Date
Nov. 27, 2024, 3:37 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 50.263976] ================================================================== [ 50.265713] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 50.266914] Read of size 1 at addr fff00000c6157240 by task kunit_try_catch/220 [ 50.268121] [ 50.268427] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 50.270190] Tainted: [B]=BAD_PAGE, [N]=TEST [ 50.270955] Hardware name: linux,dummy-virt (DT) [ 50.271764] Call trace: [ 50.272178] show_stack+0x20/0x38 (C) [ 50.272759] dump_stack_lvl+0x8c/0xd0 [ 50.273755] print_report+0x118/0x5e0 [ 50.274341] kasan_report+0xc8/0x118 [ 50.274809] __asan_report_load1_noabort+0x20/0x30 [ 50.275487] mempool_uaf_helper+0x314/0x340 [ 50.276089] mempool_slab_uaf+0xb8/0x110 [ 50.276573] kunit_try_run_case+0x14c/0x3d0 [ 50.277242] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.277976] kthread+0x24c/0x2d0 [ 50.278904] ret_from_fork+0x10/0x20 [ 50.279423] [ 50.279760] Allocated by task 220: [ 50.280270] kasan_save_stack+0x3c/0x68 [ 50.280924] kasan_save_track+0x20/0x40 [ 50.282471] kasan_save_alloc_info+0x40/0x58 [ 50.283215] __kasan_mempool_unpoison_object+0xbc/0x180 [ 50.283876] remove_element+0x16c/0x1f8 [ 50.284721] mempool_alloc_preallocated+0x58/0xc0 [ 50.285330] mempool_uaf_helper+0xa4/0x340 [ 50.285921] mempool_slab_uaf+0xb8/0x110 [ 50.286425] kunit_try_run_case+0x14c/0x3d0 [ 50.287329] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.288138] kthread+0x24c/0x2d0 [ 50.288778] ret_from_fork+0x10/0x20 [ 50.289646] [ 50.289997] Freed by task 220: [ 50.290629] kasan_save_stack+0x3c/0x68 [ 50.291316] kasan_save_track+0x20/0x40 [ 50.291888] kasan_save_free_info+0x4c/0x78 [ 50.292525] __kasan_mempool_poison_object+0xc0/0x150 [ 50.293231] mempool_free+0x28c/0x328 [ 50.294141] mempool_uaf_helper+0x104/0x340 [ 50.294863] mempool_slab_uaf+0xb8/0x110 [ 50.295618] kunit_try_run_case+0x14c/0x3d0 [ 50.296405] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.297138] kthread+0x24c/0x2d0 [ 50.297711] ret_from_fork+0x10/0x20 [ 50.298318] [ 50.298744] The buggy address belongs to the object at fff00000c6157240 [ 50.298744] which belongs to the cache test_cache of size 123 [ 50.300186] The buggy address is located 0 bytes inside of [ 50.300186] freed 123-byte region [fff00000c6157240, fff00000c61572bb) [ 50.301517] [ 50.301846] The buggy address belongs to the physical page: [ 50.302520] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106157 [ 50.303534] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 50.304587] page_type: f5(slab) [ 50.305699] raw: 0bfffe0000000000 fff00000c6181500 dead000000000122 0000000000000000 [ 50.307062] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000 [ 50.307903] page dumped because: kasan: bad access detected [ 50.308560] [ 50.308928] Memory state around the buggy address: [ 50.309988] fff00000c6157100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 50.310999] fff00000c6157180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.311982] >fff00000c6157200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 50.312853] ^ [ 50.313760] fff00000c6157280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 50.314675] fff00000c6157300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.315532] ================================================================== [ 50.154619] ================================================================== [ 50.155759] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 50.156549] Read of size 1 at addr fff00000c610ac00 by task kunit_try_catch/216 [ 50.157652] [ 50.158054] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 50.159176] Tainted: [B]=BAD_PAGE, [N]=TEST [ 50.159772] Hardware name: linux,dummy-virt (DT) [ 50.160462] Call trace: [ 50.160854] show_stack+0x20/0x38 (C) [ 50.161694] dump_stack_lvl+0x8c/0xd0 [ 50.162321] print_report+0x118/0x5e0 [ 50.162815] kasan_report+0xc8/0x118 [ 50.163572] __asan_report_load1_noabort+0x20/0x30 [ 50.164202] mempool_uaf_helper+0x314/0x340 [ 50.164817] mempool_kmalloc_uaf+0xbc/0x118 [ 50.165844] kunit_try_run_case+0x14c/0x3d0 [ 50.167042] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.167806] kthread+0x24c/0x2d0 [ 50.168361] ret_from_fork+0x10/0x20 [ 50.169216] [ 50.169717] Allocated by task 216: [ 50.170175] kasan_save_stack+0x3c/0x68 [ 50.170743] kasan_save_track+0x20/0x40 [ 50.171382] kasan_save_alloc_info+0x40/0x58 [ 50.171998] __kasan_mempool_unpoison_object+0x11c/0x180 [ 50.172793] remove_element+0x130/0x1f8 [ 50.173692] mempool_alloc_preallocated+0x58/0xc0 [ 50.174631] mempool_uaf_helper+0xa4/0x340 [ 50.175184] mempool_kmalloc_uaf+0xbc/0x118 [ 50.175964] kunit_try_run_case+0x14c/0x3d0 [ 50.176492] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.177408] kthread+0x24c/0x2d0 [ 50.178274] ret_from_fork+0x10/0x20 [ 50.179096] [ 50.179386] Freed by task 216: [ 50.179854] kasan_save_stack+0x3c/0x68 [ 50.180607] kasan_save_track+0x20/0x40 [ 50.181527] kasan_save_free_info+0x4c/0x78 [ 50.182326] __kasan_mempool_poison_object+0xc0/0x150 [ 50.183259] mempool_free+0x28c/0x328 [ 50.183947] mempool_uaf_helper+0x104/0x340 [ 50.184645] mempool_kmalloc_uaf+0xbc/0x118 [ 50.185803] kunit_try_run_case+0x14c/0x3d0 [ 50.186404] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.187268] kthread+0x24c/0x2d0 [ 50.187915] ret_from_fork+0x10/0x20 [ 50.188538] [ 50.188886] The buggy address belongs to the object at fff00000c610ac00 [ 50.188886] which belongs to the cache kmalloc-128 of size 128 [ 50.191063] The buggy address is located 0 bytes inside of [ 50.191063] freed 128-byte region [fff00000c610ac00, fff00000c610ac80) [ 50.192795] [ 50.193147] The buggy address belongs to the physical page: [ 50.194361] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10610a [ 50.195376] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 50.196270] page_type: f5(slab) [ 50.196840] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 50.198092] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 50.199534] page dumped because: kasan: bad access detected [ 50.200307] [ 50.200643] Memory state around the buggy address: [ 50.201542] fff00000c610ab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.202737] fff00000c610ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.203715] >fff00000c610ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.204634] ^ [ 50.205655] fff00000c610ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.206711] fff00000c610ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 50.207844] ==================================================================
[ 27.547401] ================================================================== [ 27.549895] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 27.551544] Read of size 1 at addr ffff888101ab8240 by task kunit_try_catch/239 [ 27.552492] [ 27.553073] CPU: 1 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 27.555319] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.555820] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.557724] Call Trace: [ 27.558760] <TASK> [ 27.559702] dump_stack_lvl+0x73/0xb0 [ 27.561078] print_report+0xd1/0x640 [ 27.562255] ? __virt_addr_valid+0x1db/0x2d0 [ 27.563504] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.564644] kasan_report+0x102/0x140 [ 27.564969] ? mempool_uaf_helper+0x394/0x400 [ 27.566301] ? mempool_uaf_helper+0x394/0x400 [ 27.567436] __asan_report_load1_noabort+0x18/0x20 [ 27.569109] mempool_uaf_helper+0x394/0x400 [ 27.570053] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 27.571728] ? ret_from_fork+0x41/0x80 [ 27.572701] mempool_slab_uaf+0xae/0x100 [ 27.573520] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 27.574376] ? __switch_to+0x5d9/0xf60 [ 27.575324] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 27.576309] ? __pfx_mempool_free_slab+0x10/0x10 [ 27.577140] ? __pfx_read_tsc+0x10/0x10 [ 27.577843] ? ktime_get_ts64+0x84/0x230 [ 27.578625] kunit_try_run_case+0x1b3/0x490 [ 27.579630] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.580440] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 27.581846] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.583682] ? __kthread_parkme+0x82/0x160 [ 27.584709] ? preempt_count_sub+0x50/0x80 [ 27.585797] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.587603] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.588680] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.589947] kthread+0x257/0x310 [ 27.590587] ? __pfx_kthread+0x10/0x10 [ 27.591932] ret_from_fork+0x41/0x80 [ 27.592539] ? __pfx_kthread+0x10/0x10 [ 27.593573] ret_from_fork_asm+0x1a/0x30 [ 27.596331] </TASK> [ 27.596744] [ 27.597139] Allocated by task 239: [ 27.598658] kasan_save_stack+0x3d/0x60 [ 27.599631] kasan_save_track+0x18/0x40 [ 27.600436] kasan_save_alloc_info+0x3b/0x50 [ 27.601683] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 27.602774] remove_element+0x11e/0x190 [ 27.603412] mempool_alloc_preallocated+0x4d/0x90 [ 27.604937] mempool_uaf_helper+0x97/0x400 [ 27.606546] mempool_slab_uaf+0xae/0x100 [ 27.607618] kunit_try_run_case+0x1b3/0x490 [ 27.608551] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.609535] kthread+0x257/0x310 [ 27.609951] ret_from_fork+0x41/0x80 [ 27.610652] ret_from_fork_asm+0x1a/0x30 [ 27.611931] [ 27.612450] Freed by task 239: [ 27.613503] kasan_save_stack+0x3d/0x60 [ 27.614308] kasan_save_track+0x18/0x40 [ 27.615557] kasan_save_free_info+0x3f/0x60 [ 27.616652] __kasan_mempool_poison_object+0x131/0x1d0 [ 27.617724] mempool_free+0x2ec/0x380 [ 27.618673] mempool_uaf_helper+0x11b/0x400 [ 27.619308] mempool_slab_uaf+0xae/0x100 [ 27.620146] kunit_try_run_case+0x1b3/0x490 [ 27.621049] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.622135] kthread+0x257/0x310 [ 27.622909] ret_from_fork+0x41/0x80 [ 27.623775] ret_from_fork_asm+0x1a/0x30 [ 27.624236] [ 27.624640] The buggy address belongs to the object at ffff888101ab8240 [ 27.624640] which belongs to the cache test_cache of size 123 [ 27.625755] The buggy address is located 0 bytes inside of [ 27.625755] freed 123-byte region [ffff888101ab8240, ffff888101ab82bb) [ 27.628524] [ 27.628798] The buggy address belongs to the physical page: [ 27.629926] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ab8 [ 27.630783] flags: 0x200000000000000(node=0|zone=2) [ 27.632201] page_type: f5(slab) [ 27.633082] raw: 0200000000000000 ffff888101ab4140 dead000000000122 0000000000000000 [ 27.633789] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000 [ 27.634383] page dumped because: kasan: bad access detected [ 27.635691] [ 27.636120] Memory state around the buggy address: [ 27.636936] ffff888101ab8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.638042] ffff888101ab8180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.639489] >ffff888101ab8200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 27.640157] ^ [ 27.640929] ffff888101ab8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.641684] ffff888101ab8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.642956] ================================================================== [ 27.351031] ================================================================== [ 27.352457] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 27.353707] Read of size 1 at addr ffff888102a52400 by task kunit_try_catch/235 [ 27.354917] [ 27.355644] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 27.357120] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.358080] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.359151] Call Trace: [ 27.359836] <TASK> [ 27.360386] dump_stack_lvl+0x73/0xb0 [ 27.361432] print_report+0xd1/0x640 [ 27.362455] ? __virt_addr_valid+0x1db/0x2d0 [ 27.363540] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.364473] kasan_report+0x102/0x140 [ 27.365522] ? mempool_uaf_helper+0x394/0x400 [ 27.366622] ? mempool_uaf_helper+0x394/0x400 [ 27.367534] __asan_report_load1_noabort+0x18/0x20 [ 27.368217] mempool_uaf_helper+0x394/0x400 [ 27.369395] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 27.370526] ? ret_from_fork+0x41/0x80 [ 27.371378] ? kthread+0x257/0x310 [ 27.372263] ? ret_from_fork_asm+0x1a/0x30 [ 27.373326] ? ret_from_fork_asm+0x1a/0x30 [ 27.374194] mempool_kmalloc_uaf+0xb3/0x100 [ 27.374840] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 27.375906] ? __pfx_mempool_kmalloc+0x10/0x10 [ 27.376710] ? __pfx_mempool_kfree+0x10/0x10 [ 27.377628] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 27.378839] kunit_try_run_case+0x1b3/0x490 [ 27.379623] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.380312] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 27.381462] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.382486] ? __kthread_parkme+0x82/0x160 [ 27.383515] ? preempt_count_sub+0x50/0x80 [ 27.384502] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.385517] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.386710] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.387946] kthread+0x257/0x310 [ 27.388713] ? __pfx_kthread+0x10/0x10 [ 27.389670] ret_from_fork+0x41/0x80 [ 27.390605] ? __pfx_kthread+0x10/0x10 [ 27.391436] ret_from_fork_asm+0x1a/0x30 [ 27.392949] </TASK> [ 27.393503] [ 27.394089] Allocated by task 235: [ 27.394929] kasan_save_stack+0x3d/0x60 [ 27.395741] kasan_save_track+0x18/0x40 [ 27.396740] kasan_save_alloc_info+0x3b/0x50 [ 27.397749] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 27.398913] remove_element+0x11e/0x190 [ 27.399889] mempool_alloc_preallocated+0x4d/0x90 [ 27.400682] mempool_uaf_helper+0x97/0x400 [ 27.401624] mempool_kmalloc_uaf+0xb3/0x100 [ 27.402625] kunit_try_run_case+0x1b3/0x490 [ 27.403369] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.404481] kthread+0x257/0x310 [ 27.405332] ret_from_fork+0x41/0x80 [ 27.406227] ret_from_fork_asm+0x1a/0x30 [ 27.407209] [ 27.407795] Freed by task 235: [ 27.408638] kasan_save_stack+0x3d/0x60 [ 27.409301] kasan_save_track+0x18/0x40 [ 27.410458] kasan_save_free_info+0x3f/0x60 [ 27.411207] __kasan_mempool_poison_object+0x131/0x1d0 [ 27.412357] mempool_free+0x2ec/0x380 [ 27.413148] mempool_uaf_helper+0x11b/0x400 [ 27.413946] mempool_kmalloc_uaf+0xb3/0x100 [ 27.415119] kunit_try_run_case+0x1b3/0x490 [ 27.415697] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.416840] kthread+0x257/0x310 [ 27.417570] ret_from_fork+0x41/0x80 [ 27.418170] ret_from_fork_asm+0x1a/0x30 [ 27.419039] [ 27.419540] The buggy address belongs to the object at ffff888102a52400 [ 27.419540] which belongs to the cache kmalloc-128 of size 128 [ 27.420707] The buggy address is located 0 bytes inside of [ 27.420707] freed 128-byte region [ffff888102a52400, ffff888102a52480) [ 27.422541] [ 27.423083] The buggy address belongs to the physical page: [ 27.423951] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a52 [ 27.425171] flags: 0x200000000000000(node=0|zone=2) [ 27.427304] page_type: f5(slab) [ 27.428971] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 27.429917] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 27.431570] page dumped because: kasan: bad access detected [ 27.432742] [ 27.434133] Memory state around the buggy address: [ 27.434722] ffff888102a52300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.436924] ffff888102a52380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.437796] >ffff888102a52400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.439411] ^ [ 27.440453] ffff888102a52480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.441816] ffff888102a52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.443522] ==================================================================