Date
May 30, 2025, 4:14 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
| x15 |
[ 34.480983] ==================================================================
[ 34.481178] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 34.481305] Read of size 1 at addr ffff000801e2e000 by task kunit_try_catch/257
[ 34.484694]
[ 34.486181] CPU: 1 UID: 0 PID: 257 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 34.486238] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 34.486256] Hardware name: WinLink E850-96 board (DT)
[ 34.486275] Call trace:
[ 34.486287] show_stack+0x20/0x38 (C)
[ 34.486326] dump_stack_lvl+0x8c/0xd0
[ 34.486364] print_report+0x118/0x608
[ 34.486401] kasan_report+0xdc/0x128
[ 34.486434] __asan_report_load1_noabort+0x20/0x30
[ 34.486468] kmem_cache_rcu_uaf+0x388/0x468
[ 34.486501] kunit_try_run_case+0x170/0x3f0
[ 34.486538] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.486579] kthread+0x328/0x630
[ 34.486608] ret_from_fork+0x10/0x20
[ 34.486644]
[ 34.549884] Allocated by task 257:
[ 34.553274] kasan_save_stack+0x3c/0x68
[ 34.557089] kasan_save_track+0x20/0x40
[ 34.560908] kasan_save_alloc_info+0x40/0x58
[ 34.565161] __kasan_slab_alloc+0xa8/0xb0
[ 34.569156] kmem_cache_alloc_noprof+0x10c/0x3a0
[ 34.573755] kmem_cache_rcu_uaf+0x12c/0x468
[ 34.577922] kunit_try_run_case+0x170/0x3f0
[ 34.582090] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.587557] kthread+0x328/0x630
[ 34.590769] ret_from_fork+0x10/0x20
[ 34.594328]
[ 34.595805] Freed by task 0:
[ 34.598672] kasan_save_stack+0x3c/0x68
[ 34.602487] kasan_save_track+0x20/0x40
[ 34.606307] kasan_save_free_info+0x4c/0x78
[ 34.610473] __kasan_slab_free+0x6c/0x98
[ 34.614381] slab_free_after_rcu_debug+0xd4/0x2f8
[ 34.619067] rcu_core+0x9f4/0x1e20
[ 34.622452] rcu_core_si+0x18/0x30
[ 34.625838] handle_softirqs+0x374/0xb28
[ 34.629744] __do_softirq+0x1c/0x28
[ 34.633216]
[ 34.634693] Last potentially related work creation:
[ 34.639554] kasan_save_stack+0x3c/0x68
[ 34.643372] kasan_record_aux_stack+0xb4/0xc8
[ 34.647713] kmem_cache_free+0x120/0x470
[ 34.651619] kmem_cache_rcu_uaf+0x16c/0x468
[ 34.655785] kunit_try_run_case+0x170/0x3f0
[ 34.659952] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.665422] kthread+0x328/0x630
[ 34.668632] ret_from_fork+0x10/0x20
[ 34.672191]
[ 34.673668] The buggy address belongs to the object at ffff000801e2e000
[ 34.673668]  which belongs to the cache test_cache of size 200
[ 34.686083] The buggy address is located 0 bytes inside of
[ 34.686083]  freed 200-byte region [ffff000801e2e000, ffff000801e2e0c8)
[ 34.698146]
[ 34.699624] The buggy address belongs to the physical page:
[ 34.705182] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881e2e
[ 34.713166] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 34.720804] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 34.727748] page_type: f5(slab)
[ 34.730885] raw: 0bfffe0000000040 ffff00080193e140 dead000000000122 0000000000000000
[ 34.738603] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 34.746332] head: 0bfffe0000000040 ffff00080193e140 dead000000000122 0000000000000000
[ 34.754141] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 34.761954] head: 0bfffe0000000001 fffffdffe0078b81 00000000ffffffff 00000000ffffffff
[ 34.769766] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 34.777571] page dumped because: kasan: bad access detected
[ 34.783127]
[ 34.784603] Memory state around the buggy address:
[ 34.789385]  ffff000801e2df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.796585]  ffff000801e2df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.803793] >ffff000801e2e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.810991]                    ^
[ 34.814207]  ffff000801e2e080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 34.821411]  ffff000801e2e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.828614] ==================================================================
[ 26.764774] ==================================================================
[ 26.764952] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 26.766670] Read of size 1 at addr fff00000c77f9000 by task kunit_try_catch/214
[ 26.767914]
[ 26.768008] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 26.768751] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.768839] Hardware name: linux,dummy-virt (DT)
[ 26.768935] Call trace:
[ 26.768992] show_stack+0x20/0x38 (C)
[ 26.769103] dump_stack_lvl+0x8c/0xd0
[ 26.769170] print_report+0x118/0x608
[ 26.769229] kasan_report+0xdc/0x128
[ 26.769304] __asan_report_load1_noabort+0x20/0x30
[ 26.769364] kmem_cache_rcu_uaf+0x388/0x468
[ 26.769422] kunit_try_run_case+0x170/0x3f0
[ 26.769489] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.769566] kthread+0x328/0x630
[ 26.769631] ret_from_fork+0x10/0x20
[ 26.769814]
[ 26.769880] Allocated by task 214:
[ 26.770251] kasan_save_stack+0x3c/0x68
[ 26.770524] kasan_save_track+0x20/0x40
[ 26.770718] kasan_save_alloc_info+0x40/0x58
[ 26.770805] __kasan_slab_alloc+0xa8/0xb0
[ 26.770859] kmem_cache_alloc_noprof+0x10c/0x3a0
[ 26.770916] kmem_cache_rcu_uaf+0x12c/0x468
[ 26.771017] kunit_try_run_case+0x170/0x3f0
[ 26.771209] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.771391] kthread+0x328/0x630
[ 26.771483] ret_from_fork+0x10/0x20
[ 26.771575]
[ 26.771656] Freed by task 0:
[ 26.771746] kasan_save_stack+0x3c/0x68
[ 26.771843] kasan_save_track+0x20/0x40
[ 26.771948] kasan_save_free_info+0x4c/0x78
[ 26.772054] __kasan_slab_free+0x6c/0x98
[ 26.772153] slab_free_after_rcu_debug+0xd4/0x2f8
[ 26.772252] rcu_core+0x9f4/0x1e20
[ 26.772355] rcu_core_si+0x18/0x30
[ 26.772442] handle_softirqs+0x374/0xb28
[ 26.772556] __do_softirq+0x1c/0x28
[ 26.772659]
[ 26.772869] Last potentially related work creation:
[ 26.772936] kasan_save_stack+0x3c/0x68
[ 26.773161] kasan_record_aux_stack+0xb4/0xc8
[ 26.773542] kmem_cache_free+0x120/0x470
[ 26.773788] kmem_cache_rcu_uaf+0x16c/0x468
[ 26.774012] kunit_try_run_case+0x170/0x3f0
[ 26.774177] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.774303] kthread+0x328/0x630
[ 26.774392] ret_from_fork+0x10/0x20
[ 26.774511]
[ 26.774611] The buggy address belongs to the object at fff00000c77f9000
[ 26.774611]  which belongs to the cache test_cache of size 200
[ 26.774973] The buggy address is located 0 bytes inside of
[ 26.774973]  freed 200-byte region [fff00000c77f9000, fff00000c77f90c8)
[ 26.775598]
[ 26.775654] The buggy address belongs to the physical page:
[ 26.775754] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077f9
[ 26.776130] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.776649] page_type: f5(slab)
[ 26.777292] raw: 0bfffe0000000000 fff00000c5bfec80 dead000000000122 0000000000000000
[ 26.777945] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 26.778363] page dumped because: kasan: bad access detected
[ 26.779085]
[ 26.779299] Memory state around the buggy address:
[ 26.779625]  fff00000c77f8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.780116]  fff00000c77f8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.780278] >fff00000c77f9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.781259]                    ^
[ 26.781336]  fff00000c77f9080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 26.781995]  fff00000c77f9100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.782151] ==================================================================
[ 19.616515] ==================================================================
[ 19.617340] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 19.618384] Read of size 1 at addr ffff888102b6e000 by task kunit_try_catch/230
[ 19.618750]
[ 19.618875] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 19.618940] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.618957] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.619041] Call Trace:
[ 19.619087] <TASK>
[ 19.619137] dump_stack_lvl+0x73/0xb0
[ 19.619226] print_report+0xd1/0x650
[ 19.619301] ? __virt_addr_valid+0x1db/0x2d0
[ 19.619870] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 19.619946] ? kasan_complete_mode_report_info+0x64/0x200
[ 19.620039] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 19.620126] kasan_report+0x141/0x180
[ 19.620202] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 19.620287] __asan_report_load1_noabort+0x18/0x20
[ 19.620358] kmem_cache_rcu_uaf+0x3e3/0x510
[ 19.620434] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 19.620497] ? finish_task_switch.isra.0+0x153/0x700
[ 19.620548] ? __switch_to+0x47/0xf50
[ 19.620591] ? __pfx_read_tsc+0x10/0x10
[ 19.620621] ? ktime_get_ts64+0x86/0x230
[ 19.620657] kunit_try_run_case+0x1a5/0x480
[ 19.620690] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.620764] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 19.620809] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.620845] ? __kthread_parkme+0x82/0x180
[ 19.620876] ? preempt_count_sub+0x50/0x80
[ 19.620906] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.620936] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.620973] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.621039] kthread+0x337/0x6f0
[ 19.621070] ? trace_preempt_on+0x20/0xc0
[ 19.621107] ? __pfx_kthread+0x10/0x10
[ 19.621138] ? _raw_spin_unlock_irq+0x47/0x80
[ 19.621174] ? calculate_sigpending+0x7b/0xa0
[ 19.621209] ? __pfx_kthread+0x10/0x10
[ 19.621239] ret_from_fork+0x116/0x1d0
[ 19.621265] ? __pfx_kthread+0x10/0x10
[ 19.621295] ret_from_fork_asm+0x1a/0x30
[ 19.621338] </TASK>
[ 19.621355]
[ 19.634804] Allocated by task 230:
[ 19.635116] kasan_save_stack+0x45/0x70
[ 19.635437] kasan_save_track+0x18/0x40
[ 19.635877] kasan_save_alloc_info+0x3b/0x50
[ 19.636352] __kasan_slab_alloc+0x91/0xa0
[ 19.636795] kmem_cache_alloc_noprof+0x123/0x3f0
[ 19.637538] kmem_cache_rcu_uaf+0x155/0x510
[ 19.638071] kunit_try_run_case+0x1a5/0x480
[ 19.638414] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.638810] kthread+0x337/0x6f0
[ 19.639197] ret_from_fork+0x116/0x1d0
[ 19.639869] ret_from_fork_asm+0x1a/0x30
[ 19.640309]
[ 19.640537] Freed by task 0:
[ 19.640913] kasan_save_stack+0x45/0x70
[ 19.641354] kasan_save_track+0x18/0x40
[ 19.641716] kasan_save_free_info+0x3f/0x60
[ 19.642173] __kasan_slab_free+0x56/0x70
[ 19.642529] slab_free_after_rcu_debug+0xe4/0x310
[ 19.643133] rcu_core+0x66f/0x1c40
[ 19.643519] rcu_core_si+0x12/0x20
[ 19.643913] handle_softirqs+0x209/0x730
[ 19.644262] __irq_exit_rcu+0xc9/0x110
[ 19.644567] irq_exit_rcu+0x12/0x20
[ 19.645155] sysvec_apic_timer_interrupt+0x81/0x90
[ 19.645653] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 19.646180]
[ 19.646421] Last potentially related work creation:
[ 19.646750] kasan_save_stack+0x45/0x70
[ 19.647183] kasan_record_aux_stack+0xb2/0xc0
[ 19.647627] kmem_cache_free+0x131/0x420
[ 19.648042] kmem_cache_rcu_uaf+0x194/0x510
[ 19.648431] kunit_try_run_case+0x1a5/0x480
[ 19.648766] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.649423] kthread+0x337/0x6f0
[ 19.649802] ret_from_fork+0x116/0x1d0
[ 19.650339] ret_from_fork_asm+0x1a/0x30
[ 19.650806]
[ 19.651025] The buggy address belongs to the object at ffff888102b6e000
[ 19.651025]  which belongs to the cache test_cache of size 200
[ 19.651902] The buggy address is located 0 bytes inside of
[ 19.651902]  freed 200-byte region [ffff888102b6e000, ffff888102b6e0c8)
[ 19.652862]
[ 19.653127] The buggy address belongs to the physical page:
[ 19.653576] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b6e
[ 19.654280] flags: 0x200000000000000(node=0|zone=2)
[ 19.654644] page_type: f5(slab)
[ 19.655033] raw: 0200000000000000 ffff888101934a00 dead000000000122 0000000000000000
[ 19.655750] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 19.656380] page dumped because: kasan: bad access detected
[ 19.656796]
[ 19.657041] Memory state around the buggy address:
[ 19.657497]  ffff888102b6df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.658191]  ffff888102b6df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.658654] >ffff888102b6e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.659305]                    ^
[ 19.659686]  ffff888102b6e080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 19.660273]  ffff888102b6e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.660804] ==================================================================
[ 61.103240] ==================================================================
[ 61.114898] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x430/0x550
[ 61.122131] Read of size 1 at addr cc896000 by task kunit_try_catch/265
[ 61.128814]
[ 61.130310] CPU: 1 UID: 0 PID: 265 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 61.130371] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 61.130371] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 61.130401] Call trace:
[ 61.130401] unwind_backtrace from show_stack+0x18/0x1c
[ 61.130462] show_stack from dump_stack_lvl+0x70/0x90
[ 61.130493] dump_stack_lvl from print_report+0x158/0x528
[ 61.130523] print_report from kasan_report+0xdc/0x118
[ 61.130554] kasan_report from kmem_cache_rcu_uaf+0x430/0x550
[ 61.130584] kmem_cache_rcu_uaf from kunit_try_run_case+0x22c/0x5a8
[ 61.130645] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.130676] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 61.130737] kthread from ret_from_fork+0x14/0x20
[ 61.130767] Exception stack(0xf23a3fb0 to 0xf23a3ff8)
[ 61.130767] 3fa0: 00000000 00000000 00000000 00000000
[ 61.130798] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 61.130828] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 61.130828]
[ 61.236816] Allocated by task 265:
[ 61.240264] kasan_save_track+0x30/0x5c
[ 61.244140] __kasan_slab_alloc+0x60/0x68
[ 61.248168] kmem_cache_alloc_noprof+0x17c/0x36c
[ 61.252838] kmem_cache_rcu_uaf+0x174/0x550
[ 61.257080] kunit_try_run_case+0x22c/0x5a8
[ 61.261322] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.266845] kthread+0x464/0x810
[ 61.270111] ret_from_fork+0x14/0x20
[ 61.273742]
[ 61.275238] Freed by task 22:
[ 61.278228] kasan_save_track+0x30/0x5c
[ 61.282104] kasan_save_free_info+0x3c/0x48
[ 61.286346] __kasan_slab_free+0x40/0x50
[ 61.290313] slab_free_after_rcu_debug+0xb0/0x290
[ 61.295043] rcu_core+0x84c/0x1aa4
[ 61.298492] handle_softirqs+0x3d8/0xc7c
[ 61.302459] run_ksoftirqd+0x7c/0x9c
[ 61.306091] smpboot_thread_fn+0x46c/0xa68
[ 61.310241] kthread+0x464/0x810
[ 61.313507] ret_from_fork+0x14/0x20
[ 61.317108]
[ 61.318603] Last potentially related work creation:
[ 61.323516] kasan_save_stack+0x30/0x4c
[ 61.327392] kasan_record_aux_stack+0x80/0x88
[ 61.331817] kmem_cache_free+0x1f0/0x470
[ 61.335784] kmem_cache_rcu_uaf+0x1b8/0x550
[ 61.339996] kunit_try_run_case+0x22c/0x5a8
[ 61.344238] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.349792] kthread+0x464/0x810
[ 61.353057] ret_from_fork+0x14/0x20
[ 61.356658]
[ 61.358154] The buggy address belongs to the object at cc896000
[ 61.358154]  which belongs to the cache test_cache of size 200
[ 61.369995] The buggy address is located 0 bytes inside of
[ 61.369995]  freed 200-byte region [cc896000, cc8960c8)
[ 61.380767]
[ 61.382293] The buggy address belongs to the physical page:
[ 61.387908] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c896
[ 61.395172] flags: 0x0(zone=0)
[ 61.398284] page_type: f5(slab)
[ 61.401458] raw: 00000000 cc85a300 00000122 00000000 00000000 800f000f f5000000 00000000
[ 61.409606] raw: 00000000
[ 61.412261] page dumped because: kasan: bad access detected
[ 61.417877]
[ 61.419372] Memory state around the buggy address:
[ 61.424224]  cc895f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.430786]  cc895f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.437377] >cc896000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.443969]            ^
[ 61.446502]  cc896080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 61.453094]  cc896100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.459686] ==================================================================