Date
Nov. 26, 2024, 6:09 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.202362] ================================================================== [ 32.203482] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 32.204229] Read of size 4 at addr fff00000c5e26e40 by task swapper/1/0 [ 32.204994] [ 32.205386] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.12.0-next-20241126 #1 [ 32.206417] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.207065] Hardware name: linux,dummy-virt (DT) [ 32.207982] Call trace: [ 32.208376] show_stack+0x20/0x38 (C) [ 32.209015] dump_stack_lvl+0x8c/0xd0 [ 32.209626] print_report+0x118/0x5e0 [ 32.210451] kasan_report+0xc8/0x118 [ 32.211099] __asan_report_load4_noabort+0x20/0x30 [ 32.211859] rcu_uaf_reclaim+0x64/0x70 [ 32.212374] rcu_core+0xa54/0x1df8 [ 32.213005] rcu_core_si+0x18/0x30 [ 32.213551] handle_softirqs+0x374/0xb20 [ 32.214209] __do_softirq+0x1c/0x28 [ 32.214977] ____do_softirq+0x18/0x30 [ 32.215639] call_on_irq_stack+0x24/0x58 [ 32.216294] do_softirq_own_stack+0x24/0x38 [ 32.217007] __irq_exit_rcu+0x1fc/0x318 [ 32.217602] irq_exit_rcu+0x1c/0x80 [ 32.218454] el1_interrupt+0x38/0x58 [ 32.219084] el1h_64_irq_handler+0x18/0x28 [ 32.219769] el1h_64_irq+0x6c/0x70 [ 32.220455] arch_local_irq_enable+0x4/0x8 (P) [ 32.221148] default_idle_call+0x6c/0x78 (L) [ 32.221841] do_idle+0x384/0x4e8 [ 32.222599] cpu_startup_entry+0x68/0x80 [ 32.223229] secondary_start_kernel+0x288/0x340 [ 32.223918] __secondary_switched+0xc0/0xc8 [ 32.224496] [ 32.224883] Allocated by task 187: [ 32.225441] kasan_save_stack+0x3c/0x68 [ 32.226218] kasan_save_track+0x20/0x40 [ 32.227511] kasan_save_alloc_info+0x40/0x58 [ 32.228218] __kasan_kmalloc+0xd4/0xd8 [ 32.228742] __kmalloc_cache_noprof+0x15c/0x3c8 [ 32.229347] rcu_uaf+0xb0/0x2d0 [ 32.230211] kunit_try_run_case+0x14c/0x3d0 [ 32.231023] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.231786] kthread+0x24c/0x2d0 [ 32.232337] ret_from_fork+0x10/0x20 [ 32.232967] [ 32.233326] Freed by task 0: [ 32.234335] kasan_save_stack+0x3c/0x68 [ 32.234946] kasan_save_track+0x20/0x40 [ 32.235474] kasan_save_free_info+0x4c/0x78 [ 32.236057] __kasan_slab_free+0x6c/0x98 [ 32.237210] kfree+0x114/0x3d0 [ 32.238118] rcu_uaf_reclaim+0x28/0x70 [ 32.238650] rcu_core+0xa54/0x1df8 [ 32.239446] rcu_core_si+0x18/0x30 [ 32.240243] handle_softirqs+0x374/0xb20 [ 32.241056] __do_softirq+0x1c/0x28 [ 32.241567] [ 32.242417] Last potentially related work creation: [ 32.243197] kasan_save_stack+0x3c/0x68 [ 32.243718] __kasan_record_aux_stack+0xbc/0xe8 [ 32.244420] kasan_record_aux_stack_noalloc+0x14/0x20 [ 32.245130] __call_rcu_common.constprop.0+0x74/0xa18 [ 32.246047] call_rcu+0x18/0x30 [ 32.246583] rcu_uaf+0x14c/0x2d0 [ 32.247099] kunit_try_run_case+0x14c/0x3d0 [ 32.248195] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.249323] kthread+0x24c/0x2d0 [ 32.249837] ret_from_fork+0x10/0x20 [ 32.250563] [ 32.251316] The buggy address belongs to the object at fff00000c5e26e40 [ 32.251316] which belongs to the cache kmalloc-32 of size 32 [ 32.252654] The buggy address is located 0 bytes inside of [ 32.252654] freed 32-byte region [fff00000c5e26e40, fff00000c5e26e60) [ 32.254144] [ 32.254634] The buggy address belongs to the physical page: [ 32.255470] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e26 [ 32.256462] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.257403] page_type: f5(slab) [ 32.258208] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 32.258920] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000 [ 32.259940] page dumped because: kasan: bad access detected [ 32.260726] [ 32.261096] Memory state around the buggy address: [ 32.261668] fff00000c5e26d00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 32.262801] fff00000c5e26d80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 32.263726] >fff00000c5e26e00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 32.264520] ^ [ 32.265328] fff00000c5e26e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.266768] fff00000c5e26f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.267838] ==================================================================
[ 32.221099] ================================================================== [ 32.222018] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 32.222855] Read of size 4 at addr fff00000c58e0280 by task swapper/1/0 [ 32.223529] [ 32.223934] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.12.0-next-20241126 #1 [ 32.224782] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.225401] Hardware name: linux,dummy-virt (DT) [ 32.226065] Call trace: [ 32.226513] show_stack+0x20/0x38 (C) [ 32.227321] dump_stack_lvl+0x8c/0xd0 [ 32.227958] print_report+0x118/0x5e0 [ 32.228462] kasan_report+0xc8/0x118 [ 32.229343] __asan_report_load4_noabort+0x20/0x30 [ 32.230035] rcu_uaf_reclaim+0x64/0x70 [ 32.230663] rcu_core+0xa54/0x1df8 [ 32.231261] rcu_core_si+0x18/0x30 [ 32.231762] handle_softirqs+0x374/0xb20 [ 32.232599] __do_softirq+0x1c/0x28 [ 32.233174] ____do_softirq+0x18/0x30 [ 32.234016] call_on_irq_stack+0x24/0x58 [ 32.234741] do_softirq_own_stack+0x24/0x38 [ 32.235437] __irq_exit_rcu+0x1fc/0x318 [ 32.235988] irq_exit_rcu+0x1c/0x80 [ 32.236937] el1_interrupt+0x38/0x58 [ 32.237441] el1h_64_irq_handler+0x18/0x28 [ 32.238085] el1h_64_irq+0x6c/0x70 [ 32.238776] arch_local_irq_enable+0x4/0x8 (P) [ 32.239449] default_idle_call+0x6c/0x78 (L) [ 32.240112] do_idle+0x384/0x4e8 [ 32.240926] cpu_startup_entry+0x64/0x80 [ 32.241603] secondary_start_kernel+0x288/0x340 [ 32.242278] __secondary_switched+0xc0/0xc8 [ 32.242825] [ 32.243197] Allocated by task 187: [ 32.243700] kasan_save_stack+0x3c/0x68 [ 32.244250] kasan_save_track+0x20/0x40 [ 32.245147] kasan_save_alloc_info+0x40/0x58 [ 32.245658] __kasan_kmalloc+0xd4/0xd8 [ 32.246101] __kmalloc_cache_noprof+0x15c/0x3c8 [ 32.246578] rcu_uaf+0xb0/0x2d0 [ 32.247323] kunit_try_run_case+0x14c/0x3d0 [ 32.248038] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.249216] kthread+0x24c/0x2d0 [ 32.249754] ret_from_fork+0x10/0x20 [ 32.250186] [ 32.250491] Freed by task 0: [ 32.251043] kasan_save_stack+0x3c/0x68 [ 32.251582] kasan_save_track+0x20/0x40 [ 32.252316] kasan_save_free_info+0x4c/0x78 [ 32.253235] __kasan_slab_free+0x6c/0x98 [ 32.253924] kfree+0x114/0x3d0 [ 32.254552] rcu_uaf_reclaim+0x28/0x70 [ 32.255101] rcu_core+0xa54/0x1df8 [ 32.255764] rcu_core_si+0x18/0x30 [ 32.256359] handle_softirqs+0x374/0xb20 [ 32.256988] __do_softirq+0x1c/0x28 [ 32.257482] [ 32.257876] Last potentially related work creation: [ 32.258794] kasan_save_stack+0x3c/0x68 [ 32.259475] __kasan_record_aux_stack+0xbc/0xe8 [ 32.260078] kasan_record_aux_stack_noalloc+0x14/0x20 [ 32.261065] __call_rcu_common.constprop.0+0x74/0xa18 [ 32.261788] call_rcu+0x18/0x30 [ 32.262342] rcu_uaf+0x14c/0x2d0 [ 32.262921] kunit_try_run_case+0x14c/0x3d0 [ 32.263579] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.264993] kthread+0x24c/0x2d0 [ 32.265742] ret_from_fork+0x10/0x20 [ 32.266280] [ 32.266692] The buggy address belongs to the object at fff00000c58e0280 [ 32.266692] which belongs to the cache kmalloc-32 of size 32 [ 32.267960] The buggy address is located 0 bytes inside of [ 32.267960] freed 32-byte region [fff00000c58e0280, fff00000c58e02a0) [ 32.269551] [ 32.269938] The buggy address belongs to the physical page: [ 32.270676] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058e0 [ 32.271617] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.272814] page_type: f5(slab) [ 32.273352] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 32.274266] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000 [ 32.275183] page dumped because: kasan: bad access detected [ 32.275917] [ 32.276560] Memory state around the buggy address: [ 32.277281] fff00000c58e0180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 32.278035] fff00000c58e0200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 32.278895] >fff00000c58e0280: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 32.279745] ^ [ 32.280601] fff00000c58e0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.281547] fff00000c58e0380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.282434] ==================================================================
[ 26.387367] ================================================================== [ 26.388010] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 26.388158] Read of size 4 at addr ffff8881028e0980 by task swapper/0/0 [ 26.388158] [ 26.388158] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.12.0-next-20241126 #1 [ 26.388158] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.388158] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.388158] Call Trace: [ 26.388158] <IRQ> [ 26.388158] dump_stack_lvl+0x73/0xb0 [ 26.388158] print_report+0xd1/0x640 [ 26.388158] ? __virt_addr_valid+0x1db/0x2d0 [ 26.388158] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.388158] kasan_report+0x102/0x140 [ 26.388158] ? rcu_uaf_reclaim+0x50/0x60 [ 26.388158] ? rcu_uaf_reclaim+0x50/0x60 [ 26.388158] __asan_report_load4_noabort+0x18/0x20 [ 26.388158] rcu_uaf_reclaim+0x50/0x60 [ 26.388158] rcu_core+0x680/0x1d70 [ 26.388158] ? __pfx_rcu_core+0x10/0x10 [ 26.388158] ? ktime_get+0x69/0x150 [ 26.388158] ? handle_softirqs+0x18e/0x720 [ 26.388158] rcu_core_si+0x12/0x20 [ 26.388158] handle_softirqs+0x209/0x720 [ 26.388158] ? hrtimer_interrupt+0x2fe/0x780 [ 26.388158] ? __pfx_handle_softirqs+0x10/0x10 [ 26.388158] __irq_exit_rcu+0xc9/0x110 [ 26.388158] irq_exit_rcu+0x12/0x20 [ 26.388158] sysvec_apic_timer_interrupt+0x81/0x90 [ 26.403337] </IRQ> [ 26.403337] <TASK> [ 26.403337] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 26.403337] RIP: 0010:default_idle+0xf/0x20 [ 26.403337] Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 13 e0 34 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 [ 26.403337] RSP: 0000:ffffffff94607df0 EFLAGS: 00010202 [ 26.403337] RAX: ffff88815b000000 RBX: ffffffff9461a680 RCX: ffffffff9330c925 [ 26.403337] RDX: ffffed102b606b23 RSI: 0000000000000004 RDI: 0000000000064ee4 [ 26.403337] RBP: ffffffff94607df8 R08: 0000000000000001 R09: ffffed102b606b22 [ 26.403337] R10: ffff88815b035913 R11: 0000000000000000 R12: 0000000000000000 [ 26.403337] R13: fffffbfff28c34d0 R14: ffffffff95172c90 R15: 0000000000000000 [ 26.403337] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 26.403337] ? arch_cpu_idle+0xd/0x20 [ 26.403337] default_idle_call+0x48/0x80 [ 26.403337] do_idle+0x310/0x3c0 [ 26.403337] ? __pfx_do_idle+0x10/0x10 [ 26.403337] ? trace_preempt_on+0x20/0xc0 [ 26.403337] ? schedule+0x86/0x310 [ 26.403337] ? preempt_count_sub+0x50/0x80 [ 26.403337] cpu_startup_entry+0x5c/0x70 [ 26.403337] rest_init+0x11a/0x140 [ 26.403337] ? acpi_subsystem_init+0x5d/0x150 [ 26.403337] start_kernel+0x320/0x400 [ 26.403337] x86_64_start_reservations+0x1c/0x30 [ 26.403337] x86_64_start_kernel+0xcf/0xe0 [ 26.403337] common_startup_64+0x12c/0x138 [ 26.403337] </TASK> [ 26.403337] [ 26.403337] Allocated by task 207: [ 26.403337] kasan_save_stack+0x3d/0x60 [ 26.403337] kasan_save_track+0x18/0x40 [ 26.403337] kasan_save_alloc_info+0x3b/0x50 [ 26.403337] __kasan_kmalloc+0xb7/0xc0 [ 26.403337] __kmalloc_cache_noprof+0x184/0x410 [ 26.403337] rcu_uaf+0xb1/0x330 [ 26.403337] kunit_try_run_case+0x1b3/0x490 [ 26.403337] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.403337] kthread+0x257/0x310 [ 26.403337] ret_from_fork+0x41/0x80 [ 26.403337] ret_from_fork_asm+0x1a/0x30 [ 26.403337] [ 26.403337] Freed by task 0: [ 26.403337] kasan_save_stack+0x3d/0x60 [ 26.403337] kasan_save_track+0x18/0x40 [ 26.403337] kasan_save_free_info+0x3f/0x60 [ 26.403337] __kasan_slab_free+0x56/0x70 [ 26.403337] kfree+0x123/0x3f0 [ 26.403337] rcu_uaf_reclaim+0x1f/0x60 [ 26.403337] rcu_core+0x680/0x1d70 [ 26.403337] rcu_core_si+0x12/0x20 [ 26.403337] handle_softirqs+0x209/0x720 [ 26.403337] __irq_exit_rcu+0xc9/0x110 [ 26.403337] irq_exit_rcu+0x12/0x20 [ 26.403337] sysvec_apic_timer_interrupt+0x81/0x90 [ 26.403337] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 26.403337] [ 26.403337] Last potentially related work creation: [ 26.403337] kasan_save_stack+0x3d/0x60 [ 26.403337] __kasan_record_aux_stack+0xae/0xc0 [ 26.403337] kasan_record_aux_stack_noalloc+0xf/0x20 [ 26.403337] __call_rcu_common.constprop.0+0x72/0xaa0 [ 26.403337] call_rcu+0x12/0x20 [ 26.403337] rcu_uaf+0x169/0x330 [ 26.403337] kunit_try_run_case+0x1b3/0x490 [ 26.403337] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.403337] kthread+0x257/0x310 [ 26.403337] ret_from_fork+0x41/0x80 [ 26.403337] ret_from_fork_asm+0x1a/0x30 [ 26.403337] [ 26.403337] The buggy address belongs to the object at ffff8881028e0980 [ 26.403337] which belongs to the cache kmalloc-32 of size 32 [ 26.403337] The buggy address is located 0 bytes inside of [ 26.403337] freed 32-byte region [ffff8881028e0980, ffff8881028e09a0) [ 26.403337] [ 26.403337] The buggy address belongs to the physical page: [ 26.403337] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028e0 [ 26.403337] flags: 0x200000000000000(node=0|zone=2) [ 26.403337] page_type: f5(slab) [ 26.403337] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 26.403337] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000 [ 26.403337] page dumped because: kasan: bad access detected [ 26.403337] [ 26.403337] Memory state around the buggy address: [ 26.403337] ffff8881028e0880: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 26.403337] ffff8881028e0900: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 26.403337] >ffff8881028e0980: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 26.403337] ^ [ 26.403337] ffff8881028e0a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.403337] ffff8881028e0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.403337] ==================================================================
[ 21.379223] ================================================================== [ 21.379846] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 21.380581] Read of size 4 at addr ffff8881028b8e40 by task swapper/0/0 [ 21.381698] [ 21.381965] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.12.0-next-20241126 #1 [ 21.383195] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.384540] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 21.385033] Call Trace: [ 21.385992] <IRQ> [ 21.386381] dump_stack_lvl+0x73/0xb0 [ 21.387135] print_report+0xd1/0x640 [ 21.387772] ? __virt_addr_valid+0x1db/0x2d0 [ 21.388357] ? kasan_complete_mode_report_info+0x64/0x200 [ 21.389553] kasan_report+0x102/0x140 [ 21.390091] ? rcu_uaf_reclaim+0x50/0x60 [ 21.390568] ? rcu_uaf_reclaim+0x50/0x60 [ 21.391130] __asan_report_load4_noabort+0x18/0x20 [ 21.391723] rcu_uaf_reclaim+0x50/0x60 [ 21.392250] rcu_core+0x680/0x1d70 [ 21.392751] ? __pfx_rcu_core+0x10/0x10 [ 21.393283] ? ktime_get+0x69/0x150 [ 21.393789] ? handle_softirqs+0x18e/0x720 [ 21.394350] rcu_core_si+0x12/0x20 [ 21.394847] handle_softirqs+0x209/0x720 [ 21.395386] ? hrtimer_interrupt+0x2fe/0x780 [ 21.395981] ? __pfx_handle_softirqs+0x10/0x10 [ 21.397003] __irq_exit_rcu+0xc9/0x110 [ 21.397744] irq_exit_rcu+0x12/0x20 [ 21.398171] sysvec_apic_timer_interrupt+0x81/0x90 [ 21.398709] </IRQ> [ 21.399562] <TASK> [ 21.399768] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 21.401035] RIP: 0010:default_idle+0xf/0x20 [ 21.401792] Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 13 e0 34 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 [ 21.403177] RSP: 0000:ffffffffa7407df0 EFLAGS: 00010202 [ 21.403872] RAX: ffff888154a00000 RBX: ffffffffa741a680 RCX: ffffffffa610c925 [ 21.404822] RDX: ffffed102a946b23 RSI: 0000000000000004 RDI: 000000000001de74 [ 21.405441] RBP: ffffffffa7407df8 R08: 0000000000000001 R09: ffffed102a946b22 [ 21.406339] R10: ffff888154a35913 R11: ffff888102b2f6b0 R12: 0000000000000000 [ 21.407055] R13: fffffbfff4e834d0 R14: ffffffffa7f72c90 R15: 0000000000000000 [ 21.407602] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 21.408204] ? arch_cpu_idle+0xd/0x20 [ 21.408996] default_idle_call+0x48/0x80 [ 21.409409] do_idle+0x310/0x3c0 [ 21.410126] ? __pfx_do_idle+0x10/0x10 [ 21.410581] ? trace_preempt_on+0x20/0xc0 [ 21.411343] ? schedule+0x86/0x310 [ 21.411887] ? preempt_count_sub+0x50/0x80 [ 21.412352] cpu_startup_entry+0x5c/0x70 [ 21.412725] rest_init+0x11a/0x140 [ 21.413125] start_kernel+0x320/0x400 [ 21.413781] x86_64_start_reservations+0x1c/0x30 [ 21.414430] x86_64_start_kernel+0xcf/0xe0 [ 21.414877] common_startup_64+0x12c/0x138 [ 21.415468] </TASK> [ 21.415982] [ 21.416267] Allocated by task 205: [ 21.416726] kasan_save_stack+0x3d/0x60 [ 21.417307] kasan_save_track+0x18/0x40 [ 21.417772] kasan_save_alloc_info+0x3b/0x50 [ 21.418345] __kasan_kmalloc+0xb7/0xc0 [ 21.418869] __kmalloc_cache_noprof+0x184/0x410 [ 21.419269] rcu_uaf+0xb1/0x330 [ 21.419846] kunit_try_run_case+0x1b3/0x490 [ 21.420421] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.420925] kthread+0x257/0x310 [ 21.421778] ret_from_fork+0x41/0x80 [ 21.422562] ret_from_fork_asm+0x1a/0x30 [ 21.422869] [ 21.423047] Freed by task 0: [ 21.423370] kasan_save_stack+0x3d/0x60 [ 21.423743] kasan_save_track+0x18/0x40 [ 21.424089] kasan_save_free_info+0x3f/0x60 [ 21.424374] __kasan_slab_free+0x56/0x70 [ 21.425335] kfree+0x123/0x3f0 [ 21.425752] rcu_uaf_reclaim+0x1f/0x60 [ 21.426345] rcu_core+0x680/0x1d70 [ 21.426798] rcu_core_si+0x12/0x20 [ 21.427345] handle_softirqs+0x209/0x720 [ 21.427830] __irq_exit_rcu+0xc9/0x110 [ 21.428243] irq_exit_rcu+0x12/0x20 [ 21.428535] sysvec_apic_timer_interrupt+0x81/0x90 [ 21.428893] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 21.429391] [ 21.430270] Last potentially related work creation: [ 21.431623] kasan_save_stack+0x3d/0x60 [ 21.432052] __kasan_record_aux_stack+0xae/0xc0 [ 21.432416] kasan_record_aux_stack_noalloc+0xf/0x20 [ 21.432934] __call_rcu_common.constprop.0+0x72/0xaa0 [ 21.433328] call_rcu+0x12/0x20 [ 21.434314] rcu_uaf+0x169/0x330 [ 21.434741] kunit_try_run_case+0x1b3/0x490 [ 21.435210] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.435790] kthread+0x257/0x310 [ 21.436305] ret_from_fork+0x41/0x80 [ 21.436722] ret_from_fork_asm+0x1a/0x30 [ 21.437555] [ 21.437823] The buggy address belongs to the object at ffff8881028b8e40 [ 21.437823] which belongs to the cache kmalloc-32 of size 32 [ 21.438780] The buggy address is located 0 bytes inside of [ 21.438780] freed 32-byte region [ffff8881028b8e40, ffff8881028b8e60) [ 21.439920] [ 21.440313] The buggy address belongs to the physical page: [ 21.440882] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028b8 [ 21.441902] flags: 0x200000000000000(node=0|zone=2) [ 21.442412] page_type: f5(slab) [ 21.442816] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 21.443398] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000 [ 21.443859] page dumped because: kasan: bad access detected [ 21.444345] [ 21.444800] Memory state around the buggy address: [ 21.445560] ffff8881028b8d00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 21.446418] ffff8881028b8d80: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc [ 21.447149] >ffff8881028b8e00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 21.447833] ^ [ 21.448512] ffff8881028b8e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.449399] ffff8881028b8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.450116] ==================================================================