Date
June 26, 2025, 11:12 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 37.084243] ================================================================== [ 37.093567] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 37.100683] Read of size 1 at addr ffff000806481240 by task kunit_try_catch/280 [ 37.107973] [ 37.109460] CPU: 0 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 37.109516] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.109532] Hardware name: WinLink E850-96 board (DT) [ 37.109555] Call trace: [ 37.109569] show_stack+0x20/0x38 (C) [ 37.109605] dump_stack_lvl+0x8c/0xd0 [ 37.109644] print_report+0x118/0x608 [ 37.109676] kasan_report+0xdc/0x128 [ 37.109706] __asan_report_load1_noabort+0x20/0x30 [ 37.109741] mempool_uaf_helper+0x314/0x340 [ 37.109777] mempool_slab_uaf+0xc0/0x118 [ 37.109806] kunit_try_run_case+0x170/0x3f0 [ 37.109845] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.109886] kthread+0x328/0x630 [ 37.109921] ret_from_fork+0x10/0x20 [ 37.109959] [ 37.176202] Allocated by task 280: [ 37.179591] kasan_save_stack+0x3c/0x68 [ 37.183406] kasan_save_track+0x20/0x40 [ 37.187226] kasan_save_alloc_info+0x40/0x58 [ 37.191479] __kasan_mempool_unpoison_object+0xbc/0x180 [ 37.196687] remove_element+0x16c/0x1f8 [ 37.200506] mempool_alloc_preallocated+0x58/0xc0 [ 37.205195] mempool_uaf_helper+0xa4/0x340 [ 37.209273] mempool_slab_uaf+0xc0/0x118 [ 37.213180] kunit_try_run_case+0x170/0x3f0 [ 37.217347] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.222815] kthread+0x328/0x630 [ 37.226027] ret_from_fork+0x10/0x20 [ 37.229586] [ 37.231061] Freed by task 280: [ 37.234101] kasan_save_stack+0x3c/0x68 [ 37.237919] kasan_save_track+0x20/0x40 [ 37.241738] kasan_save_free_info+0x4c/0x78 [ 37.245905] __kasan_mempool_poison_object+0xc0/0x150 [ 37.250940] mempool_free+0x28c/0x328 [ 37.254585] mempool_uaf_helper+0x104/0x340 [ 37.258753] mempool_slab_uaf+0xc0/0x118 [ 37.262658] kunit_try_run_case+0x170/0x3f0 [ 37.266825] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.272293] kthread+0x328/0x630 [ 37.275505] ret_from_fork+0x10/0x20 [ 37.279064] [ 37.280541] The buggy address belongs to the object at ffff000806481240 [ 37.280541] which belongs to the cache test_cache of size 123 [ 37.292955] The buggy address is located 0 bytes inside of [ 37.292955] freed 123-byte region [ffff000806481240, ffff0008064812bb) [ 37.305019] [ 37.306498] The buggy address belongs to the physical page: [ 37.312054] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886481 [ 37.320040] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.326549] page_type: f5(slab) [ 37.329687] raw: 0bfffe0000000000 ffff00080177bcc0 dead000000000122 0000000000000000 [ 37.337403] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 37.345122] page dumped because: kasan: bad access detected [ 37.350679] [ 37.352155] Memory state around the buggy address: [ 37.356932] ffff000806481100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.364137] ffff000806481180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.371341] >ffff000806481200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 37.378542] ^ [ 37.383841] ffff000806481280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.391046] ffff000806481300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.398248] ================================================================== [ 36.495655] ================================================================== [ 36.501129] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 36.508244] Read of size 1 at addr ffff000802d03000 by task kunit_try_catch/276 [ 36.515534] [ 36.517021] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 36.517071] Tainted: [B]=BAD_PAGE, [N]=TEST [ 36.517088] Hardware name: WinLink E850-96 board (DT) [ 36.517114] Call trace: [ 36.517130] show_stack+0x20/0x38 (C) [ 36.517166] dump_stack_lvl+0x8c/0xd0 [ 36.517204] print_report+0x118/0x608 [ 36.517238] kasan_report+0xdc/0x128 [ 36.517272] __asan_report_load1_noabort+0x20/0x30 [ 36.517311] mempool_uaf_helper+0x314/0x340 [ 36.517346] mempool_kmalloc_uaf+0xc4/0x120 [ 36.517380] kunit_try_run_case+0x170/0x3f0 [ 36.517417] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 36.517457] kthread+0x328/0x630 [ 36.517497] ret_from_fork+0x10/0x20 [ 36.517535] [ 36.584023] Allocated by task 276: [ 36.587411] kasan_save_stack+0x3c/0x68 [ 36.591227] kasan_save_track+0x20/0x40 [ 36.595047] kasan_save_alloc_info+0x40/0x58 [ 36.599300] __kasan_mempool_unpoison_object+0x11c/0x180 [ 36.604595] remove_element+0x130/0x1f8 [ 36.608415] mempool_alloc_preallocated+0x58/0xc0 [ 36.613102] mempool_uaf_helper+0xa4/0x340 [ 36.617182] mempool_kmalloc_uaf+0xc4/0x120 [ 36.621350] kunit_try_run_case+0x170/0x3f0 [ 36.625515] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 36.630984] kthread+0x328/0x630 [ 36.634196] ret_from_fork+0x10/0x20 [ 36.637754] [ 36.639232] Freed by task 276: [ 36.642270] kasan_save_stack+0x3c/0x68 [ 36.646087] kasan_save_track+0x20/0x40 [ 36.649907] kasan_save_free_info+0x4c/0x78 [ 36.654074] __kasan_mempool_poison_object+0xc0/0x150 [ 36.659108] mempool_free+0x28c/0x328 [ 36.662754] mempool_uaf_helper+0x104/0x340 [ 36.666921] mempool_kmalloc_uaf+0xc4/0x120 [ 36.671087] kunit_try_run_case+0x170/0x3f0 [ 36.675255] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 36.680722] kthread+0x328/0x630 [ 36.683934] ret_from_fork+0x10/0x20 [ 36.687493] [ 36.688970] The buggy address belongs to the object at ffff000802d03000 [ 36.688970] which belongs to the cache kmalloc-128 of size 128 [ 36.701472] The buggy address is located 0 bytes inside of [ 36.701472] freed 128-byte region [ffff000802d03000, ffff000802d03080) [ 36.713534] [ 36.715014] The buggy address belongs to the physical page: [ 36.720571] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882d02 [ 36.728555] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 36.736194] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 36.743136] page_type: f5(slab) [ 36.746274] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 36.753992] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 36.761719] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 36.769530] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 36.777343] head: 0bfffe0000000001 fffffdffe00b4081 00000000ffffffff 00000000ffffffff [ 36.785155] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 36.792960] page dumped because: kasan: bad access detected [ 36.798516] [ 36.799991] Memory state around the buggy address: [ 36.804773] ffff000802d02f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.811974] ffff000802d02f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.819181] >ffff000802d03000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.826380] ^ [ 36.829596] ffff000802d03080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.836800] ffff000802d03100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 36.844003] ==================================================================
[ 20.046182] ================================================================== [ 20.046248] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.046307] Read of size 1 at addr fff00000c7a61240 by task kunit_try_catch/233 [ 20.046357] [ 20.046391] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 20.046478] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.047623] Hardware name: linux,dummy-virt (DT) [ 20.047711] Call trace: [ 20.047744] show_stack+0x20/0x38 (C) [ 20.047869] dump_stack_lvl+0x8c/0xd0 [ 20.048200] print_report+0x118/0x608 [ 20.048431] kasan_report+0xdc/0x128 [ 20.048508] __asan_report_load1_noabort+0x20/0x30 [ 20.048560] mempool_uaf_helper+0x314/0x340 [ 20.048610] mempool_slab_uaf+0xc0/0x118 [ 20.048710] kunit_try_run_case+0x170/0x3f0 [ 20.049160] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.049645] kthread+0x328/0x630 [ 20.050144] ret_from_fork+0x10/0x20 [ 20.050472] [ 20.050507] Allocated by task 233: [ 20.050539] kasan_save_stack+0x3c/0x68 [ 20.050585] kasan_save_track+0x20/0x40 [ 20.050927] kasan_save_alloc_info+0x40/0x58 [ 20.051227] __kasan_mempool_unpoison_object+0xbc/0x180 [ 20.051274] remove_element+0x16c/0x1f8 [ 20.051644] mempool_alloc_preallocated+0x58/0xc0 [ 20.051696] mempool_uaf_helper+0xa4/0x340 [ 20.051738] mempool_slab_uaf+0xc0/0x118 [ 20.051950] kunit_try_run_case+0x170/0x3f0 [ 20.052007] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.052363] kthread+0x328/0x630 [ 20.052435] ret_from_fork+0x10/0x20 [ 20.052766] [ 20.052898] Freed by task 233: [ 20.053093] kasan_save_stack+0x3c/0x68 [ 20.053253] kasan_save_track+0x20/0x40 [ 20.053380] kasan_save_free_info+0x4c/0x78 [ 20.053509] __kasan_mempool_poison_object+0xc0/0x150 [ 20.053770] mempool_free+0x28c/0x328 [ 20.054072] mempool_uaf_helper+0x104/0x340 [ 20.054208] mempool_slab_uaf+0xc0/0x118 [ 20.054460] kunit_try_run_case+0x170/0x3f0 [ 20.054575] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.054621] kthread+0x328/0x630 [ 20.055060] ret_from_fork+0x10/0x20 [ 20.055474] [ 20.055538] The buggy address belongs to the object at fff00000c7a61240 [ 20.055538] which belongs to the cache test_cache of size 123 [ 20.055875] The buggy address is located 0 bytes inside of [ 20.055875] freed 123-byte region [fff00000c7a61240, fff00000c7a612bb) [ 20.055947] [ 20.055967] The buggy address belongs to the physical page: [ 20.055998] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a61 [ 20.056236] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.056392] page_type: f5(slab) [ 20.056451] raw: 0bfffe0000000000 fff00000c59d6b40 dead000000000122 0000000000000000 [ 20.056723] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 20.056833] page dumped because: kasan: bad access detected [ 20.056876] [ 20.056894] Memory state around the buggy address: [ 20.057438] fff00000c7a61100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.057749] fff00000c7a61180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.057956] >fff00000c7a61200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 20.058002] ^ [ 20.058038] fff00000c7a61280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 20.058521] fff00000c7a61300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.058581] ================================================================== [ 20.000950] ================================================================== [ 20.001027] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.001097] Read of size 1 at addr fff00000c791d100 by task kunit_try_catch/229 [ 20.001150] [ 20.001191] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 20.001278] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.001307] Hardware name: linux,dummy-virt (DT) [ 20.001342] Call trace: [ 20.001365] show_stack+0x20/0x38 (C) [ 20.001416] dump_stack_lvl+0x8c/0xd0 [ 20.001467] print_report+0x118/0x608 [ 20.001513] kasan_report+0xdc/0x128 [ 20.001557] __asan_report_load1_noabort+0x20/0x30 [ 20.001609] mempool_uaf_helper+0x314/0x340 [ 20.001658] mempool_kmalloc_uaf+0xc4/0x120 [ 20.001706] kunit_try_run_case+0x170/0x3f0 [ 20.001757] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.001811] kthread+0x328/0x630 [ 20.001887] ret_from_fork+0x10/0x20 [ 20.001938] [ 20.001957] Allocated by task 229: [ 20.001985] kasan_save_stack+0x3c/0x68 [ 20.002025] kasan_save_track+0x20/0x40 [ 20.002062] kasan_save_alloc_info+0x40/0x58 [ 20.002100] __kasan_mempool_unpoison_object+0x11c/0x180 [ 20.002142] remove_element+0x130/0x1f8 [ 20.002185] mempool_alloc_preallocated+0x58/0xc0 [ 20.002226] mempool_uaf_helper+0xa4/0x340 [ 20.002267] mempool_kmalloc_uaf+0xc4/0x120 [ 20.002305] kunit_try_run_case+0x170/0x3f0 [ 20.002345] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.002391] kthread+0x328/0x630 [ 20.002426] ret_from_fork+0x10/0x20 [ 20.002462] [ 20.002481] Freed by task 229: [ 20.002507] kasan_save_stack+0x3c/0x68 [ 20.002542] kasan_save_track+0x20/0x40 [ 20.002578] kasan_save_free_info+0x4c/0x78 [ 20.002615] __kasan_mempool_poison_object+0xc0/0x150 [ 20.002658] mempool_free+0x28c/0x328 [ 20.002695] mempool_uaf_helper+0x104/0x340 [ 20.002735] mempool_kmalloc_uaf+0xc4/0x120 [ 20.002773] kunit_try_run_case+0x170/0x3f0 [ 20.002812] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.002867] kthread+0x328/0x630 [ 20.002902] ret_from_fork+0x10/0x20 [ 20.002937] [ 20.002958] The buggy address belongs to the object at fff00000c791d100 [ 20.002958] which belongs to the cache kmalloc-128 of size 128 [ 20.003018] The buggy address is located 0 bytes inside of [ 20.003018] freed 128-byte region [fff00000c791d100, fff00000c791d180) [ 20.003080] [ 20.003101] The buggy address belongs to the physical page: [ 20.003132] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10791d [ 20.003192] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.003244] page_type: f5(slab) [ 20.003286] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 20.003339] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.003382] page dumped because: kasan: bad access detected [ 20.003414] [ 20.003432] Memory state around the buggy address: [ 20.003464] fff00000c791d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.003510] fff00000c791d080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.003557] >fff00000c791d100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.003599] ^ [ 20.003627] fff00000c791d180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.003672] fff00000c791d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 20.003714] ==================================================================
[ 12.516531] ================================================================== [ 12.517298] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 12.517609] Read of size 1 at addr ffff888102f7b240 by task kunit_try_catch/250 [ 12.518104] [ 12.518245] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT(voluntary) [ 12.518319] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.518331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.518355] Call Trace: [ 12.518369] <TASK> [ 12.518400] dump_stack_lvl+0x73/0xb0 [ 12.518430] print_report+0xd1/0x650 [ 12.518454] ? __virt_addr_valid+0x1db/0x2d0 [ 12.518478] ? mempool_uaf_helper+0x392/0x400 [ 12.518501] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.518523] ? mempool_uaf_helper+0x392/0x400 [ 12.518555] kasan_report+0x141/0x180 [ 12.518577] ? mempool_uaf_helper+0x392/0x400 [ 12.518603] __asan_report_load1_noabort+0x18/0x20 [ 12.518635] mempool_uaf_helper+0x392/0x400 [ 12.518658] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 12.518685] ? finish_task_switch.isra.0+0x153/0x700 [ 12.518714] mempool_slab_uaf+0xea/0x140 [ 12.518734] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 12.518753] ? dequeue_task_fair+0x166/0x4e0 [ 12.518776] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 12.518799] ? __pfx_mempool_free_slab+0x10/0x10 [ 12.518821] ? __pfx_read_tsc+0x10/0x10 [ 12.518892] ? ktime_get_ts64+0x86/0x230 [ 12.518941] kunit_try_run_case+0x1a5/0x480 [ 12.518969] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.518991] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.519017] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.519049] ? __kthread_parkme+0x82/0x180 [ 12.519072] ? preempt_count_sub+0x50/0x80 [ 12.519097] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.519132] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.519155] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.519177] kthread+0x337/0x6f0 [ 12.519194] ? trace_preempt_on+0x20/0xc0 [ 12.519219] ? __pfx_kthread+0x10/0x10 [ 12.519236] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.519257] ? calculate_sigpending+0x7b/0xa0 [ 12.519280] ? __pfx_kthread+0x10/0x10 [ 12.519297] ret_from_fork+0x41/0x80 [ 12.519318] ? __pfx_kthread+0x10/0x10 [ 12.519336] ret_from_fork_asm+0x1a/0x30 [ 12.519368] </TASK> [ 12.519380] [ 12.527809] Allocated by task 250: [ 12.528004] kasan_save_stack+0x45/0x70 [ 12.528157] kasan_save_track+0x18/0x40 [ 12.528298] kasan_save_alloc_info+0x3b/0x50 [ 12.528731] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 12.529058] remove_element+0x11e/0x190 [ 12.529254] mempool_alloc_preallocated+0x4d/0x90 [ 12.529469] mempool_uaf_helper+0x96/0x400 [ 12.529688] mempool_slab_uaf+0xea/0x140 [ 12.530008] kunit_try_run_case+0x1a5/0x480 [ 12.530196] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.530416] kthread+0x337/0x6f0 [ 12.530588] ret_from_fork+0x41/0x80 [ 12.530751] ret_from_fork_asm+0x1a/0x30 [ 12.530951] [ 12.531021] Freed by task 250: [ 12.531132] kasan_save_stack+0x45/0x70 [ 12.531266] kasan_save_track+0x18/0x40 [ 12.531401] kasan_save_free_info+0x3f/0x60 [ 12.531685] __kasan_mempool_poison_object+0x131/0x1d0 [ 12.531937] mempool_free+0x2ec/0x380 [ 12.532354] mempool_uaf_helper+0x11a/0x400 [ 12.532655] mempool_slab_uaf+0xea/0x140 [ 12.533037] kunit_try_run_case+0x1a5/0x480 [ 12.533261] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.533626] kthread+0x337/0x6f0 [ 12.533772] ret_from_fork+0x41/0x80 [ 12.533939] ret_from_fork_asm+0x1a/0x30 [ 12.534078] [ 12.534174] The buggy address belongs to the object at ffff888102f7b240 [ 12.534174] which belongs to the cache test_cache of size 123 [ 12.535824] The buggy address is located 0 bytes inside of [ 12.535824] freed 123-byte region [ffff888102f7b240, ffff888102f7b2bb) [ 12.536804] [ 12.536935] The buggy address belongs to the physical page: [ 12.537376] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f7b [ 12.537871] flags: 0x200000000000000(node=0|zone=2) [ 12.538319] page_type: f5(slab) [ 12.538488] raw: 0200000000000000 ffff88810128f780 dead000000000122 0000000000000000 [ 12.539106] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 12.539440] page dumped because: kasan: bad access detected [ 12.539843] [ 12.539957] Memory state around the buggy address: [ 12.540477] ffff888102f7b100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 12.541021] ffff888102f7b180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.541515] >ffff888102f7b200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 12.542116] ^ [ 12.542370] ffff888102f7b280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 12.542642] ffff888102f7b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.543218] ================================================================== [ 12.461496] ================================================================== [ 12.462070] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 12.462459] Read of size 1 at addr ffff8881029f9900 by task kunit_try_catch/246 [ 12.462803] [ 12.462910] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT(voluntary) [ 12.462985] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.462998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.463021] Call Trace: [ 12.463035] <TASK> [ 12.463092] dump_stack_lvl+0x73/0xb0 [ 12.463127] print_report+0xd1/0x650 [ 12.463164] ? __virt_addr_valid+0x1db/0x2d0 [ 12.463188] ? mempool_uaf_helper+0x392/0x400 [ 12.463211] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.463235] ? mempool_uaf_helper+0x392/0x400 [ 12.463286] kasan_report+0x141/0x180 [ 12.463309] ? mempool_uaf_helper+0x392/0x400 [ 12.463337] __asan_report_load1_noabort+0x18/0x20 [ 12.463369] mempool_uaf_helper+0x392/0x400 [ 12.463393] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 12.463415] ? dequeue_entities+0x852/0x1740 [ 12.463442] ? finish_task_switch.isra.0+0x153/0x700 [ 12.463471] mempool_kmalloc_uaf+0xef/0x140 [ 12.463496] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 12.463518] ? dequeue_task_fair+0x166/0x4e0 [ 12.463540] ? __pfx_mempool_kmalloc+0x10/0x10 [ 12.463562] ? __pfx_mempool_kfree+0x10/0x10 [ 12.463615] ? __pfx_read_tsc+0x10/0x10 [ 12.463636] ? ktime_get_ts64+0x86/0x230 [ 12.463674] kunit_try_run_case+0x1a5/0x480 [ 12.463701] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.463723] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.463748] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.463771] ? __kthread_parkme+0x82/0x180 [ 12.463890] ? preempt_count_sub+0x50/0x80 [ 12.463939] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.463965] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.463990] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.464012] kthread+0x337/0x6f0 [ 12.464030] ? trace_preempt_on+0x20/0xc0 [ 12.464055] ? __pfx_kthread+0x10/0x10 [ 12.464073] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.464095] ? calculate_sigpending+0x7b/0xa0 [ 12.464117] ? __pfx_kthread+0x10/0x10 [ 12.464135] ret_from_fork+0x41/0x80 [ 12.464156] ? __pfx_kthread+0x10/0x10 [ 12.464174] ret_from_fork_asm+0x1a/0x30 [ 12.464206] </TASK> [ 12.464217] [ 12.473405] Allocated by task 246: [ 12.473659] kasan_save_stack+0x45/0x70 [ 12.473876] kasan_save_track+0x18/0x40 [ 12.474125] kasan_save_alloc_info+0x3b/0x50 [ 12.474410] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 12.474812] remove_element+0x11e/0x190 [ 12.474984] mempool_alloc_preallocated+0x4d/0x90 [ 12.475143] mempool_uaf_helper+0x96/0x400 [ 12.475316] mempool_kmalloc_uaf+0xef/0x140 [ 12.475498] kunit_try_run_case+0x1a5/0x480 [ 12.475827] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.476073] kthread+0x337/0x6f0 [ 12.476194] ret_from_fork+0x41/0x80 [ 12.476431] ret_from_fork_asm+0x1a/0x30 [ 12.476905] [ 12.477021] Freed by task 246: [ 12.477234] kasan_save_stack+0x45/0x70 [ 12.477419] kasan_save_track+0x18/0x40 [ 12.477556] kasan_save_free_info+0x3f/0x60 [ 12.477700] __kasan_mempool_poison_object+0x131/0x1d0 [ 12.477904] mempool_free+0x2ec/0x380 [ 12.478136] mempool_uaf_helper+0x11a/0x400 [ 12.478362] mempool_kmalloc_uaf+0xef/0x140 [ 12.478588] kunit_try_run_case+0x1a5/0x480 [ 12.478754] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.479111] kthread+0x337/0x6f0 [ 12.479285] ret_from_fork+0x41/0x80 [ 12.479485] ret_from_fork_asm+0x1a/0x30 [ 12.479758] [ 12.479859] The buggy address belongs to the object at ffff8881029f9900 [ 12.479859] which belongs to the cache kmalloc-128 of size 128 [ 12.480396] The buggy address is located 0 bytes inside of [ 12.480396] freed 128-byte region [ffff8881029f9900, ffff8881029f9980) [ 12.480847] [ 12.480984] The buggy address belongs to the physical page: [ 12.481421] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029f9 [ 12.481796] flags: 0x200000000000000(node=0|zone=2) [ 12.482044] page_type: f5(slab) [ 12.482340] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.482722] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.482987] page dumped because: kasan: bad access detected [ 12.483251] [ 12.483344] Memory state around the buggy address: [ 12.483554] ffff8881029f9800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.483844] ffff8881029f9880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.484149] >ffff8881029f9900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.484451] ^ [ 12.484857] ffff8881029f9980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.485144] ffff8881029f9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 12.485359] ==================================================================