Date
July 15, 2025, 11:35 a.m.
| Environment | | |
|---|---|---|
| e850-96 | | |
| qemu-arm64 | | |
| qemu-x86_64 | | |
[ 49.632706] ================================================================== [ 49.632875] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 49.632992] Read of size 4 at addr ffff000808530040 by task swapper/0/0 [ 49.634946] [ 49.636433] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 49.636486] Tainted: [B]=BAD_PAGE, [N]=TEST [ 49.636503] Hardware name: WinLink E850-96 board (DT) [ 49.636524] Call trace: [ 49.636539] show_stack+0x20/0x38 (C) [ 49.636575] dump_stack_lvl+0x8c/0xd0 [ 49.636609] print_report+0x118/0x5d0 [ 49.636639] kasan_report+0xdc/0x128 [ 49.636666] __asan_report_load4_noabort+0x20/0x30 [ 49.636698] rcu_uaf_reclaim+0x64/0x70 [ 49.636726] rcu_core+0x9f4/0x1e20 [ 49.636758] rcu_core_si+0x18/0x30 [ 49.636788] handle_softirqs+0x374/0xb28 [ 49.636822] __do_softirq+0x1c/0x28 [ 49.636850] ____do_softirq+0x18/0x30 [ 49.636882] call_on_irq_stack+0x24/0x30 [ 49.636909] do_softirq_own_stack+0x24/0x38 [ 49.636939] __irq_exit_rcu+0x1fc/0x318 [ 49.636968] irq_exit_rcu+0x1c/0x80 [ 49.636997] el1_interrupt+0x38/0x58 [ 49.637033] el1h_64_irq_handler+0x18/0x28 [ 49.637067] el1h_64_irq+0x6c/0x70 [ 49.637093] arch_local_irq_enable+0x4/0x8 (P) [ 49.637128] do_idle+0x384/0x4e8 [ 49.637158] cpu_startup_entry+0x64/0x80 [ 49.637189] rest_init+0x160/0x188 [ 49.637218] start_kernel+0x30c/0x3d0 [ 49.637251] __primary_switched+0x8c/0xa0 [ 49.637283] [ 49.749703] Allocated by task 279: [ 49.753091] kasan_save_stack+0x3c/0x68 [ 49.756906] kasan_save_track+0x20/0x40 [ 49.760726] kasan_save_alloc_info+0x40/0x58 [ 49.764979] __kasan_kmalloc+0xd4/0xd8 [ 49.768712] __kmalloc_cache_noprof+0x16c/0x3c0 [ 49.773226] rcu_uaf+0xb0/0x2d8 [ 49.776350] kunit_try_run_case+0x170/0x3f0 [ 49.780517] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.785986] kthread+0x328/0x630 [ 49.789197] ret_from_fork+0x10/0x20 [ 49.792757] [ 49.794233] Freed by task 0: [ 49.797097] kasan_save_stack+0x3c/0x68 [ 49.800916] kasan_save_track+0x20/0x40 [ 
49.804736] kasan_save_free_info+0x4c/0x78 [ 49.808902] __kasan_slab_free+0x6c/0x98 [ 49.812808] kfree+0x214/0x3c8 [ 49.815847] rcu_uaf_reclaim+0x28/0x70 [ 49.819579] rcu_core+0x9f4/0x1e20 [ 49.822965] rcu_core_si+0x18/0x30 [ 49.826351] handle_softirqs+0x374/0xb28 [ 49.830256] __do_softirq+0x1c/0x28 [ 49.833728] [ 49.835204] Last potentially related work creation: [ 49.840064] kasan_save_stack+0x3c/0x68 [ 49.843884] kasan_record_aux_stack+0xb4/0xc8 [ 49.848225] __call_rcu_common.constprop.0+0x74/0x8c8 [ 49.853259] call_rcu+0x18/0x30 [ 49.856384] rcu_uaf+0x14c/0x2d8 [ 49.859596] kunit_try_run_case+0x170/0x3f0 [ 49.863763] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.869231] kthread+0x328/0x630 [ 49.872443] ret_from_fork+0x10/0x20 [ 49.876002] [ 49.877479] The buggy address belongs to the object at ffff000808530040 [ 49.877479] which belongs to the cache kmalloc-32 of size 32 [ 49.889806] The buggy address is located 0 bytes inside of [ 49.889806] freed 32-byte region [ffff000808530040, ffff000808530060) [ 49.901783] [ 49.903261] The buggy address belongs to the physical page: [ 49.908819] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x888530 [ 49.916803] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 49.923312] page_type: f5(slab) [ 49.926450] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000 [ 49.934167] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 49.941889] page dumped because: kasan: bad access detected [ 49.947441] [ 49.948917] Memory state around the buggy address: [ 49.953700] ffff00080852ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 49.960900] ffff00080852ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 49.968105] >ffff000808530000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 49.975306] ^ [ 49.980605] ffff000808530080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.987809] ffff000808530100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
[ 49.995012] ==================================================================
[ 30.959127] ================================================================== [ 30.959245] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 30.959309] Read of size 4 at addr fff00000c6500bc0 by task swapper/0/0 [ 30.959355] [ 30.959392] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 30.961994] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.962403] Hardware name: linux,dummy-virt (DT) [ 30.963042] Call trace: [ 30.963585] show_stack+0x20/0x38 (C) [ 30.964043] dump_stack_lvl+0x8c/0xd0 [ 30.964480] print_report+0x118/0x5d0 [ 30.964536] kasan_report+0xdc/0x128 [ 30.965043] __asan_report_load4_noabort+0x20/0x30 [ 30.965541] rcu_uaf_reclaim+0x64/0x70 [ 30.966063] rcu_core+0x9f4/0x1e20 [ 30.966117] rcu_core_si+0x18/0x30 [ 30.966834] handle_softirqs+0x374/0xb28 [ 30.968148] __do_softirq+0x1c/0x28 [ 30.968212] ____do_softirq+0x18/0x30 [ 30.968260] call_on_irq_stack+0x24/0x30 [ 30.968307] do_softirq_own_stack+0x24/0x38 [ 30.968355] __irq_exit_rcu+0x1fc/0x318 [ 30.968401] irq_exit_rcu+0x1c/0x80 [ 30.968822] el1_interrupt+0x38/0x58 [ 30.968884] el1h_64_irq_handler+0x18/0x28 [ 30.968943] el1h_64_irq+0x6c/0x70 [ 30.969051] finish_task_switch.isra.0+0x120/0x5e8 (P) [ 30.969108] __schedule+0xab4/0x2840 [ 30.969156] schedule_idle+0x60/0xa8 [ 30.969200] do_idle+0x2c4/0x4e8 [ 30.969248] cpu_startup_entry+0x64/0x80 [ 30.969295] rest_init+0x160/0x188 [ 30.969339] start_kernel+0x30c/0x3d0 [ 30.969391] __primary_switched+0x8c/0xa0 [ 30.969455] [ 30.970675] Allocated by task 230: [ 30.970715] kasan_save_stack+0x3c/0x68 [ 30.970766] kasan_save_track+0x20/0x40 [ 30.970806] kasan_save_alloc_info+0x40/0x58 [ 30.970845] __kasan_kmalloc+0xd4/0xd8 [ 30.970883] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.970925] rcu_uaf+0xb0/0x2d8 [ 30.971234] kunit_try_run_case+0x170/0x3f0 [ 30.971285] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.971331] kthread+0x328/0x630 [ 30.971839] ret_from_fork+0x10/0x20 [ 30.971952] [ 30.971972] Freed by task 0: [ 
30.972154] kasan_save_stack+0x3c/0x68 [ 30.972201] kasan_save_track+0x20/0x40 [ 30.972239] kasan_save_free_info+0x4c/0x78 [ 30.972277] __kasan_slab_free+0x6c/0x98 [ 30.972935] kfree+0x214/0x3c8 [ 30.973837] rcu_uaf_reclaim+0x28/0x70 [ 30.973884] rcu_core+0x9f4/0x1e20 [ 30.973920] rcu_core_si+0x18/0x30 [ 30.973955] handle_softirqs+0x374/0xb28 [ 30.973993] __do_softirq+0x1c/0x28 [ 30.974029] [ 30.974065] Last potentially related work creation: [ 30.974486] kasan_save_stack+0x3c/0x68 [ 30.974536] kasan_record_aux_stack+0xb4/0xc8 [ 30.974576] __call_rcu_common.constprop.0+0x74/0x8c8 [ 30.974620] call_rcu+0x18/0x30 [ 30.974654] rcu_uaf+0x14c/0x2d8 [ 30.974691] kunit_try_run_case+0x170/0x3f0 [ 30.974729] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.974772] kthread+0x328/0x630 [ 30.974805] ret_from_fork+0x10/0x20 [ 30.974848] [ 30.974875] The buggy address belongs to the object at fff00000c6500bc0 [ 30.974875] which belongs to the cache kmalloc-32 of size 32 [ 30.974935] The buggy address is located 0 bytes inside of [ 30.974935] freed 32-byte region [fff00000c6500bc0, fff00000c6500be0) [ 30.974994] [ 30.975014] The buggy address belongs to the physical page: [ 30.975047] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106500 [ 30.975100] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.975160] page_type: f5(slab) [ 30.975206] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 30.975256] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 30.975297] page dumped because: kasan: bad access detected [ 30.975327] [ 30.975344] Memory state around the buggy address: [ 30.975378] fff00000c6500a80: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc [ 30.975420] fff00000c6500b00: fa fb fb fb fc fc fc fc 00 00 05 fc fc fc fc fc [ 30.975491] >fff00000c6500b80: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 30.975530] ^ [ 30.975564] fff00000c6500c00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc 
fc [ 30.975605] fff00000c6500c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.975644] ==================================================================
[ 24.597731] ================================================================== [ 24.599102] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 24.599327] Read of size 4 at addr ffff8881055e0b40 by task swapper/1/0 [ 24.599534] [ 24.599645] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) [ 24.599693] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.599705] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.599726] Call Trace: [ 24.599755] <IRQ> [ 24.599772] dump_stack_lvl+0x73/0xb0 [ 24.599802] print_report+0xd1/0x610 [ 24.599824] ? __virt_addr_valid+0x1db/0x2d0 [ 24.599846] ? rcu_uaf_reclaim+0x50/0x60 [ 24.599866] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.599891] ? rcu_uaf_reclaim+0x50/0x60 [ 24.599911] kasan_report+0x141/0x180 [ 24.599932] ? rcu_uaf_reclaim+0x50/0x60 [ 24.599956] __asan_report_load4_noabort+0x18/0x20 [ 24.599980] rcu_uaf_reclaim+0x50/0x60 [ 24.600000] rcu_core+0x66f/0x1c40 [ 24.600029] ? __pfx_rcu_core+0x10/0x10 [ 24.600050] ? ktime_get+0x6b/0x150 [ 24.600072] ? handle_softirqs+0x18e/0x730 [ 24.600096] rcu_core_si+0x12/0x20 [ 24.600116] handle_softirqs+0x209/0x730 [ 24.600135] ? hrtimer_interrupt+0x2fe/0x780 [ 24.600162] ? 
__pfx_handle_softirqs+0x10/0x10 [ 24.600188] __irq_exit_rcu+0xc9/0x110 [ 24.600208] irq_exit_rcu+0x12/0x20 [ 24.600227] sysvec_apic_timer_interrupt+0x81/0x90 [ 24.600251] </IRQ> [ 24.600276] <TASK> [ 24.600287] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 24.600380] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 24.601279] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d e3 22 17 00 fb f4 <e9> 7c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 24.601957] RSP: 0000:ffff88810087fdc8 EFLAGS: 00010216 [ 24.602473] RAX: ffff88819d115000 RBX: ffff88810085b000 RCX: ffffffffbbb19a25 [ 24.602549] RDX: ffffed102b626193 RSI: 0000000000000004 RDI: 000000000001c67c [ 24.602690] RBP: ffff88810087fdd0 R08: 0000000000000001 R09: ffffed102b626192 [ 24.602737] R10: ffff88815b130c93 R11: ffff88815b1363c8 R12: 0000000000000001 [ 24.602781] R13: ffffed102010b600 R14: ffffffffbd7f91d0 R15: 0000000000000000 [ 24.602843] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 24.602902] ? default_idle+0xd/0x20 [ 24.602926] arch_cpu_idle+0xd/0x20 [ 24.602948] default_idle_call+0x48/0x80 [ 24.602969] do_idle+0x379/0x4f0 [ 24.602996] ? __pfx_do_idle+0x10/0x10 [ 24.603017] ? _raw_spin_unlock_irqrestore+0x49/0x90 [ 24.603040] ? complete+0x15b/0x1d0 [ 24.603066] cpu_startup_entry+0x5c/0x70 [ 24.603089] start_secondary+0x211/0x290 [ 24.603111] ? 
__pfx_start_secondary+0x10/0x10 [ 24.603137] common_startup_64+0x13e/0x148 [ 24.603170] </TASK> [ 24.603181] [ 24.616785] Allocated by task 246: [ 24.616933] kasan_save_stack+0x45/0x70 [ 24.617116] kasan_save_track+0x18/0x40 [ 24.617245] kasan_save_alloc_info+0x3b/0x50 [ 24.617388] __kasan_kmalloc+0xb7/0xc0 [ 24.617512] __kmalloc_cache_noprof+0x189/0x420 [ 24.617813] rcu_uaf+0xb0/0x330 [ 24.617983] kunit_try_run_case+0x1a5/0x480 [ 24.618196] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.618442] kthread+0x337/0x6f0 [ 24.618711] ret_from_fork+0x116/0x1d0 [ 24.618900] ret_from_fork_asm+0x1a/0x30 [ 24.619057] [ 24.619120] Freed by task 0: [ 24.619219] kasan_save_stack+0x45/0x70 [ 24.619347] kasan_save_track+0x18/0x40 [ 24.619514] kasan_save_free_info+0x3f/0x60 [ 24.619800] __kasan_slab_free+0x56/0x70 [ 24.619992] kfree+0x222/0x3f0 [ 24.620144] rcu_uaf_reclaim+0x1f/0x60 [ 24.620267] rcu_core+0x66f/0x1c40 [ 24.620387] rcu_core_si+0x12/0x20 [ 24.620503] handle_softirqs+0x209/0x730 [ 24.620887] __irq_exit_rcu+0xc9/0x110 [ 24.621095] irq_exit_rcu+0x12/0x20 [ 24.621277] sysvec_apic_timer_interrupt+0x81/0x90 [ 24.621505] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 24.621836] [ 24.621954] Last potentially related work creation: [ 24.622191] kasan_save_stack+0x45/0x70 [ 24.622333] kasan_record_aux_stack+0xb2/0xc0 [ 24.622484] __call_rcu_common.constprop.0+0x7b/0x9e0 [ 24.622792] call_rcu+0x12/0x20 [ 24.622967] rcu_uaf+0x168/0x330 [ 24.623128] kunit_try_run_case+0x1a5/0x480 [ 24.623321] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.623535] kthread+0x337/0x6f0 [ 24.623770] ret_from_fork+0x116/0x1d0 [ 24.623921] ret_from_fork_asm+0x1a/0x30 [ 24.624120] [ 24.624220] The buggy address belongs to the object at ffff8881055e0b40 [ 24.624220] which belongs to the cache kmalloc-32 of size 32 [ 24.624769] The buggy address is located 0 bytes inside of [ 24.624769] freed 32-byte region [ffff8881055e0b40, ffff8881055e0b60) [ 24.625110] [ 24.625176] The buggy address belongs to the 
physical page: [ 24.625380] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1055e0 [ 24.625923] flags: 0x200000000000000(node=0|zone=2) [ 24.626163] page_type: f5(slab) [ 24.626325] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 24.626740] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 24.627054] page dumped because: kasan: bad access detected [ 24.627250] [ 24.627311] Memory state around the buggy address: [ 24.627459] ffff8881055e0a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 24.627854] ffff8881055e0a80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 24.628169] >ffff8881055e0b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 24.628476] ^ [ 24.628785] ffff8881055e0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.629055] ffff8881055e0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.629330] ==================================================================