Date
July 2, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.651102] ================================================================== [ 18.652400] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 18.653168] Read of size 4 at addr fff00000c706c8c0 by task swapper/0/0 [ 18.653736] [ 18.653802] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 18.654234] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.654266] Hardware name: linux,dummy-virt (DT) [ 18.654592] Call trace: [ 18.655172] show_stack+0x20/0x38 (C) [ 18.655525] dump_stack_lvl+0x8c/0xd0 [ 18.656038] print_report+0x118/0x608 [ 18.656230] kasan_report+0xdc/0x128 [ 18.656306] __asan_report_load4_noabort+0x20/0x30 [ 18.656621] rcu_uaf_reclaim+0x64/0x70 [ 18.656678] rcu_core+0x9f4/0x1e20 [ 18.656733] rcu_core_si+0x18/0x30 [ 18.656780] handle_softirqs+0x374/0xb28 [ 18.656829] __do_softirq+0x1c/0x28 [ 18.657689] ____do_softirq+0x18/0x30 [ 18.658075] call_on_irq_stack+0x24/0x30 [ 18.658123] do_softirq_own_stack+0x24/0x38 [ 18.658199] __irq_exit_rcu+0x1fc/0x318 [ 18.658245] irq_exit_rcu+0x1c/0x80 [ 18.658289] el1_interrupt+0x38/0x58 [ 18.658447] el1h_64_irq_handler+0x18/0x28 [ 18.658496] el1h_64_irq+0x6c/0x70 [ 18.658616] arch_local_irq_enable+0x4/0x8 (P) [ 18.658669] do_idle+0x384/0x4e8 [ 18.658713] cpu_startup_entry+0x64/0x80 [ 18.658757] rest_init+0x160/0x188 [ 18.658800] start_kernel+0x30c/0x3d0 [ 18.658856] __primary_switched+0x8c/0xa0 [ 18.658907] [ 18.658927] Allocated by task 198: [ 18.658956] kasan_save_stack+0x3c/0x68 [ 18.658997] kasan_save_track+0x20/0x40 [ 18.659035] kasan_save_alloc_info+0x40/0x58 [ 18.659075] __kasan_kmalloc+0xd4/0xd8 [ 18.659112] __kmalloc_cache_noprof+0x16c/0x3c0 [ 18.659151] rcu_uaf+0xb0/0x2d8 [ 18.659183] kunit_try_run_case+0x170/0x3f0 [ 18.659223] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.659267] kthread+0x328/0x630 [ 18.659301] ret_from_fork+0x10/0x20 [ 18.659337] [ 18.659355] Freed by task 0: [ 18.659381] kasan_save_stack+0x3c/0x68 [ 18.659418] kasan_save_track+0x20/0x40 [ 18.659456] kasan_save_free_info+0x4c/0x78 [ 18.659496] __kasan_slab_free+0x6c/0x98 [ 18.659531] kfree+0x214/0x3c8 [ 18.659565] rcu_uaf_reclaim+0x28/0x70 [ 18.659609] rcu_core+0x9f4/0x1e20 [ 18.659665] rcu_core_si+0x18/0x30 [ 18.659700] handle_softirqs+0x374/0xb28 [ 18.659826] __do_softirq+0x1c/0x28 [ 18.659939] [ 18.660016] Last potentially related work creation: [ 18.660054] kasan_save_stack+0x3c/0x68 [ 18.660106] kasan_record_aux_stack+0xb4/0xc8 [ 18.660147] __call_rcu_common.constprop.0+0x74/0x8c8 [ 18.660188] call_rcu+0x18/0x30 [ 18.660220] rcu_uaf+0x14c/0x2d8 [ 18.660269] kunit_try_run_case+0x170/0x3f0 [ 18.660307] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.660360] kthread+0x328/0x630 [ 18.660392] ret_from_fork+0x10/0x20 [ 18.660433] [ 18.660465] The buggy address belongs to the object at fff00000c706c8c0 [ 18.660465] which belongs to the cache kmalloc-32 of size 32 [ 18.660543] The buggy address is located 0 bytes inside of [ 18.660543] freed 32-byte region [fff00000c706c8c0, fff00000c706c8e0) [ 18.660623] [ 18.660653] The buggy address belongs to the physical page: [ 18.661030] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10706c [ 18.661142] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.661264] page_type: f5(slab) [ 18.661362] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 18.661535] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 18.661588] page dumped because: kasan: bad access detected [ 18.661629] [ 18.661941] Memory state around the buggy address: [ 18.662043] fff00000c706c780: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc [ 18.662128] fff00000c706c800: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 18.662239] >fff00000c706c880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 18.662340] ^ [ 18.662458] fff00000c706c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.662557] fff00000c706c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.662758] ==================================================================
[ 11.959694] ================================================================== [ 11.960178] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 11.960705] Read of size 4 at addr ffff88810312f0c0 by task swapper/1/0 [ 11.961075] [ 11.961303] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 11.961350] Tainted: [B]=BAD_PAGE, [N]=TEST [ 11.961361] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 11.961393] Call Trace: [ 11.961422] <IRQ> [ 11.961441] dump_stack_lvl+0x73/0xb0 [ 11.961474] print_report+0xd1/0x650 [ 11.961497] ? __virt_addr_valid+0x1db/0x2d0 [ 11.961521] ? rcu_uaf_reclaim+0x50/0x60 [ 11.961540] ? kasan_complete_mode_report_info+0x64/0x200 [ 11.961561] ? rcu_uaf_reclaim+0x50/0x60 [ 11.961580] kasan_report+0x141/0x180 [ 11.961601] ? rcu_uaf_reclaim+0x50/0x60 [ 11.961624] __asan_report_load4_noabort+0x18/0x20 [ 11.961647] rcu_uaf_reclaim+0x50/0x60 [ 11.961666] rcu_core+0x66f/0x1c40 [ 11.961695] ? __pfx_rcu_core+0x10/0x10 [ 11.961715] ? ktime_get+0x6b/0x150 [ 11.961739] rcu_core_si+0x12/0x20 [ 11.961758] handle_softirqs+0x209/0x730 [ 11.961779] ? hrtimer_interrupt+0x2fe/0x780 [ 11.961800] ? __pfx_handle_softirqs+0x10/0x10 [ 11.961823] __irq_exit_rcu+0xc9/0x110 [ 11.961842] irq_exit_rcu+0x12/0x20 [ 11.961860] sysvec_apic_timer_interrupt+0x81/0x90 [ 11.961883] </IRQ> [ 11.961908] <TASK> [ 11.961918] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 11.962007] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 11.962215] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 03 8a 21 00 fb f4 <e9> 7c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 11.962292] RSP: 0000:ffff888100877dc8 EFLAGS: 00010216 [ 11.962387] RAX: ffff8881ce374000 RBX: ffff888100853000 RCX: ffffffff8a8730e5 [ 11.962432] RDX: ffffed102b62618b RSI: 0000000000000004 RDI: 000000000000ed7c [ 11.962474] RBP: ffff888100877dd0 R08: 0000000000000001 R09: ffffed102b62618a [ 11.962525] R10: ffff88815b130c53 R11: 00000000000a1c00 R12: 0000000000000001 [ 11.962567] R13: ffffed102010a600 R14: ffffffff8c5b0690 R15: 0000000000000000 [ 11.962622] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 11.962672] ? default_idle+0xd/0x20 [ 11.962693] arch_cpu_idle+0xd/0x20 [ 11.962713] default_idle_call+0x48/0x80 [ 11.962734] do_idle+0x379/0x4f0 [ 11.962757] ? complete+0x15b/0x1d0 [ 11.962774] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 11.962798] ? __pfx_do_idle+0x10/0x10 [ 11.962818] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 11.962839] ? complete+0x15b/0x1d0 [ 11.962859] cpu_startup_entry+0x5c/0x70 [ 11.962881] start_secondary+0x211/0x290 [ 11.962902] ? __pfx_start_secondary+0x10/0x10 [ 11.962926] common_startup_64+0x13e/0x148 [ 11.962956] </TASK> [ 11.962967] [ 11.976507] Allocated by task 217: [ 11.976731] kasan_save_stack+0x45/0x70 [ 11.977403] kasan_save_track+0x18/0x40 [ 11.977583] kasan_save_alloc_info+0x3b/0x50 [ 11.977971] __kasan_kmalloc+0xb7/0xc0 [ 11.978239] __kmalloc_cache_noprof+0x189/0x420 [ 11.978423] rcu_uaf+0xb0/0x330 [ 11.978767] kunit_try_run_case+0x1a5/0x480 [ 11.979187] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.979457] kthread+0x337/0x6f0 [ 11.979618] ret_from_fork+0x116/0x1d0 [ 11.979792] ret_from_fork_asm+0x1a/0x30 [ 11.979969] [ 11.980057] Freed by task 0: [ 11.980206] kasan_save_stack+0x45/0x70 [ 11.980392] kasan_save_track+0x18/0x40 [ 11.980555] kasan_save_free_info+0x3f/0x60 [ 11.980753] __kasan_slab_free+0x56/0x70 [ 11.981600] kfree+0x222/0x3f0 [ 11.981863] rcu_uaf_reclaim+0x1f/0x60 [ 11.982049] rcu_core+0x66f/0x1c40 [ 11.982226] rcu_core_si+0x12/0x20 [ 11.982409] handle_softirqs+0x209/0x730 [ 11.982595] __irq_exit_rcu+0xc9/0x110 [ 11.982768] irq_exit_rcu+0x12/0x20 [ 11.983383] sysvec_apic_timer_interrupt+0x81/0x90 [ 11.983729] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 11.984228] [ 11.984555] Last potentially related work creation: [ 11.984985] kasan_save_stack+0x45/0x70 [ 11.985296] kasan_record_aux_stack+0xb2/0xc0 [ 11.985677] __call_rcu_common.constprop.0+0x7b/0x9e0 [ 11.986098] call_rcu+0x12/0x20 [ 11.986321] rcu_uaf+0x168/0x330 [ 11.986479] kunit_try_run_case+0x1a5/0x480 [ 11.986883] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.987271] kthread+0x337/0x6f0 [ 11.987462] ret_from_fork+0x116/0x1d0 [ 11.987938] ret_from_fork_asm+0x1a/0x30 [ 11.988138] [ 11.988248] The buggy address belongs to the object at ffff88810312f0c0 [ 11.988248] which belongs to the cache kmalloc-32 of size 32 [ 11.989071] The buggy address is located 0 bytes inside of [ 11.989071] freed 32-byte region [ffff88810312f0c0, ffff88810312f0e0) [ 11.989823] [ 11.990011] The buggy address belongs to the physical page: [ 11.990279] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10312f [ 11.990612] flags: 0x200000000000000(node=0|zone=2) [ 11.991030] page_type: f5(slab) [ 11.991260] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 11.991572] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 11.991984] page dumped because: kasan: bad access detected [ 11.992196] [ 11.992290] Memory state around the buggy address: [ 11.992552] ffff88810312ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.992917] ffff88810312f000: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc [ 11.993401] >ffff88810312f080: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 11.993718] ^ [ 11.994060] ffff88810312f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.994400] ffff88810312f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.994673] ==================================================================