Date
July 5, 2025, 11:09 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```
[ 19.578525] ==================================================================
[ 19.578753] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 19.578892] Read of size 4 at addr fff00000c78abd00 by task swapper/0/0
[ 19.579004]
[ 19.579081] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 19.579270] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.579333] Hardware name: linux,dummy-virt (DT)
[ 19.579427] Call trace:
[ 19.579482]  show_stack+0x20/0x38 (C)
[ 19.579594]  dump_stack_lvl+0x8c/0xd0
[ 19.579701]  print_report+0x118/0x608
[ 19.579810]  kasan_report+0xdc/0x128
[ 19.579916]  __asan_report_load4_noabort+0x20/0x30
[ 19.580037]  rcu_uaf_reclaim+0x64/0x70
[ 19.580133]  rcu_core+0x9f4/0x1e20
[ 19.580234]  rcu_core_si+0x18/0x30
[ 19.580335]  handle_softirqs+0x374/0xb28
[ 19.580435]  __do_softirq+0x1c/0x28
[ 19.580521]  ____do_softirq+0x18/0x30
[ 19.580659]  call_on_irq_stack+0x24/0x30
[ 19.580779]  do_softirq_own_stack+0x24/0x38
[ 19.580878]  __irq_exit_rcu+0x1fc/0x318
[ 19.580968]  irq_exit_rcu+0x1c/0x80
[ 19.581063]  el1_interrupt+0x38/0x58
[ 19.581175]  el1h_64_irq_handler+0x18/0x28
[ 19.581291]  el1h_64_irq+0x6c/0x70
[ 19.581490]  arch_local_irq_enable+0x4/0x8 (P)
[ 19.581607]  do_idle+0x384/0x4e8
[ 19.581720]  cpu_startup_entry+0x64/0x80
[ 19.581815]  rest_init+0x160/0x188
[ 19.581900]  start_kernel+0x30c/0x3d0
[ 19.582000]  __primary_switched+0x8c/0xa0
[ 19.583093]
[ 19.583149] Allocated by task 199:
[ 19.583217]  kasan_save_stack+0x3c/0x68
[ 19.583318]  kasan_save_track+0x20/0x40
[ 19.583385]  kasan_save_alloc_info+0x40/0x58
[ 19.583433]  __kasan_kmalloc+0xd4/0xd8
[ 19.583478]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.583529]  rcu_uaf+0xb0/0x2d8
[ 19.583564]  kunit_try_run_case+0x170/0x3f0
[ 19.583621]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.583708]  kthread+0x328/0x630
[ 19.583822]  ret_from_fork+0x10/0x20
[ 19.583920]
[ 19.583974] Freed by task 0:
[ 19.584033]  kasan_save_stack+0x3c/0x68
[ 19.584581]  kasan_save_track+0x20/0x40
[ 19.584837]  kasan_save_free_info+0x4c/0x78
[ 19.585548]  __kasan_slab_free+0x6c/0x98
[ 19.585873]  kfree+0x214/0x3c8
[ 19.586053]  rcu_uaf_reclaim+0x28/0x70
[ 19.586146]  rcu_core+0x9f4/0x1e20
[ 19.586232]  rcu_core_si+0x18/0x30
[ 19.586314]  handle_softirqs+0x374/0xb28
[ 19.586416]  __do_softirq+0x1c/0x28
[ 19.586582]
[ 19.586650] Last potentially related work creation:
[ 19.586724]  kasan_save_stack+0x3c/0x68
[ 19.587103]  kasan_record_aux_stack+0xb4/0xc8
[ 19.587200]  __call_rcu_common.constprop.0+0x74/0x8c8
[ 19.587281]  call_rcu+0x18/0x30
[ 19.587341]  rcu_uaf+0x14c/0x2d8
[ 19.587456]  kunit_try_run_case+0x170/0x3f0
[ 19.587569]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.587719]  kthread+0x328/0x630
[ 19.587825]  ret_from_fork+0x10/0x20
[ 19.587964]
[ 19.588014] The buggy address belongs to the object at fff00000c78abd00
[ 19.588014]  which belongs to the cache kmalloc-32 of size 32
[ 19.588136] The buggy address is located 0 bytes inside of
[ 19.588136]  freed 32-byte region [fff00000c78abd00, fff00000c78abd20)
[ 19.588595]
[ 19.588669] The buggy address belongs to the physical page:
[ 19.588753] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078ab
[ 19.588902] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.589007] page_type: f5(slab)
[ 19.589085] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 19.589272] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 19.589514] page dumped because: kasan: bad access detected
[ 19.589686]
[ 19.589731] Memory state around the buggy address:
[ 19.589811]  fff00000c78abc00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 19.589912]  fff00000c78abc80: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 19.590047] >fff00000c78abd00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 19.590156]                    ^
[ 19.590214]  fff00000c78abd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.590303]  fff00000c78abe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.590554] ==================================================================
```
qemu-x86_64:

```
[ 14.262931] ==================================================================
[ 14.263445] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 14.263754] Read of size 4 at addr ffff8881038d86c0 by task swapper/0/0
[ 14.264018]
[ 14.264578] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 14.264646] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.264674] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.264797] Call Trace:
[ 14.264852]  <IRQ>
[ 14.264997]  dump_stack_lvl+0x73/0xb0
[ 14.265046]  print_report+0xd1/0x650
[ 14.265075]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.265106]  ? rcu_uaf_reclaim+0x50/0x60
[ 14.265132]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.265160]  ? rcu_uaf_reclaim+0x50/0x60
[ 14.265185]  kasan_report+0x141/0x180
[ 14.265211]  ? rcu_uaf_reclaim+0x50/0x60
[ 14.265241]  __asan_report_load4_noabort+0x18/0x20
[ 14.265271]  rcu_uaf_reclaim+0x50/0x60
[ 14.265296]  rcu_core+0x66f/0x1c40
[ 14.265332]  ? __pfx_rcu_core+0x10/0x10
[ 14.265358]  ? ktime_get+0x6b/0x150
[ 14.265384]  ? handle_softirqs+0x18e/0x730
[ 14.265415]  rcu_core_si+0x12/0x20
[ 14.265439]  handle_softirqs+0x209/0x730
[ 14.265462]  ? hrtimer_interrupt+0x2fe/0x780
[ 14.265489]  ? __pfx_handle_softirqs+0x10/0x10
[ 14.265520]  __irq_exit_rcu+0xc9/0x110
[ 14.265545]  irq_exit_rcu+0x12/0x20
[ 14.265568]  sysvec_apic_timer_interrupt+0x81/0x90
[ 14.265599]  </IRQ>
[ 14.265635]  <TASK>
[ 14.265661]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 14.265773] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 14.266027] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 03 9a 21 00 fb f4 <e9> 7c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 14.266161] RSP: 0000:ffffffff98a07dd8 EFLAGS: 00010212
[ 14.266268] RAX: ffff8881c1274000 RBX: ffffffff98a1cac0 RCX: ffffffff978720e5
[ 14.266324] RDX: ffffed102b60618b RSI: 0000000000000004 RDI: 000000000001442c
[ 14.266381] RBP: ffffffff98a07de0 R08: 0000000000000001 R09: ffffed102b60618a
[ 14.266442] R10: ffff88815b030c53 R11: 0000000000013000 R12: 0000000000000000
[ 14.266497] R13: fffffbfff3143958 R14: ffffffff995b0e90 R15: 0000000000000000
[ 14.266568]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 14.266633]  ? default_idle+0xd/0x20
[ 14.266674]  arch_cpu_idle+0xd/0x20
[ 14.266700]  default_idle_call+0x48/0x80
[ 14.266723]  do_idle+0x379/0x4f0
[ 14.266753]  ? __pfx_do_idle+0x10/0x10
[ 14.266796]  ? rest_init+0x10b/0x140
[ 14.266821]  cpu_startup_entry+0x5c/0x70
[ 14.266849]  rest_init+0x11a/0x140
[ 14.266870]  ? acpi_subsystem_init+0x5d/0x150
[ 14.266901]  start_kernel+0x330/0x410
[ 14.266930]  x86_64_start_reservations+0x1c/0x30
[ 14.266961]  x86_64_start_kernel+0x10d/0x120
[ 14.266990]  common_startup_64+0x13e/0x148
[ 14.267030]  </TASK>
[ 14.267045]
[ 14.283781] Allocated by task 215:
[ 14.284010]  kasan_save_stack+0x45/0x70
[ 14.284251]  kasan_save_track+0x18/0x40
[ 14.284487]  kasan_save_alloc_info+0x3b/0x50
[ 14.284865]  __kasan_kmalloc+0xb7/0xc0
[ 14.285107]  __kmalloc_cache_noprof+0x189/0x420
[ 14.285345]  rcu_uaf+0xb0/0x330
[ 14.285490]  kunit_try_run_case+0x1a5/0x480
[ 14.285813]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.286450]  kthread+0x337/0x6f0
[ 14.286808]  ret_from_fork+0x116/0x1d0
[ 14.287159]  ret_from_fork_asm+0x1a/0x30
[ 14.287363]
[ 14.287484] Freed by task 0:
[ 14.287735]  kasan_save_stack+0x45/0x70
[ 14.288105]  kasan_save_track+0x18/0x40
[ 14.288331]  kasan_save_free_info+0x3f/0x60
[ 14.288620]  __kasan_slab_free+0x56/0x70
[ 14.288935]  kfree+0x222/0x3f0
[ 14.289174]  rcu_uaf_reclaim+0x1f/0x60
[ 14.289430]  rcu_core+0x66f/0x1c40
[ 14.289697]  rcu_core_si+0x12/0x20
[ 14.290112]  handle_softirqs+0x209/0x730
[ 14.290480]  __irq_exit_rcu+0xc9/0x110
[ 14.290730]  irq_exit_rcu+0x12/0x20
[ 14.291059]  sysvec_apic_timer_interrupt+0x81/0x90
[ 14.291307]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 14.291592]
[ 14.291744] Last potentially related work creation:
[ 14.292065]  kasan_save_stack+0x45/0x70
[ 14.292235]  kasan_record_aux_stack+0xb2/0xc0
[ 14.292495]  __call_rcu_common.constprop.0+0x7b/0x9e0
[ 14.292799]  call_rcu+0x12/0x20
[ 14.293274]  rcu_uaf+0x168/0x330
[ 14.293584]  kunit_try_run_case+0x1a5/0x480
[ 14.294117]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.294418]  kthread+0x337/0x6f0
[ 14.294573]  ret_from_fork+0x116/0x1d0
[ 14.294846]  ret_from_fork_asm+0x1a/0x30
[ 14.295233]
[ 14.295421] The buggy address belongs to the object at ffff8881038d86c0
[ 14.295421]  which belongs to the cache kmalloc-32 of size 32
[ 14.296170] The buggy address is located 0 bytes inside of
[ 14.296170]  freed 32-byte region [ffff8881038d86c0, ffff8881038d86e0)
[ 14.297060]
[ 14.297169] The buggy address belongs to the physical page:
[ 14.297987] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038d8
[ 14.298431] flags: 0x200000000000000(node=0|zone=2)
[ 14.298727] page_type: f5(slab)
[ 14.299167] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 14.299550] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 14.299907] page dumped because: kasan: bad access detected
[ 14.300295]
[ 14.300512] Memory state around the buggy address:
[ 14.300799]  ffff8881038d8580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.301226]  ffff8881038d8600: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 14.301603] >ffff8881038d8680: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.301999]                                            ^
[ 14.302363]  ffff8881038d8700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.302771]  ffff8881038d8780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.303130] ==================================================================
```