Date
Nov. 26, 2024, 6:09 a.m.

Environment
qemu-arm64
qemu-x86_64

[   32.665500] ==================================================================
[   32.666537] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x390/0x468
[   32.667410] Read of size 1 at addr fff00000c64bc000 by task kunit_try_catch/202
[   32.668094] 
[   32.668491] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   32.669982] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.670597] Hardware name: linux,dummy-virt (DT)
[   32.671324] Call trace:
[   32.671810]  show_stack+0x20/0x38 (C)
[   32.673070]  dump_stack_lvl+0x8c/0xd0
[   32.673655]  print_report+0x118/0x5e0
[   32.674358]  kasan_report+0xc8/0x118
[   32.675072]  __asan_report_load1_noabort+0x20/0x30
[   32.675892]  kmem_cache_rcu_uaf+0x390/0x468
[   32.676569]  kunit_try_run_case+0x14c/0x3d0
[   32.677214]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.678295]  kthread+0x24c/0x2d0
[   32.678930]  ret_from_fork+0x10/0x20
[   32.679803] 
[   32.680423] Allocated by task 202:
[   32.680935]  kasan_save_stack+0x3c/0x68
[   32.681678]  kasan_save_track+0x20/0x40
[   32.682398]  kasan_save_alloc_info+0x40/0x58
[   32.683139]  __kasan_slab_alloc+0xa8/0xb0
[   32.683424]  kmem_cache_alloc_noprof+0x108/0x3a0
[   32.683706]  kmem_cache_rcu_uaf+0x12c/0x468
[   32.684046]  kunit_try_run_case+0x14c/0x3d0
[   32.685490]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.686132]  kthread+0x24c/0x2d0
[   32.686569]  ret_from_fork+0x10/0x20
[   32.687464] 
[   32.687867] Freed by task 0:
[   32.688281]  kasan_save_stack+0x3c/0x68
[   32.689427]  kasan_save_track+0x20/0x40
[   32.690122]  kasan_save_free_info+0x4c/0x78
[   32.690839]  __kasan_slab_free+0x6c/0x98
[   32.691557]  slab_free_after_rcu_debug+0xd4/0x2f8
[   32.692493]  rcu_core+0xa54/0x1df8
[   32.693512]  rcu_core_si+0x18/0x30
[   32.693952]  handle_softirqs+0x374/0xb20
[   32.694621]  __do_softirq+0x1c/0x28
[   32.695535] 
[   32.696119] Last potentially related work creation:
[   32.696668]  kasan_save_stack+0x3c/0x68
[   32.697673]  __kasan_record_aux_stack+0xbc/0xe8
[   32.698325]  kasan_record_aux_stack_noalloc+0x14/0x20
[   32.698959]  kmem_cache_free+0x28c/0x470
[   32.699473]  kmem_cache_rcu_uaf+0x16c/0x468
[   32.701562]  kunit_try_run_case+0x14c/0x3d0
[   32.702122]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.702745]  kthread+0x24c/0x2d0
[   32.703331]  ret_from_fork+0x10/0x20
[   32.703983] 
[   32.704312] The buggy address belongs to the object at fff00000c64bc000
[   32.704312]  which belongs to the cache test_cache of size 200
[   32.705526] The buggy address is located 0 bytes inside of
[   32.705526]  freed 200-byte region [fff00000c64bc000, fff00000c64bc0c8)
[   32.706693] 
[   32.707052] The buggy address belongs to the physical page:
[   32.707623] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064bc
[   32.708629] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.709432] page_type: f5(slab)
[   32.710856] raw: 0bfffe0000000000 fff00000c56ba500 dead000000000122 0000000000000000
[   32.711819] raw: 0000000000000000 00000000800f000f 00000001f5000000 0000000000000000
[   32.712583] page dumped because: kasan: bad access detected
[   32.713397] 
[   32.713769] Memory state around the buggy address:
[   32.714838]  fff00000c64bbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.716027]  fff00000c64bbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.717519] >fff00000c64bc000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.718530]                    ^
[   32.719035]  fff00000c64bc080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   32.719721]  fff00000c64bc100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.720544] ==================================================================

[   32.670794] ==================================================================
[   32.671970] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x390/0x468
[   32.672632] Read of size 1 at addr fff00000c5ec1000 by task kunit_try_catch/202
[   32.673547] 
[   32.674750] CPU: 1 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   32.676227] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.676928] Hardware name: linux,dummy-virt (DT)
[   32.677681] Call trace:
[   32.678117]  show_stack+0x20/0x38 (C)
[   32.679039]  dump_stack_lvl+0x8c/0xd0
[   32.679611]  print_report+0x118/0x5e0
[   32.680190]  kasan_report+0xc8/0x118
[   32.680804]  __asan_report_load1_noabort+0x20/0x30
[   32.681436]  kmem_cache_rcu_uaf+0x390/0x468
[   32.682576]  kunit_try_run_case+0x14c/0x3d0
[   32.683184]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.683851]  kthread+0x24c/0x2d0
[   32.684461]  ret_from_fork+0x10/0x20
[   32.685004] 
[   32.685362] Allocated by task 202:
[   32.686304]  kasan_save_stack+0x3c/0x68
[   32.687165]  kasan_save_track+0x20/0x40
[   32.687674]  kasan_save_alloc_info+0x40/0x58
[   32.688355]  __kasan_slab_alloc+0xa8/0xb0
[   32.689012]  kmem_cache_alloc_noprof+0x108/0x3a0
[   32.689866]  kmem_cache_rcu_uaf+0x12c/0x468
[   32.690736]  kunit_try_run_case+0x14c/0x3d0
[   32.691877]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.692732]  kthread+0x24c/0x2d0
[   32.693079]  ret_from_fork+0x10/0x20
[   32.693877] 
[   32.694573] Freed by task 0:
[   32.695008]  kasan_save_stack+0x3c/0x68
[   32.695506]  kasan_save_track+0x20/0x40
[   32.696149]  kasan_save_free_info+0x4c/0x78
[   32.696809]  __kasan_slab_free+0x6c/0x98
[   32.697442]  slab_free_after_rcu_debug+0xd4/0x2f8
[   32.698878]  rcu_core+0xa54/0x1df8
[   32.699449]  rcu_core_si+0x18/0x30
[   32.699963]  handle_softirqs+0x374/0xb20
[   32.700667]  __do_softirq+0x1c/0x28
[   32.701646] 
[   32.702249] Last potentially related work creation:
[   32.703295]  kasan_save_stack+0x3c/0x68
[   32.703912]  __kasan_record_aux_stack+0xbc/0xe8
[   32.704504]  kasan_record_aux_stack_noalloc+0x14/0x20
[   32.705266]  kmem_cache_free+0x28c/0x470
[   32.706469]  kmem_cache_rcu_uaf+0x16c/0x468
[   32.707058]  kunit_try_run_case+0x14c/0x3d0
[   32.707838]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.708718]  kthread+0x24c/0x2d0
[   32.709340]  ret_from_fork+0x10/0x20
[   32.710214] 
[   32.710685] The buggy address belongs to the object at fff00000c5ec1000
[   32.710685]  which belongs to the cache test_cache of size 200
[   32.711957] The buggy address is located 0 bytes inside of
[   32.711957]  freed 200-byte region [fff00000c5ec1000, fff00000c5ec10c8)
[   32.713116] 
[   32.713547] The buggy address belongs to the physical page:
[   32.714660] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ec1
[   32.716433] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.717277] page_type: f5(slab)
[   32.718371] raw: 0bfffe0000000000 fff00000c5d7ea00 dead000000000122 0000000000000000
[   32.719191] raw: 0000000000000000 00000000800f000f 00000001f5000000 0000000000000000
[   32.720036] page dumped because: kasan: bad access detected
[   32.720666] 
[   32.721030] Memory state around the buggy address:
[   32.721726]  fff00000c5ec0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.723407]  fff00000c5ec0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.724288] >fff00000c5ec1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.725358]                    ^
[   32.726135]  fff00000c5ec1080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   32.727255]  fff00000c5ec1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.728168] ==================================================================

[   26.810459] ==================================================================
[   26.811129] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e5/0x510
[   26.811129] Read of size 1 at addr ffff8881028e8000 by task kunit_try_catch/222
[   26.811129] 
[   26.811129] CPU: 0 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   26.811129] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.811129] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.811129] Call Trace:
[   26.811129]  <TASK>
[   26.811129]  dump_stack_lvl+0x73/0xb0
[   26.811129]  print_report+0xd1/0x640
[   26.811129]  ? __virt_addr_valid+0x1db/0x2d0
[   26.811129]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.811129]  kasan_report+0x102/0x140
[   26.811129]  ? kmem_cache_rcu_uaf+0x3e5/0x510
[   26.811129]  ? kmem_cache_rcu_uaf+0x3e5/0x510
[   26.811129]  __asan_report_load1_noabort+0x18/0x20
[   26.811129]  kmem_cache_rcu_uaf+0x3e5/0x510
[   26.811129]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   26.811129]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   26.811129]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   26.811129]  kunit_try_run_case+0x1b3/0x490
[   26.811129]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.811129]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   26.811129]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.811129]  ? __kthread_parkme+0x82/0x160
[   26.811129]  ? preempt_count_sub+0x50/0x80
[   26.811129]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.811129]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.811129]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.811129]  kthread+0x257/0x310
[   26.811129]  ? __pfx_kthread+0x10/0x10
[   26.811129]  ret_from_fork+0x41/0x80
[   26.811129]  ? __pfx_kthread+0x10/0x10
[   26.811129]  ret_from_fork_asm+0x1a/0x30
[   26.811129]  </TASK>
[   26.811129] 
[   26.811129] Allocated by task 222:
[   26.811129]  kasan_save_stack+0x3d/0x60
[   26.811129]  kasan_save_track+0x18/0x40
[   26.811129]  kasan_save_alloc_info+0x3b/0x50
[   26.811129]  __kasan_slab_alloc+0x91/0xa0
[   26.811129]  kmem_cache_alloc_noprof+0x11e/0x3f0
[   26.811129]  kmem_cache_rcu_uaf+0x156/0x510
[   26.811129]  kunit_try_run_case+0x1b3/0x490
[   26.811129]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.811129]  kthread+0x257/0x310
[   26.811129]  ret_from_fork+0x41/0x80
[   26.811129]  ret_from_fork_asm+0x1a/0x30
[   26.811129] 
[   26.811129] Freed by task 0:
[   26.811129]  kasan_save_stack+0x3d/0x60
[   26.811129]  kasan_save_track+0x18/0x40
[   26.811129]  kasan_save_free_info+0x3f/0x60
[   26.811129]  __kasan_slab_free+0x56/0x70
[   26.811129]  slab_free_after_rcu_debug+0xe4/0x310
[   26.811129]  rcu_core+0x680/0x1d70
[   26.811129]  rcu_core_si+0x12/0x20
[   26.811129]  handle_softirqs+0x209/0x720
[   26.811129]  __irq_exit_rcu+0xc9/0x110
[   26.811129]  irq_exit_rcu+0x12/0x20
[   26.811129]  sysvec_apic_timer_interrupt+0x81/0x90
[   26.811129]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   26.811129] 
[   26.811129] Last potentially related work creation:
[   26.811129]  kasan_save_stack+0x3d/0x60
[   26.811129]  __kasan_record_aux_stack+0xae/0xc0
[   26.811129]  kasan_record_aux_stack_noalloc+0xf/0x20
[   26.811129]  kmem_cache_free+0x276/0x420
[   26.811129]  kmem_cache_rcu_uaf+0x195/0x510
[   26.811129]  kunit_try_run_case+0x1b3/0x490
[   26.811129]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.811129]  kthread+0x257/0x310
[   26.811129]  ret_from_fork+0x41/0x80
[   26.811129]  ret_from_fork_asm+0x1a/0x30
[   26.811129] 
[   26.811129] The buggy address belongs to the object at ffff8881028e8000
[   26.811129]  which belongs to the cache test_cache of size 200
[   26.811129] The buggy address is located 0 bytes inside of
[   26.811129]  freed 200-byte region [ffff8881028e8000, ffff8881028e80c8)
[   26.811129] 
[   26.811129] The buggy address belongs to the physical page:
[   26.811129] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028e8
[   26.811129] flags: 0x200000000000000(node=0|zone=2)
[   26.811129] page_type: f5(slab)
[   26.811129] raw: 0200000000000000 ffff888100a2b8c0 dead000000000122 0000000000000000
[   26.811129] raw: 0000000000000000 00000000800f000f 00000001f5000000 0000000000000000
[   26.811129] page dumped because: kasan: bad access detected
[   26.811129] 
[   26.811129] Memory state around the buggy address:
[   26.811129]  ffff8881028e7f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   26.811129]  ffff8881028e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.811129] >ffff8881028e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.811129]                    ^
[   26.811129]  ffff8881028e8080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   26.811129]  ffff8881028e8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.811129] ==================================================================

[   21.764353] ==================================================================
[   21.765054] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e5/0x510
[   21.765973] Read of size 1 at addr ffff888102ba3000 by task kunit_try_catch/220
[   21.766841] 
[   21.767140] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241126 #1
[   21.768051] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.768305] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.768941] Call Trace:
[   21.769254]  <TASK>
[   21.770069]  dump_stack_lvl+0x73/0xb0
[   21.770626]  print_report+0xd1/0x640
[   21.771125]  ? __virt_addr_valid+0x1db/0x2d0
[   21.771629]  ? kasan_complete_mode_report_info+0x64/0x200
[   21.772013]  kasan_report+0x102/0x140
[   21.772470]  ? kmem_cache_rcu_uaf+0x3e5/0x510
[   21.773085]  ? kmem_cache_rcu_uaf+0x3e5/0x510
[   21.773425]  __asan_report_load1_noabort+0x18/0x20
[   21.774098]  kmem_cache_rcu_uaf+0x3e5/0x510
[   21.774628]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   21.775107]  ? finish_task_switch.isra.0+0x153/0x700
[   21.775435]  ? __switch_to+0x5d9/0xf60
[   21.776000]  ? __pfx_read_tsc+0x10/0x10
[   21.776464]  ? ktime_get_ts64+0x84/0x230
[   21.777073]  kunit_try_run_case+0x1b3/0x490
[   21.777471]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.777942]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   21.778563]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.778968]  ? __kthread_parkme+0x82/0x160
[   21.779379]  ? preempt_count_sub+0x50/0x80
[   21.779949]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.780275]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.780659]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.781228]  kthread+0x257/0x310
[   21.781778]  ? __pfx_kthread+0x10/0x10
[   21.782255]  ret_from_fork+0x41/0x80
[   21.782740]  ? __pfx_kthread+0x10/0x10
[   21.783195]  ret_from_fork_asm+0x1a/0x30
[   21.783556]  </TASK>
[   21.783754] 
[   21.783905] Allocated by task 220:
[   21.784263]  kasan_save_stack+0x3d/0x60
[   21.784843]  kasan_save_track+0x18/0x40
[   21.785985]  kasan_save_alloc_info+0x3b/0x50
[   21.786517]  __kasan_slab_alloc+0x91/0xa0
[   21.787032]  kmem_cache_alloc_noprof+0x11e/0x3f0
[   21.787680]  kmem_cache_rcu_uaf+0x156/0x510
[   21.788211]  kunit_try_run_case+0x1b3/0x490
[   21.788763]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.789408]  kthread+0x257/0x310
[   21.789899]  ret_from_fork+0x41/0x80
[   21.790368]  ret_from_fork_asm+0x1a/0x30
[   21.790663] 
[   21.790944] Freed by task 0:
[   21.791337]  kasan_save_stack+0x3d/0x60
[   21.791903]  kasan_save_track+0x18/0x40
[   21.792372]  kasan_save_free_info+0x3f/0x60
[   21.792970]  __kasan_slab_free+0x56/0x70
[   21.793335]  slab_free_after_rcu_debug+0xe4/0x310
[   21.793955]  rcu_core+0x680/0x1d70
[   21.794431]  rcu_core_si+0x12/0x20
[   21.794924]  handle_softirqs+0x209/0x720
[   21.795321]  __irq_exit_rcu+0xc9/0x110
[   21.795859]  irq_exit_rcu+0x12/0x20
[   21.796183]  sysvec_apic_timer_interrupt+0x81/0x90
[   21.796802]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   21.797354] 
[   21.797593] Last potentially related work creation:
[   21.797920]  kasan_save_stack+0x3d/0x60
[   21.798420]  __kasan_record_aux_stack+0xae/0xc0
[   21.798867]  kasan_record_aux_stack_noalloc+0xf/0x20
[   21.799281]  kmem_cache_free+0x276/0x420
[   21.799817]  kmem_cache_rcu_uaf+0x195/0x510
[   21.800218]  kunit_try_run_case+0x1b3/0x490
[   21.800729]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.801216]  kthread+0x257/0x310
[   21.801557]  ret_from_fork+0x41/0x80
[   21.801972]  ret_from_fork_asm+0x1a/0x30
[   21.802390] 
[   21.802609] The buggy address belongs to the object at ffff888102ba3000
[   21.802609]  which belongs to the cache test_cache of size 200
[   21.803557] The buggy address is located 0 bytes inside of
[   21.803557]  freed 200-byte region [ffff888102ba3000, ffff888102ba30c8)
[   21.804256] 
[   21.804503] The buggy address belongs to the physical page:
[   21.805073] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ba3
[   21.805696] flags: 0x200000000000000(node=0|zone=2)
[   21.806231] page_type: f5(slab)
[   21.806528] raw: 0200000000000000 ffff8881010f4dc0 dead000000000122 0000000000000000
[   21.807096] raw: 0000000000000000 00000000800f000f 00000001f5000000 0000000000000000
[   21.807558] page dumped because: kasan: bad access detected
[   21.808109] 
[   21.808334] Memory state around the buggy address:
[   21.808854]  ffff888102ba2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.809295]  ffff888102ba2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.809929] >ffff888102ba3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.810307]                    ^
[   21.810562]  ffff888102ba3080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   21.811277]  ffff888102ba3100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.811959] ==================================================================