Hay
Sign in
Date
July 20, 2025, 8:11 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   16.343114] ==================================================================
[   16.343547] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   16.343817] Read of size 1 at addr fff00000c7706000 by task kunit_try_catch/214
[   16.344171] 
[   16.344246] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.344664] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.344726] Hardware name: linux,dummy-virt (DT)
[   16.344763] Call trace:
[   16.344789]  show_stack+0x20/0x38 (C)
[   16.344846]  dump_stack_lvl+0x8c/0xd0
[   16.344955]  print_report+0x118/0x5d0
[   16.345159]  kasan_report+0xdc/0x128
[   16.345375]  __asan_report_load1_noabort+0x20/0x30
[   16.345661]  kmem_cache_rcu_uaf+0x388/0x468
[   16.346037]  kunit_try_run_case+0x170/0x3f0
[   16.346143]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.346458]  kthread+0x328/0x630
[   16.346521]  ret_from_fork+0x10/0x20
[   16.347039] 
[   16.347069] Allocated by task 214:
[   16.347116]  kasan_save_stack+0x3c/0x68
[   16.347617]  kasan_save_track+0x20/0x40
[   16.347745]  kasan_save_alloc_info+0x40/0x58
[   16.347821]  __kasan_slab_alloc+0xa8/0xb0
[   16.347886]  kmem_cache_alloc_noprof+0x10c/0x398
[   16.348122]  kmem_cache_rcu_uaf+0x12c/0x468
[   16.348507]  kunit_try_run_case+0x170/0x3f0
[   16.348704]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.348963]  kthread+0x328/0x630
[   16.349006]  ret_from_fork+0x10/0x20
[   16.349059] 
[   16.349079] Freed by task 0:
[   16.349563]  kasan_save_stack+0x3c/0x68
[   16.349839]  kasan_save_track+0x20/0x40
[   16.349908]  kasan_save_free_info+0x4c/0x78
[   16.349954]  __kasan_slab_free+0x6c/0x98
[   16.351477]  slab_free_after_rcu_debug+0xd4/0x2f8
[   16.351912]  rcu_core+0x9f4/0x1e20
[   16.352305]  rcu_core_si+0x18/0x30
[   16.352380]  handle_softirqs+0x374/0xb28
[   16.352445]  __do_softirq+0x1c/0x28
[   16.352504] 
[   16.352817] Last potentially related work creation:
[   16.353093]  kasan_save_stack+0x3c/0x68
[   16.353149]  kasan_record_aux_stack+0xb4/0xc8
[   16.353553]  kmem_cache_free+0x120/0x468
[   16.353732]  kmem_cache_rcu_uaf+0x16c/0x468
[   16.353797]  kunit_try_run_case+0x170/0x3f0
[   16.353843]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.354043]  kthread+0x328/0x630
[   16.354294]  ret_from_fork+0x10/0x20
[   16.354558] 
[   16.354631] The buggy address belongs to the object at fff00000c7706000
[   16.354631]  which belongs to the cache test_cache of size 200
[   16.354843] The buggy address is located 0 bytes inside of
[   16.354843]  freed 200-byte region [fff00000c7706000, fff00000c77060c8)
[   16.355115] 
[   16.355179] The buggy address belongs to the physical page:
[   16.355494] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107706
[   16.355596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.355837] page_type: f5(slab)
[   16.356033] raw: 0bfffe0000000000 fff00000c5bc0780 dead000000000122 0000000000000000
[   16.356299] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   16.356571] page dumped because: kasan: bad access detected
[   16.356638] 
[   16.356691] Memory state around the buggy address:
[   16.356818]  fff00000c7705f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   16.356888]  fff00000c7705f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.357029] >fff00000c7706000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.357097]                    ^
[   16.357135]  fff00000c7706080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   16.358061]  fff00000c7706100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.358238] ==================================================================
Metadata Full log Test run details 

[   13.741419] ==================================================================
[   13.741936] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   13.742311] Read of size 1 at addr ffff888103263000 by task kunit_try_catch/231
[   13.742638] 
[   13.742756] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.742806] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.742818] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.742841] Call Trace:
[   13.742855]  <TASK>
[   13.742872]  dump_stack_lvl+0x73/0xb0
[   13.742905]  print_report+0xd1/0x610
[   13.742928]  ? __virt_addr_valid+0x1db/0x2d0
[   13.742952]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.742975]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.742996]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.743503]  kasan_report+0x141/0x180
[   13.743533]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.743562]  __asan_report_load1_noabort+0x18/0x20
[   13.743586]  kmem_cache_rcu_uaf+0x3e3/0x510
[   13.743609]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   13.743632]  ? finish_task_switch.isra.0+0x153/0x700
[   13.743658]  ? __switch_to+0x47/0xf50
[   13.743689]  ? __pfx_read_tsc+0x10/0x10
[   13.743711]  ? ktime_get_ts64+0x86/0x230
[   13.743737]  kunit_try_run_case+0x1a5/0x480
[   13.743763]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.743801]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.743827]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.743851]  ? __kthread_parkme+0x82/0x180
[   13.743873]  ? preempt_count_sub+0x50/0x80
[   13.743895]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.743919]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.744195]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.744221]  kthread+0x337/0x6f0
[   13.744242]  ? trace_preempt_on+0x20/0xc0
[   13.744269]  ? __pfx_kthread+0x10/0x10
[   13.744290]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.744313]  ? calculate_sigpending+0x7b/0xa0
[   13.744339]  ? __pfx_kthread+0x10/0x10
[   13.744360]  ret_from_fork+0x116/0x1d0
[   13.744380]  ? __pfx_kthread+0x10/0x10
[   13.744402]  ret_from_fork_asm+0x1a/0x30
[   13.744433]  </TASK>
[   13.744445] 
[   13.754352] Allocated by task 231:
[   13.754569]  kasan_save_stack+0x45/0x70
[   13.754780]  kasan_save_track+0x18/0x40
[   13.755385]  kasan_save_alloc_info+0x3b/0x50
[   13.755579]  __kasan_slab_alloc+0x91/0xa0
[   13.755883]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.756281]  kmem_cache_rcu_uaf+0x155/0x510
[   13.756510]  kunit_try_run_case+0x1a5/0x480
[   13.756709]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.757282]  kthread+0x337/0x6f0
[   13.757422]  ret_from_fork+0x116/0x1d0
[   13.757716]  ret_from_fork_asm+0x1a/0x30
[   13.757927] 
[   13.758004] Freed by task 0:
[   13.758176]  kasan_save_stack+0x45/0x70
[   13.758484]  kasan_save_track+0x18/0x40
[   13.758634]  kasan_save_free_info+0x3f/0x60
[   13.758881]  __kasan_slab_free+0x56/0x70
[   13.759437]  slab_free_after_rcu_debug+0xe4/0x310
[   13.759751]  rcu_core+0x66f/0x1c40
[   13.759916]  rcu_core_si+0x12/0x20
[   13.760455]  handle_softirqs+0x209/0x730
[   13.760679]  __irq_exit_rcu+0xc9/0x110
[   13.760825]  irq_exit_rcu+0x12/0x20
[   13.761013]  sysvec_apic_timer_interrupt+0x81/0x90
[   13.761526]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   13.761831] 
[   13.761917] Last potentially related work creation:
[   13.762252]  kasan_save_stack+0x45/0x70
[   13.762438]  kasan_record_aux_stack+0xb2/0xc0
[   13.762650]  kmem_cache_free+0x131/0x420
[   13.763120]  kmem_cache_rcu_uaf+0x194/0x510
[   13.763339]  kunit_try_run_case+0x1a5/0x480
[   13.763554]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.763964]  kthread+0x337/0x6f0
[   13.764171]  ret_from_fork+0x116/0x1d0
[   13.764405]  ret_from_fork_asm+0x1a/0x30
[   13.764629] 
[   13.764723] The buggy address belongs to the object at ffff888103263000
[   13.764723]  which belongs to the cache test_cache of size 200
[   13.765518] The buggy address is located 0 bytes inside of
[   13.765518]  freed 200-byte region [ffff888103263000, ffff8881032630c8)
[   13.766369] 
[   13.766491] The buggy address belongs to the physical page:
[   13.766897] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103263
[   13.767292] flags: 0x200000000000000(node=0|zone=2)
[   13.767558] page_type: f5(slab)
[   13.767701] raw: 0200000000000000 ffff888103260000 dead000000000122 0000000000000000
[   13.768054] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   13.768444] page dumped because: kasan: bad access detected
[   13.768673] 
[   13.768771] Memory state around the buggy address:
[   13.768988]  ffff888103262f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.769294]  ffff888103262f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.769625] >ffff888103263000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.770112]                    ^
[   13.770328]  ffff888103263080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   13.770563]  ffff888103263100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.770937] ==================================================================
Metadata Full log Test run details