Hay
Date: July 2, 2025, 11:10 a.m.

Environment: qemu-arm64, qemu-x86_64

[   32.947209] ==================================================================
[   32.947673] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   32.947739] Read of size 1 at addr fff00000c9aec000 by task kunit_try_catch/262
[   32.947792] 
[   32.947823] CPU: 0 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   32.947913] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.947951] Hardware name: linux,dummy-virt (DT)
[   32.947984] Call trace:
[   32.948009]  show_stack+0x20/0x38 (C)
[   32.948058]  dump_stack_lvl+0x8c/0xd0
[   32.948107]  print_report+0x118/0x608
[   32.948154]  kasan_report+0xdc/0x128
[   32.948200]  __asan_report_load1_noabort+0x20/0x30
[   32.948251]  mempool_uaf_helper+0x314/0x340
[   32.948974]  mempool_kmalloc_large_uaf+0xc4/0x120
[   32.949068]  kunit_try_run_case+0x170/0x3f0
[   32.949155]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.949215]  kthread+0x328/0x630
[   32.949376]  ret_from_fork+0x10/0x20
[   32.949701] 
[   32.949725] The buggy address belongs to the physical page:
[   32.950151] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109aec
[   32.950297] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   32.950522] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   32.950859] page_type: f8(unknown)
[   32.950905] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.951221] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.951312] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.951538] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.951593] head: 0bfffe0000000002 ffffc1ffc326bb01 00000000ffffffff 00000000ffffffff
[   32.951761] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   32.951806] page dumped because: kasan: bad access detected
[   32.951838] 
[   32.951897] Memory state around the buggy address:
[   32.951943]  fff00000c9aebf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.952096]  fff00000c9aebf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.952143] >fff00000c9aec000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.952265]                    ^
[   32.952296]  fff00000c9aec080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.952706]  fff00000c9aec100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.952756] ==================================================================
[   33.034793] ==================================================================
[   33.035740] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   33.035894] Read of size 1 at addr fff00000c9aec000 by task kunit_try_catch/266
[   33.036350] 
[   33.037490] CPU: 0 UID: 0 PID: 266 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   33.038365] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.038538] Hardware name: linux,dummy-virt (DT)
[   33.038769] Call trace:
[   33.038836]  show_stack+0x20/0x38 (C)
[   33.039170]  dump_stack_lvl+0x8c/0xd0
[   33.039550]  print_report+0x118/0x608
[   33.039873]  kasan_report+0xdc/0x128
[   33.040040]  __asan_report_load1_noabort+0x20/0x30
[   33.040135]  mempool_uaf_helper+0x314/0x340
[   33.040520]  mempool_page_alloc_uaf+0xc0/0x118
[   33.040663]  kunit_try_run_case+0x170/0x3f0
[   33.040839]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.041099]  kthread+0x328/0x630
[   33.041152]  ret_from_fork+0x10/0x20
[   33.041202] 
[   33.041845] The buggy address belongs to the physical page:
[   33.041947] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109aec
[   33.042300] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.042708] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   33.042829] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   33.043147] page dumped because: kasan: bad access detected
[   33.043247] 
[   33.043440] Memory state around the buggy address:
[   33.043639]  fff00000c9aebf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.043721]  fff00000c9aebf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.043766] >fff00000c9aec000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.044115]                    ^
[   33.044196]  fff00000c9aec080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.044246]  fff00000c9aec100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.044355] ==================================================================

[   34.833727] ==================================================================
[   34.833797] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   34.833881] Read of size 1 at addr fff00000c9af4000 by task kunit_try_catch/264
[   34.833956] 
[   34.833999] CPU: 1 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   34.834092] Tainted: [B]=BAD_PAGE, [N]=TEST
[   34.834121] Hardware name: linux,dummy-virt (DT)
[   34.834168] Call trace:
[   34.834558]  show_stack+0x20/0x38 (C)
[   34.834626]  dump_stack_lvl+0x8c/0xd0
[   34.834690]  print_report+0x118/0x608
[   34.834741]  kasan_report+0xdc/0x128
[   34.834902]  __asan_report_load1_noabort+0x20/0x30
[   34.834956]  mempool_uaf_helper+0x314/0x340
[   34.835010]  mempool_page_alloc_uaf+0xc0/0x118
[   34.835294]  kunit_try_run_case+0x170/0x3f0
[   34.835419]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.835518]  kthread+0x328/0x630
[   34.835696]  ret_from_fork+0x10/0x20
[   34.835762] 
[   34.835786] The buggy address belongs to the physical page:
[   34.835822] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109af4
[   34.835886] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   34.835957] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   34.836008] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   34.836113] page dumped because: kasan: bad access detected
[   34.836174] 
[   34.836218] Memory state around the buggy address:
[   34.836387]  fff00000c9af3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.836467]  fff00000c9af3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.836583] >fff00000c9af4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.836651]                    ^
[   34.836709]  fff00000c9af4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.836753]  fff00000c9af4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.837052] ==================================================================
[   34.785986] ==================================================================
[   34.786134] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   34.786229] Read of size 1 at addr fff00000c9af0000 by task kunit_try_catch/260
[   34.786314] 
[   34.786364] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   34.786458] Tainted: [B]=BAD_PAGE, [N]=TEST
[   34.786495] Hardware name: linux,dummy-virt (DT)
[   34.786529] Call trace:
[   34.786552]  show_stack+0x20/0x38 (C)
[   34.786603]  dump_stack_lvl+0x8c/0xd0
[   34.786654]  print_report+0x118/0x608
[   34.786702]  kasan_report+0xdc/0x128
[   34.786748]  __asan_report_load1_noabort+0x20/0x30
[   34.786797]  mempool_uaf_helper+0x314/0x340
[   34.786845]  mempool_kmalloc_large_uaf+0xc4/0x120
[   34.786896]  kunit_try_run_case+0x170/0x3f0
[   34.786954]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.787010]  kthread+0x328/0x630
[   34.787052]  ret_from_fork+0x10/0x20
[   34.787100] 
[   34.787129] The buggy address belongs to the physical page:
[   34.787454] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109af0
[   34.787709] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   34.787765] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   34.787821] page_type: f8(unknown)
[   34.787861] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   34.787913] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   34.788137] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   34.788434] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   34.788524] head: 0bfffe0000000002 ffffc1ffc326bc01 00000000ffffffff 00000000ffffffff
[   34.788764] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   34.788894] page dumped because: kasan: bad access detected
[   34.788945] 
[   34.788987] Memory state around the buggy address:
[   34.789096]  fff00000c9aeff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.789170]  fff00000c9aeff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.789231] >fff00000c9af0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.789370]                    ^
[   34.789468]  fff00000c9af0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.789575]  fff00000c9af0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.789645] ==================================================================

[   24.888080] ==================================================================
[   24.888896] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   24.889265] Read of size 1 at addr ffff8881060cc000 by task kunit_try_catch/278
[   24.889962] 
[   24.890149] CPU: 1 UID: 0 PID: 278 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   24.890207] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.890221] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.890246] Call Trace:
[   24.890262]  <TASK>
[   24.890283]  dump_stack_lvl+0x73/0xb0
[   24.890315]  print_report+0xd1/0x650
[   24.890339]  ? __virt_addr_valid+0x1db/0x2d0
[   24.890364]  ? mempool_uaf_helper+0x392/0x400
[   24.890387]  ? kasan_addr_to_slab+0x11/0xa0
[   24.890407]  ? mempool_uaf_helper+0x392/0x400
[   24.890429]  kasan_report+0x141/0x180
[   24.890450]  ? mempool_uaf_helper+0x392/0x400
[   24.890477]  __asan_report_load1_noabort+0x18/0x20
[   24.890501]  mempool_uaf_helper+0x392/0x400
[   24.890524]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   24.890546]  ? update_load_avg+0x1be/0x21b0
[   24.890570]  ? update_load_avg+0x1be/0x21b0
[   24.890591]  ? update_curr+0x80/0x810
[   24.890615]  ? finish_task_switch.isra.0+0x153/0x700
[   24.890642]  mempool_kmalloc_large_uaf+0xef/0x140
[   24.890666]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   24.890692]  ? __pfx_mempool_kmalloc+0x10/0x10
[   24.890717]  ? __pfx_mempool_kfree+0x10/0x10
[   24.890741]  ? __pfx_read_tsc+0x10/0x10
[   24.890764]  ? ktime_get_ts64+0x86/0x230
[   24.890789]  kunit_try_run_case+0x1a5/0x480
[   24.890817]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.890842]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.890866]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.890891]  ? __kthread_parkme+0x82/0x180
[   24.890912]  ? preempt_count_sub+0x50/0x80
[   24.890935]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.890961]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.890986]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.891011]  kthread+0x337/0x6f0
[   24.891032]  ? trace_preempt_on+0x20/0xc0
[   24.891056]  ? __pfx_kthread+0x10/0x10
[   24.891088]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.891113]  ? calculate_sigpending+0x7b/0xa0
[   24.891138]  ? __pfx_kthread+0x10/0x10
[   24.891160]  ret_from_fork+0x116/0x1d0
[   24.891188]  ? __pfx_kthread+0x10/0x10
[   24.891209]  ret_from_fork_asm+0x1a/0x30
[   24.891241]  </TASK>
[   24.891254] 
[   24.903402] The buggy address belongs to the physical page:
[   24.903695] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060cc
[   24.904076] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.904538] flags: 0x200000000000040(head|node=0|zone=2)
[   24.904749] page_type: f8(unknown)
[   24.904953] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   24.905304] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   24.905807] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   24.906153] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   24.906429] head: 0200000000000002 ffffea0004183301 00000000ffffffff 00000000ffffffff
[   24.906645] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   24.906944] page dumped because: kasan: bad access detected
[   24.907210] 
[   24.907296] Memory state around the buggy address:
[   24.907472]  ffff8881060cbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.907671]  ffff8881060cbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.908214] >ffff8881060cc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.908625]                    ^
[   24.908815]  ffff8881060cc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.909120]  ffff8881060cc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.909630] ==================================================================
[   24.952602] ==================================================================
[   24.953607] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   24.953907] Read of size 1 at addr ffff8881061f0000 by task kunit_try_catch/282
[   24.954393] 
[   24.954519] CPU: 0 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   24.954577] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.954592] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.954618] Call Trace:
[   24.954634]  <TASK>
[   24.954656]  dump_stack_lvl+0x73/0xb0
[   24.954691]  print_report+0xd1/0x650
[   24.954716]  ? __virt_addr_valid+0x1db/0x2d0
[   24.954744]  ? mempool_uaf_helper+0x392/0x400
[   24.954768]  ? kasan_addr_to_slab+0x11/0xa0
[   24.954789]  ? mempool_uaf_helper+0x392/0x400
[   24.954813]  kasan_report+0x141/0x180
[   24.954838]  ? mempool_uaf_helper+0x392/0x400
[   24.954866]  __asan_report_load1_noabort+0x18/0x20
[   24.954890]  mempool_uaf_helper+0x392/0x400
[   24.954914]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   24.954951]  ? __kasan_check_write+0x18/0x20
[   24.954976]  ? __pfx_sched_clock_cpu+0x10/0x10
[   24.955000]  ? finish_task_switch.isra.0+0x153/0x700
[   24.955027]  mempool_page_alloc_uaf+0xed/0x140
[   24.955053]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   24.955092]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   24.955118]  ? __pfx_mempool_free_pages+0x10/0x10
[   24.955143]  ? __pfx_read_tsc+0x10/0x10
[   24.955166]  ? ktime_get_ts64+0x86/0x230
[   24.955241]  kunit_try_run_case+0x1a5/0x480
[   24.955272]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.955296]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.955320]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.955342]  ? __kthread_parkme+0x82/0x180
[   24.955364]  ? preempt_count_sub+0x50/0x80
[   24.955386]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.955411]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.955436]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.955461]  kthread+0x337/0x6f0
[   24.955481]  ? trace_preempt_on+0x20/0xc0
[   24.955506]  ? __pfx_kthread+0x10/0x10
[   24.955526]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.955551]  ? calculate_sigpending+0x7b/0xa0
[   24.955576]  ? __pfx_kthread+0x10/0x10
[   24.955597]  ret_from_fork+0x116/0x1d0
[   24.955618]  ? __pfx_kthread+0x10/0x10
[   24.955638]  ret_from_fork_asm+0x1a/0x30
[   24.955671]  </TASK>
[   24.955684] 
[   24.964567] The buggy address belongs to the physical page:
[   24.964884] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061f0
[   24.965351] flags: 0x200000000000000(node=0|zone=2)
[   24.965615] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   24.965962] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   24.966321] page dumped because: kasan: bad access detected
[   24.966624] 
[   24.966735] Memory state around the buggy address:
[   24.966963]  ffff8881061eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.967355]  ffff8881061eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.967563] >ffff8881061f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.967762]                    ^
[   24.967871]  ffff8881061f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.968183]  ffff8881061f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.968532] ==================================================================

[   24.690483] ==================================================================
[   24.690877] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   24.691107] Read of size 1 at addr ffff8881060dc000 by task kunit_try_catch/281
[   24.691334] 
[   24.691423] CPU: 0 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   24.691479] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.691493] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.691517] Call Trace:
[   24.691531]  <TASK>
[   24.691553]  dump_stack_lvl+0x73/0xb0
[   24.691583]  print_report+0xd1/0x650
[   24.691607]  ? __virt_addr_valid+0x1db/0x2d0
[   24.691634]  ? mempool_uaf_helper+0x392/0x400
[   24.691656]  ? kasan_addr_to_slab+0x11/0xa0
[   24.691676]  ? mempool_uaf_helper+0x392/0x400
[   24.691698]  kasan_report+0x141/0x180
[   24.691719]  ? mempool_uaf_helper+0x392/0x400
[   24.691745]  __asan_report_load1_noabort+0x18/0x20
[   24.691769]  mempool_uaf_helper+0x392/0x400
[   24.691791]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   24.691814]  ? __kasan_check_write+0x18/0x20
[   24.691837]  ? __pfx_sched_clock_cpu+0x10/0x10
[   24.691859]  ? finish_task_switch.isra.0+0x153/0x700
[   24.691885]  mempool_page_alloc_uaf+0xed/0x140
[   24.691908]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   24.691933]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   24.691957]  ? __pfx_mempool_free_pages+0x10/0x10
[   24.691981]  ? __pfx_read_tsc+0x10/0x10
[   24.692002]  ? ktime_get_ts64+0x86/0x230
[   24.692028]  kunit_try_run_case+0x1a5/0x480
[   24.692054]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.692076]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.692099]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.692120]  ? __kthread_parkme+0x82/0x180
[   24.692141]  ? preempt_count_sub+0x50/0x80
[   24.692162]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.692187]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.692210]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.692235]  kthread+0x337/0x6f0
[   24.692253]  ? trace_preempt_on+0x20/0xc0
[   24.692277]  ? __pfx_kthread+0x10/0x10
[   24.692297]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.692852]  ? calculate_sigpending+0x7b/0xa0
[   24.692896]  ? __pfx_kthread+0x10/0x10
[   24.692920]  ret_from_fork+0x116/0x1d0
[   24.692942]  ? __pfx_kthread+0x10/0x10
[   24.693201]  ret_from_fork_asm+0x1a/0x30
[   24.693236]  </TASK>
[   24.693251] 
[   24.712883] The buggy address belongs to the physical page:
[   24.713084] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060dc
[   24.713339] flags: 0x200000000000000(node=0|zone=2)
[   24.713852] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   24.714766] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   24.715836] page dumped because: kasan: bad access detected
[   24.716545] 
[   24.716850] Memory state around the buggy address:
[   24.717428]  ffff8881060dbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.718252]  ffff8881060dbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.719073] >ffff8881060dc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.719302]                    ^
[   24.719438]  ffff8881060dc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.720439]  ffff8881060dc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.721399] ==================================================================
[   24.615993] ==================================================================
[   24.616401] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   24.617153] Read of size 1 at addr ffff888106154000 by task kunit_try_catch/277
[   24.617946] 
[   24.618175] CPU: 1 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   24.618233] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.618247] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.618271] Call Trace:
[   24.618286]  <TASK>
[   24.618318]  dump_stack_lvl+0x73/0xb0
[   24.618355]  print_report+0xd1/0x650
[   24.618380]  ? __virt_addr_valid+0x1db/0x2d0
[   24.618405]  ? mempool_uaf_helper+0x392/0x400
[   24.618427]  ? kasan_addr_to_slab+0x11/0xa0
[   24.618447]  ? mempool_uaf_helper+0x392/0x400
[   24.618469]  kasan_report+0x141/0x180
[   24.618497]  ? mempool_uaf_helper+0x392/0x400
[   24.618524]  __asan_report_load1_noabort+0x18/0x20
[   24.618577]  mempool_uaf_helper+0x392/0x400
[   24.618600]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   24.618635]  ? __kasan_check_write+0x18/0x20
[   24.618658]  ? __pfx_sched_clock_cpu+0x10/0x10
[   24.618683]  ? finish_task_switch.isra.0+0x153/0x700
[   24.618725]  mempool_kmalloc_large_uaf+0xef/0x140
[   24.618748]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   24.618773]  ? __pfx_mempool_kmalloc+0x10/0x10
[   24.618798]  ? __pfx_mempool_kfree+0x10/0x10
[   24.618823]  ? __pfx_read_tsc+0x10/0x10
[   24.618847]  ? ktime_get_ts64+0x86/0x230
[   24.618873]  kunit_try_run_case+0x1a5/0x480
[   24.618903]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.618926]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.618949]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.618971]  ? __kthread_parkme+0x82/0x180
[   24.618992]  ? preempt_count_sub+0x50/0x80
[   24.619014]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.619039]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.619064]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.619088]  kthread+0x337/0x6f0
[   24.619107]  ? trace_preempt_on+0x20/0xc0
[   24.619132]  ? __pfx_kthread+0x10/0x10
[   24.619153]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.619178]  ? calculate_sigpending+0x7b/0xa0
[   24.619203]  ? __pfx_kthread+0x10/0x10
[   24.619224]  ret_from_fork+0x116/0x1d0
[   24.619243]  ? __pfx_kthread+0x10/0x10
[   24.619263]  ret_from_fork_asm+0x1a/0x30
[   24.619296]  </TASK>
[   24.619318] 
[   24.632197] The buggy address belongs to the physical page:
[   24.632453] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106154
[   24.633215] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.633772] flags: 0x200000000000040(head|node=0|zone=2)
[   24.634027] page_type: f8(unknown)
[   24.634197] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   24.634798] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   24.635258] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   24.636468] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   24.637257] head: 0200000000000002 ffffea0004185501 00000000ffffffff 00000000ffffffff
[   24.637894] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   24.638420] page dumped because: kasan: bad access detected
[   24.639104] 
[   24.639199] Memory state around the buggy address:
[   24.639563]  ffff888106153f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.640159]  ffff888106153f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.640494] >ffff888106154000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.641000]                    ^
[   24.641410]  ffff888106154080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.641962]  ffff888106154100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.642522] ==================================================================