Date: July 13, 2025, 11:09 p.m.

| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 16.334495] ==================================================================
[ 16.334626] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 16.334695] Read of size 4 at addr fff00000c654b6c0 by task swapper/0/0
[ 16.334743]
[ 16.334783] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.334866] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.334893] Hardware name: linux,dummy-virt (DT)
[ 16.334927] Call trace:
[ 16.334951]  show_stack+0x20/0x38 (C)
[ 16.335003]  dump_stack_lvl+0x8c/0xd0
[ 16.335051]  print_report+0x118/0x5d0
[ 16.335098]  kasan_report+0xdc/0x128
[ 16.335142]  __asan_report_load4_noabort+0x20/0x30
[ 16.335194]  rcu_uaf_reclaim+0x64/0x70
[ 16.335250]  rcu_core+0x9f4/0x1e20
[ 16.335294]  rcu_core_si+0x18/0x30
[ 16.335337]  handle_softirqs+0x374/0xb28
[ 16.335383]  __do_softirq+0x1c/0x28
[ 16.335424]  ____do_softirq+0x18/0x30
[ 16.335468]  call_on_irq_stack+0x24/0x30
[ 16.335513]  do_softirq_own_stack+0x24/0x38
[ 16.335559]  __irq_exit_rcu+0x1fc/0x318
[ 16.335602]  irq_exit_rcu+0x1c/0x80
[ 16.335645]  el1_interrupt+0x38/0x58
[ 16.335690]  el1h_64_irq_handler+0x18/0x28
[ 16.335736]  el1h_64_irq+0x6c/0x70
[ 16.335822]  arch_local_irq_enable+0x4/0x8 (P)
[ 16.335872]  do_idle+0x384/0x4e8
[ 16.335915]  cpu_startup_entry+0x68/0x80
[ 16.335958]  rest_init+0x160/0x188
[ 16.336000]  start_kernel+0x30c/0x3d0
[ 16.336048]  __primary_switched+0x8c/0xa0
[ 16.336098]
[ 16.336116] Allocated by task 199:
[ 16.336144]  kasan_save_stack+0x3c/0x68
[ 16.336230]  kasan_save_track+0x20/0x40
[ 16.336633]  kasan_save_alloc_info+0x40/0x58
[ 16.336675]  __kasan_kmalloc+0xd4/0xd8
[ 16.336712]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.336754]  rcu_uaf+0xb0/0x2d8
[ 16.336787]  kunit_try_run_case+0x170/0x3f0
[ 16.336839]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.336892]  kthread+0x328/0x630
[ 16.336971]  ret_from_fork+0x10/0x20
[ 16.337011]
[ 16.337029] Freed by task 0:
[ 16.337053]  kasan_save_stack+0x3c/0x68
[ 16.337091]  kasan_save_track+0x20/0x40
[ 16.337126]  kasan_save_free_info+0x4c/0x78
[ 16.337208]  __kasan_slab_free+0x6c/0x98
[ 16.337570]  kfree+0x214/0x3c8
[ 16.337657]  rcu_uaf_reclaim+0x28/0x70
[ 16.337699]  rcu_core+0x9f4/0x1e20
[ 16.337734]  rcu_core_si+0x18/0x30
[ 16.337772]  handle_softirqs+0x374/0xb28
[ 16.337809]  __do_softirq+0x1c/0x28
[ 16.337845]
[ 16.337921] Last potentially related work creation:
[ 16.337974]  kasan_save_stack+0x3c/0x68
[ 16.338015]  kasan_record_aux_stack+0xb4/0xc8
[ 16.338240]  __call_rcu_common.constprop.0+0x74/0x8c8
[ 16.338546]  call_rcu+0x18/0x30
[ 16.338851]  rcu_uaf+0x14c/0x2d8
[ 16.338918]  kunit_try_run_case+0x170/0x3f0
[ 16.339194]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.339253]  kthread+0x328/0x630
[ 16.339805]  ret_from_fork+0x10/0x20
[ 16.340491]
[ 16.340524] The buggy address belongs to the object at fff00000c654b6c0
[ 16.340524]  which belongs to the cache kmalloc-32 of size 32
[ 16.340589] The buggy address is located 0 bytes inside of
[ 16.340589]  freed 32-byte region [fff00000c654b6c0, fff00000c654b6e0)
[ 16.340653]
[ 16.340675] The buggy address belongs to the physical page:
[ 16.340709] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10654b
[ 16.340768] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.340821] page_type: f5(slab)
[ 16.340861] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 16.340914] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 16.340957] page dumped because: kasan: bad access detected
[ 16.340990]
[ 16.341008] Memory state around the buggy address:
[ 16.343000]  fff00000c654b580: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 16.343389]  fff00000c654b600: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 16.343725] >fff00000c654b680: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 16.344087]                                            ^
[ 16.344243]  fff00000c654b700: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.344288]  fff00000c654b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.344326] ==================================================================
```
```
[ 17.008800] ==================================================================
[ 17.008997] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 17.009068] Read of size 4 at addr fff00000c5ac90c0 by task swapper/1/0
[ 17.009165]
[ 17.009250] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.009375] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.009403] Hardware name: linux,dummy-virt (DT)
[ 17.009438] Call trace:
[ 17.009462]  show_stack+0x20/0x38 (C)
[ 17.009759]  dump_stack_lvl+0x8c/0xd0
[ 17.009831]  print_report+0x118/0x5d0
[ 17.009877]  kasan_report+0xdc/0x128
[ 17.009953]  __asan_report_load4_noabort+0x20/0x30
[ 17.010010]  rcu_uaf_reclaim+0x64/0x70
[ 17.010054]  rcu_core+0x9f4/0x1e20
[ 17.010101]  rcu_core_si+0x18/0x30
[ 17.010145]  handle_softirqs+0x374/0xb28
[ 17.010419]  __do_softirq+0x1c/0x28
[ 17.010512]  ____do_softirq+0x18/0x30
[ 17.010634]  call_on_irq_stack+0x24/0x30
[ 17.011404]  do_softirq_own_stack+0x24/0x38
[ 17.011475]  __irq_exit_rcu+0x1fc/0x318
[ 17.012522]  irq_exit_rcu+0x1c/0x80
[ 17.012579]  el1_interrupt+0x38/0x58
[ 17.012631]  el1h_64_irq_handler+0x18/0x28
[ 17.012686]  el1h_64_irq+0x6c/0x70
[ 17.012792]  arch_local_irq_enable+0x4/0x8 (P)
[ 17.012843]  do_idle+0x384/0x4e8
[ 17.012885]  cpu_startup_entry+0x68/0x80
[ 17.012930]  secondary_start_kernel+0x288/0x340
[ 17.012978]  __secondary_switched+0xc0/0xc8
[ 17.013033]
[ 17.013051] Allocated by task 199:
[ 17.013083]  kasan_save_stack+0x3c/0x68
[ 17.013124]  kasan_save_track+0x20/0x40
[ 17.013160]  kasan_save_alloc_info+0x40/0x58
[ 17.013214]  __kasan_kmalloc+0xd4/0xd8
[ 17.013251]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.013292]  rcu_uaf+0xb0/0x2d8
[ 17.013324]  kunit_try_run_case+0x170/0x3f0
[ 17.013364]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.013407]  kthread+0x328/0x630
[ 17.013439]  ret_from_fork+0x10/0x20
[ 17.013477]
[ 17.013495] Freed by task 0:
[ 17.013520]  kasan_save_stack+0x3c/0x68
[ 17.013558]  kasan_save_track+0x20/0x40
[ 17.013595]  kasan_save_free_info+0x4c/0x78
[ 17.013635]  __kasan_slab_free+0x6c/0x98
[ 17.013673]  kfree+0x214/0x3c8
[ 17.013704]  rcu_uaf_reclaim+0x28/0x70
[ 17.013739]  rcu_core+0x9f4/0x1e20
[ 17.013774]  rcu_core_si+0x18/0x30
[ 17.013807]  handle_softirqs+0x374/0xb28
[ 17.013844]  __do_softirq+0x1c/0x28
[ 17.013877]
[ 17.013906] Last potentially related work creation:
[ 17.013942]  kasan_save_stack+0x3c/0x68
[ 17.013981]  kasan_record_aux_stack+0xb4/0xc8
[ 17.014035]  __call_rcu_common.constprop.0+0x74/0x8c8
[ 17.014778]  call_rcu+0x18/0x30
[ 17.014815]  rcu_uaf+0x14c/0x2d8
[ 17.015279]  kunit_try_run_case+0x170/0x3f0
[ 17.015342]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.015396]  kthread+0x328/0x630
[ 17.015433]  ret_from_fork+0x10/0x20
[ 17.015483]
[ 17.015515] The buggy address belongs to the object at fff00000c5ac90c0
[ 17.015515]  which belongs to the cache kmalloc-32 of size 32
[ 17.015950] The buggy address is located 0 bytes inside of
[ 17.015950]  freed 32-byte region [fff00000c5ac90c0, fff00000c5ac90e0)
[ 17.016027]
[ 17.016050] The buggy address belongs to the physical page:
[ 17.016128] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ac9
[ 17.016211] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.016263] page_type: f5(slab)
[ 17.016308] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 17.016364] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 17.016407] page dumped because: kasan: bad access detected
[ 17.016439]
[ 17.016456] Memory state around the buggy address:
[ 17.016490]  fff00000c5ac8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.016536]  fff00000c5ac9000: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 17.016581] >fff00000c5ac9080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 17.016620]                                            ^
[ 17.016656]  fff00000c5ac9100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.016699]  fff00000c5ac9180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.016738] ==================================================================
```
```
[ 13.227665] ==================================================================
[ 13.228110] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 13.228676] Read of size 4 at addr ffff8881026c5540 by task swapper/0/0
[ 13.229030]
[ 13.229207] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.229251] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.229262] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.229281] Call Trace:
[ 13.229314]  <IRQ>
[ 13.229328]  dump_stack_lvl+0x73/0xb0
[ 13.229358]  print_report+0xd1/0x610
[ 13.229380]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.229403]  ? rcu_uaf_reclaim+0x50/0x60
[ 13.229608]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.229635]  ? rcu_uaf_reclaim+0x50/0x60
[ 13.229656]  kasan_report+0x141/0x180
[ 13.229678]  ? rcu_uaf_reclaim+0x50/0x60
[ 13.229703]  __asan_report_load4_noabort+0x18/0x20
[ 13.229728]  rcu_uaf_reclaim+0x50/0x60
[ 13.229748]  rcu_core+0x66f/0x1c40
[ 13.229777]  ? __pfx_rcu_core+0x10/0x10
[ 13.229798]  ? ktime_get+0x6b/0x150
[ 13.229819]  ? handle_softirqs+0x18e/0x730
[ 13.229844]  rcu_core_si+0x12/0x20
[ 13.229863]  handle_softirqs+0x209/0x730
[ 13.229883]  ? hrtimer_interrupt+0x2fe/0x780
[ 13.229906]  ? __pfx_handle_softirqs+0x10/0x10
[ 13.229932]  __irq_exit_rcu+0xc9/0x110
[ 13.229952]  irq_exit_rcu+0x12/0x20
[ 13.229972]  sysvec_apic_timer_interrupt+0x81/0x90
[ 13.229998]  </IRQ>
[ 13.230025]  <TASK>
[ 13.230035]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 13.230124] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 13.230335] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 23 72 21 00 fb f4 <e9> 3c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 13.230413] RSP: 0000:ffffffffa1e07dd8 EFLAGS: 00010202
[ 13.230512] RAX: ffff8881b7e72000 RBX: ffffffffa1e1cac0 RCX: ffffffffa0c75125
[ 13.230559] RDX: ffffed102b60618b RSI: 0000000000000004 RDI: 0000000000005074
[ 13.230602] RBP: ffffffffa1e07de0 R08: 0000000000000001 R09: ffffed102b60618a
[ 13.230644] R10: ffff88815b030c53 R11: 00000000000b5400 R12: 0000000000000000
[ 13.230686] R13: fffffbfff43c3958 R14: ffffffffa29b1490 R15: 0000000000000000
[ 13.230742]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 13.230795]  ? default_idle+0xd/0x20
[ 13.230817]  arch_cpu_idle+0xd/0x20
[ 13.230838]  default_idle_call+0x48/0x80
[ 13.230857]  do_idle+0x379/0x4f0
[ 13.230882]  ? __pfx_do_idle+0x10/0x10
[ 13.230909]  cpu_startup_entry+0x5c/0x70
[ 13.230929]  rest_init+0x11a/0x140
[ 13.230946]  ? acpi_subsystem_init+0x5d/0x150
[ 13.230971]  start_kernel+0x330/0x410
[ 13.230996]  x86_64_start_reservations+0x1c/0x30
[ 13.231022]  x86_64_start_kernel+0x10d/0x120
[ 13.231046]  common_startup_64+0x13e/0x148
[ 13.231077]  </TASK>
[ 13.231087]
[ 13.245992] Allocated by task 215:
[ 13.246177]  kasan_save_stack+0x45/0x70
[ 13.246342]  kasan_save_track+0x18/0x40
[ 13.246911]  kasan_save_alloc_info+0x3b/0x50
[ 13.247114]  __kasan_kmalloc+0xb7/0xc0
[ 13.247469]  __kmalloc_cache_noprof+0x189/0x420
[ 13.247853]  rcu_uaf+0xb0/0x330
[ 13.248018]  kunit_try_run_case+0x1a5/0x480
[ 13.248187]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.248419]  kthread+0x337/0x6f0
[ 13.249022]  ret_from_fork+0x116/0x1d0
[ 13.249192]  ret_from_fork_asm+0x1a/0x30
[ 13.249749]
[ 13.249973] Freed by task 0:
[ 13.250130]  kasan_save_stack+0x45/0x70
[ 13.250732]  kasan_save_track+0x18/0x40
[ 13.250930]  kasan_save_free_info+0x3f/0x60
[ 13.251210]  __kasan_slab_free+0x56/0x70
[ 13.251513]  kfree+0x222/0x3f0
[ 13.251786]  rcu_uaf_reclaim+0x1f/0x60
[ 13.251966]  rcu_core+0x66f/0x1c40
[ 13.252144]  rcu_core_si+0x12/0x20
[ 13.252314]  handle_softirqs+0x209/0x730
[ 13.252871]  __irq_exit_rcu+0xc9/0x110
[ 13.253035]  irq_exit_rcu+0x12/0x20
[ 13.253369]  sysvec_apic_timer_interrupt+0x81/0x90
[ 13.253912]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 13.254160]
[ 13.254274] Last potentially related work creation:
[ 13.254490]  kasan_save_stack+0x45/0x70
[ 13.255055]  kasan_record_aux_stack+0xb2/0xc0
[ 13.255244]  __call_rcu_common.constprop.0+0x7b/0x9e0
[ 13.255524]  call_rcu+0x12/0x20
[ 13.255764]  rcu_uaf+0x168/0x330
[ 13.255915]  kunit_try_run_case+0x1a5/0x480
[ 13.256122]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.256394]  kthread+0x337/0x6f0
[ 13.257042]  ret_from_fork+0x116/0x1d0
[ 13.257200]  ret_from_fork_asm+0x1a/0x30
[ 13.257573]
[ 13.257963] The buggy address belongs to the object at ffff8881026c5540
[ 13.257963]  which belongs to the cache kmalloc-32 of size 32
[ 13.258750] The buggy address is located 0 bytes inside of
[ 13.258750]  freed 32-byte region [ffff8881026c5540, ffff8881026c5560)
[ 13.259316]
[ 13.259417] The buggy address belongs to the physical page:
[ 13.259935] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026c5
[ 13.260393] flags: 0x200000000000000(node=0|zone=2)
[ 13.260935] page_type: f5(slab)
[ 13.261088] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 13.261616] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 13.262156] page dumped because: kasan: bad access detected
[ 13.262594]
[ 13.262690] Memory state around the buggy address:
[ 13.262914]  ffff8881026c5400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.263221]  ffff8881026c5480: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 13.263849] >ffff8881026c5500: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.264112]                                            ^
[ 13.264523]  ffff8881026c5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.264994]  ffff8881026c5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.265381] ==================================================================
```
```
[ 13.428748] ==================================================================
[ 13.429261] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 13.429642] Read of size 4 at addr ffff88810259be80 by task swapper/0/0
[ 13.429943]
[ 13.430232] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.430328] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.430343] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.430364] Call Trace:
[ 13.430436]  <IRQ>
[ 13.430455]  dump_stack_lvl+0x73/0xb0
[ 13.430516]  print_report+0xd1/0x610
[ 13.430539]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.430564]  ? rcu_uaf_reclaim+0x50/0x60
[ 13.430584]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.430608]  ? rcu_uaf_reclaim+0x50/0x60
[ 13.430697]  kasan_report+0x141/0x180
[ 13.430765]  ? rcu_uaf_reclaim+0x50/0x60
[ 13.430791]  __asan_report_load4_noabort+0x18/0x20
[ 13.430828]  rcu_uaf_reclaim+0x50/0x60
[ 13.430849]  rcu_core+0x66f/0x1c40
[ 13.430878]  ? __pfx_rcu_core+0x10/0x10
[ 13.430900]  ? ktime_get+0x6b/0x150
[ 13.430922]  ? handle_softirqs+0x18e/0x730
[ 13.430948]  rcu_core_si+0x12/0x20
[ 13.430968]  handle_softirqs+0x209/0x730
[ 13.430988]  ? hrtimer_interrupt+0x2fe/0x780
[ 13.431010]  ? __pfx_handle_softirqs+0x10/0x10
[ 13.431037]  __irq_exit_rcu+0xc9/0x110
[ 13.431068]  irq_exit_rcu+0x12/0x20
[ 13.431088]  sysvec_apic_timer_interrupt+0x81/0x90
[ 13.431133]  </IRQ>
[ 13.431162]  <TASK>
[ 13.431172]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 13.431273] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 13.431489] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 23 72 21 00 fb f4 <e9> 3c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 13.431571] RSP: 0000:ffffffffb3007dd8 EFLAGS: 00010202
[ 13.431744] RAX: ffff8881a0272000 RBX: ffffffffb301cac0 RCX: ffffffffb1e75125
[ 13.431803] RDX: ffffed102a8c618b RSI: 0000000000000004 RDI: 0000000000005c84
[ 13.431848] RBP: ffffffffb3007de0 R08: 0000000000000001 R09: ffffed102a8c618a
[ 13.431891] R10: ffff888154630c53 R11: 0000000000000002 R12: 0000000000000000
[ 13.431936] R13: fffffbfff6603958 R14: ffffffffb3bb1490 R15: 0000000000000000
[ 13.431996]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 13.432068]  ? default_idle+0xd/0x20
[ 13.432091]  arch_cpu_idle+0xd/0x20
[ 13.432113]  default_idle_call+0x48/0x80
[ 13.432132]  do_idle+0x379/0x4f0
[ 13.432180]  ? __pfx_do_idle+0x10/0x10
[ 13.432202]  ? trace_preempt_on+0x20/0xc0
[ 13.432226]  ? schedule+0x86/0x2e0
[ 13.432246]  ? preempt_count_sub+0x50/0x80
[ 13.432270]  cpu_startup_entry+0x5c/0x70
[ 13.432291]  rest_init+0x11a/0x140
[ 13.432308]  ? acpi_subsystem_init+0x5d/0x150
[ 13.432334]  start_kernel+0x330/0x410
[ 13.432360]  x86_64_start_reservations+0x1c/0x30
[ 13.432385]  x86_64_start_kernel+0x10d/0x120
[ 13.432410]  common_startup_64+0x13e/0x148
[ 13.432442]  </TASK>
[ 13.432452]
[ 13.444102] Allocated by task 216:
[ 13.444363]  kasan_save_stack+0x45/0x70
[ 13.444723]  kasan_save_track+0x18/0x40
[ 13.444952]  kasan_save_alloc_info+0x3b/0x50
[ 13.445215]  __kasan_kmalloc+0xb7/0xc0
[ 13.445439]  __kmalloc_cache_noprof+0x189/0x420
[ 13.445884]  rcu_uaf+0xb0/0x330
[ 13.446041]  kunit_try_run_case+0x1a5/0x480
[ 13.446335]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.446561]  kthread+0x337/0x6f0
[ 13.446897]  ret_from_fork+0x116/0x1d0
[ 13.447107]  ret_from_fork_asm+0x1a/0x30
[ 13.447335]
[ 13.447465] Freed by task 0:
[ 13.447599]  kasan_save_stack+0x45/0x70
[ 13.447913]  kasan_save_track+0x18/0x40
[ 13.448122]  kasan_save_free_info+0x3f/0x60
[ 13.448341]  __kasan_slab_free+0x56/0x70
[ 13.448570]  kfree+0x222/0x3f0
[ 13.448841]  rcu_uaf_reclaim+0x1f/0x60
[ 13.449072]  rcu_core+0x66f/0x1c40
[ 13.449258]  rcu_core_si+0x12/0x20
[ 13.449487]  handle_softirqs+0x209/0x730
[ 13.449787]  __irq_exit_rcu+0xc9/0x110
[ 13.449937]  irq_exit_rcu+0x12/0x20
[ 13.450128]  sysvec_apic_timer_interrupt+0x81/0x90
[ 13.450429]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 13.450918]
[ 13.451022] Last potentially related work creation:
[ 13.451242]  kasan_save_stack+0x45/0x70
[ 13.451435]  kasan_record_aux_stack+0xb2/0xc0
[ 13.451637]  __call_rcu_common.constprop.0+0x7b/0x9e0
[ 13.451872]  call_rcu+0x12/0x20
[ 13.452036]  rcu_uaf+0x168/0x330
[ 13.452202]  kunit_try_run_case+0x1a5/0x480
[ 13.452402]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.452646]  kthread+0x337/0x6f0
[ 13.452798]  ret_from_fork+0x116/0x1d0
[ 13.453038]  ret_from_fork_asm+0x1a/0x30
[ 13.453299]
[ 13.453383] The buggy address belongs to the object at ffff88810259be80
[ 13.453383]  which belongs to the cache kmalloc-32 of size 32
[ 13.454427] The buggy address is located 0 bytes inside of
[ 13.454427]  freed 32-byte region [ffff88810259be80, ffff88810259bea0)
[ 13.454997]
[ 13.455128] The buggy address belongs to the physical page:
[ 13.455747] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10259b
[ 13.456483] flags: 0x200000000000000(node=0|zone=2)
[ 13.457018] page_type: f5(slab)
[ 13.457198] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 13.457599] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 13.457997] page dumped because: kasan: bad access detected
[ 13.458296]
[ 13.458401] Memory state around the buggy address:
[ 13.458581]  ffff88810259bd80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 13.459029]  ffff88810259be00: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 13.459392] >ffff88810259be80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.459765]                    ^
[ 13.459911]  ffff88810259bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.460293]  ffff88810259bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.460621] ==================================================================
```