Date
April 20, 2025, 11:09 p.m.
Environment |
---|
x15 |
x86 |
```
[ 61.430297] ==================================================================
[ 61.441955] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x430/0x550
[ 61.449188] Read of size 1 at addr cc235000 by task kunit_try_catch/269
[ 61.455841]
[ 61.457366] CPU: 1 UID: 0 PID: 269 Comm: kunit_try_catch Tainted: G B W N 6.15.0-rc3 #1 NONE
[ 61.457397] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 61.457427] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 61.457427] Call trace:
[ 61.457458] unwind_backtrace from show_stack+0x18/0x1c
[ 61.457489] show_stack from dump_stack_lvl+0x70/0x90
[ 61.457519] dump_stack_lvl from print_report+0x158/0x528
[ 61.457580] print_report from kasan_report+0xdc/0x118
[ 61.457611] kasan_report from kmem_cache_rcu_uaf+0x430/0x550
[ 61.457641] kmem_cache_rcu_uaf from kunit_try_run_case+0x22c/0x5a8
[ 61.457672] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.457733] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 61.457763] kthread from ret_from_fork+0x14/0x20
[ 61.457794] Exception stack(0xf257bfb0 to 0xf257bff8)
[ 61.457824] bfa0: 00000000 00000000 00000000 00000000
[ 61.457824] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 61.457855] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 61.457885]
[ 61.562988] Allocated by task 269:
[ 61.566406] kasan_save_track+0x30/0x5c
[ 61.570312] __kasan_slab_alloc+0x60/0x68
[ 61.574340] kmem_cache_alloc_noprof+0x17c/0x36c
[ 61.579040] kmem_cache_rcu_uaf+0x174/0x550
[ 61.583251] kunit_try_run_case+0x22c/0x5a8
[ 61.587493] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.593017] kthread+0x464/0x810
[ 61.596282] ret_from_fork+0x14/0x20
[ 61.599914]
[ 61.601409] Freed by task 22:
[ 61.604431] kasan_save_track+0x30/0x5c
[ 61.608306] kasan_save_free_info+0x3c/0x48
[ 61.612518] __kasan_slab_free+0x40/0x50
[ 61.616485] slab_free_after_rcu_debug+0xb0/0x290
[ 61.621246] rcu_core+0x84c/0x1aa4
[ 61.624694] handle_softirqs+0x3d8/0xc7c
[ 61.628662] run_ksoftirqd+0x7c/0x9c
[ 61.632263] smpboot_thread_fn+0x46c/0xa68
[ 61.636413] kthread+0x464/0x810
[ 61.639678] ret_from_fork+0x14/0x20
[ 61.643310]
[ 61.644805] Last potentially related work creation:
[ 61.649719] kasan_save_stack+0x30/0x4c
[ 61.653625] kasan_record_aux_stack+0x80/0x88
[ 61.658020] kmem_cache_free+0x1f0/0x470
[ 61.661987] kmem_cache_rcu_uaf+0x1b8/0x550
[ 61.666198] kunit_try_run_case+0x22c/0x5a8
[ 61.670440] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.675994] kthread+0x464/0x810
[ 61.679260] ret_from_fork+0x14/0x20
[ 61.682861]
[ 61.684387] The buggy address belongs to the object at cc235000
[ 61.684387] which belongs to the cache test_cache of size 200
[ 61.696197] The buggy address is located 0 bytes inside of
[ 61.696197] freed 200-byte region [cc235000, cc2350c8)
[ 61.706970]
[ 61.708496] The buggy address belongs to the physical page:
[ 61.714111] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c235
[ 61.721405] flags: 0x0(zone=0)
[ 61.724487] page_type: f5(slab)
[ 61.727661] raw: 00000000 cc22f300 00000122 00000000 00000000 800f000f f5000000 00000000
[ 61.735809] raw: 00000000
[ 61.738464] page dumped because: kasan: bad access detected
[ 61.744079]
[ 61.745605] Memory state around the buggy address:
[ 61.750427] cc234f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.757019] cc234f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.763610] >cc235000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.770172] ^
[ 61.772735] cc235080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 61.779327] cc235100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.785919] ==================================================================
```
```
[ 33.856965] ==================================================================
[ 33.868583] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 33.875747] Read of size 1 at addr ffff888100e06000 by task kunit_try_catch/256
[ 33.883054]
[ 33.884556] CPU: 2 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 33.884565] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.884567] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 33.884571] Call Trace:
[ 33.884572] <TASK>
[ 33.884575] dump_stack_lvl+0x73/0xb0
[ 33.884580] print_report+0xd1/0x650
[ 33.884585] ? __virt_addr_valid+0x1db/0x2d0
[ 33.884589] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 33.884593] ? kasan_complete_mode_report_info+0x64/0x200
[ 33.884597] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 33.884600] kasan_report+0x141/0x180
[ 33.884605] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 33.884609] __asan_report_load1_noabort+0x18/0x20
[ 33.884613] kmem_cache_rcu_uaf+0x3e3/0x510
[ 33.884616] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 33.884619] ? finish_task_switch.isra.0+0x153/0x700
[ 33.884624] ? __switch_to+0x5d9/0xf60
[ 33.884628] ? dequeue_task_fair+0x166/0x4e0
[ 33.884634] ? ktime_get_ts64+0x83/0x230
[ 33.884639] kunit_try_run_case+0x1a2/0x480
[ 33.884644] ? __pfx_kunit_try_run_case+0x10/0x10
[ 33.884648] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 33.884654] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 33.884658] ? __kthread_parkme+0x82/0x180
[ 33.884663] ? preempt_count_sub+0x50/0x80
[ 33.884667] ? __pfx_kunit_try_run_case+0x10/0x10
[ 33.884689] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 33.884693] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 33.884697] kthread+0x334/0x6f0
[ 33.884719] ? trace_preempt_on+0x20/0xc0
[ 33.884725] ? __pfx_kthread+0x10/0x10
[ 33.884741] ? _raw_spin_unlock_irq+0x47/0x80
[ 33.884746] ? calculate_sigpending+0x7b/0xa0
[ 33.884750] ? __pfx_kthread+0x10/0x10
[ 33.884755] ret_from_fork+0x3e/0x80
[ 33.884759] ? __pfx_kthread+0x10/0x10
[ 33.884764] ret_from_fork_asm+0x1a/0x30
[ 33.884782] </TASK>
[ 33.884784]
[ 34.057195] Allocated by task 256:
[ 34.060601] kasan_save_stack+0x45/0x70
[ 34.064447] kasan_save_track+0x18/0x40
[ 34.068288] kasan_save_alloc_info+0x3b/0x50
[ 34.072560] __kasan_slab_alloc+0x91/0xa0
[ 34.076580] kmem_cache_alloc_noprof+0x123/0x3f0
[ 34.081199] kmem_cache_rcu_uaf+0x155/0x510
[ 34.085386] kunit_try_run_case+0x1a2/0x480
[ 34.089570] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 34.094971] kthread+0x334/0x6f0
[ 34.098202] ret_from_fork+0x3e/0x80
[ 34.101782] ret_from_fork_asm+0x1a/0x30
[ 34.105708]
[ 34.107223] Freed by task 0:
[ 34.110111] kasan_save_stack+0x45/0x70
[ 34.113949] kasan_save_track+0x18/0x40
[ 34.117788] kasan_save_free_info+0x3f/0x60
[ 34.121974] __kasan_slab_free+0x56/0x70
[ 34.125899] slab_free_after_rcu_debug+0xe4/0x310
[ 34.130606] rcu_core+0x669/0x1c30
[ 34.134013] rcu_core_si+0x12/0x20
[ 34.137427] handle_softirqs+0x206/0x730
[ 34.141360] __irq_exit_rcu+0xc9/0x110
[ 34.145112] irq_exit_rcu+0x12/0x20
[ 34.148607] sysvec_apic_timer_interrupt+0x81/0x90
[ 34.153406] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 34.158546]
[ 34.160045] Last potentially related work creation:
[ 34.164925] kasan_save_stack+0x45/0x70
[ 34.168787] kasan_record_aux_stack+0xb2/0xc0
[ 34.173148] kmem_cache_free+0x131/0x420
[ 34.177073] kmem_cache_rcu_uaf+0x194/0x510
[ 34.181259] kunit_try_run_case+0x1a2/0x480
[ 34.185446] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 34.190845] kthread+0x334/0x6f0
[ 34.194077] ret_from_fork+0x3e/0x80
[ 34.197656] ret_from_fork_asm+0x1a/0x30
[ 34.201610]
[ 34.203108] The buggy address belongs to the object at ffff888100e06000
[ 34.203108] which belongs to the cache test_cache of size 200
[ 34.215537] The buggy address is located 0 bytes inside of
[ 34.215537] freed 200-byte region [ffff888100e06000, ffff888100e060c8)
[ 34.227624]
[ 34.229123] The buggy address belongs to the physical page:
[ 34.234702] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100e06
[ 34.242738] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 34.250390] flags: 0x200000000000040(head|node=0|zone=2)
[ 34.255703] page_type: f5(slab)
[ 34.258878] raw: 0200000000000040 ffff888100dbcc80 dead000000000122 0000000000000000
[ 34.266624] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 34.274373] head: 0200000000000040 ffff888100dbcc80 dead000000000122 0000000000000000
[ 34.282206] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 34.290031] head: 0200000000000001 ffffea0004038181 00000000ffffffff 00000000ffffffff
[ 34.297857] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 34.305700] page dumped because: kasan: bad access detected
[ 34.311325]
[ 34.312823] Memory state around the buggy address:
[ 34.317616] ffff888100e05f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.324835] ffff888100e05f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.332053] >ffff888100e06000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.339271] ^
[ 34.342505] ffff888100e06080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 34.349747] ffff888100e06100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.356970] ==================================================================
```