Hay
Date
July 10, 2025, 9:07 a.m.

Environment (one KASAN report per target follows; both are from the `kmem_cache_rcu_uaf` KUnit case, which from the task name `kunit_try_catch`, the `[N]=TEST` taint and the `test_cache` slab appears to be a KASAN self-test that provokes a slab-use-after-free on an RCU-freed object on purpose — the report is the expected pass signal, not evidence of a kernel defect; confirm against the KASAN KUnit test source for this kernel. Note the freeing stack runs in RCU-callback/softirq context via `slab_free_after_rcu_debug`, i.e. the object is released after a grace period even though `kmem_cache_free` was called earlier from the test thread.)
qemu-arm64
qemu-x86_64

[   30.672209] ==================================================================
[   30.672328] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   30.672410] Read of size 1 at addr fff00000c9974000 by task kunit_try_catch/244
[   30.672475] 
[   30.672521] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT 
[   30.672638] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.672671] Hardware name: linux,dummy-virt (DT)
[   30.672711] Call trace:
[   30.672737]  show_stack+0x20/0x38 (C)
[   30.672793]  dump_stack_lvl+0x8c/0xd0
[   30.672846]  print_report+0x118/0x5d0
[   30.672893]  kasan_report+0xdc/0x128
[   30.672937]  __asan_report_load1_noabort+0x20/0x30
[   30.672993]  kmem_cache_rcu_uaf+0x388/0x468
[   30.673044]  kunit_try_run_case+0x170/0x3f0
[   30.673102]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.673176]  kthread+0x328/0x630
[   30.673222]  ret_from_fork+0x10/0x20
[   30.673275] 
[   30.673294] Allocated by task 244:
[   30.673327]  kasan_save_stack+0x3c/0x68
[   30.673375]  kasan_save_track+0x20/0x40
[   30.673416]  kasan_save_alloc_info+0x40/0x58
[   30.673454]  __kasan_slab_alloc+0xa8/0xb0
[   30.673493]  kmem_cache_alloc_noprof+0x10c/0x398
[   30.673537]  kmem_cache_rcu_uaf+0x12c/0x468
[   30.673576]  kunit_try_run_case+0x170/0x3f0
[   30.673614]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.673659]  kthread+0x328/0x630
[   30.673690]  ret_from_fork+0x10/0x20
[   30.673726] 
[   30.673745] Freed by task 0:
[   30.673771]  kasan_save_stack+0x3c/0x68
[   30.673807]  kasan_save_track+0x20/0x40
[   30.673845]  kasan_save_free_info+0x4c/0x78
[   30.673880]  __kasan_slab_free+0x6c/0x98
[   30.673918]  slab_free_after_rcu_debug+0xd4/0x2f8
[   30.673960]  rcu_core+0x9f4/0x1e20
[   30.673997]  rcu_core_si+0x18/0x30
[   30.674032]  handle_softirqs+0x374/0xb28
[   30.674069]  __do_softirq+0x1c/0x28
[   30.674103] 
[   30.674121] Last potentially related work creation:
[   30.674340]  kasan_save_stack+0x3c/0x68
[   30.674447]  kasan_record_aux_stack+0xb4/0xc8
[   30.674499]  kmem_cache_free+0x120/0x468
[   30.674538]  kmem_cache_rcu_uaf+0x16c/0x468
[   30.674575]  kunit_try_run_case+0x170/0x3f0
[   30.674614]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.674660]  kthread+0x328/0x630
[   30.674693]  ret_from_fork+0x10/0x20
[   30.675199] 
[   30.675220] The buggy address belongs to the object at fff00000c9974000
[   30.675220]  which belongs to the cache test_cache of size 200
[   30.675285] The buggy address is located 0 bytes inside of
[   30.675285]  freed 200-byte region [fff00000c9974000, fff00000c99740c8)
[   30.675349] 
[   30.675371] The buggy address belongs to the physical page:
[   30.675407] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109974
[   30.675465] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.675527] page_type: f5(slab)
[   30.675572] raw: 0bfffe0000000000 fff00000c3e37500 dead000000000122 0000000000000000
[   30.675626] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   30.675672] page dumped because: kasan: bad access detected
[   30.675705] 
[   30.675724] Memory state around the buggy address:
[   30.675758]  fff00000c9973f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.675804]  fff00000c9973f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.675849] >fff00000c9974000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.675890]                    ^
[   30.675918]  fff00000c9974080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   30.675962]  fff00000c9974100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.676003] ==================================================================

[   25.881112] ==================================================================
[   25.881635] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   25.882152] Read of size 1 at addr ffff8881060c1000 by task kunit_try_catch/261
[   25.882416] 
[   25.882527] CPU: 1 UID: 0 PID: 261 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) 
[   25.882583] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.882595] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.882620] Call Trace:
[   25.882634]  <TASK>
[   25.882694]  dump_stack_lvl+0x73/0xb0
[   25.882739]  print_report+0xd1/0x610
[   25.882764]  ? __virt_addr_valid+0x1db/0x2d0
[   25.882809]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   25.882832]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.882857]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   25.882881]  kasan_report+0x141/0x180
[   25.882903]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   25.882931]  __asan_report_load1_noabort+0x18/0x20
[   25.882956]  kmem_cache_rcu_uaf+0x3e3/0x510
[   25.882978]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   25.883001]  ? finish_task_switch.isra.0+0x153/0x700
[   25.883025]  ? __switch_to+0x47/0xf80
[   25.883055]  ? __pfx_read_tsc+0x10/0x10
[   25.883078]  ? ktime_get_ts64+0x86/0x230
[   25.883104]  kunit_try_run_case+0x1a5/0x480
[   25.883129]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.883150]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.883176]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.883199]  ? __kthread_parkme+0x82/0x180
[   25.883221]  ? preempt_count_sub+0x50/0x80
[   25.883244]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.883266]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.883291]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.883317]  kthread+0x337/0x6f0
[   25.883338]  ? trace_preempt_on+0x20/0xc0
[   25.883362]  ? __pfx_kthread+0x10/0x10
[   25.883383]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.883405]  ? calculate_sigpending+0x7b/0xa0
[   25.883430]  ? __pfx_kthread+0x10/0x10
[   25.883452]  ret_from_fork+0x116/0x1d0
[   25.883471]  ? __pfx_kthread+0x10/0x10
[   25.883523]  ret_from_fork_asm+0x1a/0x30
[   25.883556]  </TASK>
[   25.883569] 
[   25.894207] Allocated by task 261:
[   25.894375]  kasan_save_stack+0x45/0x70
[   25.894606]  kasan_save_track+0x18/0x40
[   25.894844]  kasan_save_alloc_info+0x3b/0x50
[   25.895234]  __kasan_slab_alloc+0x91/0xa0
[   25.895408]  kmem_cache_alloc_noprof+0x123/0x3f0
[   25.895610]  kmem_cache_rcu_uaf+0x155/0x510
[   25.896089]  kunit_try_run_case+0x1a5/0x480
[   25.896472]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.897206]  kthread+0x337/0x6f0
[   25.897401]  ret_from_fork+0x116/0x1d0
[   25.897627]  ret_from_fork_asm+0x1a/0x30
[   25.898084] 
[   25.898254] Freed by task 0:
[   25.898430]  kasan_save_stack+0x45/0x70
[   25.898586]  kasan_save_track+0x18/0x40
[   25.898996]  kasan_save_free_info+0x3f/0x60
[   25.899385]  __kasan_slab_free+0x56/0x70
[   25.899688]  slab_free_after_rcu_debug+0xe4/0x310
[   25.900035]  rcu_core+0x66f/0x1c40
[   25.900360]  rcu_core_si+0x12/0x20
[   25.900667]  handle_softirqs+0x209/0x730
[   25.900986]  __irq_exit_rcu+0xc9/0x110
[   25.901378]  irq_exit_rcu+0x12/0x20
[   25.901762]  sysvec_apic_timer_interrupt+0x81/0x90
[   25.902118]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   25.902287] 
[   25.902355] Last potentially related work creation:
[   25.902547]  kasan_save_stack+0x45/0x70
[   25.902949]  kasan_record_aux_stack+0xb2/0xc0
[   25.903338]  kmem_cache_free+0x131/0x420
[   25.903740]  kmem_cache_rcu_uaf+0x194/0x510
[   25.904225]  kunit_try_run_case+0x1a5/0x480
[   25.904610]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.905229]  kthread+0x337/0x6f0
[   25.905449]  ret_from_fork+0x116/0x1d0
[   25.905807]  ret_from_fork_asm+0x1a/0x30
[   25.906119] 
[   25.906190] The buggy address belongs to the object at ffff8881060c1000
[   25.906190]  which belongs to the cache test_cache of size 200
[   25.906667] The buggy address is located 0 bytes inside of
[   25.906667]  freed 200-byte region [ffff8881060c1000, ffff8881060c10c8)
[   25.907873] 
[   25.908095] The buggy address belongs to the physical page:
[   25.908583] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060c1
[   25.909269] flags: 0x200000000000000(node=0|zone=2)
[   25.909605] page_type: f5(slab)
[   25.909747] raw: 0200000000000000 ffff888101d98b40 dead000000000122 0000000000000000
[   25.910076] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   25.910768] page dumped because: kasan: bad access detected
[   25.911286] 
[   25.911442] Memory state around the buggy address:
[   25.911922]  ffff8881060c0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.912388]  ffff8881060c0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.912746] >ffff8881060c1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.913516]                    ^
[   25.913916]  ffff8881060c1080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   25.914414]  ffff8881060c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.914789] ==================================================================