Date
July 3, 2025, 10:10 a.m.
| Environment | |
|---|---|
| dragonboard-845c | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 49.594072] ================================================================== [ 49.606005] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 49.613251] Read of size 1 at addr ffff000097e1a240 by task kunit_try_catch/340 [ 49.620660] [ 49.622201] CPU: 3 UID: 0 PID: 340 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 49.622238] Tainted: [B]=BAD_PAGE, [N]=TEST [ 49.622247] Hardware name: Thundercomm Dragonboard 845c (DT) [ 49.622263] Call trace: [ 49.622273] show_stack+0x20/0x38 (C) [ 49.622295] dump_stack_lvl+0x8c/0xd0 [ 49.622318] print_report+0x118/0x608 [ 49.622341] kasan_report+0xdc/0x128 [ 49.622361] __asan_report_load1_noabort+0x20/0x30 [ 49.622381] mempool_uaf_helper+0x314/0x340 [ 49.622399] mempool_slab_uaf+0xc0/0x118 [ 49.622420] kunit_try_run_case+0x170/0x3f0 [ 49.622443] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.622468] kthread+0x328/0x630 [ 49.622486] ret_from_fork+0x10/0x20 [ 49.622509] [ 49.692208] Allocated by task 340: [ 49.695673] kasan_save_stack+0x3c/0x68 [ 49.699583] kasan_save_track+0x20/0x40 [ 49.703492] kasan_save_alloc_info+0x40/0x58 [ 49.707838] __kasan_mempool_unpoison_object+0xbc/0x180 [ 49.713150] remove_element+0x16c/0x1f8 [ 49.717059] mempool_alloc_preallocated+0x58/0xc0 [ 49.721842] mempool_uaf_helper+0xa4/0x340 [ 49.726008] mempool_slab_uaf+0xc0/0x118 [ 49.730004] kunit_try_run_case+0x170/0x3f0 [ 49.734256] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.739833] kthread+0x328/0x630 [ 49.743127] ret_from_fork+0x10/0x20 [ 49.746766] [ 49.748301] Freed by task 340: [ 49.751408] kasan_save_stack+0x3c/0x68 [ 49.755318] kasan_save_track+0x20/0x40 [ 49.759228] kasan_save_free_info+0x4c/0x78 [ 49.763478] __kasan_mempool_poison_object+0xc0/0x150 [ 49.768615] mempool_free+0x28c/0x328 [ 49.772349] mempool_uaf_helper+0x104/0x340 [ 49.776602] mempool_slab_uaf+0xc0/0x118 [ 49.780595] kunit_try_run_case+0x170/0x3f0 [ 49.784849] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.790422] kthread+0x328/0x630 [ 49.793713] ret_from_fork+0x10/0x20 [ 49.797360] [ 49.798891] The buggy address belongs to the object at ffff000097e1a240 [ 49.798891] which belongs to the cache test_cache of size 123 [ 49.811463] The buggy address is located 0 bytes inside of [ 49.811463] freed 123-byte region [ffff000097e1a240, ffff000097e1a2bb) [ 49.823689] [ 49.825218] The buggy address belongs to the physical page: [ 49.830869] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117e1a [ 49.838979] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 49.845601] page_type: f5(slab) [ 49.848811] raw: 0bfffe0000000000 ffff000082242280 dead000000000122 0000000000000000 [ 49.856665] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 49.864514] page dumped because: kasan: bad access detected [ 49.870163] [ 49.871701] Memory state around the buggy address: [ 49.876559] ffff000097e1a100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 49.883883] ffff000097e1a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.891208] >ffff000097e1a200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 49.898528] ^ [ 49.903915] ffff000097e1a280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 49.911239] ffff000097e1a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.918561] ================================================================== [ 48.978434] ================================================================== [ 48.990143] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 48.997399] Read of size 1 at addr ffff000082240500 by task kunit_try_catch/336 [ 49.004810] [ 49.006354] CPU: 3 UID: 0 PID: 336 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 49.006392] Tainted: [B]=BAD_PAGE, [N]=TEST [ 49.006401] Hardware name: Thundercomm Dragonboard 845c (DT) [ 49.006418] Call trace: [ 49.006427] show_stack+0x20/0x38 (C) [ 49.006451] dump_stack_lvl+0x8c/0xd0 [ 49.006476] print_report+0x118/0x608 [ 49.006499] kasan_report+0xdc/0x128 [ 49.006517] __asan_report_load1_noabort+0x20/0x30 [ 49.006538] mempool_uaf_helper+0x314/0x340 [ 49.006555] mempool_kmalloc_uaf+0xc4/0x120 [ 49.006573] kunit_try_run_case+0x170/0x3f0 [ 49.006597] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.006621] kthread+0x328/0x630 [ 49.006640] ret_from_fork+0x10/0x20 [ 49.006662] [ 49.076614] Allocated by task 336: [ 49.080075] kasan_save_stack+0x3c/0x68 [ 49.083988] kasan_save_track+0x20/0x40 [ 49.087897] kasan_save_alloc_info+0x40/0x58 [ 49.092233] __kasan_mempool_unpoison_object+0x11c/0x180 [ 49.097635] remove_element+0x130/0x1f8 [ 49.101545] mempool_alloc_preallocated+0x58/0xc0 [ 49.106327] mempool_uaf_helper+0xa4/0x340 [ 49.110493] mempool_kmalloc_uaf+0xc4/0x120 [ 49.114747] kunit_try_run_case+0x170/0x3f0 [ 49.118998] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.124576] kthread+0x328/0x630 [ 49.127867] ret_from_fork+0x10/0x20 [ 49.131507] [ 49.133043] Freed by task 336: [ 49.136154] kasan_save_stack+0x3c/0x68 [ 49.140065] kasan_save_track+0x20/0x40 [ 49.143973] kasan_save_free_info+0x4c/0x78 [ 49.148223] __kasan_mempool_poison_object+0xc0/0x150 [ 49.153354] mempool_free+0x28c/0x328 [ 49.157087] mempool_uaf_helper+0x104/0x340 [ 49.161339] mempool_kmalloc_uaf+0xc4/0x120 [ 49.165592] kunit_try_run_case+0x170/0x3f0 [ 49.169846] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.175419] kthread+0x328/0x630 [ 49.178712] ret_from_fork+0x10/0x20 [ 49.182349] [ 49.183885] The buggy address belongs to the object at ffff000082240500 [ 49.183885] which belongs to the cache kmalloc-128 of size 128 [ 49.196549] The buggy address is located 0 bytes inside of [ 49.196549] freed 128-byte region [ffff000082240500, ffff000082240580) [ 49.208781] [ 49.210316] The buggy address belongs to the physical page: [ 49.215971] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102240 [ 49.224083] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 49.231839] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 49.238904] page_type: f5(slab) [ 49.242114] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000 [ 49.249958] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 49.257803] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000 [ 49.265743] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 49.273684] head: 0bfffe0000000001 fffffdffc2089001 00000000ffffffff 00000000ffffffff [ 49.281623] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 49.289559] page dumped because: kasan: bad access detected [ 49.295207] [ 49.296742] Memory state around the buggy address: [ 49.301607] ffff000082240400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.308928] ffff000082240480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.316251] >ffff000082240500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.323566] ^ [ 49.326855] ffff000082240580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.334175] ffff000082240600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.341497] ==================================================================
[ 33.083234] ================================================================== [ 33.083321] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 33.083544] Read of size 1 at addr fff00000c5a85240 by task kunit_try_catch/263 [ 33.083595] [ 33.083638] CPU: 0 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 33.083785] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.083812] Hardware name: linux,dummy-virt (DT) [ 33.083858] Call trace: [ 33.083882] show_stack+0x20/0x38 (C) [ 33.083932] dump_stack_lvl+0x8c/0xd0 [ 33.084009] print_report+0x118/0x608 [ 33.084058] kasan_report+0xdc/0x128 [ 33.084104] __asan_report_load1_noabort+0x20/0x30 [ 33.084210] mempool_uaf_helper+0x314/0x340 [ 33.084259] mempool_slab_uaf+0xc0/0x118 [ 33.084429] kunit_try_run_case+0x170/0x3f0 [ 33.084486] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.084542] kthread+0x328/0x630 [ 33.084584] ret_from_fork+0x10/0x20 [ 33.084637] [ 33.084657] Allocated by task 263: [ 33.084709] kasan_save_stack+0x3c/0x68 [ 33.084865] kasan_save_track+0x20/0x40 [ 33.084908] kasan_save_alloc_info+0x40/0x58 [ 33.084949] __kasan_mempool_unpoison_object+0xbc/0x180 [ 33.084996] remove_element+0x16c/0x1f8 [ 33.085038] mempool_alloc_preallocated+0x58/0xc0 [ 33.085080] mempool_uaf_helper+0xa4/0x340 [ 33.085119] mempool_slab_uaf+0xc0/0x118 [ 33.085156] kunit_try_run_case+0x170/0x3f0 [ 33.085197] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.085244] kthread+0x328/0x630 [ 33.085278] ret_from_fork+0x10/0x20 [ 33.085316] [ 33.085334] Freed by task 263: [ 33.085406] kasan_save_stack+0x3c/0x68 [ 33.085581] kasan_save_track+0x20/0x40 [ 33.085766] kasan_save_free_info+0x4c/0x78 [ 33.085848] __kasan_mempool_poison_object+0xc0/0x150 [ 33.085974] mempool_free+0x28c/0x328 [ 33.086051] mempool_uaf_helper+0x104/0x340 [ 33.086167] mempool_slab_uaf+0xc0/0x118 [ 33.086254] kunit_try_run_case+0x170/0x3f0 [ 33.086301] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.086482] kthread+0x328/0x630 [ 33.086556] ret_from_fork+0x10/0x20 [ 33.086673] [ 33.086693] The buggy address belongs to the object at fff00000c5a85240 [ 33.086693] which belongs to the cache test_cache of size 123 [ 33.086752] The buggy address is located 0 bytes inside of [ 33.086752] freed 123-byte region [fff00000c5a85240, fff00000c5a852bb) [ 33.086851] [ 33.086871] The buggy address belongs to the physical page: [ 33.086904] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a85 [ 33.086980] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.087056] page_type: f5(slab) [ 33.087124] raw: 0bfffe0000000000 fff00000c9251000 dead000000000122 0000000000000000 [ 33.087177] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 33.087218] page dumped because: kasan: bad access detected [ 33.087249] [ 33.087267] Memory state around the buggy address: [ 33.087299] fff00000c5a85100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 33.087342] fff00000c5a85180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.087385] >fff00000c5a85200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 33.087423] ^ [ 33.087457] fff00000c5a85280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 33.087499] fff00000c5a85300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.087582] ================================================================== [ 33.049486] ================================================================== [ 33.049567] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 33.049636] Read of size 1 at addr fff00000c9ae3800 by task kunit_try_catch/259 [ 33.049689] [ 33.049727] CPU: 0 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 33.049822] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.049866] Hardware name: linux,dummy-virt (DT) [ 33.049902] Call trace: [ 33.049926] show_stack+0x20/0x38 (C) [ 33.049986] dump_stack_lvl+0x8c/0xd0 [ 33.050038] print_report+0x118/0x608 [ 33.050086] kasan_report+0xdc/0x128 [ 33.050133] __asan_report_load1_noabort+0x20/0x30 [ 33.050183] mempool_uaf_helper+0x314/0x340 [ 33.050230] mempool_kmalloc_uaf+0xc4/0x120 [ 33.050278] kunit_try_run_case+0x170/0x3f0 [ 33.050329] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.050385] kthread+0x328/0x630 [ 33.050426] ret_from_fork+0x10/0x20 [ 33.050476] [ 33.050496] Allocated by task 259: [ 33.050523] kasan_save_stack+0x3c/0x68 [ 33.050566] kasan_save_track+0x20/0x40 [ 33.050604] kasan_save_alloc_info+0x40/0x58 [ 33.050645] __kasan_mempool_unpoison_object+0x11c/0x180 [ 33.050692] remove_element+0x130/0x1f8 [ 33.050730] mempool_alloc_preallocated+0x58/0xc0 [ 33.050771] mempool_uaf_helper+0xa4/0x340 [ 33.050809] mempool_kmalloc_uaf+0xc4/0x120 [ 33.050859] kunit_try_run_case+0x170/0x3f0 [ 33.050899] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.050947] kthread+0x328/0x630 [ 33.050980] ret_from_fork+0x10/0x20 [ 33.051016] [ 33.051036] Freed by task 259: [ 33.051062] kasan_save_stack+0x3c/0x68 [ 33.051101] kasan_save_track+0x20/0x40 [ 33.051141] kasan_save_free_info+0x4c/0x78 [ 33.051178] __kasan_mempool_poison_object+0xc0/0x150 [ 33.051224] mempool_free+0x28c/0x328 [ 33.051258] mempool_uaf_helper+0x104/0x340 [ 33.051298] mempool_kmalloc_uaf+0xc4/0x120 [ 33.051337] kunit_try_run_case+0x170/0x3f0 [ 33.051375] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.051422] kthread+0x328/0x630 [ 33.051455] ret_from_fork+0x10/0x20 [ 33.051493] [ 33.051512] The buggy address belongs to the object at fff00000c9ae3800 [ 33.051512] which belongs to the cache kmalloc-128 of size 128 [ 33.051572] The buggy address is located 0 bytes inside of [ 33.051572] freed 128-byte region [fff00000c9ae3800, fff00000c9ae3880) [ 33.051633] [ 33.051654] The buggy address belongs to the physical page: [ 33.051687] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ae3 [ 33.051741] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.051792] page_type: f5(slab) [ 33.051845] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 33.051897] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 33.051938] page dumped because: kasan: bad access detected [ 33.051969] [ 33.051987] Memory state around the buggy address: [ 33.052020] fff00000c9ae3700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.052063] fff00000c9ae3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.052106] >fff00000c9ae3800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.052146] ^ [ 33.052174] fff00000c9ae3880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.052216] fff00000c9ae3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.052256] ==================================================================
[ 24.676834] ================================================================== [ 24.677220] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 24.677468] Read of size 1 at addr ffff888105ab1600 by task kunit_try_catch/276 [ 24.677689] [ 24.678234] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) [ 24.678309] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.678324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.678347] Call Trace: [ 24.678360] <TASK> [ 24.678378] dump_stack_lvl+0x73/0xb0 [ 24.678698] print_report+0xd1/0x650 [ 24.678724] ? __virt_addr_valid+0x1db/0x2d0 [ 24.678750] ? mempool_uaf_helper+0x392/0x400 [ 24.678772] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.678798] ? mempool_uaf_helper+0x392/0x400 [ 24.678820] kasan_report+0x141/0x180 [ 24.678842] ? mempool_uaf_helper+0x392/0x400 [ 24.678869] __asan_report_load1_noabort+0x18/0x20 [ 24.678893] mempool_uaf_helper+0x392/0x400 [ 24.678915] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 24.678938] ? __kasan_check_write+0x18/0x20 [ 24.678961] ? __pfx_sched_clock_cpu+0x10/0x10 [ 24.678984] ? finish_task_switch.isra.0+0x153/0x700 [ 24.679010] mempool_kmalloc_uaf+0xef/0x140 [ 24.679032] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 24.679057] ? __pfx_mempool_kmalloc+0x10/0x10 [ 24.679081] ? __pfx_mempool_kfree+0x10/0x10 [ 24.679105] ? __pfx_read_tsc+0x10/0x10 [ 24.679127] ? ktime_get_ts64+0x86/0x230 [ 24.679151] kunit_try_run_case+0x1a5/0x480 [ 24.679178] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.679202] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.679224] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.679251] ? __kthread_parkme+0x82/0x180 [ 24.679272] ? preempt_count_sub+0x50/0x80 [ 24.679296] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.679321] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.679345] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.679369] kthread+0x337/0x6f0 [ 24.679389] ? trace_preempt_on+0x20/0xc0 [ 24.679413] ? __pfx_kthread+0x10/0x10 [ 24.679434] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.679470] ? calculate_sigpending+0x7b/0xa0 [ 24.679496] ? __pfx_kthread+0x10/0x10 [ 24.679518] ret_from_fork+0x116/0x1d0 [ 24.679539] ? __pfx_kthread+0x10/0x10 [ 24.679559] ret_from_fork_asm+0x1a/0x30 [ 24.679592] </TASK> [ 24.679603] [ 24.689040] Allocated by task 276: [ 24.689318] kasan_save_stack+0x45/0x70 [ 24.689533] kasan_save_track+0x18/0x40 [ 24.689768] kasan_save_alloc_info+0x3b/0x50 [ 24.689983] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 24.690226] remove_element+0x11e/0x190 [ 24.690437] mempool_alloc_preallocated+0x4d/0x90 [ 24.690775] mempool_uaf_helper+0x96/0x400 [ 24.691205] mempool_kmalloc_uaf+0xef/0x140 [ 24.691406] kunit_try_run_case+0x1a5/0x480 [ 24.691561] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.691739] kthread+0x337/0x6f0 [ 24.691901] ret_from_fork+0x116/0x1d0 [ 24.692083] ret_from_fork_asm+0x1a/0x30 [ 24.692493] [ 24.692723] Freed by task 276: [ 24.692882] kasan_save_stack+0x45/0x70 [ 24.693225] kasan_save_track+0x18/0x40 [ 24.693509] kasan_save_free_info+0x3f/0x60 [ 24.693712] __kasan_mempool_poison_object+0x131/0x1d0 [ 24.693984] mempool_free+0x2ec/0x380 [ 24.694115] mempool_uaf_helper+0x11a/0x400 [ 24.694252] mempool_kmalloc_uaf+0xef/0x140 [ 24.694452] kunit_try_run_case+0x1a5/0x480 [ 24.694967] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.695291] kthread+0x337/0x6f0 [ 24.695518] ret_from_fork+0x116/0x1d0 [ 24.695660] ret_from_fork_asm+0x1a/0x30 [ 24.695841] [ 24.695931] The buggy address belongs to the object at ffff888105ab1600 [ 24.695931] which belongs to the cache kmalloc-128 of size 128 [ 24.697164] The buggy address is located 0 bytes inside of [ 24.697164] freed 128-byte region [ffff888105ab1600, ffff888105ab1680) [ 24.697849] [ 24.697973] The buggy address belongs to the physical page: [ 24.698412] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ab1 [ 24.698891] flags: 0x200000000000000(node=0|zone=2) [ 24.699122] page_type: f5(slab) [ 24.699345] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.699650] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.699972] page dumped because: kasan: bad access detected [ 24.700293] [ 24.700392] Memory state around the buggy address: [ 24.700556] ffff888105ab1500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.700870] ffff888105ab1580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.701099] >ffff888105ab1600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.701476] ^ [ 24.701700] ffff888105ab1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.702047] ffff888105ab1700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.702586] ================================================================== [ 24.735230] ================================================================== [ 24.735714] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 24.735980] Read of size 1 at addr ffff888106194240 by task kunit_try_catch/280 [ 24.736512] [ 24.736616] CPU: 0 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) [ 24.736667] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.736680] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.736703] Call Trace: [ 24.736715] <TASK> [ 24.736732] dump_stack_lvl+0x73/0xb0 [ 24.736764] print_report+0xd1/0x650 [ 24.736788] ? __virt_addr_valid+0x1db/0x2d0 [ 24.736812] ? mempool_uaf_helper+0x392/0x400 [ 24.736834] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.736860] ? mempool_uaf_helper+0x392/0x400 [ 24.736882] kasan_report+0x141/0x180 [ 24.736905] ? mempool_uaf_helper+0x392/0x400 [ 24.736931] __asan_report_load1_noabort+0x18/0x20 [ 24.736955] mempool_uaf_helper+0x392/0x400 [ 24.736978] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 24.737000] ? update_load_avg+0x1be/0x21b0 [ 24.737025] ? irqentry_exit+0x2a/0x60 [ 24.737048] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 24.737074] mempool_slab_uaf+0xea/0x140 [ 24.737097] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 24.737123] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 24.737147] ? __pfx_mempool_free_slab+0x10/0x10 [ 24.737174] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 24.737199] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 24.737223] kunit_try_run_case+0x1a5/0x480 [ 24.737249] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.737273] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.737298] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.737325] ? __kthread_parkme+0x82/0x180 [ 24.737347] ? preempt_count_sub+0x50/0x80 [ 24.737373] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.737399] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.737424] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.737449] kthread+0x337/0x6f0 [ 24.737479] ? trace_preempt_on+0x20/0xc0 [ 24.737503] ? __pfx_kthread+0x10/0x10 [ 24.737524] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.737569] ? calculate_sigpending+0x7b/0xa0 [ 24.737604] ? __pfx_kthread+0x10/0x10 [ 24.737626] ret_from_fork+0x116/0x1d0 [ 24.737646] ? __pfx_kthread+0x10/0x10 [ 24.737667] ret_from_fork_asm+0x1a/0x30 [ 24.737699] </TASK> [ 24.737710] [ 24.745820] Allocated by task 280: [ 24.745980] kasan_save_stack+0x45/0x70 [ 24.746142] kasan_save_track+0x18/0x40 [ 24.746500] kasan_save_alloc_info+0x3b/0x50 [ 24.746711] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 24.746880] remove_element+0x11e/0x190 [ 24.747012] mempool_alloc_preallocated+0x4d/0x90 [ 24.747249] mempool_uaf_helper+0x96/0x400 [ 24.747480] mempool_slab_uaf+0xea/0x140 [ 24.747684] kunit_try_run_case+0x1a5/0x480 [ 24.747848] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.748016] kthread+0x337/0x6f0 [ 24.748177] ret_from_fork+0x116/0x1d0 [ 24.748357] ret_from_fork_asm+0x1a/0x30 [ 24.748563] [ 24.748655] Freed by task 280: [ 24.748807] kasan_save_stack+0x45/0x70 [ 24.748956] kasan_save_track+0x18/0x40 [ 24.749083] kasan_save_free_info+0x3f/0x60 [ 24.749223] __kasan_mempool_poison_object+0x131/0x1d0 [ 24.749387] mempool_free+0x2ec/0x380 [ 24.749624] mempool_uaf_helper+0x11a/0x400 [ 24.749923] mempool_slab_uaf+0xea/0x140 [ 24.750114] kunit_try_run_case+0x1a5/0x480 [ 24.750309] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.750485] kthread+0x337/0x6f0 [ 24.750597] ret_from_fork+0x116/0x1d0 [ 24.750721] ret_from_fork_asm+0x1a/0x30 [ 24.750852] [ 24.750916] The buggy address belongs to the object at ffff888106194240 [ 24.750916] which belongs to the cache test_cache of size 123 [ 24.751846] The buggy address is located 0 bytes inside of [ 24.751846] freed 123-byte region [ffff888106194240, ffff8881061942bb) [ 24.752376] [ 24.752485] The buggy address belongs to the physical page: [ 24.752741] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106194 [ 24.753097] flags: 0x200000000000000(node=0|zone=2) [ 24.753327] page_type: f5(slab) [ 24.753443] raw: 0200000000000000 ffff888105acb000 dead000000000122 0000000000000000 [ 24.753781] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 24.754119] page dumped because: kasan: bad access detected [ 24.754360] [ 24.754424] Memory state around the buggy address: [ 24.754584] ffff888106194100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.754795] ffff888106194180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.755103] >ffff888106194200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 24.755969] ^ [ 24.756227] ffff888106194280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.756570] ffff888106194300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.756828] ==================================================================