Date: Nov. 26, 2024, 6:09 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64

```text
[ 33.751865] ==================================================================
[ 33.753082] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.754012] Read of size 1 at addr fff00000c65e0000 by task kunit_try_catch/222
[ 33.754890]
[ 33.755315] CPU: 0 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 33.756585] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.757213] Hardware name: linux,dummy-virt (DT)
[ 33.757949] Call trace:
[ 33.758378]  show_stack+0x20/0x38 (C)
[ 33.759124]  dump_stack_lvl+0x8c/0xd0
[ 33.759699]  print_report+0x118/0x5e0
[ 33.760270]  kasan_report+0xc8/0x118
[ 33.760894]  __asan_report_load1_noabort+0x20/0x30
[ 33.761760]  mempool_uaf_helper+0x314/0x340
[ 33.762394]  mempool_page_alloc_uaf+0xb8/0x118
[ 33.763148]  kunit_try_run_case+0x14c/0x3d0
[ 33.763842]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.764635]  kthread+0x24c/0x2d0
[ 33.765141]  ret_from_fork+0x10/0x20
[ 33.765652]
[ 33.766048] The buggy address belongs to the physical page:
[ 33.766712] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065e0
[ 33.767793] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.768676] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 33.769573] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.770416] page dumped because: kasan: bad access detected
[ 33.771211]
[ 33.771636] Memory state around the buggy address:
[ 33.772339]  fff00000c65dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.773219]  fff00000c65dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.774120] >fff00000c65e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.774987]                    ^
[ 33.775556]  fff00000c65e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.776430]  fff00000c65e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.777196] ==================================================================

[ 33.630377] ==================================================================
[ 33.631396] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.632117] Read of size 1 at addr fff00000c65e0000 by task kunit_try_catch/218
[ 33.633648]
[ 33.633936] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 33.634810] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.635469] Hardware name: linux,dummy-virt (DT)
[ 33.636080] Call trace:
[ 33.636885]  show_stack+0x20/0x38 (C)
[ 33.637407]  dump_stack_lvl+0x8c/0xd0
[ 33.638115]  print_report+0x118/0x5e0
[ 33.638787]  kasan_report+0xc8/0x118
[ 33.639488]  __asan_report_load1_noabort+0x20/0x30
[ 33.640346]  mempool_uaf_helper+0x314/0x340
[ 33.641261]  mempool_kmalloc_large_uaf+0xbc/0x118
[ 33.641975]  kunit_try_run_case+0x14c/0x3d0
[ 33.642663]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.643450]  kthread+0x24c/0x2d0
[ 33.644060]  ret_from_fork+0x10/0x20
[ 33.644891]
[ 33.645260] The buggy address belongs to the physical page:
[ 33.645857] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065e0
[ 33.646872] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 33.648005] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 33.649265] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 33.650335] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.651410] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 33.652713] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.653563] head: 0bfffe0000000002 ffffc1ffc3197801 ffffffffffffffff 0000000000000000
[ 33.654393] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 33.655980] page dumped because: kasan: bad access detected
[ 33.657483]
[ 33.657715] Memory state around the buggy address:
[ 33.658394]  fff00000c65dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.659255]  fff00000c65dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.660019] >fff00000c65e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.661324]                    ^
[ 33.661759]  fff00000c65e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.662934]  fff00000c65e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.663960] ==================================================================

[ 33.654899] ==================================================================
[ 33.656880] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.658092] Read of size 1 at addr fff00000c6588000 by task kunit_try_catch/218
[ 33.658998]
[ 33.659443] CPU: 1 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 33.660549] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.661220] Hardware name: linux,dummy-virt (DT)
[ 33.661919] Call trace:
[ 33.662614]  show_stack+0x20/0x38 (C)
[ 33.663371]  dump_stack_lvl+0x8c/0xd0
[ 33.664162]  print_report+0x118/0x5e0
[ 33.664991]  kasan_report+0xc8/0x118
[ 33.665870]  __asan_report_load1_noabort+0x20/0x30
[ 33.666246]  mempool_uaf_helper+0x314/0x340
[ 33.666553]  mempool_kmalloc_large_uaf+0xbc/0x118
[ 33.666856]  kunit_try_run_case+0x14c/0x3d0
[ 33.667142]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.667463]  kthread+0x24c/0x2d0
[ 33.668622]  ret_from_fork+0x10/0x20
[ 33.669362]
[ 33.670065] The buggy address belongs to the physical page:
[ 33.671092] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106588
[ 33.672215] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 33.673324] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 33.674617] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 33.675597] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.676579] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 33.677419] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.678179] head: 0bfffe0000000002 ffffc1ffc3196201 ffffffffffffffff 0000000000000000
[ 33.679172] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 33.680643] page dumped because: kasan: bad access detected
[ 33.681261]
[ 33.681593] Memory state around the buggy address:
[ 33.682277]  fff00000c6587f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.683068]  fff00000c6587f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.684236] >fff00000c6588000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.685009]                    ^
[ 33.685568]  fff00000c6588080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.686700]  fff00000c6588100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.687475] ==================================================================

[ 33.774867] ==================================================================
[ 33.776150] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 33.776770] Read of size 1 at addr fff00000c662c000 by task kunit_try_catch/222
[ 33.777704]
[ 33.778040] CPU: 0 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 33.779239] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.779864] Hardware name: linux,dummy-virt (DT)
[ 33.780486] Call trace:
[ 33.780959]  show_stack+0x20/0x38 (C)
[ 33.781616]  dump_stack_lvl+0x8c/0xd0
[ 33.782117]  print_report+0x118/0x5e0
[ 33.782772]  kasan_report+0xc8/0x118
[ 33.783388]  __asan_report_load1_noabort+0x20/0x30
[ 33.784015]  mempool_uaf_helper+0x314/0x340
[ 33.784693]  mempool_page_alloc_uaf+0xb8/0x118
[ 33.785394]  kunit_try_run_case+0x14c/0x3d0
[ 33.786019]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.786730]  kthread+0x24c/0x2d0
[ 33.787327]  ret_from_fork+0x10/0x20
[ 33.787976]
[ 33.788359] The buggy address belongs to the physical page:
[ 33.789048] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10662c
[ 33.789952] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.790773] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 33.791752] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.792653] page dumped because: kasan: bad access detected
[ 33.793263]
[ 33.793649] Memory state around the buggy address:
[ 33.794285]  fff00000c662bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.795092]  fff00000c662bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.795971] >fff00000c662c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.796764]                    ^
[ 33.797308]  fff00000c662c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.798077]  fff00000c662c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.798889] ==================================================================
```

qemu-x86_64

```text
[ 27.877756] ==================================================================
[ 27.878156] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 27.878156] Read of size 1 at addr ffff888102b24000 by task kunit_try_catch/242
[ 27.878156]
[ 27.878156] CPU: 1 UID: 0 PID: 242 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 27.878156] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.878156] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.878156] Call Trace:
[ 27.878156]  <TASK>
[ 27.878156]  dump_stack_lvl+0x73/0xb0
[ 27.878156]  print_report+0xd1/0x640
[ 27.878156]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.878156]  ? kasan_addr_to_slab+0x11/0xa0
[ 27.878156]  kasan_report+0x102/0x140
[ 27.878156]  ? mempool_uaf_helper+0x394/0x400
[ 27.878156]  ? mempool_uaf_helper+0x394/0x400
[ 27.878156]  __asan_report_load1_noabort+0x18/0x20
[ 27.878156]  mempool_uaf_helper+0x394/0x400
[ 27.878156]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 27.878156]  ? read_hpet+0x1f0/0x230
[ 27.878156]  ? ktime_get_ts64+0x84/0x230
[ 27.878156]  ? trace_hardirqs_on+0x37/0xe0
[ 27.878156]  mempool_page_alloc_uaf+0xb1/0x100
[ 27.878156]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 27.878156]  ? __switch_to+0x5d9/0xf60
[ 27.878156]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 27.878156]  ? __pfx_mempool_free_pages+0x10/0x10
[ 27.878156]  ? ktime_get_ts64+0x84/0x230
[ 27.878156]  kunit_try_run_case+0x1b3/0x490
[ 27.878156]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.878156]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 27.878156]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.878156]  ? __kthread_parkme+0x82/0x160
[ 27.878156]  ? preempt_count_sub+0x50/0x80
[ 27.878156]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.878156]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.878156]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.878156]  kthread+0x257/0x310
[ 27.878156]  ? __pfx_kthread+0x10/0x10
[ 27.878156]  ret_from_fork+0x41/0x80
[ 27.878156]  ? __pfx_kthread+0x10/0x10
[ 27.878156]  ret_from_fork_asm+0x1a/0x30
[ 27.878156]  </TASK>
[ 27.878156]
[ 27.878156] The buggy address belongs to the physical page:
[ 27.878156] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b24
[ 27.878156] flags: 0x200000000000000(node=0|zone=2)
[ 27.878156] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 27.878156] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 27.878156] page dumped because: kasan: bad access detected
[ 27.878156]
[ 27.878156] Memory state around the buggy address:
[ 27.878156]  ffff888102b23f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.878156]  ffff888102b23f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.878156] >ffff888102b24000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.878156]                    ^
[ 27.878156]  ffff888102b24080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.878156]  ffff888102b24100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.878156] ==================================================================

[ 27.756984] ==================================================================
[ 27.757660] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 27.757660] Read of size 1 at addr ffff888102b24000 by task kunit_try_catch/238
[ 27.757660]
[ 27.757660] CPU: 1 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 27.757660] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.757660] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.757660] Call Trace:
[ 27.757660]  <TASK>
[ 27.757660]  dump_stack_lvl+0x73/0xb0
[ 27.757660]  print_report+0xd1/0x640
[ 27.757660]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.757660]  ? kasan_addr_to_slab+0x11/0xa0
[ 27.757660]  kasan_report+0x102/0x140
[ 27.757660]  ? mempool_uaf_helper+0x394/0x400
[ 27.757660]  ? mempool_uaf_helper+0x394/0x400
[ 27.757660]  __asan_report_load1_noabort+0x18/0x20
[ 27.757660]  mempool_uaf_helper+0x394/0x400
[ 27.757660]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 27.757660]  ? read_hpet+0x1f0/0x230
[ 27.757660]  ? ktime_get_ts64+0x84/0x230
[ 27.757660]  ? trace_hardirqs_on+0x37/0xe0
[ 27.757660]  mempool_kmalloc_large_uaf+0xb3/0x100
[ 27.757660]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 27.757660]  ? __switch_to+0x5d9/0xf60
[ 27.757660]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 27.757660]  ? __pfx_mempool_kfree+0x10/0x10
[ 27.757660]  ? ktime_get_ts64+0x84/0x230
[ 27.757660]  kunit_try_run_case+0x1b3/0x490
[ 27.757660]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.757660]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 27.757660]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.757660]  ? __kthread_parkme+0x82/0x160
[ 27.757660]  ? preempt_count_sub+0x50/0x80
[ 27.757660]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.757660]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.757660]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.757660]  kthread+0x257/0x310
[ 27.757660]  ? __pfx_kthread+0x10/0x10
[ 27.757660]  ret_from_fork+0x41/0x80
[ 27.757660]  ? __pfx_kthread+0x10/0x10
[ 27.757660]  ret_from_fork_asm+0x1a/0x30
[ 27.757660]  </TASK>
[ 27.757660]
[ 27.757660] The buggy address belongs to the physical page:
[ 27.757660] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b24
[ 27.757660] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 27.757660] flags: 0x200000000000040(head|node=0|zone=2)
[ 27.757660] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 27.757660] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 27.757660] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 27.757660] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 27.757660] head: 0200000000000002 ffffea00040ac901 ffffffffffffffff 0000000000000000
[ 27.757660] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 27.757660] page dumped because: kasan: bad access detected
[ 27.757660]
[ 27.757660] Memory state around the buggy address:
[ 27.757660]  ffff888102b23f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.757660]  ffff888102b23f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.757660] >ffff888102b24000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.757660]                    ^
[ 27.757660]  ffff888102b24080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.757660]  ffff888102b24100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.757660] ==================================================================

[ 22.813394] ==================================================================
[ 22.814112] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 22.815441] Read of size 1 at addr ffff888102ad8000 by task kunit_try_catch/240
[ 22.816561]
[ 22.816775] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 22.818071] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.818502] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.819523] Call Trace:
[ 22.820010]  <TASK>
[ 22.820528]  dump_stack_lvl+0x73/0xb0
[ 22.821266]  print_report+0xd1/0x640
[ 22.821662]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.822099]  ? kasan_addr_to_slab+0x11/0xa0
[ 22.822600]  kasan_report+0x102/0x140
[ 22.823033]  ? mempool_uaf_helper+0x394/0x400
[ 22.823606]  ? mempool_uaf_helper+0x394/0x400
[ 22.824018]  __asan_report_load1_noabort+0x18/0x20
[ 22.824349]  mempool_uaf_helper+0x394/0x400
[ 22.824737]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 22.825290]  ? update_curr+0x7d/0x5a0
[ 22.825672]  mempool_page_alloc_uaf+0xb1/0x100
[ 22.826170]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 22.826560]  ? schedule+0x7c/0x310
[ 22.826996]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 22.827321]  ? __pfx_mempool_free_pages+0x10/0x10
[ 22.827878]  ? __pfx_read_tsc+0x10/0x10
[ 22.828239]  ? ktime_get_ts64+0x84/0x230
[ 22.828741]  kunit_try_run_case+0x1b3/0x490
[ 22.829123]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.829642]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 22.830120]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.830467]  ? __kthread_parkme+0x82/0x160
[ 22.830980]  ? preempt_count_sub+0x50/0x80
[ 22.831370]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.831770]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.832137]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.832620]  kthread+0x257/0x310
[ 22.833020]  ? __pfx_kthread+0x10/0x10
[ 22.833447]  ret_from_fork+0x41/0x80
[ 22.833926]  ? __pfx_kthread+0x10/0x10
[ 22.834335]  ret_from_fork_asm+0x1a/0x30
[ 22.834870]  </TASK>
[ 22.835099]
[ 22.835378] The buggy address belongs to the physical page:
[ 22.835942] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ad8
[ 22.836410] flags: 0x200000000000000(node=0|zone=2)
[ 22.836992] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 22.837649] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 22.838238] page dumped because: kasan: bad access detected
[ 22.838620]
[ 22.838842] Memory state around the buggy address:
[ 22.839302]  ffff888102ad7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.839927]  ffff888102ad7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.840572] >ffff888102ad8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.841105]                    ^
[ 22.841363]  ffff888102ad8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.841806]  ffff888102ad8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.842326] ==================================================================

[ 22.691882] ==================================================================
[ 22.692732] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 22.693080] Read of size 1 at addr ffff888102a30000 by task kunit_try_catch/236
[ 22.693713]
[ 22.693976] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 22.696047] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.696900] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.698177] Call Trace:
[ 22.698438]  <TASK>
[ 22.698753]  dump_stack_lvl+0x73/0xb0
[ 22.699128]  print_report+0xd1/0x640
[ 22.699759]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.700145]  ? kasan_addr_to_slab+0x11/0xa0
[ 22.700445]  kasan_report+0x102/0x140
[ 22.701514]  ? mempool_uaf_helper+0x394/0x400
[ 22.702060]  ? mempool_uaf_helper+0x394/0x400
[ 22.702571]  __asan_report_load1_noabort+0x18/0x20
[ 22.703267]  mempool_uaf_helper+0x394/0x400
[ 22.703640]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 22.704248]  ? finish_task_switch.isra.0+0x153/0x700
[ 22.705346]  mempool_kmalloc_large_uaf+0xb3/0x100
[ 22.706016]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 22.706323]  ? __switch_to+0x5d9/0xf60
[ 22.707412]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 22.708522]  ? __pfx_mempool_kfree+0x10/0x10
[ 22.708939]  ? __pfx_read_tsc+0x10/0x10
[ 22.709733]  ? ktime_get_ts64+0x84/0x230
[ 22.710137]  kunit_try_run_case+0x1b3/0x490
[ 22.711282]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.711661]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 22.712175]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.713285]  ? __kthread_parkme+0x82/0x160
[ 22.714017]  ? preempt_count_sub+0x50/0x80
[ 22.714520]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.714934]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.715711]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.716309]  kthread+0x257/0x310
[ 22.717229]  ? __pfx_kthread+0x10/0x10
[ 22.717936]  ret_from_fork+0x41/0x80
[ 22.718546]  ? __pfx_kthread+0x10/0x10
[ 22.718895]  ret_from_fork_asm+0x1a/0x30
[ 22.719637]  </TASK>
[ 22.719886]
[ 22.720127] The buggy address belongs to the physical page:
[ 22.720474] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a30
[ 22.721133] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 22.721630] flags: 0x200000000000040(head|node=0|zone=2)
[ 22.722278] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 22.723038] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 22.723456] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 22.724357] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 22.724974] head: 0200000000000002 ffffea00040a8c01 ffffffffffffffff 0000000000000000
[ 22.726441] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 22.726874] page dumped because: kasan: bad access detected
[ 22.727182]
[ 22.728315] Memory state around the buggy address:
[ 22.728847]  ffff888102a2ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.729665]  ffff888102a2ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.730900] >ffff888102a30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.731378]                    ^
[ 22.731811]  ffff888102a30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.732546]  ffff888102a30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.733334] ==================================================================
```