Date
Dec. 6, 2024, 3:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 33.428863] ================================================================== [ 33.430184] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 33.431562] Read of size 1 at addr fff00000c69c6f00 by task kunit_try_catch/216 [ 33.432412] [ 33.433175] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241206 #1 [ 33.434299] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.434985] Hardware name: linux,dummy-virt (DT) [ 33.435616] Call trace: [ 33.436032] show_stack+0x20/0x38 (C) [ 33.436792] dump_stack_lvl+0x8c/0xd0 [ 33.437447] print_report+0x118/0x5e0 [ 33.438127] kasan_report+0xc8/0x118 [ 33.438728] __asan_report_load1_noabort+0x20/0x30 [ 33.439914] mempool_uaf_helper+0x314/0x340 [ 33.440529] mempool_kmalloc_uaf+0xbc/0x118 [ 33.441188] kunit_try_run_case+0x14c/0x3d0 [ 33.441876] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.442856] kthread+0x24c/0x2d0 [ 33.443397] ret_from_fork+0x10/0x20 [ 33.443986] [ 33.444320] Allocated by task 216: [ 33.445538] kasan_save_stack+0x3c/0x68 [ 33.446084] kasan_save_track+0x20/0x40 [ 33.446740] kasan_save_alloc_info+0x40/0x58 [ 33.447319] __kasan_mempool_unpoison_object+0x11c/0x180 [ 33.448373] remove_element+0x130/0x1f8 [ 33.448905] mempool_alloc_preallocated+0x58/0xc0 [ 33.449633] mempool_uaf_helper+0xa4/0x340 [ 33.451232] mempool_kmalloc_uaf+0xbc/0x118 [ 33.451745] kunit_try_run_case+0x14c/0x3d0 [ 33.452409] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.453031] kthread+0x24c/0x2d0 [ 33.453615] ret_from_fork+0x10/0x20 [ 33.454248] [ 33.454580] Freed by task 216: [ 33.455108] kasan_save_stack+0x3c/0x68 [ 33.455715] kasan_save_track+0x20/0x40 [ 33.456325] kasan_save_free_info+0x4c/0x78 [ 33.457253] __kasan_mempool_poison_object+0xc0/0x150 [ 33.458021] mempool_free+0x28c/0x328 [ 33.458913] mempool_uaf_helper+0x104/0x340 [ 33.459527] mempool_kmalloc_uaf+0xbc/0x118 [ 33.460089] kunit_try_run_case+0x14c/0x3d0 [ 33.460669] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.461451] kthread+0x24c/0x2d0 [ 33.461932] ret_from_fork+0x10/0x20 [ 33.462836] [ 33.463208] The buggy address belongs to the object at fff00000c69c6f00 [ 33.463208] which belongs to the cache kmalloc-128 of size 128 [ 33.464446] The buggy address is located 0 bytes inside of [ 33.464446] freed 128-byte region [fff00000c69c6f00, fff00000c69c6f80) [ 33.465735] [ 33.466108] The buggy address belongs to the physical page: [ 33.467004] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1069c6 [ 33.468044] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.468933] page_type: f5(slab) [ 33.469428] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 33.470632] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 33.471600] page dumped because: kasan: bad access detected [ 33.472266] [ 33.473170] Memory state around the buggy address: [ 33.474026] fff00000c69c6e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.475339] fff00000c69c6e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.476054] >fff00000c69c6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.477039] ^ [ 33.477607] fff00000c69c6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.478854] fff00000c69c7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.479694] ================================================================== [ 33.540598] ================================================================== [ 33.541722] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 33.543065] Read of size 1 at addr fff00000c69e2240 by task kunit_try_catch/220 [ 33.544027] [ 33.544406] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241206 #1 [ 33.545374] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.545986] Hardware name: linux,dummy-virt (DT) [ 33.547102] Call trace: [ 33.547572] show_stack+0x20/0x38 (C) [ 33.548213] dump_stack_lvl+0x8c/0xd0 [ 33.548868] print_report+0x118/0x5e0 [ 33.549389] kasan_report+0xc8/0x118 [ 33.550032] __asan_report_load1_noabort+0x20/0x30 [ 33.551158] mempool_uaf_helper+0x314/0x340 [ 33.551809] mempool_slab_uaf+0xb8/0x110 [ 33.552459] kunit_try_run_case+0x14c/0x3d0 [ 33.553108] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.553830] kthread+0x24c/0x2d0 [ 33.554847] ret_from_fork+0x10/0x20 [ 33.555438] [ 33.555817] Allocated by task 220: [ 33.556314] kasan_save_stack+0x3c/0x68 [ 33.556974] kasan_save_track+0x20/0x40 [ 33.557479] kasan_save_alloc_info+0x40/0x58 [ 33.558597] __kasan_mempool_unpoison_object+0xbc/0x180 [ 33.559314] remove_element+0x16c/0x1f8 [ 33.559862] mempool_alloc_preallocated+0x58/0xc0 [ 33.560592] mempool_uaf_helper+0xa4/0x340 [ 33.561155] mempool_slab_uaf+0xb8/0x110 [ 33.561806] kunit_try_run_case+0x14c/0x3d0 [ 33.562757] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.563563] kthread+0x24c/0x2d0 [ 33.564088] ret_from_fork+0x10/0x20 [ 33.564707] [ 33.565055] Freed by task 220: [ 33.565537] kasan_save_stack+0x3c/0x68 [ 33.566164] kasan_save_track+0x20/0x40 [ 33.567200] kasan_save_free_info+0x4c/0x78 [ 33.567805] __kasan_mempool_poison_object+0xc0/0x150 [ 33.568427] mempool_free+0x28c/0x328 [ 33.569069] mempool_uaf_helper+0x104/0x340 [ 33.569686] mempool_slab_uaf+0xb8/0x110 [ 33.570204] kunit_try_run_case+0x14c/0x3d0 [ 33.570910] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.571622] kthread+0x24c/0x2d0 [ 33.572184] ret_from_fork+0x10/0x20 [ 33.573171] [ 33.573550] The buggy address belongs to the object at fff00000c69e2240 [ 33.573550] which belongs to the cache test_cache of size 123 [ 33.575110] The buggy address is located 0 bytes inside of [ 33.575110] freed 123-byte region [fff00000c69e2240, fff00000c69e22bb) [ 33.576448] [ 33.576844] The buggy address belongs to the physical page: [ 33.577426] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1069e2 [ 33.578402] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.579837] page_type: f5(slab) [ 33.580394] raw: 0bfffe0000000000 fff00000c13faa00 dead000000000122 0000000000000000 [ 33.581204] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 33.582487] page dumped because: kasan: bad access detected [ 33.583262] [ 33.583651] Memory state around the buggy address: [ 33.584286] fff00000c69e2100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 33.585723] fff00000c69e2180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.586802] >fff00000c69e2200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 33.587449] ^ [ 33.588196] fff00000c69e2280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 33.589249] fff00000c69e2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.590063] ==================================================================
[ 26.290952] ================================================================== [ 26.292032] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 26.292694] Read of size 1 at addr ffff888102481240 by task kunit_try_catch/239 [ 26.293421] [ 26.293619] CPU: 1 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241206 #1 [ 26.294691] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.295076] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.295842] Call Trace: [ 26.296257] <TASK> [ 26.296575] dump_stack_lvl+0x73/0xb0 [ 26.296993] print_report+0xd1/0x640 [ 26.297330] ? __virt_addr_valid+0x1db/0x2d0 [ 26.297824] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.298549] kasan_report+0x102/0x140 [ 26.299032] ? mempool_uaf_helper+0x394/0x400 [ 26.299476] ? mempool_uaf_helper+0x394/0x400 [ 26.299883] __asan_report_load1_noabort+0x18/0x20 [ 26.300316] mempool_uaf_helper+0x394/0x400 [ 26.300823] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.301469] ? finish_task_switch.isra.0+0x153/0x700 [ 26.302026] mempool_slab_uaf+0xae/0x100 [ 26.302436] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 26.302907] ? __switch_to+0x5d9/0xf60 [ 26.303497] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 26.303980] ? __pfx_mempool_free_slab+0x10/0x10 [ 26.304456] ? __pfx_read_tsc+0x10/0x10 [ 26.304947] ? ktime_get_ts64+0x86/0x230 [ 26.305328] kunit_try_run_case+0x1b3/0x490 [ 26.305823] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.306495] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 26.307143] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.307561] ? __kthread_parkme+0x82/0x160 [ 26.308056] ? preempt_count_sub+0x50/0x80 [ 26.308462] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.308787] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.309356] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.309971] kthread+0x257/0x310 [ 26.310476] ? __pfx_kthread+0x10/0x10 [ 26.310875] ret_from_fork+0x41/0x80 [ 26.311360] ? __pfx_kthread+0x10/0x10 [ 26.311768] ret_from_fork_asm+0x1a/0x30 [ 26.312333] </TASK> [ 26.312523] [ 26.312678] Allocated by task 239: [ 26.312927] kasan_save_stack+0x3d/0x60 [ 26.313525] kasan_save_track+0x18/0x40 [ 26.314137] kasan_save_alloc_info+0x3b/0x50 [ 26.314638] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 26.315342] remove_element+0x11e/0x190 [ 26.315672] mempool_alloc_preallocated+0x4d/0x90 [ 26.316059] mempool_uaf_helper+0x97/0x400 [ 26.316619] mempool_slab_uaf+0xae/0x100 [ 26.317142] kunit_try_run_case+0x1b3/0x490 [ 26.317516] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.317993] kthread+0x257/0x310 [ 26.318320] ret_from_fork+0x41/0x80 [ 26.318595] ret_from_fork_asm+0x1a/0x30 [ 26.318887] [ 26.319216] Freed by task 239: [ 26.319621] kasan_save_stack+0x3d/0x60 [ 26.320203] kasan_save_track+0x18/0x40 [ 26.320683] kasan_save_free_info+0x3f/0x60 [ 26.322299] __kasan_mempool_poison_object+0x131/0x1d0 [ 26.323480] mempool_free+0x2ec/0x380 [ 26.323895] mempool_uaf_helper+0x11b/0x400 [ 26.324396] mempool_slab_uaf+0xae/0x100 [ 26.324798] kunit_try_run_case+0x1b3/0x490 [ 26.325653] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.326158] kthread+0x257/0x310 [ 26.326473] ret_from_fork+0x41/0x80 [ 26.326787] ret_from_fork_asm+0x1a/0x30 [ 26.327199] [ 26.327427] The buggy address belongs to the object at ffff888102481240 [ 26.327427] which belongs to the cache test_cache of size 123 [ 26.329040] The buggy address is located 0 bytes inside of [ 26.329040] freed 123-byte region [ffff888102481240, ffff8881024812bb) [ 26.330156] [ 26.330372] The buggy address belongs to the physical page: [ 26.330844] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102481 [ 26.331626] flags: 0x200000000000000(node=0|zone=2) [ 26.332252] page_type: f5(slab) [ 26.332688] raw: 0200000000000000 ffff888101116b40 dead000000000122 0000000000000000 [ 26.333248] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 26.334139] page dumped because: kasan: bad access detected [ 26.334488] [ 26.334720] Memory state around the buggy address: [ 26.335366] ffff888102481100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 26.335903] ffff888102481180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.336538] >ffff888102481200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 26.336956] ^ [ 26.337609] ffff888102481280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 26.338463] ffff888102481300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.339170] ================================================================== [ 26.166784] ================================================================== [ 26.167802] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x394/0x400 [ 26.169851] Read of size 1 at addr ffff88810247d500 by task kunit_try_catch/235 [ 26.170383] [ 26.170514] CPU: 1 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241206 #1 [ 26.170903] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.171157] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.171664] Call Trace: [ 26.171991] <TASK> [ 26.172306] dump_stack_lvl+0x73/0xb0 [ 26.173307] print_report+0xd1/0x640 [ 26.173666] ? __virt_addr_valid+0x1db/0x2d0 [ 26.174021] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.174639] kasan_report+0x102/0x140 [ 26.175131] ? mempool_uaf_helper+0x394/0x400 [ 26.175536] ? mempool_uaf_helper+0x394/0x400 [ 26.176053] __asan_report_load1_noabort+0x18/0x20 [ 26.176523] mempool_uaf_helper+0x394/0x400 [ 26.177480] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.177872] ? finish_task_switch.isra.0+0x153/0x700 [ 26.178618] mempool_kmalloc_uaf+0xb3/0x100 [ 26.179472] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 26.179963] ? __switch_to+0x5d9/0xf60 [ 26.180462] ? __pfx_mempool_kmalloc+0x10/0x10 [ 26.181258] ? __pfx_mempool_kfree+0x10/0x10 [ 26.181860] ? __pfx_read_tsc+0x10/0x10 [ 26.182497] ? ktime_get_ts64+0x86/0x230 [ 26.182925] kunit_try_run_case+0x1b3/0x490 [ 26.183792] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.184773] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 26.185539] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.186144] ? __kthread_parkme+0x82/0x160 [ 26.186898] ? preempt_count_sub+0x50/0x80 [ 26.187529] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.188035] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.189227] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.189724] kthread+0x257/0x310 [ 26.190435] ? __pfx_kthread+0x10/0x10 [ 26.191068] ret_from_fork+0x41/0x80 [ 26.191620] ? __pfx_kthread+0x10/0x10 [ 26.192027] ret_from_fork_asm+0x1a/0x30 [ 26.192964] </TASK> [ 26.193354] [ 26.193714] Allocated by task 235: [ 26.194321] kasan_save_stack+0x3d/0x60 [ 26.194650] kasan_save_track+0x18/0x40 [ 26.195215] kasan_save_alloc_info+0x3b/0x50 [ 26.195705] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 26.196307] remove_element+0x11e/0x190 [ 26.196806] mempool_alloc_preallocated+0x4d/0x90 [ 26.197422] mempool_uaf_helper+0x97/0x400 [ 26.197850] mempool_kmalloc_uaf+0xb3/0x100 [ 26.198382] kunit_try_run_case+0x1b3/0x490 [ 26.198856] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.199431] kthread+0x257/0x310 [ 26.199819] ret_from_fork+0x41/0x80 [ 26.200296] ret_from_fork_asm+0x1a/0x30 [ 26.200775] [ 26.201059] Freed by task 235: [ 26.201481] kasan_save_stack+0x3d/0x60 [ 26.201902] kasan_save_track+0x18/0x40 [ 26.202540] kasan_save_free_info+0x3f/0x60 [ 26.202854] __kasan_mempool_poison_object+0x131/0x1d0 [ 26.203539] mempool_free+0x2ec/0x380 [ 26.203993] mempool_uaf_helper+0x11b/0x400 [ 26.204581] mempool_kmalloc_uaf+0xb3/0x100 [ 26.205025] kunit_try_run_case+0x1b3/0x490 [ 26.205385] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.206182] kthread+0x257/0x310 [ 26.206616] ret_from_fork+0x41/0x80 [ 26.206885] ret_from_fork_asm+0x1a/0x30 [ 26.207460] [ 26.207731] The buggy address belongs to the object at ffff88810247d500 [ 26.207731] which belongs to the cache kmalloc-128 of size 128 [ 26.208831] The buggy address is located 0 bytes inside of [ 26.208831] freed 128-byte region [ffff88810247d500, ffff88810247d580) [ 26.210057] [ 26.210421] The buggy address belongs to the physical page: [ 26.210824] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10247d [ 26.211706] flags: 0x200000000000000(node=0|zone=2) [ 26.212350] page_type: f5(slab) [ 26.212830] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.213664] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.214558] page dumped because: kasan: bad access detected [ 26.215016] [ 26.215258] Memory state around the buggy address: [ 26.215719] ffff88810247d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.216470] ffff88810247d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.217266] >ffff88810247d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.217862] ^ [ 26.218301] ffff88810247d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.218988] ffff88810247d600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.219747] ==================================================================