Hay
Date
Dec. 9, 2024, 6:35 a.m.

Environment
qemu-arm64
qemu-x86_64

Note: the two KASAN reports below are the same event on the two environments (arm64 "linux,dummy-virt (DT)" first, then the x86_64 QEMU Q35 machine). Both come from the KASAN KUnit self-test `kmem_cache_rcu_uaf`, run by the `kunit_try_catch` kthread on a kernel tainted `[N]=TEST`: the test function itself allocates the 200-byte object from `test_cache`, hands it to `kmem_cache_free` (deferred through `slab_free_after_rcu_debug` in the RCU softirq), and then reads byte 0 of the freed region. The slab-use-after-free report is therefore the intended outcome of that test and is not evidence of a defect in the slab allocator, RCU, or the kernel under test; treat it as a real finding only if the reporting task is not a KUnit runner or the `N` taint is absent.

[   25.499364] ==================================================================
[   25.500570] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x390/0x468
[   25.501328] Read of size 1 at addr fff00000c6524000 by task kunit_try_catch/201
[   25.502298] 
[   25.502828] CPU: 1 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc2-next-20241209 #1
[   25.504018] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.504738] Hardware name: linux,dummy-virt (DT)
[   25.505411] Call trace:
[   25.505813]  show_stack+0x20/0x38 (C)
[   25.506290]  dump_stack_lvl+0x8c/0xd0
[   25.506852]  print_report+0x118/0x5e0
[   25.507420]  kasan_report+0xc8/0x118
[   25.507985]  __asan_report_load1_noabort+0x20/0x30
[   25.508794]  kmem_cache_rcu_uaf+0x390/0x468
[   25.509438]  kunit_try_run_case+0x14c/0x3d0
[   25.510126]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.510934]  kthread+0x24c/0x2d0
[   25.511521]  ret_from_fork+0x10/0x20
[   25.512157] 
[   25.512533] Allocated by task 201:
[   25.513107]  kasan_save_stack+0x3c/0x68
[   25.513755]  kasan_save_track+0x20/0x40
[   25.514362]  kasan_save_alloc_info+0x40/0x58
[   25.515036]  __kasan_slab_alloc+0xa8/0xb0
[   25.515663]  kmem_cache_alloc_noprof+0x108/0x398
[   25.516363]  kmem_cache_rcu_uaf+0x12c/0x468
[   25.517018]  kunit_try_run_case+0x14c/0x3d0
[   25.517678]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.518418]  kthread+0x24c/0x2d0
[   25.519030]  ret_from_fork+0x10/0x20
[   25.519692] 
[   25.520087] Freed by task 0:
[   25.520632]  kasan_save_stack+0x3c/0x68
[   25.521282]  kasan_save_track+0x20/0x40
[   25.521917]  kasan_save_free_info+0x4c/0x78
[   25.522550]  __kasan_slab_free+0x6c/0x98
[   25.523172]  slab_free_after_rcu_debug+0xd4/0x2f8
[   25.523864]  rcu_core+0x9f4/0x1e20
[   25.524445]  rcu_core_si+0x18/0x30
[   25.525023]  handle_softirqs+0x374/0xb20
[   25.525650]  __do_softirq+0x1c/0x28
[   25.526244] 
[   25.526618] Last potentially related work creation:
[   25.527348]  kasan_save_stack+0x3c/0x68
[   25.527996]  kasan_record_aux_stack+0xb4/0xc8
[   25.528658]  kmem_cache_free+0x28c/0x470
[   25.529295]  kmem_cache_rcu_uaf+0x16c/0x468
[   25.529946]  kunit_try_run_case+0x14c/0x3d0
[   25.530600]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.531349]  kthread+0x24c/0x2d0
[   25.531934]  ret_from_fork+0x10/0x20
[   25.532549] 
[   25.532860] The buggy address belongs to the object at fff00000c6524000
[   25.532860]  which belongs to the cache test_cache of size 200
[   25.534053] The buggy address is located 0 bytes inside of
[   25.534053]  freed 200-byte region [fff00000c6524000, fff00000c65240c8)
[   25.535530] 
[   25.535958] The buggy address belongs to the physical page:
[   25.536822] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106524
[   25.537806] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.538638] page_type: f5(slab)
[   25.539194] raw: 0bfffe0000000000 fff00000c57983c0 dead000000000122 0000000000000000
[   25.540159] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   25.541023] page dumped because: kasan: bad access detected
[   25.541748] 
[   25.542134] Memory state around the buggy address:
[   25.542835]  fff00000c6523f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.543676]  fff00000c6523f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.544515] >fff00000c6524000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.545388]                    ^
[   25.545929]  fff00000c6524080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   25.546799]  fff00000c6524100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.547639] ==================================================================

[   25.631619] ==================================================================
[   25.632583] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e5/0x510
[   25.633319] Read of size 1 at addr ffff888102411000 by task kunit_try_catch/220
[   25.634399] 
[   25.634677] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc2-next-20241209 #1
[   25.636259] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.636792] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.637580] Call Trace:
[   25.637869]  <TASK>
[   25.638146]  dump_stack_lvl+0x73/0xb0
[   25.638588]  print_report+0xd1/0x640
[   25.639072]  ? __virt_addr_valid+0x1db/0x2d0
[   25.639409]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.640051]  kasan_report+0x102/0x140
[   25.640624]  ? kmem_cache_rcu_uaf+0x3e5/0x510
[   25.641162]  ? kmem_cache_rcu_uaf+0x3e5/0x510
[   25.641678]  __asan_report_load1_noabort+0x18/0x20
[   25.642309]  kmem_cache_rcu_uaf+0x3e5/0x510
[   25.642656]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   25.643362]  ? finish_task_switch.isra.0+0x153/0x700
[   25.643836]  ? __switch_to+0x5d9/0xf60
[   25.644381]  ? __pfx_read_tsc+0x10/0x10
[   25.645031]  ? ktime_get_ts64+0x86/0x230
[   25.645436]  kunit_try_run_case+0x1b3/0x490
[   25.646069]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.646540]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   25.647140]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.647632]  ? __kthread_parkme+0x82/0x160
[   25.648174]  ? preempt_count_sub+0x50/0x80
[   25.648736]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.649180]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.649979]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.650500]  kthread+0x257/0x310
[   25.651049]  ? __pfx_kthread+0x10/0x10
[   25.651421]  ret_from_fork+0x41/0x80
[   25.651952]  ? __pfx_kthread+0x10/0x10
[   25.652432]  ret_from_fork_asm+0x1a/0x30
[   25.652930]  </TASK>
[   25.653327] 
[   25.653503] Allocated by task 220:
[   25.653966]  kasan_save_stack+0x3d/0x60
[   25.654456]  kasan_save_track+0x18/0x40
[   25.655006]  kasan_save_alloc_info+0x3b/0x50
[   25.655512]  __kasan_slab_alloc+0x91/0xa0
[   25.656037]  kmem_cache_alloc_noprof+0x11e/0x3e0
[   25.656479]  kmem_cache_rcu_uaf+0x156/0x510
[   25.657062]  kunit_try_run_case+0x1b3/0x490
[   25.657474]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.658083]  kthread+0x257/0x310
[   25.658446]  ret_from_fork+0x41/0x80
[   25.658948]  ret_from_fork_asm+0x1a/0x30
[   25.659387] 
[   25.659695] Freed by task 0:
[   25.660089]  kasan_save_stack+0x3d/0x60
[   25.660638]  kasan_save_track+0x18/0x40
[   25.661168]  kasan_save_free_info+0x3f/0x60
[   25.661574]  __kasan_slab_free+0x56/0x70
[   25.662153]  slab_free_after_rcu_debug+0xe4/0x310
[   25.662590]  rcu_core+0x680/0x1d70
[   25.663155]  rcu_core_si+0x12/0x20
[   25.663589]  handle_softirqs+0x209/0x720
[   25.664075]  __irq_exit_rcu+0xc9/0x110
[   25.664582]  irq_exit_rcu+0x12/0x20
[   25.665116]  sysvec_apic_timer_interrupt+0x81/0x90
[   25.665726]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   25.666321] 
[   25.666640] Last potentially related work creation:
[   25.667180]  kasan_save_stack+0x3d/0x60
[   25.667590]  kasan_record_aux_stack+0xb2/0xc0
[   25.668065]  kmem_cache_free+0x284/0x420
[   25.668623]  kmem_cache_rcu_uaf+0x195/0x510
[   25.669138]  kunit_try_run_case+0x1b3/0x490
[   25.669696]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.670243]  kthread+0x257/0x310
[   25.670690]  ret_from_fork+0x41/0x80
[   25.671180]  ret_from_fork_asm+0x1a/0x30
[   25.671597] 
[   25.671842] The buggy address belongs to the object at ffff888102411000
[   25.671842]  which belongs to the cache test_cache of size 200
[   25.672756] The buggy address is located 0 bytes inside of
[   25.672756]  freed 200-byte region [ffff888102411000, ffff8881024110c8)
[   25.674095] 
[   25.674410] The buggy address belongs to the physical page:
[   25.674837] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102411
[   25.675696] flags: 0x200000000000000(node=0|zone=2)
[   25.676327] page_type: f5(slab)
[   25.676789] raw: 0200000000000000 ffff888101012c80 dead000000000122 0000000000000000
[   25.677473] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   25.678095] page dumped because: kasan: bad access detected
[   25.678680] 
[   25.679035] Memory state around the buggy address:
[   25.679452]  ffff888102410f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.680334]  ffff888102410f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.681089] >ffff888102411000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.682003]                    ^
[   25.682225]  ffff888102411080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   25.683604]  ffff888102411100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.684483] ==================================================================