Date
July 11, 2025, 10:11 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
[ 53.645850] ==================================================================
[ 53.646037] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 53.652808] Read of size 1 at addr ffff000803b8aa00 by task kunit_try_catch/311
[ 53.660097]
[ 53.661584] CPU: 5 UID: 0 PID: 311 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 53.661640] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 53.661657] Hardware name: WinLink E850-96 board (DT)
[ 53.661680] Call trace:
[ 53.661694] show_stack+0x20/0x38 (C)
[ 53.661731] dump_stack_lvl+0x8c/0xd0
[ 53.661763] print_report+0x118/0x5d0
[ 53.661793] kasan_report+0xdc/0x128
[ 53.661821] __asan_report_load1_noabort+0x20/0x30
[ 53.661852] mempool_uaf_helper+0x314/0x340
[ 53.661885] mempool_kmalloc_uaf+0xc4/0x120
[ 53.661916] kunit_try_run_case+0x170/0x3f0
[ 53.661958] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 53.661990] kthread+0x328/0x630
[ 53.662020] ret_from_fork+0x10/0x20
[ 53.662054]
[ 53.729802] Allocated by task 311:
[ 53.733190] kasan_save_stack+0x3c/0x68
[ 53.737006] kasan_save_track+0x20/0x40
[ 53.740826] kasan_save_alloc_info+0x40/0x58
[ 53.745079] __kasan_mempool_unpoison_object+0x11c/0x180
[ 53.750373] remove_element+0x130/0x1f8
[ 53.754193] mempool_alloc_preallocated+0x58/0xc0
[ 53.758880] mempool_uaf_helper+0xa4/0x340
[ 53.762960] mempool_kmalloc_uaf+0xc4/0x120
[ 53.767127] kunit_try_run_case+0x170/0x3f0
[ 53.771293] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 53.776763] kthread+0x328/0x630
[ 53.779973] ret_from_fork+0x10/0x20
[ 53.783532]
[ 53.785010] Freed by task 311:
[ 53.788046] kasan_save_stack+0x3c/0x68
[ 53.791866] kasan_save_track+0x20/0x40
[ 53.795687] kasan_save_free_info+0x4c/0x78
[ 53.799852] __kasan_mempool_poison_object+0xc0/0x150
[ 53.804886] mempool_free+0x28c/0x328
[ 53.808532] mempool_uaf_helper+0x104/0x340
[ 53.812699] mempool_kmalloc_uaf+0xc4/0x120
[ 53.816865] kunit_try_run_case+0x170/0x3f0
[ 53.821032] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 53.826500] kthread+0x328/0x630
[ 53.829712] ret_from_fork+0x10/0x20
[ 53.833272]
[ 53.834750] The buggy address belongs to the object at ffff000803b8aa00
[ 53.834750] which belongs to the cache kmalloc-128 of size 128
[ 53.847249] The buggy address is located 0 bytes inside of
[ 53.847249] freed 128-byte region [ffff000803b8aa00, ffff000803b8aa80)
[ 53.859312]
[ 53.860791] The buggy address belongs to the physical page:
[ 53.866348] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883b8a
[ 53.874332] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 53.881971] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 53.888915] page_type: f5(slab)
[ 53.892050] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 53.899770] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 53.907496] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 53.915308] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 53.923121] head: 0bfffe0000000001 fffffdffe00ee281 00000000ffffffff 00000000ffffffff
[ 53.930933] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 53.938738] page dumped because: kasan: bad access detected
[ 53.944294]
[ 53.945769] Memory state around the buggy address:
[ 53.950549] ffff000803b8a900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.957752] ffff000803b8a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.964960] >ffff000803b8aa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.972158] ^
[ 53.975374] ffff000803b8aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.982579] ffff000803b8ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.989779] ==================================================================
[ 54.231369] ==================================================================
[ 54.240563] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 54.247678] Read of size 1 at addr ffff000801da7240 by task kunit_try_catch/315
[ 54.254966]
[ 54.256455] CPU: 4 UID: 0 PID: 315 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 54.256513] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 54.256532] Hardware name: WinLink E850-96 board (DT)
[ 54.256554] Call trace:
[ 54.256570] show_stack+0x20/0x38 (C)
[ 54.256607] dump_stack_lvl+0x8c/0xd0
[ 54.256639] print_report+0x118/0x5d0
[ 54.256669] kasan_report+0xdc/0x128
[ 54.256698] __asan_report_load1_noabort+0x20/0x30
[ 54.256732] mempool_uaf_helper+0x314/0x340
[ 54.256766] mempool_slab_uaf+0xc0/0x118
[ 54.256799] kunit_try_run_case+0x170/0x3f0
[ 54.256841] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 54.256875] kthread+0x328/0x630
[ 54.256904] ret_from_fork+0x10/0x20
[ 54.256940]
[ 54.324410] Allocated by task 315:
[ 54.327799] kasan_save_stack+0x3c/0x68
[ 54.331615] kasan_save_track+0x20/0x40
[ 54.335434] kasan_save_alloc_info+0x40/0x58
[ 54.339688] __kasan_mempool_unpoison_object+0xbc/0x180
[ 54.344895] remove_element+0x16c/0x1f8
[ 54.348715] mempool_alloc_preallocated+0x58/0xc0
[ 54.353402] mempool_uaf_helper+0xa4/0x340
[ 54.357482] mempool_slab_uaf+0xc0/0x118
[ 54.361390] kunit_try_run_case+0x170/0x3f0
[ 54.365555] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 54.371024] kthread+0x328/0x630
[ 54.374235] ret_from_fork+0x10/0x20
[ 54.377795]
[ 54.379271] Freed by task 315:
[ 54.382310] kasan_save_stack+0x3c/0x68
[ 54.386127] kasan_save_track+0x20/0x40
[ 54.389947] kasan_save_free_info+0x4c/0x78
[ 54.394113] __kasan_mempool_poison_object+0xc0/0x150
[ 54.399148] mempool_free+0x28c/0x328
[ 54.402794] mempool_uaf_helper+0x104/0x340
[ 54.406960] mempool_slab_uaf+0xc0/0x118
[ 54.410867] kunit_try_run_case+0x170/0x3f0
[ 54.415035] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 54.420502] kthread+0x328/0x630
[ 54.423714] ret_from_fork+0x10/0x20
[ 54.427273]
[ 54.428750] The buggy address belongs to the object at ffff000801da7240
[ 54.428750] which belongs to the cache test_cache of size 123
[ 54.441164] The buggy address is located 0 bytes inside of
[ 54.441164] freed 123-byte region [ffff000801da7240, ffff000801da72bb)
[ 54.453227]
[ 54.454706] The buggy address belongs to the physical page:
[ 54.460262] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881da7
[ 54.468247] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 54.474756] page_type: f5(slab)
[ 54.477893] raw: 0bfffe0000000000 ffff000801b70500 dead000000000122 0000000000000000
[ 54.485612] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 54.493332] page dumped because: kasan: bad access detected
[ 54.498886]
[ 54.500362] Memory state around the buggy address:
[ 54.505143] ffff000801da7100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 54.512345] ffff000801da7180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.519554] >ffff000801da7200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 54.526750] ^
[ 54.532049] ffff000801da7280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 54.539254] ffff000801da7300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.546455] ==================================================================
[ 32.452574] ==================================================================
[ 32.452670] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.452756] Read of size 1 at addr fff00000c9ace240 by task kunit_try_catch/262
[ 32.452808]
[ 32.452845] CPU: 0 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 32.452949] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.452975] Hardware name: linux,dummy-virt (DT)
[ 32.453027] Call trace:
[ 32.453086] show_stack+0x20/0x38 (C)
[ 32.453334] dump_stack_lvl+0x8c/0xd0
[ 32.453403] print_report+0x118/0x5d0
[ 32.453543] kasan_report+0xdc/0x128
[ 32.453639] __asan_report_load1_noabort+0x20/0x30
[ 32.453689] mempool_uaf_helper+0x314/0x340
[ 32.453737] mempool_slab_uaf+0xc0/0x118
[ 32.453879] kunit_try_run_case+0x170/0x3f0
[ 32.453931] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.454130] kthread+0x328/0x630
[ 32.454218] ret_from_fork+0x10/0x20
[ 32.454299]
[ 32.454337] Allocated by task 262:
[ 32.454367] kasan_save_stack+0x3c/0x68
[ 32.454410] kasan_save_track+0x20/0x40
[ 32.454459] kasan_save_alloc_info+0x40/0x58
[ 32.454498] __kasan_mempool_unpoison_object+0xbc/0x180
[ 32.454543] remove_element+0x16c/0x1f8
[ 32.454583] mempool_alloc_preallocated+0x58/0xc0
[ 32.454624] mempool_uaf_helper+0xa4/0x340
[ 32.454661] mempool_slab_uaf+0xc0/0x118
[ 32.454700] kunit_try_run_case+0x170/0x3f0
[ 32.454739] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.454780] kthread+0x328/0x630
[ 32.454812] ret_from_fork+0x10/0x20
[ 32.454850]
[ 32.454869] Freed by task 262:
[ 32.454917] kasan_save_stack+0x3c/0x68
[ 32.454967] kasan_save_track+0x20/0x40
[ 32.455011] kasan_save_free_info+0x4c/0x78
[ 32.455058] __kasan_mempool_poison_object+0xc0/0x150
[ 32.455111] mempool_free+0x28c/0x328
[ 32.455154] mempool_uaf_helper+0x104/0x340
[ 32.455200] mempool_slab_uaf+0xc0/0x118
[ 32.455237] kunit_try_run_case+0x170/0x3f0
[ 32.455286] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.455338] kthread+0x328/0x630
[ 32.455372] ret_from_fork+0x10/0x20
[ 32.455406]
[ 32.455426] The buggy address belongs to the object at fff00000c9ace240
[ 32.455426] which belongs to the cache test_cache of size 123
[ 32.455486] The buggy address is located 0 bytes inside of
[ 32.455486] freed 123-byte region [fff00000c9ace240, fff00000c9ace2bb)
[ 32.455798]
[ 32.455919] The buggy address belongs to the physical page:
[ 32.455955] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ace
[ 32.456158] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.456245] page_type: f5(slab)
[ 32.456297] raw: 0bfffe0000000000 fff00000c5d1fa00 dead000000000122 0000000000000000
[ 32.456378] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 32.456422] page dumped because: kasan: bad access detected
[ 32.456665]
[ 32.456719] Memory state around the buggy address:
[ 32.456824] fff00000c9ace100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.456939] fff00000c9ace180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.457012] >fff00000c9ace200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 32.457068] ^
[ 32.457125] fff00000c9ace280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.457188] fff00000c9ace300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.457225] ==================================================================
[ 32.429262] ==================================================================
[ 32.429369] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.429465] Read of size 1 at addr fff00000c99f0900 by task kunit_try_catch/258
[ 32.429516]
[ 32.429569] CPU: 0 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 32.429666] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.429692] Hardware name: linux,dummy-virt (DT)
[ 32.429751] Call trace:
[ 32.429777] show_stack+0x20/0x38 (C)
[ 32.429945] dump_stack_lvl+0x8c/0xd0
[ 32.430069] print_report+0x118/0x5d0
[ 32.430157] kasan_report+0xdc/0x128
[ 32.430245] __asan_report_load1_noabort+0x20/0x30
[ 32.430342] mempool_uaf_helper+0x314/0x340
[ 32.430427] mempool_kmalloc_uaf+0xc4/0x120
[ 32.430553] kunit_try_run_case+0x170/0x3f0
[ 32.430620] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.430695] kthread+0x328/0x630
[ 32.430795] ret_from_fork+0x10/0x20
[ 32.430893]
[ 32.430912] Allocated by task 258:
[ 32.430943] kasan_save_stack+0x3c/0x68
[ 32.431275] kasan_save_track+0x20/0x40
[ 32.431372] kasan_save_alloc_info+0x40/0x58
[ 32.431509] __kasan_mempool_unpoison_object+0x11c/0x180
[ 32.431605] remove_element+0x130/0x1f8
[ 32.431733] mempool_alloc_preallocated+0x58/0xc0
[ 32.431833] mempool_uaf_helper+0xa4/0x340
[ 32.431928] mempool_kmalloc_uaf+0xc4/0x120
[ 32.432058] kunit_try_run_case+0x170/0x3f0
[ 32.432109] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.432152] kthread+0x328/0x630
[ 32.432481] ret_from_fork+0x10/0x20
[ 32.432580]
[ 32.432706] Freed by task 258:
[ 32.432757] kasan_save_stack+0x3c/0x68
[ 32.432798] kasan_save_track+0x20/0x40
[ 32.433110] kasan_save_free_info+0x4c/0x78
[ 32.433212] __kasan_mempool_poison_object+0xc0/0x150
[ 32.433349] mempool_free+0x28c/0x328
[ 32.433397] mempool_uaf_helper+0x104/0x340
[ 32.433459] mempool_kmalloc_uaf+0xc4/0x120
[ 32.433566] kunit_try_run_case+0x170/0x3f0
[ 32.433647] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.433742] kthread+0x328/0x630
[ 32.433855] ret_from_fork+0x10/0x20
[ 32.433931]
[ 32.433981] The buggy address belongs to the object at fff00000c99f0900
[ 32.433981] which belongs to the cache kmalloc-128 of size 128
[ 32.434045] The buggy address is located 0 bytes inside of
[ 32.434045] freed 128-byte region [fff00000c99f0900, fff00000c99f0980)
[ 32.434202]
[ 32.434224] The buggy address belongs to the physical page:
[ 32.434258] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099f0
[ 32.434527] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.434614] page_type: f5(slab)
[ 32.434688] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.434821] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.434892] page dumped because: kasan: bad access detected
[ 32.434946]
[ 32.435054] Memory state around the buggy address:
[ 32.435124] fff00000c99f0800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.435207] fff00000c99f0880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.435249] >fff00000c99f0900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.435542] ^
[ 32.435623] fff00000c99f0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.435779] fff00000c99f0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.435849] ==================================================================
[ 25.405095] ==================================================================
[ 25.406192] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 25.406639] Read of size 1 at addr ffff888104cc8240 by task kunit_try_catch/281
[ 25.407210]
[ 25.407530] CPU: 0 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 25.407705] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.407720] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.407766] Call Trace:
[ 25.407782] <TASK>
[ 25.407802] dump_stack_lvl+0x73/0xb0
[ 25.407837] print_report+0xd1/0x610
[ 25.407861] ? __virt_addr_valid+0x1db/0x2d0
[ 25.407885] ? mempool_uaf_helper+0x392/0x400
[ 25.407908] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.407935] ? mempool_uaf_helper+0x392/0x400
[ 25.407957] kasan_report+0x141/0x180
[ 25.407978] ? mempool_uaf_helper+0x392/0x400
[ 25.408004] __asan_report_load1_noabort+0x18/0x20
[ 25.408028] mempool_uaf_helper+0x392/0x400
[ 25.408052] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 25.408076] ? __pfx_sched_clock_cpu+0x10/0x10
[ 25.408099] ? finish_task_switch.isra.0+0x153/0x700
[ 25.408126] mempool_slab_uaf+0xea/0x140
[ 25.408149] ? __pfx_mempool_slab_uaf+0x10/0x10
[ 25.408172] ? __kasan_check_write+0x18/0x20
[ 25.408196] ? __pfx_mempool_alloc_slab+0x10/0x10
[ 25.408222] ? __pfx_mempool_free_slab+0x10/0x10
[ 25.408248] ? __pfx_read_tsc+0x10/0x10
[ 25.408282] ? ktime_get_ts64+0x86/0x230
[ 25.408305] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 25.408340] kunit_try_run_case+0x1a5/0x480
[ 25.408364] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.408386] ? queued_spin_lock_slowpath+0x116/0xb40
[ 25.408589] ? __kthread_parkme+0x82/0x180
[ 25.408621] ? preempt_count_sub+0x50/0x80
[ 25.408645] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.408669] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.408695] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.408720] kthread+0x337/0x6f0
[ 25.408755] ? trace_preempt_on+0x20/0xc0
[ 25.408778] ? __pfx_kthread+0x10/0x10
[ 25.408799] ? _raw_spin_unlock_irq+0x47/0x80
[ 25.408822] ? calculate_sigpending+0x7b/0xa0
[ 25.408846] ? __pfx_kthread+0x10/0x10
[ 25.408869] ret_from_fork+0x116/0x1d0
[ 25.408888] ? __pfx_kthread+0x10/0x10
[ 25.408909] ret_from_fork_asm+0x1a/0x30
[ 25.408940] </TASK>
[ 25.408953]
[ 25.421810] Allocated by task 281:
[ 25.421995] kasan_save_stack+0x45/0x70
[ 25.422178] kasan_save_track+0x18/0x40
[ 25.422353] kasan_save_alloc_info+0x3b/0x50
[ 25.423096] __kasan_mempool_unpoison_object+0x1bb/0x200
[ 25.423683] remove_element+0x11e/0x190
[ 25.423916] mempool_alloc_preallocated+0x4d/0x90
[ 25.424218] mempool_uaf_helper+0x96/0x400
[ 25.424571] mempool_slab_uaf+0xea/0x140
[ 25.424931] kunit_try_run_case+0x1a5/0x480
[ 25.425255] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.425662] kthread+0x337/0x6f0
[ 25.425850] ret_from_fork+0x116/0x1d0
[ 25.426029] ret_from_fork_asm+0x1a/0x30
[ 25.426221]
[ 25.426722] Freed by task 281:
[ 25.426894] kasan_save_stack+0x45/0x70
[ 25.427056] kasan_save_track+0x18/0x40
[ 25.427569] kasan_save_free_info+0x3f/0x60
[ 25.427927] __kasan_mempool_poison_object+0x131/0x1d0
[ 25.428240] mempool_free+0x2ec/0x380
[ 25.428711] mempool_uaf_helper+0x11a/0x400
[ 25.428934] mempool_slab_uaf+0xea/0x140
[ 25.429196] kunit_try_run_case+0x1a5/0x480
[ 25.429555] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.429932] kthread+0x337/0x6f0
[ 25.430102] ret_from_fork+0x116/0x1d0
[ 25.430619] ret_from_fork_asm+0x1a/0x30
[ 25.430843]
[ 25.430915] The buggy address belongs to the object at ffff888104cc8240
[ 25.430915] which belongs to the cache test_cache of size 123
[ 25.431696] The buggy address is located 0 bytes inside of
[ 25.431696] freed 123-byte region [ffff888104cc8240, ffff888104cc82bb)
[ 25.432229]
[ 25.432672] The buggy address belongs to the physical page:
[ 25.432929] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cc8
[ 25.433356] flags: 0x200000000000000(node=0|zone=2)
[ 25.433761] page_type: f5(slab)
[ 25.434048] raw: 0200000000000000 ffff888101b22b40 dead000000000122 0000000000000000
[ 25.434691] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 25.435031] page dumped because: kasan: bad access detected
[ 25.435268]
[ 25.435700] Memory state around the buggy address:
[ 25.435899] ffff888104cc8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.436574] ffff888104cc8180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.436901] >ffff888104cc8200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 25.437451] ^
[ 25.437686] ffff888104cc8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.438100] ffff888104cc8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.438636] ==================================================================
[ 25.330808] ==================================================================
[ 25.332509] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[ 25.333622] Read of size 1 at addr ffff888104cac700 by task kunit_try_catch/277
[ 25.334452]
[ 25.334824] CPU: 0 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 25.334886] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.335164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.335199] Call Trace:
[ 25.335215] <TASK>
[ 25.335237] dump_stack_lvl+0x73/0xb0
[ 25.335290] print_report+0xd1/0x610
[ 25.335316] ? __virt_addr_valid+0x1db/0x2d0
[ 25.335343] ? mempool_uaf_helper+0x392/0x400
[ 25.335366] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.335392] ? mempool_uaf_helper+0x392/0x400
[ 25.335475] kasan_report+0x141/0x180
[ 25.335500] ? mempool_uaf_helper+0x392/0x400
[ 25.335527] __asan_report_load1_noabort+0x18/0x20
[ 25.335550] mempool_uaf_helper+0x392/0x400
[ 25.335573] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 25.335594] ? update_load_avg+0x1be/0x21b0
[ 25.335620] ? dequeue_entities+0x27e/0x1740
[ 25.335646] ? finish_task_switch.isra.0+0x153/0x700
[ 25.335672] mempool_kmalloc_uaf+0xef/0x140
[ 25.335694] ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 25.335717] ? __pfx_mempool_kmalloc+0x10/0x10
[ 25.335755] ? __pfx_mempool_kfree+0x10/0x10
[ 25.335779] ? __pfx_read_tsc+0x10/0x10
[ 25.335802] ? ktime_get_ts64+0x86/0x230
[ 25.335829] kunit_try_run_case+0x1a5/0x480
[ 25.335853] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.335874] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.335900] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.335922] ? __kthread_parkme+0x82/0x180
[ 25.335944] ? preempt_count_sub+0x50/0x80
[ 25.335967] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.335989] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.336016] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.336041] kthread+0x337/0x6f0
[ 25.336062] ? trace_preempt_on+0x20/0xc0
[ 25.336086] ? __pfx_kthread+0x10/0x10
[ 25.336107] ? _raw_spin_unlock_irq+0x47/0x80
[ 25.336129] ? calculate_sigpending+0x7b/0xa0
[ 25.336155] ? __pfx_kthread+0x10/0x10
[ 25.336176] ret_from_fork+0x116/0x1d0
[ 25.336196] ? __pfx_kthread+0x10/0x10
[ 25.336218] ret_from_fork_asm+0x1a/0x30
[ 25.336250] </TASK>
[ 25.336262]
[ 25.349491] Allocated by task 277:
[ 25.349631] kasan_save_stack+0x45/0x70
[ 25.349852] kasan_save_track+0x18/0x40
[ 25.350041] kasan_save_alloc_info+0x3b/0x50
[ 25.350236] __kasan_mempool_unpoison_object+0x1a9/0x200
[ 25.351009] remove_element+0x11e/0x190
[ 25.351507] mempool_alloc_preallocated+0x4d/0x90
[ 25.351747] mempool_uaf_helper+0x96/0x400
[ 25.352033] mempool_kmalloc_uaf+0xef/0x140
[ 25.352401] kunit_try_run_case+0x1a5/0x480
[ 25.352784] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.353138] kthread+0x337/0x6f0
[ 25.353530] ret_from_fork+0x116/0x1d0
[ 25.353721] ret_from_fork_asm+0x1a/0x30
[ 25.354005]
[ 25.354081] Freed by task 277:
[ 25.354601] kasan_save_stack+0x45/0x70
[ 25.354788] kasan_save_track+0x18/0x40
[ 25.354974] kasan_save_free_info+0x3f/0x60
[ 25.355167] __kasan_mempool_poison_object+0x131/0x1d0
[ 25.355713] mempool_free+0x2ec/0x380
[ 25.355892] mempool_uaf_helper+0x11a/0x400
[ 25.356260] mempool_kmalloc_uaf+0xef/0x140
[ 25.356642] kunit_try_run_case+0x1a5/0x480
[ 25.356958] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.357291] kthread+0x337/0x6f0
[ 25.357619] ret_from_fork+0x116/0x1d0
[ 25.357822] ret_from_fork_asm+0x1a/0x30
[ 25.357991]
[ 25.358085] The buggy address belongs to the object at ffff888104cac700
[ 25.358085] which belongs to the cache kmalloc-128 of size 128
[ 25.359111] The buggy address is located 0 bytes inside of
[ 25.359111] freed 128-byte region [ffff888104cac700, ffff888104cac780)
[ 25.360024]
[ 25.360133] The buggy address belongs to the physical page:
[ 25.360629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cac
[ 25.361103] flags: 0x200000000000000(node=0|zone=2)
[ 25.361537] page_type: f5(slab)
[ 25.361680] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 25.362228] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.362825] page dumped because: kasan: bad access detected
[ 25.363186]
[ 25.363511] Memory state around the buggy address:
[ 25.363839] ffff888104cac600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.364142] ffff888104cac680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.364761] >ffff888104cac700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.365174] ^
[ 25.365518] ffff888104cac780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.365941] ffff888104cac800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.366593] ==================================================================