Date
July 14, 2025, 10:38 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 52.348121] ================================================================== [ 52.348302] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 52.352459] Read of size 1 at addr ffff000800dac400 by task kunit_try_catch/311 [ 52.359750] [ 52.361236] CPU: 7 UID: 0 PID: 311 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 52.361293] Tainted: [B]=BAD_PAGE, [N]=TEST [ 52.361311] Hardware name: WinLink E850-96 board (DT) [ 52.361335] Call trace: [ 52.361348] show_stack+0x20/0x38 (C) [ 52.361386] dump_stack_lvl+0x8c/0xd0 [ 52.361422] print_report+0x118/0x5d0 [ 52.361450] kasan_report+0xdc/0x128 [ 52.361478] __asan_report_load1_noabort+0x20/0x30 [ 52.361515] mempool_uaf_helper+0x314/0x340 [ 52.361549] mempool_kmalloc_uaf+0xc4/0x120 [ 52.361583] kunit_try_run_case+0x170/0x3f0 [ 52.361621] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 52.361653] kthread+0x328/0x630 [ 52.361683] ret_from_fork+0x10/0x20 [ 52.361718] [ 52.429453] Allocated by task 311: [ 52.432840] kasan_save_stack+0x3c/0x68 [ 52.436659] kasan_save_track+0x20/0x40 [ 52.440476] kasan_save_alloc_info+0x40/0x58 [ 52.444730] __kasan_mempool_unpoison_object+0x11c/0x180 [ 52.450025] remove_element+0x130/0x1f8 [ 52.453844] mempool_alloc_preallocated+0x58/0xc0 [ 52.458532] mempool_uaf_helper+0xa4/0x340 [ 52.462611] mempool_kmalloc_uaf+0xc4/0x120 [ 52.466779] kunit_try_run_case+0x170/0x3f0 [ 52.470946] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 52.476414] kthread+0x328/0x630 [ 52.479625] ret_from_fork+0x10/0x20 [ 52.483184] [ 52.484661] Freed by task 311: [ 52.487700] kasan_save_stack+0x3c/0x68 [ 52.491517] kasan_save_track+0x20/0x40 [ 52.495337] kasan_save_free_info+0x4c/0x78 [ 52.499503] __kasan_mempool_poison_object+0xc0/0x150 [ 52.504538] mempool_free+0x28c/0x328 [ 52.508184] mempool_uaf_helper+0x104/0x340 [ 52.512350] mempool_kmalloc_uaf+0xc4/0x120 [ 52.516517] kunit_try_run_case+0x170/0x3f0 [ 52.520685] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 52.526152] kthread+0x328/0x630 [ 52.529364] ret_from_fork+0x10/0x20 [ 52.532923] [ 52.534400] The buggy address belongs to the object at ffff000800dac400 [ 52.534400] which belongs to the cache kmalloc-128 of size 128 [ 52.546902] The buggy address is located 0 bytes inside of [ 52.546902] freed 128-byte region [ffff000800dac400, ffff000800dac480) [ 52.558964] [ 52.560444] The buggy address belongs to the physical page: [ 52.566001] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880dac [ 52.573983] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 52.581623] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 52.588566] page_type: f5(slab) [ 52.591704] raw: 0bfffe0000000040 ffff000800002a00 dead000000000100 dead000000000122 [ 52.599422] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 52.607148] head: 0bfffe0000000040 ffff000800002a00 dead000000000100 dead000000000122 [ 52.614960] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 52.622772] head: 0bfffe0000000001 fffffdffe0036b01 00000000ffffffff 00000000ffffffff [ 52.630584] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 52.638391] page dumped because: kasan: bad access detected [ 52.643945] [ 52.645422] Memory state around the buggy address: [ 52.650203] ffff000800dac300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.657404] ffff000800dac380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.664612] >ffff000800dac400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.671810] ^ [ 52.675025] ffff000800dac480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.682230] ffff000800dac500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 52.689432] ================================================================== [ 52.930736] ================================================================== [ 52.940212] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 52.947327] Read of size 1 at addr ffff000808765240 by task kunit_try_catch/315 [ 52.954618] [ 52.956106] CPU: 3 UID: 0 PID: 315 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 52.956161] Tainted: [B]=BAD_PAGE, [N]=TEST [ 52.956178] Hardware name: WinLink E850-96 board (DT) [ 52.956200] Call trace: [ 52.956214] show_stack+0x20/0x38 (C) [ 52.956250] dump_stack_lvl+0x8c/0xd0 [ 52.956285] print_report+0x118/0x5d0 [ 52.956313] kasan_report+0xdc/0x128 [ 52.956341] __asan_report_load1_noabort+0x20/0x30 [ 52.956376] mempool_uaf_helper+0x314/0x340 [ 52.956407] mempool_slab_uaf+0xc0/0x118 [ 52.956442] kunit_try_run_case+0x170/0x3f0 [ 52.956481] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 52.956514] kthread+0x328/0x630 [ 52.956542] ret_from_fork+0x10/0x20 [ 52.956580] [ 53.024063] Allocated by task 315: [ 53.027450] kasan_save_stack+0x3c/0x68 [ 53.031266] kasan_save_track+0x20/0x40 [ 53.035085] kasan_save_alloc_info+0x40/0x58 [ 53.039339] __kasan_mempool_unpoison_object+0xbc/0x180 [ 53.044547] remove_element+0x16c/0x1f8 [ 53.048366] mempool_alloc_preallocated+0x58/0xc0 [ 53.053054] mempool_uaf_helper+0xa4/0x340 [ 53.057134] mempool_slab_uaf+0xc0/0x118 [ 53.061040] kunit_try_run_case+0x170/0x3f0 [ 53.065206] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 53.070675] kthread+0x328/0x630 [ 53.073887] ret_from_fork+0x10/0x20 [ 53.077446] [ 53.078923] Freed by task 315: [ 53.081960] kasan_save_stack+0x3c/0x68 [ 53.085779] kasan_save_track+0x20/0x40 [ 53.089599] kasan_save_free_info+0x4c/0x78 [ 53.093765] __kasan_mempool_poison_object+0xc0/0x150 [ 53.098800] mempool_free+0x28c/0x328 [ 53.102446] mempool_uaf_helper+0x104/0x340 [ 53.106612] mempool_slab_uaf+0xc0/0x118 [ 53.110518] kunit_try_run_case+0x170/0x3f0 [ 53.114685] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 53.120154] kthread+0x328/0x630 [ 53.123365] ret_from_fork+0x10/0x20 [ 53.126924] [ 53.128400] The buggy address belongs to the object at ffff000808765240 [ 53.128400] which belongs to the cache test_cache of size 123 [ 53.140815] The buggy address is located 0 bytes inside of [ 53.140815] freed 123-byte region [ffff000808765240, ffff0008087652bb) [ 53.152879] [ 53.154357] The buggy address belongs to the physical page: [ 53.159915] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x888765 [ 53.167899] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 53.174409] page_type: f5(slab) [ 53.177542] raw: 0bfffe0000000000 ffff0008019bc280 dead000000000122 0000000000000000 [ 53.185264] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 53.192983] page dumped because: kasan: bad access detected [ 53.198538] [ 53.200013] Memory state around the buggy address: [ 53.204794] ffff000808765100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 53.211996] ffff000808765180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.219201] >ffff000808765200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 53.226402] ^ [ 53.231700] ffff000808765280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 53.238906] ffff000808765300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 53.246107] ==================================================================
[ 31.682718] ================================================================== [ 31.682811] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 31.682891] Read of size 1 at addr fff00000c85fc200 by task kunit_try_catch/258 [ 31.682944] [ 31.682987] CPU: 0 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 31.683096] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.683125] Hardware name: linux,dummy-virt (DT) [ 31.683160] Call trace: [ 31.683185] show_stack+0x20/0x38 (C) [ 31.683237] dump_stack_lvl+0x8c/0xd0 [ 31.683287] print_report+0x118/0x5d0 [ 31.683330] kasan_report+0xdc/0x128 [ 31.683373] __asan_report_load1_noabort+0x20/0x30 [ 31.683421] mempool_uaf_helper+0x314/0x340 [ 31.683467] mempool_kmalloc_uaf+0xc4/0x120 [ 31.683514] kunit_try_run_case+0x170/0x3f0 [ 31.683567] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.683616] kthread+0x328/0x630 [ 31.683658] ret_from_fork+0x10/0x20 [ 31.683705] [ 31.683725] Allocated by task 258: [ 31.683753] kasan_save_stack+0x3c/0x68 [ 31.683795] kasan_save_track+0x20/0x40 [ 31.683832] kasan_save_alloc_info+0x40/0x58 [ 31.683871] __kasan_mempool_unpoison_object+0x11c/0x180 [ 31.683912] remove_element+0x130/0x1f8 [ 31.683950] mempool_alloc_preallocated+0x58/0xc0 [ 31.683990] mempool_uaf_helper+0xa4/0x340 [ 31.684027] mempool_kmalloc_uaf+0xc4/0x120 [ 31.684075] kunit_try_run_case+0x170/0x3f0 [ 31.684113] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.684155] kthread+0x328/0x630 [ 31.684204] ret_from_fork+0x10/0x20 [ 31.684242] [ 31.684274] Freed by task 258: [ 31.684301] kasan_save_stack+0x3c/0x68 [ 31.684339] kasan_save_track+0x20/0x40 [ 31.684378] kasan_save_free_info+0x4c/0x78 [ 31.684414] __kasan_mempool_poison_object+0xc0/0x150 [ 31.684457] mempool_free+0x28c/0x328 [ 31.684494] mempool_uaf_helper+0x104/0x340 [ 31.684531] mempool_kmalloc_uaf+0xc4/0x120 [ 31.684570] kunit_try_run_case+0x170/0x3f0 [ 31.684608] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.684650] kthread+0x328/0x630 [ 31.684682] ret_from_fork+0x10/0x20 [ 31.684719] [ 31.684739] The buggy address belongs to the object at fff00000c85fc200 [ 31.684739] which belongs to the cache kmalloc-128 of size 128 [ 31.684798] The buggy address is located 0 bytes inside of [ 31.684798] freed 128-byte region [fff00000c85fc200, fff00000c85fc280) [ 31.684857] [ 31.684881] The buggy address belongs to the physical page: [ 31.684913] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1085fc [ 31.684970] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.685022] page_type: f5(slab) [ 31.685075] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.685125] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.685166] page dumped because: kasan: bad access detected [ 31.685198] [ 31.685216] Memory state around the buggy address: [ 31.685250] fff00000c85fc100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.685292] fff00000c85fc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.685334] >fff00000c85fc200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.685374] ^ [ 31.685402] fff00000c85fc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.685445] fff00000c85fc300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.685483] ================================================================== [ 31.711947] ================================================================== [ 31.712020] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 31.712090] Read of size 1 at addr fff00000c85de240 by task kunit_try_catch/262 [ 31.712140] [ 31.712178] CPU: 0 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 31.713208] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.713347] Hardware name: linux,dummy-virt (DT) [ 31.713503] Call trace: [ 31.713556] show_stack+0x20/0x38 (C) [ 31.713638] dump_stack_lvl+0x8c/0xd0 [ 31.714425] print_report+0x118/0x5d0 [ 31.714508] kasan_report+0xdc/0x128 [ 31.714555] __asan_report_load1_noabort+0x20/0x30 [ 31.714660] mempool_uaf_helper+0x314/0x340 [ 31.714723] mempool_slab_uaf+0xc0/0x118 [ 31.714770] kunit_try_run_case+0x170/0x3f0 [ 31.714819] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.714878] kthread+0x328/0x630 [ 31.714936] ret_from_fork+0x10/0x20 [ 31.714993] [ 31.715013] Allocated by task 262: [ 31.715064] kasan_save_stack+0x3c/0x68 [ 31.715111] kasan_save_track+0x20/0x40 [ 31.715151] kasan_save_alloc_info+0x40/0x58 [ 31.715189] __kasan_mempool_unpoison_object+0xbc/0x180 [ 31.715231] remove_element+0x16c/0x1f8 [ 31.715279] mempool_alloc_preallocated+0x58/0xc0 [ 31.715325] mempool_uaf_helper+0xa4/0x340 [ 31.715372] mempool_slab_uaf+0xc0/0x118 [ 31.715416] kunit_try_run_case+0x170/0x3f0 [ 31.715454] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.715496] kthread+0x328/0x630 [ 31.715528] ret_from_fork+0x10/0x20 [ 31.715582] [ 31.715602] Freed by task 262: [ 31.715635] kasan_save_stack+0x3c/0x68 [ 31.715674] kasan_save_track+0x20/0x40 [ 31.715721] kasan_save_free_info+0x4c/0x78 [ 31.715758] __kasan_mempool_poison_object+0xc0/0x150 [ 31.715810] mempool_free+0x28c/0x328 [ 31.715847] mempool_uaf_helper+0x104/0x340 [ 31.715885] mempool_slab_uaf+0xc0/0x118 [ 31.715921] kunit_try_run_case+0x170/0x3f0 [ 31.715975] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.716023] kthread+0x328/0x630 [ 31.716087] ret_from_fork+0x10/0x20 [ 31.716479] [ 31.716504] The buggy address belongs to the object at fff00000c85de240 [ 31.716504] which belongs to the cache test_cache of size 123 [ 31.717312] The buggy address is located 0 bytes inside of [ 31.717312] freed 123-byte region [fff00000c85de240, fff00000c85de2bb) [ 31.717596] [ 31.717638] The buggy address belongs to the physical page: [ 31.718132] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1085de [ 31.718244] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.718434] page_type: f5(slab) [ 31.718522] raw: 0bfffe0000000000 fff00000c5687b40 dead000000000122 0000000000000000 [ 31.718681] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 31.718782] page dumped because: kasan: bad access detected [ 31.719164] [ 31.719225] Memory state around the buggy address: [ 31.719309] fff00000c85de100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.719482] fff00000c85de180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.719528] >fff00000c85de200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 31.719960] ^ [ 31.720014] fff00000c85de280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.720376] fff00000c85de300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.720501] ==================================================================
[ 25.908804] ================================================================== [ 25.909435] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 25.909816] Read of size 1 at addr ffff888103eb6240 by task kunit_try_catch/280 [ 25.910102] [ 25.910277] CPU: 0 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) [ 25.910333] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 25.910347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.910370] Call Trace: [ 25.910385] <TASK> [ 25.910405] dump_stack_lvl+0x73/0xb0 [ 25.910437] print_report+0xd1/0x610 [ 25.910459] ? __virt_addr_valid+0x1db/0x2d0 [ 25.910484] ? mempool_uaf_helper+0x392/0x400 [ 25.910505] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.910530] ? mempool_uaf_helper+0x392/0x400 [ 25.910552] kasan_report+0x141/0x180 [ 25.910574] ? mempool_uaf_helper+0x392/0x400 [ 25.910599] __asan_report_load1_noabort+0x18/0x20 [ 25.910622] mempool_uaf_helper+0x392/0x400 [ 25.910644] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 25.910681] ? finish_task_switch.isra.0+0x153/0x700 [ 25.910708] mempool_slab_uaf+0xea/0x140 [ 25.910731] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 25.910756] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 25.910780] ? __pfx_mempool_free_slab+0x10/0x10 [ 25.910804] ? __pfx_read_tsc+0x10/0x10 [ 25.910826] ? ktime_get_ts64+0x86/0x230 [ 25.910850] kunit_try_run_case+0x1a5/0x480 [ 25.910874] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.910893] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.910917] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.910940] ? __kthread_parkme+0x82/0x180 [ 25.910961] ? preempt_count_sub+0x50/0x80 [ 25.910983] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.911060] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.911085] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.911109] kthread+0x337/0x6f0 [ 25.911130] ? trace_preempt_on+0x20/0xc0 [ 25.911152] ? __pfx_kthread+0x10/0x10 [ 25.911173] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.911194] ? calculate_sigpending+0x7b/0xa0 [ 25.911218] ? __pfx_kthread+0x10/0x10 [ 25.911239] ret_from_fork+0x116/0x1d0 [ 25.911257] ? __pfx_kthread+0x10/0x10 [ 25.911278] ret_from_fork_asm+0x1a/0x30 [ 25.911308] </TASK> [ 25.911319] [ 25.920472] Allocated by task 280: [ 25.920643] kasan_save_stack+0x45/0x70 [ 25.920817] kasan_save_track+0x18/0x40 [ 25.920948] kasan_save_alloc_info+0x3b/0x50 [ 25.921263] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 25.922222] remove_element+0x11e/0x190 [ 25.922456] mempool_alloc_preallocated+0x4d/0x90 [ 25.922736] mempool_uaf_helper+0x96/0x400 [ 25.922972] mempool_slab_uaf+0xea/0x140 [ 25.923177] kunit_try_run_case+0x1a5/0x480 [ 25.923394] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.923627] kthread+0x337/0x6f0 [ 25.923808] ret_from_fork+0x116/0x1d0 [ 25.923936] ret_from_fork_asm+0x1a/0x30 [ 25.924069] [ 25.924175] Freed by task 280: [ 25.924329] kasan_save_stack+0x45/0x70 [ 25.924516] kasan_save_track+0x18/0x40 [ 25.924644] kasan_save_free_info+0x3f/0x60 [ 25.925001] __kasan_mempool_poison_object+0x131/0x1d0 [ 25.925305] mempool_free+0x2ec/0x380 [ 25.925450] mempool_uaf_helper+0x11a/0x400 [ 25.925678] mempool_slab_uaf+0xea/0x140 [ 25.925882] kunit_try_run_case+0x1a5/0x480 [ 25.926063] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.926236] kthread+0x337/0x6f0 [ 25.926559] ret_from_fork+0x116/0x1d0 [ 25.926839] ret_from_fork_asm+0x1a/0x30 [ 25.926984] [ 25.927049] The buggy address belongs to the object at ffff888103eb6240 [ 25.927049] which belongs to the cache test_cache of size 123 [ 25.927516] The buggy address is located 0 bytes inside of [ 25.927516] freed 123-byte region [ffff888103eb6240, ffff888103eb62bb) [ 25.928828] [ 25.928927] The buggy address belongs to the physical page: [ 25.929745] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103eb6 [ 25.930233] flags: 0x200000000000000(node=0|zone=2) [ 25.930477] page_type: f5(slab) [ 25.930884] raw: 0200000000000000 ffff888103eb1280 dead000000000122 0000000000000000 [ 25.931449] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 25.931925] page dumped because: kasan: bad access detected [ 25.932389] [ 25.932467] Memory state around the buggy address: [ 25.932676] ffff888103eb6100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.933022] ffff888103eb6180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.933641] >ffff888103eb6200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 25.934152] ^ [ 25.934365] ffff888103eb6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.934879] ffff888103eb6300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.935683] ================================================================== [ 25.841295] ================================================================== [ 25.843092] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 25.844371] Read of size 1 at addr ffff888103e99500 by task kunit_try_catch/276 [ 25.845680] [ 25.846170] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) [ 25.846249] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 25.846265] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.846337] Call Trace: [ 25.846356] <TASK> [ 25.846378] dump_stack_lvl+0x73/0xb0 [ 25.846422] print_report+0xd1/0x610 [ 25.846469] ? __virt_addr_valid+0x1db/0x2d0 [ 25.846496] ? mempool_uaf_helper+0x392/0x400 [ 25.846518] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.846544] ? mempool_uaf_helper+0x392/0x400 [ 25.846566] kasan_report+0x141/0x180 [ 25.846587] ? mempool_uaf_helper+0x392/0x400 [ 25.846613] __asan_report_load1_noabort+0x18/0x20 [ 25.846637] mempool_uaf_helper+0x392/0x400 [ 25.846668] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 25.846690] ? dequeue_entities+0x23f/0x1630 [ 25.846716] ? __kasan_check_write+0x18/0x20 [ 25.846755] ? __pfx_sched_clock_cpu+0x10/0x10 [ 25.846777] ? finish_task_switch.isra.0+0x153/0x700 [ 25.846804] mempool_kmalloc_uaf+0xef/0x140 [ 25.846825] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 25.846849] ? __pfx_mempool_kmalloc+0x10/0x10 [ 25.846874] ? __pfx_mempool_kfree+0x10/0x10 [ 25.846898] ? __pfx_read_tsc+0x10/0x10 [ 25.846920] ? ktime_get_ts64+0x86/0x230 [ 25.846976] kunit_try_run_case+0x1a5/0x480 [ 25.847001] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.847021] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.847046] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.847069] ? __kthread_parkme+0x82/0x180 [ 25.847090] ? preempt_count_sub+0x50/0x80 [ 25.847113] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.847135] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.847160] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.847184] kthread+0x337/0x6f0 [ 25.847205] ? trace_preempt_on+0x20/0xc0 [ 25.847228] ? __pfx_kthread+0x10/0x10 [ 25.847249] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.847270] ? calculate_sigpending+0x7b/0xa0 [ 25.847293] ? __pfx_kthread+0x10/0x10 [ 25.847315] ret_from_fork+0x116/0x1d0 [ 25.847333] ? __pfx_kthread+0x10/0x10 [ 25.847353] ret_from_fork_asm+0x1a/0x30 [ 25.847385] </TASK> [ 25.847396] [ 25.862285] Allocated by task 276: [ 25.862497] kasan_save_stack+0x45/0x70 [ 25.862710] kasan_save_track+0x18/0x40 [ 25.863154] kasan_save_alloc_info+0x3b/0x50 [ 25.863310] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 25.863539] remove_element+0x11e/0x190 [ 25.863964] mempool_alloc_preallocated+0x4d/0x90 [ 25.864206] mempool_uaf_helper+0x96/0x400 [ 25.864587] mempool_kmalloc_uaf+0xef/0x140 [ 25.864924] kunit_try_run_case+0x1a5/0x480 [ 25.865285] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.865627] kthread+0x337/0x6f0 [ 25.865828] ret_from_fork+0x116/0x1d0 [ 25.866240] ret_from_fork_asm+0x1a/0x30 [ 25.866379] [ 25.866600] Freed by task 276: [ 25.866727] kasan_save_stack+0x45/0x70 [ 25.867023] kasan_save_track+0x18/0x40 [ 25.867468] kasan_save_free_info+0x3f/0x60 [ 25.867782] __kasan_mempool_poison_object+0x131/0x1d0 [ 25.868174] mempool_free+0x2ec/0x380 [ 25.868557] mempool_uaf_helper+0x11a/0x400 [ 25.869248] mempool_kmalloc_uaf+0xef/0x140 [ 25.869447] kunit_try_run_case+0x1a5/0x480 [ 25.869912] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.870266] kthread+0x337/0x6f0 [ 25.870555] ret_from_fork+0x116/0x1d0 [ 25.870729] ret_from_fork_asm+0x1a/0x30 [ 25.870920] [ 25.871160] The buggy address belongs to the object at ffff888103e99500 [ 25.871160] which belongs to the cache kmalloc-128 of size 128 [ 25.871623] The buggy address is located 0 bytes inside of [ 25.871623] freed 128-byte region [ffff888103e99500, ffff888103e99580) [ 25.872241] [ 25.872340] The buggy address belongs to the physical page: [ 25.872534] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103e99 [ 25.872932] flags: 0x200000000000000(node=0|zone=2) [ 25.873377] page_type: f5(slab) [ 25.873507] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.873905] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.874202] page dumped because: kasan: bad access detected [ 25.874672] [ 25.875245] Memory state around the buggy address: [ 25.875428] ffff888103e99400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.875786] ffff888103e99480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.876042] >ffff888103e99500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.876451] ^ [ 25.876651] ffff888103e99580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.877128] ffff888103e99600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.877431] ==================================================================