Date
April 20, 2025, 11:09 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
rk3399-rock-pi-4b |
```
[ 23.988269] ==================================================================
[ 23.988391] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 23.990918] Read of size 8 at addr fff00000c6824080 by task kunit_try_catch/202
[ 23.991079]
[ 23.991161] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 23.991401] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.991474] Hardware name: linux,dummy-virt (DT)
[ 23.991690] Call trace:
[ 23.991758] show_stack+0x20/0x38 (C)
[ 23.991886] dump_stack_lvl+0x8c/0xd0
[ 23.992020] print_report+0x118/0x608
[ 23.992151] kasan_report+0xdc/0x128
[ 23.992360] __asan_report_load8_noabort+0x20/0x30
[ 23.992605] workqueue_uaf+0x480/0x4a8
[ 23.992850] kunit_try_run_case+0x170/0x3f0
[ 23.992998] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.993190] kthread+0x328/0x630
[ 23.993555] ret_from_fork+0x10/0x20
[ 23.993943]
[ 23.994005] Allocated by task 202:
[ 23.994173] kasan_save_stack+0x3c/0x68
[ 23.994318] kasan_save_track+0x20/0x40
[ 23.994457] kasan_save_alloc_info+0x40/0x58
[ 23.994694] __kasan_kmalloc+0xd4/0xd8
[ 23.994841] __kmalloc_cache_noprof+0x15c/0x3c0
[ 23.994964] workqueue_uaf+0x13c/0x4a8
[ 23.995064] kunit_try_run_case+0x170/0x3f0
[ 23.995156] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.995313] kthread+0x328/0x630
[ 23.995585] ret_from_fork+0x10/0x20
[ 23.995710]
[ 23.996171] Freed by task 75:
[ 23.996353] kasan_save_stack+0x3c/0x68
[ 23.996455] kasan_save_track+0x20/0x40
[ 23.996587] kasan_save_free_info+0x4c/0x78
[ 23.996706] __kasan_slab_free+0x6c/0x98
[ 23.997151] kfree+0x214/0x3c8
[ 23.997257] workqueue_uaf_work+0x18/0x30
[ 23.997413] process_one_work+0x530/0xf98
[ 23.997514] worker_thread+0x8ac/0xf28
[ 23.997602] kthread+0x328/0x630
[ 23.997704] ret_from_fork+0x10/0x20
[ 23.997962]
[ 23.998094] Last potentially related work creation:
[ 23.998275] kasan_save_stack+0x3c/0x68
[ 23.998540] kasan_record_aux_stack+0xb4/0xc8
[ 23.998831] __queue_work+0x65c/0x1010
[ 23.999313] queue_work_on+0xbc/0xf8
[ 23.999417] workqueue_uaf+0x210/0x4a8
[ 23.999572] kunit_try_run_case+0x170/0x3f0
[ 23.999967] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.000088] kthread+0x328/0x630
[ 24.000172] ret_from_fork+0x10/0x20
[ 24.000278]
[ 24.000472] The buggy address belongs to the object at fff00000c6824080
[ 24.000472]  which belongs to the cache kmalloc-32 of size 32
[ 24.001002] The buggy address is located 0 bytes inside of
[ 24.001002]  freed 32-byte region [fff00000c6824080, fff00000c68240a0)
[ 24.001356]
[ 24.001423] The buggy address belongs to the physical page:
[ 24.001527] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106824
[ 24.001878] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 24.002029] page_type: f5(slab)
[ 24.002121] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 24.002241] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 24.002334] page dumped because: kasan: bad access detected
[ 24.002410]
[ 24.002803] Memory state around the buggy address:
[ 24.003182]  fff00000c6823f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.003467]  fff00000c6824000: 00 00 00 07 fc fc fc fc 00 00 00 fc fc fc fc fc
[ 24.003714] >fff00000c6824080: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 24.003833]                    ^
[ 24.003953]  fff00000c6824100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.004127]  fff00000c6824180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.004321] ==================================================================
```
```
[ 12.081831] ==================================================================
[ 12.082344] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[ 12.082582] Read of size 8 at addr ffff888102741f00 by task kunit_try_catch/220
[ 12.082830]
[ 12.082946] CPU: 0 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 12.082989] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.083000] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.083020] Call Trace:
[ 12.083033] <TASK>
[ 12.083049] dump_stack_lvl+0x73/0xb0
[ 12.083074] print_report+0xd1/0x650
[ 12.083096] ? __virt_addr_valid+0x1db/0x2d0
[ 12.083118] ? workqueue_uaf+0x4d6/0x560
[ 12.083347] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.083375] ? workqueue_uaf+0x4d6/0x560
[ 12.083397] kasan_report+0x141/0x180
[ 12.083420] ? workqueue_uaf+0x4d6/0x560
[ 12.083446] __asan_report_load8_noabort+0x18/0x20
[ 12.083466] workqueue_uaf+0x4d6/0x560
[ 12.083535] ? __pfx_workqueue_uaf+0x10/0x10
[ 12.083560] ? __pfx_workqueue_uaf+0x10/0x10
[ 12.083585] kunit_try_run_case+0x1a5/0x480
[ 12.083608] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.083629] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.083653] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.083676] ? __kthread_parkme+0x82/0x180
[ 12.083696] ? preempt_count_sub+0x50/0x80
[ 12.083721] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.083743] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.083765] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.083787] kthread+0x337/0x6f0
[ 12.083807] ? trace_preempt_on+0x20/0xc0
[ 12.083830] ? __pfx_kthread+0x10/0x10
[ 12.083851] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.083872] ? calculate_sigpending+0x7b/0xa0
[ 12.083893] ? __pfx_kthread+0x10/0x10
[ 12.083915] ret_from_fork+0x41/0x80
[ 12.083935] ? __pfx_kthread+0x10/0x10
[ 12.083957] ret_from_fork_asm+0x1a/0x30
[ 12.083987] </TASK>
[ 12.083997]
[ 12.093944] Allocated by task 220:
[ 12.094139] kasan_save_stack+0x45/0x70
[ 12.094355] kasan_save_track+0x18/0x40
[ 12.094781] kasan_save_alloc_info+0x3b/0x50
[ 12.094995] __kasan_kmalloc+0xb7/0xc0
[ 12.095244] __kmalloc_cache_noprof+0x189/0x420
[ 12.095633] workqueue_uaf+0x152/0x560
[ 12.095828] kunit_try_run_case+0x1a5/0x480
[ 12.096036] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.096260] kthread+0x337/0x6f0
[ 12.096541] ret_from_fork+0x41/0x80
[ 12.096757] ret_from_fork_asm+0x1a/0x30
[ 12.096953]
[ 12.097045] Freed by task 9:
[ 12.097200] kasan_save_stack+0x45/0x70
[ 12.097471] kasan_save_track+0x18/0x40
[ 12.097674] kasan_save_free_info+0x3f/0x60
[ 12.097829] __kasan_slab_free+0x56/0x70
[ 12.097965] kfree+0x222/0x3f0
[ 12.098077] workqueue_uaf_work+0x12/0x20
[ 12.098267] process_one_work+0x5ee/0xf60
[ 12.098479] worker_thread+0x725/0x1320
[ 12.098849] kthread+0x337/0x6f0
[ 12.099043] ret_from_fork+0x41/0x80
[ 12.099535] ret_from_fork_asm+0x1a/0x30
[ 12.099953]
[ 12.100288] Last potentially related work creation:
[ 12.100542] kasan_save_stack+0x45/0x70
[ 12.101424] kasan_record_aux_stack+0xb2/0xc0
[ 12.101932] __queue_work+0x626/0xeb0
[ 12.102067] queue_work_on+0xb6/0xc0
[ 12.102745] workqueue_uaf+0x26d/0x560
[ 12.103320] kunit_try_run_case+0x1a5/0x480
[ 12.103913] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.104092] kthread+0x337/0x6f0
[ 12.104750] ret_from_fork+0x41/0x80
[ 12.105315] ret_from_fork_asm+0x1a/0x30
[ 12.105915]
[ 12.106015] The buggy address belongs to the object at ffff888102741f00
[ 12.106015]  which belongs to the cache kmalloc-32 of size 32
[ 12.107342] The buggy address is located 0 bytes inside of
[ 12.107342]  freed 32-byte region [ffff888102741f00, ffff888102741f20)
[ 12.108585]
[ 12.108703] The buggy address belongs to the physical page:
[ 12.108987] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102741
[ 12.109403] flags: 0x200000000000000(node=0|zone=2)
[ 12.109882] page_type: f5(slab)
[ 12.110181] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 12.110575] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 12.111100] page dumped because: kasan: bad access detected
[ 12.111665]
[ 12.111765] Memory state around the buggy address:
[ 12.112087]  ffff888102741e00: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 12.112625]  ffff888102741e80: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[ 12.112926] >ffff888102741f00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.113363]                    ^
[ 12.113664]  ffff888102741f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.113944]  ffff888102742000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.114549] ==================================================================
```
```
[ 22.046334] ==================================================================
[ 22.047316] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 22.047954] Read of size 8 at addr ffff00000fe3b940 by task kunit_try_catch/254
[ 22.048625]
[ 22.048786] CPU: 3 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 22.048829] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.048841] Hardware name: Radxa ROCK Pi 4B (DT)
[ 22.048856] Call trace:
[ 22.048867] show_stack+0x20/0x38 (C)
[ 22.048894] dump_stack_lvl+0x8c/0xd0
[ 22.048922] print_report+0x118/0x608
[ 22.048947] kasan_report+0xdc/0x128
[ 22.048971] __asan_report_load8_noabort+0x20/0x30
[ 22.049000] workqueue_uaf+0x480/0x4a8
[ 22.049028] kunit_try_run_case+0x170/0x3f0
[ 22.049058] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.049092] kthread+0x328/0x630
[ 22.049120] ret_from_fork+0x10/0x20
[ 22.049148]
[ 22.054674] Allocated by task 254:
[ 22.055005] kasan_save_stack+0x3c/0x68
[ 22.055383] kasan_save_track+0x20/0x40
[ 22.055755] kasan_save_alloc_info+0x40/0x58
[ 22.056168] __kasan_kmalloc+0xd4/0xd8
[ 22.056531] __kmalloc_cache_noprof+0x15c/0x3c0
[ 22.056972] workqueue_uaf+0x13c/0x4a8
[ 22.057341] kunit_try_run_case+0x170/0x3f0
[ 22.057748] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.058274] kthread+0x328/0x630
[ 22.058598] ret_from_fork+0x10/0x20
[ 22.058949]
[ 22.059102] Freed by task 84:
[ 22.059389] kasan_save_stack+0x3c/0x68
[ 22.059761] kasan_save_track+0x20/0x40
[ 22.060132] kasan_save_free_info+0x4c/0x78
[ 22.060536] __kasan_slab_free+0x6c/0x98
[ 22.060914] kfree+0x214/0x3c8
[ 22.061221] workqueue_uaf_work+0x18/0x30
[ 22.061613] process_one_work+0x530/0xf98
[ 22.062000] worker_thread+0x8ac/0xf28
[ 22.062364] kthread+0x328/0x630
[ 22.062686] ret_from_fork+0x10/0x20
[ 22.063036]
[ 22.063189] Last potentially related work creation:
[ 22.063639] kasan_save_stack+0x3c/0x68
[ 22.064011] kasan_record_aux_stack+0xb4/0xc8
[ 22.064431] __queue_work+0x65c/0x1010
[ 22.064795] queue_work_on+0xbc/0xf8
[ 22.065144] workqueue_uaf+0x210/0x4a8
[ 22.065512] kunit_try_run_case+0x170/0x3f0
[ 22.065920] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.066445] kthread+0x328/0x630
[ 22.066769] ret_from_fork+0x10/0x20
[ 22.067119]
[ 22.067271] The buggy address belongs to the object at ffff00000fe3b940
[ 22.067271]  which belongs to the cache kmalloc-32 of size 32
[ 22.068391] The buggy address is located 0 bytes inside of
[ 22.068391]  freed 32-byte region [ffff00000fe3b940, ffff00000fe3b960)
[ 22.069481]
[ 22.069636] The buggy address belongs to the physical page:
[ 22.070153] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfe3b
[ 22.070879] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 22.071492] page_type: f5(slab)
[ 22.071805] raw: 03fffe0000000000 ffff000000402780 dead000000000122 0000000000000000
[ 22.072521] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 22.073228] page dumped because: kasan: bad access detected
[ 22.073744]
[ 22.073896] Memory state around the buggy address:
[ 22.074345]  ffff00000fe3b800: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 22.075013]  ffff00000fe3b880: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 22.075680] >ffff00000fe3b900: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 22.076342]                                            ^
[ 22.076837]  ffff00000fe3b980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.077503]  ffff00000fe3ba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.078166] ==================================================================
```