Hay
Date: April 20, 2025, 11:09 p.m.

Environment: x15, x86

[   64.584930] ==================================================================
[   64.595977] BUG: KASAN: use-after-free in mempool_uaf_helper+0x388/0x3b8
[   64.602752] Read of size 1 at addr ccc0c000 by task kunit_try_catch/289
[   64.609405] 
[   64.610900] CPU: 1 UID: 0 PID: 289 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   64.610931] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   64.610961] Hardware name: Generic DRA74X (Flattened Device Tree)
[   64.610961] Call trace: 
[   64.610961]  unwind_backtrace from show_stack+0x18/0x1c
[   64.610992]  show_stack from dump_stack_lvl+0x70/0x90
[   64.611022]  dump_stack_lvl from print_report+0x158/0x528
[   64.611053]  print_report from kasan_report+0xdc/0x118
[   64.611083]  kasan_report from mempool_uaf_helper+0x388/0x3b8
[   64.611083]  mempool_uaf_helper from mempool_page_alloc_uaf+0xb8/0x104
[   64.611114]  mempool_page_alloc_uaf from kunit_try_run_case+0x22c/0x5a8
[   64.611145]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   64.611175]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   64.611206]  kthread from ret_from_fork+0x14/0x20
[   64.611236] Exception stack(0xf2603fb0 to 0xf2603ff8)
[   64.611236] 3fa0:                                     00000000 00000000 00000000 00000000
[   64.611267] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   64.611267] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   64.611297] 
[   64.723236] The buggy address belongs to the physical page:
[   64.728851] page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x8cc0c
[   64.736114] flags: 0x0(zone=0)
[   64.739227] raw: 00000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001
[   64.747375] raw: 00000000
[   64.749999] page dumped because: kasan: bad access detected
[   64.755615] 
[   64.757110] Memory state around the buggy address:
[   64.761932]  ccc0bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.768524]  ccc0bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.775085] >ccc0c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.781646]            ^
[   64.784210]  ccc0c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.790771]  ccc0c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.797332] ==================================================================
[   63.982269] ==================================================================
[   63.993560] BUG: KASAN: use-after-free in mempool_uaf_helper+0x388/0x3b8
[   64.000305] Read of size 1 at addr ccc0c000 by task kunit_try_catch/285
[   64.006958] 
[   64.008483] CPU: 1 UID: 0 PID: 285 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   64.008514] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   64.008514] Hardware name: Generic DRA74X (Flattened Device Tree)
[   64.008514] Call trace: 
[   64.008544]  unwind_backtrace from show_stack+0x18/0x1c
[   64.008575]  show_stack from dump_stack_lvl+0x70/0x90
[   64.008575]  dump_stack_lvl from print_report+0x158/0x528
[   64.008605]  print_report from kasan_report+0xdc/0x118
[   64.008636]  kasan_report from mempool_uaf_helper+0x388/0x3b8
[   64.008666]  mempool_uaf_helper from mempool_kmalloc_large_uaf+0xbc/0x108
[   64.008697]  mempool_kmalloc_large_uaf from kunit_try_run_case+0x22c/0x5a8
[   64.008697]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   64.008728]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   64.008758]  kthread from ret_from_fork+0x14/0x20
[   64.008789] Exception stack(0xf25e3fb0 to 0xf25e3ff8)
[   64.008789] 3fa0:                                     00000000 00000000 00000000 00000000
[   64.008819] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   64.008819] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   64.008850] 
[   64.121307] The buggy address belongs to the physical page:
[   64.126922] page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x8cc0c
[   64.134185] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   64.141906] flags: 0x40(head|zone=0)
[   64.145507] page_type: f8(unknown)
[   64.148956] raw: 00000040 00000000 00000122 00000000 00000000 00000000 f8000000 00000001
[   64.157073] raw: 00000000
[   64.159729] head: 00000040 00000000 00000122 00000000 00000000 00000000 f8000000 00000001
[   64.167968] head: 00000000 00000002 eebca1b1 ffffffff 00000000 ffffffff 00000000 ffffffff
[   64.176208] head: 00000000 00000004
[   64.179718] page dumped because: kasan: bad access detected
[   64.185302] 
[   64.186828] Memory state around the buggy address:
[   64.191650]  ccc0bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.198211]  ccc0bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.204772] >ccc0c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.211364]            ^
[   64.213897]  ccc0c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.220489]  ccc0c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   64.227050] ==================================================================

[   37.877096] ==================================================================
[   37.888082] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   37.894790] Read of size 1 at addr ffff888105238000 by task kunit_try_catch/276
[   37.902103] 
[   37.903604] CPU: 1 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   37.903613] Tainted: [B]=BAD_PAGE, [N]=TEST
[   37.903615] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   37.903619] Call Trace:
[   37.903620]  <TASK>
[   37.903622]  dump_stack_lvl+0x73/0xb0
[   37.903627]  print_report+0xd1/0x650
[   37.903631]  ? __virt_addr_valid+0x1db/0x2d0
[   37.903635]  ? mempool_uaf_helper+0x392/0x400
[   37.903639]  ? kasan_addr_to_slab+0x11/0xa0
[   37.903643]  ? mempool_uaf_helper+0x392/0x400
[   37.903648]  kasan_report+0x141/0x180
[   37.903652]  ? mempool_uaf_helper+0x392/0x400
[   37.903657]  __asan_report_load1_noabort+0x18/0x20
[   37.903661]  mempool_uaf_helper+0x392/0x400
[   37.903685]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   37.903690]  ? dequeue_entities+0xa24/0x1790
[   37.903695]  ? finish_task_switch.isra.0+0x153/0x700
[   37.903700]  mempool_page_alloc_uaf+0xed/0x140
[   37.903704]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   37.903708]  ? dequeue_task_fair+0x166/0x4e0
[   37.903724]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   37.903728]  ? __pfx_mempool_free_pages+0x10/0x10
[   37.903745]  ? ktime_get_ts64+0x83/0x230
[   37.903750]  kunit_try_run_case+0x1a2/0x480
[   37.903754]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.903759]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   37.903763]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   37.903768]  ? __kthread_parkme+0x82/0x180
[   37.903772]  ? preempt_count_sub+0x50/0x80
[   37.903776]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.903781]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.903785]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   37.903789]  kthread+0x334/0x6f0
[   37.903793]  ? trace_preempt_on+0x20/0xc0
[   37.903797]  ? __pfx_kthread+0x10/0x10
[   37.903801]  ? _raw_spin_unlock_irq+0x47/0x80
[   37.903806]  ? calculate_sigpending+0x7b/0xa0
[   37.903810]  ? __pfx_kthread+0x10/0x10
[   37.903814]  ret_from_fork+0x3e/0x80
[   37.903818]  ? __pfx_kthread+0x10/0x10
[   37.903822]  ret_from_fork_asm+0x1a/0x30
[   37.903828]  </TASK>
[   37.903830] 
[   38.094618] The buggy address belongs to the physical page:
[   38.100189] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105238
[   38.108197] flags: 0x200000000000000(node=0|zone=2)
[   38.113077] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   38.120825] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   38.128572] page dumped because: kasan: bad access detected
[   38.134142] 
[   38.135643] Memory state around the buggy address:
[   38.140435]  ffff888105237f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.147653]  ffff888105237f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.154908] >ffff888105238000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   38.162127]                    ^
[   38.165360]  ffff888105238080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   38.172580]  ffff888105238100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   38.179807] ==================================================================
[   37.069712] ==================================================================
[   37.080950] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   37.087687] Read of size 1 at addr ffff888106b0c000 by task kunit_try_catch/272
[   37.095050] 
[   37.096551] CPU: 3 UID: 0 PID: 272 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   37.096560] Tainted: [B]=BAD_PAGE, [N]=TEST
[   37.096562] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   37.096566] Call Trace:
[   37.096567]  <TASK>
[   37.096569]  dump_stack_lvl+0x73/0xb0
[   37.096574]  print_report+0xd1/0x650
[   37.096578]  ? __virt_addr_valid+0x1db/0x2d0
[   37.096582]  ? mempool_uaf_helper+0x392/0x400
[   37.096586]  ? kasan_addr_to_slab+0x11/0xa0
[   37.096590]  ? mempool_uaf_helper+0x392/0x400
[   37.096595]  kasan_report+0x141/0x180
[   37.096599]  ? mempool_uaf_helper+0x392/0x400
[   37.096604]  __asan_report_load1_noabort+0x18/0x20
[   37.096608]  mempool_uaf_helper+0x392/0x400
[   37.096612]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   37.096617]  ? dequeue_entities+0xa24/0x1790
[   37.096621]  ? finish_task_switch.isra.0+0x153/0x700
[   37.096626]  mempool_kmalloc_large_uaf+0xef/0x140
[   37.096631]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   37.096635]  ? dequeue_task_fair+0x166/0x4e0
[   37.096640]  ? __pfx_mempool_kmalloc+0x10/0x10
[   37.096643]  ? __pfx_mempool_kfree+0x10/0x10
[   37.096647]  ? ktime_get_ts64+0x83/0x230
[   37.096652]  kunit_try_run_case+0x1a2/0x480
[   37.096656]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.096660]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   37.096685]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   37.096690]  ? __kthread_parkme+0x82/0x180
[   37.096695]  ? preempt_count_sub+0x50/0x80
[   37.096699]  ? __pfx_kunit_try_run_case+0x10/0x10
[   37.096704]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   37.096724]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   37.096728]  kthread+0x334/0x6f0
[   37.096745]  ? trace_preempt_on+0x20/0xc0
[   37.096749]  ? __pfx_kthread+0x10/0x10
[   37.096753]  ? _raw_spin_unlock_irq+0x47/0x80
[   37.096757]  ? calculate_sigpending+0x7b/0xa0
[   37.096761]  ? __pfx_kthread+0x10/0x10
[   37.096766]  ret_from_fork+0x3e/0x80
[   37.096770]  ? __pfx_kthread+0x10/0x10
[   37.096774]  ret_from_fork_asm+0x1a/0x30
[   37.096780]  </TASK>
[   37.096782] 
[   37.287224] The buggy address belongs to the physical page:
[   37.292796] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106b0c
[   37.300806] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   37.308464] flags: 0x200000000000040(head|node=0|zone=2)
[   37.313776] page_type: f8(unknown)
[   37.317184] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   37.324925] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   37.332690] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   37.340575] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   37.348410] head: 0200000000000002 ffffea00041ac301 00000000ffffffff 00000000ffffffff
[   37.356242] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   37.364066] page dumped because: kasan: bad access detected
[   37.369641] 
[   37.371138] Memory state around the buggy address:
[   37.375934]  ffff888106b0bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.383161]  ffff888106b0bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.390379] >ffff888106b0c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.397596]                    ^
[   37.400830]  ffff888106b0c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.408049]  ffff888106b0c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.415268] ==================================================================