Date
July 9, 2025, 1:08 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |

qemu-arm64:

```text
[ 30.600297] ==================================================================
[ 30.600395] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 30.600475] Read of size 1 at addr fff00000c96a2000 by task kunit_try_catch/245
[ 30.600526]
[ 30.600568] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250709 #1 PREEMPT
[ 30.600657] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.600683] Hardware name: linux,dummy-virt (DT)
[ 30.600719] Call trace:
[ 30.600744]  show_stack+0x20/0x38 (C)
[ 30.600798]  dump_stack_lvl+0x8c/0xd0
[ 30.600850]  print_report+0x118/0x5d0
[ 30.600894]  kasan_report+0xdc/0x128
[ 30.600936]  __asan_report_load1_noabort+0x20/0x30
[ 30.600985]  kmem_cache_rcu_uaf+0x388/0x468
[ 30.601032]  kunit_try_run_case+0x170/0x3f0
[ 30.601149]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.601234]  kthread+0x328/0x630
[ 30.601326]  ret_from_fork+0x10/0x20
[ 30.601379]
[ 30.601397] Allocated by task 245:
[ 30.601454]  kasan_save_stack+0x3c/0x68
[ 30.601498]  kasan_save_track+0x20/0x40
[ 30.601536]  kasan_save_alloc_info+0x40/0x58
[ 30.601572]  __kasan_slab_alloc+0xa8/0xb0
[ 30.601610]  kmem_cache_alloc_noprof+0x10c/0x398
[ 30.601651]  kmem_cache_rcu_uaf+0x12c/0x468
[ 30.601810]  kunit_try_run_case+0x170/0x3f0
[ 30.601929]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.602091]  kthread+0x328/0x630
[ 30.602128]  ret_from_fork+0x10/0x20
[ 30.602164]
[ 30.602183] Freed by task 0:
[ 30.602210]  kasan_save_stack+0x3c/0x68
[ 30.602247]  kasan_save_track+0x20/0x40
[ 30.602294]  kasan_save_free_info+0x4c/0x78
[ 30.602332]  __kasan_slab_free+0x6c/0x98
[ 30.602371]  slab_free_after_rcu_debug+0xd4/0x2f8
[ 30.602411]  rcu_core+0x9f4/0x1e20
[ 30.602450]  rcu_core_si+0x18/0x30
[ 30.602483]  handle_softirqs+0x374/0xb28
[ 30.602551]  __do_softirq+0x1c/0x28
[ 30.602593]
[ 30.602612] Last potentially related work creation:
[ 30.602647]  kasan_save_stack+0x3c/0x68
[ 30.602844]  kasan_record_aux_stack+0xb4/0xc8
[ 30.602880]  kmem_cache_free+0x120/0x468
[ 30.602924]  kmem_cache_rcu_uaf+0x16c/0x468
[ 30.603541]  kunit_try_run_case+0x170/0x3f0
[ 30.603603]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.603649]  kthread+0x328/0x630
[ 30.603751]  ret_from_fork+0x10/0x20
[ 30.603833]
[ 30.603852] The buggy address belongs to the object at fff00000c96a2000
[ 30.603852]  which belongs to the cache test_cache of size 200
[ 30.603911] The buggy address is located 0 bytes inside of
[ 30.603911]  freed 200-byte region [fff00000c96a2000, fff00000c96a20c8)
[ 30.603971]
[ 30.604034] The buggy address belongs to the physical page:
[ 30.604092] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1096a2
[ 30.604301] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.604400] page_type: f5(slab)
[ 30.604450] raw: 0bfffe0000000000 fff00000c4412a00 dead000000000122 0000000000000000
[ 30.604501] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 30.604543] page dumped because: kasan: bad access detected
[ 30.604622]
[ 30.604703] Memory state around the buggy address:
[ 30.604838]  fff00000c96a1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.604911]  fff00000c96a1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.604984] >fff00000c96a2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.605068]                    ^
[ 30.605101]  fff00000c96a2080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 30.605144]  fff00000c96a2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.605236] ==================================================================
```

qemu-x86_64:

```text
[ 24.875195] ==================================================================
[ 24.875669] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.876145] Read of size 1 at addr ffff8881050b5000 by task kunit_try_catch/263
[ 24.876444]
[ 24.876536] CPU: 0 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary)
[ 24.876593] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 24.876608] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.876633] Call Trace:
[ 24.876648]  <TASK>
[ 24.876671]  dump_stack_lvl+0x73/0xb0
[ 24.876719]  print_report+0xd1/0x610
[ 24.876743]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.876770]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.876792]  ? kasan_complete_mode_report_info+0x64/0x200
[ 24.876818]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.876840]  kasan_report+0x141/0x180
[ 24.876862]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.876889]  __asan_report_load1_noabort+0x18/0x20
[ 24.876913]  kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.876988]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 24.877014]  ? finish_task_switch.isra.0+0x153/0x700
[ 24.877038]  ? __switch_to+0x47/0xf80
[ 24.877067]  ? __pfx_read_tsc+0x10/0x10
[ 24.877090]  ? ktime_get_ts64+0x86/0x230
[ 24.877117]  kunit_try_run_case+0x1a5/0x480
[ 24.877141]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.877161]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.877186]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.877210]  ? __kthread_parkme+0x82/0x180
[ 24.877232]  ? preempt_count_sub+0x50/0x80
[ 24.877254]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.877276]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.877301]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.877328]  kthread+0x337/0x6f0
[ 24.877351]  ? trace_preempt_on+0x20/0xc0
[ 24.877376]  ? __pfx_kthread+0x10/0x10
[ 24.877397]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.877419]  ? calculate_sigpending+0x7b/0xa0
[ 24.877443]  ? __pfx_kthread+0x10/0x10
[ 24.877465]  ret_from_fork+0x116/0x1d0
[ 24.877483]  ? __pfx_kthread+0x10/0x10
[ 24.877504]  ret_from_fork_asm+0x1a/0x30
[ 24.877536]  </TASK>
[ 24.877548]
[ 24.884359] Allocated by task 263:
[ 24.884489]  kasan_save_stack+0x45/0x70
[ 24.884857]  kasan_save_track+0x18/0x40
[ 24.885121]  kasan_save_alloc_info+0x3b/0x50
[ 24.885391]  __kasan_slab_alloc+0x91/0xa0
[ 24.885597]  kmem_cache_alloc_noprof+0x123/0x3f0
[ 24.885938]  kmem_cache_rcu_uaf+0x155/0x510
[ 24.886155]  kunit_try_run_case+0x1a5/0x480
[ 24.886360]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.886612]  kthread+0x337/0x6f0
[ 24.886760]  ret_from_fork+0x116/0x1d0
[ 24.886950]  ret_from_fork_asm+0x1a/0x30
[ 24.887088]
[ 24.887153] Freed by task 0:
[ 24.887255]  kasan_save_stack+0x45/0x70
[ 24.887381]  kasan_save_track+0x18/0x40
[ 24.887561]  kasan_save_free_info+0x3f/0x60
[ 24.887750]  __kasan_slab_free+0x56/0x70
[ 24.887888]  slab_free_after_rcu_debug+0xe4/0x310
[ 24.888042]  rcu_core+0x66f/0x1c40
[ 24.888164]  rcu_core_si+0x12/0x20
[ 24.888282]  handle_softirqs+0x209/0x730
[ 24.888412]  __irq_exit_rcu+0xc9/0x110
[ 24.888538]  irq_exit_rcu+0x12/0x20
[ 24.888659]  sysvec_apic_timer_interrupt+0x81/0x90
[ 24.888825]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 24.889225]
[ 24.889306] Last potentially related work creation:
[ 24.889530]  kasan_save_stack+0x45/0x70
[ 24.889733]  kasan_record_aux_stack+0xb2/0xc0
[ 24.890029]  kmem_cache_free+0x131/0x420
[ 24.890187]  kmem_cache_rcu_uaf+0x194/0x510
[ 24.890329]  kunit_try_run_case+0x1a5/0x480
[ 24.890472]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.890643]  kthread+0x337/0x6f0
[ 24.890772]  ret_from_fork+0x116/0x1d0
[ 24.890899]  ret_from_fork_asm+0x1a/0x30
[ 24.891033]
[ 24.891096] The buggy address belongs to the object at ffff8881050b5000
[ 24.891096]  which belongs to the cache test_cache of size 200
[ 24.891446] The buggy address is located 0 bytes inside of
[ 24.891446]  freed 200-byte region [ffff8881050b5000, ffff8881050b50c8)
[ 24.893123]
[ 24.893281] The buggy address belongs to the physical page:
[ 24.893486] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1050b5
[ 24.893954] flags: 0x200000000000000(node=0|zone=2)
[ 24.894176] page_type: f5(slab)
[ 24.894350] raw: 0200000000000000 ffff888101d203c0 dead000000000122 0000000000000000
[ 24.894666] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 24.895079] page dumped because: kasan: bad access detected
[ 24.895253]
[ 24.895315] Memory state around the buggy address:
[ 24.895465]  ffff8881050b4f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.895675]  ffff8881050b4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.895899] >ffff8881050b5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.896104]                    ^
[ 24.896214]  ffff8881050b5080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 24.896420]  ffff8881050b5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.896681] ==================================================================
```