Date
Nov. 20, 2024, 6:35 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 38.946196] ================================================================== [ 38.947332] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 38.948232] Read of size 1 at addr fff00000c652ee00 by task kunit_try_catch/216 [ 38.948886] [ 38.949340] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 38.950429] Tainted: [B]=BAD_PAGE, [N]=TEST [ 38.951089] Hardware name: linux,dummy-virt (DT) [ 38.951836] Call trace: [ 38.952372] show_stack+0x20/0x38 (C) [ 38.953025] dump_stack_lvl+0x8c/0xd0 [ 38.953624] print_report+0x118/0x5e0 [ 38.954206] kasan_report+0xc8/0x118 [ 38.954800] __asan_report_load1_noabort+0x20/0x30 [ 38.955433] mempool_uaf_helper+0x314/0x340 [ 38.956087] mempool_kmalloc_uaf+0xbc/0x118 [ 38.956717] kunit_try_run_case+0x14c/0x3d0 [ 38.957386] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 38.958117] kthread+0x24c/0x2d0 [ 38.958668] ret_from_fork+0x10/0x20 [ 38.959214] [ 38.959533] Allocated by task 216: [ 38.960049] kasan_save_stack+0x3c/0x68 [ 38.960645] kasan_save_track+0x20/0x40 [ 38.961234] kasan_save_alloc_info+0x40/0x58 [ 38.961900] __kasan_mempool_unpoison_object+0x11c/0x180 [ 38.962540] remove_element+0x130/0x1f8 [ 38.963154] mempool_alloc_preallocated+0x58/0xc0 [ 38.963759] mempool_uaf_helper+0xa4/0x340 [ 38.964389] mempool_kmalloc_uaf+0xbc/0x118 [ 38.964954] kunit_try_run_case+0x14c/0x3d0 [ 38.965617] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 38.966256] kthread+0x24c/0x2d0 [ 38.966826] ret_from_fork+0x10/0x20 [ 38.967322] [ 38.967706] Freed by task 216: [ 38.968210] kasan_save_stack+0x3c/0x68 [ 38.968757] kasan_save_track+0x20/0x40 [ 38.969368] kasan_save_free_info+0x4c/0x78 [ 38.969967] __kasan_mempool_poison_object+0xc0/0x150 [ 38.970689] mempool_free+0x28c/0x328 [ 38.971181] mempool_uaf_helper+0x104/0x340 [ 38.971827] mempool_kmalloc_uaf+0xbc/0x118 [ 38.972414] kunit_try_run_case+0x14c/0x3d0 [ 38.973023] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 38.973674] kthread+0x24c/0x2d0 [ 38.974233] ret_from_fork+0x10/0x20 [ 38.974760] [ 38.975085] The buggy address belongs to the object at fff00000c652ee00 [ 38.975085] which belongs to the cache kmalloc-128 of size 128 [ 38.976383] The buggy address is located 0 bytes inside of [ 38.976383] freed 128-byte region [fff00000c652ee00, fff00000c652ee80) [ 38.977617] [ 38.977975] The buggy address belongs to the physical page: [ 38.978701] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10652e [ 38.979628] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 38.980433] page_type: f5(slab) [ 38.980961] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 38.981863] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 38.982699] page dumped because: kasan: bad access detected [ 38.983325] [ 38.983692] Memory state around the buggy address: [ 38.984346] fff00000c652ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.985119] fff00000c652ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 38.985886] >fff00000c652ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.986648] ^ [ 38.987101] fff00000c652ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 38.987919] fff00000c652ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 38.988806] ================================================================== [ 39.049087] ================================================================== [ 39.050278] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 39.051162] Read of size 1 at addr fff00000c1bed240 by task kunit_try_catch/220 [ 39.051997] [ 39.052384] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 39.053652] Tainted: [B]=BAD_PAGE, [N]=TEST [ 39.055076] Hardware name: linux,dummy-virt (DT) [ 39.055571] Call trace: [ 39.055867] show_stack+0x20/0x38 (C) [ 39.056355] dump_stack_lvl+0x8c/0xd0 [ 39.057055] print_report+0x118/0x5e0 [ 39.057627] kasan_report+0xc8/0x118 [ 39.058106] __asan_report_load1_noabort+0x20/0x30 [ 39.058833] mempool_uaf_helper+0x314/0x340 [ 39.059467] mempool_slab_uaf+0xb8/0x110 [ 39.060019] kunit_try_run_case+0x14c/0x3d0 [ 39.060986] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 39.061714] kthread+0x24c/0x2d0 [ 39.062190] ret_from_fork+0x10/0x20 [ 39.063110] [ 39.063409] Allocated by task 220: [ 39.064162] kasan_save_stack+0x3c/0x68 [ 39.064779] kasan_save_track+0x20/0x40 [ 39.065412] kasan_save_alloc_info+0x40/0x58 [ 39.066857] __kasan_mempool_unpoison_object+0xbc/0x180 [ 39.067556] remove_element+0x16c/0x1f8 [ 39.068134] mempool_alloc_preallocated+0x58/0xc0 [ 39.068796] mempool_uaf_helper+0xa4/0x340 [ 39.069313] mempool_slab_uaf+0xb8/0x110 [ 39.070226] kunit_try_run_case+0x14c/0x3d0 [ 39.070732] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 39.071410] kthread+0x24c/0x2d0 [ 39.071849] ret_from_fork+0x10/0x20 [ 39.072847] [ 39.073194] Freed by task 220: [ 39.073769] kasan_save_stack+0x3c/0x68 [ 39.074421] kasan_save_track+0x20/0x40 [ 39.075042] kasan_save_free_info+0x4c/0x78 [ 39.075712] __kasan_mempool_poison_object+0xc0/0x150 [ 39.076548] mempool_free+0x28c/0x328 [ 39.077199] mempool_uaf_helper+0x104/0x340 [ 39.078247] mempool_slab_uaf+0xb8/0x110 [ 39.078977] kunit_try_run_case+0x14c/0x3d0 [ 39.079585] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 39.080319] kthread+0x24c/0x2d0 [ 39.081210] ret_from_fork+0x10/0x20 [ 39.081816] [ 39.082211] The buggy address belongs to the object at fff00000c1bed240 [ 39.082211] which belongs to the cache test_cache of size 123 [ 39.083506] The buggy address is located 0 bytes inside of [ 39.083506] freed 123-byte region [fff00000c1bed240, fff00000c1bed2bb) [ 39.084766] [ 39.085226] The buggy address belongs to the physical page: [ 39.086266] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bed [ 39.088052] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 39.088935] page_type: f5(slab) [ 39.089588] raw: 0bfffe0000000000 fff00000c59d3a00 dead000000000122 0000000000000000 [ 39.090609] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000 [ 39.091585] page dumped because: kasan: bad access detected [ 39.092181] [ 39.092489] Memory state around the buggy address: [ 39.093242] fff00000c1bed100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 39.094464] fff00000c1bed180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.095307] >fff00000c1bed200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 39.096588] ^ [ 39.097129] fff00000c1bed280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 39.097800] fff00000c1bed300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.098364] ==================================================================
[ 30.605627] ================================================================== [ 30.606386] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 30.606788] Read of size 1 at addr ffff888101ad9240 by task kunit_try_catch/238 [ 30.607152] [ 30.607309] CPU: 0 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 30.609187] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.611219] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 30.612117] Call Trace: [ 30.612385] <TASK> [ 30.612645] dump_stack_lvl+0x73/0xb0 [ 30.614686] print_report+0xd1/0x640 [ 30.615526] ? __virt_addr_valid+0x1db/0x2d0 [ 30.616154] ? kasan_complete_mode_report_info+0x64/0x200 [ 30.616477] kasan_report+0x102/0x140 [ 30.616836] ? mempool_uaf_helper+0x394/0x400 [ 30.617115] ? mempool_uaf_helper+0x394/0x400 [ 30.617397] __asan_report_load1_noabort+0x18/0x20 [ 30.617764] mempool_uaf_helper+0x394/0x400 [ 30.619085] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 30.620201] ? finish_task_switch.isra.0+0x153/0x700 [ 30.621379] mempool_slab_uaf+0xae/0x100 [ 30.621882] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 30.622960] ? __switch_to+0x5d9/0xf60 [ 30.623468] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 30.623978] ? __pfx_mempool_free_slab+0x10/0x10 [ 30.624658] ? __pfx_read_tsc+0x10/0x10 [ 30.625328] ? ktime_get_ts64+0x84/0x230 [ 30.625666] kunit_try_run_case+0x1b3/0x490 [ 30.626462] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.627079] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 30.627662] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 30.628290] ? __kthread_parkme+0x82/0x160 [ 30.629052] ? preempt_count_sub+0x50/0x80 [ 30.630195] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.630782] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 30.631550] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.632721] kthread+0x257/0x310 [ 30.633133] ? __pfx_kthread+0x10/0x10 [ 30.633869] ret_from_fork+0x41/0x80 [ 30.634383] ? __pfx_kthread+0x10/0x10 [ 30.634860] ret_from_fork_asm+0x1a/0x30 [ 30.635367] </TASK> [ 30.635673] [ 30.636029] Allocated by task 238: [ 30.636954] kasan_save_stack+0x3d/0x60 [ 30.637944] kasan_save_track+0x18/0x40 [ 30.638418] kasan_save_alloc_info+0x3b/0x50 [ 30.639015] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 30.640025] remove_element+0x11e/0x190 [ 30.640510] mempool_alloc_preallocated+0x4d/0x90 [ 30.641212] mempool_uaf_helper+0x97/0x400 [ 30.642273] mempool_slab_uaf+0xae/0x100 [ 30.642723] kunit_try_run_case+0x1b3/0x490 [ 30.643407] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.643920] kthread+0x257/0x310 [ 30.644501] ret_from_fork+0x41/0x80 [ 30.645407] ret_from_fork_asm+0x1a/0x30 [ 30.645613] [ 30.645777] Freed by task 238: [ 30.646973] kasan_save_stack+0x3d/0x60 [ 30.647762] kasan_save_track+0x18/0x40 [ 30.648034] kasan_save_free_info+0x3f/0x60 [ 30.648630] __kasan_mempool_poison_object+0x131/0x1d0 [ 30.649503] mempool_free+0x2ec/0x380 [ 30.650076] mempool_uaf_helper+0x11b/0x400 [ 30.650677] mempool_slab_uaf+0xae/0x100 [ 30.651262] kunit_try_run_case+0x1b3/0x490 [ 30.651940] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.652909] kthread+0x257/0x310 [ 30.653196] ret_from_fork+0x41/0x80 [ 30.654295] ret_from_fork_asm+0x1a/0x30 [ 30.654796] [ 30.655134] The buggy address belongs to the object at ffff888101ad9240 [ 30.655134] which belongs to the cache test_cache of size 123 [ 30.656267] The buggy address is located 0 bytes inside of [ 30.656267] freed 123-byte region [ffff888101ad9240, ffff888101ad92bb) [ 30.657718] [ 30.657941] The buggy address belongs to the physical page: [ 30.658438] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ad9 [ 30.659360] flags: 0x200000000000000(node=0|zone=2) [ 30.660039] page_type: f5(slab) [ 30.660787] raw: 0200000000000000 ffff888101ad2140 dead000000000122 0000000000000000 [ 30.661683] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000 [ 30.662550] page dumped because: kasan: bad access detected [ 30.663089] [ 30.663485] Memory state around the buggy address: [ 30.664029] ffff888101ad9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.665208] ffff888101ad9180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.665939] >ffff888101ad9200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 30.666834] ^ [ 30.667883] ffff888101ad9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.669042] ffff888101ad9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.670178] ================================================================== [ 30.482037] ================================================================== [ 30.482821] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 30.483232] Read of size 1 at addr ffff888101acf900 by task kunit_try_catch/234 [ 30.484533] [ 30.484959] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 30.486592] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.487589] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 30.489028] Call Trace: [ 30.489621] <TASK> [ 30.489917] dump_stack_lvl+0x73/0xb0 [ 30.491058] print_report+0xd1/0x640 [ 30.491926] ? __virt_addr_valid+0x1db/0x2d0 [ 30.492520] ? kasan_complete_mode_report_info+0x64/0x200 [ 30.493196] kasan_report+0x102/0x140 [ 30.493803] ? mempool_uaf_helper+0x394/0x400 [ 30.494566] ? mempool_uaf_helper+0x394/0x400 [ 30.495204] __asan_report_load1_noabort+0x18/0x20 [ 30.495843] mempool_uaf_helper+0x394/0x400 [ 30.496571] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 30.497064] ? finish_task_switch.isra.0+0x153/0x700 [ 30.497940] mempool_kmalloc_uaf+0xb3/0x100 [ 30.498624] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 30.499482] ? __switch_to+0x5d9/0xf60 [ 30.500263] ? __pfx_mempool_kmalloc+0x10/0x10 [ 30.501058] ? __pfx_mempool_kfree+0x10/0x10 [ 30.501925] ? __pfx_read_tsc+0x10/0x10 [ 30.502588] ? ktime_get_ts64+0x84/0x230 [ 30.503376] kunit_try_run_case+0x1b3/0x490 [ 30.504100] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.505171] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 30.505777] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 30.506903] ? __kthread_parkme+0x82/0x160 [ 30.507469] ? preempt_count_sub+0x50/0x80 [ 30.507925] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.508397] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 30.509942] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.510599] kthread+0x257/0x310 [ 30.511367] ? __pfx_kthread+0x10/0x10 [ 30.512153] ret_from_fork+0x41/0x80 [ 30.512806] ? __pfx_kthread+0x10/0x10 [ 30.513852] ret_from_fork_asm+0x1a/0x30 [ 30.514807] </TASK> [ 30.515126] [ 30.515605] Allocated by task 234: [ 30.516405] kasan_save_stack+0x3d/0x60 [ 30.516816] kasan_save_track+0x18/0x40 [ 30.517761] kasan_save_alloc_info+0x3b/0x50 [ 30.518353] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 30.519361] remove_element+0x11e/0x190 [ 30.520042] mempool_alloc_preallocated+0x4d/0x90 [ 30.521071] mempool_uaf_helper+0x97/0x400 [ 30.521455] mempool_kmalloc_uaf+0xb3/0x100 [ 30.522401] kunit_try_run_case+0x1b3/0x490 [ 30.523190] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.524263] kthread+0x257/0x310 [ 30.524581] ret_from_fork+0x41/0x80 [ 30.525541] ret_from_fork_asm+0x1a/0x30 [ 30.526148] [ 30.526401] Freed by task 234: [ 30.527295] kasan_save_stack+0x3d/0x60 [ 30.527612] kasan_save_track+0x18/0x40 [ 30.528920] kasan_save_free_info+0x3f/0x60 [ 30.529305] __kasan_mempool_poison_object+0x131/0x1d0 [ 30.530245] mempool_free+0x2ec/0x380 [ 30.531016] mempool_uaf_helper+0x11b/0x400 [ 30.531301] mempool_kmalloc_uaf+0xb3/0x100 [ 30.532070] kunit_try_run_case+0x1b3/0x490 [ 30.532550] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.533348] kthread+0x257/0x310 [ 30.534127] ret_from_fork+0x41/0x80 [ 30.534788] ret_from_fork_asm+0x1a/0x30 [ 30.535540] [ 30.535811] The buggy address belongs to the object at ffff888101acf900 [ 30.535811] which belongs to the cache kmalloc-128 of size 128 [ 30.537515] The buggy address is located 0 bytes inside of [ 30.537515] freed 128-byte region [ffff888101acf900, ffff888101acf980) [ 30.538506] [ 30.538734] The buggy address belongs to the physical page: [ 30.539829] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101acf [ 30.540862] flags: 0x200000000000000(node=0|zone=2) [ 30.541612] page_type: f5(slab) [ 30.541878] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 30.542651] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 30.543275] page dumped because: kasan: bad access detected [ 30.544300] [ 30.544441] Memory state around the buggy address: [ 30.545647] ffff888101acf800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.547051] ffff888101acf880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.547990] >ffff888101acf900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.548966] ^ [ 30.549759] ffff888101acf980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.550940] ffff888101acfa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.551651] ==================================================================