Hay
Date
Feb. 5, 2025, 2:09 p.m.

Environment
qemu-armv7
qemu-x86_64

Note: both reports below come from the KASAN KUnit self-test case `rcu_uaf` — the allocation and `call_rcu` stacks pass through `kunit_try_run_case -> rcu_uaf`, and `rcu_uaf_reclaim` is seen both freeing the object and immediately reading it back. That test deliberately triggers a use-after-free in an RCU callback to confirm KASAN catches it, so these "BUG: KASAN: slab-use-after-free" lines are the test's expected (passing) output and are not evidence of a kernel vulnerability. The "B" in the taint flags reflects the earlier KASAN report, and the access is a 4-byte read at offset 0 of the freed kmalloc region (64 bytes on armv7, 32 bytes on x86_64).

[  147.957421] ==================================================================
[  147.958802] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x24/0x2c
[  147.959768] Read of size 4 at addr c8fbdb80 by task ksoftirqd/1/20
[  147.960489] 
[  147.960812] CPU: 1 PID: 20 Comm: ksoftirqd/1 Tainted: G    B            N 6.6.76-rc1 #1
[  147.961700] Hardware name: Generic DT based system
[  147.962307]  unwind_backtrace from show_stack+0x18/0x1c
[  147.962890]  show_stack from dump_stack_lvl+0x58/0x70
[  147.963689]  dump_stack_lvl from print_report+0x164/0x51c
[  147.964706]  print_report from kasan_report+0xc8/0x104
[  147.965465]  kasan_report from rcu_uaf_reclaim+0x24/0x2c
[  147.966769]  rcu_uaf_reclaim from rcu_core+0x418/0xc84
[  147.967509]  rcu_core from handle_softirqs+0x23c/0x5fc
[  147.968330]  handle_softirqs from run_ksoftirqd+0x50/0x68
[  147.969123]  run_ksoftirqd from smpboot_thread_fn+0x154/0x258
[  147.969963]  smpboot_thread_fn from kthread+0x184/0x1a8
[  147.970728]  kthread from ret_from_fork+0x14/0x30
[  147.971388] Exception stack(0xf186bfb0 to 0xf186bff8)
[  147.972140] bfa0:                                     00000000 00000000 00000000 00000000
[  147.973158] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  147.974085] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  147.974886] 
[  147.975207] Allocated by task 207:
[  147.975555]  kasan_set_track+0x3c/0x5c
[  147.976811]  __kasan_kmalloc+0x8c/0x94
[  147.977390]  rcu_uaf+0xa0/0x1dc
[  147.977810]  kunit_try_run_case+0x11c/0x2e4
[  147.978490]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  147.979306]  kthread+0x184/0x1a8
[  147.979774]  ret_from_fork+0x14/0x30
[  147.980360] 
[  147.980661] Freed by task 20:
[  147.981164]  kasan_set_track+0x3c/0x5c
[  147.981838]  kasan_save_free_info+0x30/0x3c
[  147.982412]  __kasan_slab_free+0xdc/0x124
[  147.983209]  __kmem_cache_free+0x140/0x2a8
[  147.983814]  rcu_uaf_reclaim+0x1c/0x2c
[  147.984478]  rcu_core+0x418/0xc84
[  147.985028]  handle_softirqs+0x23c/0x5fc
[  147.985634]  run_ksoftirqd+0x50/0x68
[  147.986170]  smpboot_thread_fn+0x154/0x258
[  147.986816]  kthread+0x184/0x1a8
[  147.987495]  ret_from_fork+0x14/0x30
[  147.988103] 
[  147.988458] Last potentially related work creation:
[  147.989036]  kasan_save_stack+0x30/0x4c
[  147.989650]  __kasan_record_aux_stack+0x84/0x8c
[  147.990431]  __call_rcu_common.constprop.0+0x44/0x59c
[  147.991213]  rcu_uaf+0xdc/0x1dc
[  147.991689]  kunit_try_run_case+0x11c/0x2e4
[  147.992354]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  147.993164]  kthread+0x184/0x1a8
[  147.993629]  ret_from_fork+0x14/0x30
[  147.994190] 
[  147.994573] The buggy address belongs to the object at c8fbdb80
[  147.994573]  which belongs to the cache kmalloc-64 of size 64
[  147.996029] The buggy address is located 0 bytes inside of
[  147.996029]  freed 64-byte region [c8fbdb80, c8fbdbc0)
[  147.997738] 
[  147.998078] The buggy address belongs to the physical page:
[  147.998715] page:652e16b7 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48fbd
[  147.999773] flags: 0x800(slab|zone=0)
[  148.000284] page_type: 0xffffffff()
[  148.000887] raw: 00000800 c4801200 00000122 00000000 00000000 80200020 ffffffff 00000001
[  148.001705] raw: 00000000
[  148.002140] page dumped because: kasan: bad access detected
[  148.002719] 
[  148.003083] Memory state around the buggy address:
[  148.003667]  c8fbda80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  148.004502]  c8fbdb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  148.005285] >c8fbdb80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  148.005993]            ^
[  148.006337]  c8fbdc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  148.007230]  c8fbdc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  148.007856] ==================================================================


[   51.785240] ==================================================================
[   51.786086] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x27/0x40
[   51.787386] Read of size 4 at addr ffff8881028429c0 by task swapper/0/0
[   51.788456] 
[   51.788731] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B            N 6.6.76-rc1 #1
[   51.789675] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   51.790646] Call Trace:
[   51.791185]  <IRQ>
[   51.791624]  dump_stack_lvl+0x4e/0x90
[   51.792225]  print_report+0xd2/0x660
[   51.792836]  ? __virt_addr_valid+0x156/0x1e0
[   51.793543]  ? kasan_complete_mode_report_info+0x64/0x200
[   51.794342]  kasan_report+0xff/0x140
[   51.794830]  ? rcu_uaf_reclaim+0x27/0x40
[   51.795398]  ? rcu_uaf_reclaim+0x27/0x40
[   51.796000]  ? __pfx_rcu_uaf_reclaim+0x10/0x10
[   51.796523]  __asan_load4+0x85/0xb0
[   51.797043]  rcu_uaf_reclaim+0x27/0x40
[   51.797545]  rcu_core+0x4be/0x1020
[   51.798059]  ? rcu_core+0x3ef/0x1020
[   51.798530]  ? __pfx_rcu_core+0x10/0x10
[   51.799093]  rcu_core_si+0x12/0x20
[   51.799619]  handle_softirqs+0x195/0x520
[   51.800176]  ? __pfx_handle_softirqs+0x10/0x10
[   51.800843]  irq_exit_rcu+0x92/0xb0
[   51.801319]  sysvec_apic_timer_interrupt+0x80/0xa0
[   51.802037]  </IRQ>
[   51.802345]  <TASK>
[   51.802631]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   51.803564] RIP: 0010:default_idle+0xf/0x20
[   51.804347] Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 23 e4 28 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
[   51.806097] RSP: 0000:ffffffff98407df0 EFLAGS: 00010212
[   51.806934] RAX: ffff88815b4342c0 RBX: ffffffff98418540 RCX: ffffffff973c96c8
[   51.807661] RDX: ffffed102b686859 RSI: 0000000000000004 RDI: 0000000000043c2c
[   51.808422] RBP: ffffffff98407df8 R08: 0000000000000001 R09: ffffed102b686858
[   51.809117] R10: ffff88815b4342c3 R11: ffffffff9560325b R12: 0000000000000000
[   51.810004] R13: ffffffff98e15b50 R14: 0000000000000000 R15: ffffffff98418540
[   51.810812]  ? ret_from_fork_asm+0x1b/0x30
[   51.811418]  ? ct_kernel_exit.constprop.0+0xa8/0xd0
[   51.812081]  ? arch_cpu_idle+0xd/0x20
[   51.812556]  default_idle_call+0x42/0x70
[   51.813086]  do_idle+0x2ba/0x310
[   51.813569]  ? __pfx_do_idle+0x10/0x10
[   51.814130]  ? trace_preempt_on+0x20/0xa0
[   51.814754]  ? schedule+0xa7/0x130
[   51.815290]  ? preempt_count_sub+0x50/0x80
[   51.815878]  cpu_startup_entry+0x3c/0x40
[   51.816487]  rest_init+0xe9/0xf0
[   51.817019]  arch_call_rest_init+0x17/0x50
[   51.817554]  start_kernel+0x2e3/0x3c0
[   51.818170]  x86_64_start_reservations+0x1c/0x30
[   51.818837]  x86_64_start_kernel+0xcf/0xe0
[   51.819348]  secondary_startup_64_no_verify+0x178/0x17b
[   51.819991]  </TASK>
[   51.820361] 
[   51.820595] Allocated by task 230:
[   51.821124]  kasan_save_stack+0x3c/0x60
[   51.821666]  kasan_set_track+0x29/0x40
[   51.822310]  kasan_save_alloc_info+0x22/0x30
[   51.823036]  __kasan_kmalloc+0xb7/0xc0
[   51.823505]  kmalloc_trace+0x4c/0xb0
[   51.824151]  rcu_uaf+0x9b/0x1e0
[   51.824746]  kunit_try_run_case+0x126/0x290
[   51.825468]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   51.826170]  kthread+0x19e/0x1e0
[   51.826779]  ret_from_fork+0x41/0x70
[   51.827381]  ret_from_fork_asm+0x1b/0x30
[   51.828026] 
[   51.828300] Freed by task 0:
[   51.828770]  kasan_save_stack+0x3c/0x60
[   51.829371]  kasan_set_track+0x29/0x40
[   51.830018]  kasan_save_free_info+0x2f/0x50
[   51.830617]  ____kasan_slab_free+0x172/0x1d0
[   51.831304]  __kasan_slab_free+0x16/0x20
[   51.831905]  __kmem_cache_free+0x190/0x310
[   51.832523]  kfree+0x7c/0x120
[   51.833031]  rcu_uaf_reclaim+0x1f/0x40
[   51.833409]  rcu_core+0x4be/0x1020
[   51.833964]  rcu_core_si+0x12/0x20
[   51.834472]  handle_softirqs+0x195/0x520
[   51.835897]  irq_exit_rcu+0x92/0xb0
[   51.836437]  sysvec_apic_timer_interrupt+0x80/0xa0
[   51.837596]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   51.838389] 
[   51.838624] Last potentially related work creation:
[   51.839600]  kasan_save_stack+0x3c/0x60
[   51.839989]  __kasan_record_aux_stack+0xb3/0xd0
[   51.841411]  kasan_record_aux_stack_noalloc+0xf/0x20
[   51.841992]  __call_rcu_common.constprop.0+0x4c/0x5e0
[   51.842554]  call_rcu+0x12/0x20
[   51.843206]  rcu_uaf+0xdd/0x1e0
[   51.843433]  kunit_try_run_case+0x126/0x290
[   51.843684]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   51.844195]  kthread+0x19e/0x1e0
[   51.844646]  ret_from_fork+0x41/0x70
[   51.845104]  ret_from_fork_asm+0x1b/0x30
[   51.845688] 
[   51.846025] The buggy address belongs to the object at ffff8881028429c0
[   51.846025]  which belongs to the cache kmalloc-32 of size 32
[   51.847212] The buggy address is located 0 bytes inside of
[   51.847212]  freed 32-byte region [ffff8881028429c0, ffff8881028429e0)
[   51.848309] 
[   51.848557] The buggy address belongs to the physical page:
[   51.849236] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102842
[   51.850084] flags: 0x200000000000800(slab|node=0|zone=2)
[   51.850757] page_type: 0xffffffff()
[   51.851276] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[   51.852018] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[   51.852864] page dumped because: kasan: bad access detected
[   51.853316] 
[   51.853587] Memory state around the buggy address:
[   51.854213]  ffff888102842880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   51.854831]  ffff888102842900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   51.855630] >ffff888102842980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   51.856421]                                            ^
[   51.856975]  ffff888102842a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.857791]  ffff888102842a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.858455] ==================================================================