Date
Nov. 28, 2024, 2:36 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
[ 32.851785] ================================================================== [ 32.852750] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.853811] Read of size 1 at addr fff00000c660c000 by task kunit_try_catch/217 [ 32.854617] [ 32.854999] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1 [ 32.856777] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.857360] Hardware name: linux,dummy-virt (DT) [ 32.858004] Call trace: [ 32.858688] show_stack+0x20/0x38 (C) [ 32.859522] dump_stack_lvl+0x8c/0xd0 [ 32.860077] print_report+0x118/0x5e0 [ 32.860745] kasan_report+0xc8/0x118 [ 32.861604] __asan_report_load1_noabort+0x20/0x30 [ 32.862144] mempool_uaf_helper+0x314/0x340 [ 32.862852] mempool_kmalloc_large_uaf+0xbc/0x118 [ 32.863451] kunit_try_run_case+0x14c/0x3d0 [ 32.864188] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.865041] kthread+0x24c/0x2d0 [ 32.865540] ret_from_fork+0x10/0x20 [ 32.866311] [ 32.866627] The buggy address belongs to the physical page: [ 32.867227] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10660c [ 32.868031] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.868882] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.869699] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 32.870566] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 32.871655] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 32.872687] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 32.873887] head: 0bfffe0000000002 ffffc1ffc3198301 ffffffffffffffff 0000000000000000 [ 32.874975] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 32.875803] page dumped because: kasan: bad access detected [ 32.876706] [ 32.877287] Memory state around the buggy address: [ 32.878197] fff00000c660bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.878938] 
fff00000c660bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.879695] >fff00000c660c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.880782] ^ [ 32.882049] fff00000c660c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.882987] fff00000c660c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.883749] ================================================================== [ 32.967177] ================================================================== [ 32.967960] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.968762] Read of size 1 at addr fff00000c6610000 by task kunit_try_catch/221 [ 32.969439] [ 32.969803] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1 [ 32.970928] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.971445] Hardware name: linux,dummy-virt (DT) [ 32.972024] Call trace: [ 32.972467] show_stack+0x20/0x38 (C) [ 32.973064] dump_stack_lvl+0x8c/0xd0 [ 32.973575] print_report+0x118/0x5e0 [ 32.974177] kasan_report+0xc8/0x118 [ 32.974753] __asan_report_load1_noabort+0x20/0x30 [ 32.975365] mempool_uaf_helper+0x314/0x340 [ 32.975944] mempool_page_alloc_uaf+0xb8/0x118 [ 32.976616] kunit_try_run_case+0x14c/0x3d0 [ 32.977256] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.977980] kthread+0x24c/0x2d0 [ 32.978545] ret_from_fork+0x10/0x20 [ 32.979058] [ 32.979407] The buggy address belongs to the physical page: [ 32.980063] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106610 [ 32.980997] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.981798] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 32.982595] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 32.983432] page dumped because: kasan: bad access detected [ 32.984032] [ 32.984353] Memory state around the buggy address: [ 32.984932] fff00000c660ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.985707] fff00000c660ff80: ff ff ff ff ff ff ff ff ff 
ff ff ff ff ff ff ff [ 32.986456] >fff00000c6610000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.987179] ^ [ 32.987621] fff00000c6610080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.988489] fff00000c6610100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.989148] ==================================================================
[ 23.851538] ================================================================== [ 23.852251] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 23.853412] Read of size 1 at addr ffff888102da4000 by task kunit_try_catch/241 [ 23.854717] [ 23.854919] CPU: 1 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1 [ 23.855877] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.856268] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.857149] Call Trace: [ 23.857664] <TASK> [ 23.858101] dump_stack_lvl+0x73/0xb0 [ 23.858777] print_report+0xd1/0x640 [ 23.859421] ? __virt_addr_valid+0x1db/0x2d0 [ 23.860110] ? kasan_addr_to_slab+0x11/0xa0 [ 23.860641] kasan_report+0x102/0x140 [ 23.861170] ? mempool_uaf_helper+0x394/0x400 [ 23.861911] ? mempool_uaf_helper+0x394/0x400 [ 23.862613] __asan_report_load1_noabort+0x18/0x20 [ 23.863457] mempool_uaf_helper+0x394/0x400 [ 23.863947] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 23.864770] mempool_page_alloc_uaf+0xb1/0x100 [ 23.865559] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 23.866060] ? __switch_to+0x5d9/0xf60 [ 23.866767] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 23.867533] ? __pfx_mempool_free_pages+0x10/0x10 [ 23.868015] ? __pfx_read_tsc+0x10/0x10 [ 23.869045] ? ktime_get_ts64+0x84/0x230 [ 23.869426] kunit_try_run_case+0x1b3/0x490 [ 23.869900] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.870612] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 23.871122] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.871971] ? __kthread_parkme+0x82/0x160 [ 23.872270] ? preempt_count_sub+0x50/0x80 [ 23.872588] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.873173] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.874109] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.874794] kthread+0x257/0x310 [ 23.875568] ? __pfx_kthread+0x10/0x10 [ 23.876410] ret_from_fork+0x41/0x80 [ 23.876800] ? 
__pfx_kthread+0x10/0x10 [ 23.877194] ret_from_fork_asm+0x1a/0x30 [ 23.878100] </TASK> [ 23.878463] [ 23.878716] The buggy address belongs to the physical page: [ 23.879532] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102da4 [ 23.880563] flags: 0x200000000000000(node=0|zone=2) [ 23.880938] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 23.881913] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.882660] page dumped because: kasan: bad access detected [ 23.883270] [ 23.884119] Memory state around the buggy address: [ 23.884543] ffff888102da3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.885769] ffff888102da3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.886229] >ffff888102da4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.887323] ^ [ 23.887863] ffff888102da4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.889051] ffff888102da4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.890460] ================================================================== [ 23.733816] ================================================================== [ 23.734577] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 23.735455] Read of size 1 at addr ffff888102da4000 by task kunit_try_catch/237 [ 23.737144] [ 23.737558] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1 [ 23.738552] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.738918] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.739814] Call Trace: [ 23.740035] <TASK> [ 23.740445] dump_stack_lvl+0x73/0xb0 [ 23.740977] print_report+0xd1/0x640 [ 23.741400] ? __virt_addr_valid+0x1db/0x2d0 [ 23.742007] ? kasan_addr_to_slab+0x11/0xa0 [ 23.742435] kasan_report+0x102/0x140 [ 23.742822] ? mempool_uaf_helper+0x394/0x400 [ 23.743240] ? 
mempool_uaf_helper+0x394/0x400 [ 23.743787] __asan_report_load1_noabort+0x18/0x20 [ 23.744357] mempool_uaf_helper+0x394/0x400 [ 23.744753] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 23.745391] ? finish_task_switch.isra.0+0x153/0x700 [ 23.745800] mempool_kmalloc_large_uaf+0xb3/0x100 [ 23.746190] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 23.746973] ? __switch_to+0x5d9/0xf60 [ 23.747551] ? __pfx_mempool_kmalloc+0x10/0x10 [ 23.748115] ? __pfx_mempool_kfree+0x10/0x10 [ 23.748521] ? __pfx_read_tsc+0x10/0x10 [ 23.749061] ? ktime_get_ts64+0x84/0x230 [ 23.749683] kunit_try_run_case+0x1b3/0x490 [ 23.750227] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.750807] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 23.751404] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.751884] ? __kthread_parkme+0x82/0x160 [ 23.752394] ? preempt_count_sub+0x50/0x80 [ 23.752861] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.753508] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.753949] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.754789] kthread+0x257/0x310 [ 23.755317] ? __pfx_kthread+0x10/0x10 [ 23.755713] ret_from_fork+0x41/0x80 [ 23.756266] ? 
__pfx_kthread+0x10/0x10 [ 23.756670] ret_from_fork_asm+0x1a/0x30 [ 23.757146] </TASK> [ 23.757456] [ 23.757735] The buggy address belongs to the physical page: [ 23.758453] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102da4 [ 23.759204] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 23.759859] flags: 0x200000000000040(head|node=0|zone=2) [ 23.760546] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 23.761377] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.762137] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 23.762807] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.763592] head: 0200000000000002 ffffea00040b6901 ffffffffffffffff 0000000000000000 [ 23.764637] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 23.765306] page dumped because: kasan: bad access detected [ 23.765736] [ 23.765971] Memory state around the buggy address: [ 23.766460] ffff888102da3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.767064] ffff888102da3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.767731] >ffff888102da4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.768385] ^ [ 23.768781] ffff888102da4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.769316] ffff888102da4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 23.769921] ==================================================================