Date
March 19, 2025, 10:35 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 37.258304] ================================================================== [ 37.258486] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 37.259041] Read of size 1 at addr fff00000c7800000 by task kunit_try_catch/231 [ 37.259736] [ 37.259855] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.14.0-rc7-next-20250319 #1 PREEMPT [ 37.261012] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.261517] Hardware name: linux,dummy-virt (DT) [ 37.261820] Call trace: [ 37.262098] show_stack+0x20/0x38 (C) [ 37.262825] dump_stack_lvl+0x8c/0xd0 [ 37.263122] print_report+0x118/0x5f0 [ 37.263340] kasan_report+0xc8/0x118 [ 37.263501] __asan_report_load1_noabort+0x20/0x30 [ 37.263668] mempool_uaf_helper+0x314/0x340 [ 37.263828] mempool_kmalloc_large_uaf+0xbc/0x118 [ 37.263985] kunit_try_run_case+0x14c/0x3d0 [ 37.264702] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.264929] kthread+0x318/0x618 [ 37.265342] ret_from_fork+0x10/0x20 [ 37.265845] [ 37.266030] The buggy address belongs to the physical page: [ 37.266236] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107800 [ 37.266428] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 37.266580] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 37.266751] page_type: f8(unknown) [ 37.266877] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 37.267920] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 37.268456] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 37.269087] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 37.269625] head: 0bfffe0000000002 ffffc1ffc31e0001 00000000ffffffff 00000000ffffffff [ 37.269811] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 37.269949] page dumped because: kasan: bad access detected [ 37.270332] [ 37.270823] Memory state around the buggy address: [ 37.271045] fff00000c77fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.271283] fff00000c77fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.271963] >fff00000c7800000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.272388] ^ [ 37.272745] fff00000c7800080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.272978] fff00000c7800100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.273237] ================================================================== [ 37.402469] ================================================================== [ 37.402665] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 37.402860] Read of size 1 at addr fff00000c7804000 by task kunit_try_catch/235 [ 37.403028] [ 37.403160] CPU: 1 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.14.0-rc7-next-20250319 #1 PREEMPT [ 37.403553] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.403651] Hardware name: linux,dummy-virt (DT) [ 37.404216] Call trace: [ 37.404376] show_stack+0x20/0x38 (C) [ 37.404856] dump_stack_lvl+0x8c/0xd0 [ 37.405382] print_report+0x118/0x5f0 [ 37.406088] kasan_report+0xc8/0x118 [ 37.406242] __asan_report_load1_noabort+0x20/0x30 [ 37.407318] mempool_uaf_helper+0x314/0x340 [ 37.407815] mempool_page_alloc_uaf+0xb8/0x118 [ 37.408492] kunit_try_run_case+0x14c/0x3d0 [ 37.409078] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.409302] kthread+0x318/0x618 [ 37.410245] ret_from_fork+0x10/0x20 [ 37.410570] [ 37.411141] The buggy address belongs to the physical page: [ 37.411543] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107804 [ 37.411902] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.412129] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 37.412303] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 37.412487] page dumped because: kasan: bad access detected [ 37.412589] [ 37.412645] Memory state around the buggy address: [ 37.412811] fff00000c7803f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.412949] fff00000c7803f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.413109] >fff00000c7804000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.413302] ^ [ 37.413470] fff00000c7804080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.413702] fff00000c7804100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 37.413903] ==================================================================
[ 24.256526] ================================================================== [ 24.257521] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 24.258239] Read of size 1 at addr ffff8881039c0000 by task kunit_try_catch/254 [ 24.258478] [ 24.258589] CPU: 1 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G B N 6.14.0-rc7-next-20250319 #1 PREEMPT(voluntary) [ 24.258661] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.258679] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.258734] Call Trace: [ 24.258767] <TASK> [ 24.258802] dump_stack_lvl+0x73/0xb0 [ 24.258886] print_report+0xd1/0x660 [ 24.259016] ? __virt_addr_valid+0x1db/0x2d0 [ 24.259185] ? kasan_addr_to_slab+0x11/0xa0 [ 24.259262] kasan_report+0x104/0x140 [ 24.259321] ? mempool_uaf_helper+0x392/0x400 [ 24.259388] ? mempool_uaf_helper+0x392/0x400 [ 24.259469] __asan_report_load1_noabort+0x18/0x20 [ 24.259529] mempool_uaf_helper+0x392/0x400 [ 24.259601] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 24.259697] ? finish_task_switch.isra.0+0x153/0x730 [ 24.259781] mempool_page_alloc_uaf+0xb0/0x100 [ 24.259853] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 24.259956] ? __switch_to+0x5d9/0xf70 [ 24.260087] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 24.260192] ? __pfx_mempool_free_pages+0x10/0x10 [ 24.260312] ? __pfx_read_tsc+0x10/0x10 [ 24.260397] ? ktime_get_ts64+0x86/0x240 [ 24.260497] kunit_try_run_case+0x1b2/0x490 [ 24.260615] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.260663] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.260700] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.260790] ? __kthread_parkme+0x82/0x160 [ 24.260833] ? preempt_count_sub+0x50/0x80 [ 24.260870] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.260905] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.260940] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.260973] kthread+0x323/0x710 [ 24.261004] ? trace_preempt_on+0x20/0xc0 [ 24.261038] ? __pfx_kthread+0x10/0x10 [ 24.261070] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.261100] ? calculate_sigpending+0x7b/0xa0 [ 24.261156] ? __pfx_kthread+0x10/0x10 [ 24.261189] ret_from_fork+0x41/0x80 [ 24.261220] ? __pfx_kthread+0x10/0x10 [ 24.261254] ret_from_fork_asm+0x1a/0x30 [ 24.261300] </TASK> [ 24.261316] [ 24.276803] The buggy address belongs to the physical page: [ 24.277368] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c0 [ 24.278278] flags: 0x200000000000000(node=0|zone=2) [ 24.278681] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 24.279417] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 24.279888] page dumped because: kasan: bad access detected [ 24.280286] [ 24.280506] Memory state around the buggy address: [ 24.281106] ffff8881039bff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.281798] ffff8881039bff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.282303] >ffff8881039c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.283013] ^ [ 24.283273] ffff8881039c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.283678] ffff8881039c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.284346] ================================================================== [ 24.124665] ================================================================== [ 24.126335] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 24.126896] Read of size 1 at addr ffff888103918000 by task kunit_try_catch/250 [ 24.128411] [ 24.128651] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.14.0-rc7-next-20250319 #1 PREEMPT(voluntary) [ 24.129312] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.129351] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.129388] Call Trace: [ 24.129407] <TASK> [ 24.129430] dump_stack_lvl+0x73/0xb0 [ 24.129477] print_report+0xd1/0x660 [ 24.129513] ? __virt_addr_valid+0x1db/0x2d0 [ 24.129579] ? kasan_addr_to_slab+0x11/0xa0 [ 24.129614] kasan_report+0x104/0x140 [ 24.129643] ? mempool_uaf_helper+0x392/0x400 [ 24.129685] ? mempool_uaf_helper+0x392/0x400 [ 24.129796] __asan_report_load1_noabort+0x18/0x20 [ 24.129873] mempool_uaf_helper+0x392/0x400 [ 24.129914] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 24.129955] ? finish_task_switch.isra.0+0x153/0x730 [ 24.129999] mempool_kmalloc_large_uaf+0xb2/0x100 [ 24.130035] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 24.130068] ? __switch_to+0x5d9/0xf70 [ 24.130128] ? __pfx_mempool_kmalloc+0x10/0x10 [ 24.130163] ? __pfx_mempool_kfree+0x10/0x10 [ 24.130196] ? __pfx_read_tsc+0x10/0x10 [ 24.130228] ? ktime_get_ts64+0x86/0x240 [ 24.130266] kunit_try_run_case+0x1b2/0x490 [ 24.130303] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.130334] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.130367] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.130399] ? __kthread_parkme+0x82/0x160 [ 24.130431] ? preempt_count_sub+0x50/0x80 [ 24.130465] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.130499] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.130532] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.130565] kthread+0x323/0x710 [ 24.130595] ? trace_preempt_on+0x20/0xc0 [ 24.130628] ? __pfx_kthread+0x10/0x10 [ 24.130661] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.130757] ? calculate_sigpending+0x7b/0xa0 [ 24.130887] ? __pfx_kthread+0x10/0x10 [ 24.130929] ret_from_fork+0x41/0x80 [ 24.130964] ? __pfx_kthread+0x10/0x10 [ 24.130996] ret_from_fork_asm+0x1a/0x30 [ 24.131044] </TASK> [ 24.131060] [ 24.154557] The buggy address belongs to the physical page: [ 24.156127] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103918 [ 24.156685] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 24.158007] flags: 0x200000000000040(head|node=0|zone=2) [ 24.158703] page_type: f8(unknown) [ 24.159226] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 24.160203] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 24.160833] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 24.162142] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 24.163349] head: 0200000000000002 ffffea00040e4601 00000000ffffffff 00000000ffffffff [ 24.164179] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 24.164942] page dumped because: kasan: bad access detected [ 24.165918] [ 24.166103] Memory state around the buggy address: [ 24.166905] ffff888103917f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.167548] ffff888103917f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.168512] >ffff888103918000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.169560] ^ [ 24.170043] ffff888103918080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.170656] ffff888103918100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.171530] ==================================================================