Date
Dec. 5, 2024, 2:07 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.560290] ================================================================== [ 32.561453] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.562124] Read of size 1 at addr fff00000c65d0000 by task kunit_try_catch/222 [ 32.563066] [ 32.563808] CPU: 0 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 32.565518] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.565949] Hardware name: linux,dummy-virt (DT) [ 32.567237] Call trace: [ 32.567759] show_stack+0x20/0x38 (C) [ 32.568488] dump_stack_lvl+0x8c/0xd0 [ 32.569355] print_report+0x118/0x5e0 [ 32.569997] kasan_report+0xc8/0x118 [ 32.570656] __asan_report_load1_noabort+0x20/0x30 [ 32.571658] mempool_uaf_helper+0x314/0x340 [ 32.572386] mempool_page_alloc_uaf+0xb8/0x118 [ 32.573127] kunit_try_run_case+0x14c/0x3d0 [ 32.573961] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.574865] kthread+0x24c/0x2d0 [ 32.575489] ret_from_fork+0x10/0x20 [ 32.576110] [ 32.576443] The buggy address belongs to the physical page: [ 32.577288] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065d0 [ 32.578293] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.579307] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 32.580319] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 32.581299] page dumped because: kasan: bad access detected [ 32.582159] [ 32.582744] Memory state around the buggy address: [ 32.583413] fff00000c65cff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.584725] fff00000c65cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.585365] >fff00000c65d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.587074] ^ [ 32.587977] fff00000c65d0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.589011] fff00000c65d0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.590061] ================================================================== [ 32.438414] ================================================================== [ 32.440201] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.440987] Read of size 1 at addr fff00000c65d0000 by task kunit_try_catch/218 [ 32.441671] [ 32.442211] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 32.444161] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.444934] Hardware name: linux,dummy-virt (DT) [ 32.445504] Call trace: [ 32.445962] show_stack+0x20/0x38 (C) [ 32.446558] dump_stack_lvl+0x8c/0xd0 [ 32.448007] print_report+0x118/0x5e0 [ 32.448504] kasan_report+0xc8/0x118 [ 32.449083] __asan_report_load1_noabort+0x20/0x30 [ 32.449905] mempool_uaf_helper+0x314/0x340 [ 32.450544] mempool_kmalloc_large_uaf+0xbc/0x118 [ 32.451209] kunit_try_run_case+0x14c/0x3d0 [ 32.452387] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.453204] kthread+0x24c/0x2d0 [ 32.453734] ret_from_fork+0x10/0x20 [ 32.454514] [ 32.455029] The buggy address belongs to the physical page: [ 32.456221] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065d0 [ 32.457259] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.458465] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.459367] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 32.460437] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 32.461777] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 32.462837] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 32.464256] head: 0bfffe0000000002 ffffc1ffc3197401 ffffffffffffffff 0000000000000000 [ 32.465094] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 32.466029] page dumped because: kasan: bad access detected [ 32.466664] [ 32.467162] Memory state around the buggy address: [ 32.468506] fff00000c65cff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.469707] fff00000c65cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.470647] >fff00000c65d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.471659] ^ [ 32.472565] fff00000c65d0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.473721] fff00000c65d0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.474730] ==================================================================
[ 30.332407] ================================================================== [ 30.333352] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 30.334220] Read of size 1 at addr ffff888102d60000 by task kunit_try_catch/240 [ 30.334750] [ 30.335316] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 30.336496] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.336910] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 30.337648] Call Trace: [ 30.338052] <TASK> [ 30.338365] dump_stack_lvl+0x73/0xb0 [ 30.338822] print_report+0xd1/0x640 [ 30.339443] ? __virt_addr_valid+0x1db/0x2d0 [ 30.339877] ? kasan_addr_to_slab+0x11/0xa0 [ 30.340188] kasan_report+0x102/0x140 [ 30.340950] ? mempool_uaf_helper+0x394/0x400 [ 30.341652] ? mempool_uaf_helper+0x394/0x400 [ 30.342237] __asan_report_load1_noabort+0x18/0x20 [ 30.342607] mempool_uaf_helper+0x394/0x400 [ 30.343495] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 30.344303] mempool_page_alloc_uaf+0xb1/0x100 [ 30.344836] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 30.345470] ? __switch_to+0x5d9/0xf60 [ 30.346085] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 30.346506] ? __pfx_mempool_free_pages+0x10/0x10 [ 30.346958] ? __pfx_read_tsc+0x10/0x10 [ 30.347341] ? ktime_get_ts64+0x86/0x230 [ 30.347776] kunit_try_run_case+0x1b3/0x490 [ 30.348098] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.348901] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 30.349871] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 30.350741] ? __kthread_parkme+0x82/0x160 [ 30.351529] ? preempt_count_sub+0x50/0x80 [ 30.352605] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.353262] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 30.354194] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.354920] kthread+0x257/0x310 [ 30.355186] ? __pfx_kthread+0x10/0x10 [ 30.356339] ret_from_fork+0x41/0x80 [ 30.356675] ? __pfx_kthread+0x10/0x10 [ 30.357601] ret_from_fork_asm+0x1a/0x30 [ 30.358556] </TASK> [ 30.359083] [ 30.359369] The buggy address belongs to the physical page: [ 30.360273] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d60 [ 30.361604] flags: 0x200000000000000(node=0|zone=2) [ 30.362702] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 30.363516] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 30.364477] page dumped because: kasan: bad access detected [ 30.364833] [ 30.365092] Memory state around the buggy address: [ 30.365842] ffff888102d5ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.366668] ffff888102d5ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.367654] >ffff888102d60000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.368999] ^ [ 30.369645] ffff888102d60080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.370812] ffff888102d60100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.372146] ================================================================== [ 30.218958] ================================================================== [ 30.219825] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400 [ 30.220530] Read of size 1 at addr ffff888102b5c000 by task kunit_try_catch/236 [ 30.221546] [ 30.221815] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 30.223172] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.223658] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 30.224488] Call Trace: [ 30.224808] <TASK> [ 30.225138] dump_stack_lvl+0x73/0xb0 [ 30.225594] print_report+0xd1/0x640 [ 30.226089] ? __virt_addr_valid+0x1db/0x2d0 [ 30.226510] ? kasan_addr_to_slab+0x11/0xa0 [ 30.227418] kasan_report+0x102/0x140 [ 30.227924] ? mempool_uaf_helper+0x394/0x400 [ 30.228454] ? mempool_uaf_helper+0x394/0x400 [ 30.228975] __asan_report_load1_noabort+0x18/0x20 [ 30.229526] mempool_uaf_helper+0x394/0x400 [ 30.230243] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 30.230832] ? finish_task_switch.isra.0+0x153/0x700 [ 30.231379] mempool_kmalloc_large_uaf+0xb3/0x100 [ 30.232130] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 30.232765] ? __switch_to+0x5d9/0xf60 [ 30.233377] ? __pfx_mempool_kmalloc+0x10/0x10 [ 30.233906] ? __pfx_mempool_kfree+0x10/0x10 [ 30.234660] ? __pfx_read_tsc+0x10/0x10 [ 30.235269] ? ktime_get_ts64+0x86/0x230 [ 30.235778] kunit_try_run_case+0x1b3/0x490 [ 30.236413] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.237045] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 30.237460] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 30.238036] ? __kthread_parkme+0x82/0x160 [ 30.238433] ? preempt_count_sub+0x50/0x80 [ 30.239279] ? __pfx_kunit_try_run_case+0x10/0x10 [ 30.239840] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 30.240556] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 30.241220] kthread+0x257/0x310 [ 30.241589] ? __pfx_kthread+0x10/0x10 [ 30.242310] ret_from_fork+0x41/0x80 [ 30.242602] ? __pfx_kthread+0x10/0x10 [ 30.243263] ret_from_fork_asm+0x1a/0x30 [ 30.243732] </TASK> [ 30.244231] [ 30.244448] The buggy address belongs to the physical page: [ 30.245101] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b5c [ 30.245672] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 30.246760] flags: 0x200000000000040(head|node=0|zone=2) [ 30.247480] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 30.248075] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 30.248797] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 30.249327] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 30.250621] head: 0200000000000002 ffffea00040ad701 ffffffffffffffff 0000000000000000 [ 30.251539] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 30.252155] page dumped because: kasan: bad access detected [ 30.252827] [ 30.253248] Memory state around the buggy address: [ 30.254210] ffff888102b5bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.254645] ffff888102b5bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.255333] >ffff888102b5c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.255919] ^ [ 30.256403] ffff888102b5c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.257173] ffff888102b5c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.257788] ==================================================================