaf_helper+0x392/0x400
[ 31.012879]  kasan_report+0x141/0x180
[ 31.012942]  ? mempool_uaf_helper+0x392/0x400
[ 31.013013]  __asan_report_load1_noabort+0x18/0x20
[ 31.013070]  mempool_uaf_helper+0x392/0x400
[ 31.013126]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 31.013186]  ? kasan_save_track+0x18/0x40
[ 31.013271]  ? kasan_save_alloc_info+0x3b/0x50
[ 31.013329]  ? kasan_save_stack+0x45/0x70
[ 31.013392]  mempool_kmalloc_uaf+0xef/0x140
[ 31.013474]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 31.013535]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 31.013615]  ? __pfx_mempool_kfree+0x10/0x10
[ 31.013679]  ? __pfx_read_tsc+0x10/0x10
[ 31.013740]  ? ktime_get_ts64+0x86/0x230
[ 31.013809]  kunit_try_run_case+0x1a5/0x480
[ 31.013858]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.013891]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 31.013926]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 31.013958]  ? __kthread_parkme+0x82/0x180
[ 31.013987]  ? preempt_count_sub+0x50/0x80
[ 31.014018]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.014049]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.014081]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 31.014113]  kthread+0x337/0x6f0
[ 31.014139]  ? trace_preempt_on+0x20/0xc0
[ 31.014170]  ? __pfx_kthread+0x10/0x10
[ 31.014197]  ? _raw_spin_unlock_irq+0x47/0x80
[ 31.014268]  ? calculate_sigpending+0x7b/0xa0
[ 31.014301]  ? __pfx_kthread+0x10/0x10
[ 31.014328]  ret_from_fork+0x116/0x1d0
[ 31.014355]  ? __pfx_kthread+0x10/0x10
[ 31.014381]  ret_from_fork_asm+0x1a/0x30
[ 31.014423]  </TASK>
[ 31.014438]
[ 31.027188] Allocated by task 257:
[ 31.027607]  kasan_save_stack+0x45/0x70
[ 31.028063]  kasan_save_track+0x18/0x40
[ 31.028467]  kasan_save_alloc_info+0x3b/0x50
[ 31.028910]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 31.029514]  remove_element+0x11e/0x190
[ 31.029853]  mempool_alloc_preallocated+0x4d/0x90
[ 31.030337]  mempool_uaf_helper+0x96/0x400
[ 31.030653]  mempool_kmalloc_uaf+0xef/0x140
[ 31.031081]  kunit_try_run_case+0x1a5/0x480
[ 31.031355]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.031765]  kthread+0x337/0x6f0
[ 31.032169]  ret_from_fork+0x116/0x1d0
[ 31.032688]  ret_from_fork_asm+0x1a/0x30
[ 31.033102]
[ 31.033324] Freed by task 257:
[ 31.033592]  kasan_save_stack+0x45/0x70
[ 31.033975]  kasan_save_track+0x18/0x40
[ 31.034263]  kasan_save_free_info+0x3f/0x60
[ 31.034516]  __kasan_mempool_poison_object+0x131/0x1d0
[ 31.035029]  mempool_free+0x2ec/0x380
[ 31.035467]  mempool_uaf_helper+0x11a/0x400
[ 31.035987]  mempool_kmalloc_uaf+0xef/0x140
[ 31.036431]  kunit_try_run_case+0x1a5/0x480
[ 31.036868]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.037177]  kthread+0x337/0x6f0
[ 31.037567]  ret_from_fork+0x116/0x1d0
[ 31.038011]  ret_from_fork_asm+0x1a/0x30
[ 31.038470]
[ 31.038701] The buggy address belongs to the object at ffff888102dcfe00
[ 31.038701]  which belongs to the cache kmalloc-128 of size 128
[ 31.039306] The buggy address is located 0 bytes inside of
[ 31.039306]  freed 128-byte region [ffff888102dcfe00, ffff888102dcfe80)
[ 31.040449]
[ 31.040765] The buggy address belongs to the physical page:
[ 31.041204] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102dcf
[ 31.041620] flags: 0x200000000000000(node=0|zone=2)
[ 31.042165] page_type: f5(slab)
[ 31.042613] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 31.043406] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.044071] page dumped because: kasan: bad access detected
[ 31.044401]
[ 31.044523] Memory state around the buggy address:
[ 31.045021]  ffff888102dcfd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.045854]  ffff888102dcfd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.046398] >ffff888102dcfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.046756]                    ^
[ 31.047009]  ffff888102dcfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.047733]  ffff888102dcff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.048481] ==================================================================
```
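All six reports on this page carry the same markers of an expected KASAN self-test failure: the faulting task is kunit_try_catch, the taint line carries N (TEST), the frame below mempool_uaf_helper is one of the KASAN KUnit cases mempool_kmalloc_uaf or mempool_slab_uaf, and the access sits 0 bytes inside a region the "Memory state" dump already shows as freed (shadow byte fa at the marked address). The script below is an added triage example, not part of this report page or of any kernel tooling. It splits a dmesg excerpt into individual reports (several are concatenated per environment above), pulls out the fields a reviewer checks first, verifies that the faulting address really lies inside the region KASAN says was freed, decodes the shadow byte covering that address, and flags reports that come from the KUnit self-tests. The embedded sample is an excerpt of the qemu-x86_64 mempool_kmalloc_uaf report above with the call trace and page dump dropped. The shadow decoding assumes generic KASAN (CONFIG_KASAN_GENERIC), whose slab shadow values are 0xfa freed with free track, 0xfb freed, 0xfc redzone and 0x00 accessible; the tag-based modes dump memory tags instead and this decoder does not apply to them.

```python
import re
from collections import namedtuple

# Excerpt of the qemu-x86_64 mempool_kmalloc_uaf report on this page (the
# call trace and page dump are omitted; nothing here is invented).
SAMPLE_REPORT = """\
[   31.009907] ==================================================================
[   31.010595] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   31.011258] Read of size 1 at addr ffff888102dcfe00 by task kunit_try_catch/257
[   31.012119] CPU: 0 UID: 0 PID: 257 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[   31.012238] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.038701] The buggy address belongs to the object at ffff888102dcfe00
[   31.038701]  which belongs to the cache kmalloc-128 of size 128
[   31.039306] The buggy address is located 0 bytes inside of
[   31.039306]  freed 128-byte region [ffff888102dcfe00, ffff888102dcfe80)
[   31.044523] Memory state around the buggy address:
[   31.045854]  ffff888102dcfd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.046398] >ffff888102dcfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.046756]                    ^
[   31.047009]  ffff888102dcfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.048481] ==================================================================
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
SHADOW_LINE = re.compile(r"^[> ]*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)
# Generic KASAN shadow values for slab memory (mm/kasan/kasan.h); 1..7 means
# only the first N bytes of the 8-byte granule are accessible.
SHADOW_MEANING = {0x00: "accessible", 0xFA: "freed, free-track stored",
                  0xFB: "freed", 0xFC: "slab redzone"}

# region is (start, end) with end exclusive; shadow maps each dumped
# 128-byte-aligned row base to its 16 shadow bytes.
KasanReport = namedtuple("KasanReport",
    "bug func access size addr comm pid taint cache region shadow")


def strip_timestamps(text):
    return [TIMESTAMP.sub("", ln).rstrip() for ln in text.splitlines()]


def split_reports(text):
    """One list of lines per report; a dmesg may carry several back to back."""
    reports, cur = [], None
    for line in strip_timestamps(text):
        if line.startswith("====="):
            if cur is None:
                cur = []                 # opening rule of a report
            else:
                reports.append(cur)      # closing rule
                cur = None
        elif cur is not None:
            cur.append(line)
    return reports


def parse_report(lines):
    text = "\n".join(lines)
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    taint = re.search(r"Tainted: ([A-Z ]+?)\s+\d+\.\d+", text)   # letters on the CPU line
    cache = re.search(r"cache (\S+) of size \d+", text)
    region = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if not (bug and acc and cache and region):
        raise ValueError("not a complete KASAN slab report")
    shadow = {int(m.group(1), 16): bytes.fromhex(m.group(2).replace(" ", ""))
              for m in SHADOW_LINE.finditer(text)}
    return KasanReport(
        bug=bug.group(1), func=bug.group(2), access=acc.group(1),
        size=int(acc.group(2)), addr=int(acc.group(3), 16),
        comm=acc.group(4), pid=int(acc.group(5)),
        taint=set(taint.group(1).split()) if taint else set(),
        cache=cache.group(1),
        region=(int(region.group(1), 16), int(region.group(2), 16)),
        shadow=shadow)


def access_offset(rep):
    """Offset of the access inside the object, and whether it fits in it."""
    start, end = rep.region
    off = rep.addr - start
    return off, 0 <= off and rep.addr + rep.size <= end


def shadow_state(rep):
    """Decode the shadow byte covering rep.addr from the 'Memory state' rows."""
    base = rep.addr & ~0x7F             # each row covers 16 granules of 8 bytes
    val = rep.shadow[base][(rep.addr - base) >> 3]
    if 1 <= val <= 7:
        return val, f"first {val} bytes of granule accessible"
    return val, SHADOW_MEANING.get(val, "other")


def is_kunit_selftest(rep):
    """KASAN's KUnit cases run in kunit_try_catch with the TEST taint and
    trigger the report on purpose; anything else deserves a real look."""
    return "N" in rep.taint and rep.comm == "kunit_try_catch"


def triage(text):
    out = []
    for lines in split_reports(text):
        rep = parse_report(lines)
        off, inside = access_offset(rep)
        val, meaning = shadow_state(rep)
        out.append({"bug": rep.bug, "func": rep.func, "cache": rep.cache,
                    "offset": off, "inside_object": inside,
                    "shadow": f"0x{val:02x} ({meaning})",
                    "selftest": is_kunit_selftest(rep)})
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry)
```

The selftest flag is a triage hint, not a verdict: it only says the report was produced under the KUnit runner with the TEST taint set, so the function names in the trace (here mempool_kmalloc_uaf and mempool_slab_uaf) are still what confirms the access was deliberate.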