Date
July 4, 2025, 3:11 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 34.435252] ================================================================== [ 34.437119] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 34.444233] Read of size 1 at addr ffff0008018e7300 by task kunit_try_catch/276 [ 34.451524] [ 34.453011] CPU: 2 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT [ 34.453070] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.453090] Hardware name: WinLink E850-96 board (DT) [ 34.453114] Call trace: [ 34.453126] show_stack+0x20/0x38 (C) [ 34.453159] dump_stack_lvl+0x8c/0xd0 [ 34.453195] print_report+0x118/0x608 [ 34.453225] kasan_report+0xdc/0x128 [ 34.453255] __asan_report_load1_noabort+0x20/0x30 [ 34.453291] mempool_uaf_helper+0x314/0x340 [ 34.453326] mempool_kmalloc_uaf+0xc4/0x120 [ 34.453359] kunit_try_run_case+0x170/0x3f0 [ 34.453394] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.453430] kthread+0x328/0x630 [ 34.453465] ret_from_fork+0x10/0x20 [ 34.453500] [ 34.520015] Allocated by task 276: [ 34.523402] kasan_save_stack+0x3c/0x68 [ 34.527217] kasan_save_track+0x20/0x40 [ 34.531037] kasan_save_alloc_info+0x40/0x58 [ 34.535290] __kasan_mempool_unpoison_object+0x11c/0x180 [ 34.540585] remove_element+0x130/0x1f8 [ 34.544405] mempool_alloc_preallocated+0x58/0xc0 [ 34.549092] mempool_uaf_helper+0xa4/0x340 [ 34.553172] mempool_kmalloc_uaf+0xc4/0x120 [ 34.557338] kunit_try_run_case+0x170/0x3f0 [ 34.561505] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.566974] kthread+0x328/0x630 [ 34.570186] ret_from_fork+0x10/0x20 [ 34.573744] [ 34.575221] Freed by task 276: [ 34.578260] kasan_save_stack+0x3c/0x68 [ 34.582078] kasan_save_track+0x20/0x40 [ 34.585897] kasan_save_free_info+0x4c/0x78 [ 34.590064] __kasan_mempool_poison_object+0xc0/0x150 [ 34.595098] mempool_free+0x28c/0x328 [ 34.598744] mempool_uaf_helper+0x104/0x340 [ 34.602910] mempool_kmalloc_uaf+0xc4/0x120 [ 34.607077] kunit_try_run_case+0x170/0x3f0 [ 34.611245] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.616713] kthread+0x328/0x630 [ 34.619924] ret_from_fork+0x10/0x20 [ 34.623483] [ 34.624960] The buggy address belongs to the object at ffff0008018e7300 [ 34.624960] which belongs to the cache kmalloc-128 of size 128 [ 34.637463] The buggy address is located 0 bytes inside of [ 34.637463] freed 128-byte region [ffff0008018e7300, ffff0008018e7380) [ 34.649524] [ 34.651003] The buggy address belongs to the physical page: [ 34.656562] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8818e6 [ 34.664544] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 34.672184] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 34.679126] page_type: f5(slab) [ 34.682264] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 34.689982] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 34.697709] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 34.705520] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 34.713333] head: 0bfffe0000000001 fffffdffe0063981 00000000ffffffff 00000000ffffffff [ 34.721145] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 34.728950] page dumped because: kasan: bad access detected [ 34.734505] [ 34.735981] Memory state around the buggy address: [ 34.740765] ffff0008018e7200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.747964] ffff0008018e7280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.755170] >ffff0008018e7300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.762370] ^ [ 34.765586] ffff0008018e7380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.772792] ffff0008018e7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.779993] ================================================================== [ 35.020117] ================================================================== [ 35.029561] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 35.036675] Read of size 1 at addr ffff0008067bf240 by task kunit_try_catch/280 [ 35.043965] [ 35.045451] CPU: 1 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT [ 35.045507] Tainted: [B]=BAD_PAGE, [N]=TEST [ 35.045523] Hardware name: WinLink E850-96 board (DT) [ 35.045546] Call trace: [ 35.045558] show_stack+0x20/0x38 (C) [ 35.045594] dump_stack_lvl+0x8c/0xd0 [ 35.045633] print_report+0x118/0x608 [ 35.045666] kasan_report+0xdc/0x128 [ 35.045697] __asan_report_load1_noabort+0x20/0x30 [ 35.045734] mempool_uaf_helper+0x314/0x340 [ 35.045767] mempool_slab_uaf+0xc0/0x118 [ 35.045794] kunit_try_run_case+0x170/0x3f0 [ 35.045832] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.045869] kthread+0x328/0x630 [ 35.045906] ret_from_fork+0x10/0x20 [ 35.045942] [ 35.112192] Allocated by task 280: [ 35.115581] kasan_save_stack+0x3c/0x68 [ 35.119396] kasan_save_track+0x20/0x40 [ 35.123215] kasan_save_alloc_info+0x40/0x58 [ 35.127469] __kasan_mempool_unpoison_object+0xbc/0x180 [ 35.132677] remove_element+0x16c/0x1f8 [ 35.136496] mempool_alloc_preallocated+0x58/0xc0 [ 35.141185] mempool_uaf_helper+0xa4/0x340 [ 35.145264] mempool_slab_uaf+0xc0/0x118 [ 35.149170] kunit_try_run_case+0x170/0x3f0 [ 35.153337] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.158805] kthread+0x328/0x630 [ 35.162017] ret_from_fork+0x10/0x20 [ 35.165576] [ 35.167053] Freed by task 280: [ 35.170091] kasan_save_stack+0x3c/0x68 [ 35.173909] kasan_save_track+0x20/0x40 [ 35.177729] kasan_save_free_info+0x4c/0x78 [ 35.181895] __kasan_mempool_poison_object+0xc0/0x150 [ 35.186930] mempool_free+0x28c/0x328 [ 35.190575] mempool_uaf_helper+0x104/0x340 [ 35.194742] mempool_slab_uaf+0xc0/0x118 [ 35.198648] kunit_try_run_case+0x170/0x3f0 [ 35.202815] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 35.208283] kthread+0x328/0x630 [ 35.211495] ret_from_fork+0x10/0x20 [ 35.215054] [ 35.216532] The buggy address belongs to the object at ffff0008067bf240 [ 35.216532] which belongs to the cache test_cache of size 123 [ 35.228947] The buggy address is located 0 bytes inside of [ 35.228947] freed 123-byte region [ffff0008067bf240, ffff0008067bf2bb) [ 35.241009] [ 35.242488] The buggy address belongs to the physical page: [ 35.248045] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8867bf [ 35.256029] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 35.262537] page_type: f5(slab) [ 35.265676] raw: 0bfffe0000000000 ffff000806738000 dead000000000122 0000000000000000 [ 35.273394] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 35.281113] page dumped because: kasan: bad access detected [ 35.286668] [ 35.288143] Memory state around the buggy address: [ 35.292927] ffff0008067bf100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 35.300128] ffff0008067bf180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.307335] >ffff0008067bf200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 35.314532] ^ [ 35.319831] ffff0008067bf280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 35.327036] ffff0008067bf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.334238] ==================================================================
[ 17.622062] ================================================================== [ 17.622418] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.622491] Read of size 1 at addr fff00000c7936240 by task kunit_try_catch/236 [ 17.622562] [ 17.622597] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT [ 17.622687] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.622714] Hardware name: linux,dummy-virt (DT) [ 17.622972] Call trace: [ 17.623146] show_stack+0x20/0x38 (C) [ 17.623205] dump_stack_lvl+0x8c/0xd0 [ 17.623522] print_report+0x118/0x608 [ 17.623608] kasan_report+0xdc/0x128 [ 17.623725] __asan_report_load1_noabort+0x20/0x30 [ 17.623797] mempool_uaf_helper+0x314/0x340 [ 17.623884] mempool_slab_uaf+0xc0/0x118 [ 17.623937] kunit_try_run_case+0x170/0x3f0 [ 17.624281] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.624403] kthread+0x328/0x630 [ 17.624584] ret_from_fork+0x10/0x20 [ 17.624775] [ 17.624858] Allocated by task 236: [ 17.625161] kasan_save_stack+0x3c/0x68 [ 17.625246] kasan_save_track+0x20/0x40 [ 17.625356] kasan_save_alloc_info+0x40/0x58 [ 17.625474] __kasan_mempool_unpoison_object+0xbc/0x180 [ 17.625672] remove_element+0x16c/0x1f8 [ 17.625724] mempool_alloc_preallocated+0x58/0xc0 [ 17.626008] mempool_uaf_helper+0xa4/0x340 [ 17.626089] mempool_slab_uaf+0xc0/0x118 [ 17.626417] kunit_try_run_case+0x170/0x3f0 [ 17.626491] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.626680] kthread+0x328/0x630 [ 17.626749] ret_from_fork+0x10/0x20 [ 17.626787] [ 17.627104] Freed by task 236: [ 17.627172] kasan_save_stack+0x3c/0x68 [ 17.627233] kasan_save_track+0x20/0x40 [ 17.627427] kasan_save_free_info+0x4c/0x78 [ 17.627569] __kasan_mempool_poison_object+0xc0/0x150 [ 17.627705] mempool_free+0x28c/0x328 [ 17.628174] mempool_uaf_helper+0x104/0x340 [ 17.628282] mempool_slab_uaf+0xc0/0x118 [ 17.628449] kunit_try_run_case+0x170/0x3f0 [ 17.628584] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.628676] kthread+0x328/0x630 [ 17.628720] ret_from_fork+0x10/0x20 [ 17.629030] [ 17.629142] The buggy address belongs to the object at fff00000c7936240 [ 17.629142] which belongs to the cache test_cache of size 123 [ 17.629284] The buggy address is located 0 bytes inside of [ 17.629284] freed 123-byte region [fff00000c7936240, fff00000c79362bb) [ 17.629511] [ 17.629704] The buggy address belongs to the physical page: [ 17.629762] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107936 [ 17.629914] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.630367] page_type: f5(slab) [ 17.631720] raw: 0bfffe0000000000 fff00000c3eadc80 dead000000000122 0000000000000000 [ 17.631778] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 17.631818] page dumped because: kasan: bad access detected [ 17.631857] [ 17.631875] Memory state around the buggy address: [ 17.631907] fff00000c7936100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.631952] fff00000c7936180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.631994] >fff00000c7936200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 17.632034] ^ [ 17.632069] fff00000c7936280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.632110] fff00000c7936300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.632148] ================================================================== [ 17.591710] ================================================================== [ 17.591787] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 17.591850] Read of size 1 at addr fff00000c6eca800 by task kunit_try_catch/232 [ 17.591902] [ 17.591939] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT [ 17.592664] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.592695] Hardware name: linux,dummy-virt (DT) [ 17.592729] Call trace: [ 17.592754] show_stack+0x20/0x38 (C) [ 17.592807] dump_stack_lvl+0x8c/0xd0 [ 17.592857] print_report+0x118/0x608 [ 17.592900] kasan_report+0xdc/0x128 [ 17.592943] __asan_report_load1_noabort+0x20/0x30 [ 17.592993] mempool_uaf_helper+0x314/0x340 [ 17.593041] mempool_kmalloc_uaf+0xc4/0x120 [ 17.593089] kunit_try_run_case+0x170/0x3f0 [ 17.593138] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.593190] kthread+0x328/0x630 [ 17.593236] ret_from_fork+0x10/0x20 [ 17.593283] [ 17.593301] Allocated by task 232: [ 17.593330] kasan_save_stack+0x3c/0x68 [ 17.593370] kasan_save_track+0x20/0x40 [ 17.593406] kasan_save_alloc_info+0x40/0x58 [ 17.593445] __kasan_mempool_unpoison_object+0x11c/0x180 [ 17.593487] remove_element+0x130/0x1f8 [ 17.593528] mempool_alloc_preallocated+0x58/0xc0 [ 17.593568] mempool_uaf_helper+0xa4/0x340 [ 17.593605] mempool_kmalloc_uaf+0xc4/0x120 [ 17.593654] kunit_try_run_case+0x170/0x3f0 [ 17.593691] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.593735] kthread+0x328/0x630 [ 17.593771] ret_from_fork+0x10/0x20 [ 17.593807] [ 17.593825] Freed by task 232: [ 17.593850] kasan_save_stack+0x3c/0x68 [ 17.593885] kasan_save_track+0x20/0x40 [ 17.593919] kasan_save_free_info+0x4c/0x78 [ 17.593957] __kasan_mempool_poison_object+0xc0/0x150 [ 17.593999] mempool_free+0x28c/0x328 [ 17.594036] mempool_uaf_helper+0x104/0x340 [ 17.594075] mempool_kmalloc_uaf+0xc4/0x120 [ 17.594112] kunit_try_run_case+0x170/0x3f0 [ 17.594151] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.594195] kthread+0x328/0x630 [ 17.594229] ret_from_fork+0x10/0x20 [ 17.594263] [ 17.594283] The buggy address belongs to the object at fff00000c6eca800 [ 17.594283] which belongs to the cache kmalloc-128 of size 128 [ 17.594339] The buggy address is located 0 bytes inside of [ 17.594339] freed 128-byte region [fff00000c6eca800, fff00000c6eca880) [ 17.594399] [ 17.594421] The buggy address belongs to the physical page: [ 17.594452] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106eca [ 17.594506] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.594554] page_type: f5(slab) [ 17.594592] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.594877] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.594923] page dumped because: kasan: bad access detected [ 17.594955] [ 17.594973] Memory state around the buggy address: [ 17.595007] fff00000c6eca700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.595050] fff00000c6eca780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.595093] >fff00000c6eca800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.595131] ^ [ 17.595158] fff00000c6eca880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.595198] fff00000c6eca900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 17.595237] ==================================================================
[ 16.235575] ================================================================== [ 16.236104] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 16.237024] Read of size 1 at addr ffff888102613240 by task kunit_try_catch/252 [ 16.237356] [ 16.237730] CPU: 0 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary) [ 16.237824] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.237845] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 16.237873] Call Trace: [ 16.237891] <TASK> [ 16.237921] dump_stack_lvl+0x73/0xb0 [ 16.237992] print_report+0xd1/0x650 [ 16.238047] ? __virt_addr_valid+0x1db/0x2d0 [ 16.238100] ? mempool_uaf_helper+0x392/0x400 [ 16.238150] ? kasan_complete_mode_report_info+0x64/0x200 [ 16.238202] ? mempool_uaf_helper+0x392/0x400 [ 16.238249] kasan_report+0x141/0x180 [ 16.238295] ? mempool_uaf_helper+0x392/0x400 [ 16.238371] __asan_report_load1_noabort+0x18/0x20 [ 16.238421] mempool_uaf_helper+0x392/0x400 [ 16.238479] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 16.238539] ? finish_task_switch.isra.0+0x153/0x700 [ 16.238600] mempool_slab_uaf+0xea/0x140 [ 16.238635] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 16.238657] ? dequeue_task_fair+0x166/0x4e0 [ 16.238685] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 16.238713] ? __pfx_mempool_free_slab+0x10/0x10 [ 16.238740] ? __pfx_read_tsc+0x10/0x10 [ 16.238766] ? ktime_get_ts64+0x86/0x230 [ 16.238797] kunit_try_run_case+0x1a5/0x480 [ 16.238827] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.238853] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 16.238882] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 16.238910] ? __kthread_parkme+0x82/0x180 [ 16.238939] ? preempt_count_sub+0x50/0x80 [ 16.238966] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.238992] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.239018] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 16.239044] kthread+0x337/0x6f0 [ 16.239067] ? trace_preempt_on+0x20/0xc0 [ 16.239578] ? __pfx_kthread+0x10/0x10 [ 16.239648] ? _raw_spin_unlock_irq+0x47/0x80 [ 16.239703] ? calculate_sigpending+0x7b/0xa0 [ 16.239760] ? __pfx_kthread+0x10/0x10 [ 16.239808] ret_from_fork+0x41/0x80 [ 16.239857] ? __pfx_kthread+0x10/0x10 [ 16.239999] ret_from_fork_asm+0x1a/0x30 [ 16.240049] </TASK> [ 16.240064] [ 16.257023] Allocated by task 252: [ 16.257980] kasan_save_stack+0x45/0x70 [ 16.258422] kasan_save_track+0x18/0x40 [ 16.258680] kasan_save_alloc_info+0x3b/0x50 [ 16.258955] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 16.259905] remove_element+0x11e/0x190 [ 16.260249] mempool_alloc_preallocated+0x4d/0x90 [ 16.260487] mempool_uaf_helper+0x96/0x400 [ 16.260814] mempool_slab_uaf+0xea/0x140 [ 16.261687] kunit_try_run_case+0x1a5/0x480 [ 16.261939] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.262142] kthread+0x337/0x6f0 [ 16.262662] ret_from_fork+0x41/0x80 [ 16.262837] ret_from_fork_asm+0x1a/0x30 [ 16.263700] [ 16.263896] Freed by task 252: [ 16.264152] kasan_save_stack+0x45/0x70 [ 16.264366] kasan_save_track+0x18/0x40 [ 16.264691] kasan_save_free_info+0x3f/0x60 [ 16.265005] __kasan_mempool_poison_object+0x131/0x1d0 [ 16.265989] mempool_free+0x2ec/0x380 [ 16.266609] mempool_uaf_helper+0x11a/0x400 [ 16.266871] mempool_slab_uaf+0xea/0x140 [ 16.267041] kunit_try_run_case+0x1a5/0x480 [ 16.267639] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.268011] kthread+0x337/0x6f0 [ 16.268397] ret_from_fork+0x41/0x80 [ 16.268568] ret_from_fork_asm+0x1a/0x30 [ 16.268727] [ 16.268825] The buggy address belongs to the object at ffff888102613240 [ 16.268825] which belongs to the cache test_cache of size 123 [ 16.269914] The buggy address is located 0 bytes inside of [ 16.269914] freed 123-byte region [ffff888102613240, ffff8881026132bb) [ 16.271410] [ 16.271535] The buggy address belongs to the physical page: [ 16.271737] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102613 [ 16.272310] flags: 0x200000000000000(node=0|zone=2) [ 16.273111] page_type: f5(slab) [ 16.273462] raw: 0200000000000000 ffff888102610000 dead000000000122 0000000000000000 [ 16.273758] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 16.274308] page dumped because: kasan: bad access detected [ 16.274647] [ 16.274827] Memory state around the buggy address: [ 16.276003] ffff888102613100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 16.276453] ffff888102613180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.276818] >ffff888102613200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 16.277041] ^ [ 16.277535] ffff888102613280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 16.278205] ffff888102613300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.278903] ================================================================== [ 16.152887] ================================================================== [ 16.154283] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 16.154968] Read of size 1 at addr ffff888102b20100 by task kunit_try_catch/248 [ 16.155648] [ 16.156460] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary) [ 16.156578] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.156605] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 16.156647] Call Trace: [ 16.156672] <TASK> [ 16.156710] dump_stack_lvl+0x73/0xb0 [ 16.156772] print_report+0xd1/0x650 [ 16.156812] ? __virt_addr_valid+0x1db/0x2d0 [ 16.156852] ? mempool_uaf_helper+0x392/0x400 [ 16.156890] ? kasan_complete_mode_report_info+0x64/0x200 [ 16.156935] ? mempool_uaf_helper+0x392/0x400 [ 16.156979] kasan_report+0x141/0x180 [ 16.157232] ? mempool_uaf_helper+0x392/0x400 [ 16.157304] __asan_report_load1_noabort+0x18/0x20 [ 16.157361] mempool_uaf_helper+0x392/0x400 [ 16.157405] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 16.157442] ? dequeue_entities+0x852/0x1740 [ 16.157489] ? finish_task_switch.isra.0+0x153/0x700 [ 16.157536] mempool_kmalloc_uaf+0xef/0x140 [ 16.157574] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 16.157610] ? dequeue_task_fair+0x166/0x4e0 [ 16.157649] ? __pfx_mempool_kmalloc+0x10/0x10 [ 16.157684] ? __pfx_mempool_kfree+0x10/0x10 [ 16.157707] ? __pfx_read_tsc+0x10/0x10 [ 16.157730] ? ktime_get_ts64+0x86/0x230 [ 16.157760] kunit_try_run_case+0x1a5/0x480 [ 16.157789] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.157811] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 16.157838] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 16.157862] ? __kthread_parkme+0x82/0x180 [ 16.157887] ? preempt_count_sub+0x50/0x80 [ 16.157912] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.157937] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.157961] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 16.157985] kthread+0x337/0x6f0 [ 16.158003] ? trace_preempt_on+0x20/0xc0 [ 16.158029] ? __pfx_kthread+0x10/0x10 [ 16.158049] ? _raw_spin_unlock_irq+0x47/0x80 [ 16.158078] ? calculate_sigpending+0x7b/0xa0 [ 16.158110] ? __pfx_kthread+0x10/0x10 [ 16.158130] ret_from_fork+0x41/0x80 [ 16.158152] ? __pfx_kthread+0x10/0x10 [ 16.158171] ret_from_fork_asm+0x1a/0x30 [ 16.158235] </TASK> [ 16.158258] [ 16.172974] Allocated by task 248: [ 16.173406] kasan_save_stack+0x45/0x70 [ 16.173830] kasan_save_track+0x18/0x40 [ 16.174224] kasan_save_alloc_info+0x3b/0x50 [ 16.174450] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 16.174973] remove_element+0x11e/0x190 [ 16.175587] mempool_alloc_preallocated+0x4d/0x90 [ 16.175943] mempool_uaf_helper+0x96/0x400 [ 16.176662] mempool_kmalloc_uaf+0xef/0x140 [ 16.177020] kunit_try_run_case+0x1a5/0x480 [ 16.177838] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.178321] kthread+0x337/0x6f0 [ 16.178540] ret_from_fork+0x41/0x80 [ 16.178729] ret_from_fork_asm+0x1a/0x30 [ 16.178925] [ 16.179105] Freed by task 248: [ 16.179667] kasan_save_stack+0x45/0x70 [ 16.180035] kasan_save_track+0x18/0x40 [ 16.180957] kasan_save_free_info+0x3f/0x60 [ 16.181622] __kasan_mempool_poison_object+0x131/0x1d0 [ 16.182103] mempool_free+0x2ec/0x380 [ 16.182502] mempool_uaf_helper+0x11a/0x400 [ 16.182944] mempool_kmalloc_uaf+0xef/0x140 [ 16.183597] kunit_try_run_case+0x1a5/0x480 [ 16.183914] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.184602] kthread+0x337/0x6f0 [ 16.184780] ret_from_fork+0x41/0x80 [ 16.185543] ret_from_fork_asm+0x1a/0x30 [ 16.185725] [ 16.185883] The buggy address belongs to the object at ffff888102b20100 [ 16.185883] which belongs to the cache kmalloc-128 of size 128 [ 16.186847] The buggy address is located 0 bytes inside of [ 16.186847] freed 128-byte region [ffff888102b20100, ffff888102b20180) [ 16.187750] [ 16.187948] The buggy address belongs to the physical page: [ 16.188734] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b20 [ 16.189626] flags: 0x200000000000000(node=0|zone=2) [ 16.189960] page_type: f5(slab) [ 16.190428] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 16.190852] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.191583] page dumped because: kasan: bad access detected [ 16.192011] [ 16.192136] Memory state around the buggy address: [ 16.192770] ffff888102b20000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.193113] ffff888102b20080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.194128] >ffff888102b20100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.194630] ^ [ 16.194933] ffff888102b20180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.195678] ffff888102b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 16.196033] ==================================================================