Hay
Date
April 20, 2025, 11:09 p.m.

Environment
x15
x86

[   63.645019] ==================================================================
[   63.656585] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x388/0x3b8
[   63.663787] Read of size 1 at addr cc22d700 by task kunit_try_catch/283
[   63.670471] 
[   63.671966] CPU: 1 UID: 0 PID: 283 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   63.671997] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   63.671997] Hardware name: Generic DRA74X (Flattened Device Tree)
[   63.672027] Call trace: 
[   63.672027]  unwind_backtrace from show_stack+0x18/0x1c
[   63.672058]  show_stack from dump_stack_lvl+0x70/0x90
[   63.672088]  dump_stack_lvl from print_report+0x158/0x528
[   63.672119]  print_report from kasan_report+0xdc/0x118
[   63.672119]  kasan_report from mempool_uaf_helper+0x388/0x3b8
[   63.672149]  mempool_uaf_helper from mempool_kmalloc_uaf+0xbc/0x108
[   63.672180]  mempool_kmalloc_uaf from kunit_try_run_case+0x22c/0x5a8
[   63.672210]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   63.672241]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   63.672271]  kthread from ret_from_fork+0x14/0x20
[   63.672271] Exception stack(0xf25d3fb0 to 0xf25d3ff8)
[   63.672302] 3fa0:                                     00000000 00000000 00000000 00000000
[   63.672302] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   63.672332] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   63.672332] 
[   63.783782] Allocated by task 283:
[   63.787200]  kasan_save_track+0x30/0x5c
[   63.791076]  remove_element+0x180/0x264
[   63.794952]  mempool_alloc_preallocated+0x60/0x9c
[   63.799682]  mempool_uaf_helper+0x90/0x3b8
[   63.803802]  mempool_kmalloc_uaf+0xbc/0x108
[   63.808044]  kunit_try_run_case+0x22c/0x5a8
[   63.812255]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   63.817779]  kthread+0x464/0x810
[   63.821044]  ret_from_fork+0x14/0x20
[   63.824645] 
[   63.826141] Freed by task 283:
[   63.829223]  kasan_save_track+0x30/0x5c
[   63.833099]  kasan_save_free_info+0x3c/0x48
[   63.837310]  __kasan_mempool_poison_object+0x94/0x128
[   63.842407]  mempool_free+0x360/0x440
[   63.846099]  mempool_uaf_helper+0x13c/0x3b8
[   63.850311]  mempool_kmalloc_uaf+0xbc/0x108
[   63.854522]  kunit_try_run_case+0x22c/0x5a8
[   63.858734]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   63.864257]  kthread+0x464/0x810
[   63.867523]  ret_from_fork+0x14/0x20
[   63.871124] 
[   63.872619] The buggy address belongs to the object at cc22d700
[   63.872619]  which belongs to the cache kmalloc-128 of size 128
[   63.884521] The buggy address is located 0 bytes inside of
[   63.884521]  freed 128-byte region [cc22d700, cc22d780)
[   63.895294] 
[   63.896789] The buggy address belongs to the physical page:
[   63.902404] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c22d
[   63.909698] flags: 0x0(zone=0)
[   63.912780] page_type: f5(slab)
[   63.915924] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000
[   63.924072] raw: 00000000
[   63.926727] page dumped because: kasan: bad access detected
[   63.932342] 
[   63.933837] Memory state around the buggy address:
[   63.938659]  cc22d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.945220]  cc22d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.951812] >cc22d700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.958374]            ^
[   63.960937]  cc22d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.967498]  cc22d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   63.974060] ==================================================================
[   64.235748] ==================================================================
[   64.247589] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x388/0x3b8
[   64.254760] Read of size 1 at addr cc23a240 by task kunit_try_catch/287
[   64.261444] 
[   64.262939] CPU: 1 UID: 0 PID: 287 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   64.262969] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   64.262969] Hardware name: Generic DRA74X (Flattened Device Tree)
[   64.263000] Call trace: 
[   64.263000]  unwind_backtrace from show_stack+0x18/0x1c
[   64.263031]  show_stack from dump_stack_lvl+0x70/0x90
[   64.263061]  dump_stack_lvl from print_report+0x158/0x528
[   64.263061]  print_report from kasan_report+0xdc/0x118
[   64.263092]  kasan_report from mempool_uaf_helper+0x388/0x3b8
[   64.263122]  mempool_uaf_helper from mempool_slab_uaf+0xb8/0x100
[   64.263153]  mempool_slab_uaf from kunit_try_run_case+0x22c/0x5a8
[   64.263153]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   64.263183]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   64.263214]  kthread from ret_from_fork+0x14/0x20
[   64.263244] Exception stack(0xf25f3fb0 to 0xf25f3ff8)
[   64.263244] 3fa0:                                     00000000 00000000 00000000 00000000
[   64.263275] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   64.263305] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   64.263305] 
[   64.374206] Allocated by task 287:
[   64.377624]  kasan_save_track+0x30/0x5c
[   64.381500]  __kasan_mempool_unpoison_object+0xec/0x14c
[   64.386749]  remove_element+0x1d4/0x264
[   64.390624]  mempool_alloc_preallocated+0x60/0x9c
[   64.395355]  mempool_uaf_helper+0x90/0x3b8
[   64.399505]  mempool_slab_uaf+0xb8/0x100
[   64.403442]  kunit_try_run_case+0x22c/0x5a8
[   64.407684]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   64.413208]  kthread+0x464/0x810
[   64.416473]  ret_from_fork+0x14/0x20
[   64.420074] 
[   64.421569] Freed by task 287:
[   64.424652]  kasan_save_track+0x30/0x5c
[   64.428497]  kasan_save_free_info+0x3c/0x48
[   64.432708]  __kasan_mempool_poison_object+0x94/0x128
[   64.437805]  mempool_free+0x360/0x440
[   64.441497]  mempool_uaf_helper+0x13c/0x3b8
[   64.445709]  mempool_slab_uaf+0xb8/0x100
[   64.449676]  kunit_try_run_case+0x22c/0x5a8
[   64.453887]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   64.459442]  kthread+0x464/0x810
[   64.462677]  ret_from_fork+0x14/0x20
[   64.466278] 
[   64.467803] The buggy address belongs to the object at cc23a240
[   64.467803]  which belongs to the cache test_cache of size 123
[   64.479614] The buggy address is located 0 bytes inside of
[   64.479614]  freed 123-byte region [cc23a240, cc23a2bb)
[   64.490356] 
[   64.491882] The buggy address belongs to the physical page:
[   64.497467] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c23a
[   64.504760] flags: 0x0(zone=0)
[   64.507843] page_type: f5(slab)
[   64.511016] raw: 00000000 cc22f800 00000122 00000000 00000000 80150015 f5000000 00000000
[   64.519134] raw: 00000000
[   64.521789] page dumped because: kasan: bad access detected
[   64.527404] 
[   64.528900] Memory state around the buggy address:
[   64.533721]  cc23a100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   64.540283]  cc23a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.546874] >cc23a200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   64.553436]                                    ^
[   64.558074]  cc23a280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   64.564666]  cc23a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.571228] ==================================================================

[   37.422957] ==================================================================
[   37.434732] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   37.441872] Read of size 1 at addr ffff8881061f7240 by task kunit_try_catch/274
[   37.449180] 
[   37.450714] CPU: 2 UID: 0 PID: 274 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   37.450736] Tainted: [B]=BAD_PAGE, [N]=TEST
[   37.450738] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   37.450742] Call Trace:
[   37.450743]  <TASK>
[   37.450745]  dump_stack_lvl+0x73/0xb0
[   37.450749]  print_report+0xd1/0x650
[   37.450754]  ? __virt_addr_valid+0x1db/0x2d0
[   37.450758]  ? mempool_uaf_helper+0x392/0x400
[   37.450762]  ? kasan_complete_mode_report_info+0x64/0x200
[   37.450766]  ? mempool_uaf_helper+0x392/0x400
[   37.450770]  kasan_report+0x141/0x180
[   37.450775]  ? mempool_uaf_helper+0x392/0x400
[   37.450780]  __asan_report_load1_noabort+0x18/0x20
[   37.450784]  mempool_uaf_helper+0x392/0x400
[   37.450788]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   37.450793]  ? finish_task_switch.isra.0+0x153/0x700
[   37.450798]  mempool_slab_uaf+0xea/0x140
[   37.450802]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   37.450805]  ? dequeue_task_fair+0x166/0x4e0
[   37.450809]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   37.450813]  ? __pfx_mempool_free_slab+0x10/0x10
[   37.450817]  ? ktime_get_ts64+0x83/0x230
[   37.450822]  kunit_try_run_case+0x1a2/0x480
[   37.450826]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.450830]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   37.450835]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   37.450840]  ? __kthread_parkme+0x82/0x180
[   37.450844]  ? preempt_count_sub+0x50/0x80
[   37.450848]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.450853]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.450857]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   37.450861]  kthread+0x334/0x6f0
[   37.450865]  ? trace_preempt_on+0x20/0xc0
[   37.450869]  ? __pfx_kthread+0x10/0x10
[   37.450873]  ? _raw_spin_unlock_irq+0x47/0x80
[   37.450878]  ? calculate_sigpending+0x7b/0xa0
[   37.450881]  ? __pfx_kthread+0x10/0x10
[   37.450886]  ret_from_fork+0x3e/0x80
[   37.450890]  ? __pfx_kthread+0x10/0x10
[   37.450894]  ret_from_fork_asm+0x1a/0x30
[   37.450899]  </TASK>
[   37.450901] 
[   37.637428] Allocated by task 274:
[   37.640834]  kasan_save_stack+0x45/0x70
[   37.644714]  kasan_save_track+0x18/0x40
[   37.648590]  kasan_save_alloc_info+0x3b/0x50
[   37.652861]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   37.658173]  remove_element+0x11e/0x190
[   37.662015]  mempool_alloc_preallocated+0x4d/0x90
[   37.666732]  mempool_uaf_helper+0x96/0x400
[   37.670836]  mempool_slab_uaf+0xea/0x140
[   37.674762]  kunit_try_run_case+0x1a2/0x480
[   37.678948]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.684348]  kthread+0x334/0x6f0
[   37.687589]  ret_from_fork+0x3e/0x80
[   37.691175]  ret_from_fork_asm+0x1a/0x30
[   37.695101] 
[   37.696601] Freed by task 274:
[   37.699659]  kasan_save_stack+0x45/0x70
[   37.703534]  kasan_save_track+0x18/0x40
[   37.707373]  kasan_save_free_info+0x3f/0x60
[   37.711558]  __kasan_mempool_poison_object+0x131/0x1d0
[   37.716700]  mempool_free+0x2ec/0x380
[   37.720407]  mempool_uaf_helper+0x11a/0x400
[   37.724593]  mempool_slab_uaf+0xea/0x140
[   37.728520]  kunit_try_run_case+0x1a2/0x480
[   37.732735]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.738163]  kthread+0x334/0x6f0
[   37.741397]  ret_from_fork+0x3e/0x80
[   37.744975]  ret_from_fork_asm+0x1a/0x30
[   37.748902] 
[   37.750401] The buggy address belongs to the object at ffff8881061f7240
[   37.750401]  which belongs to the cache test_cache of size 123
[   37.762830] The buggy address is located 0 bytes inside of
[   37.762830]  freed 123-byte region [ffff8881061f7240, ffff8881061f72bb)
[   37.774917] 
[   37.776417] The buggy address belongs to the physical page:
[   37.781991] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061f7
[   37.789997] flags: 0x200000000000000(node=0|zone=2)
[   37.794875] page_type: f5(slab)
[   37.798024] raw: 0200000000000000 ffff888100dbcf00 dead000000000122 0000000000000000
[   37.805771] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   37.813510] page dumped because: kasan: bad access detected
[   37.819082] 
[   37.820580] Memory state around the buggy address:
[   37.825373]  ffff8881061f7100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   37.832593]  ffff8881061f7180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.839812] >ffff8881061f7200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   37.847030]                                            ^
[   37.852341]  ffff8881061f7280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   37.859563]  ffff8881061f7300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.866790] ==================================================================
[   36.616059] ==================================================================
[   36.627565] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   36.634734] Read of size 1 at addr ffff8881061dfb00 by task kunit_try_catch/270
[   36.642047] 
[   36.643547] CPU: 2 UID: 0 PID: 270 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   36.643557] Tainted: [B]=BAD_PAGE, [N]=TEST
[   36.643559] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   36.643563] Call Trace:
[   36.643565]  <TASK>
[   36.643567]  dump_stack_lvl+0x73/0xb0
[   36.643572]  print_report+0xd1/0x650
[   36.643577]  ? __virt_addr_valid+0x1db/0x2d0
[   36.643581]  ? mempool_uaf_helper+0x392/0x400
[   36.643585]  ? kasan_complete_mode_report_info+0x64/0x200
[   36.643590]  ? mempool_uaf_helper+0x392/0x400
[   36.643594]  kasan_report+0x141/0x180
[   36.643598]  ? mempool_uaf_helper+0x392/0x400
[   36.643603]  __asan_report_load1_noabort+0x18/0x20
[   36.643607]  mempool_uaf_helper+0x392/0x400
[   36.643612]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   36.643616]  ? dequeue_entities+0xa24/0x1790
[   36.643621]  ? finish_task_switch.isra.0+0x153/0x700
[   36.643626]  mempool_kmalloc_uaf+0xef/0x140
[   36.643631]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   36.643635]  ? dequeue_task_fair+0x166/0x4e0
[   36.643639]  ? __pfx_mempool_kmalloc+0x10/0x10
[   36.643643]  ? __pfx_mempool_kfree+0x10/0x10
[   36.643647]  ? ktime_get_ts64+0x83/0x230
[   36.643652]  kunit_try_run_case+0x1a2/0x480
[   36.643658]  ? __pfx_kunit_try_run_case+0x10/0x10
[   36.643662]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   36.643667]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   36.643688]  ? __kthread_parkme+0x82/0x180
[   36.643693]  ? preempt_count_sub+0x50/0x80
[   36.643698]  ? __pfx_kunit_try_run_case+0x10/0x10
[   36.643703]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   36.643719]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   36.643724]  kthread+0x334/0x6f0
[   36.643728]  ? trace_preempt_on+0x20/0xc0
[   36.643733]  ? __pfx_kthread+0x10/0x10
[   36.643737]  ? _raw_spin_unlock_irq+0x47/0x80
[   36.643742]  ? calculate_sigpending+0x7b/0xa0
[   36.643746]  ? __pfx_kthread+0x10/0x10
[   36.643750]  ret_from_fork+0x3e/0x80
[   36.643755]  ? __pfx_kthread+0x10/0x10
[   36.643759]  ret_from_fork_asm+0x1a/0x30
[   36.643765]  </TASK>
[   36.643767] 
[   36.834403] Allocated by task 270:
[   36.837808]  kasan_save_stack+0x45/0x70
[   36.841647]  kasan_save_track+0x18/0x40
[   36.845488]  kasan_save_alloc_info+0x3b/0x50
[   36.849761]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   36.855081]  remove_element+0x11e/0x190
[   36.858919]  mempool_alloc_preallocated+0x4d/0x90
[   36.863625]  mempool_uaf_helper+0x96/0x400
[   36.867762]  mempool_kmalloc_uaf+0xef/0x140
[   36.871953]  kunit_try_run_case+0x1a2/0x480
[   36.876139]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   36.881538]  kthread+0x334/0x6f0
[   36.884772]  ret_from_fork+0x3e/0x80
[   36.888350]  ret_from_fork_asm+0x1a/0x30
[   36.892276] 
[   36.893776] Freed by task 270:
[   36.896835]  kasan_save_stack+0x45/0x70
[   36.900703]  kasan_save_track+0x18/0x40
[   36.904592]  kasan_save_free_info+0x3f/0x60
[   36.908778]  __kasan_mempool_poison_object+0x131/0x1d0
[   36.913925]  mempool_free+0x2ec/0x380
[   36.917590]  mempool_uaf_helper+0x11a/0x400
[   36.921775]  mempool_kmalloc_uaf+0xef/0x140
[   36.925962]  kunit_try_run_case+0x1a2/0x480
[   36.930147]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   36.935547]  kthread+0x334/0x6f0
[   36.938778]  ret_from_fork+0x3e/0x80
[   36.942359]  ret_from_fork_asm+0x1a/0x30
[   36.946284] 
[   36.947783] The buggy address belongs to the object at ffff8881061dfb00
[   36.947783]  which belongs to the cache kmalloc-128 of size 128
[   36.960298] The buggy address is located 0 bytes inside of
[   36.960298]  freed 128-byte region [ffff8881061dfb00, ffff8881061dfb80)
[   36.972380] 
[   36.973876] The buggy address belongs to the physical page:
[   36.979450] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061df
[   36.987458] flags: 0x200000000000000(node=0|zone=2)
[   36.992338] page_type: f5(slab)
[   36.995484] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   37.003232] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   37.010970] page dumped because: kasan: bad access detected
[   37.016541] 
[   37.018041] Memory state around the buggy address:
[   37.022835]  ffff8881061dfa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.030063]  ffff8881061dfa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.037291] >ffff8881061dfb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.044515]                    ^
[   37.047768]  ffff8881061dfb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.054985]  ffff8881061dfc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.062206] ==================================================================
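All four reports above come from the KASAN KUnit cases mempool_kmalloc_uaf and mempool_slab_uaf. The traces show what each does: mempool_uaf_helper takes an element from the pool (mempool_alloc_preallocated), hands it back with mempool_free (which poisons it via __kasan_mempool_poison_object even though the element stays in the pool), then reads one byte of it, and KASAN flags the read because the shadow byte for that granule is 0xfa. The decoder below is an added example, not kernel, KUnit or test-lab code: it strips the dmesg prefix, parses the header, the freed-region line and the "Memory state" rows, selects the shadow byte covering the faulting address, maps it with the generic-mode values from mm/kasan/kasan.h and the bug-type mapping of get_shadow_bug_type() in mm/kasan/report_generic.c, and checks that the caret column agrees with meta_pointer_offset() in mm/kasan/report.c. The embedded samples are excerpts of the x15 (32-bit) and x86 (64-bit) reports on this page; the function and key names are mine.

```python
"""Decode the key fields of a generic-mode KASAN slab report.

Added example for this test log; not kernel, KUnit or KernelCI code.
Shadow values come from mm/kasan/kasan.h (generic KASAN), the bug-type
mapping from get_shadow_bug_type() in mm/kasan/report_generic.c, and the
caret check mirrors meta_pointer_offset() in mm/kasan/report.c.
"""
import re

GRANULE = 8  # KASAN_GRANULE_SIZE: bytes of memory covered by one shadow byte

# shadow byte -> (meaning, bug type KASAN derives from it)
SHADOW = {
    0xfa: ("freed slab object, first granule holds the free track", "use-after-free"),
    0xfb: ("freed slab object", "use-after-free"),
    0xfc: ("slab object redzone", "slab-out-of-bounds"),
    0xfe: ("kmalloc_large redzone", "slab-out-of-bounds"),
    0xff: ("freed page", "use-after-free"),
    0xf9: ("global variable redzone", "global-out-of-bounds"),
    0xf1: ("stack left redzone", "stack-out-of-bounds"),
    0xf2: ("stack mid redzone", "stack-out-of-bounds"),
    0xf3: ("stack right redzone", "stack-out-of-bounds"),
    0xf4: ("stack partial redzone", "stack-out-of-bounds"),
    0xf8: ("inaccessible vmalloc area", "vmalloc-out-of-bounds"),
}

DMESG_PREFIX = re.compile(r"^\[\s*\d+\.\d+\] ?")
ROW_RE = re.compile(r"^([ >])([0-9a-f]+): ((?:[0-9a-f]{2} ?){1,16})$")


def shadow_meaning(value):
    """Interpret one shadow byte: 00 = all 8 bytes addressable, 01..07 = only the first N."""
    if value < GRANULE:
        return (f"first {value or GRANULE} of {GRANULE} bytes addressable",
                "out-of-bounds" if value else "accessible")
    return SHADOW.get(value, ("unknown shadow value", "unknown"))


def decode_report(text):
    """Return the decoded access, shadow state and consistency checks for one report."""
    lines = [DMESG_PREFIX.sub("", ln) for ln in text.splitlines()]
    info, rows = {}, []
    for i, line in enumerate(lines):
        if m := re.match(r"^BUG: KASAN: (\S+) in (\S+)", line):
            info["bug_type"], info["location"] = m.group(1), m.group(2)
        elif m := re.match(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"] = int(m.group(3), 16)
        elif m := re.match(r"^\s*freed (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            info["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := ROW_RE.match(line):
            # (guilty row?, row base, pointer width in hex digits, shadow bytes, next line)
            rows.append((m.group(1) == ">", int(m.group(2), 16), len(m.group(2)),
                         bytes.fromhex(m.group(3).replace(" ", "")),
                         lines[i + 1] if i + 1 < len(lines) else ""))
    guilty = [r for r in rows if r[0]]
    if "addr" not in info or len(guilty) != 1:
        raise ValueError("report lacks an access line or a unique '>' shadow row")
    _, base, ptr_hex, shadow, caret_line = guilty[0]
    idx = (info["addr"] - base) // GRANULE
    if not 0 <= idx < len(shadow):
        raise ValueError("faulting address is not covered by the '>' row")
    meaning, derived = shadow_meaning(shadow[idx])
    info.update(pointer_bits=ptr_hex * 4, granule_index=idx, shadow_byte=shadow[idx],
                shadow_meaning=meaning, shadow_bug_type=derived)
    # KASAN prints the caret with "%*c" at width 3 + pointer digits + idx*3 + 1.
    info["caret_ok"] = "^" in caret_line and \
        caret_line.index("^") + 1 == 3 + ptr_hex + idx * 3 + 1
    # The header prefixes "slab-" when the address belongs to a slab object.
    info["header_matches_shadow"] = info["bug_type"] in (derived, "slab-" + derived)
    if "region" in info:
        lo, hi = info["region"]
        info["region_offset"] = info["addr"] - lo
        info["inside_region"] = lo <= info["addr"] < hi
    return info


# Excerpts of the x15 (32-bit ARM) and x86 (64-bit) reports from this page. The
# caret lines are built with explicit padding so the column survives copy/paste.
SAMPLE_X15 = "\n".join([
    "[   63.656585] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x388/0x3b8",
    "[   63.663787] Read of size 1 at addr cc22d700 by task kunit_try_catch/283",
    "[   63.884521]  freed 128-byte region [cc22d700, cc22d780)",
    "[   63.933837] Memory state around the buggy address:",
    "[   63.945220]  cc22d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "[   63.951812] >cc22d700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "[   63.958374]" + " " * 12 + "^",
    "[   63.960937]  cc22d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
])
SAMPLE_X86 = "\n".join([
    "[   37.434732] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400",
    "[   37.441872] Read of size 1 at addr ffff8881061f7240 by task kunit_try_catch/274",
    "[   37.762830]  freed 123-byte region [ffff8881061f7240, ffff8881061f72bb)",
    "[   37.839812] >ffff8881061f7200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb",
    "[   37.847030]" + " " * 44 + "^",
    "[   37.852341]  ffff8881061f7280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
])

if __name__ == "__main__":
    for name, sample in (("x15", SAMPLE_X15), ("x86", SAMPLE_X86)):
        r = decode_report(sample)
        print(f"{name}: {r['access']} of {r['size']} at {r['addr']:#x}: shadow "
              f"{r['shadow_byte']:#04x} ({r['shadow_meaning']}), granule {r['granule_index']}, "
              f"caret_ok={r['caret_ok']}, header_matches_shadow={r['header_matches_shadow']}")
```

Both samples decode to granule state 0xfa at offset 0 of the freed region, which is exactly what the "Freed by task" traces predict: kasan_save_free_info stores the free stack in the first granule of the object and marks it 0xfa, the rest of the object becomes 0xfb, and the 0xfc bytes on either side are the slab redzones. For a report that was not produced by the test suite, the same decoder tells you at a glance whether the access is a stale pointer (0xfa/0xfb), an overrun into a redzone (0xfc) or a partially addressable tail granule (01..07).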