Date
June 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 32.571518] ================================================================== [ 32.571693] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 32.571818] Read of size 4 at addr ffff000800c30c00 by task swapper/5/0 [ 32.572879] [ 32.574369] CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 32.574425] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.574441] Hardware name: WinLink E850-96 board (DT) [ 32.574464] Call trace: [ 32.574479] show_stack+0x20/0x38 (C) [ 32.574515] dump_stack_lvl+0x8c/0xd0 [ 32.574553] print_report+0x118/0x608 [ 32.574589] kasan_report+0xdc/0x128 [ 32.574625] __asan_report_load4_noabort+0x20/0x30 [ 32.574662] rcu_uaf_reclaim+0x64/0x70 [ 32.574691] rcu_core+0x9f4/0x1e20 [ 32.574724] rcu_core_si+0x18/0x30 [ 32.574754] handle_softirqs+0x374/0xb28 [ 32.574789] __do_softirq+0x1c/0x28 [ 32.574821] ____do_softirq+0x18/0x30 [ 32.574857] call_on_irq_stack+0x24/0x30 [ 32.574886] do_softirq_own_stack+0x24/0x38 [ 32.574916] __irq_exit_rcu+0x1fc/0x318 [ 32.574946] irq_exit_rcu+0x1c/0x80 [ 32.574975] el1_interrupt+0x38/0x58 [ 32.575013] el1h_64_irq_handler+0x18/0x28 [ 32.575041] el1h_64_irq+0x6c/0x70 [ 32.575068] arch_local_irq_enable+0x4/0x8 (P) [ 32.575103] do_idle+0x384/0x4e8 [ 32.575134] cpu_startup_entry+0x64/0x80 [ 32.575167] secondary_start_kernel+0x288/0x340 [ 32.575200] __secondary_switched+0xc0/0xc8 [ 32.575243] [ 32.684076] Allocated by task 245: [ 32.687463] kasan_save_stack+0x3c/0x68 [ 32.691281] kasan_save_track+0x20/0x40 [ 32.695100] kasan_save_alloc_info+0x40/0x58 [ 32.699352] __kasan_kmalloc+0xd4/0xd8 [ 32.703085] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.707599] rcu_uaf+0xb0/0x2d8 [ 32.710724] kunit_try_run_case+0x170/0x3f0 [ 32.714890] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.720359] kthread+0x328/0x630 [ 32.723571] ret_from_fork+0x10/0x20 [ 32.727130] [ 32.728605] Freed by task 0: [ 32.731472] kasan_save_stack+0x3c/0x68 [ 32.735289] kasan_save_track+0x20/0x40 [ 32.739109] kasan_save_free_info+0x4c/0x78 [ 32.743275] __kasan_slab_free+0x6c/0x98 [ 32.747181] kfree+0x214/0x3c8 [ 32.750220] rcu_uaf_reclaim+0x28/0x70 [ 32.753954] rcu_core+0x9f4/0x1e20 [ 32.757338] rcu_core_si+0x18/0x30 [ 32.760725] handle_softirqs+0x374/0xb28 [ 32.764630] __do_softirq+0x1c/0x28 [ 32.768102] [ 32.769579] Last potentially related work creation: [ 32.774440] kasan_save_stack+0x3c/0x68 [ 32.778257] kasan_record_aux_stack+0xb4/0xc8 [ 32.782598] __call_rcu_common.constprop.0+0x70/0x8b0 [ 32.787632] call_rcu+0x18/0x30 [ 32.790759] rcu_uaf+0x14c/0x2d8 [ 32.793969] kunit_try_run_case+0x170/0x3f0 [ 32.798136] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.803604] kthread+0x328/0x630 [ 32.806816] ret_from_fork+0x10/0x20 [ 32.810375] [ 32.811852] The buggy address belongs to the object at ffff000800c30c00 [ 32.811852] which belongs to the cache kmalloc-32 of size 32 [ 32.824180] The buggy address is located 0 bytes inside of [ 32.824180] freed 32-byte region [ffff000800c30c00, ffff000800c30c20) [ 32.836156] [ 32.837635] The buggy address belongs to the physical page: [ 32.843191] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880c30 [ 32.851177] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.857685] page_type: f5(slab) [ 32.860823] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000 [ 32.868541] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 32.876261] page dumped because: kasan: bad access detected [ 32.881815] [ 32.883290] Memory state around the buggy address: [ 32.888071] ffff000800c30b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 32.895274] ffff000800c30b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 32.902480] >ffff000800c30c00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 32.909679] ^ [ 32.912895] ffff000800c30c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.920100] ffff000800c30d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.927302] ==================================================================
[ 26.064049] ================================================================== [ 26.064300] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 26.064458] Read of size 4 at addr fff00000c641c180 by task swapper/0/0 [ 26.064578] [ 26.064774] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 26.065050] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.065198] Hardware name: linux,dummy-virt (DT) [ 26.065413] Call trace: [ 26.065482] show_stack+0x20/0x38 (C) [ 26.065628] dump_stack_lvl+0x8c/0xd0 [ 26.065755] print_report+0x118/0x608 [ 26.065878] kasan_report+0xdc/0x128 [ 26.066020] __asan_report_load4_noabort+0x20/0x30 [ 26.066152] rcu_uaf_reclaim+0x64/0x70 [ 26.066685] rcu_core+0x9f4/0x1e20 [ 26.066923] rcu_core_si+0x18/0x30 [ 26.067198] handle_softirqs+0x374/0xb28 [ 26.067414] __do_softirq+0x1c/0x28 [ 26.067772] ____do_softirq+0x18/0x30 [ 26.067896] call_on_irq_stack+0x24/0x30 [ 26.068033] do_softirq_own_stack+0x24/0x38 [ 26.070040] __irq_exit_rcu+0x1fc/0x318 [ 26.070663] irq_exit_rcu+0x1c/0x80 [ 26.070785] el1_interrupt+0x38/0x58 [ 26.071439] el1h_64_irq_handler+0x18/0x28 [ 26.071590] el1h_64_irq+0x6c/0x70 [ 26.071849] arch_local_irq_enable+0x4/0x8 (P) [ 26.072057] do_idle+0x384/0x4e8 [ 26.072251] cpu_startup_entry+0x64/0x80 [ 26.073004] rest_init+0x160/0x188 [ 26.073141] start_kernel+0x30c/0x3d0 [ 26.073290] __primary_switched+0x8c/0xa0 [ 26.073433] [ 26.073482] Allocated by task 198: [ 26.073582] kasan_save_stack+0x3c/0x68 [ 26.073690] kasan_save_track+0x20/0x40 [ 26.073785] kasan_save_alloc_info+0x40/0x58 [ 26.073962] __kasan_kmalloc+0xd4/0xd8 [ 26.074068] __kmalloc_cache_noprof+0x16c/0x3c0 [ 26.074361] rcu_uaf+0xb0/0x2d8 [ 26.074472] kunit_try_run_case+0x170/0x3f0 [ 26.074686] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.074801] kthread+0x328/0x630 [ 26.074914] ret_from_fork+0x10/0x20 [ 26.075059] [ 26.075158] Freed by task 0: [ 26.075262] kasan_save_stack+0x3c/0x68 [ 26.075386] kasan_save_track+0x20/0x40 [ 26.075492] kasan_save_free_info+0x4c/0x78 [ 26.075611] __kasan_slab_free+0x6c/0x98 [ 26.075784] kfree+0x214/0x3c8 [ 26.075883] rcu_uaf_reclaim+0x28/0x70 [ 26.076013] rcu_core+0x9f4/0x1e20 [ 26.076200] rcu_core_si+0x18/0x30 [ 26.076396] handle_softirqs+0x374/0xb28 [ 26.076558] __do_softirq+0x1c/0x28 [ 26.076684] [ 26.076823] Last potentially related work creation: [ 26.076913] kasan_save_stack+0x3c/0x68 [ 26.077085] kasan_record_aux_stack+0xb4/0xc8 [ 26.077211] __call_rcu_common.constprop.0+0x70/0x8b0 [ 26.077330] call_rcu+0x18/0x30 [ 26.077423] rcu_uaf+0x14c/0x2d8 [ 26.077559] kunit_try_run_case+0x170/0x3f0 [ 26.077656] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.077766] kthread+0x328/0x630 [ 26.077867] ret_from_fork+0x10/0x20 [ 26.078189] [ 26.078254] The buggy address belongs to the object at fff00000c641c180 [ 26.078254] which belongs to the cache kmalloc-32 of size 32 [ 26.078446] The buggy address is located 0 bytes inside of [ 26.078446] freed 32-byte region [fff00000c641c180, fff00000c641c1a0) [ 26.078654] [ 26.078819] The buggy address belongs to the physical page: [ 26.078916] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10641c [ 26.079127] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 26.079499] page_type: f5(slab) [ 26.079608] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 26.079736] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 26.079837] page dumped because: kasan: bad access detected [ 26.079912] [ 26.079996] Memory state around the buggy address: [ 26.080174] fff00000c641c080: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc [ 26.080391] fff00000c641c100: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 26.080536] >fff00000c641c180: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 26.080637] ^ [ 26.080721] fff00000c641c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.080866] fff00000c641c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.080988] ==================================================================
[ 26.306313] ================================================================== [ 26.306545] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 26.309457] Read of size 4 at addr fff00000c773e240 by task swapper/0/0 [ 26.310109] [ 26.310201] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 26.311496] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.311570] Hardware name: linux,dummy-virt (DT) [ 26.312609] Call trace: [ 26.313099] show_stack+0x20/0x38 (C) [ 26.313272] dump_stack_lvl+0x8c/0xd0 [ 26.313404] print_report+0x118/0x608 [ 26.314375] kasan_report+0xdc/0x128 [ 26.314498] __asan_report_load4_noabort+0x20/0x30 [ 26.314628] rcu_uaf_reclaim+0x64/0x70 [ 26.314742] rcu_core+0x9f4/0x1e20 [ 26.317492] rcu_core_si+0x18/0x30 [ 26.318691] handle_softirqs+0x374/0xb28 [ 26.319098] __do_softirq+0x1c/0x28 [ 26.319641] ____do_softirq+0x18/0x30 [ 26.320919] call_on_irq_stack+0x24/0x30 [ 26.321381] do_softirq_own_stack+0x24/0x38 [ 26.321520] __irq_exit_rcu+0x1fc/0x318 [ 26.322486] irq_exit_rcu+0x1c/0x80 [ 26.322608] el1_interrupt+0x38/0x58 [ 26.322728] el1h_64_irq_handler+0x18/0x28 [ 26.322864] el1h_64_irq+0x6c/0x70 [ 26.323562] arch_local_irq_enable+0x4/0x8 (P) [ 26.323704] do_idle+0x384/0x4e8 [ 26.323830] cpu_startup_entry+0x64/0x80 [ 26.323970] rest_init+0x160/0x188 [ 26.324109] start_kernel+0x30c/0x3d0 [ 26.324297] __primary_switched+0x8c/0xa0 [ 26.324609] [ 26.324664] Allocated by task 198: [ 26.324876] kasan_save_stack+0x3c/0x68 [ 26.324991] kasan_save_track+0x20/0x40 [ 26.325195] kasan_save_alloc_info+0x40/0x58 [ 26.325312] __kasan_kmalloc+0xd4/0xd8 [ 26.325426] __kmalloc_cache_noprof+0x16c/0x3c0 [ 26.325551] rcu_uaf+0xb0/0x2d8 [ 26.325641] kunit_try_run_case+0x170/0x3f0 [ 26.326124] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.326411] kthread+0x328/0x630 [ 26.326596] ret_from_fork+0x10/0x20 [ 26.326822] [ 26.326890] Freed by task 0: [ 26.326971] kasan_save_stack+0x3c/0x68 [ 26.327296] kasan_save_track+0x20/0x40 [ 26.327418] kasan_save_free_info+0x4c/0x78 [ 26.327537] __kasan_slab_free+0x6c/0x98 [ 26.327826] kfree+0x214/0x3c8 [ 26.327941] rcu_uaf_reclaim+0x28/0x70 [ 26.328052] rcu_core+0x9f4/0x1e20 [ 26.328102] rcu_core_si+0x18/0x30 [ 26.328147] handle_softirqs+0x374/0xb28 [ 26.328194] __do_softirq+0x1c/0x28 [ 26.328239] [ 26.328279] Last potentially related work creation: [ 26.328325] kasan_save_stack+0x3c/0x68 [ 26.328379] kasan_record_aux_stack+0xb4/0xc8 [ 26.328432] __call_rcu_common.constprop.0+0x70/0x8b0 [ 26.328484] call_rcu+0x18/0x30 [ 26.328523] rcu_uaf+0x14c/0x2d8 [ 26.328563] kunit_try_run_case+0x170/0x3f0 [ 26.328610] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.328666] kthread+0x328/0x630 [ 26.328705] ret_from_fork+0x10/0x20 [ 26.328758] [ 26.328792] The buggy address belongs to the object at fff00000c773e240 [ 26.328792] which belongs to the cache kmalloc-32 of size 32 [ 26.328916] The buggy address is located 0 bytes inside of [ 26.328916] freed 32-byte region [fff00000c773e240, fff00000c773e260) [ 26.329595] [ 26.330061] The buggy address belongs to the physical page: [ 26.330619] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10773e [ 26.331347] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 26.331475] page_type: f5(slab) [ 26.331581] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 26.331705] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 26.331814] page dumped because: kasan: bad access detected [ 26.331908] [ 26.331957] Memory state around the buggy address: [ 26.332040] fff00000c773e100: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 26.332145] fff00000c773e180: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 26.333282] >fff00000c773e200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 26.333384] ^ [ 26.333480] fff00000c773e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.333643] fff00000c773e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.333751] ==================================================================
[ 19.922858] ================================================================== [ 19.924012] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 19.924824] Read of size 4 at addr ffff8881039cd400 by task swapper/0/0 [ 19.925333] [ 19.925656] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.925780] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.925819] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.925879] Call Trace: [ 19.925956] <IRQ> [ 19.926012] dump_stack_lvl+0x73/0xb0 [ 19.926109] print_report+0xd1/0x650 [ 19.926188] ? __virt_addr_valid+0x1db/0x2d0 [ 19.926267] ? rcu_uaf_reclaim+0x50/0x60 [ 19.926336] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.926407] ? rcu_uaf_reclaim+0x50/0x60 [ 19.926475] kasan_report+0x141/0x180 [ 19.926826] ? rcu_uaf_reclaim+0x50/0x60 [ 19.926872] __asan_report_load4_noabort+0x18/0x20 [ 19.926912] rcu_uaf_reclaim+0x50/0x60 [ 19.926944] rcu_core+0x66f/0x1c40 [ 19.926985] ? __pfx_rcu_core+0x10/0x10 [ 19.927016] ? ktime_get+0x6b/0x150 [ 19.927047] ? handle_softirqs+0x18e/0x730 [ 19.927087] rcu_core_si+0x12/0x20 [ 19.927117] handle_softirqs+0x209/0x730 [ 19.927147] ? hrtimer_interrupt+0x2fe/0x780 [ 19.927187] ? __pfx_handle_softirqs+0x10/0x10 [ 19.927226] __irq_exit_rcu+0xc9/0x110 [ 19.927289] irq_exit_rcu+0x12/0x20 [ 19.927320] sysvec_apic_timer_interrupt+0x81/0x90 [ 19.927360] </IRQ> [ 19.927407] <TASK> [ 19.927426] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 19.927631] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 19.927946] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d a3 c8 1d 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 19.928060] RSP: 0000:ffffffffb3e07dd8 EFLAGS: 00010202 [ 19.928179] RAX: ffff8881a5e5f000 RBX: ffffffffb3e1cac0 RCX: ffffffffb2caf1c5 [ 19.928264] RDX: ffffed102b60618b RSI: 0000000000000004 RDI: 0000000000006e74 [ 19.928356] RBP: ffffffffb3e07de0 R08: 0000000000000001 R09: ffffed102b60618a [ 19.928417] R10: ffff88815b030c53 R11: 0000000000028400 R12: 0000000000000000 [ 19.928477] R13: fffffbfff67c3958 R14: ffffffffb49c0490 R15: 0000000000000000 [ 19.928697] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 19.928785] ? default_idle+0xd/0x20 [ 19.928818] arch_cpu_idle+0xd/0x20 [ 19.928848] default_idle_call+0x48/0x80 [ 19.928877] do_idle+0x379/0x4f0 [ 19.928913] ? __pfx_do_idle+0x10/0x10 [ 19.928945] ? trace_preempt_on+0x20/0xc0 [ 19.928978] ? schedule+0x86/0x2e0 [ 19.929008] ? preempt_count_sub+0x50/0x80 [ 19.929041] cpu_startup_entry+0x5c/0x70 [ 19.929077] rest_init+0x11a/0x140 [ 19.929103] ? acpi_subsystem_init+0x5d/0x150 [ 19.929143] start_kernel+0x330/0x410 [ 19.929178] x86_64_start_reservations+0x1c/0x30 [ 19.929213] x86_64_start_kernel+0x10d/0x120 [ 19.929278] common_startup_64+0x13e/0x148 [ 19.929329] </TASK> [ 19.929345] [ 19.959161] Allocated by task 216: [ 19.959834] kasan_save_stack+0x45/0x70 [ 19.961060] kasan_save_track+0x18/0x40 [ 19.961904] kasan_save_alloc_info+0x3b/0x50 [ 19.962324] __kasan_kmalloc+0xb7/0xc0 [ 19.962743] __kmalloc_cache_noprof+0x189/0x420 [ 19.963224] rcu_uaf+0xb0/0x330 [ 19.963654] kunit_try_run_case+0x1a5/0x480 [ 19.964159] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.965043] kthread+0x337/0x6f0 [ 19.965802] ret_from_fork+0x116/0x1d0 [ 19.967200] ret_from_fork_asm+0x1a/0x30 [ 19.968054] [ 19.968276] Freed by task 0: [ 19.968536] kasan_save_stack+0x45/0x70 [ 19.969112] kasan_save_track+0x18/0x40 [ 19.969479] kasan_save_free_info+0x3f/0x60 [ 19.970049] __kasan_slab_free+0x56/0x70 [ 19.971598] kfree+0x222/0x3f0 [ 19.972029] rcu_uaf_reclaim+0x1f/0x60 [ 19.972749] rcu_core+0x66f/0x1c40 [ 19.973120] rcu_core_si+0x12/0x20 [ 19.974043] handle_softirqs+0x209/0x730 [ 19.974626] __irq_exit_rcu+0xc9/0x110 [ 19.975211] irq_exit_rcu+0x12/0x20 [ 19.976011] sysvec_apic_timer_interrupt+0x81/0x90 [ 19.976867] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 19.977241] [ 19.977786] Last potentially related work creation: [ 19.978214] kasan_save_stack+0x45/0x70 [ 19.978593] kasan_record_aux_stack+0xb2/0xc0 [ 19.979011] __call_rcu_common.constprop.0+0x72/0x9d0 [ 19.980168] call_rcu+0x12/0x20 [ 19.981021] rcu_uaf+0x168/0x330 [ 19.981606] kunit_try_run_case+0x1a5/0x480 [ 19.982244] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.983069] kthread+0x337/0x6f0 [ 19.983889] ret_from_fork+0x116/0x1d0 [ 19.984616] ret_from_fork_asm+0x1a/0x30 [ 19.985044] [ 19.985664] The buggy address belongs to the object at ffff8881039cd400 [ 19.985664] which belongs to the cache kmalloc-32 of size 32 [ 19.986894] The buggy address is located 0 bytes inside of [ 19.986894] freed 32-byte region [ffff8881039cd400, ffff8881039cd420) [ 19.988059] [ 19.988804] The buggy address belongs to the physical page: [ 19.989362] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039cd [ 19.990373] flags: 0x200000000000000(node=0|zone=2) [ 19.991062] page_type: f5(slab) [ 19.991438] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 19.992265] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 19.993214] page dumped because: kasan: bad access detected [ 19.994039] [ 19.994258] Memory state around the buggy address: [ 19.994963] ffff8881039cd300: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 19.996014] ffff8881039cd380: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 19.996654] >ffff8881039cd400: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 19.997192] ^ [ 19.997572] ffff8881039cd480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.998182] ffff8881039cd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.998769] ==================================================================
[ 18.862662] ================================================================== [ 18.863554] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 18.864097] Read of size 4 at addr ffff888103305340 by task swapper/0/0 [ 18.864616] [ 18.864874] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 18.865033] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.865068] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.865165] Call Trace: [ 18.865224] <IRQ> [ 18.865269] dump_stack_lvl+0x73/0xb0 [ 18.865352] print_report+0xd1/0x650 [ 18.865428] ? __virt_addr_valid+0x1db/0x2d0 [ 18.865504] ? rcu_uaf_reclaim+0x50/0x60 [ 18.865581] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.865657] ? rcu_uaf_reclaim+0x50/0x60 [ 18.865726] kasan_report+0x141/0x180 [ 18.865802] ? rcu_uaf_reclaim+0x50/0x60 [ 18.865904] __asan_report_load4_noabort+0x18/0x20 [ 18.865988] rcu_uaf_reclaim+0x50/0x60 [ 18.866064] rcu_core+0x66f/0x1c40 [ 18.866196] ? __pfx_rcu_core+0x10/0x10 [ 18.866284] ? ktime_get+0x6b/0x150 [ 18.866357] ? handle_softirqs+0x18e/0x730 [ 18.866434] rcu_core_si+0x12/0x20 [ 18.866470] handle_softirqs+0x209/0x730 [ 18.866500] ? hrtimer_interrupt+0x2fe/0x780 [ 18.866541] ? __pfx_handle_softirqs+0x10/0x10 [ 18.866577] __irq_exit_rcu+0xc9/0x110 [ 18.866605] irq_exit_rcu+0x12/0x20 [ 18.866633] sysvec_apic_timer_interrupt+0x81/0x90 [ 18.866669] </IRQ> [ 18.866707] <TASK> [ 18.866723] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 18.866842] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 18.867171] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d a3 c8 1d 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 18.867283] RSP: 0000:ffffffffbde07dd8 EFLAGS: 00010202 [ 18.867394] RAX: ffff88819be5f000 RBX: ffffffffbde1cac0 RCX: ffffffffbccaf1c5 [ 18.867457] RDX: ffffed102b60618b RSI: 0000000000000004 RDI: 0000000000017714 [ 18.867512] RBP: ffffffffbde07de0 R08: 0000000000000001 R09: ffffed102b60618a [ 18.867567] R10: ffff88815b030c53 R11: 0000000000013400 R12: 0000000000000000 [ 18.867622] R13: fffffbfff7bc3958 R14: ffffffffbe9c0490 R15: 0000000000000000 [ 18.867698] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 18.867776] ? default_idle+0xd/0x20 [ 18.867808] arch_cpu_idle+0xd/0x20 [ 18.867835] default_idle_call+0x48/0x80 [ 18.867862] do_idle+0x379/0x4f0 [ 18.867931] ? __pfx_do_idle+0x10/0x10 [ 18.867965] ? complete+0x15b/0x1d0 [ 18.867990] ? trace_preempt_on+0x20/0xc0 [ 18.868020] ? schedule+0x86/0x2e0 [ 18.868048] ? preempt_count_sub+0x50/0x80 [ 18.868079] cpu_startup_entry+0x5c/0x70 [ 18.868132] rest_init+0x11a/0x140 [ 18.868171] ? acpi_subsystem_init+0x5d/0x150 [ 18.868211] start_kernel+0x330/0x410 [ 18.868244] x86_64_start_reservations+0x1c/0x30 [ 18.868277] x86_64_start_kernel+0x10d/0x120 [ 18.868309] common_startup_64+0x13e/0x148 [ 18.868350] </TASK> [ 18.868364] [ 18.893793] Allocated by task 216: [ 18.894360] kasan_save_stack+0x45/0x70 [ 18.894852] kasan_save_track+0x18/0x40 [ 18.895405] kasan_save_alloc_info+0x3b/0x50 [ 18.895806] __kasan_kmalloc+0xb7/0xc0 [ 18.896517] __kmalloc_cache_noprof+0x189/0x420 [ 18.897028] rcu_uaf+0xb0/0x330 [ 18.897520] kunit_try_run_case+0x1a5/0x480 [ 18.897976] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.898599] kthread+0x337/0x6f0 [ 18.899056] ret_from_fork+0x116/0x1d0 [ 18.899507] ret_from_fork_asm+0x1a/0x30 [ 18.899994] [ 18.900235] Freed by task 0: [ 18.900613] kasan_save_stack+0x45/0x70 [ 18.901198] kasan_save_track+0x18/0x40 [ 18.901682] kasan_save_free_info+0x3f/0x60 [ 18.902242] __kasan_slab_free+0x56/0x70 [ 18.902734] kfree+0x222/0x3f0 [ 18.903063] rcu_uaf_reclaim+0x1f/0x60 [ 18.903660] rcu_core+0x66f/0x1c40 [ 18.904158] rcu_core_si+0x12/0x20 [ 18.904629] handle_softirqs+0x209/0x730 [ 18.905133] __irq_exit_rcu+0xc9/0x110 [ 18.905625] irq_exit_rcu+0x12/0x20 [ 18.906143] sysvec_apic_timer_interrupt+0x81/0x90 [ 18.906682] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 18.907370] [ 18.907698] Last potentially related work creation: [ 18.908308] kasan_save_stack+0x45/0x70 [ 18.908757] kasan_record_aux_stack+0xb2/0xc0 [ 18.909407] __call_rcu_common.constprop.0+0x72/0x9d0 [ 18.910009] call_rcu+0x12/0x20 [ 18.910450] rcu_uaf+0x168/0x330 [ 18.910896] kunit_try_run_case+0x1a5/0x480 [ 18.911486] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.912171] kthread+0x337/0x6f0 [ 18.912564] ret_from_fork+0x116/0x1d0 [ 18.913026] ret_from_fork_asm+0x1a/0x30 [ 18.913581] [ 18.913810] The buggy address belongs to the object at ffff888103305340 [ 18.913810] which belongs to the cache kmalloc-32 of size 32 [ 18.914731] The buggy address is located 0 bytes inside of [ 18.914731] freed 32-byte region [ffff888103305340, ffff888103305360) [ 18.915538] [ 18.915741] The buggy address belongs to the physical page: [ 18.916370] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103305 [ 18.917179] flags: 0x200000000000000(node=0|zone=2) [ 18.917673] page_type: f5(slab) [ 18.918191] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 18.918682] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 18.919313] page dumped because: kasan: bad access detected [ 18.919932] [ 18.920356] Memory state around the buggy address: [ 18.920926] ffff888103305200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 18.921514] ffff888103305280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 18.922299] >ffff888103305300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 18.923005] ^ [ 18.923605] ffff888103305380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.924287] ffff888103305400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.924923] ==================================================================
[ 21.048733] ================================================================== [ 21.049746] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 21.050397] Read of size 4 at addr ffff00000f201900 by task swapper/1/0 [ 21.051023] [ 21.051194] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 21.051252] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.051269] Hardware name: Radxa ROCK Pi 4B (DT) [ 21.051290] Call trace: [ 21.051303] show_stack+0x20/0x38 (C) [ 21.051344] dump_stack_lvl+0x8c/0xd0 [ 21.051386] print_report+0x118/0x608 [ 21.051428] kasan_report+0xdc/0x128 [ 21.051466] __asan_report_load4_noabort+0x20/0x30 [ 21.051512] rcu_uaf_reclaim+0x64/0x70 [ 21.051545] rcu_core+0x9f4/0x1e20 [ 21.051583] rcu_core_si+0x18/0x30 [ 21.051618] handle_softirqs+0x374/0xb28 [ 21.051657] __do_softirq+0x1c/0x28 [ 21.051690] ____do_softirq+0x18/0x30 [ 21.051726] call_on_irq_stack+0x24/0x30 [ 21.051763] do_softirq_own_stack+0x24/0x38 [ 21.051800] __irq_exit_rcu+0x1fc/0x318 [ 21.051837] irq_exit_rcu+0x1c/0x80 [ 21.051872] el1_interrupt+0x38/0x58 [ 21.051915] el1h_64_irq_handler+0x18/0x28 [ 21.051949] el1h_64_irq+0x6c/0x70 [ 21.051980] arch_local_irq_enable+0x4/0x8 (P) [ 21.052026] cpuidle_enter+0x60/0xb8 [ 21.052065] do_idle+0x36c/0x4e8 [ 21.052102] cpu_startup_entry+0x68/0x80 [ 21.052139] secondary_start_kernel+0x288/0x340 [ 21.052176] __secondary_switched+0xc0/0xc8 [ 21.052223] [ 21.062381] Allocated by task 251: [ 21.062715] kasan_save_stack+0x3c/0x68 [ 21.063101] kasan_save_track+0x20/0x40 [ 21.063486] kasan_save_alloc_info+0x40/0x58 [ 21.063912] __kasan_kmalloc+0xd4/0xd8 [ 21.064290] __kmalloc_cache_noprof+0x16c/0x3c0 [ 21.064735] rcu_uaf+0xb0/0x2d8 [ 21.065054] kunit_try_run_case+0x170/0x3f0 [ 21.065472] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.066009] kthread+0x328/0x630 [ 21.066335] ret_from_fork+0x10/0x20 [ 21.066695] [ 21.066854] Freed by task 0: [ 21.067136] kasan_save_stack+0x3c/0x68 [ 21.067523] kasan_save_track+0x20/0x40 [ 21.067908] kasan_save_free_info+0x4c/0x78 [ 21.068326] __kasan_slab_free+0x6c/0x98 [ 21.068718] kfree+0x214/0x3c8 [ 21.069031] rcu_uaf_reclaim+0x28/0x70 [ 21.069403] rcu_core+0x9f4/0x1e20 [ 21.069747] rcu_core_si+0x18/0x30 [ 21.070090] handle_softirqs+0x374/0xb28 [ 21.070482] __do_softirq+0x1c/0x28 [ 21.070830] [ 21.070990] Last potentially related work creation: [ 21.071447] kasan_save_stack+0x3c/0x68 [ 21.071831] kasan_record_aux_stack+0xb4/0xc8 [ 21.072266] __call_rcu_common.constprop.0+0x70/0x8b0 [ 21.072758] call_rcu+0x18/0x30 [ 21.073076] rcu_uaf+0x14c/0x2d8 [ 21.073403] kunit_try_run_case+0x170/0x3f0 [ 21.073819] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.074353] kthread+0x328/0x630 [ 21.074678] ret_from_fork+0x10/0x20 [ 21.075039] [ 21.075197] The buggy address belongs to the object at ffff00000f201900 [ 21.075197] which belongs to the cache kmalloc-32 of size 32 [ 21.076325] The buggy address is located 0 bytes inside of [ 21.076325] freed 32-byte region [ffff00000f201900, ffff00000f201920) [ 21.077425] [ 21.077584] The buggy address belongs to the physical page: [ 21.078106] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf201 [ 21.078841] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 21.079460] page_type: f5(slab) [ 21.079781] raw: 03fffe0000000000 ffff000000402780 dead000000000122 0000000000000000 [ 21.080507] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 21.081222] page dumped because: kasan: bad access detected [ 21.081742] [ 21.081900] Memory state around the buggy address: [ 21.082356] ffff00000f201800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 21.083032] ffff00000f201880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 21.083706] >ffff00000f201900: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 21.084376] ^ [ 21.084693] ffff00000f201980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.085367] ffff00000f201a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.086036] ==================================================================