Hay
Sign in
Date
Nov. 22, 2024, 6:35 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   36.490308] ==================================================================
[   36.491789] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   36.492784] Read of size 1 at addr fff00000c6b90000 by task kunit_try_catch/222
[   36.494702] 
[   36.495501] CPU: 0 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241122 #1
[   36.497981] Tainted: [B]=BAD_PAGE, [N]=TEST
[   36.498872] Hardware name: linux,dummy-virt (DT)
[   36.499601] Call trace:
[   36.500011]  show_stack+0x20/0x38 (C)
[   36.501301]  dump_stack_lvl+0x8c/0xd0
[   36.502222]  print_report+0x118/0x5e0
[   36.502688]  kasan_report+0xc8/0x118
[   36.503552]  __asan_report_load1_noabort+0x20/0x30
[   36.504269]  mempool_uaf_helper+0x314/0x340
[   36.505269]  mempool_page_alloc_uaf+0xb8/0x118
[   36.505952]  kunit_try_run_case+0x14c/0x3d0
[   36.506638]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.507493]  kthread+0x24c/0x2d0
[   36.508089]  ret_from_fork+0x10/0x20
[   36.509131] 
[   36.509466] The buggy address belongs to the physical page:
[   36.510690] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106b90
[   36.511979] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   36.513219] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   36.514365] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   36.515555] page dumped because: kasan: bad access detected
[   36.516550] 
[   36.516990] Memory state around the buggy address:
[   36.517657]  fff00000c6b8ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.518759]  fff00000c6b8ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.519756] >fff00000c6b90000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.520874]                    ^
[   36.521695]  fff00000c6b90080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.522784]  fff00000c6b90100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.523836] ==================================================================
[   36.354056] ==================================================================
[   36.355483] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   36.356877] Read of size 1 at addr fff00000c6b80000 by task kunit_try_catch/218
[   36.358608] 
[   36.358932] CPU: 1 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241122 #1
[   36.360730] Tainted: [B]=BAD_PAGE, [N]=TEST
[   36.361674] Hardware name: linux,dummy-virt (DT)
[   36.362135] Call trace:
[   36.362847]  show_stack+0x20/0x38 (C)
[   36.363412]  dump_stack_lvl+0x8c/0xd0
[   36.364011]  print_report+0x118/0x5e0
[   36.364994]  kasan_report+0xc8/0x118
[   36.365559]  __asan_report_load1_noabort+0x20/0x30
[   36.366338]  mempool_uaf_helper+0x314/0x340
[   36.368030]  mempool_kmalloc_large_uaf+0xbc/0x118
[   36.368763]  kunit_try_run_case+0x14c/0x3d0
[   36.369511]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.370379]  kthread+0x24c/0x2d0
[   36.371018]  ret_from_fork+0x10/0x20
[   36.371624] 
[   36.371977] The buggy address belongs to the physical page:
[   36.373418] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106b80
[   36.374170] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   36.375240] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   36.376143] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   36.377173] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   36.378277] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   36.380007] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   36.381267] head: 0bfffe0000000002 ffffc1ffc31ae001 ffffffffffffffff 0000000000000000
[   36.382753] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[   36.383773] page dumped because: kasan: bad access detected
[   36.384607] 
[   36.384968] Memory state around the buggy address:
[   36.386041]  fff00000c6b7ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.387210]  fff00000c6b7ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.388402] >fff00000c6b80000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.390203]                    ^
[   36.390766]  fff00000c6b80080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.391905]  fff00000c6b80100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   36.393246] ==================================================================
Metadata Full log Test run details 

[   27.355678] ==================================================================
[   27.356354] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[   27.356854] Read of size 1 at addr ffff888102cf4000 by task kunit_try_catch/237
[   27.357260] 
[   27.357494] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241122 #1
[   27.358475] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.359033] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.360204] Call Trace:
[   27.360581]  <TASK>
[   27.361051]  dump_stack_lvl+0x73/0xb0
[   27.361559]  print_report+0xd1/0x640
[   27.362610]  ? __virt_addr_valid+0x1db/0x2d0
[   27.363243]  ? kasan_addr_to_slab+0x11/0xa0
[   27.363735]  kasan_report+0x102/0x140
[   27.364503]  ? mempool_uaf_helper+0x394/0x400
[   27.365015]  ? mempool_uaf_helper+0x394/0x400
[   27.365530]  __asan_report_load1_noabort+0x18/0x20
[   27.366089]  mempool_uaf_helper+0x394/0x400
[   27.366585]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   27.367068]  ? finish_task_switch.isra.0+0x153/0x700
[   27.367612]  mempool_kmalloc_large_uaf+0xb3/0x100
[   27.367974]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   27.368500]  ? __switch_to+0x5d9/0xf60
[   27.369383]  ? __pfx_mempool_kmalloc+0x10/0x10
[   27.369746]  ? __pfx_mempool_kfree+0x10/0x10
[   27.370483]  ? __pfx_read_tsc+0x10/0x10
[   27.370851]  ? ktime_get_ts64+0x84/0x230
[   27.371442]  kunit_try_run_case+0x1b3/0x490
[   27.371987]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.372362]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   27.372841]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.373765]  ? __kthread_parkme+0x82/0x160
[   27.374455]  ? preempt_count_sub+0x50/0x80
[   27.375078]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.375491]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.376217]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.376624]  kthread+0x257/0x310
[   27.377380]  ? __pfx_kthread+0x10/0x10
[   27.378052]  ret_from_fork+0x41/0x80
[   27.378441]  ? __pfx_kthread+0x10/0x10
[   27.378714]  ret_from_fork_asm+0x1a/0x30
[   27.379416]  </TASK>
[   27.379626] 
[   27.380000] The buggy address belongs to the physical page:
[   27.380453] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102cf4
[   27.381098] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   27.381722] flags: 0x200000000000040(head|node=0|zone=2)
[   27.382604] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   27.383305] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   27.384585] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   27.385431] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   27.386468] head: 0200000000000002 ffffea00040b3d01 ffffffffffffffff 0000000000000000
[   27.387285] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[   27.387908] page dumped because: kasan: bad access detected
[   27.388299] 
[   27.388452] Memory state around the buggy address:
[   27.388804]  ffff888102cf3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.389547]  ffff888102cf3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.390605] >ffff888102cf4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.391282]                    ^
[   27.391643]  ffff888102cf4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.392240]  ffff888102cf4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.393047] ==================================================================
[   27.477776] ==================================================================
[   27.478806] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[   27.479638] Read of size 1 at addr ffff888102d20000 by task kunit_try_catch/241
[   27.481317] 
[   27.482141] CPU: 0 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241122 #1
[   27.483181] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.484205] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.484614] Call Trace:
[   27.484778]  <TASK>
[   27.484962]  dump_stack_lvl+0x73/0xb0
[   27.485224]  print_report+0xd1/0x640
[   27.486178]  ? __virt_addr_valid+0x1db/0x2d0
[   27.486728]  ? kasan_addr_to_slab+0x11/0xa0
[   27.487548]  kasan_report+0x102/0x140
[   27.487934]  ? mempool_uaf_helper+0x394/0x400
[   27.489017]  ? mempool_uaf_helper+0x394/0x400
[   27.489749]  __asan_report_load1_noabort+0x18/0x20
[   27.490923]  mempool_uaf_helper+0x394/0x400
[   27.491414]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   27.491708]  ? finish_task_switch.isra.0+0x153/0x700
[   27.492752]  mempool_page_alloc_uaf+0xb1/0x100
[   27.493103]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   27.493641]  ? __switch_to+0x5d9/0xf60
[   27.494564]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   27.494997]  ? __pfx_mempool_free_pages+0x10/0x10
[   27.495653]  ? __pfx_read_tsc+0x10/0x10
[   27.495997]  ? ktime_get_ts64+0x84/0x230
[   27.496713]  kunit_try_run_case+0x1b3/0x490
[   27.498208]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.498970]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   27.499731]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.500605]  ? __kthread_parkme+0x82/0x160
[   27.501790]  ? preempt_count_sub+0x50/0x80
[   27.502211]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.503130]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.503602]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.504123]  kthread+0x257/0x310
[   27.504977]  ? __pfx_kthread+0x10/0x10
[   27.505206]  ret_from_fork+0x41/0x80
[   27.505424]  ? __pfx_kthread+0x10/0x10
[   27.505802]  ret_from_fork_asm+0x1a/0x30
[   27.506631]  </TASK>
[   27.507591] 
[   27.507775] The buggy address belongs to the physical page:
[   27.508777] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d20
[   27.510326] flags: 0x200000000000000(node=0|zone=2)
[   27.510703] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   27.511804] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   27.512336] page dumped because: kasan: bad access detected
[   27.512803] 
[   27.513021] Memory state around the buggy address:
[   27.513473]  ffff888102d1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.514735]  ffff888102d1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.515896] >ffff888102d20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.516837]                    ^
[   27.517044]  ffff888102d20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.518103]  ffff888102d20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.518565] ==================================================================
Metadata Full log Test run details