Date
May 15, 2025, 10:38 a.m.
| Environment |
| --- |
| e850-96 |
```
[   32.660143] ==================================================================
[   32.660322] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[   32.660441] Read of size 4 at addr ffff000803280c40 by task swapper/6/0
[   32.661511]
[   32.662997] CPU: 6 UID: 0 PID: 0 Comm: swapper/6 Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[   32.663054] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.663072] Hardware name: WinLink E850-96 board (DT)
[   32.663093] Call trace:
[   32.663105]  show_stack+0x20/0x38 (C)
[   32.663142]  dump_stack_lvl+0x8c/0xd0
[   32.663174]  print_report+0x118/0x608
[   32.663210]  kasan_report+0xdc/0x128
[   32.663241]  __asan_report_load4_noabort+0x20/0x30
[   32.663279]  rcu_uaf_reclaim+0x64/0x70
[   32.663307]  rcu_core+0x9f4/0x1e20
[   32.663339]  rcu_core_si+0x18/0x30
[   32.663366]  handle_softirqs+0x374/0xb28
[   32.663396]  __do_softirq+0x1c/0x28
[   32.663426]  ____do_softirq+0x18/0x30
[   32.663457]  call_on_irq_stack+0x24/0x30
[   32.663489]  do_softirq_own_stack+0x24/0x38
[   32.663519]  __irq_exit_rcu+0x1fc/0x318
[   32.663547]  irq_exit_rcu+0x1c/0x80
[   32.663575]  el1_interrupt+0x38/0x58
[   32.663608]  el1h_64_irq_handler+0x18/0x28
[   32.663640]  el1h_64_irq+0x6c/0x70
[   32.663665]  arch_local_irq_enable+0x4/0x8 (P)
[   32.663701]  do_idle+0x384/0x4e8
[   32.663732]  cpu_startup_entry+0x64/0x80
[   32.663764]  secondary_start_kernel+0x288/0x340
[   32.663795]  __secondary_switched+0xc0/0xc8
[   32.663836]
[   32.773921] Allocated by task 243:
[   32.777310]  kasan_save_stack+0x3c/0x68
[   32.781125]  kasan_save_track+0x20/0x40
[   32.784945]  kasan_save_alloc_info+0x40/0x58
[   32.789198]  __kasan_kmalloc+0xd4/0xd8
[   32.792932]  __kmalloc_cache_noprof+0x15c/0x3c0
[   32.797445]  rcu_uaf+0xb0/0x2d8
[   32.800570]  kunit_try_run_case+0x170/0x3f0
[   32.804736]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.810205]  kthread+0x328/0x630
[   32.813417]  ret_from_fork+0x10/0x20
[   32.816976]
[   32.818452] Freed by task 0:
[   32.821318]  kasan_save_stack+0x3c/0x68
[   32.825135]  kasan_save_track+0x20/0x40
[   32.828955]  kasan_save_free_info+0x4c/0x78
[   32.833121]  __kasan_slab_free+0x6c/0x98
[   32.837028]  kfree+0x214/0x3c8
[   32.840066]  rcu_uaf_reclaim+0x28/0x70
[   32.843798]  rcu_core+0x9f4/0x1e20
[   32.847183]  rcu_core_si+0x18/0x30
[   32.850570]  handle_softirqs+0x374/0xb28
[   32.854475]  __do_softirq+0x1c/0x28
[   32.857947]
[   32.859424] Last potentially related work creation:
[   32.864285]  kasan_save_stack+0x3c/0x68
[   32.868103]  kasan_record_aux_stack+0xb4/0xc8
[   32.872444]  __call_rcu_common.constprop.0+0x70/0x8b0
[   32.877478]  call_rcu+0x18/0x30
[   32.880603]  rcu_uaf+0x14c/0x2d8
[   32.883815]  kunit_try_run_case+0x170/0x3f0
[   32.887982]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.893450]  kthread+0x328/0x630
[   32.896662]  ret_from_fork+0x10/0x20
[   32.900221]
[   32.901698] The buggy address belongs to the object at ffff000803280c40
[   32.901698]  which belongs to the cache kmalloc-32 of size 32
[   32.914026] The buggy address is located 0 bytes inside of
[   32.914026]  freed 32-byte region [ffff000803280c40, ffff000803280c60)
[   32.926002]
[   32.927481] The buggy address belongs to the physical page:
[   32.933037] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883280
[   32.941022] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.947531] page_type: f5(slab)
[   32.950669] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[   32.958386] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   32.966106] page dumped because: kasan: bad access detected
[   32.971661]
[   32.973136] Memory state around the buggy address:
[   32.977919]  ffff000803280b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   32.985119]  ffff000803280b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   32.992327] >ffff000803280c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   32.999525]                                            ^
[   33.004824]  ffff000803280c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.012029]  ffff000803280d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.019231] ==================================================================
```