Date
June 20, 2025, 12:38 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 33.565738] ==================================================================
[ 33.565949] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 33.566124] Read of size 1 at addr fff00000c769b000 by task kunit_try_catch/224
[ 33.566258]
[ 33.566353] CPU: 0 UID: 0 PID: 224 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT
[ 33.566574] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.567679] Hardware name: linux,dummy-virt (DT)
[ 33.567842] Call trace:
[ 33.567920]  show_stack+0x20/0x38 (C)
[ 33.568067]  dump_stack_lvl+0x8c/0xd0
[ 33.568541]  print_report+0x118/0x608
[ 33.568850]  kasan_report+0xdc/0x128
[ 33.569113]  __asan_report_load1_noabort+0x20/0x30
[ 33.569216]  kmem_cache_rcu_uaf+0x388/0x468
[ 33.569303]  kunit_try_run_case+0x170/0x3f0
[ 33.569672]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.569891]  kthread+0x328/0x630
[ 33.570001]  ret_from_fork+0x10/0x20
[ 33.570324]
[ 33.570395] Allocated by task 224:
[ 33.570537]  kasan_save_stack+0x3c/0x68
[ 33.570768]  kasan_save_track+0x20/0x40
[ 33.571005]  kasan_save_alloc_info+0x40/0x58
[ 33.571182]  __kasan_slab_alloc+0xa8/0xb0
[ 33.571324]  kmem_cache_alloc_noprof+0x10c/0x398
[ 33.571652]  kmem_cache_rcu_uaf+0x12c/0x468
[ 33.571752]  kunit_try_run_case+0x170/0x3f0
[ 33.571997]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.572273]  kthread+0x328/0x630
[ 33.572529]  ret_from_fork+0x10/0x20
[ 33.572776]
[ 33.573087] Freed by task 0:
[ 33.573266]  kasan_save_stack+0x3c/0x68
[ 33.573400]  kasan_save_track+0x20/0x40
[ 33.573490]  kasan_save_free_info+0x4c/0x78
[ 33.573646]  __kasan_slab_free+0x6c/0x98
[ 33.573911]  slab_free_after_rcu_debug+0xd4/0x2f8
[ 33.574115]  rcu_core+0x9f4/0x1e20
[ 33.574273]  rcu_core_si+0x18/0x30
[ 33.574419]  handle_softirqs+0x374/0xb28
[ 33.574735]  __do_softirq+0x1c/0x28
[ 33.574938]
[ 33.574986] Last potentially related work creation:
[ 33.575055]  kasan_save_stack+0x3c/0x68
[ 33.575694]  kasan_record_aux_stack+0xb4/0xc8
[ 33.575935]  kmem_cache_free+0x120/0x468
[ 33.576030]  kmem_cache_rcu_uaf+0x16c/0x468
[ 33.576374]  kunit_try_run_case+0x170/0x3f0
[ 33.576478]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.576588]  kthread+0x328/0x630
[ 33.576819]  ret_from_fork+0x10/0x20
[ 33.577042]
[ 33.577112] The buggy address belongs to the object at fff00000c769b000
[ 33.577112]  which belongs to the cache test_cache of size 200
[ 33.577547] The buggy address is located 0 bytes inside of
[ 33.577547]  freed 200-byte region [fff00000c769b000, fff00000c769b0c8)
[ 33.577683]
[ 33.577810] The buggy address belongs to the physical page:
[ 33.578053] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10769b
[ 33.578370] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.578738] page_type: f5(slab)
[ 33.578981] raw: 0bfffe0000000000 fff00000c1b9ea00 dead000000000122 0000000000000000
[ 33.579358] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 33.579556] page dumped because: kasan: bad access detected
[ 33.579726]
[ 33.579799] Memory state around the buggy address:
[ 33.580041]  fff00000c769af00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.580282]  fff00000c769af80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.580466] >fff00000c769b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.580551]                    ^
[ 33.580618]  fff00000c769b080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 33.581030]  fff00000c769b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.581136] ==================================================================
```
qemu-x86_64:

```text
[ 26.526012] ==================================================================
[ 26.526588] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 26.527046] Read of size 1 at addr ffff888102331000 by task kunit_try_catch/242
[ 26.527495]
[ 26.528008] CPU: 0 UID: 0 PID: 242 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary)
[ 26.528090] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.528105] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.528132] Call Trace:
[ 26.528150]  <TASK>
[ 26.528176]  dump_stack_lvl+0x73/0xb0
[ 26.528216]  print_report+0xd1/0x650
[ 26.528242]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.528271]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 26.528297]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.528327]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 26.528353]  kasan_report+0x141/0x180
[ 26.528377]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 26.528408]  __asan_report_load1_noabort+0x18/0x20
[ 26.528436]  kmem_cache_rcu_uaf+0x3e3/0x510
[ 26.528477]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 26.528502]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.528530]  ? __switch_to+0x47/0xf50
[ 26.528582]  ? __pfx_read_tsc+0x10/0x10
[ 26.528609]  ? ktime_get_ts64+0x86/0x230
[ 26.528651]  kunit_try_run_case+0x1a5/0x480
[ 26.528683]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.528709]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.528736]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.528762]  ? __kthread_parkme+0x82/0x180
[ 26.528787]  ? preempt_count_sub+0x50/0x80
[ 26.528813]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.528855]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.528885]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.528911]  kthread+0x337/0x6f0
[ 26.528934]  ? trace_preempt_on+0x20/0xc0
[ 26.528962]  ? __pfx_kthread+0x10/0x10
[ 26.528986]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.529010]  ? calculate_sigpending+0x7b/0xa0
[ 26.529039]  ? __pfx_kthread+0x10/0x10
[ 26.529063]  ret_from_fork+0x116/0x1d0
[ 26.529084]  ? __pfx_kthread+0x10/0x10
[ 26.529107]  ret_from_fork_asm+0x1a/0x30
[ 26.529141]  </TASK>
[ 26.529157]
[ 26.540085] Allocated by task 242:
[ 26.540234]  kasan_save_stack+0x45/0x70
[ 26.540533]  kasan_save_track+0x18/0x40
[ 26.540701]  kasan_save_alloc_info+0x3b/0x50
[ 26.540813]  __kasan_slab_alloc+0x91/0xa0
[ 26.541106]  kmem_cache_alloc_noprof+0x123/0x3f0
[ 26.541487]  kmem_cache_rcu_uaf+0x155/0x510
[ 26.541959]  kunit_try_run_case+0x1a5/0x480
[ 26.542309]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.542794]  kthread+0x337/0x6f0
[ 26.542993]  ret_from_fork+0x116/0x1d0
[ 26.543289]  ret_from_fork_asm+0x1a/0x30
[ 26.543468]
[ 26.543537] Freed by task 0:
[ 26.543802]  kasan_save_stack+0x45/0x70
[ 26.544022]  kasan_save_track+0x18/0x40
[ 26.544263]  kasan_save_free_info+0x3f/0x60
[ 26.544519]  __kasan_slab_free+0x56/0x70
[ 26.544747]  slab_free_after_rcu_debug+0xe4/0x310
[ 26.545469]  rcu_core+0x66f/0x1c40
[ 26.545692]  rcu_core_si+0x12/0x20
[ 26.545902]  handle_softirqs+0x209/0x730
[ 26.546150]  __irq_exit_rcu+0xc9/0x110
[ 26.546378]  irq_exit_rcu+0x12/0x20
[ 26.546617]  sysvec_apic_timer_interrupt+0x81/0x90
[ 26.546888]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 26.547107]
[ 26.547199] Last potentially related work creation:
[ 26.547436]  kasan_save_stack+0x45/0x70
[ 26.548113]  kasan_record_aux_stack+0xb2/0xc0
[ 26.548255]  kmem_cache_free+0x131/0x420
[ 26.548359]  kmem_cache_rcu_uaf+0x194/0x510
[ 26.548479]  kunit_try_run_case+0x1a5/0x480
[ 26.548883]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.549365]  kthread+0x337/0x6f0
[ 26.549725]  ret_from_fork+0x116/0x1d0
[ 26.549911]  ret_from_fork_asm+0x1a/0x30
[ 26.550022]
[ 26.550091] The buggy address belongs to the object at ffff888102331000
[ 26.550091]  which belongs to the cache test_cache of size 200
[ 26.550991] The buggy address is located 0 bytes inside of
[ 26.550991]  freed 200-byte region [ffff888102331000, ffff8881023310c8)
[ 26.551426]
[ 26.551989] The buggy address belongs to the physical page:
[ 26.552382] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102331
[ 26.552949] flags: 0x200000000000000(node=0|zone=2)
[ 26.553197] page_type: f5(slab)
[ 26.553437] raw: 0200000000000000 ffff8881017a3780 dead000000000122 0000000000000000
[ 26.554009] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 26.554389] page dumped because: kasan: bad access detected
[ 26.554849]
[ 26.554960] Memory state around the buggy address:
[ 26.555160]  ffff888102330f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.555527]  ffff888102330f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.555937] >ffff888102331000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.556097]                    ^
[ 26.556571]  ffff888102331080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 26.556984]  ffff888102331100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.557485] ==================================================================
```