Date
April 20, 2025, 11:09 p.m.
| Environment | |
|---|---|
| x15 | |
| x86 |
[ 59.540405] ================================================================== [ 59.550842] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x5c/0x60 [ 59.557617] Read of size 4 at addr cc22c700 by task ksoftirqd/1/22 [ 59.563842] [ 59.565368] CPU: 1 UID: 0 PID: 22 Comm: ksoftirqd/1 Tainted: G B W N 6.15.0-rc3 #1 NONE [ 59.565399] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 59.565429] Hardware name: Generic DRA74X (Flattened Device Tree) [ 59.565429] Call trace: [ 59.565460] unwind_backtrace from show_stack+0x18/0x1c [ 59.565490] show_stack from dump_stack_lvl+0x70/0x90 [ 59.565521] dump_stack_lvl from print_report+0x158/0x528 [ 59.565551] print_report from kasan_report+0xdc/0x118 [ 59.565582] kasan_report from rcu_uaf_reclaim+0x5c/0x60 [ 59.565612] rcu_uaf_reclaim from rcu_core+0x84c/0x1aa4 [ 59.565673] rcu_core from handle_softirqs+0x3d8/0xc7c [ 59.565704] handle_softirqs from run_ksoftirqd+0x7c/0x9c [ 59.565734] run_ksoftirqd from smpboot_thread_fn+0x46c/0xa68 [ 59.565765] smpboot_thread_fn from kthread+0x464/0x810 [ 59.565795] kthread from ret_from_fork+0x14/0x20 [ 59.565826] Exception stack(0xf00c3fb0 to 0xf00c3ff8) [ 59.565856] 3fa0: 00000000 00000000 00000000 00000000 [ 59.565887] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 59.565917] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 59.565917] [ 59.676361] Allocated by task 254: [ 59.679809] kasan_save_track+0x30/0x5c [ 59.683685] __kasan_kmalloc+0x8c/0x94 [ 59.687469] rcu_uaf+0xd0/0x354 [ 59.690673] kunit_try_run_case+0x22c/0x5a8 [ 59.694885] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 59.700439] kthread+0x464/0x810 [ 59.703704] ret_from_fork+0x14/0x20 [ 59.707305] [ 59.708831] Freed by task 22: [ 59.711822] kasan_save_track+0x30/0x5c [ 59.715698] kasan_save_free_info+0x3c/0x48 [ 59.719940] __kasan_slab_free+0x40/0x50 [ 59.723876] kfree+0xe8/0x384 [ 59.726898] rcu_uaf_reclaim+0x1c/0x60 [ 59.730682] rcu_core+0x84c/0x1aa4 [ 59.734130] handle_softirqs+0x3d8/0xc7c [ 59.738098] run_ksoftirqd+0x7c/0x9c [ 59.741729] smpboot_thread_fn+0x46c/0xa68 [ 59.745849] kthread+0x464/0x810 [ 59.749114] ret_from_fork+0x14/0x20 [ 59.752746] [ 59.754241] Last potentially related work creation: [ 59.759155] kasan_save_stack+0x30/0x4c [ 59.763061] kasan_record_aux_stack+0x80/0x88 [ 59.767456] __call_rcu_common.constprop.0+0x98/0xb80 [ 59.772552] rcu_uaf+0x1a4/0x354 [ 59.775817] kunit_try_run_case+0x22c/0x5a8 [ 59.780059] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 59.785614] kthread+0x464/0x810 [ 59.788879] ret_from_fork+0x14/0x20 [ 59.792480] [ 59.793975] The buggy address belongs to the object at cc22c700 [ 59.793975] which belongs to the cache kmalloc-64 of size 64 [ 59.805725] The buggy address is located 0 bytes inside of [ 59.805725] freed 64-byte region [cc22c700, cc22c740) [ 59.816406] [ 59.817932] The buggy address belongs to the physical page: [ 59.823547] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c22c [ 59.830841] flags: 0x0(zone=0) [ 59.833923] page_type: f5(slab) [ 59.837097] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000 [ 59.845275] raw: 00000000 [ 59.847900] page dumped because: kasan: bad access detected [ 59.853515] [ 59.855041] Memory state around the buggy address: [ 59.859863] cc22c600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 59.866455] cc22c680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 59.873046] >cc22c700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 59.879608] ^ [ 59.882171] cc22c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.888763] cc22c800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.895355] ==================================================================
[ 31.489776] ================================================================== [ 31.500171] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 31.506884] Read of size 4 at addr ffff888107f04880 by task swapper/1/0 [ 31.513497] [ 31.514998] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary) [ 31.515006] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.515009] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 31.515012] Call Trace: [ 31.515014] <IRQ> [ 31.515016] dump_stack_lvl+0x73/0xb0 [ 31.515021] print_report+0xd1/0x650 [ 31.515026] ? __virt_addr_valid+0x1db/0x2d0 [ 31.515030] ? rcu_uaf_reclaim+0x50/0x60 [ 31.515034] ? kasan_complete_mode_report_info+0x64/0x200 [ 31.515038] ? rcu_uaf_reclaim+0x50/0x60 [ 31.515042] kasan_report+0x141/0x180 [ 31.515046] ? rcu_uaf_reclaim+0x50/0x60 [ 31.515051] __asan_report_load4_noabort+0x18/0x20 [ 31.515054] rcu_uaf_reclaim+0x50/0x60 [ 31.515058] rcu_core+0x669/0x1c30 [ 31.515063] ? enqueue_hrtimer+0xfe/0x210 [ 31.515068] ? __pfx_rcu_core+0x10/0x10 [ 31.515072] ? ktime_get+0x68/0x150 [ 31.515077] ? handle_softirqs+0x18e/0x730 [ 31.515082] rcu_core_si+0x12/0x20 [ 31.515086] handle_softirqs+0x206/0x730 [ 31.515090] ? hrtimer_interrupt+0x2fe/0x780 [ 31.515094] ? __pfx_handle_softirqs+0x10/0x10 [ 31.515099] __irq_exit_rcu+0xc9/0x110 [ 31.515103] irq_exit_rcu+0x12/0x20 [ 31.515108] sysvec_apic_timer_interrupt+0x81/0x90 [ 31.515113] </IRQ> [ 31.515114] <TASK> [ 31.515116] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 31.515120] RIP: 0010:cpuidle_enter_state+0xe5/0x2f0 [ 31.515125] Code: ff ff ff 48 89 45 c0 e8 89 e3 f3 fe 31 ff e8 42 27 6b fc 80 7d d0 00 0f 85 27 01 00 00 e8 23 ef f3 fe 84 c0 0f 84 0f 01 00 00 <45> 85 ed 0f 88 ef 00 00 00 4d 63 fd 48 8b 7d c0 4b 8d 04 7f 49 8d [ 31.515133] RSP: 0000:ffff8881008efd70 EFLAGS: 00000246 [ 31.515137] RAX: 0000000000000000 RBX: ffff8881042a6000 RCX: 000000000000001f [ 31.515141] RDX: 1ffff11083ed6c0f RSI: 0000000000000001 RDI: ffff88841f6b6078 [ 31.515145] RBP: ffff8881008efdb8 R08: 0000000000000002 R09: ffffed1083ed6102 [ 31.515148] R10: ffff88841f6b0813 R11: 0000000000000006 R12: ffffffffba5a6e80 [ 31.515151] R13: 0000000000000002 R14: 0000000000000002 R15: ffffffffba5a6f68 [ 31.515156] ? check_tsc_sync_source+0x260/0x290 [ 31.515161] cpuidle_enter+0x53/0xb0 [ 31.515165] ? cpuidle_select+0x5f/0xb0 [ 31.515169] do_idle+0x360/0x4f0 [ 31.515173] ? __pfx_do_idle+0x10/0x10 [ 31.515176] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 31.515181] ? complete+0x15b/0x1d0 [ 31.515186] cpu_startup_entry+0x5c/0x70 [ 31.515189] start_secondary+0x211/0x290 [ 31.515193] ? __pfx_start_secondary+0x10/0x10 [ 31.515197] common_startup_64+0x13e/0x148 [ 31.515203] </TASK> [ 31.515205] [ 31.750633] Allocated by task 241: [ 31.754038] kasan_save_stack+0x45/0x70 [ 31.757879] kasan_save_track+0x18/0x40 [ 31.761737] kasan_save_alloc_info+0x3b/0x50 [ 31.766014] __kasan_kmalloc+0xb7/0xc0 [ 31.769769] __kmalloc_cache_noprof+0x189/0x420 [ 31.774309] rcu_uaf+0xb0/0x330 [ 31.777455] kunit_try_run_case+0x1a2/0x480 [ 31.781649] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 31.787048] kthread+0x334/0x6f0 [ 31.790280] ret_from_fork+0x3e/0x80 [ 31.793859] ret_from_fork_asm+0x1a/0x30 [ 31.797786] [ 31.799284] Freed by task 0: [ 31.802171] kasan_save_stack+0x45/0x70 [ 31.806011] kasan_save_track+0x18/0x40 [ 31.809850] kasan_save_free_info+0x3f/0x60 [ 31.814036] __kasan_slab_free+0x56/0x70 [ 31.817960] kfree+0x222/0x3f0 [ 31.821021] rcu_uaf_reclaim+0x1f/0x60 [ 31.824780] rcu_core+0x669/0x1c30 [ 31.828187] rcu_core_si+0x12/0x20 [ 31.831593] handle_softirqs+0x206/0x730 [ 31.835527] __irq_exit_rcu+0xc9/0x110 [ 31.839281] irq_exit_rcu+0x12/0x20 [ 31.842780] sysvec_apic_timer_interrupt+0x81/0x90 [ 31.847573] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 31.852734] [ 31.854230] Last potentially related work creation: [ 31.859107] kasan_save_stack+0x45/0x70 [ 31.862947] kasan_record_aux_stack+0xb2/0xc0 [ 31.867305] __call_rcu_common.constprop.0+0x72/0x9c0 [ 31.872359] call_rcu+0x12/0x20 [ 31.875503] rcu_uaf+0x168/0x330 [ 31.878757] kunit_try_run_case+0x1a2/0x480 [ 31.882948] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 31.888349] kthread+0x334/0x6f0 [ 31.891580] ret_from_fork+0x3e/0x80 [ 31.895160] ret_from_fork_asm+0x1a/0x30 [ 31.899087] [ 31.900585] The buggy address belongs to the object at ffff888107f04880 [ 31.900585] which belongs to the cache kmalloc-32 of size 32 [ 31.912925] The buggy address is located 0 bytes inside of [ 31.912925] freed 32-byte region [ffff888107f04880, ffff888107f048a0) [ 31.924920] [ 31.926418] The buggy address belongs to the physical page: [ 31.931991] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107f04 [ 31.939989] flags: 0x200000000000000(node=0|zone=2) [ 31.944868] page_type: f5(slab) [ 31.948016] raw: 0200000000000000 ffff888100042780 dead000000000122 0000000000000000 [ 31.955765] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 31.963510] page dumped because: kasan: bad access detected [ 31.969082] [ 31.970581] Memory state around the buggy address: [ 31.975376] ffff888107f04780: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 31.982593] ffff888107f04800: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 31.989814] >ffff888107f04880: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 31.997031] ^ [ 32.000265] ffff888107f04900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.007484] ffff888107f04980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.014715] ==================================================================