Date
May 23, 2025, 11:07 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
```text
[   28.205823] ==================================================================
[   28.206118] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[   28.206281] Read of size 4 at addr fff00000c7775040 by task swapper/0/0
[   28.206419]
[   28.206540] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.15.0-rc7 #1 PREEMPT
[   28.206779] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.206860] Hardware name: linux,dummy-virt (DT)
[   28.206949] Call trace:
[   28.207016]  show_stack+0x20/0x38 (C)
[   28.207160]  dump_stack_lvl+0x8c/0xd0
[   28.207296]  print_report+0x118/0x608
[   28.207435]  kasan_report+0xdc/0x128
[   28.209279]  __asan_report_load4_noabort+0x20/0x30
[   28.209625]  rcu_uaf_reclaim+0x64/0x70
[   28.210583]  rcu_core+0x9f4/0x1e20
[   28.210895]  rcu_core_si+0x18/0x30
[   28.211181]  handle_softirqs+0x374/0xb28
[   28.211577]  __do_softirq+0x1c/0x28
[   28.212244]  ____do_softirq+0x18/0x30
[   28.212513]  call_on_irq_stack+0x24/0x58
[   28.212681]  do_softirq_own_stack+0x24/0x38
[   28.212799]  __irq_exit_rcu+0x1fc/0x318
[   28.212915]  irq_exit_rcu+0x1c/0x80
[   28.213035]  el1_interrupt+0x38/0x58
[   28.213178]  el1h_64_irq_handler+0x18/0x28
[   28.213322]  el1h_64_irq+0x6c/0x70
[   28.215488]  arch_local_irq_enable+0x4/0x8 (P)
[   28.215778]  do_idle+0x384/0x4e8
[   28.216707]  cpu_startup_entry+0x64/0x80
[   28.216914]  rest_init+0x160/0x188
[   28.217324]  start_kernel+0x310/0x3d8
[   28.217506]  __primary_switched+0x8c/0xa0
[   28.218299]
[   28.218371] Allocated by task 200:
[   28.218483]  kasan_save_stack+0x3c/0x68
[   28.218610]  kasan_save_track+0x20/0x40
[   28.218718]  kasan_save_alloc_info+0x40/0x58
[   28.218832]  __kasan_kmalloc+0xd4/0xd8
[   28.218943]  __kmalloc_cache_noprof+0x15c/0x3c0
[   28.219073]  rcu_uaf+0xb0/0x2d8
[   28.219176]  kunit_try_run_case+0x170/0x3f0
[   28.219299]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.219459]  kthread+0x328/0x630
[   28.219571]  ret_from_fork+0x10/0x20
[   28.219679]
[   28.219740] Freed by task 0:
[   28.219818]  kasan_save_stack+0x3c/0x68
[   28.219924]  kasan_save_track+0x20/0x40
[   28.222395]  kasan_save_free_info+0x4c/0x78
[   28.223390]  __kasan_slab_free+0x6c/0x98
[   28.223674]  kfree+0x214/0x3c8
[   28.223892]  rcu_uaf_reclaim+0x28/0x70
[   28.224058]  rcu_core+0x9f4/0x1e20
[   28.224147]  rcu_core_si+0x18/0x30
[   28.224235]  handle_softirqs+0x374/0xb28
[   28.224345]  __do_softirq+0x1c/0x28
[   28.225498]
[   28.226215] Last potentially related work creation:
[   28.226710]  kasan_save_stack+0x3c/0x68
[   28.226852]  kasan_record_aux_stack+0xb4/0xc8
[   28.227312]  __call_rcu_common.constprop.0+0x70/0x8b0
[   28.228122]  call_rcu+0x18/0x30
[   28.228223]  rcu_uaf+0x14c/0x2d8
[   28.228307]  kunit_try_run_case+0x170/0x3f0
[   28.228411]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.228554]  kthread+0x328/0x630
[   28.230854]  ret_from_fork+0x10/0x20
[   28.231087]
[   28.231183] The buggy address belongs to the object at fff00000c7775040
[   28.231183]  which belongs to the cache kmalloc-32 of size 32
[   28.231874] The buggy address is located 0 bytes inside of
[   28.231874]  freed 32-byte region [fff00000c7775040, fff00000c7775060)
[   28.232431]
[   28.232504] The buggy address belongs to the physical page:
[   28.232581] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107775
[   28.232735] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.234151] page_type: f5(slab)
[   28.234440] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   28.234871] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   28.235405] page dumped because: kasan: bad access detected
[   28.235892]
[   28.236305] Memory state around the buggy address:
[   28.236620]  fff00000c7774f00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   28.236764]  fff00000c7774f80: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   28.236900] >fff00000c7775000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   28.237020]                                            ^
[   28.238378]  fff00000c7775080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.239538]  fff00000c7775100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.240244] ==================================================================
```
```text
[   13.202107] ==================================================================
[   13.202604] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[   13.202973] Read of size 4 at addr ffff888102705040 by task swapper/0/0
[   13.203252]
[   13.203385] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary)
[   13.203436] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.203460] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.203481] Call Trace:
[   13.203506]  <IRQ>
[   13.203525]  dump_stack_lvl+0x73/0xb0
[   13.203555]  print_report+0xd1/0x650
[   13.203577]  ? __virt_addr_valid+0x1db/0x2d0
[   13.203611]  ? rcu_uaf_reclaim+0x50/0x60
[   13.203632]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.203654]  ? rcu_uaf_reclaim+0x50/0x60
[   13.203685]  kasan_report+0x141/0x180
[   13.203707]  ? rcu_uaf_reclaim+0x50/0x60
[   13.203732]  __asan_report_load4_noabort+0x18/0x20
[   13.203753]  rcu_uaf_reclaim+0x50/0x60
[   13.203773]  rcu_core+0x66c/0x1c30
[   13.203803]  ? __pfx_rcu_core+0x10/0x10
[   13.203826]  ? ktime_get+0x6b/0x150
[   13.203853]  rcu_core_si+0x12/0x20
[   13.203873]  handle_softirqs+0x209/0x730
[   13.203895]  ? hrtimer_interrupt+0x2fe/0x780
[   13.203918]  ? __pfx_handle_softirqs+0x10/0x10
[   13.203944]  __irq_exit_rcu+0xc9/0x110
[   13.203965]  irq_exit_rcu+0x12/0x20
[   13.203982]  sysvec_apic_timer_interrupt+0x81/0x90
[   13.204006]  </IRQ>
[   13.204030]  <TASK>
[   13.204041]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   13.204150] RIP: 0010:pv_native_safe_halt+0xf/0x20
[   13.204405] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 83 2d 28 00 fb f4 <e9> fc 1f 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[   13.204505] RSP: 0000:ffffffffa3c07dd8 EFLAGS: 00010202
[   13.204594] RAX: ffff8881b6093000 RBX: ffffffffa3c1ca80 RCX: ffffffffa2a07015
[   13.204640] RDX: ffffed102b606103 RSI: 0000000000000004 RDI: 0000000000013bd4
[   13.204683] RBP: ffffffffa3c07de0 R08: 0000000000000001 R09: ffffed102b606102
[   13.204725] R10: ffff88815b030813 R11: 0000000000000002 R12: 0000000000000000
[   13.204767] R13: fffffbfff4783950 R14: ffffffffa479bc10 R15: 0000000000000000
[   13.204824]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[   13.204877]  ? default_idle+0xd/0x20
[   13.204895]  arch_cpu_idle+0xd/0x20
[   13.204912]  default_idle_call+0x48/0x80
[   13.204931]  do_idle+0x379/0x4f0
[   13.204953]  ? __pfx_do_idle+0x10/0x10
[   13.204972]  ? trace_preempt_on+0x20/0xc0
[   13.204994]  ? schedule+0x86/0x2e0
[   13.205013]  ? preempt_count_sub+0x50/0x80
[   13.205037]  cpu_startup_entry+0x5c/0x70
[   13.205057]  rest_init+0x11a/0x140
[   13.205074]  ? acpi_subsystem_init+0x5d/0x150
[   13.205099]  start_kernel+0x32b/0x410
[   13.205120]  x86_64_start_reservations+0x1c/0x30
[   13.205141]  x86_64_start_kernel+0xcf/0xe0
[   13.205161]  common_startup_64+0x13e/0x148
[   13.205192]  </TASK>
[   13.205204]
[   13.217222] Allocated by task 217:
[   13.217406]  kasan_save_stack+0x45/0x70
[   13.217592]  kasan_save_track+0x18/0x40
[   13.217767]  kasan_save_alloc_info+0x3b/0x50
[   13.217953]  __kasan_kmalloc+0xb7/0xc0
[   13.218119]  __kmalloc_cache_noprof+0x189/0x420
[   13.218321]  rcu_uaf+0xb0/0x330
[   13.218872]  kunit_try_run_case+0x1a5/0x480
[   13.219227]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.219884]  kthread+0x337/0x6f0
[   13.220080]  ret_from_fork+0x41/0x80
[   13.220253]  ret_from_fork_asm+0x1a/0x30
[   13.220663]
[   13.220755] Freed by task 0:
[   13.221166]  kasan_save_stack+0x45/0x70
[   13.221379]  kasan_save_track+0x18/0x40
[   13.221688]  kasan_save_free_info+0x3f/0x60
[   13.222041]  __kasan_slab_free+0x56/0x70
[   13.222220]  kfree+0x222/0x3f0
[   13.222377]  rcu_uaf_reclaim+0x1f/0x60
[   13.222899]  rcu_core+0x66c/0x1c30
[   13.223179]  rcu_core_si+0x12/0x20
[   13.223496]  handle_softirqs+0x209/0x730
[   13.223694]  __irq_exit_rcu+0xc9/0x110
[   13.223873]  irq_exit_rcu+0x12/0x20
[   13.224046]  sysvec_apic_timer_interrupt+0x81/0x90
[   13.224258]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   13.224473]
[   13.225028] Last potentially related work creation:
[   13.225203]  kasan_save_stack+0x45/0x70
[   13.225515]  kasan_record_aux_stack+0xb2/0xc0
[   13.225674]  __call_rcu_common.constprop.0+0x72/0x9c0
[   13.225844]  call_rcu+0x12/0x20
[   13.225963]  rcu_uaf+0x168/0x330
[   13.226084]  kunit_try_run_case+0x1a5/0x480
[   13.226231]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.226420]  kthread+0x337/0x6f0
[   13.226539]  ret_from_fork+0x41/0x80
[   13.226675]  ret_from_fork_asm+0x1a/0x30
[   13.226829]
[   13.226911] The buggy address belongs to the object at ffff888102705040
[   13.226911]  which belongs to the cache kmalloc-32 of size 32
[   13.227264] The buggy address is located 0 bytes inside of
[   13.227264]  freed 32-byte region [ffff888102705040, ffff888102705060)
[   13.228607]
[   13.228837] The buggy address belongs to the physical page:
[   13.229381] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102705
[   13.229892] flags: 0x200000000000000(node=0|zone=2)
[   13.230134] page_type: f5(slab)
[   13.230581] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   13.231272] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   13.232166] page dumped because: kasan: bad access detected
[   13.233322]
[   13.233470] Memory state around the buggy address:
[   13.233994]  ffff888102704f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.234332]  ffff888102704f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.235354] >ffff888102705000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   13.235968]                                            ^
[   13.236702]  ffff888102705080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.237329]  ffff888102705100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.237912] ==================================================================
```
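Both reports above are the same KASAN KUnit case, `rcu_uaf`, firing on qemu-arm64 (first report, `Hardware name: linux,dummy-virt`) and on qemu-x86_64 (second report, `Hardware name: QEMU Standard PC`): the test allocates a `kmalloc-32` object, hands it to `call_rcu()`, and the callback `rcu_uaf_reclaim` frees it with `kfree()` and then reads it. The following is an added example, not code from this page or from the kernel's tooling: a small Python triage helper that extracts the fields a reviewer checks first (bug type, faulting function, access, cache, freed region, the three stacks) and cross-checks the faulting address against the "Memory state" dump. The sample input is a constructed excerpt copied from the qemu-x86_64 report with the stacks trimmed; the shadow-byte meanings are the generic-KASAN slab values (0x00 addressable, 0x01-0x07 partially addressable, 0xfa/0xfb freed, 0xfc redzone).

```python
"""KASAN slab-use-after-free report triage. Added example, not part of this
test-result page or of the kernel's tooling. Generic KASAN keeps one shadow byte
per 8-byte granule; each "Memory state" row prints 16 of them (128 bytes)."""
import re

GRANULE, ROW_GRANULES = 8, 16   # bytes per shadow byte, shadow bytes per row
SHADOW_MEANING = {              # generic-KASAN slab values, as in the legend
    0x00: "addressable",
    0xfa: "freed slab object (first granule, holds the free track)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
}
TS = re.compile(r"^\[\s*[\d.]+\]\s?")   # dmesg timestamp prefix
FRAME = re.compile(r"([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # skips x86 "? " frames
SHADOW_ROW = re.compile(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
SECTIONS = {"Allocated by": "alloc", "Freed by": "free",
            "Last potentially": "aux", "Memory state": "shadow"}

# Constructed sample: lines copied from the qemu-x86_64 report above, with the
# stack dumps trimmed to the frames the checks below look at.
SAMPLE = """\
[   13.202604] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[   13.202973] Read of size 4 at addr ffff888102705040 by task swapper/0/0
[   13.217222] Allocated by task 217:
[   13.218321]  rcu_uaf+0xb0/0x330
[   13.218872]  kunit_try_run_case+0x1a5/0x480
[   13.220755] Freed by task 0:
[   13.222220]  kfree+0x222/0x3f0
[   13.222377]  rcu_uaf_reclaim+0x1f/0x60
[   13.222899]  rcu_core+0x66c/0x1c30
[   13.225028] Last potentially related work creation:
[   13.225844]  call_rcu+0x12/0x20
[   13.225963]  rcu_uaf+0x168/0x330
[   13.226911]  which belongs to the cache kmalloc-32 of size 32
[   13.227264]  freed 32-byte region [ffff888102705040, ffff888102705060)
[   13.233470] Memory state around the buggy address:
[   13.234332]  ffff888102704f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.235354] >ffff888102705000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   13.235968]                                            ^
[   13.236702]  ffff888102705080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def parse_report(text):
    """Extract the header fields, the three stacks and the shadow rows."""
    r = {"alloc": [], "free": [], "aux": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r["bug"], r["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := re.match(r"freed \d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif hdr := next((s for s in SECTIONS if line.startswith(s)), None):
            section = SECTIONS[hdr]
        elif section == "shadow" and (m := SHADOW_ROW.match(line)):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section in ("alloc", "free", "aux") and (m := FRAME.match(line)):
            r[section].append(m[1])
    return r

def shadow_for(report, addr):
    """(row_base, index, value) of the shadow byte covering addr, or None."""
    row_base = addr & ~(GRANULE * ROW_GRANULES - 1)
    row = report["shadow"].get(row_base)
    if row is None:
        return None
    idx = (addr - row_base) // GRANULE
    return row_base, idx, row[idx]

def describe_shadow(value):
    if 1 <= value < GRANULE:
        return f"partially addressable ({value} of {GRANULE} bytes)"
    return SHADOW_MEANING.get(value, f"unknown (0x{value:02x})")

def triage(report):
    """Cross-check the report's own claims and flag the KASAN KUnit self-test."""
    addr, (start, end) = report["addr"], report["region"]
    sh = shadow_for(report, addr)
    return {
        "bug": f'{report["bug"]} in {report["func"]}',
        "offset_in_object": addr - start,
        "addr_in_freed_region": start <= addr < end,
        "shadow_byte": describe_shadow(sh[2]) if sh else "no shadow row printed",
        "shadow_agrees": sh is not None and sh[2] in (0xfa, 0xfb),
        # kfree() ran inside an RCU callback (rcu_core, softirq context) and the
        # same callback then read the object it had just freed.
        "freed_in_rcu_callback": "rcu_core" in report["free"]
        and report["func"] in report["free"],
        # Allocation and call_rcu() both come from the kasan KUnit case rcu_uaf:
        # this is the self-test's expected positive, not a regression in RCU.
        "kasan_selftest": "rcu_uaf" in report["alloc"] and "rcu_uaf" in report["aux"],
    }

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE)))
```

The shadow check is the part worth keeping in a CI triage script: the faulting address `0x...040` lands in the `>` row at granule index 8, whose byte is `fa`, and the four bytes `fa fb fb fb` exactly cover the 32-byte freed region the report names, so the header and the memory dump agree. The decoding only applies to generic (software) KASAN as run here; the tag-based modes (SW_TAGS, HW_TAGS on arm64 MTE) print memory tags in that dump instead, and the `0xfa`/`0xfb`/`0xfc` meanings do not carry over.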