Hay
Date: Feb. 5, 2025, 2:09 p.m.
Environment: qemu-arm64

[  184.522224] ==================================================================
[  184.524498] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x30/0x50
[  184.526144] Read of size 4 at addr ffff0000c5f6ee80 by task swapper/1/0
[  184.527618] 
[  184.528285] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B            N 6.6.76-rc1 #1
[  184.529960] Hardware name: linux,dummy-virt (DT)
[  184.531040] Call trace:
[  184.531775]  dump_backtrace+0x9c/0x128
[  184.532867]  show_stack+0x20/0x38
[  184.533883]  dump_stack_lvl+0x60/0xb0
[  184.535019]  print_report+0xf8/0x5d8
[  184.536125]  kasan_report+0xc8/0x118
[  184.537245]  __asan_load4+0x9c/0xc0
[  184.538353]  rcu_uaf_reclaim+0x30/0x50
[  184.539468]  rcu_core+0x448/0xf40
[  184.540523]  rcu_core_si+0x18/0x30
[  184.541591]  handle_softirqs+0x240/0x678
[  184.542760]  __do_softirq+0x1c/0x28
[  184.543755]  ____do_softirq+0x18/0x30
[  184.544838]  call_on_irq_stack+0x24/0x58
[  184.545982]  do_softirq_own_stack+0x24/0x38
[  184.547162]  irq_exit_rcu+0x110/0x160
[  184.548256]  el1_interrupt+0x38/0x58
[  184.549294]  el1h_64_irq_handler+0x18/0x28
[  184.550419]  el1h_64_irq+0x64/0x68
[  184.551429]  arch_local_irq_enable+0x4/0x8
[  184.552589]  do_idle+0x304/0x388
[  184.553588]  cpu_startup_entry+0x44/0x58
[  184.554734]  secondary_start_kernel+0x1e8/0x228
[  184.556016]  __secondary_switched+0xb8/0xc0
[  184.557253] 
[  184.557878] Allocated by task 212:
[  184.558762]  kasan_save_stack+0x3c/0x68
[  184.559945]  kasan_set_track+0x2c/0x40
[  184.561068]  kasan_save_alloc_info+0x24/0x38
[  184.562361]  __kasan_kmalloc+0xd4/0xd8
[  184.563507]  kmalloc_trace+0x68/0x130
[  184.564560]  rcu_uaf+0x9c/0x1e0
[  184.565498]  kunit_try_run_case+0xf8/0x260
[  184.566735]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  184.568182]  kthread+0x18c/0x1a8
[  184.569124]  ret_from_fork+0x10/0x20
[  184.570226] 
[  184.570751] Freed by task 0:
[  184.571562]  kasan_save_stack+0x3c/0x68
[  184.572728]  kasan_set_track+0x2c/0x40
[  184.573894]  kasan_save_free_info+0x38/0x60
[  184.575174]  __kasan_slab_free+0x100/0x170
[  184.576376]  __kmem_cache_free+0x170/0x2e0
[  184.577556]  kfree+0x74/0x138
[  184.578486]  rcu_uaf_reclaim+0x28/0x50
[  184.579561]  rcu_core+0x448/0xf40
[  184.580651]  rcu_core_si+0x18/0x30
[  184.581729]  handle_softirqs+0x240/0x678
[  184.582972]  __do_softirq+0x1c/0x28
[  184.584007] 
[  184.584608] Last potentially related work creation:
[  184.585738]  kasan_save_stack+0x3c/0x68
[  184.586921]  __kasan_record_aux_stack+0xb8/0xe8
[  184.588241]  kasan_record_aux_stack_noalloc+0x14/0x20
[  184.589805]  __call_rcu_common.constprop.0+0x58/0x598
[  184.591119]  call_rcu+0x18/0x30
[  184.592933]  rcu_uaf+0xd4/0x1e0
[  184.594058]  kunit_try_run_case+0xf8/0x260
[  184.595062]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  184.596586]  kthread+0x18c/0x1a8
[  184.597540]  ret_from_fork+0x10/0x20
[  184.598780] 
[  184.599531] The buggy address belongs to the object at ffff0000c5f6ee80
[  184.599531]  which belongs to the cache kmalloc-32 of size 32
[  184.602201] The buggy address is located 0 bytes inside of
[  184.602201]  freed 32-byte region [ffff0000c5f6ee80, ffff0000c5f6eea0)
[  184.604468] 
[  184.605065] The buggy address belongs to the physical page:
[  184.606431] page:00000000e8269612 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105f6e
[  184.608392] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[  184.609996] page_type: 0xffffffff()
[  184.611149] raw: 0bfffc0000000800 ffff0000c0001500 dead000000000122 0000000000000000
[  184.612881] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[  184.614462] page dumped because: kasan: bad access detected
[  184.615766] 
[  184.616346] Memory state around the buggy address:
[  184.617607]  ffff0000c5f6ed80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[  184.619234]  ffff0000c5f6ee00: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[  184.620882] >ffff0000c5f6ee80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[  184.622439]                    ^
[  184.623340]  ffff0000c5f6ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  184.624950]  ffff0000c5f6ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  184.626526] ==================================================================