Date
Nov. 28, 2024, 2:36 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.457446] ================================================================== [ 31.458657] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 31.459490] Read of size 4 at addr fff00000c405e4c0 by task swapper/1/0 [ 31.460146] [ 31.460580] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.12.0-next-20241128 #1 [ 31.462288] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.462829] Hardware name: linux,dummy-virt (DT) [ 31.463431] Call trace: [ 31.463827] show_stack+0x20/0x38 (C) [ 31.464439] dump_stack_lvl+0x8c/0xd0 [ 31.465012] print_report+0x118/0x5e0 [ 31.465619] kasan_report+0xc8/0x118 [ 31.466580] __asan_report_load4_noabort+0x20/0x30 [ 31.467327] rcu_uaf_reclaim+0x64/0x70 [ 31.467956] rcu_core+0x9f4/0x1e20 [ 31.468474] rcu_core_si+0x18/0x30 [ 31.469062] handle_softirqs+0x374/0xb20 [ 31.470289] __do_softirq+0x1c/0x28 [ 31.470891] ____do_softirq+0x18/0x30 [ 31.471439] call_on_irq_stack+0x24/0x58 [ 31.472094] do_softirq_own_stack+0x24/0x38 [ 31.472669] __irq_exit_rcu+0x1fc/0x318 [ 31.473321] irq_exit_rcu+0x1c/0x80 [ 31.473873] el1_interrupt+0x38/0x58 [ 31.474912] el1h_64_irq_handler+0x18/0x28 [ 31.475532] el1h_64_irq+0x6c/0x70 [ 31.476370] arch_local_irq_enable+0x4/0x8 (P) [ 31.477070] default_idle_call+0x6c/0x78 (L) [ 31.477649] do_idle+0x384/0x4e8 [ 31.478270] cpu_startup_entry+0x64/0x80 [ 31.479399] secondary_start_kernel+0x288/0x340 [ 31.480139] __secondary_switched+0xc0/0xc8 [ 31.480804] [ 31.481589] Allocated by task 186: [ 31.482091] kasan_save_stack+0x3c/0x68 [ 31.482744] kasan_save_track+0x20/0x40 [ 31.483252] kasan_save_alloc_info+0x40/0x58 [ 31.483823] __kasan_kmalloc+0xd4/0xd8 [ 31.484392] __kmalloc_cache_noprof+0x15c/0x3c0 [ 31.485053] rcu_uaf+0xb0/0x2d0 [ 31.485527] kunit_try_run_case+0x14c/0x3d0 [ 31.486085] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.487329] kthread+0x24c/0x2d0 [ 31.487891] ret_from_fork+0x10/0x20 [ 31.488504] [ 31.488861] Freed by task 0: [ 31.489816] kasan_save_stack+0x3c/0x68 [ 31.490444] kasan_save_track+0x20/0x40 [ 31.490960] kasan_save_free_info+0x4c/0x78 [ 31.491699] __kasan_slab_free+0x6c/0x98 [ 31.492238] kfree+0x114/0x3c8 [ 31.492762] rcu_uaf_reclaim+0x28/0x70 [ 31.493767] rcu_core+0x9f4/0x1e20 [ 31.494248] rcu_core_si+0x18/0x30 [ 31.494835] handle_softirqs+0x374/0xb20 [ 31.495490] __do_softirq+0x1c/0x28 [ 31.496077] [ 31.496486] Last potentially related work creation: [ 31.497240] kasan_save_stack+0x3c/0x68 [ 31.498057] __kasan_record_aux_stack+0xbc/0xe8 [ 31.498996] kasan_record_aux_stack_noalloc+0x14/0x20 [ 31.499767] __call_rcu_common.constprop.0+0x74/0xa10 [ 31.500465] call_rcu+0x18/0x30 [ 31.501720] rcu_uaf+0x14c/0x2d0 [ 31.502227] kunit_try_run_case+0x14c/0x3d0 [ 31.502854] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.503494] kthread+0x24c/0x2d0 [ 31.504078] ret_from_fork+0x10/0x20 [ 31.504719] [ 31.505394] The buggy address belongs to the object at fff00000c405e4c0 [ 31.505394] which belongs to the cache kmalloc-32 of size 32 [ 31.506752] The buggy address is located 0 bytes inside of [ 31.506752] freed 32-byte region [fff00000c405e4c0, fff00000c405e4e0) [ 31.507878] [ 31.508236] The buggy address belongs to the physical page: [ 31.509152] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10405e [ 31.510722] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.511569] page_type: f5(slab) [ 31.512198] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 31.513222] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000 [ 31.514229] page dumped because: kasan: bad access detected [ 31.515161] [ 31.515485] Memory state around the buggy address: [ 31.516173] fff00000c405e380: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 31.516955] fff00000c405e400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 31.517748] >fff00000c405e480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 31.518468] ^ [ 31.519263] fff00000c405e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.520237] fff00000c405e580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.520917] ==================================================================
[ 22.408481] ================================================================== [ 22.409274] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 22.410378] Read of size 4 at addr ffff888101b55bc0 by task swapper/1/0 [ 22.411062] [ 22.411245] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.12.0-next-20241128 #1 [ 22.412159] Tainted: [B]=BAD_PAGE, [N]=TEST [ 22.412522] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 22.413237] Call Trace: [ 22.413661] <IRQ> [ 22.413965] dump_stack_lvl+0x73/0xb0 [ 22.414448] print_report+0xd1/0x640 [ 22.414816] ? __virt_addr_valid+0x1db/0x2d0 [ 22.415257] ? kasan_complete_mode_report_info+0x64/0x200 [ 22.415672] kasan_report+0x102/0x140 [ 22.415949] ? rcu_uaf_reclaim+0x50/0x60 [ 22.416514] ? rcu_uaf_reclaim+0x50/0x60 [ 22.417203] __asan_report_load4_noabort+0x18/0x20 [ 22.417734] rcu_uaf_reclaim+0x50/0x60 [ 22.418303] rcu_core+0x680/0x1d70 [ 22.418637] ? __pfx_rcu_core+0x10/0x10 [ 22.418981] ? ktime_get+0x69/0x150 [ 22.419613] ? handle_softirqs+0x18e/0x720 [ 22.420135] rcu_core_si+0x12/0x20 [ 22.420574] handle_softirqs+0x209/0x720 [ 22.421019] ? hrtimer_interrupt+0x2fe/0x780 [ 22.422490] ? __pfx_handle_softirqs+0x10/0x10 [ 22.422836] __irq_exit_rcu+0xc9/0x110 [ 22.423393] irq_exit_rcu+0x12/0x20 [ 22.424063] sysvec_apic_timer_interrupt+0x81/0x90 [ 22.424665] </IRQ> [ 22.425167] <TASK> [ 22.425466] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 22.426427] RIP: 0010:default_idle+0xf/0x20 [ 22.427047] Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d f3 e5 34 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 [ 22.428785] RSP: 0000:ffff888100877de0 EFLAGS: 00010212 [ 22.429160] RAX: ffff88815b100000 RBX: ffff888100845000 RCX: ffffffff92d0c345 [ 22.429785] RDX: ffffed102b626b23 RSI: 0000000000000004 RDI: 0000000000028cec [ 22.430459] RBP: ffff888100877de8 R08: 0000000000000001 R09: ffffed102b626b22 [ 22.430942] R10: ffff88815b135913 R11: 0000000000000000 R12: 0000000000000001 [ 22.431773] R13: ffffed1020108a00 R14: ffffffff94b73090 R15: 0000000000000000 [ 22.432636] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 22.433083] ? arch_cpu_idle+0xd/0x20 [ 22.433612] default_idle_call+0x48/0x80 [ 22.433983] do_idle+0x310/0x3c0 [ 22.434466] ? __pfx_do_idle+0x10/0x10 [ 22.435058] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 22.435933] ? complete+0x15b/0x1d0 [ 22.436762] cpu_startup_entry+0x5c/0x70 [ 22.437391] start_secondary+0x216/0x290 [ 22.438035] ? __pfx_start_secondary+0x10/0x10 [ 22.438623] common_startup_64+0x12c/0x138 [ 22.438991] </TASK> [ 22.439404] [ 22.439709] Allocated by task 206: [ 22.440267] kasan_save_stack+0x3d/0x60 [ 22.440868] kasan_save_track+0x18/0x40 [ 22.441503] kasan_save_alloc_info+0x3b/0x50 [ 22.442099] __kasan_kmalloc+0xb7/0xc0 [ 22.442482] __kmalloc_cache_noprof+0x184/0x410 [ 22.442784] rcu_uaf+0xb1/0x330 [ 22.443297] kunit_try_run_case+0x1b3/0x490 [ 22.443697] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 22.444040] kthread+0x257/0x310 [ 22.444420] ret_from_fork+0x41/0x80 [ 22.444876] ret_from_fork_asm+0x1a/0x30 [ 22.445274] [ 22.445511] Freed by task 0: [ 22.445828] kasan_save_stack+0x3d/0x60 [ 22.446250] kasan_save_track+0x18/0x40 [ 22.446681] kasan_save_free_info+0x3f/0x60 [ 22.447025] __kasan_slab_free+0x56/0x70 [ 22.447467] kfree+0x123/0x3f0 [ 22.447670] rcu_uaf_reclaim+0x1f/0x60 [ 22.448039] rcu_core+0x680/0x1d70 [ 22.448454] rcu_core_si+0x12/0x20 [ 22.448814] handle_softirqs+0x209/0x720 [ 22.449309] __irq_exit_rcu+0xc9/0x110 [ 22.449681] irq_exit_rcu+0x12/0x20 [ 22.450066] sysvec_apic_timer_interrupt+0x81/0x90 [ 22.450567] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 22.450938] [ 22.451188] Last potentially related work creation: [ 22.451703] kasan_save_stack+0x3d/0x60 [ 22.452230] __kasan_record_aux_stack+0xae/0xc0 [ 22.452643] kasan_record_aux_stack_noalloc+0xf/0x20 [ 22.452968] __call_rcu_common.constprop.0+0x72/0xaa0 [ 22.453594] call_rcu+0x12/0x20 [ 22.454001] rcu_uaf+0x169/0x330 [ 22.454485] kunit_try_run_case+0x1b3/0x490 [ 22.454822] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 22.455289] kthread+0x257/0x310 [ 22.455555] ret_from_fork+0x41/0x80 [ 22.456031] ret_from_fork_asm+0x1a/0x30 [ 22.456570] [ 22.456849] The buggy address belongs to the object at ffff888101b55bc0 [ 22.456849] which belongs to the cache kmalloc-32 of size 32 [ 22.457787] The buggy address is located 0 bytes inside of [ 22.457787] freed 32-byte region [ffff888101b55bc0, ffff888101b55be0) [ 22.458925] [ 22.459188] The buggy address belongs to the physical page: [ 22.459563] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b55 [ 22.460289] flags: 0x200000000000000(node=0|zone=2) [ 22.460736] page_type: f5(slab) [ 22.461047] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 22.461838] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000 [ 22.462417] page dumped because: kasan: bad access detected [ 22.462923] [ 22.463211] Memory state around the buggy address: [ 22.463739] ffff888101b55a80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.464376] ffff888101b55b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.464929] >ffff888101b55b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.465406] ^ [ 22.465969] ffff888101b55c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.466662] ffff888101b55c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.467254] ==================================================================