Date: July 14, 2025, 10:38 a.m.
Environment

- e850-96
- qemu-arm64
- qemu-x86_64
e850-96 (WinLink E850-96 board):

```text
[   50.205785] ==================================================================
[   50.205983] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   50.206114] Read of size 1 at addr ffff000801e68000 by task kunit_try_catch/297
[   50.209497]
[   50.210986] CPU: 6 UID: 0 PID: 297 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[   50.211044] Tainted: [B]=BAD_PAGE, [N]=TEST
[   50.211062] Hardware name: WinLink E850-96 board (DT)
[   50.211086] Call trace:
[   50.211100]  show_stack+0x20/0x38 (C)
[   50.211139]  dump_stack_lvl+0x8c/0xd0
[   50.211172]  print_report+0x118/0x5d0
[   50.211202]  kasan_report+0xdc/0x128
[   50.211230]  __asan_report_load1_noabort+0x20/0x30
[   50.211265]  kmem_cache_rcu_uaf+0x388/0x468
[   50.211298]  kunit_try_run_case+0x170/0x3f0
[   50.211337]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   50.211369]  kthread+0x328/0x630
[   50.211398]  ret_from_fork+0x10/0x20
[   50.211435]
[   50.275036] Allocated by task 297:
[   50.278422]  kasan_save_stack+0x3c/0x68
[   50.282239]  kasan_save_track+0x20/0x40
[   50.286059]  kasan_save_alloc_info+0x40/0x58
[   50.290312]  __kasan_slab_alloc+0xa8/0xb0
[   50.294305]  kmem_cache_alloc_noprof+0x10c/0x398
[   50.298906]  kmem_cache_rcu_uaf+0x12c/0x468
[   50.303073]  kunit_try_run_case+0x170/0x3f0
[   50.307240]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   50.312709]  kthread+0x328/0x630
[   50.315919]  ret_from_fork+0x10/0x20
[   50.319478]
[   50.320955] Freed by task 0:
[   50.323822]  kasan_save_stack+0x3c/0x68
[   50.327638]  kasan_save_track+0x20/0x40
[   50.331459]  kasan_save_free_info+0x4c/0x78
[   50.335624]  __kasan_slab_free+0x6c/0x98
[   50.339530]  slab_free_after_rcu_debug+0xd4/0x2f8
[   50.344218]  rcu_core+0x9f4/0x1e20
[   50.347603]  rcu_core_si+0x18/0x30
[   50.350988]  handle_softirqs+0x374/0xb28
[   50.354894]  __do_softirq+0x1c/0x28
[   50.358367]
[   50.359844] Last potentially related work creation:
[   50.364705]  kasan_save_stack+0x3c/0x68
[   50.368523]  kasan_record_aux_stack+0xb4/0xc8
[   50.372864]  kmem_cache_free+0x120/0x468
[   50.376769]  kmem_cache_rcu_uaf+0x16c/0x468
[   50.380936]  kunit_try_run_case+0x170/0x3f0
[   50.385102]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   50.390571]  kthread+0x328/0x630
[   50.393783]  ret_from_fork+0x10/0x20
[   50.397341]
[   50.398817] The buggy address belongs to the object at ffff000801e68000
[   50.398817]  which belongs to the cache test_cache of size 200
[   50.411234] The buggy address is located 0 bytes inside of
[   50.411234]  freed 200-byte region [ffff000801e68000, ffff000801e680c8)
[   50.423296]
[   50.424776] The buggy address belongs to the physical page:
[   50.430333] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881e68
[   50.438316] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   50.445957] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   50.452898] page_type: f5(slab)
[   50.456035] raw: 0bfffe0000000040 ffff000801e66000 dead000000000122 0000000000000000
[   50.463754] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   50.471480] head: 0bfffe0000000040 ffff000801e66000 dead000000000122 0000000000000000
[   50.479292] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   50.487105] head: 0bfffe0000000001 fffffdffe0079a01 00000000ffffffff 00000000ffffffff
[   50.494917] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   50.502724] page dumped because: kasan: bad access detected
[   50.508278]
[   50.509753] Memory state around the buggy address:
[   50.514533]  ffff000801e67f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.521736]  ffff000801e67f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.528942] >ffff000801e68000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.536142]                    ^
[   50.539357]  ffff000801e68080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   50.546562]  ffff000801e68100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.553765] ==================================================================
```
qemu-arm64 (linux,dummy-virt):

```text
[   30.921169] ==================================================================
[   30.921272] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   30.921354] Read of size 1 at addr fff00000c9b87000 by task kunit_try_catch/244
[   30.921580]
[   30.921836] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[   30.922328] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.922358] Hardware name: linux,dummy-virt (DT)
[   30.922394] Call trace:
[   30.922421]  show_stack+0x20/0x38 (C)
[   30.923145]  dump_stack_lvl+0x8c/0xd0
[   30.923448]  print_report+0x118/0x5d0
[   30.923509]  kasan_report+0xdc/0x128
[   30.923712]  __asan_report_load1_noabort+0x20/0x30
[   30.923853]  kmem_cache_rcu_uaf+0x388/0x468
[   30.924033]  kunit_try_run_case+0x170/0x3f0
[   30.924111]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.924425]  kthread+0x328/0x630
[   30.924501]  ret_from_fork+0x10/0x20
[   30.924714]
[   30.924828] Allocated by task 244:
[   30.925002]  kasan_save_stack+0x3c/0x68
[   30.925066]  kasan_save_track+0x20/0x40
[   30.925521]  kasan_save_alloc_info+0x40/0x58
[   30.925702]  __kasan_slab_alloc+0xa8/0xb0
[   30.925794]  kmem_cache_alloc_noprof+0x10c/0x398
[   30.925837]  kmem_cache_rcu_uaf+0x12c/0x468
[   30.925887]  kunit_try_run_case+0x170/0x3f0
[   30.925925]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.926108]  kthread+0x328/0x630
[   30.926411]  ret_from_fork+0x10/0x20
[   30.926462]
[   30.926509] Freed by task 0:
[   30.926541]  kasan_save_stack+0x3c/0x68
[   30.926579]  kasan_save_track+0x20/0x40
[   30.926839]  kasan_save_free_info+0x4c/0x78
[   30.926883]  __kasan_slab_free+0x6c/0x98
[   30.926922]  slab_free_after_rcu_debug+0xd4/0x2f8
[   30.926963]  rcu_core+0x9f4/0x1e20
[   30.927002]  rcu_core_si+0x18/0x30
[   30.927037]  handle_softirqs+0x374/0xb28
[   30.927085]  __do_softirq+0x1c/0x28
[   30.927119]
[   30.927138] Last potentially related work creation:
[   30.927165]  kasan_save_stack+0x3c/0x68
[   30.927514]  kasan_record_aux_stack+0xb4/0xc8
[   30.927619]  kmem_cache_free+0x120/0x468
[   30.927661]  kmem_cache_rcu_uaf+0x16c/0x468
[   30.927698]  kunit_try_run_case+0x170/0x3f0
[   30.928213]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.928258]  kthread+0x328/0x630
[   30.928570]  ret_from_fork+0x10/0x20
[   30.928719]
[   30.928743] The buggy address belongs to the object at fff00000c9b87000
[   30.928743]  which belongs to the cache test_cache of size 200
[   30.928881] The buggy address is located 0 bytes inside of
[   30.928881]  freed 200-byte region [fff00000c9b87000, fff00000c9b870c8)
[   30.928974]
[   30.928997] The buggy address belongs to the physical page:
[   30.929032] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b87
[   30.929345] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.929487] page_type: f5(slab)
[   30.929612] raw: 0bfffe0000000000 fff00000c5687780 dead000000000122 0000000000000000
[   30.929707] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   30.929749] page dumped because: kasan: bad access detected
[   30.929782]
[   30.929800] Memory state around the buggy address:
[   30.929906]  fff00000c9b86f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.930063]  fff00000c9b86f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.930106] >fff00000c9b87000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.930192]                    ^
[   30.930221]  fff00000c9b87080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   30.930711]  fff00000c9b87100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.930759] ==================================================================
```
qemu-x86_64 (QEMU Standard PC, Q35 + ICH9):

```text
[   25.086367] ==================================================================
[   25.086912] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   25.087463] Read of size 1 at addr ffff8881060a2000 by task kunit_try_catch/262
[   25.087923]
[   25.088019] CPU: 1 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary)
[   25.088077] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   25.088091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.088116] Call Trace:
[   25.088132]  <TASK>
[   25.088152]  dump_stack_lvl+0x73/0xb0
[   25.088188]  print_report+0xd1/0x610
[   25.088212]  ? __virt_addr_valid+0x1db/0x2d0
[   25.088237]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   25.088260]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.088286]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   25.088308]  kasan_report+0x141/0x180
[   25.088330]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   25.088356]  __asan_report_load1_noabort+0x18/0x20
[   25.088460]  kmem_cache_rcu_uaf+0x3e3/0x510
[   25.088487]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   25.088510]  ? finish_task_switch.isra.0+0x153/0x700
[   25.088534]  ? __switch_to+0x47/0xf80
[   25.088564]  ? __pfx_read_tsc+0x10/0x10
[   25.088587]  ? ktime_get_ts64+0x86/0x230
[   25.088615]  kunit_try_run_case+0x1a5/0x480
[   25.088639]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.088671]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.088696]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.088719]  ? __kthread_parkme+0x82/0x180
[   25.088740]  ? preempt_count_sub+0x50/0x80
[   25.088774]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.088796]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.088821]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.088845]  kthread+0x337/0x6f0
[   25.088865]  ? trace_preempt_on+0x20/0xc0
[   25.088890]  ? __pfx_kthread+0x10/0x10
[   25.088911]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.088932]  ? calculate_sigpending+0x7b/0xa0
[   25.088967]  ? __pfx_kthread+0x10/0x10
[   25.088988]  ret_from_fork+0x116/0x1d0
[   25.089009]  ? __pfx_kthread+0x10/0x10
[   25.089029]  ret_from_fork_asm+0x1a/0x30
[   25.089060]  </TASK>
[   25.089072]
[   25.099565] Allocated by task 262:
[   25.099769]  kasan_save_stack+0x45/0x70
[   25.100420]  kasan_save_track+0x18/0x40
[   25.100596]  kasan_save_alloc_info+0x3b/0x50
[   25.100815]  __kasan_slab_alloc+0x91/0xa0
[   25.101197]  kmem_cache_alloc_noprof+0x123/0x3f0
[   25.101639]  kmem_cache_rcu_uaf+0x155/0x510
[   25.101970]  kunit_try_run_case+0x1a5/0x480
[   25.102183]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.102404]  kthread+0x337/0x6f0
[   25.102572]  ret_from_fork+0x116/0x1d0
[   25.102745]  ret_from_fork_asm+0x1a/0x30
[   25.103229]
[   25.103323] Freed by task 0:
[   25.103434]  kasan_save_stack+0x45/0x70
[   25.103621]  kasan_save_track+0x18/0x40
[   25.104222]  kasan_save_free_info+0x3f/0x60
[   25.104401]  __kasan_slab_free+0x56/0x70
[   25.104755]  slab_free_after_rcu_debug+0xe4/0x310
[   25.105041]  rcu_core+0x66f/0x1c40
[   25.105288]  rcu_core_si+0x12/0x20
[   25.105474]  handle_softirqs+0x209/0x730
[   25.105885]  __irq_exit_rcu+0xc9/0x110
[   25.106031]  irq_exit_rcu+0x12/0x20
[   25.106384]  sysvec_apic_timer_interrupt+0x81/0x90
[   25.106619]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   25.106890]
[   25.106964] Last potentially related work creation:
[   25.107180]  kasan_save_stack+0x45/0x70
[   25.107366]  kasan_record_aux_stack+0xb2/0xc0
[   25.107531]  kmem_cache_free+0x131/0x420
[   25.107732]  kmem_cache_rcu_uaf+0x194/0x510
[   25.108584]  kunit_try_run_case+0x1a5/0x480
[   25.108741]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.109242]  kthread+0x337/0x6f0
[   25.109427]  ret_from_fork+0x116/0x1d0
[   25.109584]  ret_from_fork_asm+0x1a/0x30
[   25.109946]
[   25.110165] The buggy address belongs to the object at ffff8881060a2000
[   25.110165]  which belongs to the cache test_cache of size 200
[   25.110829] The buggy address is located 0 bytes inside of
[   25.110829]  freed 200-byte region [ffff8881060a2000, ffff8881060a20c8)
[   25.111695]
[   25.111863] The buggy address belongs to the physical page:
[   25.112311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060a2
[   25.112653] flags: 0x200000000000000(node=0|zone=2)
[   25.113125] page_type: f5(slab)
[   25.113287] raw: 0200000000000000 ffff8881060a0000 dead000000000122 0000000000000000
[   25.113751] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   25.114263] page dumped because: kasan: bad access detected
[   25.114583]
[   25.114678] Memory state around the buggy address:
[   25.114892]  ffff8881060a1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.115256]  ffff8881060a1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.116150] >ffff8881060a2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.116470]                    ^
[   25.116718]  ffff8881060a2080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   25.117189]  ffff8881060a2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.117733] ==================================================================
```