Date
May 12, 2025, 11:48 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 17.316193] ==================================================================
[ 17.316418] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 17.316616] Read of size 4 at addr fff00000c7943340 by task swapper/1/0
[ 17.316742]
[ 17.316826] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT
[ 17.317082] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.317132] Hardware name: linux,dummy-virt (DT)
[ 17.317199] Call trace:
[ 17.317491] show_stack+0x20/0x38 (C)
[ 17.317701] dump_stack_lvl+0x8c/0xd0
[ 17.317801] print_report+0x118/0x608
[ 17.317907] kasan_report+0xdc/0x128
[ 17.318505] __asan_report_load4_noabort+0x20/0x30
[ 17.318556] rcu_uaf_reclaim+0x64/0x70
[ 17.318656] rcu_core+0x9f4/0x1e20
[ 17.318807] rcu_core_si+0x18/0x30
[ 17.318932] handle_softirqs+0x374/0xb28
[ 17.319016] __do_softirq+0x1c/0x28
[ 17.319360] ____do_softirq+0x18/0x30
[ 17.319582] call_on_irq_stack+0x24/0x30
[ 17.319692] do_softirq_own_stack+0x24/0x38
[ 17.319800] __irq_exit_rcu+0x1fc/0x318
[ 17.319893] irq_exit_rcu+0x1c/0x80
[ 17.319981] el1_interrupt+0x38/0x58
[ 17.320091] el1h_64_irq_handler+0x18/0x28
[ 17.320189] el1h_64_irq+0x6c/0x70
[ 17.320391] arch_local_irq_enable+0x4/0x8 (P)
[ 17.320529] do_idle+0x384/0x4e8
[ 17.320658] cpu_startup_entry+0x68/0x80
[ 17.320784] secondary_start_kernel+0x288/0x340
[ 17.320928] __secondary_switched+0xc0/0xc8
[ 17.321103]
[ 17.321141] Allocated by task 198:
[ 17.321199] kasan_save_stack+0x3c/0x68
[ 17.321288] kasan_save_track+0x20/0x40
[ 17.321632] kasan_save_alloc_info+0x40/0x58
[ 17.321909] __kasan_kmalloc+0xd4/0xd8
[ 17.322018] __kmalloc_cache_noprof+0x15c/0x3c0
[ 17.322132] rcu_uaf+0xb0/0x2d8
[ 17.322228] kunit_try_run_case+0x170/0x3f0
[ 17.322341] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.322462] kthread+0x328/0x630
[ 17.322560] ret_from_fork+0x10/0x20
[ 17.322645]
[ 17.322695] Freed by task 0:
[ 17.322772] kasan_save_stack+0x3c/0x68
[ 17.322884] kasan_save_track+0x20/0x40
[ 17.322956] kasan_save_free_info+0x4c/0x78
[ 17.323062] __kasan_slab_free+0x6c/0x98
[ 17.323128] kfree+0x214/0x3c8
[ 17.323190] rcu_uaf_reclaim+0x28/0x70
[ 17.323764] rcu_core+0x9f4/0x1e20
[ 17.324001] rcu_core_si+0x18/0x30
[ 17.324088] handle_softirqs+0x374/0xb28
[ 17.324338] __do_softirq+0x1c/0x28
[ 17.324427]
[ 17.324509] Last potentially related work creation:
[ 17.324620] kasan_save_stack+0x3c/0x68
[ 17.324710] kasan_record_aux_stack+0xb4/0xc8
[ 17.324858] __call_rcu_common.constprop.0+0x70/0x8b0
[ 17.324980] call_rcu+0x18/0x30
[ 17.325083] rcu_uaf+0x14c/0x2d8
[ 17.325152] kunit_try_run_case+0x170/0x3f0
[ 17.325237] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.325328] kthread+0x328/0x630
[ 17.325402] ret_from_fork+0x10/0x20
[ 17.325487]
[ 17.325543] The buggy address belongs to the object at fff00000c7943340
[ 17.325543] which belongs to the cache kmalloc-32 of size 32
[ 17.325674] The buggy address is located 0 bytes inside of
[ 17.325674] freed 32-byte region [fff00000c7943340, fff00000c7943360)
[ 17.325805]
[ 17.325852] The buggy address belongs to the physical page:
[ 17.325922] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107943
[ 17.326024] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.326345] page_type: f5(slab)
[ 17.326440] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 17.326531] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 17.326610] page dumped because: kasan: bad access detected
[ 17.326668]
[ 17.327230] Memory state around the buggy address:
[ 17.327376] fff00000c7943200: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 17.327478] fff00000c7943280: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 17.327583] >fff00000c7943300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 17.327703] ^
[ 17.327798] fff00000c7943380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.327917] fff00000c7943400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.327999] ==================================================================
```
qemu-x86_64:

```text
[ 17.367245] ==================================================================
[ 17.368148] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 17.368846] Read of size 4 at addr ffff8881023191c0 by task swapper/0/0
[ 17.369249]
[ 17.369655] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT(voluntary)
[ 17.369785] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.369812] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 17.369852] Call Trace:
[ 17.369912] <IRQ>
[ 17.369950] dump_stack_lvl+0x73/0xb0
[ 17.370030] print_report+0xd1/0x650
[ 17.370097] ? __virt_addr_valid+0x1db/0x2d0
[ 17.370148] ? rcu_uaf_reclaim+0x50/0x60
[ 17.370185] ? kasan_complete_mode_report_info+0x64/0x200
[ 17.370227] ? rcu_uaf_reclaim+0x50/0x60
[ 17.370278] kasan_report+0x141/0x180
[ 17.370465] ? rcu_uaf_reclaim+0x50/0x60
[ 17.370510] __asan_report_load4_noabort+0x18/0x20
[ 17.370546] rcu_uaf_reclaim+0x50/0x60
[ 17.370584] rcu_core+0x66f/0x1c40
[ 17.370641] ? __pfx_rcu_core+0x10/0x10
[ 17.370689] ? ktime_get+0x6b/0x150
[ 17.370856] rcu_core_si+0x12/0x20
[ 17.370911] handle_softirqs+0x209/0x730
[ 17.371188] ? hrtimer_interrupt+0x2fe/0x780
[ 17.371237] ? __pfx_handle_softirqs+0x10/0x10
[ 17.371288] __irq_exit_rcu+0xc9/0x110
[ 17.371314] irq_exit_rcu+0x12/0x20
[ 17.371335] sysvec_apic_timer_interrupt+0x81/0x90
[ 17.371364] </IRQ>
[ 17.371410] <TASK>
[ 17.371422] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 17.371543] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 17.371842] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 71 23 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 17.371941] RSP: 0000:ffffffff91e07dd8 EFLAGS: 00010206
[ 17.372314] RAX: ffff8881c7e77000 RBX: ffffffff91e1cac0 RCX: ffffffff90c543e5
[ 17.372421] RDX: ffffed102b60618b RSI: 0000000000000004 RDI: 0000000000007d34
[ 17.372476] RBP: ffffffff91e07de0 R08: 0000000000000001 R09: ffffed102b60618a
[ 17.372527] R10: ffff88815b030c53 R11: 000000000003e400 R12: 0000000000000000
[ 17.372575] R13: fffffbfff23c3958 R14: ffffffff929b0290 R15: 0000000000000000
[ 17.372646] ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 17.372762] ? default_idle+0xd/0x20
[ 17.372789] arch_cpu_idle+0xd/0x20
[ 17.372811] default_idle_call+0x48/0x80
[ 17.372834] do_idle+0x379/0x4f0
[ 17.372858] ? __pfx_do_idle+0x10/0x10
[ 17.372877] ? trace_preempt_on+0x20/0xc0
[ 17.372901] ? schedule+0x86/0x2e0
[ 17.372921] ? preempt_count_sub+0x50/0x80
[ 17.372944] cpu_startup_entry+0x5c/0x70
[ 17.372964] rest_init+0x11a/0x140
[ 17.372986] ? acpi_subsystem_init+0x5d/0x150
[ 17.373012] start_kernel+0x330/0x410
[ 17.373041] x86_64_start_reservations+0x1c/0x30
[ 17.373158] x86_64_start_kernel+0xcf/0xe0
[ 17.373183] common_startup_64+0x13e/0x148
[ 17.373216] </TASK>
[ 17.373230]
[ 17.392545] Allocated by task 215:
[ 17.392979] kasan_save_stack+0x45/0x70
[ 17.393723] kasan_save_track+0x18/0x40
[ 17.394285] kasan_save_alloc_info+0x3b/0x50
[ 17.394501] __kasan_kmalloc+0xb7/0xc0
[ 17.394876] __kmalloc_cache_noprof+0x189/0x420
[ 17.395117] rcu_uaf+0xb0/0x330
[ 17.395992] kunit_try_run_case+0x1a5/0x480
[ 17.396309] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.397200] kthread+0x337/0x6f0
[ 17.397460] ret_from_fork+0x116/0x1d0
[ 17.397645] ret_from_fork_asm+0x1a/0x30
[ 17.398056]
[ 17.398690] Freed by task 0:
[ 17.398881] kasan_save_stack+0x45/0x70
[ 17.399298] kasan_save_track+0x18/0x40
[ 17.399498] kasan_save_free_info+0x3f/0x60
[ 17.399859] __kasan_slab_free+0x56/0x70
[ 17.400124] kfree+0x222/0x3f0
[ 17.400637] rcu_uaf_reclaim+0x1f/0x60
[ 17.401544] rcu_core+0x66f/0x1c40
[ 17.401774] rcu_core_si+0x12/0x20
[ 17.402279] handle_softirqs+0x209/0x730
[ 17.402602] __irq_exit_rcu+0xc9/0x110
[ 17.402828] irq_exit_rcu+0x12/0x20
[ 17.403332] sysvec_apic_timer_interrupt+0x81/0x90
[ 17.403622] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 17.404165]
[ 17.404444] Last potentially related work creation:
[ 17.404844] kasan_save_stack+0x45/0x70
[ 17.405282] kasan_record_aux_stack+0xb2/0xc0
[ 17.405570] __call_rcu_common.constprop.0+0x72/0x9d0
[ 17.406695] call_rcu+0x12/0x20
[ 17.407043] rcu_uaf+0x168/0x330
[ 17.407540] kunit_try_run_case+0x1a5/0x480
[ 17.407839] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.408288] kthread+0x337/0x6f0
[ 17.408628] ret_from_fork+0x116/0x1d0
[ 17.409031] ret_from_fork_asm+0x1a/0x30
[ 17.409281]
[ 17.409648] The buggy address belongs to the object at ffff8881023191c0
[ 17.409648] which belongs to the cache kmalloc-32 of size 32
[ 17.410383] The buggy address is located 0 bytes inside of
[ 17.410383] freed 32-byte region [ffff8881023191c0, ffff8881023191e0)
[ 17.411277]
[ 17.411604] The buggy address belongs to the physical page:
[ 17.412061] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102319
[ 17.412684] flags: 0x200000000000000(node=0|zone=2)
[ 17.412953] page_type: f5(slab)
[ 17.413809] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 17.414669] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 17.415068] page dumped because: kasan: bad access detected
[ 17.415928]
[ 17.416327] Memory state around the buggy address:
[ 17.416829] ffff888102319080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 17.417380] ffff888102319100: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 17.417830] >ffff888102319180: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 17.418450] ^
[ 17.419172] ffff888102319200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.419701] ffff888102319280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.420331] ==================================================================
```