Date
July 15, 2025, 11:09 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 15.971514] ================================================================== [ 15.976216] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 15.976462] Read of size 4 at addr fff00000c5947000 by task swapper/1/0 [ 15.977213] [ 15.977271] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.978176] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.978310] Hardware name: linux,dummy-virt (DT) [ 15.978879] Call trace: [ 15.979320] show_stack+0x20/0x38 (C) [ 15.980045] dump_stack_lvl+0x8c/0xd0 [ 15.980702] print_report+0x118/0x5d0 [ 15.980946] kasan_report+0xdc/0x128 [ 15.981357] __asan_report_load4_noabort+0x20/0x30 [ 15.981408] rcu_uaf_reclaim+0x64/0x70 [ 15.982238] rcu_core+0x9f4/0x1e20 [ 15.982928] rcu_core_si+0x18/0x30 [ 15.983323] handle_softirqs+0x374/0xb28 [ 15.983785] __do_softirq+0x1c/0x28 [ 15.983959] ____do_softirq+0x18/0x30 [ 15.984316] call_on_irq_stack+0x24/0x30 [ 15.984362] do_softirq_own_stack+0x24/0x38 [ 15.984409] __irq_exit_rcu+0x1fc/0x318 [ 15.985258] irq_exit_rcu+0x1c/0x80 [ 15.985315] el1_interrupt+0x38/0x58 [ 15.985365] el1h_64_irq_handler+0x18/0x28 [ 15.985411] el1h_64_irq+0x6c/0x70 [ 15.986562] arch_local_irq_enable+0x4/0x8 (P) [ 15.987285] do_idle+0x384/0x4e8 [ 15.987393] cpu_startup_entry+0x64/0x80 [ 15.987440] secondary_start_kernel+0x288/0x340 [ 15.987488] __secondary_switched+0xc0/0xc8 [ 15.988482] [ 15.988644] Allocated by task 199: [ 15.989395] kasan_save_stack+0x3c/0x68 [ 15.989811] kasan_save_track+0x20/0x40 [ 15.989866] kasan_save_alloc_info+0x40/0x58 [ 15.990452] __kasan_kmalloc+0xd4/0xd8 [ 15.991192] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.991287] rcu_uaf+0xb0/0x2d8 [ 15.991417] kunit_try_run_case+0x170/0x3f0 [ 15.991507] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.991586] kthread+0x328/0x630 [ 15.991623] ret_from_fork+0x10/0x20 [ 15.991660] [ 15.991680] Freed by task 0: [ 15.992152] kasan_save_stack+0x3c/0x68 [ 15.992591] kasan_save_track+0x20/0x40 [ 15.992642] kasan_save_free_info+0x4c/0x78 [ 15.992682] __kasan_slab_free+0x6c/0x98 [ 15.992721] kfree+0x214/0x3c8 [ 15.993633] rcu_uaf_reclaim+0x28/0x70 [ 15.993712] rcu_core+0x9f4/0x1e20 [ 15.993749] rcu_core_si+0x18/0x30 [ 15.994383] handle_softirqs+0x374/0xb28 [ 15.994436] __do_softirq+0x1c/0x28 [ 15.994750] [ 15.995611] Last potentially related work creation: [ 15.995848] kasan_save_stack+0x3c/0x68 [ 15.996289] kasan_record_aux_stack+0xb4/0xc8 [ 15.996414] __call_rcu_common.constprop.0+0x74/0x8c8 [ 15.996990] call_rcu+0x18/0x30 [ 15.997103] rcu_uaf+0x14c/0x2d8 [ 15.997138] kunit_try_run_case+0x170/0x3f0 [ 15.997177] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.997231] kthread+0x328/0x630 [ 15.997264] ret_from_fork+0x10/0x20 [ 15.998358] [ 15.998411] The buggy address belongs to the object at fff00000c5947000 [ 15.998411] which belongs to the cache kmalloc-32 of size 32 [ 15.998481] The buggy address is located 0 bytes inside of [ 15.998481] freed 32-byte region [fff00000c5947000, fff00000c5947020) [ 15.999996] [ 16.000098] The buggy address belongs to the physical page: [ 16.000152] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105947 [ 16.000225] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.001054] page_type: f5(slab) [ 16.001379] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 16.001438] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 16.001833] page dumped because: kasan: bad access detected [ 16.002007] [ 16.002029] Memory state around the buggy address: [ 16.002388] fff00000c5946f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 16.002534] fff00000c5946f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 16.002579] >fff00000c5947000: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 16.002617] ^ [ 16.002645] fff00000c5947080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.003176] fff00000c5947100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.004088] ==================================================================
[ 13.121478] ================================================================== [ 13.122001] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 13.122395] Read of size 4 at addr ffff8881032ef700 by task swapper/1/0 [ 13.122661] [ 13.122791] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.122836] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.122847] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.122867] Call Trace: [ 13.122897] <IRQ> [ 13.122913] dump_stack_lvl+0x73/0xb0 [ 13.122945] print_report+0xd1/0x610 [ 13.122967] ? __virt_addr_valid+0x1db/0x2d0 [ 13.122991] ? rcu_uaf_reclaim+0x50/0x60 [ 13.123011] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.123034] ? rcu_uaf_reclaim+0x50/0x60 [ 13.123055] kasan_report+0x141/0x180 [ 13.123078] ? rcu_uaf_reclaim+0x50/0x60 [ 13.123104] __asan_report_load4_noabort+0x18/0x20 [ 13.123129] rcu_uaf_reclaim+0x50/0x60 [ 13.123149] rcu_core+0x66f/0x1c40 [ 13.123178] ? __pfx_rcu_core+0x10/0x10 [ 13.123199] ? ktime_get+0x6b/0x150 [ 13.123220] ? handle_softirqs+0x18e/0x730 [ 13.123245] rcu_core_si+0x12/0x20 [ 13.123265] handle_softirqs+0x209/0x730 [ 13.123284] ? hrtimer_interrupt+0x2fe/0x780 [ 13.123307] ? __pfx_handle_softirqs+0x10/0x10 [ 13.123391] __irq_exit_rcu+0xc9/0x110 [ 13.123415] irq_exit_rcu+0x12/0x20 [ 13.123435] sysvec_apic_timer_interrupt+0x81/0x90 [ 13.123475] </IRQ> [ 13.123501] <TASK> [ 13.123511] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 13.123603] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 13.123826] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 23 72 21 00 fb f4 <e9> 3c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 13.123907] RSP: 0000:ffff888100877dc8 EFLAGS: 00010216 [ 13.123994] RAX: ffff8881ae172000 RBX: ffff888100853000 RCX: ffffffffaaa75125 [ 13.124040] RDX: ffffed102b62618b RSI: 0000000000000004 RDI: 00000000000141dc [ 13.124083] RBP: ffff888100877dd0 R08: 0000000000000001 R09: ffffed102b62618a [ 13.124125] R10: ffff88815b130c53 R11: 000000000001f000 R12: 0000000000000001 [ 13.124167] R13: ffffed102010a600 R14: ffffffffac7b1490 R15: 0000000000000000 [ 13.124223] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 13.124277] ? default_idle+0xd/0x20 [ 13.124300] arch_cpu_idle+0xd/0x20 [ 13.124321] default_idle_call+0x48/0x80 [ 13.124340] do_idle+0x379/0x4f0 [ 13.124459] ? complete+0x15b/0x1d0 [ 13.124478] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.124505] ? __pfx_do_idle+0x10/0x10 [ 13.124526] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 13.124550] ? complete+0x15b/0x1d0 [ 13.124570] cpu_startup_entry+0x5c/0x70 [ 13.124591] start_secondary+0x211/0x290 [ 13.124614] ? __pfx_start_secondary+0x10/0x10 [ 13.124639] common_startup_64+0x13e/0x148 [ 13.124672] </TASK> [ 13.124681] [ 13.138389] Allocated by task 215: [ 13.138529] kasan_save_stack+0x45/0x70 [ 13.138684] kasan_save_track+0x18/0x40 [ 13.138963] kasan_save_alloc_info+0x3b/0x50 [ 13.139568] __kasan_kmalloc+0xb7/0xc0 [ 13.139750] __kmalloc_cache_noprof+0x189/0x420 [ 13.140256] rcu_uaf+0xb0/0x330 [ 13.140674] kunit_try_run_case+0x1a5/0x480 [ 13.141140] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.141544] kthread+0x337/0x6f0 [ 13.141908] ret_from_fork+0x116/0x1d0 [ 13.142272] ret_from_fork_asm+0x1a/0x30 [ 13.142751] [ 13.142837] Freed by task 0: [ 13.142944] kasan_save_stack+0x45/0x70 [ 13.143083] kasan_save_track+0x18/0x40 [ 13.143218] kasan_save_free_info+0x3f/0x60 [ 13.143560] __kasan_slab_free+0x56/0x70 [ 13.143949] kfree+0x222/0x3f0 [ 13.144261] rcu_uaf_reclaim+0x1f/0x60 [ 13.144731] rcu_core+0x66f/0x1c40 [ 13.145076] rcu_core_si+0x12/0x20 [ 13.145613] handle_softirqs+0x209/0x730 [ 13.146005] __irq_exit_rcu+0xc9/0x110 [ 13.146463] irq_exit_rcu+0x12/0x20 [ 13.146711] sysvec_apic_timer_interrupt+0x81/0x90 [ 13.147106] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 13.147278] [ 13.147521] Last potentially related work creation: [ 13.148015] kasan_save_stack+0x45/0x70 [ 13.148505] kasan_record_aux_stack+0xb2/0xc0 [ 13.148870] __call_rcu_common.constprop.0+0x7b/0x9e0 [ 13.149043] call_rcu+0x12/0x20 [ 13.149160] rcu_uaf+0x168/0x330 [ 13.149280] kunit_try_run_case+0x1a5/0x480 [ 13.149433] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.149610] kthread+0x337/0x6f0 [ 13.149732] ret_from_fork+0x116/0x1d0 [ 13.150081] ret_from_fork_asm+0x1a/0x30 [ 13.150494] [ 13.150867] The buggy address belongs to the object at ffff8881032ef700 [ 13.150867] which belongs to the cache kmalloc-32 of size 32 [ 13.152184] The buggy address is located 0 bytes inside of [ 13.152184] freed 32-byte region [ffff8881032ef700, ffff8881032ef720) [ 13.153505] [ 13.153706] The buggy address belongs to the physical page: [ 13.154215] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1032ef [ 13.155072] flags: 0x200000000000000(node=0|zone=2) [ 13.155560] page_type: f5(slab) [ 13.155687] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 13.155935] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 13.156162] page dumped because: kasan: bad access detected [ 13.156343] [ 13.156626] Memory state around the buggy address: [ 13.157180] ffff8881032ef600: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 13.157934] ffff8881032ef680: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 13.158697] >ffff8881032ef700: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 13.159322] ^ [ 13.159697] ffff8881032ef780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.160317] ffff8881032ef800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.161091] ==================================================================