Date
June 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 34.351644] ================================================================== [ 34.351833] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468 [ 34.351966] Read of size 1 at addr ffff000802cca000 by task kunit_try_catch/260 [ 34.355351] [ 34.356838] CPU: 0 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 34.356896] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.356913] Hardware name: WinLink E850-96 board (DT) [ 34.356936] Call trace: [ 34.356951] show_stack+0x20/0x38 (C) [ 34.356989] dump_stack_lvl+0x8c/0xd0 [ 34.357026] print_report+0x118/0x608 [ 34.357061] kasan_report+0xdc/0x128 [ 34.357096] __asan_report_load1_noabort+0x20/0x30 [ 34.357135] kmem_cache_rcu_uaf+0x388/0x468 [ 34.357169] kunit_try_run_case+0x170/0x3f0 [ 34.357209] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.357249] kthread+0x328/0x630 [ 34.357278] ret_from_fork+0x10/0x20 [ 34.357315] [ 34.419675] Allocated by task 260: [ 34.423062] kasan_save_stack+0x3c/0x68 [ 34.426878] kasan_save_track+0x20/0x40 [ 34.430697] kasan_save_alloc_info+0x40/0x58 [ 34.434950] __kasan_slab_alloc+0xa8/0xb0 [ 34.438943] kmem_cache_alloc_noprof+0x10c/0x398 [ 34.443544] kmem_cache_rcu_uaf+0x12c/0x468 [ 34.447710] kunit_try_run_case+0x170/0x3f0 [ 34.451877] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.457346] kthread+0x328/0x630 [ 34.460558] ret_from_fork+0x10/0x20 [ 34.464118] [ 34.465594] Freed by task 0: [ 34.468460] kasan_save_stack+0x3c/0x68 [ 34.472276] kasan_save_track+0x20/0x40 [ 34.476096] kasan_save_free_info+0x4c/0x78 [ 34.480262] __kasan_slab_free+0x6c/0x98 [ 34.484170] slab_free_after_rcu_debug+0xd4/0x2f8 [ 34.488856] rcu_core+0x9f4/0x1e20 [ 34.492241] rcu_core_si+0x18/0x30 [ 34.495627] handle_softirqs+0x374/0xb28 [ 34.499533] __do_softirq+0x1c/0x28 [ 34.503005] [ 34.504482] Last potentially related work creation: [ 34.509343] kasan_save_stack+0x3c/0x68 [ 34.513161] kasan_record_aux_stack+0xb4/0xc8 [ 34.517501] kmem_cache_free+0x120/0x468 [ 34.521407] kmem_cache_rcu_uaf+0x16c/0x468 [ 34.525574] kunit_try_run_case+0x170/0x3f0 [ 34.529740] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.535209] kthread+0x328/0x630 [ 34.538421] ret_from_fork+0x10/0x20 [ 34.541980] [ 34.543455] The buggy address belongs to the object at ffff000802cca000 [ 34.543455] which belongs to the cache test_cache of size 200 [ 34.555872] The buggy address is located 0 bytes inside of [ 34.555872] freed 200-byte region [ffff000802cca000, ffff000802cca0c8) [ 34.567934] [ 34.569414] The buggy address belongs to the physical page: [ 34.574970] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882cca [ 34.582954] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 34.590593] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 34.597538] page_type: f5(slab) [ 34.600675] raw: 0bfffe0000000040 ffff00080179fa40 dead000000000122 0000000000000000 [ 34.608392] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000 [ 34.616120] head: 0bfffe0000000040 ffff00080179fa40 dead000000000122 0000000000000000 [ 34.623930] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000 [ 34.631743] head: 0bfffe0000000001 fffffdffe00b3281 00000000ffffffff 00000000ffffffff [ 34.639555] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 34.647360] page dumped because: kasan: bad access detected [ 34.652915] [ 34.654391] Memory state around the buggy address: [ 34.659173] ffff000802cc9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.666374] ffff000802cc9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.673580] >ffff000802cca000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.680780] ^ [ 34.683995] ffff000802cca080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 34.691200] ffff000802cca100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.698402] ==================================================================
[ 27.285288] ================================================================== [ 27.285478] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468 [ 27.285636] Read of size 1 at addr fff00000c6427000 by task kunit_try_catch/213 [ 27.285757] [ 27.285848] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 27.288255] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.288343] Hardware name: linux,dummy-virt (DT) [ 27.288435] Call trace: [ 27.288503] show_stack+0x20/0x38 (C) [ 27.288743] dump_stack_lvl+0x8c/0xd0 [ 27.290546] print_report+0x118/0x608 [ 27.291225] kasan_report+0xdc/0x128 [ 27.292235] __asan_report_load1_noabort+0x20/0x30 [ 27.292372] kmem_cache_rcu_uaf+0x388/0x468 [ 27.293034] kunit_try_run_case+0x170/0x3f0 [ 27.293728] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.294212] kthread+0x328/0x630 [ 27.294884] ret_from_fork+0x10/0x20 [ 27.295045] [ 27.295097] Allocated by task 213: [ 27.295714] kasan_save_stack+0x3c/0x68 [ 27.295991] kasan_save_track+0x20/0x40 [ 27.296156] kasan_save_alloc_info+0x40/0x58 [ 27.296535] __kasan_slab_alloc+0xa8/0xb0 [ 27.296637] kmem_cache_alloc_noprof+0x10c/0x398 [ 27.297370] kmem_cache_rcu_uaf+0x12c/0x468 [ 27.297479] kunit_try_run_case+0x170/0x3f0 [ 27.297535] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.297592] kthread+0x328/0x630 [ 27.297637] ret_from_fork+0x10/0x20 [ 27.297685] [ 27.297708] Freed by task 0: [ 27.297744] kasan_save_stack+0x3c/0x68 [ 27.297796] kasan_save_track+0x20/0x40 [ 27.297846] kasan_save_free_info+0x4c/0x78 [ 27.297898] __kasan_slab_free+0x6c/0x98 [ 27.298462] slab_free_after_rcu_debug+0xd4/0x2f8 [ 27.298573] rcu_core+0x9f4/0x1e20 [ 27.298667] rcu_core_si+0x18/0x30 [ 27.299182] handle_softirqs+0x374/0xb28 [ 27.299871] __do_softirq+0x1c/0x28 [ 27.299991] [ 27.300037] Last potentially related work creation: [ 27.300564] kasan_save_stack+0x3c/0x68 [ 27.300726] kasan_record_aux_stack+0xb4/0xc8 [ 27.301291] kmem_cache_free+0x120/0x468 [ 27.301394] kmem_cache_rcu_uaf+0x16c/0x468 [ 27.301492] kunit_try_run_case+0x170/0x3f0 [ 27.301584] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.301970] kthread+0x328/0x630 [ 27.302085] ret_from_fork+0x10/0x20 [ 27.302390] [ 27.302483] The buggy address belongs to the object at fff00000c6427000 [ 27.302483] which belongs to the cache test_cache of size 200 [ 27.302776] The buggy address is located 0 bytes inside of [ 27.302776] freed 200-byte region [fff00000c6427000, fff00000c64270c8) [ 27.302952] [ 27.303086] The buggy address belongs to the physical page: [ 27.303492] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106427 [ 27.303709] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.304550] page_type: f5(slab) [ 27.304967] raw: 0bfffe0000000000 fff00000c569fa00 dead000000000122 0000000000000000 [ 27.305134] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 27.305437] page dumped because: kasan: bad access detected [ 27.305516] [ 27.305962] Memory state around the buggy address: [ 27.306057] fff00000c6426f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 27.306165] fff00000c6426f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.306273] >fff00000c6427000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.306530] ^ [ 27.307014] fff00000c6427080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 27.307251] fff00000c6427100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.307694] ==================================================================
[ 27.340191] ================================================================== [ 27.340419] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468 [ 27.340949] Read of size 1 at addr fff00000c7708000 by task kunit_try_catch/213 [ 27.341931] [ 27.342094] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 27.342294] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.342700] Hardware name: linux,dummy-virt (DT) [ 27.343253] Call trace: [ 27.343735] show_stack+0x20/0x38 (C) [ 27.344268] dump_stack_lvl+0x8c/0xd0 [ 27.344811] print_report+0x118/0x608 [ 27.344962] kasan_report+0xdc/0x128 [ 27.345140] __asan_report_load1_noabort+0x20/0x30 [ 27.345444] kmem_cache_rcu_uaf+0x388/0x468 [ 27.345771] kunit_try_run_case+0x170/0x3f0 [ 27.345951] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.346201] kthread+0x328/0x630 [ 27.346318] ret_from_fork+0x10/0x20 [ 27.346463] [ 27.346604] Allocated by task 213: [ 27.346771] kasan_save_stack+0x3c/0x68 [ 27.346901] kasan_save_track+0x20/0x40 [ 27.347083] kasan_save_alloc_info+0x40/0x58 [ 27.347262] __kasan_slab_alloc+0xa8/0xb0 [ 27.347377] kmem_cache_alloc_noprof+0x10c/0x398 [ 27.347494] kmem_cache_rcu_uaf+0x12c/0x468 [ 27.347615] kunit_try_run_case+0x170/0x3f0 [ 27.347823] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.347995] kthread+0x328/0x630 [ 27.348088] ret_from_fork+0x10/0x20 [ 27.348178] [ 27.348235] Freed by task 0: [ 27.348371] kasan_save_stack+0x3c/0x68 [ 27.348476] kasan_save_track+0x20/0x40 [ 27.348586] kasan_save_free_info+0x4c/0x78 [ 27.348768] __kasan_slab_free+0x6c/0x98 [ 27.348920] slab_free_after_rcu_debug+0xd4/0x2f8 [ 27.349090] rcu_core+0x9f4/0x1e20 [ 27.349159] rcu_core_si+0x18/0x30 [ 27.349246] handle_softirqs+0x374/0xb28 [ 27.349369] __do_softirq+0x1c/0x28 [ 27.349578] [ 27.349634] Last potentially related work creation: [ 27.349708] kasan_save_stack+0x3c/0x68 [ 27.349976] kasan_record_aux_stack+0xb4/0xc8 [ 27.350113] kmem_cache_free+0x120/0x468 [ 27.350350] kmem_cache_rcu_uaf+0x16c/0x468 [ 27.350450] kunit_try_run_case+0x170/0x3f0 [ 27.350554] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.350713] kthread+0x328/0x630 [ 27.350978] ret_from_fork+0x10/0x20 [ 27.351109] [ 27.351238] The buggy address belongs to the object at fff00000c7708000 [ 27.351238] which belongs to the cache test_cache of size 200 [ 27.351443] The buggy address is located 0 bytes inside of [ 27.351443] freed 200-byte region [fff00000c7708000, fff00000c77080c8) [ 27.351596] [ 27.351717] The buggy address belongs to the physical page: [ 27.351815] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107708 [ 27.351970] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.352110] page_type: f5(slab) [ 27.352757] raw: 0bfffe0000000000 fff00000c770b000 dead000000000122 0000000000000000 [ 27.352931] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 27.353046] page dumped because: kasan: bad access detected [ 27.353547] [ 27.354064] Memory state around the buggy address: [ 27.354379] fff00000c7707f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.354769] fff00000c7707f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.354900] >fff00000c7708000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.355011] ^ [ 27.355094] fff00000c7708080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 27.355203] fff00000c7708100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.355366] ==================================================================
[ 20.357110] ================================================================== [ 20.358785] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510 [ 20.359898] Read of size 1 at addr ffff888101b3b000 by task kunit_try_catch/231 [ 20.360833] [ 20.361534] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 20.361691] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.361729] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.361793] Call Trace: [ 20.361848] <TASK> [ 20.361903] dump_stack_lvl+0x73/0xb0 [ 20.361986] print_report+0xd1/0x650 [ 20.362024] ? __virt_addr_valid+0x1db/0x2d0 [ 20.362060] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 20.362098] ? kasan_complete_mode_report_info+0x64/0x200 [ 20.362129] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 20.362163] kasan_report+0x141/0x180 [ 20.362193] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 20.362245] __asan_report_load1_noabort+0x18/0x20 [ 20.362302] kmem_cache_rcu_uaf+0x3e3/0x510 [ 20.362338] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10 [ 20.362370] ? finish_task_switch.isra.0+0x153/0x700 [ 20.362403] ? __switch_to+0x47/0xf50 [ 20.362442] ? __pfx_read_tsc+0x10/0x10 [ 20.362471] ? ktime_get_ts64+0x86/0x230 [ 20.362534] kunit_try_run_case+0x1a5/0x480 [ 20.362749] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.362787] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 20.362824] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.362859] ? __kthread_parkme+0x82/0x180 [ 20.362888] ? preempt_count_sub+0x50/0x80 [ 20.362918] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.362955] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.362988] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.363022] kthread+0x337/0x6f0 [ 20.363049] ? trace_preempt_on+0x20/0xc0 [ 20.363082] ? __pfx_kthread+0x10/0x10 [ 20.363110] ? _raw_spin_unlock_irq+0x47/0x80 [ 20.363140] ? calculate_sigpending+0x7b/0xa0 [ 20.363175] ? __pfx_kthread+0x10/0x10 [ 20.363204] ret_from_fork+0x116/0x1d0 [ 20.363238] ? __pfx_kthread+0x10/0x10 [ 20.363306] ret_from_fork_asm+0x1a/0x30 [ 20.363353] </TASK> [ 20.363369] [ 20.384338] Allocated by task 231: [ 20.385051] kasan_save_stack+0x45/0x70 [ 20.385451] kasan_save_track+0x18/0x40 [ 20.385811] kasan_save_alloc_info+0x3b/0x50 [ 20.386148] __kasan_slab_alloc+0x91/0xa0 [ 20.386578] kmem_cache_alloc_noprof+0x123/0x3f0 [ 20.387094] kmem_cache_rcu_uaf+0x155/0x510 [ 20.387780] kunit_try_run_case+0x1a5/0x480 [ 20.388706] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.389043] kthread+0x337/0x6f0 [ 20.389287] ret_from_fork+0x116/0x1d0 [ 20.390336] ret_from_fork_asm+0x1a/0x30 [ 20.391348] [ 20.391862] Freed by task 0: [ 20.392634] kasan_save_stack+0x45/0x70 [ 20.393643] kasan_save_track+0x18/0x40 [ 20.394676] kasan_save_free_info+0x3f/0x60 [ 20.395062] __kasan_slab_free+0x56/0x70 [ 20.395808] slab_free_after_rcu_debug+0xe4/0x310 [ 20.396374] rcu_core+0x66f/0x1c40 [ 20.397074] rcu_core_si+0x12/0x20 [ 20.397471] handle_softirqs+0x209/0x730 [ 20.398156] __irq_exit_rcu+0xc9/0x110 [ 20.399117] irq_exit_rcu+0x12/0x20 [ 20.400027] sysvec_apic_timer_interrupt+0x81/0x90 [ 20.400528] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 20.400945] [ 20.401182] Last potentially related work creation: [ 20.401644] kasan_save_stack+0x45/0x70 [ 20.402416] kasan_record_aux_stack+0xb2/0xc0 [ 20.402989] kmem_cache_free+0x131/0x420 [ 20.403463] kmem_cache_rcu_uaf+0x194/0x510 [ 20.404717] kunit_try_run_case+0x1a5/0x480 [ 20.405107] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.405948] kthread+0x337/0x6f0 [ 20.406345] ret_from_fork+0x116/0x1d0 [ 20.406904] ret_from_fork_asm+0x1a/0x30 [ 20.407329] [ 20.408089] The buggy address belongs to the object at ffff888101b3b000 [ 20.408089] which belongs to the cache test_cache of size 200 [ 20.409458] The buggy address is located 0 bytes inside of [ 20.409458] freed 200-byte region [ffff888101b3b000, ffff888101b3b0c8) [ 20.411022] [ 20.411415] The buggy address belongs to the physical page: [ 20.413284] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b3b [ 20.413896] flags: 0x200000000000000(node=0|zone=2) [ 20.414406] page_type: f5(slab) [ 20.414771] raw: 0200000000000000 ffff8881010fd640 dead000000000122 0000000000000000 [ 20.415436] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 20.417093] page dumped because: kasan: bad access detected [ 20.417752] [ 20.417962] Memory state around the buggy address: [ 20.418435] ffff888101b3af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.418984] ffff888101b3af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.420022] >ffff888101b3b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.420686] ^ [ 20.421146] ffff888101b3b080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 20.422588] ffff888101b3b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.423344] ==================================================================
[ 19.229080] ================================================================== [ 19.230076] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510 [ 19.231970] Read of size 1 at addr ffff8881038e4000 by task kunit_try_catch/231 [ 19.233419] [ 19.234024] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.234167] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.234204] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.234274] Call Trace: [ 19.234315] <TASK> [ 19.234365] dump_stack_lvl+0x73/0xb0 [ 19.234460] print_report+0xd1/0x650 [ 19.234524] ? __virt_addr_valid+0x1db/0x2d0 [ 19.234584] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 19.234637] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.234772] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 19.234856] kasan_report+0x141/0x180 [ 19.234967] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 19.235174] __asan_report_load1_noabort+0x18/0x20 [ 19.235262] kmem_cache_rcu_uaf+0x3e3/0x510 [ 19.235344] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10 [ 19.235419] ? finish_task_switch.isra.0+0x153/0x700 [ 19.235488] ? __switch_to+0x47/0xf50 [ 19.235665] ? __pfx_read_tsc+0x10/0x10 [ 19.235744] ? ktime_get_ts64+0x86/0x230 [ 19.235869] kunit_try_run_case+0x1a5/0x480 [ 19.235946] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.236008] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.236045] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.236080] ? __kthread_parkme+0x82/0x180 [ 19.236153] ? preempt_count_sub+0x50/0x80 [ 19.236191] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.236228] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.236263] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.236299] kthread+0x337/0x6f0 [ 19.236327] ? trace_preempt_on+0x20/0xc0 [ 19.236362] ? __pfx_kthread+0x10/0x10 [ 19.236390] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.236421] ? calculate_sigpending+0x7b/0xa0 [ 19.236455] ? __pfx_kthread+0x10/0x10 [ 19.236485] ret_from_fork+0x116/0x1d0 [ 19.236518] ? __pfx_kthread+0x10/0x10 [ 19.236609] ret_from_fork_asm+0x1a/0x30 [ 19.236676] </TASK> [ 19.236693] [ 19.258980] Allocated by task 231: [ 19.259349] kasan_save_stack+0x45/0x70 [ 19.259783] kasan_save_track+0x18/0x40 [ 19.260298] kasan_save_alloc_info+0x3b/0x50 [ 19.260720] __kasan_slab_alloc+0x91/0xa0 [ 19.261252] kmem_cache_alloc_noprof+0x123/0x3f0 [ 19.261717] kmem_cache_rcu_uaf+0x155/0x510 [ 19.262082] kunit_try_run_case+0x1a5/0x480 [ 19.263022] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.263491] kthread+0x337/0x6f0 [ 19.264416] ret_from_fork+0x116/0x1d0 [ 19.265205] ret_from_fork_asm+0x1a/0x30 [ 19.265897] [ 19.266242] Freed by task 0: [ 19.266970] kasan_save_stack+0x45/0x70 [ 19.267918] kasan_save_track+0x18/0x40 [ 19.268448] kasan_save_free_info+0x3f/0x60 [ 19.269182] __kasan_slab_free+0x56/0x70 [ 19.269506] slab_free_after_rcu_debug+0xe4/0x310 [ 19.270428] rcu_core+0x66f/0x1c40 [ 19.271040] rcu_core_si+0x12/0x20 [ 19.272119] handle_softirqs+0x209/0x730 [ 19.272512] __irq_exit_rcu+0xc9/0x110 [ 19.273591] irq_exit_rcu+0x12/0x20 [ 19.274257] sysvec_apic_timer_interrupt+0x81/0x90 [ 19.274789] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 19.275250] [ 19.275487] Last potentially related work creation: [ 19.275870] kasan_save_stack+0x45/0x70 [ 19.276368] kasan_record_aux_stack+0xb2/0xc0 [ 19.276784] kmem_cache_free+0x131/0x420 [ 19.277160] kmem_cache_rcu_uaf+0x194/0x510 [ 19.277622] kunit_try_run_case+0x1a5/0x480 [ 19.278426] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.278862] kthread+0x337/0x6f0 [ 19.279573] ret_from_fork+0x116/0x1d0 [ 19.279932] ret_from_fork_asm+0x1a/0x30 [ 19.280632] [ 19.280867] The buggy address belongs to the object at ffff8881038e4000 [ 19.280867] which belongs to the cache test_cache of size 200 [ 19.282752] The buggy address is located 0 bytes inside of [ 19.282752] freed 200-byte region [ffff8881038e4000, ffff8881038e40c8) [ 19.284784] [ 19.285333] The buggy address belongs to the physical page: [ 19.286401] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038e4 [ 19.287457] flags: 0x200000000000000(node=0|zone=2) [ 19.287945] page_type: f5(slab) [ 19.288943] raw: 0200000000000000 ffff88810111b280 dead000000000122 0000000000000000 [ 19.289715] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 19.290777] page dumped because: kasan: bad access detected [ 19.291392] [ 19.291574] Memory state around the buggy address: [ 19.291970] ffff8881038e3f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 19.292961] ffff8881038e3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.293998] >ffff8881038e4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.294540] ^ [ 19.294816] ffff8881038e4080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 19.295331] ffff8881038e4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.295836] ==================================================================
[ 21.380943] ================================================================== [ 21.382067] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468 [ 21.382752] Read of size 1 at addr ffff00000f560000 by task kunit_try_catch/266 [ 21.383431] [ 21.383596] CPU: 3 UID: 0 PID: 266 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 21.383645] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.383659] Hardware name: Radxa ROCK Pi 4B (DT) [ 21.383677] Call trace: [ 21.383688] show_stack+0x20/0x38 (C) [ 21.383722] dump_stack_lvl+0x8c/0xd0 [ 21.383757] print_report+0x118/0x608 [ 21.383792] kasan_report+0xdc/0x128 [ 21.383823] __asan_report_load1_noabort+0x20/0x30 [ 21.383861] kmem_cache_rcu_uaf+0x388/0x468 [ 21.383892] kunit_try_run_case+0x170/0x3f0 [ 21.383926] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.383963] kthread+0x328/0x630 [ 21.383990] ret_from_fork+0x10/0x20 [ 21.384023] [ 21.389602] Allocated by task 266: [ 21.389930] kasan_save_stack+0x3c/0x68 [ 21.390307] kasan_save_track+0x20/0x40 [ 21.390682] kasan_save_alloc_info+0x40/0x58 [ 21.391099] __kasan_slab_alloc+0xa8/0xb0 [ 21.391490] kmem_cache_alloc_noprof+0x10c/0x398 [ 21.391936] kmem_cache_rcu_uaf+0x12c/0x468 [ 21.392341] kunit_try_run_case+0x170/0x3f0 [ 21.392746] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.393270] kthread+0x328/0x630 [ 21.393585] ret_from_fork+0x10/0x20 [ 21.393935] [ 21.394088] Freed by task 0: [ 21.394366] kasan_save_stack+0x3c/0x68 [ 21.394741] kasan_save_track+0x20/0x40 [ 21.395116] kasan_save_free_info+0x4c/0x78 [ 21.395524] __kasan_slab_free+0x6c/0x98 [ 21.395907] slab_free_after_rcu_debug+0xd4/0x2f8 [ 21.396358] rcu_core+0x9f4/0x1e20 [ 21.396694] rcu_core_si+0x18/0x30 [ 21.397029] handle_softirqs+0x374/0xb28 [ 21.397412] __do_softirq+0x1c/0x28 [ 21.397752] [ 21.397905] Last potentially related work creation: [ 21.398356] kasan_save_stack+0x3c/0x68 [ 21.398732] kasan_record_aux_stack+0xb4/0xc8 [ 21.399156] kmem_cache_free+0x120/0x468 [ 21.399537] kmem_cache_rcu_uaf+0x16c/0x468 [ 21.399941] kunit_try_run_case+0x170/0x3f0 [ 21.400347] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.400870] kthread+0x328/0x630 [ 21.401187] ret_from_fork+0x10/0x20 [ 21.401536] [ 21.401689] The buggy address belongs to the object at ffff00000f560000 [ 21.401689] which belongs to the cache test_cache of size 200 [ 21.402814] The buggy address is located 0 bytes inside of [ 21.402814] freed 200-byte region [ffff00000f560000, ffff00000f5600c8) [ 21.403910] [ 21.404065] The buggy address belongs to the physical page: [ 21.404580] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf560 [ 21.405305] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 21.406012] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) [ 21.406663] page_type: f5(slab) [ 21.406976] raw: 03fffe0000000040 ffff00000daa4000 dead000000000122 0000000000000000 [ 21.407690] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000 [ 21.408405] head: 03fffe0000000040 ffff00000daa4000 dead000000000122 0000000000000000 [ 21.409128] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000 [ 21.409852] head: 03fffe0000000001 fffffdffc03d5801 00000000ffffffff 00000000ffffffff [ 21.410574] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 21.411288] page dumped because: kasan: bad access detected [ 21.411803] [ 21.411955] Memory state around the buggy address: [ 21.412404] ffff00000f55ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.413069] ffff00000f55ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.413734] >ffff00000f560000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.414395] ^ [ 21.414704] ffff00000f560080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 21.415370] ffff00000f560100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.416031] ==================================================================