Date
June 26, 2025, 9:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[   48.775173] ==================================================================
[   48.787100] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   48.794337] Read of size 1 at addr ffff000093786240 by task kunit_try_catch/317
[   48.801748]
[   48.803288] CPU: 0 UID: 0 PID: 317 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[   48.803326] Tainted: [B]=BAD_PAGE, [N]=TEST
[   48.803337] Hardware name: Thundercomm Dragonboard 845c (DT)
[   48.803353] Call trace:
[   48.803361]  show_stack+0x20/0x38 (C)
[   48.803385]  dump_stack_lvl+0x8c/0xd0
[   48.803409]  print_report+0x118/0x608
[   48.803432]  kasan_report+0xdc/0x128
[   48.803453]  __asan_report_load1_noabort+0x20/0x30
[   48.803472]  mempool_uaf_helper+0x314/0x340
[   48.803491]  mempool_slab_uaf+0xc0/0x118
[   48.803513]  kunit_try_run_case+0x170/0x3f0
[   48.803537]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.803561]  kthread+0x328/0x630
[   48.803579]  ret_from_fork+0x10/0x20
[   48.803601]
[   48.873292] Allocated by task 317:
[   48.876754]  kasan_save_stack+0x3c/0x68
[   48.880662]  kasan_save_track+0x20/0x40
[   48.884572]  kasan_save_alloc_info+0x40/0x58
[   48.888909]  __kasan_mempool_unpoison_object+0xbc/0x180
[   48.894225]  remove_element+0x16c/0x1f8
[   48.898134]  mempool_alloc_preallocated+0x58/0xc0
[   48.902916]  mempool_uaf_helper+0xa4/0x340
[   48.907082]  mempool_slab_uaf+0xc0/0x118
[   48.911077]  kunit_try_run_case+0x170/0x3f0
[   48.915328]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.920894]  kthread+0x328/0x630
[   48.924185]  ret_from_fork+0x10/0x20
[   48.927825]
[   48.929362] Freed by task 317:
[   48.932474]  kasan_save_stack+0x3c/0x68
[   48.936382]  kasan_save_track+0x20/0x40
[   48.940289]  kasan_save_free_info+0x4c/0x78
[   48.944540]  __kasan_mempool_poison_object+0xc0/0x150
[   48.949670]  mempool_free+0x28c/0x328
[   48.953403]  mempool_uaf_helper+0x104/0x340
[   48.957656]  mempool_slab_uaf+0xc0/0x118
[   48.961652]  kunit_try_run_case+0x170/0x3f0
[   48.965904]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.971477]  kthread+0x328/0x630
[   48.974769]  ret_from_fork+0x10/0x20
[   48.978418]
[   48.979955] The buggy address belongs to the object at ffff000093786240
[   48.979955]  which belongs to the cache test_cache of size 123
[   48.992527] The buggy address is located 0 bytes inside of
[   48.992527]  freed 123-byte region [ffff000093786240, ffff0000937862bb)
[   49.004759]
[   49.006290] The buggy address belongs to the physical page:
[   49.011946] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113786
[   49.020059] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   49.026676] page_type: f5(slab)
[   49.029883] raw: 0bfffe0000000000 ffff000096528280 dead000000000122 0000000000000000
[   49.037726] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   49.045565] page dumped because: kasan: bad access detected
[   49.051213]
[   49.052749] Memory state around the buggy address:
[   49.057612]  ffff000093786100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   49.064933]  ffff000093786180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.072256] >ffff000093786200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   49.079572]                                            ^
[   49.084959]  ffff000093786280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   49.092283]  ffff000093786300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.099597] ==================================================================
[   48.160555] ==================================================================
[   48.172255] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   48.179500] Read of size 1 at addr ffff000080dbc900 by task kunit_try_catch/313
[   48.186911]
[   48.188458] CPU: 1 UID: 0 PID: 313 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[   48.188497] Tainted: [B]=BAD_PAGE, [N]=TEST
[   48.188509] Hardware name: Thundercomm Dragonboard 845c (DT)
[   48.188525] Call trace:
[   48.188534]  show_stack+0x20/0x38 (C)
[   48.188558]  dump_stack_lvl+0x8c/0xd0
[   48.188581]  print_report+0x118/0x608
[   48.188604]  kasan_report+0xdc/0x128
[   48.188624]  __asan_report_load1_noabort+0x20/0x30
[   48.188644]  mempool_uaf_helper+0x314/0x340
[   48.188663]  mempool_kmalloc_uaf+0xc4/0x120
[   48.188683]  kunit_try_run_case+0x170/0x3f0
[   48.188708]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.188730]  kthread+0x328/0x630
[   48.188748]  ret_from_fork+0x10/0x20
[   48.188771]
[   48.258738] Allocated by task 313:
[   48.262198]  kasan_save_stack+0x3c/0x68
[   48.266108]  kasan_save_track+0x20/0x40
[   48.270016]  kasan_save_alloc_info+0x40/0x58
[   48.274352]  __kasan_mempool_unpoison_object+0x11c/0x180
[   48.279748]  remove_element+0x130/0x1f8
[   48.283656]  mempool_alloc_preallocated+0x58/0xc0
[   48.288443]  mempool_uaf_helper+0xa4/0x340
[   48.292605]  mempool_kmalloc_uaf+0xc4/0x120
[   48.296856]  kunit_try_run_case+0x170/0x3f0
[   48.301109]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.306679]  kthread+0x328/0x630
[   48.309970]  ret_from_fork+0x10/0x20
[   48.313618]
[   48.315147] Freed by task 313:
[   48.318258]  kasan_save_stack+0x3c/0x68
[   48.322165]  kasan_save_track+0x20/0x40
[   48.326074]  kasan_save_free_info+0x4c/0x78
[   48.330333]  __kasan_mempool_poison_object+0xc0/0x150
[   48.335463]  mempool_free+0x28c/0x328
[   48.339197]  mempool_uaf_helper+0x104/0x340
[   48.343457]  mempool_kmalloc_uaf+0xc4/0x120
[   48.347708]  kunit_try_run_case+0x170/0x3f0
[   48.351967]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.357534]  kthread+0x328/0x630
[   48.360823]  ret_from_fork+0x10/0x20
[   48.364468]
[   48.365999] The buggy address belongs to the object at ffff000080dbc900
[   48.365999]  which belongs to the cache kmalloc-128 of size 128
[   48.378659] The buggy address is located 0 bytes inside of
[   48.378659]  freed 128-byte region [ffff000080dbc900, ffff000080dbc980)
[   48.390887]
[   48.392422] The buggy address belongs to the physical page:
[   48.398074] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100dbc
[   48.406183] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   48.413945] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   48.421017] page_type: f5(slab)
[   48.424223] raw: 0bfffe0000000040 ffff000080002a00 dead000000000100 dead000000000122
[   48.432066] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   48.439908] head: 0bfffe0000000040 ffff000080002a00 dead000000000100 dead000000000122
[   48.447844] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   48.455782] head: 0bfffe0000000001 fffffdffc2036f01 00000000ffffffff 00000000ffffffff
[   48.463718] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   48.471649] page dumped because: kasan: bad access detected
[   48.477302]
[   48.478831] Memory state around the buggy address:
[   48.483691]  ffff000080dbc800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.491012]  ffff000080dbc880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.498330] >ffff000080dbc900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.505648]                    ^
[   48.508932]  ffff000080dbc980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.516254]  ffff000080dbca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   48.523564] ==================================================================
```
```
[   28.855027] ==================================================================
[   28.855128] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.855206] Read of size 1 at addr fff00000c5773100 by task kunit_try_catch/239
[   28.855265]
[   28.855327] CPU: 0 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[   28.855443] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.855480] Hardware name: linux,dummy-virt (DT)
[   28.855512] Call trace:
[   28.855545]  show_stack+0x20/0x38 (C)
[   28.855598]  dump_stack_lvl+0x8c/0xd0
[   28.855684]  print_report+0x118/0x608
[   28.855804]  kasan_report+0xdc/0x128
[   28.855877]  __asan_report_load1_noabort+0x20/0x30
[   28.856015]  mempool_uaf_helper+0x314/0x340
[   28.856155]  mempool_kmalloc_uaf+0xc4/0x120
[   28.856273]  kunit_try_run_case+0x170/0x3f0
[   28.856323]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.856441]  kthread+0x328/0x630
[   28.856484]  ret_from_fork+0x10/0x20
[   28.856557]
[   28.856577] Allocated by task 239:
[   28.856604]  kasan_save_stack+0x3c/0x68
[   28.856647]  kasan_save_track+0x20/0x40
[   28.856684]  kasan_save_alloc_info+0x40/0x58
[   28.856756]  __kasan_mempool_unpoison_object+0x11c/0x180
[   28.856801]  remove_element+0x130/0x1f8
[   28.856851]  mempool_alloc_preallocated+0x58/0xc0
[   28.856901]  mempool_uaf_helper+0xa4/0x340
[   28.856953]  mempool_kmalloc_uaf+0xc4/0x120
[   28.856992]  kunit_try_run_case+0x170/0x3f0
[   28.857030]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.857116]  kthread+0x328/0x630
[   28.857147]  ret_from_fork+0x10/0x20
[   28.857264]
[   28.857401] Freed by task 239:
[   28.857472]  kasan_save_stack+0x3c/0x68
[   28.857539]  kasan_save_track+0x20/0x40
[   28.857615]  kasan_save_free_info+0x4c/0x78
[   28.857687]  __kasan_mempool_poison_object+0xc0/0x150
[   28.857730]  mempool_free+0x28c/0x328
[   28.857765]  mempool_uaf_helper+0x104/0x340
[   28.857803]  mempool_kmalloc_uaf+0xc4/0x120
[   28.857873]  kunit_try_run_case+0x170/0x3f0
[   28.857912]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.857968]  kthread+0x328/0x630
[   28.858012]  ret_from_fork+0x10/0x20
[   28.858110]
[   28.858129] The buggy address belongs to the object at fff00000c5773100
[   28.858129]  which belongs to the cache kmalloc-128 of size 128
[   28.858203] The buggy address is located 0 bytes inside of
[   28.858203]  freed 128-byte region [fff00000c5773100, fff00000c5773180)
[   28.858525]
[   28.858585] The buggy address belongs to the physical page:
[   28.858619] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105773
[   28.858676] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.858877] page_type: f5(slab)
[   28.858989] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   28.859066] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.859107] page dumped because: kasan: bad access detected
[   28.859138]
[   28.859156] Memory state around the buggy address:
[   28.859208]  fff00000c5773000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.859251]  fff00000c5773080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.859304] >fff00000c5773100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.859375]                    ^
[   28.859402]  fff00000c5773180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.859453]  fff00000c5773200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.859491] ==================================================================
[   28.893579] ==================================================================
[   28.893648] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   28.893707] Read of size 1 at addr fff00000c5731240 by task kunit_try_catch/243
[   28.895603]
[   28.895763] CPU: 0 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[   28.896240] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.896282] Hardware name: linux,dummy-virt (DT)
[   28.896412] Call trace:
[   28.896595]  show_stack+0x20/0x38 (C)
[   28.896770]  dump_stack_lvl+0x8c/0xd0
[   28.896824]  print_report+0x118/0x608
[   28.896870]  kasan_report+0xdc/0x128
[   28.896916]  __asan_report_load1_noabort+0x20/0x30
[   28.896963]  mempool_uaf_helper+0x314/0x340
[   28.897207]  mempool_slab_uaf+0xc0/0x118
[   28.897701]  kunit_try_run_case+0x170/0x3f0
[   28.897758]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.898091]  kthread+0x328/0x630
[   28.898165]  ret_from_fork+0x10/0x20
[   28.898216]
[   28.898401] Allocated by task 243:
[   28.898509]  kasan_save_stack+0x3c/0x68
[   28.898957]  kasan_save_track+0x20/0x40
[   28.899142]  kasan_save_alloc_info+0x40/0x58
[   28.899178]  __kasan_mempool_unpoison_object+0xbc/0x180
[   28.899223]  remove_element+0x16c/0x1f8
[   28.899665]  mempool_alloc_preallocated+0x58/0xc0
[   28.899872]  mempool_uaf_helper+0xa4/0x340
[   28.899925]  mempool_slab_uaf+0xc0/0x118
[   28.899969]  kunit_try_run_case+0x170/0x3f0
[   28.900007]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.900050]  kthread+0x328/0x630
[   28.900091]  ret_from_fork+0x10/0x20
[   28.900715]
[   28.900743] Freed by task 243:
[   28.900771]  kasan_save_stack+0x3c/0x68
[   28.900940]  kasan_save_track+0x20/0x40
[   28.900985]  kasan_save_free_info+0x4c/0x78
[   28.901228]  __kasan_mempool_poison_object+0xc0/0x150
[   28.901421]  mempool_free+0x28c/0x328
[   28.901743]  mempool_uaf_helper+0x104/0x340
[   28.901784]  mempool_slab_uaf+0xc0/0x118
[   28.901821]  kunit_try_run_case+0x170/0x3f0
[   28.902220]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.902642]  kthread+0x328/0x630
[   28.902947]  ret_from_fork+0x10/0x20
[   28.903299]
[   28.903321] The buggy address belongs to the object at fff00000c5731240
[   28.903321]  which belongs to the cache test_cache of size 123
[   28.903710] The buggy address is located 0 bytes inside of
[   28.903710]  freed 123-byte region [fff00000c5731240, fff00000c57312bb)
[   28.904088]
[   28.904262] The buggy address belongs to the physical page:
[   28.904473] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105731
[   28.904715] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.904882] page_type: f5(slab)
[   28.905142] raw: 0bfffe0000000000 fff00000c56d4780 dead000000000122 0000000000000000
[   28.905345] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   28.905427] page dumped because: kasan: bad access detected
[   28.905472]
[   28.905490] Memory state around the buggy address:
[   28.905768]  fff00000c5731100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.905868]  fff00000c5731180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.905912] >fff00000c5731200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   28.906171]                                            ^
[   28.906489]  fff00000c5731280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.906543]  fff00000c5731300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.906774] ==================================================================
```
```
[   23.701590] ==================================================================
[   23.702939] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   23.703862] Read of size 1 at addr ffff8881024e6240 by task kunit_try_catch/260
[   23.704258]
[   23.704357] CPU: 0 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[   23.704412] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.704426] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.704450] Call Trace:
[   23.704466]  <TASK>
[   23.704488]  dump_stack_lvl+0x73/0xb0
[   23.704524]  print_report+0xd1/0x650
[   23.704547]  ? __virt_addr_valid+0x1db/0x2d0
[   23.704574]  ? mempool_uaf_helper+0x392/0x400
[   23.704596]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.704621]  ? mempool_uaf_helper+0x392/0x400
[   23.704641]  kasan_report+0x141/0x180
[   23.704665]  ? mempool_uaf_helper+0x392/0x400
[   23.704690]  __asan_report_load1_noabort+0x18/0x20
[   23.704712]  mempool_uaf_helper+0x392/0x400
[   23.704734]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   23.704754]  ? update_load_avg+0x1be/0x21b0
[   23.704782]  ? finish_task_switch.isra.0+0x153/0x700
[   23.704809]  mempool_slab_uaf+0xea/0x140
[   23.704831]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   23.704855]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   23.704880]  ? __pfx_mempool_free_slab+0x10/0x10
[   23.704905]  ? __pfx_read_tsc+0x10/0x10
[   23.704928]  ? ktime_get_ts64+0x86/0x230
[   23.704952]  kunit_try_run_case+0x1a5/0x480
[   23.704979]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.705001]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.705028]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.705052]  ? __kthread_parkme+0x82/0x180
[   23.705073]  ? preempt_count_sub+0x50/0x80
[   23.705095]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.705119]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.705143]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.705168]  kthread+0x337/0x6f0
[   23.705189]  ? trace_preempt_on+0x20/0xc0
[   23.705214]  ? __pfx_kthread+0x10/0x10
[   23.705245]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.705268]  ? calculate_sigpending+0x7b/0xa0
[   23.705293]  ? __pfx_kthread+0x10/0x10
[   23.705314]  ret_from_fork+0x116/0x1d0
[   23.705333]  ? __pfx_kthread+0x10/0x10
[   23.705352]  ret_from_fork_asm+0x1a/0x30
[   23.705385]  </TASK>
[   23.705398]
[   23.717482] Allocated by task 260:
[   23.717770]  kasan_save_stack+0x45/0x70
[   23.718064]  kasan_save_track+0x18/0x40
[   23.718234]  kasan_save_alloc_info+0x3b/0x50
[   23.718387]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   23.718599]  remove_element+0x11e/0x190
[   23.718757]  mempool_alloc_preallocated+0x4d/0x90
[   23.718981]  mempool_uaf_helper+0x96/0x400
[   23.719263]  mempool_slab_uaf+0xea/0x140
[   23.719425]  kunit_try_run_case+0x1a5/0x480
[   23.719628]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.719849]  kthread+0x337/0x6f0
[   23.719995]  ret_from_fork+0x116/0x1d0
[   23.720185]  ret_from_fork_asm+0x1a/0x30
[   23.720399]
[   23.720465] Freed by task 260:
[   23.720734]  kasan_save_stack+0x45/0x70
[   23.721239]  kasan_save_track+0x18/0x40
[   23.721383]  kasan_save_free_info+0x3f/0x60
[   23.721682]  __kasan_mempool_poison_object+0x131/0x1d0
[   23.722033]  mempool_free+0x2ec/0x380
[   23.722239]  mempool_uaf_helper+0x11a/0x400
[   23.722382]  mempool_slab_uaf+0xea/0x140
[   23.722809]  kunit_try_run_case+0x1a5/0x480
[   23.722997]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.723227]  kthread+0x337/0x6f0
[   23.723343]  ret_from_fork+0x116/0x1d0
[   23.723520]  ret_from_fork_asm+0x1a/0x30
[   23.723725]
[   23.723852] The buggy address belongs to the object at ffff8881024e6240
[   23.723852]  which belongs to the cache test_cache of size 123
[   23.724334] The buggy address is located 0 bytes inside of
[   23.724334]  freed 123-byte region [ffff8881024e6240, ffff8881024e62bb)
[   23.724949]
[   23.725051] The buggy address belongs to the physical page:
[   23.725274] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024e6
[   23.725599] flags: 0x200000000000000(node=0|zone=2)
[   23.725790] page_type: f5(slab)
[   23.725992] raw: 0200000000000000 ffff8881011068c0 dead000000000122 0000000000000000
[   23.726334] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   23.726634] page dumped because: kasan: bad access detected
[   23.727040]
[   23.727150] Memory state around the buggy address:
[   23.727344]  ffff8881024e6100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.727660]  ffff8881024e6180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.728009] >ffff8881024e6200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   23.728254]                                            ^
[   23.728494]  ffff8881024e6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.728781]  ffff8881024e6300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.729563] ==================================================================
[   23.637240] ==================================================================
[   23.637750] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   23.638591] Read of size 1 at addr ffff8881024e1300 by task kunit_try_catch/256
[   23.638841]
[   23.638932] CPU: 0 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[   23.638987] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.639002] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.639039] Call Trace:
[   23.639056]  <TASK>
[   23.639080]  dump_stack_lvl+0x73/0xb0
[   23.639114]  print_report+0xd1/0x650
[   23.639137]  ? __virt_addr_valid+0x1db/0x2d0
[   23.639164]  ? mempool_uaf_helper+0x392/0x400
[   23.639185]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.639210]  ? mempool_uaf_helper+0x392/0x400
[   23.639241]  kasan_report+0x141/0x180
[   23.639264]  ? mempool_uaf_helper+0x392/0x400
[   23.639289]  __asan_report_load1_noabort+0x18/0x20
[   23.639312]  mempool_uaf_helper+0x392/0x400
[   23.639334]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   23.639354]  ? update_load_avg+0x1be/0x21b0
[   23.639412]  ? dequeue_entities+0x27e/0x1740
[   23.639437]  ? finish_task_switch.isra.0+0x153/0x700
[   23.639464]  mempool_kmalloc_uaf+0xef/0x140
[   23.639485]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   23.639509]  ? __pfx_mempool_kmalloc+0x10/0x10
[   23.639534]  ? __pfx_mempool_kfree+0x10/0x10
[   23.639560]  ? __pfx_read_tsc+0x10/0x10
[   23.639583]  ? ktime_get_ts64+0x86/0x230
[   23.639608]  kunit_try_run_case+0x1a5/0x480
[   23.639635]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.639657]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.639684]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.639710]  ? __kthread_parkme+0x82/0x180
[   23.639762]  ? preempt_count_sub+0x50/0x80
[   23.639793]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.639817]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.639841]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.639865]  kthread+0x337/0x6f0
[   23.639884]  ? trace_preempt_on+0x20/0xc0
[   23.639909]  ? __pfx_kthread+0x10/0x10
[   23.639929]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.639952]  ? calculate_sigpending+0x7b/0xa0
[   23.639976]  ? __pfx_kthread+0x10/0x10
[   23.639996]  ret_from_fork+0x116/0x1d0
[   23.640016]  ? __pfx_kthread+0x10/0x10
[   23.640036]  ret_from_fork_asm+0x1a/0x30
[   23.640069]  </TASK>
[   23.640081]
[   23.651993] Allocated by task 256:
[   23.652215]  kasan_save_stack+0x45/0x70
[   23.652732]  kasan_save_track+0x18/0x40
[   23.653030]  kasan_save_alloc_info+0x3b/0x50
[   23.653405]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   23.653632]  remove_element+0x11e/0x190
[   23.654033]  mempool_alloc_preallocated+0x4d/0x90
[   23.654443]  mempool_uaf_helper+0x96/0x400
[   23.654657]  mempool_kmalloc_uaf+0xef/0x140
[   23.655082]  kunit_try_run_case+0x1a5/0x480
[   23.655392]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.655697]  kthread+0x337/0x6f0
[   23.655976]  ret_from_fork+0x116/0x1d0
[   23.656179]  ret_from_fork_asm+0x1a/0x30
[   23.656583]
[   23.656683] Freed by task 256:
[   23.657098]  kasan_save_stack+0x45/0x70
[   23.657321]  kasan_save_track+0x18/0x40
[   23.657627]  kasan_save_free_info+0x3f/0x60
[   23.657964]  __kasan_mempool_poison_object+0x131/0x1d0
[   23.658288]  mempool_free+0x2ec/0x380
[   23.658600]  mempool_uaf_helper+0x11a/0x400
[   23.658900]  mempool_kmalloc_uaf+0xef/0x140
[   23.659286]  kunit_try_run_case+0x1a5/0x480
[   23.659525]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.659941]  kthread+0x337/0x6f0
[   23.660156]  ret_from_fork+0x116/0x1d0
[   23.660321]  ret_from_fork_asm+0x1a/0x30
[   23.660515]
[   23.660607] The buggy address belongs to the object at ffff8881024e1300
[   23.660607]  which belongs to the cache kmalloc-128 of size 128
[   23.661398] The buggy address is located 0 bytes inside of
[   23.661398]  freed 128-byte region [ffff8881024e1300, ffff8881024e1380)
[   23.662150]
[   23.662348] The buggy address belongs to the physical page:
[   23.662552] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024e1
[   23.663111] flags: 0x200000000000000(node=0|zone=2)
[   23.663355] page_type: f5(slab)
[   23.663511] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   23.663831] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.664534] page dumped because: kasan: bad access detected
[   23.664759]
[   23.664825] Memory state around the buggy address:
[   23.665367]  ffff8881024e1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.665765]  ffff8881024e1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.666266] >ffff8881024e1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.666580]                    ^
[   23.666720]  ffff8881024e1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.667010]  ffff8881024e1400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.667602] ==================================================================
```