Hay
Date: July 18, 2025, 2:09 p.m.

Environment: qemu-arm64, qemu-x86_64

[   19.010875] ==================================================================
[   19.010973] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.011113] Read of size 1 at addr fff00000c78e9000 by task kunit_try_catch/227
[   19.011202] 
[   19.011619] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   19.011793] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.011932] Hardware name: linux,dummy-virt (DT)
[   19.012033] Call trace:
[   19.012063]  show_stack+0x20/0x38 (C)
[   19.012120]  dump_stack_lvl+0x8c/0xd0
[   19.012558]  print_report+0x118/0x5d0
[   19.012720]  kasan_report+0xdc/0x128
[   19.012791]  __asan_report_load1_noabort+0x20/0x30
[   19.012856]  mempool_uaf_helper+0x314/0x340
[   19.013348]  mempool_kmalloc_uaf+0xc4/0x120
[   19.013431]  kunit_try_run_case+0x170/0x3f0
[   19.013495]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.013547]  kthread+0x328/0x630
[   19.013592]  ret_from_fork+0x10/0x20
[   19.013652] 
[   19.013671] Allocated by task 227:
[   19.013715]  kasan_save_stack+0x3c/0x68
[   19.013769]  kasan_save_track+0x20/0x40
[   19.013807]  kasan_save_alloc_info+0x40/0x58
[   19.013868]  __kasan_mempool_unpoison_object+0x11c/0x180
[   19.014227]  remove_element+0x130/0x1f8
[   19.014323]  mempool_alloc_preallocated+0x58/0xc0
[   19.014413]  mempool_uaf_helper+0xa4/0x340
[   19.014494]  mempool_kmalloc_uaf+0xc4/0x120
[   19.014920]  kunit_try_run_case+0x170/0x3f0
[   19.015174]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.015246]  kthread+0x328/0x630
[   19.015348]  ret_from_fork+0x10/0x20
[   19.015529] 
[   19.015607] Freed by task 227:
[   19.016172]  kasan_save_stack+0x3c/0x68
[   19.016525]  kasan_save_track+0x20/0x40
[   19.016596]  kasan_save_free_info+0x4c/0x78
[   19.016678]  __kasan_mempool_poison_object+0xc0/0x150
[   19.016740]  mempool_free+0x28c/0x328
[   19.016885]  mempool_uaf_helper+0x104/0x340
[   19.017034]  mempool_kmalloc_uaf+0xc4/0x120
[   19.017085]  kunit_try_run_case+0x170/0x3f0
[   19.017169]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.017384]  kthread+0x328/0x630
[   19.017577]  ret_from_fork+0x10/0x20
[   19.017714] 
[   19.017738] The buggy address belongs to the object at fff00000c78e9000
[   19.017738]  which belongs to the cache kmalloc-128 of size 128
[   19.018004] The buggy address is located 0 bytes inside of
[   19.018004]  freed 128-byte region [fff00000c78e9000, fff00000c78e9080)
[   19.018178] 
[   19.018233] The buggy address belongs to the physical page:
[   19.018281] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e9
[   19.018610] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.018687] page_type: f5(slab)
[   19.018902] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.019141] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.019373] page dumped because: kasan: bad access detected
[   19.019459] 
[   19.019610] Memory state around the buggy address:
[   19.019711]  fff00000c78e8f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.019766]  fff00000c78e8f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.019809] >fff00000c78e9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.020169]                    ^
[   19.020250]  fff00000c78e9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.020352]  fff00000c78e9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.020431] ==================================================================
[   19.050771] ==================================================================
[   19.051035] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   19.051106] Read of size 1 at addr fff00000c78e5240 by task kunit_try_catch/231
[   19.051521] 
[   19.051607] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   19.051869] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.051944] Hardware name: linux,dummy-virt (DT)
[   19.052084] Call trace:
[   19.052118]  show_stack+0x20/0x38 (C)
[   19.052185]  dump_stack_lvl+0x8c/0xd0
[   19.052301]  print_report+0x118/0x5d0
[   19.052352]  kasan_report+0xdc/0x128
[   19.052397]  __asan_report_load1_noabort+0x20/0x30
[   19.052766]  mempool_uaf_helper+0x314/0x340
[   19.052830]  mempool_slab_uaf+0xc0/0x118
[   19.052918]  kunit_try_run_case+0x170/0x3f0
[   19.053000]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.053071]  kthread+0x328/0x630
[   19.053145]  ret_from_fork+0x10/0x20
[   19.053255] 
[   19.053542] Allocated by task 231:
[   19.053605]  kasan_save_stack+0x3c/0x68
[   19.053692]  kasan_save_track+0x20/0x40
[   19.053758]  kasan_save_alloc_info+0x40/0x58
[   19.053824]  __kasan_mempool_unpoison_object+0xbc/0x180
[   19.054115]  remove_element+0x16c/0x1f8
[   19.054253]  mempool_alloc_preallocated+0x58/0xc0
[   19.054330]  mempool_uaf_helper+0xa4/0x340
[   19.054396]  mempool_slab_uaf+0xc0/0x118
[   19.054519]  kunit_try_run_case+0x170/0x3f0
[   19.054680]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.054807]  kthread+0x328/0x630
[   19.054915]  ret_from_fork+0x10/0x20
[   19.055259] 
[   19.055339] Freed by task 231:
[   19.055392]  kasan_save_stack+0x3c/0x68
[   19.055458]  kasan_save_track+0x20/0x40
[   19.055630]  kasan_save_free_info+0x4c/0x78
[   19.055820]  __kasan_mempool_poison_object+0xc0/0x150
[   19.055901]  mempool_free+0x28c/0x328
[   19.055998]  mempool_uaf_helper+0x104/0x340
[   19.056039]  mempool_slab_uaf+0xc0/0x118
[   19.056723]  kunit_try_run_case+0x170/0x3f0
[   19.056818]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.056879]  kthread+0x328/0x630
[   19.056912]  ret_from_fork+0x10/0x20
[   19.056950] 
[   19.056993] The buggy address belongs to the object at fff00000c78e5240
[   19.056993]  which belongs to the cache test_cache of size 123
[   19.057222] The buggy address is located 0 bytes inside of
[   19.057222]  freed 123-byte region [fff00000c78e5240, fff00000c78e52bb)
[   19.057598] 
[   19.057687] The buggy address belongs to the physical page:
[   19.057856] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e5
[   19.058009] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.058112] page_type: f5(slab)
[   19.058163] raw: 0bfffe0000000000 fff00000c78af3c0 dead000000000122 0000000000000000
[   19.058368] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   19.058533] page dumped because: kasan: bad access detected
[   19.058625] 
[   19.058929] Memory state around the buggy address:
[   19.059027]  fff00000c78e5100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.059079]  fff00000c78e5180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.059125] >fff00000c78e5200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   19.059202]                                            ^
[   19.059249]  fff00000c78e5280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   19.059473]  fff00000c78e5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.059517] ==================================================================

[   18.648005] ==================================================================
[   18.648111] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.648213] Read of size 1 at addr fff00000c7a4e100 by task kunit_try_catch/227
[   18.648271] 
[   18.648311] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   18.648486] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.648835] Hardware name: linux,dummy-virt (DT)
[   18.648886] Call trace:
[   18.648965]  show_stack+0x20/0x38 (C)
[   18.649037]  dump_stack_lvl+0x8c/0xd0
[   18.649117]  print_report+0x118/0x5d0
[   18.649166]  kasan_report+0xdc/0x128
[   18.649211]  __asan_report_load1_noabort+0x20/0x30
[   18.649261]  mempool_uaf_helper+0x314/0x340
[   18.649308]  mempool_kmalloc_uaf+0xc4/0x120
[   18.649502]  kunit_try_run_case+0x170/0x3f0
[   18.649588]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.649693]  kthread+0x328/0x630
[   18.649767]  ret_from_fork+0x10/0x20
[   18.649831] 
[   18.649921] Allocated by task 227:
[   18.649979]  kasan_save_stack+0x3c/0x68
[   18.651008]  kasan_save_track+0x20/0x40
[   18.651067]  kasan_save_alloc_info+0x40/0x58
[   18.651109]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.651445]  remove_element+0x130/0x1f8
[   18.651521]  mempool_alloc_preallocated+0x58/0xc0
[   18.651664]  mempool_uaf_helper+0xa4/0x340
[   18.651767]  mempool_kmalloc_uaf+0xc4/0x120
[   18.651817]  kunit_try_run_case+0x170/0x3f0
[   18.652276]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.652541]  kthread+0x328/0x630
[   18.652575]  ret_from_fork+0x10/0x20
[   18.653264] 
[   18.653293] Freed by task 227:
[   18.653335]  kasan_save_stack+0x3c/0x68
[   18.654012]  kasan_save_track+0x20/0x40
[   18.654402]  kasan_save_free_info+0x4c/0x78
[   18.654717]  __kasan_mempool_poison_object+0xc0/0x150
[   18.655393]  mempool_free+0x28c/0x328
[   18.655570]  mempool_uaf_helper+0x104/0x340
[   18.655607]  mempool_kmalloc_uaf+0xc4/0x120
[   18.655647]  kunit_try_run_case+0x170/0x3f0
[   18.656276]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.656821]  kthread+0x328/0x630
[   18.656998]  ret_from_fork+0x10/0x20
[   18.657039] 
[   18.657531] The buggy address belongs to the object at fff00000c7a4e100
[   18.657531]  which belongs to the cache kmalloc-128 of size 128
[   18.658015] The buggy address is located 0 bytes inside of
[   18.658015]  freed 128-byte region [fff00000c7a4e100, fff00000c7a4e180)
[   18.658725] 
[   18.659109] The buggy address belongs to the physical page:
[   18.659147] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a4e
[   18.661461] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.661529] page_type: f5(slab)
[   18.661687] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.662327] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.663551] page dumped because: kasan: bad access detected
[   18.663603] 
[   18.663657] Memory state around the buggy address:
[   18.663694]  fff00000c7a4e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.663903]  fff00000c7a4e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.664053] >fff00000c7a4e100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.664546]                    ^
[   18.665173]  fff00000c7a4e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.665237]  fff00000c7a4e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.665501] ==================================================================
[   18.699249] ==================================================================
[   18.699313] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.699749] Read of size 1 at addr fff00000c7a5b240 by task kunit_try_catch/231
[   18.700165] 
[   18.700214] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   18.700316] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.700363] Hardware name: linux,dummy-virt (DT)
[   18.700397] Call trace:
[   18.700429]  show_stack+0x20/0x38 (C)
[   18.700481]  dump_stack_lvl+0x8c/0xd0
[   18.701965]  print_report+0x118/0x5d0
[   18.702514]  kasan_report+0xdc/0x128
[   18.703063]  __asan_report_load1_noabort+0x20/0x30
[   18.703260]  mempool_uaf_helper+0x314/0x340
[   18.703315]  mempool_slab_uaf+0xc0/0x118
[   18.703417]  kunit_try_run_case+0x170/0x3f0
[   18.704110]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.704234]  kthread+0x328/0x630
[   18.704380]  ret_from_fork+0x10/0x20
[   18.704552] 
[   18.704692] Allocated by task 231:
[   18.704726]  kasan_save_stack+0x3c/0x68
[   18.704791]  kasan_save_track+0x20/0x40
[   18.705042]  kasan_save_alloc_info+0x40/0x58
[   18.705211]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.705356]  remove_element+0x16c/0x1f8
[   18.705425]  mempool_alloc_preallocated+0x58/0xc0
[   18.705794]  mempool_uaf_helper+0xa4/0x340
[   18.705863]  mempool_slab_uaf+0xc0/0x118
[   18.705935]  kunit_try_run_case+0x170/0x3f0
[   18.706059]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.706128]  kthread+0x328/0x630
[   18.706477]  ret_from_fork+0x10/0x20
[   18.706923] 
[   18.707004] Freed by task 231:
[   18.707036]  kasan_save_stack+0x3c/0x68
[   18.707357]  kasan_save_track+0x20/0x40
[   18.707437]  kasan_save_free_info+0x4c/0x78
[   18.707520]  __kasan_mempool_poison_object+0xc0/0x150
[   18.707566]  mempool_free+0x28c/0x328
[   18.707907]  mempool_uaf_helper+0x104/0x340
[   18.707962]  mempool_slab_uaf+0xc0/0x118
[   18.708000]  kunit_try_run_case+0x170/0x3f0
[   18.708038]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.708082]  kthread+0x328/0x630
[   18.708115]  ret_from_fork+0x10/0x20
[   18.708156] 
[   18.708177] The buggy address belongs to the object at fff00000c7a5b240
[   18.708177]  which belongs to the cache test_cache of size 123
[   18.708240] The buggy address is located 0 bytes inside of
[   18.708240]  freed 123-byte region [fff00000c7a5b240, fff00000c7a5b2bb)
[   18.708308] 
[   18.708338] The buggy address belongs to the physical page:
[   18.708372] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a5b
[   18.708424] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.708474] page_type: f5(slab)
[   18.708519] raw: 0bfffe0000000000 fff00000c598d8c0 dead000000000122 0000000000000000
[   18.708569] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   18.708607] page dumped because: kasan: bad access detected
[   18.708645] 
[   18.708662] Memory state around the buggy address:
[   18.708697]  fff00000c7a5b100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.708737]  fff00000c7a5b180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.708872] >fff00000c7a5b200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.708947]                                            ^
[   18.708985]  fff00000c7a5b280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.709428]  fff00000c7a5b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.709494] ==================================================================

[   18.620521] ==================================================================
[   18.620674] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.620760] Read of size 1 at addr fff00000c7711240 by task kunit_try_catch/231
[   18.620812] 
[   18.620847] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   18.620930] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.620955] Hardware name: linux,dummy-virt (DT)
[   18.620987] Call trace:
[   18.621047]  show_stack+0x20/0x38 (C)
[   18.621102]  dump_stack_lvl+0x8c/0xd0
[   18.621193]  print_report+0x118/0x5d0
[   18.621240]  kasan_report+0xdc/0x128
[   18.621283]  __asan_report_load1_noabort+0x20/0x30
[   18.621340]  mempool_uaf_helper+0x314/0x340
[   18.621385]  mempool_slab_uaf+0xc0/0x118
[   18.621428]  kunit_try_run_case+0x170/0x3f0
[   18.621474]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.621554]  kthread+0x328/0x630
[   18.621595]  ret_from_fork+0x10/0x20
[   18.621697] 
[   18.621771] Allocated by task 231:
[   18.621828]  kasan_save_stack+0x3c/0x68
[   18.621869]  kasan_save_track+0x20/0x40
[   18.621914]  kasan_save_alloc_info+0x40/0x58
[   18.621955]  __kasan_mempool_unpoison_object+0xbc/0x180
[   18.622110]  remove_element+0x16c/0x1f8
[   18.622199]  mempool_alloc_preallocated+0x58/0xc0
[   18.622278]  mempool_uaf_helper+0xa4/0x340
[   18.622315]  mempool_slab_uaf+0xc0/0x118
[   18.622399]  kunit_try_run_case+0x170/0x3f0
[   18.622486]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.622530]  kthread+0x328/0x630
[   18.622628]  ret_from_fork+0x10/0x20
[   18.622665] 
[   18.622683] Freed by task 231:
[   18.622709]  kasan_save_stack+0x3c/0x68
[   18.622781]  kasan_save_track+0x20/0x40
[   18.622826]  kasan_save_free_info+0x4c/0x78
[   18.623015]  __kasan_mempool_poison_object+0xc0/0x150
[   18.623061]  mempool_free+0x28c/0x328
[   18.623095]  mempool_uaf_helper+0x104/0x340
[   18.623142]  mempool_slab_uaf+0xc0/0x118
[   18.623241]  kunit_try_run_case+0x170/0x3f0
[   18.623333]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.623474]  kthread+0x328/0x630
[   18.623593]  ret_from_fork+0x10/0x20
[   18.623785] 
[   18.623890] The buggy address belongs to the object at fff00000c7711240
[   18.623890]  which belongs to the cache test_cache of size 123
[   18.624052] The buggy address is located 0 bytes inside of
[   18.624052]  freed 123-byte region [fff00000c7711240, fff00000c77112bb)
[   18.624206] 
[   18.624229] The buggy address belongs to the physical page:
[   18.624260] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107711
[   18.624323] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.624373] page_type: f5(slab)
[   18.624573] raw: 0bfffe0000000000 fff00000c1bfc640 dead000000000122 0000000000000000
[   18.624622] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   18.624662] page dumped because: kasan: bad access detected
[   18.624800] 
[   18.624906] Memory state around the buggy address:
[   18.624990]  fff00000c7711100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.625180]  fff00000c7711180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.625252] >fff00000c7711200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   18.625380]                                            ^
[   18.625475]  fff00000c7711280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.625626]  fff00000c7711300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.625703] ==================================================================
[   18.600680] ==================================================================
[   18.600769] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   18.600839] Read of size 1 at addr fff00000c472cf00 by task kunit_try_catch/227
[   18.600889] 
[   18.600947] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   18.601035] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.601070] Hardware name: linux,dummy-virt (DT)
[   18.601112] Call trace:
[   18.601136]  show_stack+0x20/0x38 (C)
[   18.601189]  dump_stack_lvl+0x8c/0xd0
[   18.601241]  print_report+0x118/0x5d0
[   18.601303]  kasan_report+0xdc/0x128
[   18.601362]  __asan_report_load1_noabort+0x20/0x30
[   18.601413]  mempool_uaf_helper+0x314/0x340
[   18.601459]  mempool_kmalloc_uaf+0xc4/0x120
[   18.601504]  kunit_try_run_case+0x170/0x3f0
[   18.601553]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.601615]  kthread+0x328/0x630
[   18.601659]  ret_from_fork+0x10/0x20
[   18.601726] 
[   18.601747] Allocated by task 227:
[   18.601778]  kasan_save_stack+0x3c/0x68
[   18.601820]  kasan_save_track+0x20/0x40
[   18.601928]  kasan_save_alloc_info+0x40/0x58
[   18.602018]  __kasan_mempool_unpoison_object+0x11c/0x180
[   18.602086]  remove_element+0x130/0x1f8
[   18.602125]  mempool_alloc_preallocated+0x58/0xc0
[   18.602163]  mempool_uaf_helper+0xa4/0x340
[   18.602200]  mempool_kmalloc_uaf+0xc4/0x120
[   18.602237]  kunit_try_run_case+0x170/0x3f0
[   18.602275]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.602317]  kthread+0x328/0x630
[   18.602350]  ret_from_fork+0x10/0x20
[   18.602386] 
[   18.602430] Freed by task 227:
[   18.602458]  kasan_save_stack+0x3c/0x68
[   18.602494]  kasan_save_track+0x20/0x40
[   18.602529]  kasan_save_free_info+0x4c/0x78
[   18.602569]  __kasan_mempool_poison_object+0xc0/0x150
[   18.602722]  mempool_free+0x28c/0x328
[   18.602760]  mempool_uaf_helper+0x104/0x340
[   18.602798]  mempool_kmalloc_uaf+0xc4/0x120
[   18.602868]  kunit_try_run_case+0x170/0x3f0
[   18.603001]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.603137]  kthread+0x328/0x630
[   18.603276]  ret_from_fork+0x10/0x20
[   18.603382] 
[   18.603491] The buggy address belongs to the object at fff00000c472cf00
[   18.603491]  which belongs to the cache kmalloc-128 of size 128
[   18.603553] The buggy address is located 0 bytes inside of
[   18.603553]  freed 128-byte region [fff00000c472cf00, fff00000c472cf80)
[   18.603613] 
[   18.603633] The buggy address belongs to the physical page:
[   18.603665] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10472c
[   18.603768] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.603821] page_type: f5(slab)
[   18.603882] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.603932] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   18.603972] page dumped because: kasan: bad access detected
[   18.604005] 
[   18.604025] Memory state around the buggy address:
[   18.604056]  fff00000c472ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.604130]  fff00000c472ce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.604206] >fff00000c472cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.604315]                    ^
[   18.604438]  fff00000c472cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.604512]  fff00000c472d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.604622] ==================================================================

[   13.740310] ==================================================================
[   13.741049] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.741405] Read of size 1 at addr ffff888102e24d00 by task kunit_try_catch/244
[   13.742168] 
[   13.742326] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.742374] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.742385] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.742409] Call Trace:
[   13.742421]  <TASK>
[   13.742439]  dump_stack_lvl+0x73/0xb0
[   13.742472]  print_report+0xd1/0x610
[   13.742494]  ? __virt_addr_valid+0x1db/0x2d0
[   13.742520]  ? mempool_uaf_helper+0x392/0x400
[   13.742541]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.742564]  ? mempool_uaf_helper+0x392/0x400
[   13.742707]  kasan_report+0x141/0x180
[   13.742730]  ? mempool_uaf_helper+0x392/0x400
[   13.742757]  __asan_report_load1_noabort+0x18/0x20
[   13.742844]  mempool_uaf_helper+0x392/0x400
[   13.742866]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.742902]  ? __kasan_check_write+0x18/0x20
[   13.742922]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.742946]  ? finish_task_switch.isra.0+0x153/0x700
[   13.742974]  mempool_kmalloc_uaf+0xef/0x140
[   13.743014]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   13.743040]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.743064]  ? __pfx_mempool_kfree+0x10/0x10
[   13.743089]  ? __pfx_read_tsc+0x10/0x10
[   13.743110]  ? ktime_get_ts64+0x86/0x230
[   13.743135]  kunit_try_run_case+0x1a5/0x480
[   13.743162]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.743184]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.743210]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.743236]  ? __kthread_parkme+0x82/0x180
[   13.743259]  ? preempt_count_sub+0x50/0x80
[   13.743283]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.743306]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.743330]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.743354]  kthread+0x337/0x6f0
[   13.743373]  ? trace_preempt_on+0x20/0xc0
[   13.743398]  ? __pfx_kthread+0x10/0x10
[   13.743418]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.743440]  ? calculate_sigpending+0x7b/0xa0
[   13.743465]  ? __pfx_kthread+0x10/0x10
[   13.743486]  ret_from_fork+0x116/0x1d0
[   13.743505]  ? __pfx_kthread+0x10/0x10
[   13.743525]  ret_from_fork_asm+0x1a/0x30
[   13.743561]  </TASK>
[   13.743573] 
[   13.752734] Allocated by task 244:
[   13.752953]  kasan_save_stack+0x45/0x70
[   13.753121]  kasan_save_track+0x18/0x40
[   13.753308]  kasan_save_alloc_info+0x3b/0x50
[   13.753511]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   13.753794]  remove_element+0x11e/0x190
[   13.754044]  mempool_alloc_preallocated+0x4d/0x90
[   13.754238]  mempool_uaf_helper+0x96/0x400
[   13.754433]  mempool_kmalloc_uaf+0xef/0x140
[   13.754701]  kunit_try_run_case+0x1a5/0x480
[   13.754959]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.755182]  kthread+0x337/0x6f0
[   13.755353]  ret_from_fork+0x116/0x1d0
[   13.755628]  ret_from_fork_asm+0x1a/0x30
[   13.755808] 
[   13.755926] Freed by task 244:
[   13.756109]  kasan_save_stack+0x45/0x70
[   13.756282]  kasan_save_track+0x18/0x40
[   13.756475]  kasan_save_free_info+0x3f/0x60
[   13.756934]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.757266]  mempool_free+0x2ec/0x380
[   13.757463]  mempool_uaf_helper+0x11a/0x400
[   13.757609]  mempool_kmalloc_uaf+0xef/0x140
[   13.757755]  kunit_try_run_case+0x1a5/0x480
[   13.757908]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.758083]  kthread+0x337/0x6f0
[   13.758217]  ret_from_fork+0x116/0x1d0
[   13.758492]  ret_from_fork_asm+0x1a/0x30
[   13.758746] 
[   13.758849] The buggy address belongs to the object at ffff888102e24d00
[   13.758849]  which belongs to the cache kmalloc-128 of size 128
[   13.759684] The buggy address is located 0 bytes inside of
[   13.759684]  freed 128-byte region [ffff888102e24d00, ffff888102e24d80)
[   13.760225] 
[   13.760299] The buggy address belongs to the physical page:
[   13.760475] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102e24
[   13.761230] flags: 0x200000000000000(node=0|zone=2)
[   13.761473] page_type: f5(slab)
[   13.761766] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.762114] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.762432] page dumped because: kasan: bad access detected
[   13.762778] 
[   13.762908] Memory state around the buggy address:
[   13.763120]  ffff888102e24c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.763449]  ffff888102e24c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.763823] >ffff888102e24d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.764220]                    ^
[   13.764337]  ffff888102e24d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.764912]  ffff888102e24e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.765377] ==================================================================
[   13.793118] ==================================================================
[   13.793608] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.793987] Read of size 1 at addr ffff8881029b0240 by task kunit_try_catch/248
[   13.794337] 
[   13.794444] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.794491] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.794504] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.794527] Call Trace:
[   13.794539]  <TASK>
[   13.794556]  dump_stack_lvl+0x73/0xb0
[   13.794645]  print_report+0xd1/0x610
[   13.794686]  ? __virt_addr_valid+0x1db/0x2d0
[   13.794712]  ? mempool_uaf_helper+0x392/0x400
[   13.794735]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.794758]  ? mempool_uaf_helper+0x392/0x400
[   13.794787]  kasan_report+0x141/0x180
[   13.794809]  ? mempool_uaf_helper+0x392/0x400
[   13.794838]  __asan_report_load1_noabort+0x18/0x20
[   13.794870]  mempool_uaf_helper+0x392/0x400
[   13.794911]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.794933]  ? update_load_avg+0x1be/0x21b0
[   13.794963]  ? finish_task_switch.isra.0+0x153/0x700
[   13.794990]  mempool_slab_uaf+0xea/0x140
[   13.795014]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.795041]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.795067]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.795093]  ? __pfx_read_tsc+0x10/0x10
[   13.795124]  ? ktime_get_ts64+0x86/0x230
[   13.795150]  kunit_try_run_case+0x1a5/0x480
[   13.795177]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.795211]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.795237]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.795262]  ? __kthread_parkme+0x82/0x180
[   13.795283]  ? preempt_count_sub+0x50/0x80
[   13.795316]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.795340]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.795365]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.795400]  kthread+0x337/0x6f0
[   13.795420]  ? trace_preempt_on+0x20/0xc0
[   13.795444]  ? __pfx_kthread+0x10/0x10
[   13.795465]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.795487]  ? calculate_sigpending+0x7b/0xa0
[   13.795513]  ? __pfx_kthread+0x10/0x10
[   13.795574]  ret_from_fork+0x116/0x1d0
[   13.795596]  ? __pfx_kthread+0x10/0x10
[   13.795617]  ret_from_fork_asm+0x1a/0x30
[   13.795651]  </TASK>
[   13.795662] 
[   13.804765] Allocated by task 248:
[   13.804975]  kasan_save_stack+0x45/0x70
[   13.805127]  kasan_save_track+0x18/0x40
[   13.805394]  kasan_save_alloc_info+0x3b/0x50
[   13.805720]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.805914]  remove_element+0x11e/0x190
[   13.806183]  mempool_alloc_preallocated+0x4d/0x90
[   13.806410]  mempool_uaf_helper+0x96/0x400
[   13.806689]  mempool_slab_uaf+0xea/0x140
[   13.806914]  kunit_try_run_case+0x1a5/0x480
[   13.807189]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.807431]  kthread+0x337/0x6f0
[   13.807554]  ret_from_fork+0x116/0x1d0
[   13.807689]  ret_from_fork_asm+0x1a/0x30
[   13.807829] 
[   13.807910] Freed by task 248:
[   13.808024]  kasan_save_stack+0x45/0x70
[   13.808216]  kasan_save_track+0x18/0x40
[   13.808406]  kasan_save_free_info+0x3f/0x60
[   13.808818]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.809164]  mempool_free+0x2ec/0x380
[   13.809301]  mempool_uaf_helper+0x11a/0x400
[   13.809447]  mempool_slab_uaf+0xea/0x140
[   13.809756]  kunit_try_run_case+0x1a5/0x480
[   13.809983]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.810477]  kthread+0x337/0x6f0
[   13.810822]  ret_from_fork+0x116/0x1d0
[   13.811039]  ret_from_fork_asm+0x1a/0x30
[   13.811230] 
[   13.811303] The buggy address belongs to the object at ffff8881029b0240
[   13.811303]  which belongs to the cache test_cache of size 123
[   13.811663] The buggy address is located 0 bytes inside of
[   13.811663]  freed 123-byte region [ffff8881029b0240, ffff8881029b02bb)
[   13.812187] 
[   13.812284] The buggy address belongs to the physical page:
[   13.812567] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029b0
[   13.813116] flags: 0x200000000000000(node=0|zone=2)
[   13.813290] page_type: f5(slab)
[   13.813414] raw: 0200000000000000 ffff8881029ad000 dead000000000122 0000000000000000
[   13.813996] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.814337] page dumped because: kasan: bad access detected
[   13.814594] 
[   13.814685] Memory state around the buggy address:
[   13.814890]  ffff8881029b0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.815402]  ffff8881029b0180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.815842] >ffff8881029b0200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.816107]                                            ^
[   13.816280]  ffff8881029b0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.816497]  ffff8881029b0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.817068] ==================================================================

[   13.568554] ==================================================================
[   13.569019] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.569781] Read of size 1 at addr ffff8881026ef100 by task kunit_try_catch/245
[   13.570126] 
[   13.570250] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.570298] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.570310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.570333] Call Trace:
[   13.570345]  <TASK>
[   13.570363]  dump_stack_lvl+0x73/0xb0
[   13.570396]  print_report+0xd1/0x610
[   13.570421]  ? __virt_addr_valid+0x1db/0x2d0
[   13.570459]  ? mempool_uaf_helper+0x392/0x400
[   13.570482]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.570575]  ? mempool_uaf_helper+0x392/0x400
[   13.570601]  kasan_report+0x141/0x180
[   13.570624]  ? mempool_uaf_helper+0x392/0x400
[   13.570881]  __asan_report_load1_noabort+0x18/0x20
[   13.570907]  mempool_uaf_helper+0x392/0x400
[   13.570932]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.570958]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.570982]  ? finish_task_switch.isra.0+0x153/0x700
[   13.571009]  mempool_kmalloc_uaf+0xef/0x140
[   13.571033]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   13.571058]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.571083]  ? __pfx_mempool_kfree+0x10/0x10
[   13.571109]  ? __pfx_read_tsc+0x10/0x10
[   13.571130]  ? ktime_get_ts64+0x86/0x230
[   13.571156]  kunit_try_run_case+0x1a5/0x480
[   13.571183]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.571205]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.571231]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.571254]  ? __kthread_parkme+0x82/0x180
[   13.571276]  ? preempt_count_sub+0x50/0x80
[   13.571300]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.571323]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.571348]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.571375]  kthread+0x337/0x6f0
[   13.571397]  ? trace_preempt_on+0x20/0xc0
[   13.571449]  ? __pfx_kthread+0x10/0x10
[   13.571470]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.571492]  ? calculate_sigpending+0x7b/0xa0
[   13.571517]  ? __pfx_kthread+0x10/0x10
[   13.571539]  ret_from_fork+0x116/0x1d0
[   13.571558]  ? __pfx_kthread+0x10/0x10
[   13.571590]  ret_from_fork_asm+0x1a/0x30
[   13.571626]  </TASK>
[   13.571636] 
[   13.584787] Allocated by task 245:
[   13.584984]  kasan_save_stack+0x45/0x70
[   13.585187]  kasan_save_track+0x18/0x40
[   13.585359]  kasan_save_alloc_info+0x3b/0x50
[   13.585958]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   13.586304]  remove_element+0x11e/0x190
[   13.586724]  mempool_alloc_preallocated+0x4d/0x90
[   13.587079]  mempool_uaf_helper+0x96/0x400
[   13.587394]  mempool_kmalloc_uaf+0xef/0x140
[   13.587837]  kunit_try_run_case+0x1a5/0x480
[   13.588058]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.588304]  kthread+0x337/0x6f0
[   13.588479]  ret_from_fork+0x116/0x1d0
[   13.588961]  ret_from_fork_asm+0x1a/0x30
[   13.589147] 
[   13.589398] Freed by task 245:
[   13.589790]  kasan_save_stack+0x45/0x70
[   13.590092]  kasan_save_track+0x18/0x40
[   13.590243]  kasan_save_free_info+0x3f/0x60
[   13.590526]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.590901]  mempool_free+0x2ec/0x380
[   13.591063]  mempool_uaf_helper+0x11a/0x400
[   13.591273]  mempool_kmalloc_uaf+0xef/0x140
[   13.591499]  kunit_try_run_case+0x1a5/0x480
[   13.591873]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.592166]  kthread+0x337/0x6f0
[   13.592352]  ret_from_fork+0x116/0x1d0
[   13.592513]  ret_from_fork_asm+0x1a/0x30
[   13.592698] 
[   13.592801] The buggy address belongs to the object at ffff8881026ef100
[   13.592801]  which belongs to the cache kmalloc-128 of size 128
[   13.593284] The buggy address is located 0 bytes inside of
[   13.593284]  freed 128-byte region [ffff8881026ef100, ffff8881026ef180)
[   13.594028] 
[   13.594113] The buggy address belongs to the physical page:
[   13.594343] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026ef
[   13.594739] flags: 0x200000000000000(node=0|zone=2)
[   13.595059] page_type: f5(slab)
[   13.595230] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.595576] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.595796] page dumped because: kasan: bad access detected
[   13.596182] 
[   13.596280] Memory state around the buggy address:
[   13.597002]  ffff8881026ef000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.597326]  ffff8881026ef080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.597851] >ffff8881026ef100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.598181]                    ^
[   13.598345]  ffff8881026ef180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.598899]  ffff8881026ef200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.599139] ==================================================================
[   13.628106] ==================================================================
[   13.628678] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.628991] Read of size 1 at addr ffff8881026f1240 by task kunit_try_catch/249
[   13.629378] 
[   13.629538] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.629646] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.629659] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.629682] Call Trace:
[   13.629695]  <TASK>
[   13.629712]  dump_stack_lvl+0x73/0xb0
[   13.629744]  print_report+0xd1/0x610
[   13.629768]  ? __virt_addr_valid+0x1db/0x2d0
[   13.629792]  ? mempool_uaf_helper+0x392/0x400
[   13.629815]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.629838]  ? mempool_uaf_helper+0x392/0x400
[   13.629860]  kasan_report+0x141/0x180
[   13.629883]  ? mempool_uaf_helper+0x392/0x400
[   13.629911]  __asan_report_load1_noabort+0x18/0x20
[   13.629935]  mempool_uaf_helper+0x392/0x400
[   13.629958]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.629980]  ? update_load_avg+0x1be/0x21b0
[   13.630008]  ? finish_task_switch.isra.0+0x153/0x700
[   13.630035]  mempool_slab_uaf+0xea/0x140
[   13.630059]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.630085]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.630112]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.630138]  ? __pfx_read_tsc+0x10/0x10
[   13.630161]  ? ktime_get_ts64+0x86/0x230
[   13.630186]  kunit_try_run_case+0x1a5/0x480
[   13.630213]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.630235]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.630261]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.630285]  ? __kthread_parkme+0x82/0x180
[   13.630307]  ? preempt_count_sub+0x50/0x80
[   13.630331]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.630355]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.630379]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.630403]  kthread+0x337/0x6f0
[   13.630445]  ? trace_preempt_on+0x20/0xc0
[   13.630470]  ? __pfx_kthread+0x10/0x10
[   13.630490]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.630512]  ? calculate_sigpending+0x7b/0xa0
[   13.630538]  ? __pfx_kthread+0x10/0x10
[   13.630559]  ret_from_fork+0x116/0x1d0
[   13.630578]  ? __pfx_kthread+0x10/0x10
[   13.630598]  ret_from_fork_asm+0x1a/0x30
[   13.630633]  </TASK>
[   13.630643] 
[   13.638932] Allocated by task 249:
[   13.639071]  kasan_save_stack+0x45/0x70
[   13.639222]  kasan_save_track+0x18/0x40
[   13.639413]  kasan_save_alloc_info+0x3b/0x50
[   13.639635]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.639889]  remove_element+0x11e/0x190
[   13.640294]  mempool_alloc_preallocated+0x4d/0x90
[   13.640595]  mempool_uaf_helper+0x96/0x400
[   13.640769]  mempool_slab_uaf+0xea/0x140
[   13.640940]  kunit_try_run_case+0x1a5/0x480
[   13.641088]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.641291]  kthread+0x337/0x6f0
[   13.641704]  ret_from_fork+0x116/0x1d0
[   13.641922]  ret_from_fork_asm+0x1a/0x30
[   13.642128] 
[   13.642223] Freed by task 249:
[   13.642380]  kasan_save_stack+0x45/0x70
[   13.642554]  kasan_save_track+0x18/0x40
[   13.642767]  kasan_save_free_info+0x3f/0x60
[   13.642956]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.643125]  mempool_free+0x2ec/0x380
[   13.643258]  mempool_uaf_helper+0x11a/0x400
[   13.643404]  mempool_slab_uaf+0xea/0x140
[   13.643553]  kunit_try_run_case+0x1a5/0x480
[   13.643826]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.644365]  kthread+0x337/0x6f0
[   13.644656]  ret_from_fork+0x116/0x1d0
[   13.644843]  ret_from_fork_asm+0x1a/0x30
[   13.645036] 
[   13.645137] The buggy address belongs to the object at ffff8881026f1240
[   13.645137]  which belongs to the cache test_cache of size 123
[   13.645519] The buggy address is located 0 bytes inside of
[   13.645519]  freed 123-byte region [ffff8881026f1240, ffff8881026f12bb)
[   13.645942] 
[   13.646047] The buggy address belongs to the physical page:
[   13.646307] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026f1
[   13.647034] flags: 0x200000000000000(node=0|zone=2)
[   13.647281] page_type: f5(slab)
[   13.647464] raw: 0200000000000000 ffff8881015eab40 dead000000000122 0000000000000000
[   13.647916] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.648219] page dumped because: kasan: bad access detected
[   13.648404] 
[   13.648552] Memory state around the buggy address:
[   13.648780]  ffff8881026f1100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.649112]  ffff8881026f1180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.649367] >ffff8881026f1200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.650039]                                            ^
[   13.650263]  ffff8881026f1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.650648]  ffff8881026f1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.650901] ==================================================================

[   13.853858] ==================================================================
[   13.854796] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.855853] Read of size 1 at addr ffff8881029c8240 by task kunit_try_catch/248
[   13.856422] 
[   13.856529] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.856583] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.856597] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.856621] Call Trace:
[   13.856639]  <TASK>
[   13.856660]  dump_stack_lvl+0x73/0xb0
[   13.856699]  print_report+0xd1/0x610
[   13.856723]  ? __virt_addr_valid+0x1db/0x2d0
[   13.856748]  ? mempool_uaf_helper+0x392/0x400
[   13.856771]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.856793]  ? mempool_uaf_helper+0x392/0x400
[   13.856816]  kasan_report+0x141/0x180
[   13.856837]  ? mempool_uaf_helper+0x392/0x400
[   13.856871]  __asan_report_load1_noabort+0x18/0x20
[   13.856896]  mempool_uaf_helper+0x392/0x400
[   13.856919]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.856943]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.856967]  ? finish_task_switch.isra.0+0x153/0x700
[   13.856993]  mempool_slab_uaf+0xea/0x140
[   13.857040]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   13.857065]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   13.857091]  ? __pfx_mempool_free_slab+0x10/0x10
[   13.857117]  ? __pfx_read_tsc+0x10/0x10
[   13.857139]  ? ktime_get_ts64+0x86/0x230
[   13.857164]  kunit_try_run_case+0x1a5/0x480
[   13.857191]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.857212]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.857238]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.857288]  ? __kthread_parkme+0x82/0x180
[   13.857310]  ? preempt_count_sub+0x50/0x80
[   13.857334]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.857358]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.857381]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.857406]  kthread+0x337/0x6f0
[   13.857425]  ? trace_preempt_on+0x20/0xc0
[   13.857449]  ? __pfx_kthread+0x10/0x10
[   13.857469]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.857490]  ? calculate_sigpending+0x7b/0xa0
[   13.857515]  ? __pfx_kthread+0x10/0x10
[   13.857536]  ret_from_fork+0x116/0x1d0
[   13.857555]  ? __pfx_kthread+0x10/0x10
[   13.857574]  ret_from_fork_asm+0x1a/0x30
[   13.857606]  </TASK>
[   13.857618] 
[   13.875508] Allocated by task 248:
[   13.876123]  kasan_save_stack+0x45/0x70
[   13.876671]  kasan_save_track+0x18/0x40
[   13.876825]  kasan_save_alloc_info+0x3b/0x50
[   13.876987]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   13.878204]  remove_element+0x11e/0x190
[   13.878628]  mempool_alloc_preallocated+0x4d/0x90
[   13.879089]  mempool_uaf_helper+0x96/0x400
[   13.879681]  mempool_slab_uaf+0xea/0x140
[   13.880167]  kunit_try_run_case+0x1a5/0x480
[   13.880645]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.880832]  kthread+0x337/0x6f0
[   13.880963]  ret_from_fork+0x116/0x1d0
[   13.881646]  ret_from_fork_asm+0x1a/0x30
[   13.882343] 
[   13.882512] Freed by task 248:
[   13.883028]  kasan_save_stack+0x45/0x70
[   13.883939]  kasan_save_track+0x18/0x40
[   13.884464]  kasan_save_free_info+0x3f/0x60
[   13.884622]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.884789]  mempool_free+0x2ec/0x380
[   13.884930]  mempool_uaf_helper+0x11a/0x400
[   13.885259]  mempool_slab_uaf+0xea/0x140
[   13.886070]  kunit_try_run_case+0x1a5/0x480
[   13.886589]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.887379]  kthread+0x337/0x6f0
[   13.887851]  ret_from_fork+0x116/0x1d0
[   13.888404]  ret_from_fork_asm+0x1a/0x30
[   13.889306] 
[   13.889391] The buggy address belongs to the object at ffff8881029c8240
[   13.889391]  which belongs to the cache test_cache of size 123
[   13.889743] The buggy address is located 0 bytes inside of
[   13.889743]  freed 123-byte region [ffff8881029c8240, ffff8881029c82bb)
[   13.890092] 
[   13.890166] The buggy address belongs to the physical page:
[   13.890338] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029c8
[   13.891535] flags: 0x200000000000000(node=0|zone=2)
[   13.892109] page_type: f5(slab)
[   13.892435] raw: 0200000000000000 ffff8881034193c0 dead000000000122 0000000000000000
[   13.893449] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   13.894380] page dumped because: kasan: bad access detected
[   13.895482] 
[   13.895920] Memory state around the buggy address:
[   13.896631]  ffff8881029c8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.897423]  ffff8881029c8180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.897999] >ffff8881029c8200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.898736]                                            ^
[   13.899559]  ffff8881029c8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.899790]  ffff8881029c8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.900685] ==================================================================
[   13.787332] ==================================================================
[   13.788527] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   13.789088] Read of size 1 at addr ffff8881029c5000 by task kunit_try_catch/244
[   13.789311] 
[   13.789409] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.789471] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.789484] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.789508] Call Trace:
[   13.789523]  <TASK>
[   13.789582]  dump_stack_lvl+0x73/0xb0
[   13.789621]  print_report+0xd1/0x610
[   13.789646]  ? __virt_addr_valid+0x1db/0x2d0
[   13.789671]  ? mempool_uaf_helper+0x392/0x400
[   13.789695]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.789718]  ? mempool_uaf_helper+0x392/0x400
[   13.789740]  kasan_report+0x141/0x180
[   13.789763]  ? mempool_uaf_helper+0x392/0x400
[   13.789790]  __asan_report_load1_noabort+0x18/0x20
[   13.789815]  mempool_uaf_helper+0x392/0x400
[   13.789839]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.789862]  ? kasan_save_track+0x18/0x40
[   13.789881]  ? kasan_save_alloc_info+0x3b/0x50
[   13.789903]  ? kasan_save_stack+0x45/0x70
[   13.789928]  mempool_kmalloc_uaf+0xef/0x140
[   13.789949]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   13.789975]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.790001]  ? __pfx_mempool_kfree+0x10/0x10
[   13.790037]  ? __pfx_read_tsc+0x10/0x10
[   13.790059]  ? ktime_get_ts64+0x86/0x230
[   13.790086]  kunit_try_run_case+0x1a5/0x480
[   13.790113]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.790135]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.790161]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.790185]  ? __kthread_parkme+0x82/0x180
[   13.790207]  ? preempt_count_sub+0x50/0x80
[   13.790232]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.790256]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.790280]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.790304]  kthread+0x337/0x6f0
[   13.790324]  ? trace_preempt_on+0x20/0xc0
[   13.790349]  ? __pfx_kthread+0x10/0x10
[   13.790369]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.790390]  ? calculate_sigpending+0x7b/0xa0
[   13.790416]  ? __pfx_kthread+0x10/0x10
[   13.790460]  ret_from_fork+0x116/0x1d0
[   13.790480]  ? __pfx_kthread+0x10/0x10
[   13.790501]  ret_from_fork_asm+0x1a/0x30
[   13.790532]  </TASK>
[   13.790543] 
[   13.803378] Allocated by task 244:
[   13.803622]  kasan_save_stack+0x45/0x70
[   13.804038]  kasan_save_track+0x18/0x40
[   13.804173]  kasan_save_alloc_info+0x3b/0x50
[   13.804601]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   13.805053]  remove_element+0x11e/0x190
[   13.805194]  mempool_alloc_preallocated+0x4d/0x90
[   13.805349]  mempool_uaf_helper+0x96/0x400
[   13.805684]  mempool_kmalloc_uaf+0xef/0x140
[   13.806075]  kunit_try_run_case+0x1a5/0x480
[   13.806481]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.807062]  kthread+0x337/0x6f0
[   13.807401]  ret_from_fork+0x116/0x1d0
[   13.807776]  ret_from_fork_asm+0x1a/0x30
[   13.808165] 
[   13.808243] Freed by task 244:
[   13.808357]  kasan_save_stack+0x45/0x70
[   13.808670]  kasan_save_track+0x18/0x40
[   13.809047]  kasan_save_free_info+0x3f/0x60
[   13.809437]  __kasan_mempool_poison_object+0x131/0x1d0
[   13.809898]  mempool_free+0x2ec/0x380
[   13.810081]  mempool_uaf_helper+0x11a/0x400
[   13.810225]  mempool_kmalloc_uaf+0xef/0x140
[   13.810366]  kunit_try_run_case+0x1a5/0x480
[   13.810739]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.811225]  kthread+0x337/0x6f0
[   13.811573]  ret_from_fork+0x116/0x1d0
[   13.811923]  ret_from_fork_asm+0x1a/0x30
[   13.812304] 
[   13.812505] The buggy address belongs to the object at ffff8881029c5000
[   13.812505]  which belongs to the cache kmalloc-128 of size 128
[   13.813386] The buggy address is located 0 bytes inside of
[   13.813386]  freed 128-byte region [ffff8881029c5000, ffff8881029c5080)
[   13.814071] 
[   13.814151] The buggy address belongs to the physical page:
[   13.814321] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029c5
[   13.814620] flags: 0x200000000000000(node=0|zone=2)
[   13.814968] page_type: f5(slab)
[   13.815156] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.815448] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.815808] page dumped because: kasan: bad access detected
[   13.816028] 
[   13.816119] Memory state around the buggy address:
[   13.816322]  ffff8881029c4f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   13.816647]  ffff8881029c4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.816922] >ffff8881029c5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.817211]                    ^
[   13.817372]  ffff8881029c5080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.817646]  ffff8881029c5100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.817955] ==================================================================