Hay
Sign in
Date
July 8, 2025, 11:10 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   32.206453] ==================================================================
[   32.206781] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   32.206899] Read of size 1 at addr fff00000c9ad4000 by task kunit_try_catch/244
[   32.206953] 
[   32.207000] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT 
[   32.207194] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.207239] Hardware name: linux,dummy-virt (DT)
[   32.207292] Call trace:
[   32.207548]  show_stack+0x20/0x38 (C)
[   32.207701]  dump_stack_lvl+0x8c/0xd0
[   32.207793]  print_report+0x118/0x5d0
[   32.207869]  kasan_report+0xdc/0x128
[   32.207918]  __asan_report_load1_noabort+0x20/0x30
[   32.208157]  kmem_cache_rcu_uaf+0x388/0x468
[   32.208304]  kunit_try_run_case+0x170/0x3f0
[   32.208371]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.208427]  kthread+0x328/0x630
[   32.208725]  ret_from_fork+0x10/0x20
[   32.208933] 
[   32.208995] Allocated by task 244:
[   32.209165]  kasan_save_stack+0x3c/0x68
[   32.209303]  kasan_save_track+0x20/0x40
[   32.209372]  kasan_save_alloc_info+0x40/0x58
[   32.209435]  __kasan_slab_alloc+0xa8/0xb0
[   32.209557]  kmem_cache_alloc_noprof+0x10c/0x398
[   32.209638]  kmem_cache_rcu_uaf+0x12c/0x468
[   32.209745]  kunit_try_run_case+0x170/0x3f0
[   32.209858]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.210077]  kthread+0x328/0x630
[   32.210177]  ret_from_fork+0x10/0x20
[   32.210350] 
[   32.210425] Freed by task 0:
[   32.210485]  kasan_save_stack+0x3c/0x68
[   32.210715]  kasan_save_track+0x20/0x40
[   32.210804]  kasan_save_free_info+0x4c/0x78
[   32.210953]  __kasan_slab_free+0x6c/0x98
[   32.211017]  slab_free_after_rcu_debug+0xd4/0x2f8
[   32.211147]  rcu_core+0x9f4/0x1e20
[   32.211250]  rcu_core_si+0x18/0x30
[   32.211338]  handle_softirqs+0x374/0xb28
[   32.211427]  __do_softirq+0x1c/0x28
[   32.211500] 
[   32.211789] Last potentially related work creation:
[   32.211844]  kasan_save_stack+0x3c/0x68
[   32.211907]  kasan_record_aux_stack+0xb4/0xc8
[   32.212037]  kmem_cache_free+0x120/0x468
[   32.212106]  kmem_cache_rcu_uaf+0x16c/0x468
[   32.212323]  kunit_try_run_case+0x170/0x3f0
[   32.212445]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.212501]  kthread+0x328/0x630
[   32.212536]  ret_from_fork+0x10/0x20
[   32.212788] 
[   32.213026] The buggy address belongs to the object at fff00000c9ad4000
[   32.213026]  which belongs to the cache test_cache of size 200
[   32.213138] The buggy address is located 0 bytes inside of
[   32.213138]  freed 200-byte region [fff00000c9ad4000, fff00000c9ad40c8)
[   32.213300] 
[   32.213328] The buggy address belongs to the physical page:
[   32.213361] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ad4
[   32.213644] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.213797] page_type: f5(slab)
[   32.213898] raw: 0bfffe0000000000 fff00000c5c50dc0 dead000000000122 0000000000000000
[   32.214015] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   32.214076] page dumped because: kasan: bad access detected
[   32.214196] 
[   32.214269] Memory state around the buggy address:
[   32.214329]  fff00000c9ad3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.214464]  fff00000c9ad3f80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   32.214519] >fff00000c9ad4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.214569]                    ^
[   32.214633]  fff00000c9ad4080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   32.214818]  fff00000c9ad4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.214996] ==================================================================
Metadata Full log Test run details 

[   24.163157] ==================================================================
[   24.163622] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   24.164291] Read of size 1 at addr ffff8881059c5000 by task kunit_try_catch/261
[   24.165049] 
[   24.165367] CPU: 0 UID: 0 PID: 261 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT(voluntary) 
[   24.165459] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.165472] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.165498] Call Trace:
[   24.165521]  <TASK>
[   24.165543]  dump_stack_lvl+0x73/0xb0
[   24.165581]  print_report+0xd1/0x610
[   24.165606]  ? __virt_addr_valid+0x1db/0x2d0
[   24.165634]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   24.165660]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.165689]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   24.165715]  kasan_report+0x141/0x180
[   24.165737]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   24.165965]  __asan_report_load1_noabort+0x18/0x20
[   24.165997]  kmem_cache_rcu_uaf+0x3e3/0x510
[   24.166024]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   24.166049]  ? finish_task_switch.isra.0+0x153/0x700
[   24.166074]  ? __switch_to+0x47/0xf50
[   24.166108]  ? __pfx_read_tsc+0x10/0x10
[   24.166134]  ? ktime_get_ts64+0x86/0x230
[   24.166163]  kunit_try_run_case+0x1a5/0x480
[   24.166189]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.166210]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.166234]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.166278]  ? __kthread_parkme+0x82/0x180
[   24.166300]  ? preempt_count_sub+0x50/0x80
[   24.166324]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.166346]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.166374]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.166400]  kthread+0x337/0x6f0
[   24.166422]  ? trace_preempt_on+0x20/0xc0
[   24.166448]  ? __pfx_kthread+0x10/0x10
[   24.166471]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.166498]  ? calculate_sigpending+0x7b/0xa0
[   24.166526]  ? __pfx_kthread+0x10/0x10
[   24.166550]  ret_from_fork+0x116/0x1d0
[   24.166569]  ? __pfx_kthread+0x10/0x10
[   24.166591]  ret_from_fork_asm+0x1a/0x30
[   24.166627]  </TASK>
[   24.166640] 
[   24.176540] Allocated by task 261:
[   24.176744]  kasan_save_stack+0x45/0x70
[   24.177315]  kasan_save_track+0x18/0x40
[   24.177495]  kasan_save_alloc_info+0x3b/0x50
[   24.177654]  __kasan_slab_alloc+0x91/0xa0
[   24.178389]  kmem_cache_alloc_noprof+0x123/0x3f0
[   24.178594]  kmem_cache_rcu_uaf+0x155/0x510
[   24.178945]  kunit_try_run_case+0x1a5/0x480
[   24.179349]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.179560]  kthread+0x337/0x6f0
[   24.179964]  ret_from_fork+0x116/0x1d0
[   24.180284]  ret_from_fork_asm+0x1a/0x30
[   24.180627] 
[   24.180727] Freed by task 0:
[   24.180918]  kasan_save_stack+0x45/0x70
[   24.181395]  kasan_save_track+0x18/0x40
[   24.181588]  kasan_save_free_info+0x3f/0x60
[   24.181953]  __kasan_slab_free+0x56/0x70
[   24.182231]  slab_free_after_rcu_debug+0xe4/0x310
[   24.182469]  rcu_core+0x66f/0x1c40
[   24.182634]  rcu_core_si+0x12/0x20
[   24.183043]  handle_softirqs+0x209/0x730
[   24.183234]  __irq_exit_rcu+0xc9/0x110
[   24.183392]  irq_exit_rcu+0x12/0x20
[   24.183567]  sysvec_apic_timer_interrupt+0x81/0x90
[   24.183731]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   24.184047] 
[   24.184149] Last potentially related work creation:
[   24.184356]  kasan_save_stack+0x45/0x70
[   24.184542]  kasan_record_aux_stack+0xb2/0xc0
[   24.184743]  kmem_cache_free+0x131/0x420
[   24.184981]  kmem_cache_rcu_uaf+0x194/0x510
[   24.185121]  kunit_try_run_case+0x1a5/0x480
[   24.185288]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.185568]  kthread+0x337/0x6f0
[   24.185732]  ret_from_fork+0x116/0x1d0
[   24.185944]  ret_from_fork_asm+0x1a/0x30
[   24.186226] 
[   24.186324] The buggy address belongs to the object at ffff8881059c5000
[   24.186324]  which belongs to the cache test_cache of size 200
[   24.186805] The buggy address is located 0 bytes inside of
[   24.186805]  freed 200-byte region [ffff8881059c5000, ffff8881059c50c8)
[   24.187535] 
[   24.187690] The buggy address belongs to the physical page:
[   24.188205] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059c5
[   24.188626] flags: 0x200000000000000(node=0|zone=2)
[   24.188790] page_type: f5(slab)
[   24.188908] raw: 0200000000000000 ffff888101ea6280 dead000000000122 0000000000000000
[   24.189356] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   24.189701] page dumped because: kasan: bad access detected
[   24.189996] 
[   24.190097] Memory state around the buggy address:
[   24.190349]  ffff8881059c4f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.190558]  ffff8881059c4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.191105] >ffff8881059c5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.191437]                    ^
[   24.191573]  ffff8881059c5080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   24.192192]  ffff8881059c5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.192529] ==================================================================
Metadata Full log Test run details