Date
June 24, 2025, 12:47 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 24.610273] ==================================================================
[ 24.612260] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 24.612519] Read of size 4 at addr fff00000c5a2cd00 by task swapper/0/0
[ 24.612642]
[ 24.612748] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.15.4-rc2 #1 PREEMPT
[ 24.613097] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.613173] Hardware name: linux,dummy-virt (DT)
[ 24.613811] Call trace:
[ 24.613916] show_stack+0x20/0x38 (C)
[ 24.614026] dump_stack_lvl+0x8c/0xd0
[ 24.614092] print_report+0x118/0x608
[ 24.614213] kasan_report+0xdc/0x128
[ 24.614339] __asan_report_load4_noabort+0x20/0x30
[ 24.614592] rcu_uaf_reclaim+0x64/0x70
[ 24.615190] rcu_core+0x9f4/0x1e20
[ 24.615316] rcu_core_si+0x18/0x30
[ 24.616425] handle_softirqs+0x374/0xb28
[ 24.616568] __do_softirq+0x1c/0x28
[ 24.616961] ____do_softirq+0x18/0x30
[ 24.617583] call_on_irq_stack+0x24/0x30
[ 24.617929] do_softirq_own_stack+0x24/0x38
[ 24.618555] __irq_exit_rcu+0x1fc/0x318
[ 24.618693] irq_exit_rcu+0x1c/0x80
[ 24.619529] el1_interrupt+0x38/0x58
[ 24.619684] el1h_64_irq_handler+0x18/0x28
[ 24.619933] el1h_64_irq+0x6c/0x70
[ 24.620231] arch_local_irq_enable+0x4/0x8 (P)
[ 24.620363] do_idle+0x384/0x4e8
[ 24.621689] cpu_startup_entry+0x64/0x80
[ 24.622297] rest_init+0x160/0x188
[ 24.623064] start_kernel+0x308/0x3d0
[ 24.623973] __primary_switched+0x8c/0xa0
[ 24.624695]
[ 24.624954] Allocated by task 200:
[ 24.625038] kasan_save_stack+0x3c/0x68
[ 24.625945] kasan_save_track+0x20/0x40
[ 24.626142] kasan_save_alloc_info+0x40/0x58
[ 24.626247] __kasan_kmalloc+0xd4/0xd8
[ 24.627356] __kmalloc_cache_noprof+0x16c/0x3c0
[ 24.627524] rcu_uaf+0xb0/0x2d8
[ 24.628317] kunit_try_run_case+0x170/0x3f0
[ 24.628465] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.628580] kthread+0x328/0x630
[ 24.629702] ret_from_fork+0x10/0x20
[ 24.630679]
[ 24.630917] Freed by task 0:
[ 24.631121] kasan_save_stack+0x3c/0x68
[ 24.631223] kasan_save_track+0x20/0x40
[ 24.632076] kasan_save_free_info+0x4c/0x78
[ 24.633243] __kasan_slab_free+0x6c/0x98
[ 24.633504] kfree+0x214/0x3c8
[ 24.633623] rcu_uaf_reclaim+0x28/0x70
[ 24.634104] rcu_core+0x9f4/0x1e20
[ 24.634498] rcu_core_si+0x18/0x30
[ 24.634588] handle_softirqs+0x374/0xb28
[ 24.634673] __do_softirq+0x1c/0x28
[ 24.634759]
[ 24.634820] Last potentially related work creation:
[ 24.634902] kasan_save_stack+0x3c/0x68
[ 24.634997] kasan_record_aux_stack+0xb4/0xc8
[ 24.635093] __call_rcu_common.constprop.0+0x70/0x8b0
[ 24.635192] call_rcu+0x18/0x30
[ 24.637068] rcu_uaf+0x14c/0x2d8
[ 24.637686] kunit_try_run_case+0x170/0x3f0
[ 24.637993] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.638123] kthread+0x328/0x630
[ 24.638223] ret_from_fork+0x10/0x20
[ 24.638332]
[ 24.640200] The buggy address belongs to the object at fff00000c5a2cd00
[ 24.640200]  which belongs to the cache kmalloc-32 of size 32
[ 24.640390] The buggy address is located 0 bytes inside of
[ 24.640390]  freed 32-byte region [fff00000c5a2cd00, fff00000c5a2cd20)
[ 24.641419]
[ 24.641550] The buggy address belongs to the physical page:
[ 24.641710] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a2c
[ 24.641852] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 24.642468] page_type: f5(slab)
[ 24.642586] raw: 0bfffe0000000000 fff00000c0001780 dead000000000100 dead000000000122
[ 24.643124] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 24.643610] page dumped because: kasan: bad access detected
[ 24.644212]
[ 24.644694] Memory state around the buggy address:
[ 24.645025]  fff00000c5a2cc00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 24.645263]  fff00000c5a2cc80: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 24.645391] >fff00000c5a2cd00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.646287]                    ^
[ 24.647016]  fff00000c5a2cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.647519]  fff00000c5a2ce00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.647625] ==================================================================
```
qemu-x86_64:

```text
[ 12.405468] ==================================================================
[ 12.406156] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 12.406667] Read of size 4 at addr ffff8881039e02c0 by task swapper/0/0
[ 12.406993]
[ 12.407134] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.15.4-rc2 #1 PREEMPT(voluntary)
[ 12.407204] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.407219] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.407248] Call Trace:
[ 12.407296] <IRQ>
[ 12.407331] dump_stack_lvl+0x73/0xb0
[ 12.407380] print_report+0xd1/0x650
[ 12.407415] ? __virt_addr_valid+0x1db/0x2d0
[ 12.407448] ? rcu_uaf_reclaim+0x50/0x60
[ 12.407480] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.407517] ? rcu_uaf_reclaim+0x50/0x60
[ 12.407551] kasan_report+0x141/0x180
[ 12.407588] ? rcu_uaf_reclaim+0x50/0x60
[ 12.407653] __asan_report_load4_noabort+0x18/0x20
[ 12.407695] rcu_uaf_reclaim+0x50/0x60
[ 12.407735] rcu_core+0x66c/0x1c30
[ 12.407836] ? enqueue_hrtimer+0xfe/0x210
[ 12.407886] ? __pfx_rcu_core+0x10/0x10
[ 12.407918] ? ktime_get+0x6b/0x150
[ 12.407955] ? handle_softirqs+0x18e/0x730
[ 12.407996] rcu_core_si+0x12/0x20
[ 12.408023] handle_softirqs+0x209/0x730
[ 12.408056] ? hrtimer_interrupt+0x2fe/0x780
[ 12.408099] ? __pfx_handle_softirqs+0x10/0x10
[ 12.408150] __irq_exit_rcu+0xc9/0x110
[ 12.408193] irq_exit_rcu+0x12/0x20
[ 12.408227] sysvec_apic_timer_interrupt+0x81/0x90
[ 12.408279] </IRQ>
[ 12.408334] <TASK>
[ 12.408352] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 12.408509] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 12.408918] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 83 cd 27 00 fb f4 <e9> fc 1f 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 12.409114] RSP: 0000:ffffffffa8407dd8 EFLAGS: 00010206
[ 12.409323] RAX: ffff8881b1893000 RBX: ffffffffa841ca80 RCX: ffffffffa720d015
[ 12.409399] RDX: ffffed102b606103 RSI: 0000000000000004 RDI: 000000000000ec34
[ 12.409476] RBP: ffffffffa8407de0 R08: 0000000000000001 R09: ffffed102b606102
[ 12.409523] R10: ffff88815b030813 R11: 0000000000037800 R12: 0000000000000000
[ 12.409581] R13: fffffbfff5083950 R14: ffffffffa8f9c210 R15: 0000000000000000
[ 12.409665] ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 12.409737] ? default_idle+0xd/0x20
[ 12.409758] arch_cpu_idle+0xd/0x20
[ 12.409778] default_idle_call+0x48/0x80
[ 12.409797] do_idle+0x379/0x4f0
[ 12.409820] ? __pfx_do_idle+0x10/0x10
[ 12.409838] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.409860] ? trace_preempt_on+0x20/0xc0
[ 12.409882] ? schedule+0x86/0x2e0
[ 12.409902] ? preempt_count_sub+0x50/0x80
[ 12.409926] cpu_startup_entry+0x5c/0x70
[ 12.409957] rest_init+0x11a/0x140
[ 12.409979] ? acpi_subsystem_init+0x5d/0x150
[ 12.410007] start_kernel+0x32b/0x410
[ 12.410030] x86_64_start_reservations+0x1c/0x30
[ 12.410052] x86_64_start_kernel+0xcf/0xe0
[ 12.410074] common_startup_64+0x13e/0x148
[ 12.410105] </TASK>
[ 12.410118]
[ 12.424967] Allocated by task 218:
[ 12.425311] kasan_save_stack+0x45/0x70
[ 12.425705] kasan_save_track+0x18/0x40
[ 12.426093] kasan_save_alloc_info+0x3b/0x50
[ 12.426449] __kasan_kmalloc+0xb7/0xc0
[ 12.426763] __kmalloc_cache_noprof+0x189/0x420
[ 12.427119] rcu_uaf+0xb0/0x330
[ 12.427454] kunit_try_run_case+0x1a5/0x480
[ 12.427852] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.428444] kthread+0x337/0x6f0
[ 12.428784] ret_from_fork+0x41/0x80
[ 12.429120] ret_from_fork_asm+0x1a/0x30
[ 12.429562]
[ 12.429760] Freed by task 0:
[ 12.430032] kasan_save_stack+0x45/0x70
[ 12.430389] kasan_save_track+0x18/0x40
[ 12.430874] kasan_save_free_info+0x3f/0x60
[ 12.431166] __kasan_slab_free+0x56/0x70
[ 12.431452] kfree+0x222/0x3f0
[ 12.431756] rcu_uaf_reclaim+0x1f/0x60
[ 12.431962] rcu_core+0x66c/0x1c30
[ 12.432234] rcu_core_si+0x12/0x20
[ 12.432526] handle_softirqs+0x209/0x730
[ 12.432844] __irq_exit_rcu+0xc9/0x110
[ 12.432994] irq_exit_rcu+0x12/0x20
[ 12.433156] sysvec_apic_timer_interrupt+0x81/0x90
[ 12.433594] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 12.434015]
[ 12.434270] Last potentially related work creation:
[ 12.434766] kasan_save_stack+0x45/0x70
[ 12.435109] kasan_record_aux_stack+0xb2/0xc0
[ 12.435491] __call_rcu_common.constprop.0+0x72/0x9c0
[ 12.435949] call_rcu+0x12/0x20
[ 12.436139] rcu_uaf+0x168/0x330
[ 12.436409] kunit_try_run_case+0x1a5/0x480
[ 12.436841] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.437096] kthread+0x337/0x6f0
[ 12.437206] ret_from_fork+0x41/0x80
[ 12.437320] ret_from_fork_asm+0x1a/0x30
[ 12.437472]
[ 12.437690] The buggy address belongs to the object at ffff8881039e02c0
[ 12.437690]  which belongs to the cache kmalloc-32 of size 32
[ 12.438528] The buggy address is located 0 bytes inside of
[ 12.438528]  freed 32-byte region [ffff8881039e02c0, ffff8881039e02e0)
[ 12.439433]
[ 12.439661] The buggy address belongs to the physical page:
[ 12.440264] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039e0
[ 12.441065] flags: 0x200000000000000(node=0|zone=2)
[ 12.441569] page_type: f5(slab)
[ 12.441969] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 12.442591] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 12.443109] page dumped because: kasan: bad access detected
[ 12.443459]
[ 12.443654] Memory state around the buggy address:
[ 12.443943]  ffff8881039e0180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 12.444165]  ffff8881039e0200: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 12.444406] >ffff8881039e0280: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 12.445097]                                            ^
[ 12.445693]  ffff8881039e0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.446121]  ffff8881039e0380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.446639] ==================================================================
```