Date
July 4, 2025, 11:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 19.321104] ================================================================== [ 19.321206] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468 [ 19.321286] Read of size 1 at addr fff00000c76e6000 by task kunit_try_catch/213 [ 19.321596] [ 19.321696] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 19.322108] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.322155] Hardware name: linux,dummy-virt (DT) [ 19.322192] Call trace: [ 19.322226] show_stack+0x20/0x38 (C) [ 19.322283] dump_stack_lvl+0x8c/0xd0 [ 19.322374] print_report+0x118/0x608 [ 19.322434] kasan_report+0xdc/0x128 [ 19.322481] __asan_report_load1_noabort+0x20/0x30 [ 19.322532] kmem_cache_rcu_uaf+0x388/0x468 [ 19.322577] kunit_try_run_case+0x170/0x3f0 [ 19.322628] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.322680] kthread+0x328/0x630 [ 19.322723] ret_from_fork+0x10/0x20 [ 19.322782] [ 19.322801] Allocated by task 213: [ 19.323045] kasan_save_stack+0x3c/0x68 [ 19.323209] kasan_save_track+0x20/0x40 [ 19.323255] kasan_save_alloc_info+0x40/0x58 [ 19.323508] __kasan_slab_alloc+0xa8/0xb0 [ 19.323728] kmem_cache_alloc_noprof+0x10c/0x398 [ 19.323897] kmem_cache_rcu_uaf+0x12c/0x468 [ 19.324018] kunit_try_run_case+0x170/0x3f0 [ 19.324166] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.324215] kthread+0x328/0x630 [ 19.324249] ret_from_fork+0x10/0x20 [ 19.324292] [ 19.324587] Freed by task 0: [ 19.324780] kasan_save_stack+0x3c/0x68 [ 19.325005] kasan_save_track+0x20/0x40 [ 19.325045] kasan_save_free_info+0x4c/0x78 [ 19.325307] __kasan_slab_free+0x6c/0x98 [ 19.325448] slab_free_after_rcu_debug+0xd4/0x2f8 [ 19.325677] rcu_core+0x9f4/0x1e20 [ 19.325746] rcu_core_si+0x18/0x30 [ 19.326006] handle_softirqs+0x374/0xb28 [ 19.326088] __do_softirq+0x1c/0x28 [ 19.326248] [ 19.326769] Last potentially related work creation: [ 19.326986] kasan_save_stack+0x3c/0x68 [ 19.327172] kasan_record_aux_stack+0xb4/0xc8 [ 19.327228] kmem_cache_free+0x120/0x468 [ 19.327267] kmem_cache_rcu_uaf+0x16c/0x468 [ 19.327615] kunit_try_run_case+0x170/0x3f0 [ 19.327720] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.327784] kthread+0x328/0x630 [ 19.327826] ret_from_fork+0x10/0x20 [ 19.327862] [ 19.327882] The buggy address belongs to the object at fff00000c76e6000 [ 19.327882] which belongs to the cache test_cache of size 200 [ 19.327973] The buggy address is located 0 bytes inside of [ 19.327973] freed 200-byte region [fff00000c76e6000, fff00000c76e60c8) [ 19.328037] [ 19.328059] The buggy address belongs to the physical page: [ 19.328093] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076e6 [ 19.328180] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.328234] page_type: f5(slab) [ 19.328282] raw: 0bfffe0000000000 fff00000c46f5c80 dead000000000122 0000000000000000 [ 19.328342] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 19.328391] page dumped because: kasan: bad access detected [ 19.328422] [ 19.328445] Memory state around the buggy address: [ 19.328479] fff00000c76e5f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.328523] fff00000c76e5f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.328564] >fff00000c76e6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.328602] ^ [ 19.328629] fff00000c76e6080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 19.328674] fff00000c76e6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.328718] ==================================================================
[ 12.778474] ================================================================== [ 12.779086] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510 [ 12.779593] Read of size 1 at addr ffff88810398e000 by task kunit_try_catch/230 [ 12.779937] [ 12.780053] CPU: 1 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 12.780135] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.780148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.780172] Call Trace: [ 12.780187] <TASK> [ 12.780279] dump_stack_lvl+0x73/0xb0 [ 12.780318] print_report+0xd1/0x650 [ 12.780341] ? __virt_addr_valid+0x1db/0x2d0 [ 12.780365] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 12.780386] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.780407] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 12.780456] kasan_report+0x141/0x180 [ 12.780492] ? kmem_cache_rcu_uaf+0x3e3/0x510 [ 12.780518] __asan_report_load1_noabort+0x18/0x20 [ 12.780541] kmem_cache_rcu_uaf+0x3e3/0x510 [ 12.780563] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10 [ 12.780584] ? finish_task_switch.isra.0+0x153/0x700 [ 12.780606] ? __switch_to+0x47/0xf50 [ 12.780634] ? __pfx_read_tsc+0x10/0x10 [ 12.780654] ? ktime_get_ts64+0x86/0x230 [ 12.780677] kunit_try_run_case+0x1a5/0x480 [ 12.780702] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.780723] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.780746] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.780767] ? __kthread_parkme+0x82/0x180 [ 12.780796] ? preempt_count_sub+0x50/0x80 [ 12.780818] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.780839] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.780860] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.780881] kthread+0x337/0x6f0 [ 12.780900] ? trace_preempt_on+0x20/0xc0 [ 12.781169] ? __pfx_kthread+0x10/0x10 [ 12.781190] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.781540] ? calculate_sigpending+0x7b/0xa0 [ 12.781571] ? __pfx_kthread+0x10/0x10 [ 12.781593] ret_from_fork+0x116/0x1d0 [ 12.781612] ? __pfx_kthread+0x10/0x10 [ 12.781631] ret_from_fork_asm+0x1a/0x30 [ 12.781664] </TASK> [ 12.781676] [ 12.790672] Allocated by task 230: [ 12.790890] kasan_save_stack+0x45/0x70 [ 12.791052] kasan_save_track+0x18/0x40 [ 12.791719] kasan_save_alloc_info+0x3b/0x50 [ 12.792188] __kasan_slab_alloc+0x91/0xa0 [ 12.792530] kmem_cache_alloc_noprof+0x123/0x3f0 [ 12.792794] kmem_cache_rcu_uaf+0x155/0x510 [ 12.792966] kunit_try_run_case+0x1a5/0x480 [ 12.793272] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.793478] kthread+0x337/0x6f0 [ 12.793626] ret_from_fork+0x116/0x1d0 [ 12.793889] ret_from_fork_asm+0x1a/0x30 [ 12.794105] [ 12.794277] Freed by task 0: [ 12.794457] kasan_save_stack+0x45/0x70 [ 12.794668] kasan_save_track+0x18/0x40 [ 12.794868] kasan_save_free_info+0x3f/0x60 [ 12.795033] __kasan_slab_free+0x56/0x70 [ 12.795449] slab_free_after_rcu_debug+0xe4/0x310 [ 12.795659] rcu_core+0x66f/0x1c40 [ 12.795798] rcu_core_si+0x12/0x20 [ 12.795951] handle_softirqs+0x209/0x730 [ 12.796149] __irq_exit_rcu+0xc9/0x110 [ 12.796475] irq_exit_rcu+0x12/0x20 [ 12.797039] sysvec_apic_timer_interrupt+0x81/0x90 [ 12.797258] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 12.797518] [ 12.797746] Last potentially related work creation: [ 12.798028] kasan_save_stack+0x45/0x70 [ 12.798228] kasan_record_aux_stack+0xb2/0xc0 [ 12.798527] kmem_cache_free+0x131/0x420 [ 12.798788] kmem_cache_rcu_uaf+0x194/0x510 [ 12.798931] kunit_try_run_case+0x1a5/0x480 [ 12.799116] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.799483] kthread+0x337/0x6f0 [ 12.799765] ret_from_fork+0x116/0x1d0 [ 12.800031] ret_from_fork_asm+0x1a/0x30 [ 12.800210] [ 12.800735] The buggy address belongs to the object at ffff88810398e000 [ 12.800735] which belongs to the cache test_cache of size 200 [ 12.801152] The buggy address is located 0 bytes inside of [ 12.801152] freed 200-byte region [ffff88810398e000, ffff88810398e0c8) [ 12.802122] [ 12.802300] The buggy address belongs to the physical page: [ 12.802566] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10398e [ 12.802949] flags: 0x200000000000000(node=0|zone=2) [ 12.803201] page_type: f5(slab) [ 12.803470] raw: 0200000000000000 ffff888101d0c8c0 dead000000000122 0000000000000000 [ 12.803847] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000 [ 12.804173] page dumped because: kasan: bad access detected [ 12.804542] [ 12.804617] Memory state around the buggy address: [ 12.804856] ffff88810398df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.805153] ffff88810398df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.805924] >ffff88810398e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.806297] ^ [ 12.806545] ffff88810398e080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 12.806874] ffff88810398e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.807329] ==================================================================