Date: June 26, 2025, 11:12 a.m.

| Environment |
|---|
| e850-96 |
| qemu-x86_64 |
```text
[ 32.620986] ==================================================================
[ 32.621160] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70
[ 32.621286] Read of size 4 at addr ffff000800d63b80 by task swapper/7/0
[ 32.622349]
[ 32.623833] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G B N 6.15.4-rc3 #1 PREEMPT
[ 32.623884] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.623898] Hardware name: WinLink E850-96 board (DT)
[ 32.623921] Call trace:
[ 32.623935]  show_stack+0x20/0x38 (C)
[ 32.623970]  dump_stack_lvl+0x8c/0xd0
[ 32.624010]  print_report+0x118/0x608
[ 32.624041]  kasan_report+0xdc/0x128
[ 32.624071]  __asan_report_load4_noabort+0x20/0x30
[ 32.624108]  rcu_uaf_reclaim+0x64/0x70
[ 32.624139]  rcu_core+0x9f4/0x1e20
[ 32.624172]  rcu_core_si+0x18/0x30
[ 32.624200]  handle_softirqs+0x374/0xb28
[ 32.624234]  __do_softirq+0x1c/0x28
[ 32.624264]  ____do_softirq+0x18/0x30
[ 32.624297]  call_on_irq_stack+0x24/0x30
[ 32.624325]  do_softirq_own_stack+0x24/0x38
[ 32.624355]  __irq_exit_rcu+0x1fc/0x318
[ 32.624384]  irq_exit_rcu+0x1c/0x80
[ 32.624414]  el1_interrupt+0x38/0x58
[ 32.624442]  el1h_64_irq_handler+0x18/0x28
[ 32.624475]  el1h_64_irq+0x6c/0x70
[ 32.624503]  arch_local_irq_enable+0x4/0x8 (P)
[ 32.624536]  do_idle+0x384/0x4e8
[ 32.624567]  cpu_startup_entry+0x68/0x80
[ 32.624595]  secondary_start_kernel+0x288/0x340
[ 32.624633]  __secondary_switched+0xc0/0xc8
[ 32.624670]
[ 32.733543] Allocated by task 247:
[ 32.736930]  kasan_save_stack+0x3c/0x68
[ 32.740748]  kasan_save_track+0x20/0x40
[ 32.744569]  kasan_save_alloc_info+0x40/0x58
[ 32.748821]  __kasan_kmalloc+0xd4/0xd8
[ 32.752553]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.757067]  rcu_uaf+0xb0/0x2d8
[ 32.760192]  kunit_try_run_case+0x170/0x3f0
[ 32.764359]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.769827]  kthread+0x328/0x630
[ 32.773039]  ret_from_fork+0x10/0x20
[ 32.776598]
[ 32.778074] Freed by task 0:
[ 32.780938]  kasan_save_stack+0x3c/0x68
[ 32.784758]  kasan_save_track+0x20/0x40
[ 32.788577]  kasan_save_free_info+0x4c/0x78
[ 32.792744]  __kasan_slab_free+0x6c/0x98
[ 32.796650]  kfree+0x214/0x3c8
[ 32.799688]  rcu_uaf_reclaim+0x28/0x70
[ 32.803422]  rcu_core+0x9f4/0x1e20
[ 32.806806]  rcu_core_si+0x18/0x30
[ 32.810192]  handle_softirqs+0x374/0xb28
[ 32.814098]  __do_softirq+0x1c/0x28
[ 32.817569]
[ 32.819048] Last potentially related work creation:
[ 32.823908]  kasan_save_stack+0x3c/0x68
[ 32.827726]  kasan_record_aux_stack+0xb4/0xc8
[ 32.832066]  __call_rcu_common.constprop.0+0x70/0x8b0
[ 32.837101]  call_rcu+0x18/0x30
[ 32.840226]  rcu_uaf+0x14c/0x2d8
[ 32.843437]  kunit_try_run_case+0x170/0x3f0
[ 32.847604]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.853073]  kthread+0x328/0x630
[ 32.856285]  ret_from_fork+0x10/0x20
[ 32.859844]
[ 32.861320] The buggy address belongs to the object at ffff000800d63b80
[ 32.861320]  which belongs to the cache kmalloc-32 of size 32
[ 32.873649] The buggy address is located 0 bytes inside of
[ 32.873649]  freed 32-byte region [ffff000800d63b80, ffff000800d63ba0)
[ 32.885624]
[ 32.887104] The buggy address belongs to the physical page:
[ 32.892660] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880d63
[ 32.900644] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.907155] page_type: f5(slab)
[ 32.910293] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 32.918009] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 32.925728] page dumped because: kasan: bad access detected
[ 32.931285]
[ 32.932760] Memory state around the buggy address:
[ 32.937543]  ffff000800d63a80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.944742]  ffff000800d63b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.951947] >ffff000800d63b80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.959148]                    ^
[ 32.962365]  ffff000800d63c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.969568]  ffff000800d63c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.976770] ==================================================================
```
```text
[ 11.481885] ==================================================================
[ 11.482386] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60
[ 11.482664] Read of size 4 at addr ffff8881029fc640 by task swapper/0/0
[ 11.482978]
[ 11.483101] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.15.4-rc3 #1 PREEMPT(voluntary)
[ 11.483149] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.483161] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.483185] Call Trace:
[ 11.483212]  <IRQ>
[ 11.483263]  dump_stack_lvl+0x73/0xb0
[ 11.483306]  print_report+0xd1/0x650
[ 11.483331]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.483355]  ? rcu_uaf_reclaim+0x50/0x60
[ 11.483375]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.483397]  ? rcu_uaf_reclaim+0x50/0x60
[ 11.483418]  kasan_report+0x141/0x180
[ 11.483440]  ? rcu_uaf_reclaim+0x50/0x60
[ 11.483466]  __asan_report_load4_noabort+0x18/0x20
[ 11.483488]  rcu_uaf_reclaim+0x50/0x60
[ 11.483509]  rcu_core+0x66c/0x1c30
[ 11.483534]  ? enqueue_hrtimer+0xfe/0x210
[ 11.483575]  ? __pfx_rcu_core+0x10/0x10
[ 11.483607]  ? ktime_get+0x6b/0x150
[ 11.483630]  ? handle_softirqs+0x18e/0x730
[ 11.483657]  rcu_core_si+0x12/0x20
[ 11.483684]  handle_softirqs+0x209/0x730
[ 11.483733]  ? hrtimer_interrupt+0x2fe/0x780
[ 11.483757]  ? __pfx_handle_softirqs+0x10/0x10
[ 11.483783]  __irq_exit_rcu+0xc9/0x110
[ 11.483804]  irq_exit_rcu+0x12/0x20
[ 11.483822]  sysvec_apic_timer_interrupt+0x81/0x90
[ 11.483847]  </IRQ>
[ 11.483873]  <TASK>
[ 11.483883]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 11.484001] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 11.484232] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 83 cd 27 00 fb f4 <e9> fc 1f 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 11.484318] RSP: 0000:ffffffff89207dd8 EFLAGS: 00010202
[ 11.484411] RAX: ffff8881d0a93000 RBX: ffffffff8921ca80 RCX: ffffffff8800d015
[ 11.484455] RDX: ffffed102b606103 RSI: 0000000000000004 RDI: 00000000000066d4
[ 11.484496] RBP: ffffffff89207de0 R08: 0000000000000001 R09: ffffed102b606102
[ 11.484538] R10: ffff88815b030813 R11: 000000000000c400 R12: 0000000000000000
[ 11.484614] R13: fffffbfff1243950 R14: ffffffff89d9c210 R15: 0000000000000000
[ 11.484672]  ? ct_kernel_exit.constprop.0+0xa5/0xd0
[ 11.484742]  ? default_idle+0xd/0x20
[ 11.484764]  arch_cpu_idle+0xd/0x20
[ 11.484782]  default_idle_call+0x48/0x80
[ 11.484801]  do_idle+0x379/0x4f0
[ 11.484825]  ? __pfx_do_idle+0x10/0x10
[ 11.484845]  ? trace_preempt_on+0x20/0xc0
[ 11.484868]  ? schedule+0x86/0x2e0
[ 11.484889]  ? preempt_count_sub+0x50/0x80
[ 11.484914]  cpu_startup_entry+0x5c/0x70
[ 11.484944]  rest_init+0x11a/0x140
[ 11.484962]  ? acpi_subsystem_init+0x5d/0x150
[ 11.484988]  start_kernel+0x32b/0x410
[ 11.485010]  x86_64_start_reservations+0x1c/0x30
[ 11.485032]  x86_64_start_kernel+0xcf/0xe0
[ 11.485053]  common_startup_64+0x13e/0x148
[ 11.485085]  </TASK>
[ 11.485097]
[ 11.502497] Allocated by task 217:
[ 11.502799]  kasan_save_stack+0x45/0x70
[ 11.503185]  kasan_save_track+0x18/0x40
[ 11.503547]  kasan_save_alloc_info+0x3b/0x50
[ 11.504040]  __kasan_kmalloc+0xb7/0xc0
[ 11.504407]  __kmalloc_cache_noprof+0x189/0x420
[ 11.504930]  rcu_uaf+0xb0/0x330
[ 11.505186]  kunit_try_run_case+0x1a5/0x480
[ 11.505524]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.506027]  kthread+0x337/0x6f0
[ 11.506294]  ret_from_fork+0x41/0x80
[ 11.506535]  ret_from_fork_asm+0x1a/0x30
[ 11.507045]
[ 11.507223] Freed by task 0:
[ 11.507473]  kasan_save_stack+0x45/0x70
[ 11.507869]  kasan_save_track+0x18/0x40
[ 11.508154]  kasan_save_free_info+0x3f/0x60
[ 11.508303]  __kasan_slab_free+0x56/0x70
[ 11.508440]  kfree+0x222/0x3f0
[ 11.508553]  rcu_uaf_reclaim+0x1f/0x60
[ 11.508972]  rcu_core+0x66c/0x1c30
[ 11.509292]  rcu_core_si+0x12/0x20
[ 11.509650]  handle_softirqs+0x209/0x730
[ 11.510089]  __irq_exit_rcu+0xc9/0x110
[ 11.510455]  irq_exit_rcu+0x12/0x20
[ 11.510862]  sysvec_apic_timer_interrupt+0x81/0x90
[ 11.511306]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 11.511605]
[ 11.511927] Last potentially related work creation:
[ 11.512311]  kasan_save_stack+0x45/0x70
[ 11.512456]  kasan_record_aux_stack+0xb2/0xc0
[ 11.512605]  __call_rcu_common.constprop.0+0x72/0x9c0
[ 11.513160]  call_rcu+0x12/0x20
[ 11.513472]  rcu_uaf+0x168/0x330
[ 11.513817]  kunit_try_run_case+0x1a5/0x480
[ 11.514214]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.514471]  kthread+0x337/0x6f0
[ 11.514807]  ret_from_fork+0x41/0x80
[ 11.515124]  ret_from_fork_asm+0x1a/0x30
[ 11.515283]
[ 11.515365] The buggy address belongs to the object at ffff8881029fc640
[ 11.515365]  which belongs to the cache kmalloc-32 of size 32
[ 11.516220] The buggy address is located 0 bytes inside of
[ 11.516220]  freed 32-byte region [ffff8881029fc640, ffff8881029fc660)
[ 11.517367]
[ 11.517545] The buggy address belongs to the physical page:
[ 11.518168] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029fc
[ 11.518717] flags: 0x200000000000000(node=0|zone=2)
[ 11.518980] page_type: f5(slab)
[ 11.519326] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 11.519914] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 11.520155] page dumped because: kasan: bad access detected
[ 11.520335]
[ 11.520404] Memory state around the buggy address:
[ 11.520583]  ffff8881029fc500: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 11.521311]  ffff8881029fc580: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 11.521953] >ffff8881029fc600: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 11.522388]                                            ^
[ 11.522806]  ffff8881029fc680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.523765]  ffff8881029fc700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.524261] ==================================================================
```