Hay
Date
July 19, 2025, 11:12 p.m.

Environment
qemu-arm64 (first report below: arm64 "Call trace", hardware name linux,dummy-virt (DT))
qemu-x86_64 (second report below: x86-64 "Call Trace", QEMU Standard PC Q35)

Note: both reports are produced by the KASAN KUnit self-test `rcu_uaf` — the allocation and `call_rcu()` stacks sit under `kunit_try_run_case`, and the taint line carries `[N]=TEST`. The slab-use-after-free is triggered deliberately by that test to confirm KASAN catches a read of an RCU-freed object, so these are expected detections on a 6.16.0-rc6 test kernel, not evidence of a real kernel vulnerability.

[   15.700465] ==================================================================
[   15.700605] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[   15.700678] Read of size 4 at addr fff00000c779ed80 by task swapper/1/0
[   15.700741] 
[   15.700782] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   15.700868] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.700895] Hardware name: linux,dummy-virt (DT)
[   15.700929] Call trace:
[   15.700954]  show_stack+0x20/0x38 (C)
[   15.701006]  dump_stack_lvl+0x8c/0xd0
[   15.701054]  print_report+0x118/0x5d0
[   15.701101]  kasan_report+0xdc/0x128
[   15.701147]  __asan_report_load4_noabort+0x20/0x30
[   15.701198]  rcu_uaf_reclaim+0x64/0x70
[   15.701240]  rcu_core+0x9f4/0x1e20
[   15.701285]  rcu_core_si+0x18/0x30
[   15.701330]  handle_softirqs+0x374/0xb28
[   15.701375]  __do_softirq+0x1c/0x28
[   15.701417]  ____do_softirq+0x18/0x30
[   15.701462]  call_on_irq_stack+0x24/0x30
[   15.701507]  do_softirq_own_stack+0x24/0x38
[   15.701554]  __irq_exit_rcu+0x1fc/0x318
[   15.701604]  irq_exit_rcu+0x1c/0x80
[   15.701648]  el1_interrupt+0x38/0x58
[   15.703727]  el1h_64_irq_handler+0x18/0x28
[   15.703800]  el1h_64_irq+0x6c/0x70
[   15.703902]  arch_local_irq_enable+0x4/0x8 (P)
[   15.703954]  do_idle+0x384/0x4e8
[   15.703998]  cpu_startup_entry+0x68/0x80
[   15.704043]  secondary_start_kernel+0x288/0x340
[   15.704090]  __secondary_switched+0xc0/0xc8
[   15.704143] 
[   15.704162] Allocated by task 198:
[   15.704194]  kasan_save_stack+0x3c/0x68
[   15.704236]  kasan_save_track+0x20/0x40
[   15.704274]  kasan_save_alloc_info+0x40/0x58
[   15.704313]  __kasan_kmalloc+0xd4/0xd8
[   15.704350]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.704389]  rcu_uaf+0xb0/0x2d8
[   15.704422]  kunit_try_run_case+0x170/0x3f0
[   15.704461]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.704505]  kthread+0x328/0x630
[   15.704540]  ret_from_fork+0x10/0x20
[   15.704576] 
[   15.704594] Freed by task 0:
[   15.704621]  kasan_save_stack+0x3c/0x68
[   15.704656]  kasan_save_track+0x20/0x40
[   15.704705]  kasan_save_free_info+0x4c/0x78
[   15.704803]  __kasan_slab_free+0x6c/0x98
[   15.704954]  kfree+0x214/0x3c8
[   15.705063]  rcu_uaf_reclaim+0x28/0x70
[   15.705115]  rcu_core+0x9f4/0x1e20
[   15.705157]  rcu_core_si+0x18/0x30
[   15.705190]  handle_softirqs+0x374/0xb28
[   15.705229]  __do_softirq+0x1c/0x28
[   15.705262] 
[   15.705290] Last potentially related work creation:
[   15.705323]  kasan_save_stack+0x3c/0x68
[   15.705363]  kasan_record_aux_stack+0xb4/0xc8
[   15.705403]  __call_rcu_common.constprop.0+0x74/0x8c8
[   15.705455]  call_rcu+0x18/0x30
[   15.705497]  rcu_uaf+0x14c/0x2d8
[   15.705530]  kunit_try_run_case+0x170/0x3f0
[   15.705568]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.705614]  kthread+0x328/0x630
[   15.705648]  ret_from_fork+0x10/0x20
[   15.705707] 
[   15.705741] The buggy address belongs to the object at fff00000c779ed80
[   15.705741]  which belongs to the cache kmalloc-32 of size 32
[   15.705831] The buggy address is located 0 bytes inside of
[   15.705831]  freed 32-byte region [fff00000c779ed80, fff00000c779eda0)
[   15.705893] 
[   15.705952] The buggy address belongs to the physical page:
[   15.705985] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10779e
[   15.706051] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.706103] page_type: f5(slab)
[   15.706159] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   15.706219] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   15.706263] page dumped because: kasan: bad access detected
[   15.706295] 
[   15.706314] Memory state around the buggy address:
[   15.706348]  fff00000c779ec80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   15.706392]  fff00000c779ed00: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   15.706446] >fff00000c779ed80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   15.706503]                    ^
[   15.706540]  fff00000c779ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.706594]  fff00000c779ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.706630] ==================================================================

[   12.579521] ==================================================================
[   12.579984] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[   12.580306] Read of size 4 at addr ffff8881027e49c0 by task swapper/1/0
[   12.580570] 
[   12.580682] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.580724] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.580735] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.580756] Call Trace:
[   12.580781]  <IRQ>
[   12.580796]  dump_stack_lvl+0x73/0xb0
[   12.580826]  print_report+0xd1/0x610
[   12.580847]  ? __virt_addr_valid+0x1db/0x2d0
[   12.580869]  ? rcu_uaf_reclaim+0x50/0x60
[   12.580887]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.580908]  ? rcu_uaf_reclaim+0x50/0x60
[   12.580927]  kasan_report+0x141/0x180
[   12.580947]  ? rcu_uaf_reclaim+0x50/0x60
[   12.580977]  __asan_report_load4_noabort+0x18/0x20
[   12.580999]  rcu_uaf_reclaim+0x50/0x60
[   12.581055]  rcu_core+0x66f/0x1c40
[   12.581083]  ? __pfx_rcu_core+0x10/0x10
[   12.581104]  ? ktime_get+0x6b/0x150
[   12.581125]  ? handle_softirqs+0x18e/0x730
[   12.581150]  rcu_core_si+0x12/0x20
[   12.581169]  handle_softirqs+0x209/0x730
[   12.581187]  ? hrtimer_interrupt+0x2fe/0x780
[   12.581208]  ? __pfx_handle_softirqs+0x10/0x10
[   12.581235]  __irq_exit_rcu+0xc9/0x110
[   12.581275]  irq_exit_rcu+0x12/0x20
[   12.581294]  sysvec_apic_timer_interrupt+0x81/0x90
[   12.581317]  </IRQ>
[   12.581343]  <TASK>
[   12.581390]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   12.581482] RIP: 0010:pv_native_safe_halt+0xf/0x20
[   12.581722] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 23 52 21 00 fb f4 <e9> 3c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[   12.581803] RSP: 0000:ffff888100877dc8 EFLAGS: 00010216
[   12.581896] RAX: ffff8881c2d72000 RBX: ffff888100853000 RCX: ffffffff95e77125
[   12.581941] RDX: ffffed102b62618b RSI: 0000000000000004 RDI: 000000000001073c
[   12.581984] RBP: ffff888100877dd0 R08: 0000000000000001 R09: ffffed102b62618a
[   12.582042] R10: ffff88815b130c53 R11: ffffffff983c36c0 R12: 0000000000000001
[   12.582085] R13: ffffed102010a600 R14: ffffffff97bb1a90 R15: 0000000000000000
[   12.582145]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[   12.582198]  ? default_idle+0xd/0x20
[   12.582217]  arch_cpu_idle+0xd/0x20
[   12.582234]  default_idle_call+0x48/0x80
[   12.582252]  do_idle+0x379/0x4f0
[   12.582273]  ? complete+0x15b/0x1d0
[   12.582290]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.582315]  ? __pfx_do_idle+0x10/0x10
[   12.582335]  ? _raw_spin_unlock_irqrestore+0x49/0x90
[   12.582365]  ? complete+0x15b/0x1d0
[   12.582403]  cpu_startup_entry+0x5c/0x70
[   12.582422]  start_secondary+0x211/0x290
[   12.582443]  ? __pfx_start_secondary+0x10/0x10
[   12.582468]  common_startup_64+0x13e/0x148
[   12.582500]  </TASK>
[   12.582510] 
[   12.594674] Allocated by task 215:
[   12.595081]  kasan_save_stack+0x45/0x70
[   12.595287]  kasan_save_track+0x18/0x40
[   12.595629]  kasan_save_alloc_info+0x3b/0x50
[   12.595798]  __kasan_kmalloc+0xb7/0xc0
[   12.595996]  __kmalloc_cache_noprof+0x189/0x420
[   12.596189]  rcu_uaf+0xb0/0x330
[   12.596353]  kunit_try_run_case+0x1a5/0x480
[   12.596905]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.597237]  kthread+0x337/0x6f0
[   12.597376]  ret_from_fork+0x116/0x1d0
[   12.597710]  ret_from_fork_asm+0x1a/0x30
[   12.598234] 
[   12.598317] Freed by task 0:
[   12.598449]  kasan_save_stack+0x45/0x70
[   12.598993]  kasan_save_track+0x18/0x40
[   12.599169]  kasan_save_free_info+0x3f/0x60
[   12.599448]  __kasan_slab_free+0x56/0x70
[   12.599644]  kfree+0x222/0x3f0
[   12.599781]  rcu_uaf_reclaim+0x1f/0x60
[   12.599971]  rcu_core+0x66f/0x1c40
[   12.600136]  rcu_core_si+0x12/0x20
[   12.600300]  handle_softirqs+0x209/0x730
[   12.600479]  __irq_exit_rcu+0xc9/0x110
[   12.601103]  irq_exit_rcu+0x12/0x20
[   12.601236]  sysvec_apic_timer_interrupt+0x81/0x90
[   12.601605]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   12.601995] 
[   12.602133] Last potentially related work creation:
[   12.602693]  kasan_save_stack+0x45/0x70
[   12.602910]  kasan_record_aux_stack+0xb2/0xc0
[   12.603268]  __call_rcu_common.constprop.0+0x7b/0x9e0
[   12.603541]  call_rcu+0x12/0x20
[   12.603705]  rcu_uaf+0x168/0x330
[   12.603875]  kunit_try_run_case+0x1a5/0x480
[   12.604090]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.604289]  kthread+0x337/0x6f0
[   12.604469]  ret_from_fork+0x116/0x1d0
[   12.605022]  ret_from_fork_asm+0x1a/0x30
[   12.605227] 
[   12.605412] The buggy address belongs to the object at ffff8881027e49c0
[   12.605412]  which belongs to the cache kmalloc-32 of size 32
[   12.606033] The buggy address is located 0 bytes inside of
[   12.606033]  freed 32-byte region [ffff8881027e49c0, ffff8881027e49e0)
[   12.606821] 
[   12.606998] The buggy address belongs to the physical page:
[   12.607219] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027e4
[   12.607921] flags: 0x200000000000000(node=0|zone=2)
[   12.608124] page_type: f5(slab)
[   12.608290] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   12.608944] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   12.609287] page dumped because: kasan: bad access detected
[   12.609661] 
[   12.609757] Memory state around the buggy address:
[   12.609958]  ffff8881027e4880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   12.610276]  ffff8881027e4900: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[   12.610834] >ffff8881027e4980: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   12.611146]                                            ^
[   12.611339]  ffff8881027e4a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.611940]  ffff8881027e4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.612246] ==================================================================