Date: June 17, 2025, 3:39 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 95.999514] ==================================================================
[ 96.001030] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x30/0x50
[ 96.002222] Read of size 4 at addr ffff0000c6091200 by task swapper/0/0
[ 96.003611]
[ 96.004159] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.6.94-rc1 #1
[ 96.005403] Hardware name: linux,dummy-virt (DT)
[ 96.006264] Call trace:
[ 96.006910]  dump_backtrace+0x9c/0x128
[ 96.007536]  show_stack+0x20/0x38
[ 96.008377]  dump_stack_lvl+0x60/0xb0
[ 96.009268]  print_report+0xf8/0x5e8
[ 96.010087]  kasan_report+0xdc/0x128
[ 96.010659]  __asan_load4+0x9c/0xc0
[ 96.011037]  rcu_uaf_reclaim+0x30/0x50
[ 96.011383]  rcu_core+0x448/0xf40
[ 96.011755]  rcu_core_si+0x18/0x30
[ 96.012145]  handle_softirqs+0x240/0x680
[ 96.013486]  __do_softirq+0x1c/0x28
[ 96.014364]  ____do_softirq+0x18/0x30
[ 96.015236]  call_on_irq_stack+0x24/0x30
[ 96.016232]  do_softirq_own_stack+0x24/0x38
[ 96.017147]  irq_exit_rcu+0x110/0x160
[ 96.017919]  el1_interrupt+0x38/0x58
[ 96.018780]  el1h_64_irq_handler+0x18/0x28
[ 96.019731]  el1h_64_irq+0x64/0x68
[ 96.020521]  arch_local_irq_enable+0x4/0x8
[ 96.021402]  do_idle+0x304/0x388
[ 96.022121]  cpu_startup_entry+0x48/0x58
[ 96.022985]  rest_init+0x11c/0x128
[ 96.024059]  arch_call_rest_init+0x1c/0x28
[ 96.024984]  start_kernel+0x2d0/0x398
[ 96.025737]  __primary_switched+0xc0/0xd0
[ 96.026498]
[ 96.027014] Allocated by task 213:
[ 96.027720]  kasan_save_stack+0x3c/0x68
[ 96.028588]  kasan_set_track+0x2c/0x40
[ 96.029293]  kasan_save_alloc_info+0x24/0x38
[ 96.030155]  __kasan_kmalloc+0xd4/0xd8
[ 96.030843]  kmalloc_trace+0x68/0x130
[ 96.031465]  rcu_uaf+0x9c/0x1e0
[ 96.032407]  kunit_try_run_case+0x114/0x298
[ 96.032851]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 96.033300]  kthread+0x18c/0x1a8
[ 96.033598]  ret_from_fork+0x10/0x20
[ 96.033908]
[ 96.034076] Freed by task 0:
[ 96.034297]  kasan_save_stack+0x3c/0x68
[ 96.035901]  kasan_set_track+0x2c/0x40
[ 96.036754]  kasan_save_free_info+0x38/0x60
[ 96.037611]  __kasan_slab_free+0x100/0x170
[ 96.038429]  __kmem_cache_free+0x178/0x2c8
[ 96.039393]  kfree+0x74/0x138
[ 96.040129]  rcu_uaf_reclaim+0x28/0x50
[ 96.040919]  rcu_core+0x448/0xf40
[ 96.041620]  rcu_core_si+0x18/0x30
[ 96.042376]  handle_softirqs+0x240/0x680
[ 96.043342]  __do_softirq+0x1c/0x28
[ 96.043904]
[ 96.044449] Last potentially related work creation:
[ 96.045363]  kasan_save_stack+0x3c/0x68
[ 96.046131]  __kasan_record_aux_stack+0xb8/0xe8
[ 96.047063]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 96.048127]  __call_rcu_common.constprop.0+0x58/0x598
[ 96.049152]  call_rcu+0x18/0x30
[ 96.049876]  rcu_uaf+0xd4/0x1e0
[ 96.050611]  kunit_try_run_case+0x114/0x298
[ 96.051589]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 96.052587]  kthread+0x18c/0x1a8
[ 96.053393]  ret_from_fork+0x10/0x20
[ 96.054193]
[ 96.054915] The buggy address belongs to the object at ffff0000c6091200
[ 96.054915]  which belongs to the cache kmalloc-32 of size 32
[ 96.056158] The buggy address is located 0 bytes inside of
[ 96.056158]  freed 32-byte region [ffff0000c6091200, ffff0000c6091220)
[ 96.057635]
[ 96.058021] The buggy address belongs to the physical page:
[ 96.058961] page:0000000008bc5175 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106091
[ 96.060169] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[ 96.061167] page_type: 0xffffffff()
[ 96.062188] raw: 0bfffc0000000800 ffff0000c0001500 dead000000000122 0000000000000000
[ 96.063270] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 96.064240] page dumped because: kasan: bad access detected
[ 96.064843]
[ 96.065242] Memory state around the buggy address:
[ 96.066125]  ffff0000c6091100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 96.067447]  ffff0000c6091180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 96.068575] >ffff0000c6091200: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.069564]                    ^
[ 96.070183]  ffff0000c6091280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.071542]  ffff0000c6091300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.072467] ==================================================================
```
qemu-x86_64:

```
[ 36.374497] ==================================================================
[ 36.375236] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x27/0x40
[ 36.375659] Read of size 4 at addr ffff888102796ac0 by task swapper/1/0
[ 36.376532]
[ 36.376705] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B N 6.6.94-rc1 #1
[ 36.377121] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 36.377632] Call Trace:
[ 36.377901]  <IRQ>
[ 36.378067]  dump_stack_lvl+0x4e/0x90
[ 36.378308]  print_report+0xd2/0x650
[ 36.378569]  ? __virt_addr_valid+0x156/0x1e0
[ 36.378835]  ? rcu_uaf_reclaim+0x27/0x40
[ 36.379288]  ? kasan_complete_mode_report_info+0x64/0x200
[ 36.379685]  ? rcu_uaf_reclaim+0x27/0x40
[ 36.380076]  kasan_report+0x147/0x180
[ 36.380323]  ? rcu_uaf_reclaim+0x27/0x40
[ 36.380666]  ? __pfx_rcu_uaf_reclaim+0x10/0x10
[ 36.381015]  __asan_load4+0x85/0xb0
[ 36.381246]  rcu_uaf_reclaim+0x27/0x40
[ 36.381644]  rcu_core+0x4be/0x1020
[ 36.381920]  ? rcu_core+0x3ef/0x1020
[ 36.382176]  ? __pfx_rcu_core+0x10/0x10
[ 36.382622]  ? __pfx_read_tsc+0x10/0x10
[ 36.382939]  ? ktime_get+0x55/0xc0
[ 36.383200]  ? handle_softirqs+0x12c/0x520
[ 36.383581]  rcu_core_si+0x12/0x20
[ 36.383806]  handle_softirqs+0x195/0x520
[ 36.384089]  ? __pfx_handle_softirqs+0x10/0x10
[ 36.384393]  irq_exit_rcu+0x92/0xb0
[ 36.384712]  sysvec_apic_timer_interrupt+0x80/0xa0
[ 36.385033]  </IRQ>
[ 36.385220]  <TASK>
[ 36.385419]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 36.385932] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 36.386312] Code: 0b 90 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 03 2f 48 00 fb f4 <e9> fc 6f 01 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[ 36.387635] RSP: 0000:ffff88810082fdd8 EFLAGS: 00010216
[ 36.388125] RAX: ffff888157134340 RBX: ffff888100811f00 RCX: ffffffff92200b38
[ 36.388562] RDX: ffffed102ae26869 RSI: 0000000000000004 RDI: 00000000000758ac
[ 36.389107] RBP: ffff88810082fde0 R08: 0000000000000001 R09: ffffed102ae26868
[ 36.389496] R10: ffff888157134343 R11: ffffffff904032bb R12: 0000000000000001
[ 36.390040] R13: ffffffff93e16f90 R14: 0000000000000000 R15: ffff888100811f00
[ 36.390534]  ? ret_from_fork_asm+0x1b/0x30
[ 36.390917]  ? ct_kernel_exit.constprop.0+0xa8/0xd0
[ 36.391256]  ? default_idle+0xd/0x20
[ 36.391578]  arch_cpu_idle+0xd/0x20
[ 36.391882]  default_idle_call+0x42/0x70
[ 36.392145]  do_idle+0x2ba/0x310
[ 36.392382]  ? __pfx_do_idle+0x10/0x10
[ 36.392986]  ? schedule_idle+0x3f/0x60
[ 36.393239]  ? __schedule+0x715/0x11a0
[ 36.393644]  cpu_startup_entry+0x3c/0x40
[ 36.393976]  start_secondary+0x1ac/0x1d0
[ 36.394266]  ? __pfx_start_secondary+0x10/0x10
[ 36.394623]  secondary_startup_64_no_verify+0x178/0x17b
[ 36.395045]  </TASK>
[ 36.395228]
[ 36.395425] Allocated by task 228:
[ 36.395659]  kasan_save_stack+0x44/0x70
[ 36.395902]  kasan_set_track+0x29/0x40
[ 36.396164]  kasan_save_alloc_info+0x22/0x30
[ 36.396473]  __kasan_kmalloc+0xb7/0xc0
[ 36.396794]  kmalloc_trace+0x4c/0xb0
[ 36.397120]  rcu_uaf+0x9b/0x1e0
[ 36.397499]  kunit_try_run_case+0x120/0x290
[ 36.397812]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 36.398145]  kthread+0x19e/0x1e0
[ 36.398478]  ret_from_fork+0x41/0x70
[ 36.398703]  ret_from_fork_asm+0x1b/0x30
[ 36.399040]
[ 36.399170] Freed by task 0:
[ 36.399360]  kasan_save_stack+0x44/0x70
[ 36.399665]  kasan_set_track+0x29/0x40
[ 36.399951]  kasan_save_free_info+0x2f/0x50
[ 36.400188]  ____kasan_slab_free+0x172/0x1d0
[ 36.400463]  __kasan_slab_free+0x16/0x20
[ 36.400752]  __kmem_cache_free+0x190/0x310
[ 36.401053]  kfree+0x7c/0x120
[ 36.401258]  rcu_uaf_reclaim+0x1f/0x40
[ 36.401605]  rcu_core+0x4be/0x1020
[ 36.401901]  rcu_core_si+0x12/0x20
[ 36.402120]  handle_softirqs+0x195/0x520
[ 36.402374]  irq_exit_rcu+0x92/0xb0
[ 36.402744]  sysvec_apic_timer_interrupt+0x80/0xa0
[ 36.403123]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 36.403400]
[ 36.403555] Last potentially related work creation:
[ 36.404030]  kasan_save_stack+0x44/0x70
[ 36.404312]  __kasan_record_aux_stack+0xb3/0xd0
[ 36.404676]  kasan_record_aux_stack_noalloc+0xf/0x20
[ 36.405003]  __call_rcu_common.constprop.0+0x4c/0x5e0
[ 36.405373]  call_rcu+0x12/0x20
[ 36.405562]  rcu_uaf+0xdd/0x1e0
[ 36.405828]  kunit_try_run_case+0x120/0x290
[ 36.406100]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 36.406424]  kthread+0x19e/0x1e0
[ 36.406669]  ret_from_fork+0x41/0x70
[ 36.406931]  ret_from_fork_asm+0x1b/0x30
[ 36.407227]
[ 36.407370] The buggy address belongs to the object at ffff888102796ac0
[ 36.407370]  which belongs to the cache kmalloc-32 of size 32
[ 36.408058] The buggy address is located 0 bytes inside of
[ 36.408058]  freed 32-byte region [ffff888102796ac0, ffff888102796ae0)
[ 36.408662]
[ 36.408806] The buggy address belongs to the physical page:
[ 36.409102] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102796
[ 36.409678] flags: 0x200000000000800(slab|node=0|zone=2)
[ 36.409987] page_type: 0xffffffff()
[ 36.410254] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[ 36.410670] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 36.411034] page dumped because: kasan: bad access detected
[ 36.411450]
[ 36.411640] Memory state around the buggy address:
[ 36.411892]  ffff888102796980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 36.412324]  ffff888102796a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 36.412919] >ffff888102796a80: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 36.413273]                                            ^
[ 36.413750]  ffff888102796b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.414159]  ffff888102796b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.414570] ==================================================================
```
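Both reports tell the same story once the sections are lined up: the faulting read is in `rcu_uaf_reclaim` (+0x30 on arm64, +0x27 on x86_64), the "Freed by task 0" stack shows the same function calling `kfree` a few instructions earlier (+0x28 / +0x1f) from the RCU softirq (`rcu_core`), and "Last potentially related work creation" points at the `call_rcu` in `rcu_uaf` (the KASAN KUnit test case, visible via `kunit_try_run_case` in the allocation stack) that queued that callback. The shadow rows confirm it: the bytes at the access address are `fa fb fb fb` (freed object) followed by `fc` (redzone). On x86_64 the object sits 0x40 bytes into its shadow row, so the caret lands on the ninth byte rather than the first. The parser below, an added example that is not part of this result page, extracts those fields and runs the cross-checks a triager does by hand. The regexes and function names are mine; the meaning attached to the shadow values (`fa`/`fb`/`fc`/`fe`/`ff`) is what I recall from `mm/kasan/kasan.h` for 6.6-era generic KASAN and should be treated as an assumption; the embedded sample is an abbreviated excerpt of the qemu-arm64 report above with most frames removed.

```python
"""Parse a generic-mode KASAN report and run first-pass triage checks. Added example, not code from this
page. Shadow-byte meanings are an assumption (mm/kasan/kasan.h, v6.6, from memory); 0x01..0x07 mean only
the first N bytes of the 8-byte granule are addressable. SAMPLE is an abbreviated excerpt of the page's
qemu-arm64 report with most frames trimmed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SHADOW = {0x00: "addressable", 0xfa: "freed slab object (free-track metadata)", 0xfb: "freed slab object",
          0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+)")
_ACCESS = re.compile(r"(?:Read|Write) of size \d+ at addr (?P<addr>[0-9a-f]+) by task")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
_REGION = re.compile(r"(?P<state>freed|allocated)?\s*\d+-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
_TASK = re.compile(r"(?P<what>Allocated|Freed) by task (?P<task>\S+):")
_FRAME = re.compile(r"^(?:\? )?(?P<frame>[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)$")
_SHADOW_ROW = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
# KASAN/allocator plumbing to skip when looking for the frame that really did the free, alloc or call_rcu.
_PLUMBING = ("kasan_", "__kasan_", "____kasan_", "__asan_", "kfree", "kmalloc", "__kmalloc", "kmem_cache_", "__kmem_cache_")


@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""                 # function+offset of the bad access
    addr: int = 0
    cache: str = ""
    region: tuple[int, int] | None = None
    region_state: str = ""         # "freed" or "allocated"
    tasks: dict[str, str] = field(default_factory=dict)   # "alloc"/"free" -> task id
    stacks: dict[str, list[str]] = field(default_factory=lambda: {"alloc": [], "free": [], "aux": []})
    shadow: dict[int, int] = field(default_factory=dict)  # 8-byte granule address -> shadow byte


def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), ""
    for raw in text.splitlines():
        ln = _TS.sub("", raw).strip()                      # drop the "[   96.001030] " prefix
        if m := _HEADER.search(ln):
            rep.bug, rep.site = m["bug"], m["site"]
        elif m := _ACCESS.search(ln):
            rep.addr = int(m["addr"], 16)
        elif m := _CACHE.search(ln):
            rep.cache = m["cache"]
        elif m := _REGION.search(ln):
            rep.region, rep.region_state = (int(m["lo"], 16), int(m["hi"], 16)), m["state"] or ""
        elif m := _TASK.match(ln):
            section = "alloc" if m["what"] == "Allocated" else "free"
            rep.tasks[section] = m["task"]
        elif ln.startswith("Last potentially related work creation:"):
            section = "aux"                                # the call_rcu()/queue_work() that scheduled the free
        elif ln.startswith("Memory state around"):
            section = "shadow"
        elif section == "shadow" and (m := _SHADOW_ROW.match(ln)):
            base = int(m["base"], 16)                      # one shadow byte covers 8 bytes of memory
            for i, b in enumerate(m["bytes"].split()):
                rep.shadow[base + 8 * i] = int(b, 16)
        elif section in rep.stacks and (m := _FRAME.match(ln)):
            rep.stacks[section].append(m["frame"])
    return rep


def symbol(frame: str) -> str:
    return frame.split("+", 1)[0]


def caller(stack: list[str]) -> str | None:
    # First frame that is not plumbing: the code that actually freed/allocated/queued the object.
    return next((f for f in stack if not symbol(f).startswith(_PLUMBING)), None)


def triage(rep: KasanReport) -> dict[str, object]:
    lo, hi = rep.region or (0, 0)
    freer, sb = caller(rep.stacks["free"]), rep.shadow.get(rep.addr & ~7)
    return {
        "bug": rep.bug,
        "access_in_freed_region": rep.region_state == "freed" and lo <= rep.addr < hi,
        "offset_in_object": rep.addr - lo if rep.region else None,
        "shadow_at_access": f"partial ({sb} bytes)" if sb and sb < 8 else SHADOW.get(sb, "unknown"),
        "allocated_by": caller(rep.stacks["alloc"]),
        "freed_by": freer,
        "free_and_use_in_same_function": freer is not None and symbol(freer) == symbol(rep.site),
        "freed_in_rcu_callback": any(symbol(f) == "rcu_core" for f in rep.stacks["free"]),
        "deferred_via_call_rcu": any(symbol(f) == "call_rcu" for f in rep.stacks["aux"]),
    }


SAMPLE = """\
[   96.001030] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x30/0x50
[   96.002222] Read of size 4 at addr ffff0000c6091200 by task swapper/0/0
[   96.027014] Allocated by task 213:
[   96.030843]  kmalloc_trace+0x68/0x130
[   96.031465]  rcu_uaf+0x9c/0x1e0
[   96.034076] Freed by task 0:
[   96.039393]  kfree+0x74/0x138
[   96.040129]  rcu_uaf_reclaim+0x28/0x50
[   96.040919]  rcu_core+0x448/0xf40
[   96.044449] Last potentially related work creation:
[   96.049152]  call_rcu+0x18/0x30
[   96.049876]  rcu_uaf+0xd4/0x1e0
[   96.054915]  which belongs to the cache kmalloc-32 of size 32
[   96.056158]  freed 32-byte region [ffff0000c6091200, ffff0000c6091220)
[   96.065242] Memory state around the buggy address:
[   96.067447]  ffff0000c6091180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   96.068575] >ffff0000c6091200: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE)))
```

Feed it the full text of either report above (`parse_kasan_report(open("report.txt").read())`) and the same checks apply; the granule lookup (`addr & ~7`) is what makes the x86_64 case work, where the access address is 0x40 into its shadow row. A report where `free_and_use_in_same_function` is false, or where the freeing task and the accessing task differ, is the one that needs a real locking analysis; here every check says "callback freed the object and then read it", which is exactly what the `rcu_uaf` test is meant to provoke.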