Hay
Date
March 19, 2025, 10:35 a.m.

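Environment
qemu-arm64 (first report below; Hardware name: linux,dummy-virt)
qemu-x86_64 (second report below; Hardware name: QEMU Standard PC)

Both reports come from inside a KUnit test case: task kunit_try_catch, taint flag [N]=TEST, with kunit_try_run_case calling kmem_cache_rcu_uaf. In each, the 1-byte read hits offset 0 of a 200-byte test_cache object that had already been freed from the RCU softirq path (slab_free_after_rcu_debug).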

[   35.917584] ==================================================================
[   35.917812] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x390/0x468
[   35.918003] Read of size 1 at addr fff00000c5d9e000 by task kunit_try_catch/215
[   35.918176] 
[   35.918286] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.14.0-rc7-next-20250319 #1 PREEMPT 
[   35.918571] Tainted: [B]=BAD_PAGE, [N]=TEST
[   35.918661] Hardware name: linux,dummy-virt (DT)
[   35.918766] Call trace:
[   35.918844]  show_stack+0x20/0x38 (C)
[   35.919018]  dump_stack_lvl+0x8c/0xd0
[   35.920528]  print_report+0x118/0x5f0
[   35.920684]  kasan_report+0xc8/0x118
[   35.920831]  __asan_report_load1_noabort+0x20/0x30
[   35.921072]  kmem_cache_rcu_uaf+0x390/0x468
[   35.921268]  kunit_try_run_case+0x14c/0x3d0
[   35.921444]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.921607]  kthread+0x318/0x618
[   35.921757]  ret_from_fork+0x10/0x20
[   35.921913] 
[   35.922296] Allocated by task 215:
[   35.922407]  kasan_save_stack+0x3c/0x68
[   35.922859]  kasan_save_track+0x20/0x40
[   35.923155]  kasan_save_alloc_info+0x40/0x58
[   35.923434]  __kasan_slab_alloc+0xa8/0xb0
[   35.923569]  kmem_cache_alloc_noprof+0x108/0x398
[   35.923700]  kmem_cache_rcu_uaf+0x12c/0x468
[   35.923826]  kunit_try_run_case+0x14c/0x3d0
[   35.924549]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.924870]  kthread+0x318/0x618
[   35.925004]  ret_from_fork+0x10/0x20
[   35.925291] 
[   35.925368] Freed by task 0:
[   35.925453]  kasan_save_stack+0x3c/0x68
[   35.925570]  kasan_save_track+0x20/0x40
[   35.925675]  kasan_save_free_info+0x4c/0x78
[   35.926047]  __kasan_slab_free+0x6c/0x98
[   35.926988]  slab_free_after_rcu_debug+0xd4/0x2f8
[   35.927170]  rcu_core+0x9f4/0x1e58
[   35.927293]  rcu_core_si+0x18/0x30
[   35.927404]  handle_softirqs+0x374/0xb20
[   35.927531]  __do_softirq+0x1c/0x28
[   35.927908] 
[   35.928251] Last potentially related work creation:
[   35.928350]  kasan_save_stack+0x3c/0x68
[   35.928480]  kasan_record_aux_stack+0xb4/0xc8
[   35.928611]  kmem_cache_free+0x120/0x490
[   35.928724]  kmem_cache_rcu_uaf+0x16c/0x468
[   35.928853]  kunit_try_run_case+0x14c/0x3d0
[   35.929080]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.929326]  kthread+0x318/0x618
[   35.929839]  ret_from_fork+0x10/0x20
[   35.929977] 
[   35.930072] The buggy address belongs to the object at fff00000c5d9e000
[   35.930072]  which belongs to the cache test_cache of size 200
[   35.930491] The buggy address is located 0 bytes inside of
[   35.930491]  freed 200-byte region [fff00000c5d9e000, fff00000c5d9e0c8)
[   35.931259] 
[   35.931427] The buggy address belongs to the physical page:
[   35.931556] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105d9e
[   35.932040] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   35.932254] page_type: f5(slab)
[   35.933268] raw: 0bfffe0000000000 fff00000c5d9a140 dead000000000122 0000000000000000
[   35.933454] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   35.933599] page dumped because: kasan: bad access detected
[   35.933708] 
[   35.933760] Memory state around the buggy address:
[   35.933858]  fff00000c5d9df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.933994]  fff00000c5d9df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.938119] >fff00000c5d9e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.938644]                    ^
[   35.938769]  fff00000c5d9e080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   35.938932]  fff00000c5d9e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.939078] ==================================================================

[   23.176292] ==================================================================
[   23.177009] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   23.177663] Read of size 1 at addr ffff888103228000 by task kunit_try_catch/234
[   23.178264] 
[   23.178558] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G    B            N  6.14.0-rc7-next-20250319 #1 PREEMPT(voluntary) 
[   23.178689] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.178771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.178829] Call Trace:
[   23.178864]  <TASK>
[   23.178903]  dump_stack_lvl+0x73/0xb0
[   23.178989]  print_report+0xd1/0x660
[   23.179054]  ? __virt_addr_valid+0x1db/0x2d0
[   23.179199]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.179274]  kasan_report+0x104/0x140
[   23.179330]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   23.179399]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   23.179475]  __asan_report_load1_noabort+0x18/0x20
[   23.179533]  kmem_cache_rcu_uaf+0x3e3/0x510
[   23.179625]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   23.179691]  ? finish_task_switch.isra.0+0x153/0x730
[   23.179815]  ? __switch_to+0x5d9/0xf70
[   23.179903]  ? __pfx_read_tsc+0x10/0x10
[   23.179974]  ? ktime_get_ts64+0x86/0x240
[   23.180044]  kunit_try_run_case+0x1b2/0x490
[   23.180137]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.180197]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.180256]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.180313]  ? __kthread_parkme+0x82/0x160
[   23.180373]  ? preempt_count_sub+0x50/0x80
[   23.180441]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.180508]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.180548]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.180583]  kthread+0x323/0x710
[   23.180613]  ? trace_preempt_on+0x20/0xc0
[   23.180649]  ? __pfx_kthread+0x10/0x10
[   23.180680]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.180781]  ? calculate_sigpending+0x7b/0xa0
[   23.180825]  ? __pfx_kthread+0x10/0x10
[   23.180857]  ret_from_fork+0x41/0x80
[   23.180890]  ? __pfx_kthread+0x10/0x10
[   23.180922]  ret_from_fork_asm+0x1a/0x30
[   23.180969]  </TASK>
[   23.180985] 
[   23.199730] Allocated by task 234:
[   23.200598]  kasan_save_stack+0x3d/0x60
[   23.201386]  kasan_save_track+0x18/0x40
[   23.202088]  kasan_save_alloc_info+0x3b/0x50
[   23.202640]  __kasan_slab_alloc+0x91/0xa0
[   23.203168]  kmem_cache_alloc_noprof+0x11d/0x3f0
[   23.203575]  kmem_cache_rcu_uaf+0x155/0x510
[   23.204136]  kunit_try_run_case+0x1b2/0x490
[   23.204766]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.205316]  kthread+0x323/0x710
[   23.205604]  ret_from_fork+0x41/0x80
[   23.206080]  ret_from_fork_asm+0x1a/0x30
[   23.206886] 
[   23.207358] Freed by task 0:
[   23.208216]  kasan_save_stack+0x3d/0x60
[   23.208631]  kasan_save_track+0x18/0x40
[   23.209524]  kasan_save_free_info+0x3f/0x60
[   23.209977]  __kasan_slab_free+0x56/0x70
[   23.211194]  slab_free_after_rcu_debug+0xe4/0x340
[   23.211664]  rcu_core+0x66c/0x1cd0
[   23.212395]  rcu_core_si+0x12/0x20
[   23.212756]  handle_softirqs+0x209/0x730
[   23.213225]  __irq_exit_rcu+0xc9/0x110
[   23.214051]  irq_exit_rcu+0x12/0x20
[   23.214510]  sysvec_apic_timer_interrupt+0x81/0x90
[   23.215154]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   23.215535] 
[   23.216226] Last potentially related work creation:
[   23.216701]  kasan_save_stack+0x3d/0x60
[   23.217063]  kasan_record_aux_stack+0xb2/0xc0
[   23.217341]  kmem_cache_free+0x131/0x420
[   23.217743]  kmem_cache_rcu_uaf+0x194/0x510
[   23.218551]  kunit_try_run_case+0x1b2/0x490
[   23.219048]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.219431]  kthread+0x323/0x710
[   23.220598]  ret_from_fork+0x41/0x80
[   23.221088]  ret_from_fork_asm+0x1a/0x30
[   23.221379] 
[   23.222029] The buggy address belongs to the object at ffff888103228000
[   23.222029]  which belongs to the cache test_cache of size 200
[   23.223172] The buggy address is located 0 bytes inside of
[   23.223172]  freed 200-byte region [ffff888103228000, ffff8881032280c8)
[   23.224793] 
[   23.224985] The buggy address belongs to the physical page:
[   23.225470] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103228
[   23.226815] flags: 0x200000000000000(node=0|zone=2)
[   23.227762] page_type: f5(slab)
[   23.228094] raw: 0200000000000000 ffff8881020e8b40 dead000000000122 0000000000000000
[   23.229479] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   23.230320] page dumped because: kasan: bad access detected
[   23.230755] 
[   23.231407] Memory state around the buggy address:
[   23.232216]  ffff888103227f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.233513]  ffff888103227f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.233961] >ffff888103228000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.234641]                    ^
[   23.235374]  ffff888103228080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   23.236253]  ffff888103228100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.236723] ==================================================================