| | |
|---|---|
| Date | May 15, 2025, 10:38 a.m. |
| Environment | e850-96 |
```
[ 37.133333] ==================================================================
[ 37.142710] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 37.149823] Read of size 1 at addr ffff0008065c6240 by task kunit_try_catch/276
[ 37.157113]
[ 37.158597] CPU: 5 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 37.158654] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 37.158673] Hardware name: WinLink E850-96 board (DT)
[ 37.158693] Call trace:
[ 37.158705] show_stack+0x20/0x38 (C)
[ 37.158743] dump_stack_lvl+0x8c/0xd0
[ 37.158777] print_report+0x118/0x608
[ 37.158813] kasan_report+0xdc/0x128
[ 37.158844] __asan_report_load1_noabort+0x20/0x30
[ 37.158881] mempool_uaf_helper+0x314/0x340
[ 37.158907] mempool_slab_uaf+0xc0/0x118
[ 37.158940] kunit_try_run_case+0x170/0x3f0
[ 37.158974] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.159008] kthread+0x328/0x630
[ 37.159044] ret_from_fork+0x10/0x20
[ 37.159081]
[ 37.226558] Allocated by task 276:
[ 37.229944] kasan_save_stack+0x3c/0x68
[ 37.233761] kasan_save_track+0x20/0x40
[ 37.237580] kasan_save_alloc_info+0x40/0x58
[ 37.241833] __kasan_mempool_unpoison_object+0xbc/0x180
[ 37.247041] remove_element+0x16c/0x1f8
[ 37.250861] mempool_alloc_preallocated+0x58/0xc0
[ 37.255548] mempool_uaf_helper+0xa4/0x340
[ 37.259628] mempool_slab_uaf+0xc0/0x118
[ 37.263534] kunit_try_run_case+0x170/0x3f0
[ 37.267700] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.273169] kthread+0x328/0x630
[ 37.276381] ret_from_fork+0x10/0x20
[ 37.279940]
[ 37.281417] Freed by task 276:
[ 37.284454] kasan_save_stack+0x3c/0x68
[ 37.288274] kasan_save_track+0x20/0x40
[ 37.292092] kasan_save_free_info+0x4c/0x78
[ 37.296260] __kasan_mempool_poison_object+0xc0/0x150
[ 37.301294] mempool_free+0x28c/0x328
[ 37.304940] mempool_uaf_helper+0x104/0x340
[ 37.309107] mempool_slab_uaf+0xc0/0x118
[ 37.313012] kunit_try_run_case+0x170/0x3f0
[ 37.317179] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.322648] kthread+0x328/0x630
[ 37.325860] ret_from_fork+0x10/0x20
[ 37.329419]
[ 37.330896] The buggy address belongs to the object at ffff0008065c6240
[ 37.330896] which belongs to the cache test_cache of size 123
[ 37.343309] The buggy address is located 0 bytes inside of
[ 37.343309] freed 123-byte region [ffff0008065c6240, ffff0008065c62bb)
[ 37.355373]
[ 37.356853] The buggy address belongs to the physical page:
[ 37.362408] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8865c6
[ 37.370393] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 37.376903] page_type: f5(slab)
[ 37.380039] raw: 0bfffe0000000000 ffff000801eae000 dead000000000122 0000000000000000
[ 37.387758] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[ 37.395477] page dumped because: kasan: bad access detected
[ 37.401032]
[ 37.402507] Memory state around the buggy address:
[ 37.407288] ffff0008065c6100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.414491] ffff0008065c6180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.421695] >ffff0008065c6200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 37.428896] ^
[ 37.434195] ffff0008065c6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.441400] ffff0008065c6300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.448602] ==================================================================
[ 36.546600] ==================================================================
[ 36.547839] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[ 36.554954] Read of size 1 at addr ffff000801f1c700 by task kunit_try_catch/272
[ 36.562245]
[ 36.563731] CPU: 7 UID: 0 PID: 272 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 36.563794] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 36.563812] Hardware name: WinLink E850-96 board (DT)
[ 36.563834] Call trace:
[ 36.563850] show_stack+0x20/0x38 (C)
[ 36.563886] dump_stack_lvl+0x8c/0xd0
[ 36.563920] print_report+0x118/0x608
[ 36.563953] kasan_report+0xdc/0x128
[ 36.563982] __asan_report_load1_noabort+0x20/0x30
[ 36.564021] mempool_uaf_helper+0x314/0x340
[ 36.564049] mempool_kmalloc_uaf+0xc4/0x120
[ 36.564077] kunit_try_run_case+0x170/0x3f0
[ 36.564109] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 36.564141] kthread+0x328/0x630
[ 36.564175] ret_from_fork+0x10/0x20
[ 36.564208]
[ 36.631949] Allocated by task 272:
[ 36.635336] kasan_save_stack+0x3c/0x68
[ 36.639151] kasan_save_track+0x20/0x40
[ 36.642971] kasan_save_alloc_info+0x40/0x58
[ 36.647224] __kasan_mempool_unpoison_object+0x11c/0x180
[ 36.652519] remove_element+0x130/0x1f8
[ 36.656339] mempool_alloc_preallocated+0x58/0xc0
[ 36.661026] mempool_uaf_helper+0xa4/0x340
[ 36.665106] mempool_kmalloc_uaf+0xc4/0x120
[ 36.669274] kunit_try_run_case+0x170/0x3f0
[ 36.673439] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 36.678909] kthread+0x328/0x630
[ 36.682119] ret_from_fork+0x10/0x20
[ 36.685679]
[ 36.687155] Freed by task 272:
[ 36.690194] kasan_save_stack+0x3c/0x68
[ 36.694012] kasan_save_track+0x20/0x40
[ 36.697831] kasan_save_free_info+0x4c/0x78
[ 36.701998] __kasan_mempool_poison_object+0xc0/0x150
[ 36.707032] mempool_free+0x28c/0x328
[ 36.710678] mempool_uaf_helper+0x104/0x340
[ 36.714845] mempool_kmalloc_uaf+0xc4/0x120
[ 36.719011] kunit_try_run_case+0x170/0x3f0
[ 36.723179] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 36.728646] kthread+0x328/0x630
[ 36.731858] ret_from_fork+0x10/0x20
[ 36.735417]
[ 36.736895] The buggy address belongs to the object at ffff000801f1c700
[ 36.736895] which belongs to the cache kmalloc-128 of size 128
[ 36.749397] The buggy address is located 0 bytes inside of
[ 36.749397] freed 128-byte region [ffff000801f1c700, ffff000801f1c780)
[ 36.761459]
[ 36.762938] The buggy address belongs to the physical page:
[ 36.768494] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881f1c
[ 36.776477] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 36.784116] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 36.791060] page_type: f5(slab)
[ 36.794198] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 36.801916] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 36.809642] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 36.817454] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 36.825267] head: 0bfffe0000000001 fffffdffe007c701 00000000ffffffff 00000000ffffffff
[ 36.833079] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 36.840884] page dumped because: kasan: bad access detected
[ 36.846440]
[ 36.847915] Memory state around the buggy address:
[ 36.852699] ffff000801f1c600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.859898] ffff000801f1c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.867104] >ffff000801f1c700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.874304] ^
[ 36.877519] ffff000801f1c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.884726] ffff000801f1c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.891927] ==================================================================
```