Date
July 11, 2025, 10:11 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
e850-96 (WinLink E850-96 board):

```
[ 49.748957] ==================================================================
[ 49.749131] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 49.749253] Read of size 4 at addr ffff000806d0df80 by task swapper/4/0
[ 49.750317]
[ 49.751805] CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 49.751861] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 49.751876] Hardware name: WinLink E850-96 board (DT)
[ 49.751897] Call trace:
[ 49.751910] show_stack+0x20/0x38 (C)
[ 49.751953] dump_stack_lvl+0x8c/0xd0
[ 49.751985] print_report+0x118/0x5d0
[ 49.752017] kasan_report+0xdc/0x128
[ 49.752044] __asan_report_load4_noabort+0x20/0x30
[ 49.752078] rcu_uaf_reclaim+0x64/0x70
[ 49.752109] rcu_core+0x9f4/0x1e20
[ 49.752145] rcu_core_si+0x18/0x30
[ 49.752174] handle_softirqs+0x374/0xb28
[ 49.752210] __do_softirq+0x1c/0x28
[ 49.752239] ____do_softirq+0x18/0x30
[ 49.752276] call_on_irq_stack+0x24/0x30
[ 49.752307] do_softirq_own_stack+0x24/0x38
[ 49.752336] __irq_exit_rcu+0x1fc/0x318
[ 49.752367] irq_exit_rcu+0x1c/0x80
[ 49.752396] el1_interrupt+0x38/0x58
[ 49.752430] el1h_64_irq_handler+0x18/0x28
[ 49.752461] el1h_64_irq+0x6c/0x70
[ 49.752489] arch_local_irq_enable+0x4/0x8 (P)
[ 49.752525] do_idle+0x384/0x4e8
[ 49.752560] cpu_startup_entry+0x64/0x80
[ 49.752589] secondary_start_kernel+0x28c/0x340
[ 49.752622] __secondary_switched+0xc0/0xc8
[ 49.752663]
[ 49.862730] Allocated by task 282:
[ 49.866117] kasan_save_stack+0x3c/0x68
[ 49.869934] kasan_save_track+0x20/0x40
[ 49.873752] kasan_save_alloc_info+0x40/0x58
[ 49.878006] __kasan_kmalloc+0xd4/0xd8
[ 49.881740] __kmalloc_cache_noprof+0x16c/0x3c0
[ 49.886252] rcu_uaf+0xb0/0x2d8
[ 49.889378] kunit_try_run_case+0x170/0x3f0
[ 49.893544] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.899012] kthread+0x328/0x630
[ 49.902224] ret_from_fork+0x10/0x20
[ 49.905783]
[ 49.907259] Freed by task 0:
[ 49.910125] kasan_save_stack+0x3c/0x68
[ 49.913944] kasan_save_track+0x20/0x40
[ 49.917762] kasan_save_free_info+0x4c/0x78
[ 49.921929] __kasan_slab_free+0x6c/0x98
[ 49.925835] kfree+0x214/0x3c8
[ 49.928873] rcu_uaf_reclaim+0x28/0x70
[ 49.932606] rcu_core+0x9f4/0x1e20
[ 49.935991] rcu_core_si+0x18/0x30
[ 49.939378] handle_softirqs+0x374/0xb28
[ 49.943282] __do_softirq+0x1c/0x28
[ 49.946755]
[ 49.948232] Last potentially related work creation:
[ 49.953093] kasan_save_stack+0x3c/0x68
[ 49.956911] kasan_record_aux_stack+0xb4/0xc8
[ 49.961251] __call_rcu_common.constprop.0+0x74/0x8c8
[ 49.966286] call_rcu+0x18/0x30
[ 49.969410] rcu_uaf+0x14c/0x2d8
[ 49.972622] kunit_try_run_case+0x170/0x3f0
[ 49.976789] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.982258] kthread+0x328/0x630
[ 49.985469] ret_from_fork+0x10/0x20
[ 49.989028]
[ 49.990505] The buggy address belongs to the object at ffff000806d0df80
[ 49.990505] which belongs to the cache kmalloc-32 of size 32
[ 50.002832] The buggy address is located 0 bytes inside of
[ 50.002832] freed 32-byte region [ffff000806d0df80, ffff000806d0dfa0)
[ 50.014809]
[ 50.016290] The buggy address belongs to the physical page:
[ 50.021844] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886d0d
[ 50.029829] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 50.036339] page_type: f5(slab)
[ 50.039474] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 50.047195] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 50.054913] page dumped because: kasan: bad access detected
[ 50.060468]
[ 50.061944] Memory state around the buggy address:
[ 50.066724] ffff000806d0de80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 50.073926] ffff000806d0df00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 50.081133] >ffff000806d0df80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.088334] ^
[ 50.091549] ffff000806d0e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.098753] ffff000806d0e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 50.105955] ==================================================================
```
qemu-arm64 (linux,dummy-virt):

```
[ 30.814771] ==================================================================
[ 30.814950] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 30.816666] Read of size 4 at addr fff00000c9a4d680 by task swapper/1/0
[ 30.817430]
[ 30.817482] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 30.818672] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.818705] Hardware name: linux,dummy-virt (DT)
[ 30.818742] Call trace:
[ 30.819006] show_stack+0x20/0x38 (C)
[ 30.819897] dump_stack_lvl+0x8c/0xd0
[ 30.820655] print_report+0x118/0x5d0
[ 30.820759] kasan_report+0xdc/0x128
[ 30.820832] __asan_report_load4_noabort+0x20/0x30
[ 30.821422] rcu_uaf_reclaim+0x64/0x70
[ 30.821551] rcu_core+0x9f4/0x1e20
[ 30.821916] rcu_core_si+0x18/0x30
[ 30.822920] handle_softirqs+0x374/0xb28
[ 30.823121] __do_softirq+0x1c/0x28
[ 30.823247] ____do_softirq+0x18/0x30
[ 30.823292] call_on_irq_stack+0x24/0x30
[ 30.824177] do_softirq_own_stack+0x24/0x38
[ 30.824254] __irq_exit_rcu+0x1fc/0x318
[ 30.824301] irq_exit_rcu+0x1c/0x80
[ 30.825235] el1_interrupt+0x38/0x58
[ 30.825854] el1h_64_irq_handler+0x18/0x28
[ 30.825975] el1h_64_irq+0x6c/0x70
[ 30.826706] arch_local_irq_enable+0x4/0x8 (P)
[ 30.827761] do_idle+0x384/0x4e8
[ 30.828060] cpu_startup_entry+0x64/0x80
[ 30.828636] secondary_start_kernel+0x28c/0x340
[ 30.829203] __secondary_switched+0xc0/0xc8
[ 30.829652]
[ 30.830048] Allocated by task 229:
[ 30.830568] kasan_save_stack+0x3c/0x68
[ 30.830891] kasan_save_track+0x20/0x40
[ 30.831217] kasan_save_alloc_info+0x40/0x58
[ 30.831567] __kasan_kmalloc+0xd4/0xd8
[ 30.831887] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.832241] rcu_uaf+0xb0/0x2d8
[ 30.832388] kunit_try_run_case+0x170/0x3f0
[ 30.832452] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.832495] kthread+0x328/0x630
[ 30.832530] ret_from_fork+0x10/0x20
[ 30.832567]
[ 30.832587] Freed by task 0:
[ 30.832613] kasan_save_stack+0x3c/0x68
[ 30.832653] kasan_save_track+0x20/0x40
[ 30.832690] kasan_save_free_info+0x4c/0x78
[ 30.832728] __kasan_slab_free+0x6c/0x98
[ 30.832767] kfree+0x214/0x3c8
[ 30.832804] rcu_uaf_reclaim+0x28/0x70
[ 30.832840] rcu_core+0x9f4/0x1e20
[ 30.832875] rcu_core_si+0x18/0x30
[ 30.832911] handle_softirqs+0x374/0xb28
[ 30.832948] __do_softirq+0x1c/0x28
[ 30.832983]
[ 30.833018] Last potentially related work creation:
[ 30.833053] kasan_save_stack+0x3c/0x68
[ 30.833094] kasan_record_aux_stack+0xb4/0xc8
[ 30.833131] __call_rcu_common.constprop.0+0x74/0x8c8
[ 30.833173] call_rcu+0x18/0x30
[ 30.833206] rcu_uaf+0x14c/0x2d8
[ 30.833241] kunit_try_run_case+0x170/0x3f0
[ 30.833281] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.833331] kthread+0x328/0x630
[ 30.833366] ret_from_fork+0x10/0x20
[ 30.833406]
[ 30.833433] The buggy address belongs to the object at fff00000c9a4d680
[ 30.833433] which belongs to the cache kmalloc-32 of size 32
[ 30.833494] The buggy address is located 0 bytes inside of
[ 30.833494] freed 32-byte region [fff00000c9a4d680, fff00000c9a4d6a0)
[ 30.833555]
[ 30.833577] The buggy address belongs to the physical page:
[ 30.833623] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a4d
[ 30.833715] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.833819] page_type: f5(slab)
[ 30.833898] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 30.833997] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 30.834086] page dumped because: kasan: bad access detected
[ 30.834130]
[ 30.834148] Memory state around the buggy address:
[ 30.834181] fff00000c9a4d580: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 30.834224] fff00000c9a4d600: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 30.834273] >fff00000c9a4d680: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.834311] ^
[ 30.834472] fff00000c9a4d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.834612] fff00000c9a4d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.834712] ==================================================================
```
qemu-x86_64 (QEMU Standard PC):

```
[ 24.323430] ==================================================================
[ 24.323868] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 24.324099] Read of size 4 at addr ffff8881057449c0 by task swapper/1/0
[ 24.324326]
[ 24.324419] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.324537] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.324550] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.324785] Call Trace:
[ 24.324823] <IRQ>
[ 24.324852] dump_stack_lvl+0x73/0xb0
[ 24.324890] print_report+0xd1/0x610
[ 24.324913] ? __virt_addr_valid+0x1db/0x2d0
[ 24.324938] ? rcu_uaf_reclaim+0x50/0x60
[ 24.324959] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.324988] ? rcu_uaf_reclaim+0x50/0x60
[ 24.325009] kasan_report+0x141/0x180
[ 24.325031] ? rcu_uaf_reclaim+0x50/0x60
[ 24.325055] __asan_report_load4_noabort+0x18/0x20
[ 24.325078] rcu_uaf_reclaim+0x50/0x60
[ 24.325098] rcu_core+0x66f/0x1c40
[ 24.325128] ? __pfx_rcu_core+0x10/0x10
[ 24.325150] ? ktime_get+0x6b/0x150
[ 24.325173] ? handle_softirqs+0x18e/0x730
[ 24.325199] rcu_core_si+0x12/0x20
[ 24.325219] handle_softirqs+0x209/0x730
[ 24.325239] ? hrtimer_interrupt+0x2fe/0x780
[ 24.325262] ? __pfx_handle_softirqs+0x10/0x10
[ 24.325287] __irq_exit_rcu+0xc9/0x110
[ 24.325307] irq_exit_rcu+0x12/0x20
[ 24.325327] sysvec_apic_timer_interrupt+0x81/0x90
[ 24.325352] </IRQ>
[ 24.325378] <TASK>
[ 24.325390] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 24.325537] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 24.325761] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 ff 17 00 fb f4 <e9> 7c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 24.325847] RSP: 0000:ffff88810087fdc8 EFLAGS: 00010216
[ 24.325936] RAX: ffff88819d91d000 RBX: ffff88810085b000 RCX: ffffffffbb30ba25
[ 24.325982] RDX: ffffed102b626193 RSI: 0000000000000004 RDI: 000000000001ba3c
[ 24.326031] RBP: ffff88810087fdd0 R08: 0000000000000001 R09: ffffed102b626192
[ 24.326073] R10: ffff88815b130c93 R11: 000000000001bc00 R12: 0000000000000001
[ 24.326115] R13: ffffed102010b600 R14: ffffffffbcff4ad0 R15: 0000000000000000
[ 24.326172] ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 24.326225] ? default_idle+0xd/0x20
[ 24.326247] arch_cpu_idle+0xd/0x20
[ 24.326270] default_idle_call+0x48/0x80
[ 24.326289] do_idle+0x379/0x4f0
[ 24.326315] ? __pfx_do_idle+0x10/0x10
[ 24.326338] ? _raw_spin_unlock_irqrestore+0x49/0x90
[ 24.326363] ? complete+0x15b/0x1d0
[ 24.326388] cpu_startup_entry+0x5c/0x70
[ 24.326438] start_secondary+0x211/0x290
[ 24.326461] ? __pfx_start_secondary+0x10/0x10
[ 24.326486] common_startup_64+0x13e/0x148
[ 24.326518] </TASK>
[ 24.326530]
[ 24.343437] Allocated by task 248:
[ 24.343816] kasan_save_stack+0x45/0x70
[ 24.344210] kasan_save_track+0x18/0x40
[ 24.344464] kasan_save_alloc_info+0x3b/0x50
[ 24.344605] __kasan_kmalloc+0xb7/0xc0
[ 24.344725] __kmalloc_cache_noprof+0x189/0x420
[ 24.344881] rcu_uaf+0xb0/0x330
[ 24.344990] kunit_try_run_case+0x1a5/0x480
[ 24.345125] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.345289] kthread+0x337/0x6f0
[ 24.345402] ret_from_fork+0x116/0x1d0
[ 24.345585] ret_from_fork_asm+0x1a/0x30
[ 24.345747]
[ 24.345811] Freed by task 0:
[ 24.345907] kasan_save_stack+0x45/0x70
[ 24.346073] kasan_save_track+0x18/0x40
[ 24.346260] kasan_save_free_info+0x3f/0x60
[ 24.346452] __kasan_slab_free+0x56/0x70
[ 24.346686] kfree+0x222/0x3f0
[ 24.346859] rcu_uaf_reclaim+0x1f/0x60
[ 24.347008] rcu_core+0x66f/0x1c40
[ 24.347150] rcu_core_si+0x12/0x20
[ 24.347278] handle_softirqs+0x209/0x730
[ 24.347610] __irq_exit_rcu+0xc9/0x110
[ 24.347806] irq_exit_rcu+0x12/0x20
[ 24.348040] sysvec_apic_timer_interrupt+0x81/0x90
[ 24.348314] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 24.348723]
[ 24.348954] Last potentially related work creation:
[ 24.349696] kasan_save_stack+0x45/0x70
[ 24.349870] kasan_record_aux_stack+0xb2/0xc0
[ 24.350126] __call_rcu_common.constprop.0+0x7b/0x9e0
[ 24.350366] call_rcu+0x12/0x20
[ 24.350589] rcu_uaf+0x168/0x330
[ 24.351039] kunit_try_run_case+0x1a5/0x480
[ 24.351256] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.351598] kthread+0x337/0x6f0
[ 24.351894] ret_from_fork+0x116/0x1d0
[ 24.352085] ret_from_fork_asm+0x1a/0x30
[ 24.352499]
[ 24.352792] The buggy address belongs to the object at ffff8881057449c0
[ 24.352792] which belongs to the cache kmalloc-32 of size 32
[ 24.353438] The buggy address is located 0 bytes inside of
[ 24.353438] freed 32-byte region [ffff8881057449c0, ffff8881057449e0)
[ 24.353966]
[ 24.354192] The buggy address belongs to the physical page:
[ 24.354636] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105744
[ 24.354990] flags: 0x200000000000000(node=0|zone=2)
[ 24.355325] page_type: f5(slab)
[ 24.355651] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 24.356092] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 24.356534] page dumped because: kasan: bad access detected
[ 24.356868]
[ 24.356967] Memory state around the buggy address:
[ 24.357272] ffff888105744880: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 24.357786] ffff888105744900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 24.358214] >ffff888105744980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 24.358651] ^
[ 24.358865] ffff888105744a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.359304] ffff888105744a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.359761] ==================================================================
```