Hay
Date
April 22, 2025, 11:09 a.m.

Environment
qemu-arm64
qemu-x86_64
rk3399-rock-pi-4b

Note: the KASAN use-after-free reports below are the expected output of the KASAN KUnit self-tests, not evidence of a real memory-safety defect. Each report is raised from `mempool_uaf_helper` inside a `mempool_page_alloc_uaf` or `mempool_kmalloc_large_uaf` test case, the faulting task is `kunit_try_catch`, and the kernel (6.15.0-rc3) is tainted `[N]=TEST`; the tests deliberately touch freed mempool-backed memory to confirm that KASAN catches the access on each platform. Read a report per test case per platform as the pass condition. What would warrant investigation is a KASAN report whose call trace does not originate in a KUnit test thread, or a test case that runs without producing one.
[   20.012620] ==================================================================
[   20.012773] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   20.012916] Read of size 1 at addr fff00000c7a94000 by task kunit_try_catch/235
[   20.013060] 
[   20.013156] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT 
[   20.013344] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.013402] Hardware name: linux,dummy-virt (DT)
[   20.013479] Call trace:
[   20.013551]  show_stack+0x20/0x38 (C)
[   20.013676]  dump_stack_lvl+0x8c/0xd0
[   20.013786]  print_report+0x118/0x608
[   20.013885]  kasan_report+0xdc/0x128
[   20.013987]  __asan_report_load1_noabort+0x20/0x30
[   20.014102]  mempool_uaf_helper+0x314/0x340
[   20.014209]  mempool_page_alloc_uaf+0xc0/0x118
[   20.014325]  kunit_try_run_case+0x170/0x3f0
[   20.014437]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.014574]  kthread+0x328/0x630
[   20.014678]  ret_from_fork+0x10/0x20
[   20.014785] 
[   20.014836] The buggy address belongs to the physical page:
[   20.014913] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107a94
[   20.015039] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.015183] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   20.015303] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   20.015389] page dumped because: kasan: bad access detected
[   20.015453] 
[   20.015493] Memory state around the buggy address:
[   20.015577]  fff00000c7a93f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.015674]  fff00000c7a93f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.015763] >fff00000c7a94000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.015854]                    ^
[   20.015922]  fff00000c7a94080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.016021]  fff00000c7a94100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.016113] ==================================================================
[   19.935208] ==================================================================
[   19.935381] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   19.935504] Read of size 1 at addr fff00000c6bb8000 by task kunit_try_catch/231
[   19.935621] 
[   19.935825] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT 
[   19.935993] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.936051] Hardware name: linux,dummy-virt (DT)
[   19.936137] Call trace:
[   19.936187]  show_stack+0x20/0x38 (C)
[   19.936327]  dump_stack_lvl+0x8c/0xd0
[   19.936616]  print_report+0x118/0x608
[   19.936868]  kasan_report+0xdc/0x128
[   19.937052]  __asan_report_load1_noabort+0x20/0x30
[   19.937155]  mempool_uaf_helper+0x314/0x340
[   19.937248]  mempool_kmalloc_large_uaf+0xc4/0x120
[   19.937512]  kunit_try_run_case+0x170/0x3f0
[   19.937708]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.937847]  kthread+0x328/0x630
[   19.937943]  ret_from_fork+0x10/0x20
[   19.938048] 
[   19.938096] The buggy address belongs to the physical page:
[   19.938169] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106bb8
[   19.938438] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   19.938641] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   19.938806] page_type: f8(unknown)
[   19.938902] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   19.939004] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   19.939113] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   19.939222] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   19.939588] head: 0bfffe0000000002 ffffc1ffc31aee01 00000000ffffffff 00000000ffffffff
[   19.939714] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   19.939807] page dumped because: kasan: bad access detected
[   19.939869] 
[   19.939907] Memory state around the buggy address:
[   19.939964]  fff00000c6bb7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.940069]  fff00000c6bb7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.940197] >fff00000c6bb8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.940289]                    ^
[   19.940350]  fff00000c6bb8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.940445]  fff00000c6bb8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.940545] ==================================================================

[   20.403461] ==================================================================
[   20.404517] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   20.405839] Read of size 1 at addr ffff888103cb4000 by task kunit_try_catch/249
[   20.406377] 
[   20.407204] CPU: 1 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   20.407296] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.407314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   20.407347] Call Trace:
[   20.407369]  <TASK>
[   20.407396]  dump_stack_lvl+0x73/0xb0
[   20.407808]  print_report+0xd1/0x650
[   20.407860]  ? __virt_addr_valid+0x1db/0x2d0
[   20.407901]  ? mempool_uaf_helper+0x392/0x400
[   20.407935]  ? kasan_addr_to_slab+0x11/0xa0
[   20.407964]  ? mempool_uaf_helper+0x392/0x400
[   20.407996]  kasan_report+0x141/0x180
[   20.408028]  ? mempool_uaf_helper+0x392/0x400
[   20.408067]  __asan_report_load1_noabort+0x18/0x20
[   20.408095]  mempool_uaf_helper+0x392/0x400
[   20.408129]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   20.408163]  ? dequeue_entities+0xa24/0x1790
[   20.408201]  ? finish_task_switch.isra.0+0x153/0x700
[   20.408241]  mempool_kmalloc_large_uaf+0xef/0x140
[   20.408275]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   20.408308]  ? dequeue_task_fair+0x166/0x4e0
[   20.408339]  ? __pfx_mempool_kmalloc+0x10/0x10
[   20.408369]  ? __pfx_mempool_kfree+0x10/0x10
[   20.408398]  ? __pfx_read_tsc+0x10/0x10
[   20.408437]  ? ktime_get_ts64+0x86/0x230
[   20.408581]  kunit_try_run_case+0x1a5/0x480
[   20.408626]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.408658]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   20.408695]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   20.408730]  ? __kthread_parkme+0x82/0x180
[   20.408762]  ? preempt_count_sub+0x50/0x80
[   20.408795]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.408828]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.408861]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   20.408893]  kthread+0x337/0x6f0
[   20.408922]  ? trace_preempt_on+0x20/0xc0
[   20.408957]  ? __pfx_kthread+0x10/0x10
[   20.408988]  ? _raw_spin_unlock_irq+0x47/0x80
[   20.409019]  ? calculate_sigpending+0x7b/0xa0
[   20.409050]  ? __pfx_kthread+0x10/0x10
[   20.409081]  ret_from_fork+0x41/0x80
[   20.409110]  ? __pfx_kthread+0x10/0x10
[   20.409141]  ret_from_fork_asm+0x1a/0x30
[   20.409186]  </TASK>
[   20.409201] 
[   20.429866] The buggy address belongs to the physical page:
[   20.430440] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103cb4
[   20.431114] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   20.431623] flags: 0x200000000000040(head|node=0|zone=2)
[   20.432398] page_type: f8(unknown)
[   20.432930] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   20.433664] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   20.434364] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   20.434987] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   20.436673] head: 0200000000000002 ffffea00040f2d01 00000000ffffffff 00000000ffffffff
[   20.437205] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   20.437856] page dumped because: kasan: bad access detected
[   20.438231] 
[   20.438457] Memory state around the buggy address:
[   20.439046]  ffff888103cb3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.439847]  ffff888103cb3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.440469] >ffff888103cb4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.441214]                    ^
[   20.441646]  ffff888103cb4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.442246]  ffff888103cb4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.442978] ==================================================================
[   20.531034] ==================================================================
[   20.531718] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   20.532728] Read of size 1 at addr ffff888103cb4000 by task kunit_try_catch/253
[   20.533273] 
[   20.534176] CPU: 1 UID: 0 PID: 253 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   20.534764] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.534803] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   20.534866] Call Trace:
[   20.534921]  <TASK>
[   20.534991]  dump_stack_lvl+0x73/0xb0
[   20.535082]  print_report+0xd1/0x650
[   20.535159]  ? __virt_addr_valid+0x1db/0x2d0
[   20.535218]  ? mempool_uaf_helper+0x392/0x400
[   20.535255]  ? kasan_addr_to_slab+0x11/0xa0
[   20.535287]  ? mempool_uaf_helper+0x392/0x400
[   20.535321]  kasan_report+0x141/0x180
[   20.535354]  ? mempool_uaf_helper+0x392/0x400
[   20.535394]  __asan_report_load1_noabort+0x18/0x20
[   20.535433]  mempool_uaf_helper+0x392/0x400
[   20.535559]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   20.535624]  ? dequeue_entities+0xa24/0x1790
[   20.535665]  ? finish_task_switch.isra.0+0x153/0x700
[   20.535706]  mempool_page_alloc_uaf+0xed/0x140
[   20.535736]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   20.535763]  ? dequeue_task_fair+0x166/0x4e0
[   20.535795]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   20.535826]  ? __pfx_mempool_free_pages+0x10/0x10
[   20.535857]  ? __pfx_read_tsc+0x10/0x10
[   20.535887]  ? ktime_get_ts64+0x86/0x230
[   20.535924]  kunit_try_run_case+0x1a5/0x480
[   20.535961]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.535992]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   20.536027]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   20.536061]  ? __kthread_parkme+0x82/0x180
[   20.536093]  ? preempt_count_sub+0x50/0x80
[   20.536126]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.536160]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.536194]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   20.536227]  kthread+0x337/0x6f0
[   20.536257]  ? trace_preempt_on+0x20/0xc0
[   20.536291]  ? __pfx_kthread+0x10/0x10
[   20.536321]  ? _raw_spin_unlock_irq+0x47/0x80
[   20.536355]  ? calculate_sigpending+0x7b/0xa0
[   20.536386]  ? __pfx_kthread+0x10/0x10
[   20.536418]  ret_from_fork+0x41/0x80
[   20.536466]  ? __pfx_kthread+0x10/0x10
[   20.536558]  ret_from_fork_asm+0x1a/0x30
[   20.536654]  </TASK>
[   20.536689] 
[   20.560809] The buggy address belongs to the physical page:
[   20.561241] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103cb4
[   20.562772] flags: 0x200000000000000(node=0|zone=2)
[   20.563221] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   20.564140] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   20.565054] page dumped because: kasan: bad access detected
[   20.565476] 
[   20.565709] Memory state around the buggy address:
[   20.566142]  ffff888103cb3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.567339]  ffff888103cb3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.568512] >ffff888103cb4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.569095]                    ^
[   20.569727]  ffff888103cb4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.570394]  ffff888103cb4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.571222] ==================================================================

[   21.452408] ==================================================================
[   21.453479] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   21.454129] Read of size 1 at addr ffff000002598000 by task kunit_try_catch/287
[   21.454808] 
[   21.454973] CPU: 2 UID: 0 PID: 287 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT 
[   21.455024] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.455038] Hardware name: Radxa ROCK Pi 4B (DT)
[   21.455056] Call trace:
[   21.455068]  show_stack+0x20/0x38 (C)
[   21.455101]  dump_stack_lvl+0x8c/0xd0
[   21.455132]  print_report+0x118/0x608
[   21.455162]  kasan_report+0xdc/0x128
[   21.455190]  __asan_report_load1_noabort+0x20/0x30
[   21.455224]  mempool_uaf_helper+0x314/0x340
[   21.455259]  mempool_kmalloc_large_uaf+0xc4/0x120
[   21.455295]  kunit_try_run_case+0x170/0x3f0
[   21.455331]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.455370]  kthread+0x328/0x630
[   21.455404]  ret_from_fork+0x10/0x20
[   21.455437] 
[   21.461436] The buggy address belongs to the physical page:
[   21.461953] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2598
[   21.462677] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   21.463384] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[   21.464035] page_type: f8(unknown)
[   21.464371] raw: 03fffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   21.465087] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   21.465803] head: 03fffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   21.466527] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   21.467251] head: 03fffe0000000002 fffffdffc0096601 00000000ffffffff 00000000ffffffff
[   21.467975] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   21.468692] page dumped because: kasan: bad access detected
[   21.469207] 
[   21.469360] Memory state around the buggy address:
[   21.469809]  ffff000002597f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.470476]  ffff000002597f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.471142] >ffff000002598000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.471805]                    ^
[   21.472116]  ffff000002598080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.472782]  ffff000002598100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.473444] ==================================================================
[   21.522232] ==================================================================
[   21.523243] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   21.523873] Read of size 1 at addr ffff0000103c4000 by task kunit_try_catch/291
[   21.524538] 
[   21.524693] CPU: 4 UID: 0 PID: 291 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT 
[   21.524729] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.524739] Hardware name: Radxa ROCK Pi 4B (DT)
[   21.524751] Call trace:
[   21.524760]  show_stack+0x20/0x38 (C)
[   21.524783]  dump_stack_lvl+0x8c/0xd0
[   21.524804]  print_report+0x118/0x608
[   21.524823]  kasan_report+0xdc/0x128
[   21.524842]  __asan_report_load1_noabort+0x20/0x30
[   21.524863]  mempool_uaf_helper+0x314/0x340
[   21.524886]  mempool_page_alloc_uaf+0xc0/0x118
[   21.524912]  kunit_try_run_case+0x170/0x3f0
[   21.524934]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.524960]  kthread+0x328/0x630
[   21.524982]  ret_from_fork+0x10/0x20
[   21.525003] 
[   21.530926] The buggy address belongs to the physical page:
[   21.531431] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103c4
[   21.532148] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[   21.532754] raw: 03fffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   21.533454] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   21.534150] page dumped because: kasan: bad access detected
[   21.534655] 
[   21.534800] Memory state around the buggy address:
[   21.535238]  ffff0000103c3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.535891]  ffff0000103c3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.536543] >ffff0000103c4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.537191]                    ^
[   21.537493]  ffff0000103c4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.538146]  ffff0000103c4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.538795] ==================================================================