Hay
Sign in
Date
July 9, 2025, 12:11 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   20.866236] ==================================================================
[   20.866366] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   20.866463] Read of size 1 at addr fff00000c6472000 by task kunit_try_catch/214
[   20.866518] 
[   20.866565] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   20.866653] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.866681] Hardware name: linux,dummy-virt (DT)
[   20.866714] Call trace:
[   20.866741]  show_stack+0x20/0x38 (C)
[   20.866796]  dump_stack_lvl+0x8c/0xd0
[   20.866846]  print_report+0x118/0x608
[   20.866896]  kasan_report+0xdc/0x128
[   20.866941]  __asan_report_load1_noabort+0x20/0x30
[   20.866995]  kmem_cache_rcu_uaf+0x388/0x468
[   20.867043]  kunit_try_run_case+0x170/0x3f0
[   20.867107]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.867167]  kthread+0x328/0x630
[   20.867213]  ret_from_fork+0x10/0x20
[   20.867265] 
[   20.867284] Allocated by task 214:
[   20.867318]  kasan_save_stack+0x3c/0x68
[   20.867361]  kasan_save_track+0x20/0x40
[   20.867440]  kasan_save_alloc_info+0x40/0x58
[   20.867483]  __kasan_slab_alloc+0xa8/0xb0
[   20.867522]  kmem_cache_alloc_noprof+0x10c/0x398
[   20.867573]  kmem_cache_rcu_uaf+0x12c/0x468
[   20.867790]  kunit_try_run_case+0x170/0x3f0
[   20.867842]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.868014]  kthread+0x328/0x630
[   20.868430]  ret_from_fork+0x10/0x20
[   20.869027] 
[   20.869057] Freed by task 0:
[   20.869252]  kasan_save_stack+0x3c/0x68
[   20.869341]  kasan_save_track+0x20/0x40
[   20.869610]  kasan_save_free_info+0x4c/0x78
[   20.869675]  __kasan_slab_free+0x6c/0x98
[   20.869712]  slab_free_after_rcu_debug+0xd4/0x2f8
[   20.869754]  rcu_core+0x9f4/0x1e20
[   20.870677]  rcu_core_si+0x18/0x30
[   20.871233]  handle_softirqs+0x374/0xb28
[   20.871289]  __do_softirq+0x1c/0x28
[   20.871325] 
[   20.871362] Last potentially related work creation:
[   20.871392]  kasan_save_stack+0x3c/0x68
[   20.871819]  kasan_record_aux_stack+0xb4/0xc8
[   20.872051]  kmem_cache_free+0x120/0x468
[   20.872755]  kmem_cache_rcu_uaf+0x16c/0x468
[   20.873427]  kunit_try_run_case+0x170/0x3f0
[   20.873583]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.873631]  kthread+0x328/0x630
[   20.874142]  ret_from_fork+0x10/0x20
[   20.874595] 
[   20.874619] The buggy address belongs to the object at fff00000c6472000
[   20.874619]  which belongs to the cache test_cache of size 200
[   20.875247] The buggy address is located 0 bytes inside of
[   20.875247]  freed 200-byte region [fff00000c6472000, fff00000c64720c8)
[   20.875812] 
[   20.875845] The buggy address belongs to the physical page:
[   20.876264] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106472
[   20.876607] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.877089] page_type: f5(slab)
[   20.877297] raw: 0bfffe0000000000 fff00000c471a780 dead000000000122 0000000000000000
[   20.877507] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   20.878263] page dumped because: kasan: bad access detected
[   20.878604] 
[   20.878753] Memory state around the buggy address:
[   20.878932]  fff00000c6471f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.878980]  fff00000c6471f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.879025] >fff00000c6472000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.880077]                    ^
[   20.880456]  fff00000c6472080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   20.881016]  fff00000c6472100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.881486] ==================================================================
Metadata Full log Test run details 

[   13.469115] ==================================================================
[   13.469752] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   13.470211] Read of size 1 at addr ffff888102ab6000 by task kunit_try_catch/230
[   13.470660] 
[   13.470982] CPU: 1 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.471033] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.471045] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.471067] Call Trace:
[   13.471545]  <TASK>
[   13.471574]  dump_stack_lvl+0x73/0xb0
[   13.471613]  print_report+0xd1/0x650
[   13.471637]  ? __virt_addr_valid+0x1db/0x2d0
[   13.471660]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.471683]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.471706]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.471729]  kasan_report+0x141/0x180
[   13.471750]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.471777]  __asan_report_load1_noabort+0x18/0x20
[   13.471801]  kmem_cache_rcu_uaf+0x3e3/0x510
[   13.471824]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   13.471847]  ? finish_task_switch.isra.0+0x153/0x700
[   13.471871]  ? __switch_to+0x47/0xf50
[   13.471898]  ? __pfx_read_tsc+0x10/0x10
[   13.471920]  ? ktime_get_ts64+0x86/0x230
[   13.472116]  kunit_try_run_case+0x1a5/0x480
[   13.472147]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.472170]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.472195]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.472464]  ? __kthread_parkme+0x82/0x180
[   13.472488]  ? preempt_count_sub+0x50/0x80
[   13.472512]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.472537]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.472561]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.472587]  kthread+0x337/0x6f0
[   13.472605]  ? trace_preempt_on+0x20/0xc0
[   13.472629]  ? __pfx_kthread+0x10/0x10
[   13.472650]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.472672]  ? calculate_sigpending+0x7b/0xa0
[   13.472696]  ? __pfx_kthread+0x10/0x10
[   13.472717]  ret_from_fork+0x116/0x1d0
[   13.472736]  ? __pfx_kthread+0x10/0x10
[   13.472756]  ret_from_fork_asm+0x1a/0x30
[   13.472787]  </TASK>
[   13.472798] 
[   13.484685] Allocated by task 230:
[   13.484896]  kasan_save_stack+0x45/0x70
[   13.485409]  kasan_save_track+0x18/0x40
[   13.485584]  kasan_save_alloc_info+0x3b/0x50
[   13.485970]  __kasan_slab_alloc+0x91/0xa0
[   13.486188]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.486459]  kmem_cache_rcu_uaf+0x155/0x510
[   13.486660]  kunit_try_run_case+0x1a5/0x480
[   13.486858]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.487109]  kthread+0x337/0x6f0
[   13.487354]  ret_from_fork+0x116/0x1d0
[   13.487518]  ret_from_fork_asm+0x1a/0x30
[   13.488268] 
[   13.488372] Freed by task 0:
[   13.488559]  kasan_save_stack+0x45/0x70
[   13.488794]  kasan_save_track+0x18/0x40
[   13.489357]  kasan_save_free_info+0x3f/0x60
[   13.489658]  __kasan_slab_free+0x56/0x70
[   13.489884]  slab_free_after_rcu_debug+0xe4/0x310
[   13.490275]  rcu_core+0x66f/0x1c40
[   13.490737]  rcu_core_si+0x12/0x20
[   13.490963]  handle_softirqs+0x209/0x730
[   13.491414]  __irq_exit_rcu+0xc9/0x110
[   13.491577]  irq_exit_rcu+0x12/0x20
[   13.491786]  sysvec_apic_timer_interrupt+0x81/0x90
[   13.492431]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   13.492659] 
[   13.492745] Last potentially related work creation:
[   13.493100]  kasan_save_stack+0x45/0x70
[   13.493680]  kasan_record_aux_stack+0xb2/0xc0
[   13.493854]  kmem_cache_free+0x131/0x420
[   13.494371]  kmem_cache_rcu_uaf+0x194/0x510
[   13.494583]  kunit_try_run_case+0x1a5/0x480
[   13.494921]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.495354]  kthread+0x337/0x6f0
[   13.495603]  ret_from_fork+0x116/0x1d0
[   13.495847]  ret_from_fork_asm+0x1a/0x30
[   13.496095] 
[   13.496505] The buggy address belongs to the object at ffff888102ab6000
[   13.496505]  which belongs to the cache test_cache of size 200
[   13.497351] The buggy address is located 0 bytes inside of
[   13.497351]  freed 200-byte region [ffff888102ab6000, ffff888102ab60c8)
[   13.497854] 
[   13.498180] The buggy address belongs to the physical page:
[   13.498605] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ab6
[   13.498963] flags: 0x200000000000000(node=0|zone=2)
[   13.499404] page_type: f5(slab)
[   13.499674] raw: 0200000000000000 ffff888100929b40 dead000000000122 0000000000000000
[   13.500347] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   13.500776] page dumped because: kasan: bad access detected
[   13.501030] 
[   13.501132] Memory state around the buggy address:
[   13.501630]  ffff888102ab5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.501946]  ffff888102ab5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.502576] >ffff888102ab6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.503085]                    ^
[   13.503244]  ffff888102ab6080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   13.503761]  ffff888102ab6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.504269] ==================================================================
Metadata Full log Test run details