Date: Nov. 28, 2024, 2:36 a.m.
Environment: qemu-arm64

```
[ 32.896223] ==================================================================
[ 32.897677] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.898760] Read of size 1 at addr fff00000c407e240 by task kunit_try_catch/219
[ 32.899167]
[ 32.899487] CPU: 0 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 32.900521] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.901160] Hardware name: linux,dummy-virt (DT)
[ 32.902098] Call trace:
[ 32.902529]  show_stack+0x20/0x38 (C)
[ 32.903218]  dump_stack_lvl+0x8c/0xd0
[ 32.903827]  print_report+0x118/0x5e0
[ 32.904444]  kasan_report+0xc8/0x118
[ 32.905298]  __asan_report_load1_noabort+0x20/0x30
[ 32.905909]  mempool_uaf_helper+0x314/0x340
[ 32.906572]  mempool_slab_uaf+0xb8/0x110
[ 32.907169]  kunit_try_run_case+0x14c/0x3d0
[ 32.907810]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.908515]  kthread+0x24c/0x2d0
[ 32.909133]  ret_from_fork+0x10/0x20
[ 32.909883]
[ 32.910248] Allocated by task 219:
[ 32.910832]  kasan_save_stack+0x3c/0x68
[ 32.911436]  kasan_save_track+0x20/0x40
[ 32.912023]  kasan_save_alloc_info+0x40/0x58
[ 32.912619]  __kasan_mempool_unpoison_object+0xbc/0x180
[ 32.913619]  remove_element+0x16c/0x1f8
[ 32.914318]  mempool_alloc_preallocated+0x58/0xc0
[ 32.914934]  mempool_uaf_helper+0xa4/0x340
[ 32.915747]  mempool_slab_uaf+0xb8/0x110
[ 32.916255]  kunit_try_run_case+0x14c/0x3d0
[ 32.916771]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.918703]  kthread+0x24c/0x2d0
[ 32.919267]  ret_from_fork+0x10/0x20
[ 32.919821]
[ 32.920412] Freed by task 219:
[ 32.920890]  kasan_save_stack+0x3c/0x68
[ 32.921759]  kasan_save_track+0x20/0x40
[ 32.922302]  kasan_save_free_info+0x4c/0x78
[ 32.922819]  __kasan_mempool_poison_object+0xc0/0x150
[ 32.923633]  mempool_free+0x28c/0x328
[ 32.924040]  mempool_uaf_helper+0x104/0x340
[ 32.924751]  mempool_slab_uaf+0xb8/0x110
[ 32.925677]  kunit_try_run_case+0x14c/0x3d0
[ 32.926393]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.927199]  kthread+0x24c/0x2d0
[ 32.927789]  ret_from_fork+0x10/0x20
[ 32.928403]
[ 32.928845] The buggy address belongs to the object at fff00000c407e240
[ 32.928845]  which belongs to the cache test_cache of size 123
[ 32.930487] The buggy address is located 0 bytes inside of
[ 32.930487]  freed 123-byte region [fff00000c407e240, fff00000c407e2bb)
[ 32.931729]
[ 32.932137] The buggy address belongs to the physical page:
[ 32.932876] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10407e
[ 32.933853] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.934616] page_type: f5(slab)
[ 32.935180] raw: 0bfffe0000000000 fff00000c5b9f8c0 dead000000000122 0000000000000000
[ 32.936005] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[ 32.936844] page dumped because: kasan: bad access detected
[ 32.938019]
[ 32.938310] Memory state around the buggy address:
[ 32.938940]  fff00000c407e100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.939707]  fff00000c407e180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.941253] >fff00000c407e200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 32.942330]                                            ^
[ 32.942900]  fff00000c407e280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.943641]  fff00000c407e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.944657] ==================================================================
[ 32.795024] ==================================================================
[ 32.796287] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.797147] Read of size 1 at addr fff00000c406b300 by task kunit_try_catch/215
[ 32.797888]
[ 32.798282] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 32.799401] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.799964] Hardware name: linux,dummy-virt (DT)
[ 32.800609] Call trace:
[ 32.801235]  show_stack+0x20/0x38 (C)
[ 32.801838]  dump_stack_lvl+0x8c/0xd0
[ 32.802346]  print_report+0x118/0x5e0
[ 32.802923]  kasan_report+0xc8/0x118
[ 32.803521]  __asan_report_load1_noabort+0x20/0x30
[ 32.804162]  mempool_uaf_helper+0x314/0x340
[ 32.804802]  mempool_kmalloc_uaf+0xbc/0x118
[ 32.805646]  kunit_try_run_case+0x14c/0x3d0
[ 32.806319]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.807051]  kthread+0x24c/0x2d0
[ 32.807616]  ret_from_fork+0x10/0x20
[ 32.808196]
[ 32.808513] Allocated by task 215:
[ 32.809639]  kasan_save_stack+0x3c/0x68
[ 32.810161]  kasan_save_track+0x20/0x40
[ 32.810700]  kasan_save_alloc_info+0x40/0x58
[ 32.811363]  __kasan_mempool_unpoison_object+0x11c/0x180
[ 32.812028]  remove_element+0x130/0x1f8
[ 32.812651]  mempool_alloc_preallocated+0x58/0xc0
[ 32.813591]  mempool_uaf_helper+0xa4/0x340
[ 32.814008]  mempool_kmalloc_uaf+0xbc/0x118
[ 32.814638]  kunit_try_run_case+0x14c/0x3d0
[ 32.815314]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.815929]  kthread+0x24c/0x2d0
[ 32.816513]  ret_from_fork+0x10/0x20
[ 32.817232]
[ 32.817827] Freed by task 215:
[ 32.818181]  kasan_save_stack+0x3c/0x68
[ 32.818604]  kasan_save_track+0x20/0x40
[ 32.819025]  kasan_save_free_info+0x4c/0x78
[ 32.819766]  __kasan_mempool_poison_object+0xc0/0x150
[ 32.820994]  mempool_free+0x28c/0x328
[ 32.821455]  mempool_uaf_helper+0x104/0x340
[ 32.822050]  mempool_kmalloc_uaf+0xbc/0x118
[ 32.822608]  kunit_try_run_case+0x14c/0x3d0
[ 32.823247]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.823991]  kthread+0x24c/0x2d0
[ 32.824504]  ret_from_fork+0x10/0x20
[ 32.824970]
[ 32.825330] The buggy address belongs to the object at fff00000c406b300
[ 32.825330]  which belongs to the cache kmalloc-128 of size 128
[ 32.826474] The buggy address is located 0 bytes inside of
[ 32.826474]  freed 128-byte region [fff00000c406b300, fff00000c406b380)
[ 32.827641]
[ 32.827977] The buggy address belongs to the physical page:
[ 32.828689] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10406b
[ 32.829510] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.830210] page_type: f5(slab)
[ 32.830729] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.831579] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 32.832434] page dumped because: kasan: bad access detected
[ 32.833077]
[ 32.833434] Memory state around the buggy address:
[ 32.834056]  fff00000c406b200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.834778]  fff00000c406b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.835575] >fff00000c406b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.836386]                    ^
[ 32.836895]  fff00000c406b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.837683]  fff00000c406b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.838463] ==================================================================
```

Environment: qemu-x86_64

```
[ 23.663822] ==================================================================
[ 23.664842] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[ 23.665276] Read of size 1 at addr ffff888101b61f00 by task kunit_try_catch/235
[ 23.665708]
[ 23.666143] CPU: 1 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 23.668215] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.668537] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.669631] Call Trace:
[ 23.669895]  <TASK>
[ 23.670115]  dump_stack_lvl+0x73/0xb0
[ 23.670501]  print_report+0xd1/0x640
[ 23.670937]  ? __virt_addr_valid+0x1db/0x2d0
[ 23.671924]  ? kasan_complete_mode_report_info+0x64/0x200
[ 23.672759]  kasan_report+0x102/0x140
[ 23.673004]  ? mempool_uaf_helper+0x394/0x400
[ 23.674023]  ? mempool_uaf_helper+0x394/0x400
[ 23.674843]  __asan_report_load1_noabort+0x18/0x20
[ 23.675380]  mempool_uaf_helper+0x394/0x400
[ 23.675704]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 23.676867]  ? finish_task_switch.isra.0+0x153/0x700
[ 23.677573]  mempool_kmalloc_uaf+0xb3/0x100
[ 23.678031]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[ 23.678508]  ? __switch_to+0x5d9/0xf60
[ 23.678880]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 23.679321]  ? __pfx_mempool_kfree+0x10/0x10
[ 23.680567]  ? __pfx_read_tsc+0x10/0x10
[ 23.681101]  ? ktime_get_ts64+0x84/0x230
[ 23.682129]  kunit_try_run_case+0x1b3/0x490
[ 23.682705]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.683531]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 23.683825]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.684153]  ? __kthread_parkme+0x82/0x160
[ 23.684878]  ? preempt_count_sub+0x50/0x80
[ 23.685237]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.686190]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.686899]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.687719]  kthread+0x257/0x310
[ 23.687896]  ? __pfx_kthread+0x10/0x10
[ 23.688098]  ret_from_fork+0x41/0x80
[ 23.689604]  ? __pfx_kthread+0x10/0x10
[ 23.690091]  ret_from_fork_asm+0x1a/0x30
[ 23.690839]  </TASK>
[ 23.691504]
[ 23.691943] Allocated by task 235:
[ 23.692245]  kasan_save_stack+0x3d/0x60
[ 23.693108]  kasan_save_track+0x18/0x40
[ 23.693437]  kasan_save_alloc_info+0x3b/0x50
[ 23.694194]  __kasan_mempool_unpoison_object+0x1a9/0x200
[ 23.695030]  remove_element+0x11e/0x190
[ 23.695633]  mempool_alloc_preallocated+0x4d/0x90
[ 23.696154]  mempool_uaf_helper+0x97/0x400
[ 23.697499]  mempool_kmalloc_uaf+0xb3/0x100
[ 23.698143]  kunit_try_run_case+0x1b3/0x490
[ 23.698871]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.699632]  kthread+0x257/0x310
[ 23.700105]  ret_from_fork+0x41/0x80
[ 23.700908]  ret_from_fork_asm+0x1a/0x30
[ 23.701838]
[ 23.702172] Freed by task 235:
[ 23.702775]  kasan_save_stack+0x3d/0x60
[ 23.703389]  kasan_save_track+0x18/0x40
[ 23.703969]  kasan_save_free_info+0x3f/0x60
[ 23.704857]  __kasan_mempool_poison_object+0x131/0x1d0
[ 23.705740]  mempool_free+0x2ec/0x380
[ 23.706228]  mempool_uaf_helper+0x11b/0x400
[ 23.706864]  mempool_kmalloc_uaf+0xb3/0x100
[ 23.707443]  kunit_try_run_case+0x1b3/0x490
[ 23.708052]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.709211]  kthread+0x257/0x310
[ 23.709970]  ret_from_fork+0x41/0x80
[ 23.710306]  ret_from_fork_asm+0x1a/0x30
[ 23.710849]
[ 23.711055] The buggy address belongs to the object at ffff888101b61f00
[ 23.711055]  which belongs to the cache kmalloc-128 of size 128
[ 23.712108] The buggy address is located 0 bytes inside of
[ 23.712108]  freed 128-byte region [ffff888101b61f00, ffff888101b61f80)
[ 23.714159]
[ 23.714310] The buggy address belongs to the physical page:
[ 23.715401] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b61
[ 23.716747] flags: 0x200000000000000(node=0|zone=2)
[ 23.717197] page_type: f5(slab)
[ 23.717870] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 23.718816] raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
[ 23.720605] page dumped because: kasan: bad access detected
[ 23.721187]
[ 23.721792] Memory state around the buggy address:
[ 23.722383]  ffff888101b61e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.723074]  ffff888101b61e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.724237] >ffff888101b61f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.724751]                    ^
[ 23.725135]  ffff888101b61f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.726112]  ffff888101b62000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.727295] ==================================================================
[ 23.780191] ==================================================================
[ 23.781175] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[ 23.781745] Read of size 1 at addr ffff888101b65240 by task kunit_try_catch/239
[ 23.782421]
[ 23.782777] CPU: 1 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 23.783709] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.784298] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.784846] Call Trace:
[ 23.785362]  <TASK>
[ 23.785737]  dump_stack_lvl+0x73/0xb0
[ 23.786888]  print_report+0xd1/0x640
[ 23.787300]  ? __virt_addr_valid+0x1db/0x2d0
[ 23.787890]  ? kasan_complete_mode_report_info+0x64/0x200
[ 23.788325]  kasan_report+0x102/0x140
[ 23.788909]  ? mempool_uaf_helper+0x394/0x400
[ 23.789502]  ? mempool_uaf_helper+0x394/0x400
[ 23.790038]  __asan_report_load1_noabort+0x18/0x20
[ 23.790658]  mempool_uaf_helper+0x394/0x400
[ 23.791083]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 23.791948]  ? finish_task_switch.isra.0+0x153/0x700
[ 23.792556]  mempool_slab_uaf+0xae/0x100
[ 23.792963]  ? __pfx_mempool_slab_uaf+0x10/0x10
[ 23.793520]  ? __switch_to+0x5d9/0xf60
[ 23.793840]  ? __pfx_mempool_alloc_slab+0x10/0x10
[ 23.794908]  ? __pfx_mempool_free_slab+0x10/0x10
[ 23.795617]  ? __pfx_read_tsc+0x10/0x10
[ 23.796071]  ? ktime_get_ts64+0x84/0x230
[ 23.796589]  kunit_try_run_case+0x1b3/0x490
[ 23.797035]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.797513]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 23.798016]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.798792]  ? __kthread_parkme+0x82/0x160
[ 23.799113]  ? preempt_count_sub+0x50/0x80
[ 23.800186]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.800985]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.802095]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.803005]  kthread+0x257/0x310
[ 23.803492]  ? __pfx_kthread+0x10/0x10
[ 23.803785]  ret_from_fork+0x41/0x80
[ 23.804419]  ? __pfx_kthread+0x10/0x10
[ 23.804723]  ret_from_fork_asm+0x1a/0x30
[ 23.805961]  </TASK>
[ 23.806430]
[ 23.806754] Allocated by task 239:
[ 23.807047]  kasan_save_stack+0x3d/0x60
[ 23.807808]  kasan_save_track+0x18/0x40
[ 23.808115]  kasan_save_alloc_info+0x3b/0x50
[ 23.808631]  __kasan_mempool_unpoison_object+0x1bb/0x200
[ 23.809258]  remove_element+0x11e/0x190
[ 23.809831]  mempool_alloc_preallocated+0x4d/0x90
[ 23.810577]  mempool_uaf_helper+0x97/0x400
[ 23.811022]  mempool_slab_uaf+0xae/0x100
[ 23.812443]  kunit_try_run_case+0x1b3/0x490
[ 23.813183]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.813931]  kthread+0x257/0x310
[ 23.814510]  ret_from_fork+0x41/0x80
[ 23.814973]  ret_from_fork_asm+0x1a/0x30
[ 23.815511]
[ 23.815702] Freed by task 239:
[ 23.816897]  kasan_save_stack+0x3d/0x60
[ 23.817389]  kasan_save_track+0x18/0x40
[ 23.818010]  kasan_save_free_info+0x3f/0x60
[ 23.818704]  __kasan_mempool_poison_object+0x131/0x1d0
[ 23.819432]  mempool_free+0x2ec/0x380
[ 23.819883]  mempool_uaf_helper+0x11b/0x400
[ 23.820395]  mempool_slab_uaf+0xae/0x100
[ 23.820904]  kunit_try_run_case+0x1b3/0x490
[ 23.821324]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.823091]  kthread+0x257/0x310
[ 23.823534]  ret_from_fork+0x41/0x80
[ 23.824139]  ret_from_fork_asm+0x1a/0x30
[ 23.824743]
[ 23.825010] The buggy address belongs to the object at ffff888101b65240
[ 23.825010]  which belongs to the cache test_cache of size 123
[ 23.826523] The buggy address is located 0 bytes inside of
[ 23.826523]  freed 123-byte region [ffff888101b65240, ffff888101b652bb)
[ 23.827610]
[ 23.828433] The buggy address belongs to the physical page:
[ 23.829578] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b65
[ 23.830452] flags: 0x200000000000000(node=0|zone=2)
[ 23.830953] page_type: f5(slab)
[ 23.831305] raw: 0200000000000000 ffff888101af9b40 dead000000000122 0000000000000000
[ 23.832169] raw: 0000000000000000 0000000080150015 00000001f5000000 0000000000000000
[ 23.832858] page dumped because: kasan: bad access detected
[ 23.833761]
[ 23.834061] Memory state around the buggy address:
[ 23.834393]  ffff888101b65100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 23.834800]  ffff888101b65180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.835500] >ffff888101b65200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 23.836233]                                            ^
[ 23.836626]  ffff888101b65280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 23.838072]  ffff888101b65300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.838984] ==================================================================
```