Date: July 3, 2025, 10:10 a.m.

| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 46.712321] ==================================================================
[ 46.724106] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 46.731347] Read of size 1 at addr ffff0000952aa000 by task kunit_try_catch/322
[ 46.738751]
[ 46.740292] CPU: 6 UID: 0 PID: 322 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 46.740329] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 46.740340] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 46.740355] Call trace:
[ 46.740364]  show_stack+0x20/0x38 (C)
[ 46.740386]  dump_stack_lvl+0x8c/0xd0
[ 46.740408]  print_report+0x118/0x608
[ 46.740429]  kasan_report+0xdc/0x128
[ 46.740447]  __asan_report_load1_noabort+0x20/0x30
[ 46.740464]  kmem_cache_rcu_uaf+0x388/0x468
[ 46.740480]  kunit_try_run_case+0x170/0x3f0
[ 46.740502]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.740525]  kthread+0x328/0x630
[ 46.740541]  ret_from_fork+0x10/0x20
[ 46.740560]
[ 46.806243] Allocated by task 322:
[ 46.809699]  kasan_save_stack+0x3c/0x68
[ 46.813610]  kasan_save_track+0x20/0x40
[ 46.817515]  kasan_save_alloc_info+0x40/0x58
[ 46.821850]  __kasan_slab_alloc+0xa8/0xb0
[ 46.825928]  kmem_cache_alloc_noprof+0x10c/0x398
[ 46.830618]  kmem_cache_rcu_uaf+0x12c/0x468
[ 46.834870]  kunit_try_run_case+0x170/0x3f0
[ 46.839120]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.844685]  kthread+0x328/0x630
[ 46.847967]  ret_from_fork+0x10/0x20
[ 46.851599]
[ 46.853122] Freed by task 0:
[ 46.856056]  kasan_save_stack+0x3c/0x68
[ 46.859961]  kasan_save_track+0x20/0x40
[ 46.863864]  kasan_save_free_info+0x4c/0x78
[ 46.868111]  __kasan_slab_free+0x6c/0x98
[ 46.872101]  slab_free_after_rcu_debug+0xd4/0x2f8
[ 46.876876]  rcu_core+0x9f4/0x1e20
[ 46.880337]  rcu_core_si+0x18/0x30
[ 46.883796]  handle_softirqs+0x374/0xb28
[ 46.887789]  __do_softirq+0x1c/0x28
[ 46.891335]
[ 46.892858] Last potentially related work creation:
[ 46.897797]  kasan_save_stack+0x3c/0x68
[ 46.901704]  kasan_record_aux_stack+0xb4/0xc8
[ 46.906126]  kmem_cache_free+0x120/0x468
[ 46.910120]  kmem_cache_rcu_uaf+0x16c/0x468
[ 46.914372]  kunit_try_run_case+0x170/0x3f0
[ 46.918622]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.924185]  kthread+0x328/0x630
[ 46.927469]  ret_from_fork+0x10/0x20
[ 46.931103]
[ 46.932634] The buggy address belongs to the object at ffff0000952aa000
[ 46.932634]  which belongs to the cache test_cache of size 200
[ 46.945207] The buggy address is located 0 bytes inside of
[ 46.945207]  freed 200-byte region [ffff0000952aa000, ffff0000952aa0c8)
[ 46.957422]
[ 46.958947] The buggy address belongs to the physical page:
[ 46.964590] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1152aa
[ 46.972695] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 46.980449] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 46.987505] page_type: f5(slab)
[ 46.990711] raw: 0bfffe0000000040 ffff000087bc8f00 dead000000000122 0000000000000000
[ 46.998556] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 47.006398] head: 0bfffe0000000040 ffff000087bc8f00 dead000000000122 0000000000000000
[ 47.014324] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 47.022251] head: 0bfffe0000000001 fffffdffc254aa81 00000000ffffffff 00000000ffffffff
[ 47.030176] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 47.038098] page dumped because: kasan: bad access detected
[ 47.043746]
[ 47.045269] Memory state around the buggy address:
[ 47.050133]  ffff0000952a9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.057446]  ffff0000952a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.064759] >ffff0000952aa000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.072074]                    ^
[ 47.075354]  ffff0000952aa080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 47.082672]  ffff0000952aa100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.089984] ==================================================================
```
```
[ 32.320723] ==================================================================
[ 32.320853] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 32.320941] Read of size 1 at addr fff00000c926e000 by task kunit_try_catch/245
[ 32.320996]
[ 32.321044] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 32.321137] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.321165] Hardware name: linux,dummy-virt (DT)
[ 32.321202] Call trace:
[ 32.321228]  show_stack+0x20/0x38 (C)
[ 32.321282]  dump_stack_lvl+0x8c/0xd0
[ 32.321338]  print_report+0x118/0x608
[ 32.321388]  kasan_report+0xdc/0x128
[ 32.321435]  __asan_report_load1_noabort+0x20/0x30
[ 32.321484]  kmem_cache_rcu_uaf+0x388/0x468
[ 32.321533]  kunit_try_run_case+0x170/0x3f0
[ 32.321588]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.321644]  kthread+0x328/0x630
[ 32.321687]  ret_from_fork+0x10/0x20
[ 32.321737]
[ 32.321757] Allocated by task 245:
[ 32.321788]  kasan_save_stack+0x3c/0x68
[ 32.321842]  kasan_save_track+0x20/0x40
[ 32.321883]  kasan_save_alloc_info+0x40/0x58
[ 32.321921]  __kasan_slab_alloc+0xa8/0xb0
[ 32.321967]  kmem_cache_alloc_noprof+0x10c/0x398
[ 32.322010]  kmem_cache_rcu_uaf+0x12c/0x468
[ 32.322049]  kunit_try_run_case+0x170/0x3f0
[ 32.322089]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.322135]  kthread+0x328/0x630
[ 32.322168]  ret_from_fork+0x10/0x20
[ 32.322204]
[ 32.322225] Freed by task 0:
[ 32.322250]  kasan_save_stack+0x3c/0x68
[ 32.322288]  kasan_save_track+0x20/0x40
[ 32.322326]  kasan_save_free_info+0x4c/0x78
[ 32.322364]  __kasan_slab_free+0x6c/0x98
[ 32.322403]  slab_free_after_rcu_debug+0xd4/0x2f8
[ 32.322444]  rcu_core+0x9f4/0x1e20
[ 32.322484]  rcu_core_si+0x18/0x30
[ 32.322518]  handle_softirqs+0x374/0xb28
[ 32.322559]  __do_softirq+0x1c/0x28
[ 32.322592]
[ 32.322611] Last potentially related work creation:
[ 32.322638]  kasan_save_stack+0x3c/0x68
[ 32.322678]  kasan_record_aux_stack+0xb4/0xc8
[ 32.322717]  kmem_cache_free+0x120/0x468
[ 32.322755]  kmem_cache_rcu_uaf+0x16c/0x468
[ 32.322794]  kunit_try_run_case+0x170/0x3f0
[ 32.322841]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.322889]  kthread+0x328/0x630
[ 32.322921]  ret_from_fork+0x10/0x20
[ 32.322956]
[ 32.322975] The buggy address belongs to the object at fff00000c926e000
[ 32.322975]  which belongs to the cache test_cache of size 200
[ 32.323035] The buggy address is located 0 bytes inside of
[ 32.323035]  freed 200-byte region [fff00000c926e000, fff00000c926e0c8)
[ 32.323099]
[ 32.323120] The buggy address belongs to the physical page:
[ 32.323156] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10926e
[ 32.323214] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.323269] page_type: f5(slab)
[ 32.323315] raw: 0bfffe0000000000 fff00000c593a140 dead000000000122 0000000000000000
[ 32.323368] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 32.323411] page dumped because: kasan: bad access detected
[ 32.323443]
[ 32.323460] Memory state around the buggy address:
[ 32.323495]  fff00000c926df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.323540]  fff00000c926df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.323583] >fff00000c926e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.323623]                    ^
[ 32.323651]  fff00000c926e080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 32.323694]  fff00000c926e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.323733] ==================================================================
```
```
[ 23.953443] ==================================================================
[ 23.953871] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 23.954115] Read of size 1 at addr ffff888105ac6000 by task kunit_try_catch/262
[ 23.955429]
[ 23.955707] CPU: 0 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.955765] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.955778] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.955802] Call Trace:
[ 23.955816]  <TASK>
[ 23.956016]  dump_stack_lvl+0x73/0xb0
[ 23.956055]  print_report+0xd1/0x650
[ 23.956080]  ? __virt_addr_valid+0x1db/0x2d0
[ 23.956106]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 23.956129]  ? kasan_complete_mode_report_info+0x64/0x200
[ 23.956175]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 23.956222]  kasan_report+0x141/0x180
[ 23.956245]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 23.956271]  __asan_report_load1_noabort+0x18/0x20
[ 23.956296]  kmem_cache_rcu_uaf+0x3e3/0x510
[ 23.956318]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 23.956340]  ? irqentry_exit+0x2a/0x60
[ 23.956364]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 23.956392]  ? __pfx_read_tsc+0x10/0x10
[ 23.956416]  ? ktime_get_ts64+0x86/0x230
[ 23.956442]  kunit_try_run_case+0x1a5/0x480
[ 23.956480]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.956504]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.956526]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.956551]  ? __kthread_parkme+0x82/0x180
[ 23.956573]  ? preempt_count_sub+0x50/0x80
[ 23.956597]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.956622]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.956645]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.956670]  kthread+0x337/0x6f0
[ 23.956690]  ? trace_preempt_on+0x20/0xc0
[ 23.956713]  ? __pfx_kthread+0x10/0x10
[ 23.956734]  ? _raw_spin_unlock_irq+0x47/0x80
[ 23.956757]  ? calculate_sigpending+0x7b/0xa0
[ 23.956782]  ? __pfx_kthread+0x10/0x10
[ 23.956804]  ret_from_fork+0x116/0x1d0
[ 23.956822]  ? __pfx_kthread+0x10/0x10
[ 23.956843]  ret_from_fork_asm+0x1a/0x30
[ 23.956875]  </TASK>
[ 23.956888]
[ 23.971313] Allocated by task 262:
[ 23.971669]  kasan_save_stack+0x45/0x70
[ 23.971842]  kasan_save_track+0x18/0x40
[ 23.972076]  kasan_save_alloc_info+0x3b/0x50
[ 23.972310]  __kasan_slab_alloc+0x91/0xa0
[ 23.972491]  kmem_cache_alloc_noprof+0x123/0x3f0
[ 23.972712]  kmem_cache_rcu_uaf+0x155/0x510
[ 23.972854]  kunit_try_run_case+0x1a5/0x480
[ 23.973062]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.973624]  kthread+0x337/0x6f0
[ 23.973793]  ret_from_fork+0x116/0x1d0
[ 23.974011]  ret_from_fork_asm+0x1a/0x30
[ 23.974329]
[ 23.974452] Freed by task 0:
[ 23.974616]  kasan_save_stack+0x45/0x70
[ 23.974757]  kasan_save_track+0x18/0x40
[ 23.974919]  kasan_save_free_info+0x3f/0x60
[ 23.975156]  __kasan_slab_free+0x56/0x70
[ 23.975513]  slab_free_after_rcu_debug+0xe4/0x310
[ 23.975777]  rcu_core+0x66f/0x1c40
[ 23.975970]  rcu_core_si+0x12/0x20
[ 23.976140]  handle_softirqs+0x209/0x730
[ 23.976328]  __irq_exit_rcu+0xc9/0x110
[ 23.976517]  irq_exit_rcu+0x12/0x20
[ 23.976728]  sysvec_apic_timer_interrupt+0x81/0x90
[ 23.976900]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 23.977142]
[ 23.977440] Last potentially related work creation:
[ 23.977701]  kasan_save_stack+0x45/0x70
[ 23.977961]  kasan_record_aux_stack+0xb2/0xc0
[ 23.978239]  kmem_cache_free+0x131/0x420
[ 23.978467]  kmem_cache_rcu_uaf+0x194/0x510
[ 23.978652]  kunit_try_run_case+0x1a5/0x480
[ 23.978800]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.979052]  kthread+0x337/0x6f0
[ 23.979354]  ret_from_fork+0x116/0x1d0
[ 23.979588]  ret_from_fork_asm+0x1a/0x30
[ 23.979875]
[ 23.979941] The buggy address belongs to the object at ffff888105ac6000
[ 23.979941]  which belongs to the cache test_cache of size 200
[ 23.980376] The buggy address is located 0 bytes inside of
[ 23.980376]  freed 200-byte region [ffff888105ac6000, ffff888105ac60c8)
[ 23.981442]
[ 23.981548] The buggy address belongs to the physical page:
[ 23.981820] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ac6
[ 23.982635] flags: 0x200000000000000(node=0|zone=2)
[ 23.982828] page_type: f5(slab)
[ 23.983177] raw: 0200000000000000 ffff888101248c80 dead000000000122 0000000000000000
[ 23.983753] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 23.983989] page dumped because: kasan: bad access detected
[ 23.984162]
[ 23.984585] Memory state around the buggy address:
[ 23.984839]  ffff888105ac5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.985103]  ffff888105ac5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.985680] >ffff888105ac6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.986292]                    ^
[ 23.986574]  ffff888105ac6080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 23.986990]  ffff888105ac6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.987475] ==================================================================
```