Hay
Date
June 2, 2025, 2:11 p.m.

Environment
e850-96
qemu-arm64
qemu-x86_64

Note: the three reports below (one per environment) are the same KASAN slab-use-after-free in `rcu_uaf_reclaim`. In each, the 32-byte object is allocated by `rcu_uaf` running under `kunit_try_run_case`, the RCU callback is registered from `rcu_uaf` via `call_rcu`, and the callback frees the object (`rcu_uaf_reclaim+0x28`/`+0x1f`) and then reads it (`+0x64`/`+0x50`); every kernel also carries the `N` (TEST) taint. This pattern is consistent with the KUnit KASAN self-test deliberately triggering a use-after-free to confirm KASAN detects it, so these splats most likely document the detector working rather than a kernel vulnerability — verify against the KUnit pass/fail status for the `rcu_uaf` case before treating them as findings. The qemu-arm64 run additionally shows the `W` (WARN) taint, which points to an earlier, unrelated warning in that boot that is not included here.

[   30.510633] ==================================================================
[   30.510812] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[   30.510940] Read of size 4 at addr ffff000806717080 by task swapper/6/0
[   30.511997] 
[   30.513484] CPU: 6 UID: 0 PID: 0 Comm: swapper/6 Tainted: G    B            N  6.15.1-rc1 #1 PREEMPT 
[   30.513535] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.513551] Hardware name: WinLink E850-96 board (DT)
[   30.513573] Call trace:
[   30.513586]  show_stack+0x20/0x38 (C)
[   30.513627]  dump_stack_lvl+0x8c/0xd0
[   30.513662]  print_report+0x118/0x608
[   30.513692]  kasan_report+0xdc/0x128
[   30.513720]  __asan_report_load4_noabort+0x20/0x30
[   30.513755]  rcu_uaf_reclaim+0x64/0x70
[   30.513786]  rcu_core+0x9f4/0x1e20
[   30.513819]  rcu_core_si+0x18/0x30
[   30.513846]  handle_softirqs+0x374/0xb28
[   30.513881]  __do_softirq+0x1c/0x28
[   30.513908]  ____do_softirq+0x18/0x30
[   30.513938]  call_on_irq_stack+0x24/0x58
[   30.513969]  do_softirq_own_stack+0x24/0x38
[   30.514001]  __irq_exit_rcu+0x1fc/0x318
[   30.514031]  irq_exit_rcu+0x1c/0x80
[   30.514057]  el1_interrupt+0x38/0x58
[   30.514091]  el1h_64_irq_handler+0x18/0x28
[   30.514124]  el1h_64_irq+0x6c/0x70
[   30.514152]  arch_local_irq_enable+0x4/0x8 (P)
[   30.514184]  do_idle+0x384/0x4e8
[   30.514214]  cpu_startup_entry+0x68/0x80
[   30.514245]  secondary_start_kernel+0x288/0x340
[   30.514285]  __secondary_switched+0xc0/0xc8
[   30.514323] 
[   30.623196] Allocated by task 245:
[   30.626579]  kasan_save_stack+0x3c/0x68
[   30.630398]  kasan_save_track+0x20/0x40
[   30.634217]  kasan_save_alloc_info+0x40/0x58
[   30.638471]  __kasan_kmalloc+0xd4/0xd8
[   30.642203]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.646717]  rcu_uaf+0xb0/0x2d8
[   30.649842]  kunit_try_run_case+0x170/0x3f0
[   30.654008]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.659479]  kthread+0x328/0x630
[   30.662689]  ret_from_fork+0x10/0x20
[   30.666248] 
[   30.667725] Freed by task 0:
[   30.670589]  kasan_save_stack+0x3c/0x68
[   30.674408]  kasan_save_track+0x20/0x40
[   30.678227]  kasan_save_free_info+0x4c/0x78
[   30.682394]  __kasan_slab_free+0x6c/0x98
[   30.686301]  kfree+0x214/0x3c8
[   30.689338]  rcu_uaf_reclaim+0x28/0x70
[   30.693071]  rcu_core+0x9f4/0x1e20
[   30.696456]  rcu_core_si+0x18/0x30
[   30.699841]  handle_softirqs+0x374/0xb28
[   30.703748]  __do_softirq+0x1c/0x28
[   30.707220] 
[   30.708697] Last potentially related work creation:
[   30.713556]  kasan_save_stack+0x3c/0x68
[   30.717376]  kasan_record_aux_stack+0xb4/0xc8
[   30.721717]  __call_rcu_common.constprop.0+0x70/0x8b0
[   30.726751]  call_rcu+0x18/0x30
[   30.729876]  rcu_uaf+0x14c/0x2d8
[   30.733087]  kunit_try_run_case+0x170/0x3f0
[   30.737254]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.742723]  kthread+0x328/0x630
[   30.745934]  ret_from_fork+0x10/0x20
[   30.749493] 
[   30.750972] The buggy address belongs to the object at ffff000806717080
[   30.750972]  which belongs to the cache kmalloc-32 of size 32
[   30.763298] The buggy address is located 0 bytes inside of
[   30.763298]  freed 32-byte region [ffff000806717080, ffff0008067170a0)
[   30.775274] 
[   30.776752] The buggy address belongs to the physical page:
[   30.782310] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886717
[   30.790295] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.796804] page_type: f5(slab)
[   30.799941] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[   30.807659] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   30.815379] page dumped because: kasan: bad access detected
[   30.820933] 
[   30.822409] Memory state around the buggy address:
[   30.827189]  ffff000806716f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.834393]  ffff000806717000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   30.841598] >ffff000806717080: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   30.848798]                    ^
[   30.852013]  ffff000806717100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.859218]  ffff000806717180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.866420] ==================================================================

[   19.370979] ==================================================================
[   19.371127] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[   19.371204] Read of size 4 at addr fff00000c3faa740 by task swapper/1/0
[   19.371251] 
[   19.371291] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G    B   W        N  6.15.1-rc1 #1 PREEMPT 
[   19.371393] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   19.371423] Hardware name: linux,dummy-virt (DT)
[   19.371456] Call trace:
[   19.371482]  show_stack+0x20/0x38 (C)
[   19.371533]  dump_stack_lvl+0x8c/0xd0
[   19.371584]  print_report+0x118/0x608
[   19.371629]  kasan_report+0xdc/0x128
[   19.371675]  __asan_report_load4_noabort+0x20/0x30
[   19.371727]  rcu_uaf_reclaim+0x64/0x70
[   19.371773]  rcu_core+0x9f4/0x1e20
[   19.371820]  rcu_core_si+0x18/0x30
[   19.371864]  handle_softirqs+0x374/0xb28
[   19.371911]  __do_softirq+0x1c/0x28
[   19.371956]  ____do_softirq+0x18/0x30
[   19.372000]  call_on_irq_stack+0x24/0x58
[   19.372047]  do_softirq_own_stack+0x24/0x38
[   19.372094]  __irq_exit_rcu+0x1fc/0x318
[   19.372140]  irq_exit_rcu+0x1c/0x80
[   19.372185]  el1_interrupt+0x38/0x58
[   19.372232]  el1h_64_irq_handler+0x18/0x28
[   19.372282]  el1h_64_irq+0x6c/0x70
[   19.374047]  arch_local_irq_enable+0x4/0x8 (P)
[   19.374621]  do_idle+0x384/0x4e8
[   19.374683]  cpu_startup_entry+0x64/0x80
[   19.374734]  secondary_start_kernel+0x288/0x340
[   19.374788]  __secondary_switched+0xc0/0xc8
[   19.374844] 
[   19.374864] Allocated by task 201:
[   19.374896]  kasan_save_stack+0x3c/0x68
[   19.374938]  kasan_save_track+0x20/0x40
[   19.374977]  kasan_save_alloc_info+0x40/0x58
[   19.375023]  __kasan_kmalloc+0xd4/0xd8
[   19.375061]  __kmalloc_cache_noprof+0x16c/0x3c0
[   19.375105]  rcu_uaf+0xb0/0x2d8
[   19.375142]  kunit_try_run_case+0x170/0x3f0
[   19.375185]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.375235]  kthread+0x328/0x630
[   19.375274]  ret_from_fork+0x10/0x20
[   19.375310] 
[   19.375328] Freed by task 0:
[   19.375366]  kasan_save_stack+0x3c/0x68
[   19.375405]  kasan_save_track+0x20/0x40
[   19.375443]  kasan_save_free_info+0x4c/0x78
[   19.375484]  __kasan_slab_free+0x6c/0x98
[   19.375521]  kfree+0x214/0x3c8
[   19.375556]  rcu_uaf_reclaim+0x28/0x70
[   19.375596]  rcu_core+0x9f4/0x1e20
[   19.375630]  rcu_core_si+0x18/0x30
[   19.375665]  handle_softirqs+0x374/0xb28
[   19.375702]  __do_softirq+0x1c/0x28
[   19.375738] 
[   19.375757] Last potentially related work creation:
[   19.375783]  kasan_save_stack+0x3c/0x68
[   19.375821]  kasan_record_aux_stack+0xb4/0xc8
[   19.375863]  __call_rcu_common.constprop.0+0x70/0x8b0
[   19.375906]  call_rcu+0x18/0x30
[   19.375939]  rcu_uaf+0x14c/0x2d8
[   19.375974]  kunit_try_run_case+0x170/0x3f0
[   19.376015]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.376063]  kthread+0x328/0x630
[   19.376098]  ret_from_fork+0x10/0x20
[   19.376135] 
[   19.376155] The buggy address belongs to the object at fff00000c3faa740
[   19.376155]  which belongs to the cache kmalloc-32 of size 32
[   19.376213] The buggy address is located 0 bytes inside of
[   19.376213]  freed 32-byte region [fff00000c3faa740, fff00000c3faa760)
[   19.376273] 
[   19.376295] The buggy address belongs to the physical page:
[   19.376329] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103faa
[   19.378632] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.378691] page_type: f5(slab)
[   19.378735] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   19.378787] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   19.378829] page dumped because: kasan: bad access detected
[   19.378862] 
[   19.378880] Memory state around the buggy address:
[   19.378916]  fff00000c3faa600: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[   19.378961]  fff00000c3faa680: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   19.379005] >fff00000c3faa700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   19.379051]                                            ^
[   19.379087]  fff00000c3faa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.379129]  fff00000c3faa800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.379168] ==================================================================

[   17.335511] ==================================================================
[   17.336237] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[   17.336455] Read of size 4 at addr ffff888102b2ef40 by task swapper/0/0
[   17.336939] 
[   17.337126] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G    B            N  6.15.1-rc1 #1 PREEMPT(voluntary) 
[   17.337192] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.337208] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.337236] Call Trace:
[   17.337274]  <IRQ>
[   17.337299]  dump_stack_lvl+0x73/0xb0
[   17.337337]  print_report+0xd1/0x650
[   17.337364]  ? __virt_addr_valid+0x1db/0x2d0
[   17.337393]  ? rcu_uaf_reclaim+0x50/0x60
[   17.337416]  ? kasan_complete_mode_report_info+0x64/0x200
[   17.337441]  ? rcu_uaf_reclaim+0x50/0x60
[   17.337465]  kasan_report+0x141/0x180
[   17.337491]  ? rcu_uaf_reclaim+0x50/0x60
[   17.337520]  __asan_report_load4_noabort+0x18/0x20
[   17.337543]  rcu_uaf_reclaim+0x50/0x60
[   17.337567]  rcu_core+0x66c/0x1c30
[   17.337596]  ? enqueue_hrtimer+0xfe/0x210
[   17.337624]  ? __pfx_rcu_core+0x10/0x10
[   17.337649]  ? ktime_get+0x6b/0x150
[   17.337673]  ? handle_softirqs+0x18e/0x730
[   17.337703]  rcu_core_si+0x12/0x20
[   17.337727]  handle_softirqs+0x209/0x730
[   17.337779]  ? hrtimer_interrupt+0x2fe/0x780
[   17.337807]  ? __pfx_handle_softirqs+0x10/0x10
[   17.337838]  __irq_exit_rcu+0xc9/0x110
[   17.337863]  irq_exit_rcu+0x12/0x20
[   17.337882]  sysvec_apic_timer_interrupt+0x81/0x90
[   17.337911]  </IRQ>
[   17.337944]  <TASK>
[   17.337958]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   17.338075] RIP: 0010:pv_native_safe_halt+0xf/0x20
[   17.338532] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 83 2d 28 00 fb f4 <e9> fc 1f 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[   17.338709] RSP: 0000:ffffffff93207dd8 EFLAGS: 00010212
[   17.338868] RAX: ffff8881c6a93000 RBX: ffffffff9321ca80 RCX: ffffffff92007015
[   17.338925] RDX: ffffed102b606103 RSI: 0000000000000004 RDI: 000000000000609c
[   17.338978] RBP: ffffffff93207de0 R08: 0000000000000001 R09: ffffed102b606102
[   17.339029] R10: ffff88815b030813 R11: 0000000000042400 R12: 0000000000000000
[   17.339083] R13: fffffbfff2643950 R14: ffffffff93d9bc10 R15: 0000000000000000
[   17.339286]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[   17.339396]  ? default_idle+0xd/0x20
[   17.339426]  arch_cpu_idle+0xd/0x20
[   17.339450]  default_idle_call+0x48/0x80
[   17.339475]  do_idle+0x379/0x4f0
[   17.339506]  ? __pfx_do_idle+0x10/0x10
[   17.339534]  ? rest_init+0x10b/0x140
[   17.339560]  cpu_startup_entry+0x5c/0x70
[   17.339587]  rest_init+0x11a/0x140
[   17.339610]  ? acpi_subsystem_init+0x5d/0x150
[   17.339686]  start_kernel+0x32b/0x410
[   17.339715]  x86_64_start_reservations+0x1c/0x30
[   17.339742]  x86_64_start_kernel+0xcf/0xe0
[   17.339786]  common_startup_64+0x13e/0x148
[   17.339830]  </TASK>
[   17.339849] 
[   17.355098] Allocated by task 219:
[   17.355491]  kasan_save_stack+0x45/0x70
[   17.355818]  kasan_save_track+0x18/0x40
[   17.356250]  kasan_save_alloc_info+0x3b/0x50
[   17.356794]  __kasan_kmalloc+0xb7/0xc0
[   17.357051]  __kmalloc_cache_noprof+0x189/0x420
[   17.357591]  rcu_uaf+0xb0/0x330
[   17.357969]  kunit_try_run_case+0x1a5/0x480
[   17.358359]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.358567]  kthread+0x337/0x6f0
[   17.358792]  ret_from_fork+0x41/0x80
[   17.359237]  ret_from_fork_asm+0x1a/0x30
[   17.359495] 
[   17.359906] Freed by task 0:
[   17.360228]  kasan_save_stack+0x45/0x70
[   17.360390]  kasan_save_track+0x18/0x40
[   17.360712]  kasan_save_free_info+0x3f/0x60
[   17.361002]  __kasan_slab_free+0x56/0x70
[   17.361202]  kfree+0x222/0x3f0
[   17.361457]  rcu_uaf_reclaim+0x1f/0x60
[   17.361582]  rcu_core+0x66c/0x1c30
[   17.361904]  rcu_core_si+0x12/0x20
[   17.362505]  handle_softirqs+0x209/0x730
[   17.362729]  __irq_exit_rcu+0xc9/0x110
[   17.363000]  irq_exit_rcu+0x12/0x20
[   17.363408]  sysvec_apic_timer_interrupt+0x81/0x90
[   17.363658]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   17.364050] 
[   17.364393] Last potentially related work creation:
[   17.364701]  kasan_save_stack+0x45/0x70
[   17.365019]  kasan_record_aux_stack+0xb2/0xc0
[   17.365460]  __call_rcu_common.constprop.0+0x72/0x9c0
[   17.365852]  call_rcu+0x12/0x20
[   17.365992]  rcu_uaf+0x168/0x330
[   17.366468]  kunit_try_run_case+0x1a5/0x480
[   17.366705]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.366993]  kthread+0x337/0x6f0
[   17.367391]  ret_from_fork+0x41/0x80
[   17.367714]  ret_from_fork_asm+0x1a/0x30
[   17.367973] 
[   17.368170] The buggy address belongs to the object at ffff888102b2ef40
[   17.368170]  which belongs to the cache kmalloc-32 of size 32
[   17.368818] The buggy address is located 0 bytes inside of
[   17.368818]  freed 32-byte region [ffff888102b2ef40, ffff888102b2ef60)
[   17.369507] 
[   17.369612] The buggy address belongs to the physical page:
[   17.369905] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b2e
[   17.370455] flags: 0x200000000000000(node=0|zone=2)
[   17.370768] page_type: f5(slab)
[   17.371006] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   17.371344] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.371669] page dumped because: kasan: bad access detected
[   17.372033] 
[   17.372163] Memory state around the buggy address:
[   17.372392]  ffff888102b2ee00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   17.373262]  ffff888102b2ee80: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   17.373536] >ffff888102b2ef00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   17.373984]                                            ^
[   17.374487]  ffff888102b2ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.374937]  ffff888102b2f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.375520] ==================================================================