Date
Dec. 9, 2024, 6:35 a.m.
| Environment |
| --- |
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

[ 25.115594] ==================================================================
[ 25.116625] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 25.117295] Read of size 4 at addr fff00000c6371180 by task swapper/1/0
[ 25.117972]
[ 25.118317] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.13.0-rc2-next-20241209 #1
[ 25.119236] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.120267] Hardware name: linux,dummy-virt (DT)
[ 25.120957] Call trace:
[ 25.121324]  show_stack+0x20/0x38 (C)
[ 25.121905]  dump_stack_lvl+0x8c/0xd0
[ 25.122472]  print_report+0x118/0x5e0
[ 25.123268]  kasan_report+0xc8/0x118
[ 25.123797]  __asan_report_load4_noabort+0x20/0x30
[ 25.124408]  rcu_uaf_reclaim+0x64/0x70
[ 25.124981]  rcu_core+0x9f4/0x1e20
[ 25.125536]  rcu_core_si+0x18/0x30
[ 25.126052]  handle_softirqs+0x374/0xb20
[ 25.126590]  __do_softirq+0x1c/0x28
[ 25.127096]  ____do_softirq+0x18/0x30
[ 25.127649]  call_on_irq_stack+0x24/0x58
[ 25.128207]  do_softirq_own_stack+0x24/0x38
[ 25.129039]  __irq_exit_rcu+0x1fc/0x318
[ 25.129548]  irq_exit_rcu+0x1c/0x80
[ 25.130130]  el1_interrupt+0x38/0x58
[ 25.130725]  el1h_64_irq_handler+0x18/0x28
[ 25.131650]  el1h_64_irq+0x6c/0x70
[ 25.132291]  arch_local_irq_enable+0x4/0x8 (P)
[ 25.132974]  default_idle_call+0x6c/0x78 (L)
[ 25.133622]  do_idle+0x384/0x4e8
[ 25.134281]  cpu_startup_entry+0x68/0x80
[ 25.135298]  secondary_start_kernel+0x288/0x340
[ 25.135841]  __secondary_switched+0xc0/0xc8
[ 25.136481]
[ 25.136799] Allocated by task 186:
[ 25.137460]  kasan_save_stack+0x3c/0x68
[ 25.138052]  kasan_save_track+0x20/0x40
[ 25.138672]  kasan_save_alloc_info+0x40/0x58
[ 25.139370]  __kasan_kmalloc+0xd4/0xd8
[ 25.140118]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 25.140782]  rcu_uaf+0xb0/0x2d0
[ 25.141338]  kunit_try_run_case+0x14c/0x3d0
[ 25.141991]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.142736]  kthread+0x24c/0x2d0
[ 25.143450]  ret_from_fork+0x10/0x20
[ 25.144030]
[ 25.144405] Freed by task 0:
[ 25.144897]  kasan_save_stack+0x3c/0x68
[ 25.145427]  kasan_save_track+0x20/0x40
[ 25.146041]  kasan_save_free_info+0x4c/0x78
[ 25.146651]  __kasan_slab_free+0x6c/0x98
[ 25.147468]  kfree+0x114/0x3c8
[ 25.147953]  rcu_uaf_reclaim+0x28/0x70
[ 25.148485]  rcu_core+0x9f4/0x1e20
[ 25.149207]  rcu_core_si+0x18/0x30
[ 25.149764]  handle_softirqs+0x374/0xb20
[ 25.150338]  __do_softirq+0x1c/0x28
[ 25.151072]
[ 25.151465] Last potentially related work creation:
[ 25.152085]  kasan_save_stack+0x3c/0x68
[ 25.152689]  kasan_record_aux_stack+0xb4/0xc8
[ 25.153398]  __call_rcu_common.constprop.0+0x74/0xa10
[ 25.154181]  call_rcu+0x18/0x30
[ 25.154690]  rcu_uaf+0x14c/0x2d0
[ 25.155530]  kunit_try_run_case+0x14c/0x3d0
[ 25.155991]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.156286]  kthread+0x24c/0x2d0
[ 25.156505]  ret_from_fork+0x10/0x20
[ 25.156823]
[ 25.157176] The buggy address belongs to the object at fff00000c6371180
[ 25.157176]  which belongs to the cache kmalloc-32 of size 32
[ 25.158272] The buggy address is located 0 bytes inside of
[ 25.158272]  freed 32-byte region [fff00000c6371180, fff00000c63711a0)
[ 25.159487]
[ 25.160173] The buggy address belongs to the physical page:
[ 25.160780] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106371
[ 25.161886] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.162953] page_type: f5(slab)
[ 25.163694] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 25.164737] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 25.165497] page dumped because: kasan: bad access detected
[ 25.166170]
[ 25.166549] Memory state around the buggy address:
[ 25.167556]  fff00000c6371080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 25.168247]  fff00000c6371100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 25.169084] >fff00000c6371180: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.169887]                    ^
[ 25.170404]  fff00000c6371200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.171468]  fff00000c6371280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.172379] ==================================================================
qemu-x86_64:

[ 25.228446] ==================================================================
[ 25.229454] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 25.230143] Read of size 4 at addr ffff888102407a00 by task swapper/1/0
[ 25.230564]
[ 25.230823] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.13.0-rc2-next-20241209 #1
[ 25.231657] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.232177] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.232884] Call Trace:
[ 25.233273]  <IRQ>
[ 25.233610]  dump_stack_lvl+0x73/0xb0
[ 25.233968]  print_report+0xd1/0x640
[ 25.234451]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.235011]  ? kasan_complete_mode_report_info+0x64/0x200
[ 25.235518]  kasan_report+0x102/0x140
[ 25.235981]  ? rcu_uaf_reclaim+0x50/0x60
[ 25.236388]  ? rcu_uaf_reclaim+0x50/0x60
[ 25.236851]  __asan_report_load4_noabort+0x18/0x20
[ 25.237456]  rcu_uaf_reclaim+0x50/0x60
[ 25.237930]  rcu_core+0x680/0x1d70
[ 25.238239]  ? __pfx_rcu_core+0x10/0x10
[ 25.238749]  ? ktime_get+0x6b/0x150
[ 25.239100]  ? handle_softirqs+0x18e/0x720
[ 25.239429]  rcu_core_si+0x12/0x20
[ 25.239924]  handle_softirqs+0x209/0x720
[ 25.240437]  ? hrtimer_interrupt+0x2fe/0x780
[ 25.240929]  ? __pfx_handle_softirqs+0x10/0x10
[ 25.241322]  __irq_exit_rcu+0xc9/0x110
[ 25.241824]  irq_exit_rcu+0x12/0x20
[ 25.242169]  sysvec_apic_timer_interrupt+0x81/0x90
[ 25.242709]  </IRQ>
[ 25.242956]  <TASK>
[ 25.243145]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 25.243957] RIP: 0010:default_idle+0xf/0x20
[ 25.244676] Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 53 fb 12 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
[ 25.246260] RSP: 0000:ffff888100877de0 EFLAGS: 00010212
[ 25.247116] RAX: ffff88815b100000 RBX: ffff888100845000 RCX: ffffffff9b52b165
[ 25.247802] RDX: ffffed102b626b23 RSI: 0000000000000004 RDI: 000000000000eabc
[ 25.248375] RBP: ffff888100877de8 R08: 0000000000000001 R09: ffffed102b626b22
[ 25.249251] R10: ffff88815b135913 R11: 0000000000000000 R12: 0000000000000001
[ 25.250065] R13: ffffed1020108a00 R14: ffffffff9d183490 R15: 0000000000000000
[ 25.250757]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 25.251507]  ? arch_cpu_idle+0xd/0x20
[ 25.251989]  default_idle_call+0x48/0x80
[ 25.252331]  do_idle+0x310/0x3c0
[ 25.252750]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.253218]  ? __pfx_do_idle+0x10/0x10
[ 25.253697]  ? _raw_spin_unlock_irqrestore+0x49/0x90
[ 25.254199]  ? complete+0x15b/0x1d0
[ 25.254635]  cpu_startup_entry+0x5c/0x70
[ 25.255011]  start_secondary+0x216/0x290
[ 25.255483]  ? __pfx_start_secondary+0x10/0x10
[ 25.255966]  common_startup_64+0x12c/0x138
[ 25.256557]  </TASK>
[ 25.256816]
[ 25.257052] Allocated by task 205:
[ 25.257424]  kasan_save_stack+0x3d/0x60
[ 25.258365]  kasan_save_track+0x18/0x40
[ 25.259016]  kasan_save_alloc_info+0x3b/0x50
[ 25.259647]  __kasan_kmalloc+0xb7/0xc0
[ 25.259972]  __kmalloc_cache_noprof+0x184/0x410
[ 25.260514]  rcu_uaf+0xb1/0x330
[ 25.260950]  kunit_try_run_case+0x1b3/0x490
[ 25.261421]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.261988]  kthread+0x257/0x310
[ 25.262341]  ret_from_fork+0x41/0x80
[ 25.262653]  ret_from_fork_asm+0x1a/0x30
[ 25.263168]
[ 25.263387] Freed by task 0:
[ 25.263645]  kasan_save_stack+0x3d/0x60
[ 25.264117]  kasan_save_track+0x18/0x40
[ 25.264643]  kasan_save_free_info+0x3f/0x60
[ 25.265077]  __kasan_slab_free+0x56/0x70
[ 25.265418]  kfree+0x123/0x3f0
[ 25.265850]  rcu_uaf_reclaim+0x1f/0x60
[ 25.266339]  rcu_core+0x680/0x1d70
[ 25.266706]  rcu_core_si+0x12/0x20
[ 25.267091]  handle_softirqs+0x209/0x720
[ 25.267495]  __irq_exit_rcu+0xc9/0x110
[ 25.267874]  irq_exit_rcu+0x12/0x20
[ 25.268141]  sysvec_apic_timer_interrupt+0x81/0x90
[ 25.268747]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 25.269289]
[ 25.269504] Last potentially related work creation:
[ 25.270042]  kasan_save_stack+0x3d/0x60
[ 25.270579]  kasan_record_aux_stack+0xb2/0xc0
[ 25.271160]  __call_rcu_common.constprop.0+0x72/0xaa0
[ 25.271582]  call_rcu+0x12/0x20
[ 25.271990]  rcu_uaf+0x169/0x330
[ 25.272396]  kunit_try_run_case+0x1b3/0x490
[ 25.272755]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.273264]  kthread+0x257/0x310
[ 25.273542]  ret_from_fork+0x41/0x80
[ 25.273973]  ret_from_fork_asm+0x1a/0x30
[ 25.274535]
[ 25.274864] The buggy address belongs to the object at ffff888102407a00
[ 25.274864]  which belongs to the cache kmalloc-32 of size 32
[ 25.275942] The buggy address is located 0 bytes inside of
[ 25.275942]  freed 32-byte region [ffff888102407a00, ffff888102407a20)
[ 25.276977]
[ 25.277169] The buggy address belongs to the physical page:
[ 25.277712] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102407
[ 25.278364] flags: 0x200000000000000(node=0|zone=2)
[ 25.278984] page_type: f5(slab)
[ 25.279362] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 25.280045] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 25.280665] page dumped because: kasan: bad access detected
[ 25.281090]
[ 25.281244] Memory state around the buggy address:
[ 25.281567]  ffff888102407900: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 25.282374]  ffff888102407980: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 25.283069] >ffff888102407a00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.283699]                    ^
[ 25.284162]  ffff888102407a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.284711]  ffff888102407b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.285340] ==================================================================