Date
July 23, 2025, 2:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 15.924341] ================================================================== [ 15.924478] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 15.924551] Read of size 4 at addr fff00000c3f93580 by task swapper/1/0 [ 15.924602] [ 15.924642] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 15.924725] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.924753] Hardware name: linux,dummy-virt (DT) [ 15.924785] Call trace: [ 15.924808] show_stack+0x20/0x38 (C) [ 15.925466] dump_stack_lvl+0x8c/0xd0 [ 15.925524] print_report+0x118/0x5d0 [ 15.925579] kasan_report+0xdc/0x128 [ 15.925684] __asan_report_load4_noabort+0x20/0x30 [ 15.925784] rcu_uaf_reclaim+0x64/0x70 [ 15.925999] rcu_core+0x9f4/0x1e20 [ 15.926055] rcu_core_si+0x18/0x30 [ 15.926146] handle_softirqs+0x374/0xb28 [ 15.926235] __do_softirq+0x1c/0x28 [ 15.926281] ____do_softirq+0x18/0x30 [ 15.926326] call_on_irq_stack+0x24/0x30 [ 15.926373] do_softirq_own_stack+0x24/0x38 [ 15.926418] __irq_exit_rcu+0x1fc/0x318 [ 15.926473] irq_exit_rcu+0x1c/0x80 [ 15.926517] el1_interrupt+0x38/0x58 [ 15.926572] el1h_64_irq_handler+0x18/0x28 [ 15.926722] el1h_64_irq+0x6c/0x70 [ 15.926819] arch_local_irq_enable+0x4/0x8 (P) [ 15.926935] do_idle+0x384/0x4e8 [ 15.926995] cpu_startup_entry+0x68/0x80 [ 15.927040] secondary_start_kernel+0x288/0x340 [ 15.927087] __secondary_switched+0xc0/0xc8 [ 15.927142] [ 15.927187] Allocated by task 198: [ 15.927218] kasan_save_stack+0x3c/0x68 [ 15.927294] kasan_save_track+0x20/0x40 [ 15.927334] kasan_save_alloc_info+0x40/0x58 [ 15.927377] __kasan_kmalloc+0xd4/0xd8 [ 15.927413] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.927453] rcu_uaf+0xb0/0x2d8 [ 15.927496] kunit_try_run_case+0x170/0x3f0 [ 15.927653] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.927699] kthread+0x328/0x630 [ 15.927861] ret_from_fork+0x10/0x20 [ 15.927900] [ 15.927988] Freed by task 0: [ 15.928016] kasan_save_stack+0x3c/0x68 [ 15.928055] kasan_save_track+0x20/0x40 [ 15.928092] kasan_save_free_info+0x4c/0x78 [ 15.928141] __kasan_slab_free+0x6c/0x98 [ 15.928179] kfree+0x214/0x3c8 [ 15.928213] rcu_uaf_reclaim+0x28/0x70 [ 15.928397] rcu_core+0x9f4/0x1e20 [ 15.928435] rcu_core_si+0x18/0x30 [ 15.928471] handle_softirqs+0x374/0xb28 [ 15.928508] __do_softirq+0x1c/0x28 [ 15.928570] [ 15.928683] Last potentially related work creation: [ 15.928719] kasan_save_stack+0x3c/0x68 [ 15.928767] kasan_record_aux_stack+0xb4/0xc8 [ 15.928832] __call_rcu_common.constprop.0+0x74/0x8c8 [ 15.928885] call_rcu+0x18/0x30 [ 15.928919] rcu_uaf+0x14c/0x2d8 [ 15.929037] kunit_try_run_case+0x170/0x3f0 [ 15.929083] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.929127] kthread+0x328/0x630 [ 15.929207] ret_from_fork+0x10/0x20 [ 15.929405] [ 15.929546] The buggy address belongs to the object at fff00000c3f93580 [ 15.929546] which belongs to the cache kmalloc-32 of size 32 [ 15.929686] The buggy address is located 0 bytes inside of [ 15.929686] freed 32-byte region [fff00000c3f93580, fff00000c3f935a0) [ 15.929779] [ 15.929894] The buggy address belongs to the physical page: [ 15.929931] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f93 [ 15.929996] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 15.930246] page_type: f5(slab) [ 15.930357] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 15.930480] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 15.930876] page dumped because: kasan: bad access detected [ 15.931002] [ 15.931023] Memory state around the buggy address: [ 15.931108] fff00000c3f93480: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 15.931363] fff00000c3f93500: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 15.931516] >fff00000c3f93580: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 15.931644] ^ [ 15.931675] fff00000c3f93600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.932402] fff00000c3f93680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.932632] ==================================================================
[ 13.153331] ================================================================== [ 13.154536] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x50/0x60 [ 13.155025] Read of size 4 at addr ffff888102b05b00 by task swapper/0/0 [ 13.155532] [ 13.155877] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 13.155924] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.155936] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.155958] Call Trace: [ 13.156081] <IRQ> [ 13.156103] dump_stack_lvl+0x73/0xb0 [ 13.156137] print_report+0xd1/0x610 [ 13.156160] ? __virt_addr_valid+0x1db/0x2d0 [ 13.156184] ? rcu_uaf_reclaim+0x50/0x60 [ 13.156203] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.156225] ? rcu_uaf_reclaim+0x50/0x60 [ 13.156245] kasan_report+0x141/0x180 [ 13.156267] ? rcu_uaf_reclaim+0x50/0x60 [ 13.156291] __asan_report_load4_noabort+0x18/0x20 [ 13.156315] rcu_uaf_reclaim+0x50/0x60 [ 13.156335] rcu_core+0x66f/0x1c40 [ 13.156364] ? __pfx_rcu_core+0x10/0x10 [ 13.156385] ? ktime_get+0x6b/0x150 [ 13.156407] ? handle_softirqs+0x18e/0x730 [ 13.156433] rcu_core_si+0x12/0x20 [ 13.156455] handle_softirqs+0x209/0x730 [ 13.156475] ? hrtimer_interrupt+0x2fe/0x780 [ 13.156497] ? __pfx_handle_softirqs+0x10/0x10 [ 13.156524] __irq_exit_rcu+0xc9/0x110 [ 13.156544] irq_exit_rcu+0x12/0x20 [ 13.156563] sysvec_apic_timer_interrupt+0x81/0x90 [ 13.156588] </IRQ> [ 13.156614] <TASK> [ 13.156625] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 13.156719] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 13.156956] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 23 52 21 00 fb f4 <e9> 3c 1d 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 [ 13.157039] RSP: 0000:ffffffff92607dd8 EFLAGS: 00010216 [ 13.157125] RAX: ffff8881c7672000 RBX: ffffffff9261cac0 RCX: ffffffff91477125 [ 13.157170] RDX: ffffed102b60618b RSI: 0000000000000004 RDI: 00000000000159cc [ 13.157213] RBP: ffffffff92607de0 R08: 0000000000000001 R09: ffffed102b60618a [ 13.157255] R10: ffff88815b030c53 R11: 0000000000011400 R12: 0000000000000000 [ 13.157298] R13: fffffbfff24c3958 R14: ffffffff931b1a90 R15: 0000000000000000 [ 13.157358] ? ct_kernel_exit.constprop.0+0xa5/0xd0 [ 13.157411] ? default_idle+0xd/0x20 [ 13.157430] arch_cpu_idle+0xd/0x20 [ 13.157447] default_idle_call+0x48/0x80 [ 13.157466] do_idle+0x379/0x4f0 [ 13.157491] ? __pfx_do_idle+0x10/0x10 [ 13.157512] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.157534] ? trace_preempt_on+0x20/0xc0 [ 13.157555] ? schedule+0x86/0x2e0 [ 13.157575] ? preempt_count_sub+0x50/0x80 [ 13.157598] cpu_startup_entry+0x5c/0x70 [ 13.157617] rest_init+0x11a/0x140 [ 13.157635] ? acpi_subsystem_init+0x5d/0x150 [ 13.157660] start_kernel+0x330/0x410 [ 13.157681] x86_64_start_reservations+0x1c/0x30 [ 13.157701] x86_64_start_kernel+0x10d/0x120 [ 13.157722] common_startup_64+0x13e/0x148 [ 13.157755] </TASK> [ 13.157765] [ 13.173082] Allocated by task 215: [ 13.173272] kasan_save_stack+0x45/0x70 [ 13.173449] kasan_save_track+0x18/0x40 [ 13.173587] kasan_save_alloc_info+0x3b/0x50 [ 13.173737] __kasan_kmalloc+0xb7/0xc0 [ 13.173964] __kmalloc_cache_noprof+0x189/0x420 [ 13.174311] rcu_uaf+0xb0/0x330 [ 13.174491] kunit_try_run_case+0x1a5/0x480 [ 13.174717] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.174981] kthread+0x337/0x6f0 [ 13.175260] ret_from_fork+0x116/0x1d0 [ 13.175429] ret_from_fork_asm+0x1a/0x30 [ 13.175650] [ 13.175723] Freed by task 0: [ 13.175874] kasan_save_stack+0x45/0x70 [ 13.176140] kasan_save_track+0x18/0x40 [ 13.176450] kasan_save_free_info+0x3f/0x60 [ 13.176648] __kasan_slab_free+0x56/0x70 [ 13.176883] kfree+0x222/0x3f0 [ 13.177018] rcu_uaf_reclaim+0x1f/0x60 [ 13.177312] rcu_core+0x66f/0x1c40 [ 13.177499] rcu_core_si+0x12/0x20 [ 13.177657] handle_softirqs+0x209/0x730 [ 13.177868] __irq_exit_rcu+0xc9/0x110 [ 13.178052] irq_exit_rcu+0x12/0x20 [ 13.178285] sysvec_apic_timer_interrupt+0x81/0x90 [ 13.178454] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 13.178624] [ 13.178740] Last potentially related work creation: [ 13.179034] kasan_save_stack+0x45/0x70 [ 13.179375] kasan_record_aux_stack+0xb2/0xc0 [ 13.179595] __call_rcu_common.constprop.0+0x7b/0x9e0 [ 13.179831] call_rcu+0x12/0x20 [ 13.179996] rcu_uaf+0x168/0x330 [ 13.180257] kunit_try_run_case+0x1a5/0x480 [ 13.180442] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.180718] kthread+0x337/0x6f0 [ 13.180918] ret_from_fork+0x116/0x1d0 [ 13.181100] ret_from_fork_asm+0x1a/0x30 [ 13.181456] [ 13.181573] The buggy address belongs to the object at ffff888102b05b00 [ 13.181573] which belongs to the cache kmalloc-32 of size 32 [ 13.182095] The buggy address is located 0 bytes inside of [ 13.182095] freed 32-byte region [ffff888102b05b00, ffff888102b05b20) [ 13.182684] [ 13.182787] The buggy address belongs to the physical page: [ 13.182992] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b05 [ 13.183318] flags: 0x200000000000000(node=0|zone=2) [ 13.183558] page_type: f5(slab) [ 13.183740] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 13.184117] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 13.184524] page dumped because: kasan: bad access detected [ 13.184820] [ 13.184913] Memory state around the buggy address: [ 13.185069] ffff888102b05a00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 13.185467] ffff888102b05a80: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 13.185795] >ffff888102b05b00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 13.186171] ^ [ 13.186428] ffff888102b05b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.186741] ffff888102b05c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.187050] ==================================================================