Date: Nov. 27, 2024, 3:37 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 50.218410] ==================================================================
[ 50.219617] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 50.220370] Read of size 1 at addr fff00000c66e0000 by task kunit_try_catch/218
[ 50.221308]
[ 50.222233] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1
[ 50.223423] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 50.223972] Hardware name: linux,dummy-virt (DT)
[ 50.224771] Call trace:
[ 50.225217]  show_stack+0x20/0x38 (C)
[ 50.225771]  dump_stack_lvl+0x8c/0xd0
[ 50.226700]  print_report+0x118/0x5e0
[ 50.227399]  kasan_report+0xc8/0x118
[ 50.227962]  __asan_report_load1_noabort+0x20/0x30
[ 50.228825]  mempool_uaf_helper+0x314/0x340
[ 50.229903]  mempool_kmalloc_large_uaf+0xbc/0x118
[ 50.230577]  kunit_try_run_case+0x14c/0x3d0
[ 50.231170]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 50.232003]  kthread+0x24c/0x2d0
[ 50.232546]  ret_from_fork+0x10/0x20
[ 50.233509]
[ 50.233795] The buggy address belongs to the physical page:
[ 50.234432] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066e0
[ 50.235401] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 50.236281] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 50.237331] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 50.238211] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 50.239440] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 50.240387] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 50.241758] head: 0bfffe0000000002 ffffc1ffc319b801 ffffffffffffffff 0000000000000000
[ 50.242555] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 50.243417] page dumped because: kasan: bad access detected
[ 50.244203]
[ 50.244621] Memory state around the buggy address:
[ 50.245709]  fff00000c66dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.246591]  fff00000c66dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.247515] >fff00000c66e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.248468]                    ^
[ 50.248950]  fff00000c66e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.250069]  fff00000c66e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.251127] ==================================================================
[ 50.332202] ==================================================================
[ 50.333572] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 50.335484] Read of size 1 at addr fff00000c66e4000 by task kunit_try_catch/222
[ 50.336901]
[ 50.337682] CPU: 0 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1
[ 50.338870] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 50.339602] Hardware name: linux,dummy-virt (DT)
[ 50.340252] Call trace:
[ 50.340715]  show_stack+0x20/0x38 (C)
[ 50.342129]  dump_stack_lvl+0x8c/0xd0
[ 50.342667]  print_report+0x118/0x5e0
[ 50.343168]  kasan_report+0xc8/0x118
[ 50.343976]  __asan_report_load1_noabort+0x20/0x30
[ 50.344598]  mempool_uaf_helper+0x314/0x340
[ 50.345208]  mempool_page_alloc_uaf+0xb8/0x118
[ 50.346269]  kunit_try_run_case+0x14c/0x3d0
[ 50.347119]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 50.347733]  kthread+0x24c/0x2d0
[ 50.348361]  ret_from_fork+0x10/0x20
[ 50.349011]
[ 50.349453] The buggy address belongs to the physical page:
[ 50.350888] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066e4
[ 50.352058] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 50.352956] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 50.354190] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 50.355106] page dumped because: kasan: bad access detected
[ 50.355856]
[ 50.356185] Memory state around the buggy address:
[ 50.356834]  fff00000c66e3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.358110]  fff00000c66e3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.359128] >fff00000c66e4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.359895]                    ^
[ 50.360611]  fff00000c66e4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.361794]  fff00000c66e4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.362662] ==================================================================
```
qemu-x86_64:

```text
[ 27.661080] ==================================================================
[ 27.662280] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 27.662607] Read of size 1 at addr ffff888102cdc000 by task kunit_try_catch/241
[ 27.662884]
[ 27.663050] CPU: 0 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1
[ 27.664893] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.665505] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.666313] Call Trace:
[ 27.666577]  <TASK>
[ 27.666945]  dump_stack_lvl+0x73/0xb0
[ 27.667538]  print_report+0xd1/0x640
[ 27.668000]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.668590]  ? kasan_addr_to_slab+0x11/0xa0
[ 27.669127]  kasan_report+0x102/0x140
[ 27.669615]  ? mempool_uaf_helper+0x394/0x400
[ 27.670215]  ? mempool_uaf_helper+0x394/0x400
[ 27.670613]  __asan_report_load1_noabort+0x18/0x20
[ 27.671362]  mempool_uaf_helper+0x394/0x400
[ 27.671801]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 27.672444]  ? irqentry_exit+0x2a/0x60
[ 27.672956]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 27.673527]  mempool_page_alloc_uaf+0xb1/0x100
[ 27.674212]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 27.674693]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 27.675230]  ? __pfx_mempool_free_pages+0x10/0x10
[ 27.675715]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 27.676196]  kunit_try_run_case+0x1b3/0x490
[ 27.676651]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.677206]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 27.677665]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.678300]  ? __kthread_parkme+0x82/0x160
[ 27.678688]  ? preempt_count_sub+0x50/0x80
[ 27.679251]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.679656]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.680363]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.680892]  kthread+0x257/0x310
[ 27.681371]  ? __pfx_kthread+0x10/0x10
[ 27.681699]  ret_from_fork+0x41/0x80
[ 27.682283]  ? __pfx_kthread+0x10/0x10
[ 27.682626]  ret_from_fork_asm+0x1a/0x30
[ 27.683257]  </TASK>
[ 27.683511]
[ 27.683667] The buggy address belongs to the physical page:
[ 27.684460] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102cdc
[ 27.685144] flags: 0x200000000000000(node=0|zone=2)
[ 27.685683] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 27.686553] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 27.687293] page dumped because: kasan: bad access detected
[ 27.687846]
[ 27.688177] Memory state around the buggy address:
[ 27.688590]  ffff888102cdbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.689385]  ffff888102cdbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.690102] >ffff888102cdc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.690768]                    ^
[ 27.691219]  ffff888102cdc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.691925]  ffff888102cdc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.692583] ==================================================================
[ 27.461558] ==================================================================
[ 27.463396] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 27.464973] Read of size 1 at addr ffff888102c6c000 by task kunit_try_catch/237
[ 27.467528]
[ 27.468119] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1
[ 27.469303] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.470199] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.471482] Call Trace:
[ 27.472254]  <TASK>
[ 27.472879]  dump_stack_lvl+0x73/0xb0
[ 27.473863]  print_report+0xd1/0x640
[ 27.474810]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.475783]  ? kasan_addr_to_slab+0x11/0xa0
[ 27.476704]  kasan_report+0x102/0x140
[ 27.477694]  ? mempool_uaf_helper+0x394/0x400
[ 27.478578]  ? mempool_uaf_helper+0x394/0x400
[ 27.479671]  __asan_report_load1_noabort+0x18/0x20
[ 27.480659]  mempool_uaf_helper+0x394/0x400
[ 27.481472]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 27.482547]  ? finish_task_switch.isra.0+0x153/0x700
[ 27.483665]  mempool_kmalloc_large_uaf+0xb3/0x100
[ 27.484776]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 27.485659]  ? __switch_to+0x5d9/0xf60
[ 27.486685]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 27.487622]  ? __pfx_mempool_kfree+0x10/0x10
[ 27.488799]  ? __pfx_read_tsc+0x10/0x10
[ 27.489853]  ? ktime_get_ts64+0x84/0x230
[ 27.490896]  kunit_try_run_case+0x1b3/0x490
[ 27.492145]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.493404]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 27.494107]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.495320]  ? __kthread_parkme+0x82/0x160
[ 27.496172]  ? preempt_count_sub+0x50/0x80
[ 27.496973]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.498515]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.499681]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.500940]  kthread+0x257/0x310
[ 27.501768]  ? __pfx_kthread+0x10/0x10
[ 27.502849]  ret_from_fork+0x41/0x80
[ 27.503743]  ? __pfx_kthread+0x10/0x10
[ 27.504611]  ret_from_fork_asm+0x1a/0x30
[ 27.505316]  </TASK>
[ 27.505853]
[ 27.506461] The buggy address belongs to the physical page:
[ 27.507089] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c6c
[ 27.508397] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 27.509241] flags: 0x200000000000040(head|node=0|zone=2)
[ 27.510183] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 27.511442] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 27.512552] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 27.513733] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 27.514880] head: 0200000000000002 ffffea00040b1b01 ffffffffffffffff 0000000000000000
[ 27.515890] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 27.516961] page dumped because: kasan: bad access detected
[ 27.517932]
[ 27.518642] Memory state around the buggy address:
[ 27.519322]  ffff888102c6bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.520605]  ffff888102c6bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.521574] >ffff888102c6c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.522760]                    ^
[ 27.523669]  ffff888102c6c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.524453]  ffff888102c6c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.525575] ==================================================================
```