Hay
Date: Dec. 5, 2024, 2:07 p.m.
Environment: qemu-arm64, qemu-x86_64

[   32.485870] ==================================================================
[   32.487035] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   32.488136] Read of size 1 at addr fff00000c63b8240 by task kunit_try_catch/220
[   32.489046] 
[   32.489431] CPU: 0 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241205 #1
[   32.490739] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.491335] Hardware name: linux,dummy-virt (DT)
[   32.492797] Call trace:
[   32.493221]  show_stack+0x20/0x38 (C)
[   32.493716]  dump_stack_lvl+0x8c/0xd0
[   32.494317]  print_report+0x118/0x5e0
[   32.494944]  kasan_report+0xc8/0x118
[   32.495704]  __asan_report_load1_noabort+0x20/0x30
[   32.496740]  mempool_uaf_helper+0x314/0x340
[   32.497417]  mempool_slab_uaf+0xb8/0x110
[   32.497923]  kunit_try_run_case+0x14c/0x3d0
[   32.498618]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.499302]  kthread+0x24c/0x2d0
[   32.499798]  ret_from_fork+0x10/0x20
[   32.500259] 
[   32.500514] Allocated by task 220:
[   32.500971]  kasan_save_stack+0x3c/0x68
[   32.501823]  kasan_save_track+0x20/0x40
[   32.502657]  kasan_save_alloc_info+0x40/0x58
[   32.503362]  __kasan_mempool_unpoison_object+0xbc/0x180
[   32.504239]  remove_element+0x16c/0x1f8
[   32.504702]  mempool_alloc_preallocated+0x58/0xc0
[   32.505380]  mempool_uaf_helper+0xa4/0x340
[   32.505976]  mempool_slab_uaf+0xb8/0x110
[   32.506633]  kunit_try_run_case+0x14c/0x3d0
[   32.507611]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.508809]  kthread+0x24c/0x2d0
[   32.509536]  ret_from_fork+0x10/0x20
[   32.510360] 
[   32.510688] Freed by task 220:
[   32.511134]  kasan_save_stack+0x3c/0x68
[   32.512404]  kasan_save_track+0x20/0x40
[   32.512999]  kasan_save_free_info+0x4c/0x78
[   32.513510]  __kasan_mempool_poison_object+0xc0/0x150
[   32.514293]  mempool_free+0x28c/0x328
[   32.514919]  mempool_uaf_helper+0x104/0x340
[   32.515659]  mempool_slab_uaf+0xb8/0x110
[   32.516314]  kunit_try_run_case+0x14c/0x3d0
[   32.516930]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.517635]  kthread+0x24c/0x2d0
[   32.518859]  ret_from_fork+0x10/0x20
[   32.519767] 
[   32.520036] The buggy address belongs to the object at fff00000c63b8240
[   32.520036]  which belongs to the cache test_cache of size 123
[   32.521455] The buggy address is located 0 bytes inside of
[   32.521455]  freed 123-byte region [fff00000c63b8240, fff00000c63b82bb)
[   32.522775] 
[   32.523080] The buggy address belongs to the physical page:
[   32.524618] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063b8
[   32.525563] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.526545] page_type: f5(slab)
[   32.527093] raw: 0bfffe0000000000 fff00000c63a83c0 dead000000000122 0000000000000000
[   32.528446] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   32.529298] page dumped because: kasan: bad access detected
[   32.529948] 
[   32.530252] Memory state around the buggy address:
[   32.531068]  fff00000c63b8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.532322]  fff00000c63b8180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.533831] >fff00000c63b8200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   32.534864]                                            ^
[   32.535981]  fff00000c63b8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.536807]  fff00000c63b8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.537603] ==================================================================

[   32.378336] ==================================================================
[   32.380178] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   32.381101] Read of size 1 at addr fff00000c64e4d00 by task kunit_try_catch/216
[   32.381944] 
[   32.382388] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241205 #1
[   32.383981] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.384315] Hardware name: linux,dummy-virt (DT)
[   32.384616] Call trace:
[   32.384824]  show_stack+0x20/0x38 (C)
[   32.385305]  dump_stack_lvl+0x8c/0xd0
[   32.385988]  print_report+0x118/0x5e0
[   32.386631]  kasan_report+0xc8/0x118
[   32.387117]  __asan_report_load1_noabort+0x20/0x30
[   32.387663]  mempool_uaf_helper+0x314/0x340
[   32.388562]  mempool_kmalloc_uaf+0xbc/0x118
[   32.389294]  kunit_try_run_case+0x14c/0x3d0
[   32.390222]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.390894]  kthread+0x24c/0x2d0
[   32.391869]  ret_from_fork+0x10/0x20
[   32.393271] 
[   32.393775] Allocated by task 216:
[   32.394249]  kasan_save_stack+0x3c/0x68
[   32.395044]  kasan_save_track+0x20/0x40
[   32.396114]  kasan_save_alloc_info+0x40/0x58
[   32.396732]  __kasan_mempool_unpoison_object+0x11c/0x180
[   32.397528]  remove_element+0x130/0x1f8
[   32.398185]  mempool_alloc_preallocated+0x58/0xc0
[   32.398937]  mempool_uaf_helper+0xa4/0x340
[   32.399666]  mempool_kmalloc_uaf+0xbc/0x118
[   32.400474]  kunit_try_run_case+0x14c/0x3d0
[   32.401107]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.401805]  kthread+0x24c/0x2d0
[   32.402391]  ret_from_fork+0x10/0x20
[   32.402960] 
[   32.403315] Freed by task 216:
[   32.403843]  kasan_save_stack+0x3c/0x68
[   32.404319]  kasan_save_track+0x20/0x40
[   32.405069]  kasan_save_free_info+0x4c/0x78
[   32.405691]  __kasan_mempool_poison_object+0xc0/0x150
[   32.406713]  mempool_free+0x28c/0x328
[   32.407569]  mempool_uaf_helper+0x104/0x340
[   32.408271]  mempool_kmalloc_uaf+0xbc/0x118
[   32.408831]  kunit_try_run_case+0x14c/0x3d0
[   32.409474]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.410299]  kthread+0x24c/0x2d0
[   32.410822]  ret_from_fork+0x10/0x20
[   32.411783] 
[   32.412103] The buggy address belongs to the object at fff00000c64e4d00
[   32.412103]  which belongs to the cache kmalloc-128 of size 128
[   32.413398] The buggy address is located 0 bytes inside of
[   32.413398]  freed 128-byte region [fff00000c64e4d00, fff00000c64e4d80)
[   32.414725] 
[   32.415100] The buggy address belongs to the physical page:
[   32.416212] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064e4
[   32.417138] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.417978] page_type: f5(slab)
[   32.418488] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.420037] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.421000] page dumped because: kasan: bad access detected
[   32.421631] 
[   32.421939] Memory state around the buggy address:
[   32.422668]  fff00000c64e4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.424026]  fff00000c64e4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.424925] >fff00000c64e4d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.425833]                    ^
[   32.426282]  fff00000c64e4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.427518]  fff00000c64e4e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.428401] ==================================================================

[   30.266943] ==================================================================
[   30.267971] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   30.268580] Read of size 1 at addr ffff888101ac4240 by task kunit_try_catch/238
[   30.269350] 
[   30.269554] CPU: 0 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241205 #1
[   30.270478] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.270931] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   30.272123] Call Trace:
[   30.272436]  <TASK>
[   30.272704]  dump_stack_lvl+0x73/0xb0
[   30.273586]  print_report+0xd1/0x640
[   30.273984]  ? __virt_addr_valid+0x1db/0x2d0
[   30.274558]  ? kasan_complete_mode_report_info+0x64/0x200
[   30.275084]  kasan_report+0x102/0x140
[   30.275501]  ? mempool_uaf_helper+0x394/0x400
[   30.275886]  ? mempool_uaf_helper+0x394/0x400
[   30.276363]  __asan_report_load1_noabort+0x18/0x20
[   30.277123]  mempool_uaf_helper+0x394/0x400
[   30.277581]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   30.278166]  ? irqentry_exit+0x2a/0x60
[   30.278643]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   30.279473]  mempool_slab_uaf+0xae/0x100
[   30.280117]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   30.280706]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   30.281509]  ? __pfx_mempool_free_slab+0x10/0x10
[   30.281931]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   30.282622]  kunit_try_run_case+0x1b3/0x490
[   30.283223]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.283795]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   30.284517]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   30.285260]  ? __kthread_parkme+0x82/0x160
[   30.285643]  ? preempt_count_sub+0x50/0x80
[   30.286259]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.286748]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   30.287238]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.287933]  kthread+0x257/0x310
[   30.288450]  ? __pfx_kthread+0x10/0x10
[   30.288807]  ret_from_fork+0x41/0x80
[   30.289528]  ? __pfx_kthread+0x10/0x10
[   30.289954]  ret_from_fork_asm+0x1a/0x30
[   30.290472]  </TASK>
[   30.290720] 
[   30.290943] Allocated by task 238:
[   30.291333]  kasan_save_stack+0x3d/0x60
[   30.291915]  kasan_save_track+0x18/0x40
[   30.292321]  kasan_save_alloc_info+0x3b/0x50
[   30.292839]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   30.293587]  remove_element+0x11e/0x190
[   30.294215]  mempool_alloc_preallocated+0x4d/0x90
[   30.294649]  mempool_uaf_helper+0x97/0x400
[   30.295451]  mempool_slab_uaf+0xae/0x100
[   30.295986]  kunit_try_run_case+0x1b3/0x490
[   30.296597]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.297223]  kthread+0x257/0x310
[   30.297631]  ret_from_fork+0x41/0x80
[   30.298141]  ret_from_fork_asm+0x1a/0x30
[   30.298477] 
[   30.298857] Freed by task 238:
[   30.299239]  kasan_save_stack+0x3d/0x60
[   30.299676]  kasan_save_track+0x18/0x40
[   30.300360]  kasan_save_free_info+0x3f/0x60
[   30.300886]  __kasan_mempool_poison_object+0x131/0x1d0
[   30.301473]  mempool_free+0x2ec/0x380
[   30.301968]  mempool_uaf_helper+0x11b/0x400
[   30.302308]  mempool_slab_uaf+0xae/0x100
[   30.302825]  kunit_try_run_case+0x1b3/0x490
[   30.303331]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.303936]  kthread+0x257/0x310
[   30.304367]  ret_from_fork+0x41/0x80
[   30.304648]  ret_from_fork_asm+0x1a/0x30
[   30.305288] 
[   30.305551] The buggy address belongs to the object at ffff888101ac4240
[   30.305551]  which belongs to the cache test_cache of size 123
[   30.306766] The buggy address is located 0 bytes inside of
[   30.306766]  freed 123-byte region [ffff888101ac4240, ffff888101ac42bb)
[   30.307741] 
[   30.307964] The buggy address belongs to the physical page:
[   30.308663] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ac4
[   30.309547] flags: 0x200000000000000(node=0|zone=2)
[   30.310086] page_type: f5(slab)
[   30.310351] raw: 0200000000000000 ffff888101abe280 dead000000000122 0000000000000000
[   30.311523] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   30.313028] page dumped because: kasan: bad access detected
[   30.313646] 
[   30.313785] Memory state around the buggy address:
[   30.314658]  ffff888101ac4100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.315978]  ffff888101ac4180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.316928] >ffff888101ac4200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   30.318116]                                            ^
[   30.318521]  ffff888101ac4280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.319552]  ffff888101ac4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.320755] ==================================================================

[   30.142458] ==================================================================
[   30.144126] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400
[   30.145588] Read of size 1 at addr ffff888102a0ca00 by task kunit_try_catch/234
[   30.146380] 
[   30.146613] CPU: 1 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241205 #1
[   30.147639] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.148279] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   30.149213] Call Trace:
[   30.149517]  <TASK>
[   30.149764]  dump_stack_lvl+0x73/0xb0
[   30.150437]  print_report+0xd1/0x640
[   30.151357]  ? __virt_addr_valid+0x1db/0x2d0
[   30.151722]  ? kasan_complete_mode_report_info+0x64/0x200
[   30.152930]  kasan_report+0x102/0x140
[   30.153443]  ? mempool_uaf_helper+0x394/0x400
[   30.153930]  ? mempool_uaf_helper+0x394/0x400
[   30.154925]  __asan_report_load1_noabort+0x18/0x20
[   30.155606]  mempool_uaf_helper+0x394/0x400
[   30.156277]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   30.156502]  ? ret_from_fork+0x41/0x80
[   30.156722]  ? kthread+0x257/0x310
[   30.157017]  ? ret_from_fork_asm+0x1a/0x30
[   30.158460]  ? ret_from_fork_asm+0x1a/0x30
[   30.159202]  mempool_kmalloc_uaf+0xb3/0x100
[   30.159876]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   30.160612]  ? __switch_to+0x5d9/0xf60
[   30.161366]  ? __pfx_mempool_kmalloc+0x10/0x10
[   30.161849]  ? __pfx_mempool_kfree+0x10/0x10
[   30.162694]  ? __pfx_read_tsc+0x10/0x10
[   30.164027]  ? ktime_get_ts64+0x86/0x230
[   30.164493]  kunit_try_run_case+0x1b3/0x490
[   30.165739]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.166630]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   30.167233]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   30.167947]  ? __kthread_parkme+0x82/0x160
[   30.168581]  ? preempt_count_sub+0x50/0x80
[   30.169305]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.169529]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   30.170217]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.171378]  kthread+0x257/0x310
[   30.171796]  ? __pfx_kthread+0x10/0x10
[   30.172253]  ret_from_fork+0x41/0x80
[   30.172608]  ? __pfx_kthread+0x10/0x10
[   30.173076]  ret_from_fork_asm+0x1a/0x30
[   30.173468]  </TASK>
[   30.174415] 
[   30.174585] Allocated by task 234:
[   30.174888]  kasan_save_stack+0x3d/0x60
[   30.175934]  kasan_save_track+0x18/0x40
[   30.176763]  kasan_save_alloc_info+0x3b/0x50
[   30.177037]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   30.178165]  remove_element+0x11e/0x190
[   30.179030]  mempool_alloc_preallocated+0x4d/0x90
[   30.180009]  mempool_uaf_helper+0x97/0x400
[   30.180503]  mempool_kmalloc_uaf+0xb3/0x100
[   30.181449]  kunit_try_run_case+0x1b3/0x490
[   30.181851]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.182503]  kthread+0x257/0x310
[   30.182816]  ret_from_fork+0x41/0x80
[   30.183283]  ret_from_fork_asm+0x1a/0x30
[   30.183666] 
[   30.184867] Freed by task 234:
[   30.185191]  kasan_save_stack+0x3d/0x60
[   30.186167]  kasan_save_track+0x18/0x40
[   30.186814]  kasan_save_free_info+0x3f/0x60
[   30.187743]  __kasan_mempool_poison_object+0x131/0x1d0
[   30.188446]  mempool_free+0x2ec/0x380
[   30.189208]  mempool_uaf_helper+0x11b/0x400
[   30.189947]  mempool_kmalloc_uaf+0xb3/0x100
[   30.190441]  kunit_try_run_case+0x1b3/0x490
[   30.190855]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.192300]  kthread+0x257/0x310
[   30.192648]  ret_from_fork+0x41/0x80
[   30.193452]  ret_from_fork_asm+0x1a/0x30
[   30.194433] 
[   30.194665] The buggy address belongs to the object at ffff888102a0ca00
[   30.194665]  which belongs to the cache kmalloc-128 of size 128
[   30.196220] The buggy address is located 0 bytes inside of
[   30.196220]  freed 128-byte region [ffff888102a0ca00, ffff888102a0ca80)
[   30.197740] 
[   30.197959] The buggy address belongs to the physical page:
[   30.198818] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a0c
[   30.200140] flags: 0x200000000000000(node=0|zone=2)
[   30.201410] page_type: f5(slab)
[   30.201762] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   30.202618] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.203763] page dumped because: kasan: bad access detected
[   30.204646] 
[   30.204805] Memory state around the buggy address:
[   30.205881]  ffff888102a0c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.207092]  ffff888102a0c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.207731] >ffff888102a0ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.208859]                    ^
[   30.209224]  ffff888102a0ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.209836]  ffff888102a0cb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.211302] ==================================================================