Date
April 20, 2025, 11:09 p.m.
Environment
qemu-arm64

```
[ 26.030302] ==================================================================
[ 26.030415] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 26.030551] Read of size 1 at addr fff00000c77a0000 by task kunit_try_catch/235
[ 26.030665]
[ 26.033289] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 26.034743] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.034816] Hardware name: linux,dummy-virt (DT)
[ 26.034901] Call trace:
[ 26.034976] show_stack+0x20/0x38 (C)
[ 26.035099] dump_stack_lvl+0x8c/0xd0
[ 26.035212] print_report+0x118/0x608
[ 26.035326] kasan_report+0xdc/0x128
[ 26.035435] __asan_report_load1_noabort+0x20/0x30
[ 26.035569] mempool_uaf_helper+0x314/0x340
[ 26.037015] mempool_page_alloc_uaf+0xc0/0x118
[ 26.037233] kunit_try_run_case+0x170/0x3f0
[ 26.037358] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.037496] kthread+0x328/0x630
[ 26.037618] ret_from_fork+0x10/0x20
[ 26.037744]
[ 26.037794] The buggy address belongs to the physical page:
[ 26.037876] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077a0
[ 26.038022] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.038387] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 26.038615] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.038999] page dumped because: kasan: bad access detected
[ 26.039080]
[ 26.039370] Memory state around the buggy address:
[ 26.040162] fff00000c779ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.040661] fff00000c779ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.040792] >fff00000c77a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.041132] ^
[ 26.041705] fff00000c77a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.041947] fff00000c77a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.042042] ==================================================================
[ 25.907550] ==================================================================
[ 25.908217] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 25.908378] Read of size 1 at addr fff00000c7784000 by task kunit_try_catch/231
[ 25.908498]
[ 25.908841] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 25.909103] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.909212] Hardware name: linux,dummy-virt (DT)
[ 25.909519] Call trace:
[ 25.909575] show_stack+0x20/0x38 (C)
[ 25.909976] dump_stack_lvl+0x8c/0xd0
[ 25.910696] print_report+0x118/0x608
[ 25.911419] kasan_report+0xdc/0x128
[ 25.911622] __asan_report_load1_noabort+0x20/0x30
[ 25.912205] mempool_uaf_helper+0x314/0x340
[ 25.912525] mempool_kmalloc_large_uaf+0xc4/0x120
[ 25.912689] kunit_try_run_case+0x170/0x3f0
[ 25.913461] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.914115] kthread+0x328/0x630
[ 25.914576] ret_from_fork+0x10/0x20
[ 25.914720]
[ 25.914768] The buggy address belongs to the physical page:
[ 25.915265] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107784
[ 25.915678] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 25.916097] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 25.916666] page_type: f8(unknown)
[ 25.916768] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 25.916892] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 25.917077] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 25.917237] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 25.917398] head: 0bfffe0000000002 ffffc1ffc31de101 00000000ffffffff 00000000ffffffff
[ 25.917695] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 25.917980] page dumped because: kasan: bad access detected
[ 25.918198]
[ 25.918313] Memory state around the buggy address:
[ 25.918423] fff00000c7783f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.918527] fff00000c7783f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.918632] >fff00000c7784000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.918725] ^
[ 25.918791] fff00000c7784080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.918947] fff00000c7784100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.919058] ==================================================================
```

Environment
qemu-x86_64

```
[ 13.100670] ==================================================================
[ 13.101101] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.101416] Read of size 1 at addr ffff888102a1c000 by task kunit_try_catch/253
[ 13.101764]
[ 13.101887] CPU: 0 UID: 0 PID: 253 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 13.101931] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.101944] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.101965] Call Trace:
[ 13.101977] <TASK>
[ 13.101993] dump_stack_lvl+0x73/0xb0
[ 13.102019] print_report+0xd1/0x650
[ 13.102041] ? __virt_addr_valid+0x1db/0x2d0
[ 13.102064] ? mempool_uaf_helper+0x392/0x400
[ 13.102086] ? kasan_addr_to_slab+0x11/0xa0
[ 13.102107] ? mempool_uaf_helper+0x392/0x400
[ 13.102130] kasan_report+0x141/0x180
[ 13.102167] ? mempool_uaf_helper+0x392/0x400
[ 13.102195] __asan_report_load1_noabort+0x18/0x20
[ 13.102216] mempool_uaf_helper+0x392/0x400
[ 13.102240] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.102262] ? dequeue_entities+0xa24/0x1790
[ 13.102289] ? finish_task_switch.isra.0+0x153/0x700
[ 13.102316] mempool_page_alloc_uaf+0xed/0x140
[ 13.102347] ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 13.102367] ? dequeue_task_fair+0x166/0x4e0
[ 13.102448] ? __pfx_mempool_alloc_pages+0x10/0x10
[ 13.102473] ? __pfx_mempool_free_pages+0x10/0x10
[ 13.102497] ? __pfx_read_tsc+0x10/0x10
[ 13.102518] ? ktime_get_ts64+0x86/0x230
[ 13.102545] kunit_try_run_case+0x1a5/0x480
[ 13.102569] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.102590] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.102615] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.102639] ? __kthread_parkme+0x82/0x180
[ 13.102660] ? preempt_count_sub+0x50/0x80
[ 13.102685] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.102708] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.102730] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.102752] kthread+0x337/0x6f0
[ 13.102771] ? trace_preempt_on+0x20/0xc0
[ 13.102795] ? __pfx_kthread+0x10/0x10
[ 13.102817] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.102839] ? calculate_sigpending+0x7b/0xa0
[ 13.102860] ? __pfx_kthread+0x10/0x10
[ 13.102883] ret_from_fork+0x41/0x80
[ 13.102903] ? __pfx_kthread+0x10/0x10
[ 13.102925] ret_from_fork_asm+0x1a/0x30
[ 13.102957] </TASK>
[ 13.102967]
[ 13.113424] The buggy address belongs to the physical page:
[ 13.113611] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a1c
[ 13.113862] flags: 0x200000000000000(node=0|zone=2)
[ 13.114036] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 13.114264] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 13.115172] page dumped because: kasan: bad access detected
[ 13.115929]
[ 13.116176] Memory state around the buggy address:
[ 13.116700] ffff888102a1bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.117129] ffff888102a1bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.117361] >ffff888102a1c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.117573] ^
[ 13.117887] ffff888102a1c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.118220] ffff888102a1c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.118650] ==================================================================
[ 13.029035] ==================================================================
[ 13.029599] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.029840] Read of size 1 at addr ffff888102c74000 by task kunit_try_catch/249
[ 13.030064]
[ 13.030630] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 13.030683] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.030695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.030717] Call Trace:
[ 13.030729] <TASK>
[ 13.030745] dump_stack_lvl+0x73/0xb0
[ 13.030936] print_report+0xd1/0x650
[ 13.030967] ? __virt_addr_valid+0x1db/0x2d0
[ 13.030990] ? mempool_uaf_helper+0x392/0x400
[ 13.031013] ? kasan_addr_to_slab+0x11/0xa0
[ 13.031033] ? mempool_uaf_helper+0x392/0x400
[ 13.031056] kasan_report+0x141/0x180
[ 13.031078] ? mempool_uaf_helper+0x392/0x400
[ 13.031106] __asan_report_load1_noabort+0x18/0x20
[ 13.031146] mempool_uaf_helper+0x392/0x400
[ 13.031170] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.031192] ? update_load_avg+0x1be/0x21b0
[ 13.031212] ? update_load_avg+0x1be/0x21b0
[ 13.031231] ? update_curr+0x80/0x810
[ 13.031251] ? finish_task_switch.isra.0+0x153/0x700
[ 13.031278] mempool_kmalloc_large_uaf+0xef/0x140
[ 13.031303] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 13.031337] ? dequeue_task_fair+0x156/0x4e0
[ 13.031361] ? __pfx_mempool_kmalloc+0x10/0x10
[ 13.031381] ? __pfx_mempool_kfree+0x10/0x10
[ 13.031423] ? __pfx_read_tsc+0x10/0x10
[ 13.031443] ? ktime_get_ts64+0x86/0x230
[ 13.031468] kunit_try_run_case+0x1a5/0x480
[ 13.031492] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.031513] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.031539] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.031563] ? __kthread_parkme+0x82/0x180
[ 13.031585] ? preempt_count_sub+0x50/0x80
[ 13.031609] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.031632] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.031654] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.031678] kthread+0x337/0x6f0
[ 13.031698] ? trace_preempt_on+0x20/0xc0
[ 13.031721] ? __pfx_kthread+0x10/0x10
[ 13.031743] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.031765] ? calculate_sigpending+0x7b/0xa0
[ 13.031787] ? __pfx_kthread+0x10/0x10
[ 13.031810] ret_from_fork+0x41/0x80
[ 13.031831] ? __pfx_kthread+0x10/0x10
[ 13.031853] ret_from_fork_asm+0x1a/0x30
[ 13.031883] </TASK>
[ 13.031895]
[ 13.050611] The buggy address belongs to the physical page:
[ 13.051220] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c74
[ 13.051833] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 13.052208] flags: 0x200000000000040(head|node=0|zone=2)
[ 13.052412] page_type: f8(unknown)
[ 13.052614] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 13.053152] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 13.053386] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 13.053675] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 13.053966] head: 0200000000000002 ffffea00040b1d01 00000000ffffffff 00000000ffffffff
[ 13.054221] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 13.054952] page dumped because: kasan: bad access detected
[ 13.055520]
[ 13.055682] Memory state around the buggy address:
[ 13.056089] ffff888102c73f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.056903] ffff888102c73f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.057271] >ffff888102c74000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.057556] ^
[ 13.057734] ffff888102c74080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.058425] ffff888102c74100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.058633] ==================================================================
```

Environment
rk3399-rock-pi-4b

```
[ 23.192697] ==================================================================
[ 23.193739] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 23.194391] Read of size 1 at addr ffff00000df00000 by task kunit_try_catch/287
[ 23.195069]
[ 23.195234] CPU: 2 UID: 0 PID: 287 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 23.195285] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.195299] Hardware name: Radxa ROCK Pi 4B (DT)
[ 23.195317] Call trace:
[ 23.195328] show_stack+0x20/0x38 (C)
[ 23.195361] dump_stack_lvl+0x8c/0xd0
[ 23.195393] print_report+0x118/0x608
[ 23.195422] kasan_report+0xdc/0x128
[ 23.195450] __asan_report_load1_noabort+0x20/0x30
[ 23.195484] mempool_uaf_helper+0x314/0x340
[ 23.195517] mempool_page_alloc_uaf+0xc0/0x118
[ 23.195554] kunit_try_run_case+0x170/0x3f0
[ 23.195589] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.195629] kthread+0x328/0x630
[ 23.195663] ret_from_fork+0x10/0x20
[ 23.195696]
[ 23.201674] The buggy address belongs to the physical page:
[ 23.202191] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xdf00
[ 23.202916] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 23.203539] raw: 03fffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 23.204254] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 23.204962] page dumped because: kasan: bad access detected
[ 23.205477]
[ 23.205630] Memory state around the buggy address:
[ 23.206079] ffff00000defff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.206746] ffff00000defff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.207412] >ffff00000df00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.208074] ^
[ 23.208385] ffff00000df00080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.209052] ffff00000df00100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.209714] ==================================================================
[ 23.121231] ==================================================================
[ 23.122283] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 23.122985] Read of size 1 at addr ffff00000dc7c000 by task kunit_try_catch/283
[ 23.123694]
[ 23.123879] CPU: 1 UID: 0 PID: 283 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 23.123963] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.123988] Hardware name: Radxa ROCK Pi 4B (DT)
[ 23.124015] Call trace:
[ 23.124034] show_stack+0x20/0x38 (C)
[ 23.124086] dump_stack_lvl+0x8c/0xd0
[ 23.124137] print_report+0x118/0x608
[ 23.124186] kasan_report+0xdc/0x128
[ 23.124234] __asan_report_load1_noabort+0x20/0x30
[ 23.124289] mempool_uaf_helper+0x314/0x340
[ 23.124347] mempool_kmalloc_large_uaf+0xc4/0x120
[ 23.124408] kunit_try_run_case+0x170/0x3f0
[ 23.124465] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.124531] kthread+0x328/0x630
[ 23.124587] ret_from_fork+0x10/0x20
[ 23.124640]
[ 23.130754] The buggy address belongs to the physical page:
[ 23.131293] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xdc7c
[ 23.132048] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.132781] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[ 23.133467] page_type: f8(unknown)
[ 23.133830] raw: 03fffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 23.134578] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 23.135326] head: 03fffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 23.136081] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 23.136837] head: 03fffe0000000002 fffffdffc0371f01 00000000ffffffff 00000000ffffffff
[ 23.137593] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 23.138336] page dumped because: kasan: bad access detected
[ 23.138872]
[ 23.139042] Memory state around the buggy address:
[ 23.139513] ffff00000dc7bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.140209] ffff00000dc7bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.140903] >ffff00000dc7c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.141590] ^
[ 23.141923] ffff00000dc7c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.142617] ffff00000dc7c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.143305] ==================================================================
```