Date
July 6, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 | |
| x86 |
[ 17.377219] ================================================================== [ 17.377576] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 17.377655] Read of size 4 at addr fff00000c69bfec0 by task swapper/0/0 [ 17.377703] [ 17.377742] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 17.377823] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.377851] Hardware name: linux,dummy-virt (DT) [ 17.378639] Call trace: [ 17.378677] show_stack+0x20/0x38 (C) [ 17.379297] dump_stack_lvl+0x8c/0xd0 [ 17.379359] print_report+0x118/0x608 [ 17.379439] kasan_report+0xdc/0x128 [ 17.379484] __asan_report_load4_noabort+0x20/0x30 [ 17.379565] rcu_uaf_reclaim+0x64/0x70 [ 17.379611] rcu_core+0x9f4/0x1e20 [ 17.379657] rcu_core_si+0x18/0x30 [ 17.379698] handle_softirqs+0x374/0xb28 [ 17.379744] __do_softirq+0x1c/0x28 [ 17.379784] ____do_softirq+0x18/0x30 [ 17.379826] call_on_irq_stack+0x24/0x30 [ 17.379870] do_softirq_own_stack+0x24/0x38 [ 17.379916] __irq_exit_rcu+0x1fc/0x318 [ 17.379959] irq_exit_rcu+0x1c/0x80 [ 17.380049] el1_interrupt+0x38/0x58 [ 17.380119] el1h_64_irq_handler+0x18/0x28 [ 17.380172] el1h_64_irq+0x6c/0x70 [ 17.380302] arch_local_irq_enable+0x4/0x8 (P) [ 17.380355] do_idle+0x384/0x4e8 [ 17.380401] cpu_startup_entry+0x64/0x80 [ 17.380446] rest_init+0x160/0x188 [ 17.380487] start_kernel+0x30c/0x3d0 [ 17.380538] __primary_switched+0x8c/0xa0 [ 17.380604] [ 17.380623] Allocated by task 199: [ 17.380674] kasan_save_stack+0x3c/0x68 [ 17.380716] kasan_save_track+0x20/0x40 [ 17.380795] kasan_save_alloc_info+0x40/0x58 [ 17.380929] __kasan_kmalloc+0xd4/0xd8 [ 17.381013] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.381180] rcu_uaf+0xb0/0x2d8 [ 17.381246] kunit_try_run_case+0x170/0x3f0 [ 17.381285] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.381433] kthread+0x328/0x630 [ 17.381466] ret_from_fork+0x10/0x20 [ 17.381503] [ 17.381554] Freed by task 0: [ 17.381580] kasan_save_stack+0x3c/0x68 [ 17.381689] kasan_save_track+0x20/0x40 [ 17.381733] kasan_save_free_info+0x4c/0x78 [ 17.381771] __kasan_slab_free+0x6c/0x98 [ 17.381950] kfree+0x214/0x3c8 [ 17.382003] rcu_uaf_reclaim+0x28/0x70 [ 17.382038] rcu_core+0x9f4/0x1e20 [ 17.382073] rcu_core_si+0x18/0x30 [ 17.382177] handle_softirqs+0x374/0xb28 [ 17.382306] __do_softirq+0x1c/0x28 [ 17.382340] [ 17.382369] Last potentially related work creation: [ 17.382403] kasan_save_stack+0x3c/0x68 [ 17.382440] kasan_record_aux_stack+0xb4/0xc8 [ 17.382481] __call_rcu_common.constprop.0+0x74/0x8c8 [ 17.382523] call_rcu+0x18/0x30 [ 17.382556] rcu_uaf+0x14c/0x2d8 [ 17.382588] kunit_try_run_case+0x170/0x3f0 [ 17.382624] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.382667] kthread+0x328/0x630 [ 17.382700] ret_from_fork+0x10/0x20 [ 17.382830] [ 17.382902] The buggy address belongs to the object at fff00000c69bfec0 [ 17.382902] which belongs to the cache kmalloc-32 of size 32 [ 17.382989] The buggy address is located 0 bytes inside of [ 17.382989] freed 32-byte region [fff00000c69bfec0, fff00000c69bfee0) [ 17.383052] [ 17.383072] The buggy address belongs to the physical page: [ 17.383105] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1069bf [ 17.383163] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.383256] page_type: f5(slab) [ 17.383298] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 17.383349] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 17.383389] page dumped because: kasan: bad access detected [ 17.383422] [ 17.383439] Memory state around the buggy address: [ 17.383474] fff00000c69bfd80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 17.383542] fff00000c69bfe00: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 17.383625] >fff00000c69bfe80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 17.383677] ^ [ 17.383731] fff00000c69bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.383827] fff00000c69bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.383875] ==================================================================
[ 17.143882] ================================================================== [ 17.144027] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 17.144087] Read of size 4 at addr fff00000c7770d00 by task swapper/1/0 [ 17.144133] [ 17.144179] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 17.144265] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.144290] Hardware name: linux,dummy-virt (DT) [ 17.144322] Call trace: [ 17.144344] show_stack+0x20/0x38 (C) [ 17.144391] dump_stack_lvl+0x8c/0xd0 [ 17.144437] print_report+0x118/0x608 [ 17.144491] kasan_report+0xdc/0x128 [ 17.144536] __asan_report_load4_noabort+0x20/0x30 [ 17.144585] rcu_uaf_reclaim+0x64/0x70 [ 17.144630] rcu_core+0x9f4/0x1e20 [ 17.144675] rcu_core_si+0x18/0x30 [ 17.144728] handle_softirqs+0x374/0xb28 [ 17.144776] __do_softirq+0x1c/0x28 [ 17.144831] ____do_softirq+0x18/0x30 [ 17.144884] call_on_irq_stack+0x24/0x30 [ 17.145482] do_softirq_own_stack+0x24/0x38 [ 17.145549] __irq_exit_rcu+0x1fc/0x318 [ 17.146085] irq_exit_rcu+0x1c/0x80 [ 17.146177] el1_interrupt+0x38/0x58 [ 17.146494] el1h_64_irq_handler+0x18/0x28 [ 17.146548] el1h_64_irq+0x6c/0x70 [ 17.147221] arch_local_irq_enable+0x4/0x8 (P) [ 17.147566] do_idle+0x384/0x4e8 [ 17.147686] cpu_startup_entry+0x64/0x80 [ 17.147792] secondary_start_kernel+0x288/0x340 [ 17.147985] __secondary_switched+0xc0/0xc8 [ 17.148418] [ 17.148530] Allocated by task 199: [ 17.148602] kasan_save_stack+0x3c/0x68 [ 17.148869] kasan_save_track+0x20/0x40 [ 17.149087] kasan_save_alloc_info+0x40/0x58 [ 17.149193] __kasan_kmalloc+0xd4/0xd8 [ 17.149540] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.149753] rcu_uaf+0xb0/0x2d8 [ 17.150094] kunit_try_run_case+0x170/0x3f0 [ 17.150336] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.150522] kthread+0x328/0x630 [ 17.150586] ret_from_fork+0x10/0x20 [ 17.150648] [ 17.150830] Freed by task 0: [ 17.151019] kasan_save_stack+0x3c/0x68 [ 17.151157] kasan_save_track+0x20/0x40 [ 17.151237] kasan_save_free_info+0x4c/0x78 [ 17.151487] __kasan_slab_free+0x6c/0x98 [ 17.151960] kfree+0x214/0x3c8 [ 17.152066] rcu_uaf_reclaim+0x28/0x70 [ 17.152178] rcu_core+0x9f4/0x1e20 [ 17.152269] rcu_core_si+0x18/0x30 [ 17.152658] handle_softirqs+0x374/0xb28 [ 17.152851] __do_softirq+0x1c/0x28 [ 17.152921] [ 17.153095] Last potentially related work creation: [ 17.153333] kasan_save_stack+0x3c/0x68 [ 17.153466] kasan_record_aux_stack+0xb4/0xc8 [ 17.153620] __call_rcu_common.constprop.0+0x74/0x8c8 [ 17.153723] call_rcu+0x18/0x30 [ 17.153879] rcu_uaf+0x14c/0x2d8 [ 17.154013] kunit_try_run_case+0x170/0x3f0 [ 17.154062] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.154117] kthread+0x328/0x630 [ 17.154149] ret_from_fork+0x10/0x20 [ 17.154454] [ 17.154724] The buggy address belongs to the object at fff00000c7770d00 [ 17.154724] which belongs to the cache kmalloc-32 of size 32 [ 17.154842] The buggy address is located 0 bytes inside of [ 17.154842] freed 32-byte region [fff00000c7770d00, fff00000c7770d20) [ 17.155057] [ 17.155750] The buggy address belongs to the physical page: [ 17.156036] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107770 [ 17.156108] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.156473] page_type: f5(slab) [ 17.156616] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 17.156728] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 17.156953] page dumped because: kasan: bad access detected [ 17.157163] [ 17.157243] Memory state around the buggy address: [ 17.157381] fff00000c7770c00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 17.157455] fff00000c7770c80: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 17.157566] >fff00000c7770d00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 17.157617] ^ [ 17.157645] fff00000c7770d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.157692] fff00000c7770e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.157767] ==================================================================
[ 13.990684] ================================================================== [ 13.991254] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 13.991709] Read of size 4 at addr ffff888102aaa780 by task swapper/0/0 [ 13.992026] [ 13.992219] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.992294] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.992315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.992349] Call Trace: [ 13.992398] <IRQ> [ 13.992428] dump_stack_lvl+0x73/0xb0 [ 13.992486] print_report+0xd1/0x650 [ 13.992523] ? __virt_addr_valid+0x1db/0x2d0 [ 13.992562] ? rcu_uaf_reclaim+0x50/0x60 [ 13.992595] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.992649] ? rcu_uaf_reclaim+0x50/0x60 [ 13.992681] kasan_report+0x141/0x180 [ 13.992717] ? rcu_uaf_reclaim+0x50/0x60 [ 13.992757] __asan_report_load4_noabort+0x18/0x20 [ 13.992798] rcu_uaf_reclaim+0x50/0x60 [ 13.992834] rcu_core+0x66f/0x1c40 [ 13.992886] ? __pfx_rcu_core+0x10/0x10 [ 13.992920] ? ktime_get+0x6b/0x150 [ 13.992956] ? handle_softirqs+0x18e/0x730 [ 13.992998] rcu_core_si+0x12/0x20 [ 13.993031] handle_softirqs+0x209/0x730 [ 13.993066] ? hrtimer_interrupt+0x2fe/0x780 [ 13.993144] ? __pfx_handle_softirqs+0x10/0x10 [ 13.993184] __irq_exit_rcu+0xc9/0x110 [ 13.993215] irq_exit_rcu+0x12/0x20 [ 13.993250] sysvec_apic_timer_interrupt+0x81/0x90 [ 13.993291] </IRQ> [ 13.993348] <TASK> [ 13.993371] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 13.993529] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 13.993867] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 83 ba 21 00 fb f4 <e9> 7c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 13.993967] RSP: 0000:ffffffffa5407dd8 EFLAGS: 00010216 [ 13.994064] RAX: ffff8881b4874000 RBX: ffffffffa541cac0 RCX: ffffffffa42700e5 [ 13.994116] RDX: ffffed102b60618b RSI: 0000000000000004 RDI: 0000000000006a1c [ 13.994162] RBP: ffffffffa5407de0 R08: 0000000000000001 R09: ffffed102b60618a [ 13.994203] R10: ffff88815b030c53 R11: 000000000001d000 R12: 0000000000000000 [ 13.994244] R13: fffffbfff4a83958 R14: ffffffffa5fb0e90 R15: 0000000000000000 [ 13.994304] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 13.994362] ? default_idle+0xd/0x20 [ 13.994385] arch_cpu_idle+0xd/0x20 [ 13.994406] default_idle_call+0x48/0x80 [ 13.994426] do_idle+0x379/0x4f0 [ 13.994449] ? __pfx_do_idle+0x10/0x10 [ 13.994475] cpu_startup_entry+0x5c/0x70 [ 13.994496] rest_init+0x11a/0x140 [ 13.994581] ? acpi_subsystem_init+0x5d/0x150 [ 13.994606] start_kernel+0x330/0x410 [ 13.994648] x86_64_start_reservations+0x1c/0x30 [ 13.994671] x86_64_start_kernel+0x10d/0x120 [ 13.994692] common_startup_64+0x13e/0x148 [ 13.994723] </TASK> [ 13.994735] [ 14.010363] Allocated by task 216: [ 14.010849] kasan_save_stack+0x45/0x70 [ 14.011206] kasan_save_track+0x18/0x40 [ 14.011629] kasan_save_alloc_info+0x3b/0x50 [ 14.011899] __kasan_kmalloc+0xb7/0xc0 [ 14.012240] __kmalloc_cache_noprof+0x189/0x420 [ 14.012551] rcu_uaf+0xb0/0x330 [ 14.013060] kunit_try_run_case+0x1a5/0x480 [ 14.013432] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.013835] kthread+0x337/0x6f0 [ 14.014180] ret_from_fork+0x116/0x1d0 [ 14.014573] ret_from_fork_asm+0x1a/0x30 [ 14.015010] [ 14.015244] Freed by task 0: [ 14.015462] kasan_save_stack+0x45/0x70 [ 14.015779] kasan_save_track+0x18/0x40 [ 14.016156] kasan_save_free_info+0x3f/0x60 [ 14.016578] __kasan_slab_free+0x56/0x70 [ 14.017016] kfree+0x222/0x3f0 [ 14.017327] rcu_uaf_reclaim+0x1f/0x60 [ 14.017935] rcu_core+0x66f/0x1c40 [ 14.018155] rcu_core_si+0x12/0x20 [ 14.018455] handle_softirqs+0x209/0x730 [ 14.018715] __irq_exit_rcu+0xc9/0x110 [ 14.019094] irq_exit_rcu+0x12/0x20 [ 14.019301] sysvec_apic_timer_interrupt+0x81/0x90 [ 14.019875] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 14.020089] [ 14.020331] Last potentially related work creation: [ 14.020694] kasan_save_stack+0x45/0x70 [ 14.020986] kasan_record_aux_stack+0xb2/0xc0 [ 14.021305] __call_rcu_common.constprop.0+0x7b/0x9e0 [ 14.021807] call_rcu+0x12/0x20 [ 14.022070] rcu_uaf+0x168/0x330 [ 14.022398] kunit_try_run_case+0x1a5/0x480 [ 14.022892] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.023284] kthread+0x337/0x6f0 [ 14.023496] ret_from_fork+0x116/0x1d0 [ 14.023922] ret_from_fork_asm+0x1a/0x30 [ 14.024280] [ 14.024466] The buggy address belongs to the object at ffff888102aaa780 [ 14.024466] which belongs to the cache kmalloc-32 of size 32 [ 14.025103] The buggy address is located 0 bytes inside of [ 14.025103] freed 32-byte region [ffff888102aaa780, ffff888102aaa7a0) [ 14.025827] [ 14.026146] The buggy address belongs to the physical page: [ 14.026647] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102aaa [ 14.026983] flags: 0x200000000000000(node=0|zone=2) [ 14.027390] page_type: f5(slab) [ 14.027874] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 14.028172] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 14.028680] page dumped because: kasan: bad access detected [ 14.029050] [ 14.029172] Memory state around the buggy address: [ 14.029369] ffff888102aaa680: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 14.029791] ffff888102aaa700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 14.030119] >ffff888102aaa780: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 14.030457] ^ [ 14.030909] ffff888102aaa800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.031268] ffff888102aaa880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.031833] ==================================================================
[ 14.136816] ================================================================== [ 14.137509] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 14.138017] Read of size 4 at addr ffff8881031bbe80 by task swapper/1/0 [ 14.138554] [ 14.138921] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 14.139101] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.139116] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.139140] Call Trace: [ 14.139170] <IRQ> [ 14.139187] dump_stack_lvl+0x73/0xb0 [ 14.139220] print_report+0xd1/0x650 [ 14.139243] ? __virt_addr_valid+0x1db/0x2d0 [ 14.139268] ? rcu_uaf_reclaim+0x50/0x60 [ 14.139288] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.139314] ? rcu_uaf_reclaim+0x50/0x60 [ 14.139335] kasan_report+0x141/0x180 [ 14.139357] ? rcu_uaf_reclaim+0x50/0x60 [ 14.139383] __asan_report_load4_noabort+0x18/0x20 [ 14.139407] rcu_uaf_reclaim+0x50/0x60 [ 14.139427] rcu_core+0x66f/0x1c40 [ 14.139458] ? __pfx_rcu_core+0x10/0x10 [ 14.139480] ? ktime_get+0x6b/0x150 [ 14.139503] ? handle_softirqs+0x18e/0x730 [ 14.139529] rcu_core_si+0x12/0x20 [ 14.139549] handle_softirqs+0x209/0x730 [ 14.139568] ? hrtimer_interrupt+0x2fe/0x780 [ 14.139596] ? __pfx_handle_softirqs+0x10/0x10 [ 14.139622] __irq_exit_rcu+0xc9/0x110 [ 14.139642] irq_exit_rcu+0x12/0x20 [ 14.139662] sysvec_apic_timer_interrupt+0x81/0x90 [ 14.139685] </IRQ> [ 14.139712] <TASK> [ 14.139723] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 14.139839] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 14.140084] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 83 ba 21 00 fb f4 <e9> 7c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 14.140176] RSP: 0000:ffff888100877dc8 EFLAGS: 00010212 [ 14.140268] RAX: ffff88819e174000 RBX: ffff888100853000 RCX: ffffffffbaa700e5 [ 14.140320] RDX: ffffed102b62618b RSI: 0000000000000004 RDI: 00000000000115ec [ 14.140365] RBP: ffff888100877dd0 R08: 0000000000000001 R09: ffffed102b62618a [ 14.140409] R10: ffff88815b130c53 R11: 000000000002c400 R12: 0000000000000001 [ 14.140453] R13: ffffed102010a600 R14: ffffffffbc7b0e90 R15: 0000000000000000 [ 14.140514] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 14.140568] ? default_idle+0xd/0x20 [ 14.140590] arch_cpu_idle+0xd/0x20 [ 14.140612] default_idle_call+0x48/0x80 [ 14.140635] do_idle+0x379/0x4f0 [ 14.140658] ? complete+0x15b/0x1d0 [ 14.140676] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.140701] ? __pfx_do_idle+0x10/0x10 [ 14.140723] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 14.140746] ? complete+0x15b/0x1d0 [ 14.140768] cpu_startup_entry+0x5c/0x70 [ 14.140792] start_secondary+0x211/0x290 [ 14.140814] ? __pfx_start_secondary+0x10/0x10 [ 14.140841] common_startup_64+0x13e/0x148 [ 14.140875] </TASK> [ 14.140887] [ 14.157444] Allocated by task 215: [ 14.157663] kasan_save_stack+0x45/0x70 [ 14.157947] kasan_save_track+0x18/0x40 [ 14.158786] kasan_save_alloc_info+0x3b/0x50 [ 14.159160] __kasan_kmalloc+0xb7/0xc0 [ 14.159488] __kmalloc_cache_noprof+0x189/0x420 [ 14.159891] rcu_uaf+0xb0/0x330 [ 14.160082] kunit_try_run_case+0x1a5/0x480 [ 14.160294] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.160536] kthread+0x337/0x6f0 [ 14.160694] ret_from_fork+0x116/0x1d0 [ 14.161339] ret_from_fork_asm+0x1a/0x30 [ 14.161547] [ 14.161940] Freed by task 0: [ 14.162108] kasan_save_stack+0x45/0x70 [ 14.162320] kasan_save_track+0x18/0x40 [ 14.162510] kasan_save_free_info+0x3f/0x60 [ 14.162779] __kasan_slab_free+0x56/0x70 [ 14.162968] kfree+0x222/0x3f0 [ 14.163150] rcu_uaf_reclaim+0x1f/0x60 [ 14.163334] rcu_core+0x66f/0x1c40 [ 14.163518] rcu_core_si+0x12/0x20 [ 14.163690] handle_softirqs+0x209/0x730 [ 14.164523] __irq_exit_rcu+0xc9/0x110 [ 14.164723] irq_exit_rcu+0x12/0x20 [ 14.164970] sysvec_apic_timer_interrupt+0x81/0x90 [ 14.165237] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 14.165494] [ 14.165628] Last potentially related work creation: [ 14.166414] kasan_save_stack+0x45/0x70 [ 14.166781] kasan_record_aux_stack+0xb2/0xc0 [ 14.167180] __call_rcu_common.constprop.0+0x7b/0x9e0 [ 14.167410] call_rcu+0x12/0x20 [ 14.167583] rcu_uaf+0x168/0x330 [ 14.168123] kunit_try_run_case+0x1a5/0x480 [ 14.168338] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.168663] kthread+0x337/0x6f0 [ 14.168908] ret_from_fork+0x116/0x1d0 [ 14.169361] ret_from_fork_asm+0x1a/0x30 [ 14.169548] [ 14.169699] The buggy address belongs to the object at ffff8881031bbe80 [ 14.169699] which belongs to the cache kmalloc-32 of size 32 [ 14.170570] The buggy address is located 0 bytes inside of [ 14.170570] freed 32-byte region [ffff8881031bbe80, ffff8881031bbea0) [ 14.171612] [ 14.171714] The buggy address belongs to the physical page: [ 14.171901] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031bb [ 14.172399] flags: 0x200000000000000(node=0|zone=2) [ 14.173196] page_type: f5(slab) [ 14.173387] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 14.174397] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 14.175077] page dumped because: kasan: bad access detected [ 14.175761] [ 14.175933] Memory state around the buggy address: [ 14.176301] ffff8881031bbd80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 14.176533] ffff8881031bbe00: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 14.176997] >ffff8881031bbe80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 14.177827] ^ [ 14.178269] ffff8881031bbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.179105] ffff8881031bbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 14.179977] ==================================================================
[ 31.741541] ================================================================== [ 31.751924] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 31.758634] Read of size 4 at addr ffff8881066f7d00 by task swapper/3/0 [ 31.765253] [ 31.766756] CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 31.766765] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST [ 31.766767] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 31.766771] Call Trace: [ 31.766773] <IRQ> [ 31.766775] dump_stack_lvl+0x73/0xb0 [ 31.766781] print_report+0xd1/0x650 [ 31.766785] ? __virt_addr_valid+0x1db/0x2d0 [ 31.766790] ? rcu_uaf_reclaim+0x50/0x60 [ 31.766794] ? kasan_complete_mode_report_info+0x64/0x200 [ 31.766799] ? rcu_uaf_reclaim+0x50/0x60 [ 31.766803] kasan_report+0x141/0x180 [ 31.766807] ? rcu_uaf_reclaim+0x50/0x60 [ 31.766811] __asan_report_load4_noabort+0x18/0x20 [ 31.766816] rcu_uaf_reclaim+0x50/0x60 [ 31.766819] rcu_core+0x66c/0x1c40 [ 31.766825] ? __pfx_rcu_core+0x10/0x10 [ 31.766829] ? ktime_get+0x68/0x150 [ 31.766833] ? handle_softirqs+0x18e/0x730 [ 31.766838] rcu_core_si+0x12/0x20 [ 31.766841] handle_softirqs+0x206/0x730 [ 31.766845] ? hrtimer_interrupt+0x2fe/0x780 [ 31.766850] ? __pfx_handle_softirqs+0x10/0x10 [ 31.766855] __irq_exit_rcu+0xc9/0x110 [ 31.766859] irq_exit_rcu+0x12/0x20 [ 31.766862] sysvec_apic_timer_interrupt+0x81/0x90 [ 31.766867] </IRQ> [ 31.766868] <TASK> [ 31.766870] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 31.766874] RIP: 0010:cpuidle_enter_state+0xe5/0x2e0 [ 31.766880] Code: ff ff ff 48 89 45 c0 e8 09 ab ff fe 31 ff e8 12 c0 70 fc 80 7d d0 00 0f 85 27 01 00 00 e8 a3 b6 ff fe 84 c0 0f 84 0f 01 00 00 <45> 85 ed 0f 88 ef 00 00 00 4d 63 fd 48 8b 7d c0 4b 8d 04 7f 49 8d [ 31.766888] RSP: 0000:ffff888100907d70 EFLAGS: 00000246 [ 31.766892] RAX: 0000000000000000 RBX: ffff888103847000 RCX: 000000000000001f [ 31.766896] RDX: 1ffff11083ef6c8f RSI: 0000000000000003 RDI: ffff88841f7b6478 [ 31.766900] RBP: ffff888100907db8 R08: 0000000000000004 R09: ffffed1083ef618a [ 31.766903] R10: ffff88841f7b0c53 R11: 0000000000000006 R12: ffffffffa9bb10c0 [ 31.766906] R13: 0000000000000003 R14: 0000000000000003 R15: ffffffffa9bb1210 [ 31.766911] ? tick_nohz_idle_enter+0x13f/0x1b0 [ 31.766916] ? mark_tsc_async_resets+0x10/0x40 [ 31.766921] cpuidle_enter+0x53/0xb0 [ 31.766925] ? cpuidle_select+0x5f/0xb0 [ 31.766930] do_idle+0x360/0x4f0 [ 31.766935] ? __pfx_do_idle+0x10/0x10 [ 31.766939] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 31.766944] ? complete+0x15b/0x1d0 [ 31.766948] cpu_startup_entry+0x5c/0x70 [ 31.766952] start_secondary+0x211/0x290 [ 31.766956] ? __pfx_start_secondary+0x10/0x10 [ 31.766960] common_startup_64+0x13e/0x148 [ 31.766967] </TASK> [ 31.766968] [ 32.004514] Allocated by task 239: [ 32.007920] kasan_save_stack+0x45/0x70 [ 32.011760] kasan_save_track+0x18/0x40 [ 32.015597] kasan_save_alloc_info+0x3b/0x50 [ 32.019872] __kasan_kmalloc+0xb7/0xc0 [ 32.023624] __kmalloc_cache_noprof+0x189/0x420 [ 32.028165] rcu_uaf+0xb0/0x330 [ 32.031313] kunit_try_run_case+0x1a2/0x480 [ 32.035532] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 32.040933] kthread+0x334/0x6f0 [ 32.044174] ret_from_fork+0x113/0x1d0 [ 32.047926] ret_from_fork_asm+0x1a/0x30 [ 32.051851] [ 32.053364] Freed by task 0: [ 32.056270] kasan_save_stack+0x45/0x70 [ 32.060111] kasan_save_track+0x18/0x40 [ 32.063949] kasan_save_free_info+0x3f/0x60 [ 32.068135] __kasan_slab_free+0x56/0x70 [ 32.072061] kfree+0x222/0x3f0 [ 32.075122] rcu_uaf_reclaim+0x1f/0x60 [ 32.078873] rcu_core+0x66c/0x1c40 [ 32.082280] rcu_core_si+0x12/0x20 [ 32.085684] handle_softirqs+0x206/0x730 [ 32.089612] __irq_exit_rcu+0xc9/0x110 [ 32.093366] irq_exit_rcu+0x12/0x20 [ 32.096883] sysvec_apic_timer_interrupt+0x81/0x90 [ 32.101674] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 32.106814] [ 32.108315] Last potentially related work creation: [ 32.113219] kasan_save_stack+0x45/0x70 [ 32.117059] kasan_record_aux_stack+0xb2/0xc0 [ 32.121418] __call_rcu_common.constprop.0+0x7b/0x9e0 [ 32.126470] call_rcu+0x12/0x20 [ 32.129618] rcu_uaf+0x168/0x330 [ 32.132850] kunit_try_run_case+0x1a2/0x480 [ 32.137043] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 32.142444] kthread+0x334/0x6f0 [ 32.145675] ret_from_fork+0x113/0x1d0 [ 32.149430] ret_from_fork_asm+0x1a/0x30 [ 32.153362] [ 32.154881] The buggy address belongs to the object at ffff8881066f7d00 [ 32.154881] which belongs to the cache kmalloc-32 of size 32 [ 32.167222] The buggy address is located 0 bytes inside of [ 32.167222] freed 32-byte region [ffff8881066f7d00, ffff8881066f7d20) [ 32.179217] [ 32.180716] The buggy address belongs to the physical page: [ 32.186287] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066f7 [ 32.194286] flags: 0x200000000000000(node=0|zone=2) [ 32.199167] page_type: f5(slab) [ 32.202314] raw: 0200000000000000 ffff888100042780 dead000000000122 0000000000000000 [ 32.210086] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 32.217827] page dumped because: kasan: bad access detected [ 32.223403] [ 32.224896] Memory state around the buggy address: [ 32.229690] ffff8881066f7c00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 32.236909] ffff8881066f7c80: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 32.244128] >ffff8881066f7d00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 32.251367] ^ [ 32.254617] ffff8881066f7d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.261835] ffff8881066f7e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.269055] ==================================================================