Date
May 15, 2025, 10:38 a.m.

Environment
e850-96

[   34.440184] ==================================================================
[   34.440370] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   34.440496] Read of size 1 at addr ffff000801f20000 by task kunit_try_catch/258
[   34.443892] 
[   34.445379] CPU: 7 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250515 #1 PREEMPT 
[   34.445436] Tainted: [B]=BAD_PAGE, [N]=TEST
[   34.445453] Hardware name: WinLink E850-96 board (DT)
[   34.445473] Call trace:
[   34.445485]  show_stack+0x20/0x38 (C)
[   34.445522]  dump_stack_lvl+0x8c/0xd0
[   34.445554]  print_report+0x118/0x608
[   34.445587]  kasan_report+0xdc/0x128
[   34.445618]  __asan_report_load1_noabort+0x20/0x30
[   34.445656]  kmem_cache_rcu_uaf+0x388/0x468
[   34.445685]  kunit_try_run_case+0x170/0x3f0
[   34.445717]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.445753]  kthread+0x328/0x630
[   34.445789]  ret_from_fork+0x10/0x20
[   34.445822] 
[   34.509430] Allocated by task 258:
[   34.512817]  kasan_save_stack+0x3c/0x68
[   34.516633]  kasan_save_track+0x20/0x40
[   34.520454]  kasan_save_alloc_info+0x40/0x58
[   34.524705]  __kasan_slab_alloc+0xa8/0xb0
[   34.528701]  kmem_cache_alloc_noprof+0x10c/0x3a0
[   34.533299]  kmem_cache_rcu_uaf+0x12c/0x468
[   34.537466]  kunit_try_run_case+0x170/0x3f0
[   34.541632]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.547101]  kthread+0x328/0x630
[   34.550313]  ret_from_fork+0x10/0x20
[   34.553872] 
[   34.555349] Freed by task 0:
[   34.558214]  kasan_save_stack+0x3c/0x68
[   34.562031]  kasan_save_track+0x20/0x40
[   34.565851]  kasan_save_free_info+0x4c/0x78
[   34.570017]  __kasan_slab_free+0x6c/0x98
[   34.573923]  slab_free_after_rcu_debug+0xd4/0x2f8
[   34.578611]  rcu_core+0x9f4/0x1e20
[   34.581996]  rcu_core_si+0x18/0x30
[   34.585382]  handle_softirqs+0x374/0xb28
[   34.589288]  __do_softirq+0x1c/0x28
[   34.592762] 
[   34.594237] Last potentially related work creation:
[   34.599098]  kasan_save_stack+0x3c/0x68
[   34.602916]  kasan_record_aux_stack+0xb4/0xc8
[   34.607257]  kmem_cache_free+0x120/0x470
[   34.611163]  kmem_cache_rcu_uaf+0x16c/0x468
[   34.615329]  kunit_try_run_case+0x170/0x3f0
[   34.619496]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.624966]  kthread+0x328/0x630
[   34.628176]  ret_from_fork+0x10/0x20
[   34.631737] 
[   34.633210] The buggy address belongs to the object at ffff000801f20000
[   34.633210]  which belongs to the cache test_cache of size 200
[   34.645627] The buggy address is located 0 bytes inside of
[   34.645627]  freed 200-byte region [ffff000801f20000, ffff000801f200c8)
[   34.657690] 
[   34.659169] The buggy address belongs to the physical page:
[   34.664725] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881f20
[   34.672708] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   34.680349] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   34.687292] page_type: f5(slab)
[   34.690429] raw: 0bfffe0000000040 ffff000801f1e000 dead000000000122 0000000000000000
[   34.698147] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   34.705873] head: 0bfffe0000000040 ffff000801f1e000 dead000000000122 0000000000000000
[   34.713685] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   34.721498] head: 0bfffe0000000001 fffffdffe007c801 00000000ffffffff 00000000ffffffff
[   34.729310] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   34.737115] page dumped because: kasan: bad access detected
[   34.742671] 
[   34.744146] Memory state around the buggy address:
[   34.748928]  ffff000801f1ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.756129]  ffff000801f1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.763336] >ffff000801f20000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.770535]                    ^
[   34.773751]  ffff000801f20080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   34.780956]  ffff000801f20100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.788159] ==================================================================