Date: April 20, 2025, 11:09 p.m.
| Environment |
|---|
| x15 |
| x86 |
x15 (Generic DRA74X) log:

```
[   59.915161] ==================================================================
[   59.925415] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x580/0x5b8
[   59.932159] Read of size 4 at addr cc22cc00 by task kunit_try_catch/256
[   59.938842] 
[   59.940338] CPU: 1 UID: 0 PID: 256 Comm: kunit_try_catch Tainted: G B W N 6.15.0-rc3 #1 NONE
[   59.940368] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   59.940368] Hardware name: Generic DRA74X (Flattened Device Tree)
[   59.940399] Call trace:
[   59.940399]  unwind_backtrace from show_stack+0x18/0x1c
[   59.940429]  show_stack from dump_stack_lvl+0x70/0x90
[   59.940460]  dump_stack_lvl from print_report+0x158/0x528
[   59.940460]  print_report from kasan_report+0xdc/0x118
[   59.940490]  kasan_report from workqueue_uaf+0x580/0x5b8
[   59.940521]  workqueue_uaf from kunit_try_run_case+0x22c/0x5a8
[   59.940551]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   59.940582]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   59.940582]  kthread from ret_from_fork+0x14/0x20
[   59.940612] Exception stack(0xf2513fb0 to 0xf2513ff8)
[   59.940643] 3fa0:                                     00000000 00000000 00000000 00000000
[   59.940643] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   59.940673] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   59.940673] 
[   60.044860] Allocated by task 256:
[   60.048278]  kasan_save_track+0x30/0x5c
[   60.052154]  __kasan_kmalloc+0x8c/0x94
[   60.055938]  workqueue_uaf+0x184/0x5b8
[   60.059722]  kunit_try_run_case+0x22c/0x5a8
[   60.063934]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   60.069458]  kthread+0x464/0x810
[   60.072723]  ret_from_fork+0x14/0x20
[   60.076324] 
[   60.077819] Freed by task 80:
[   60.080810]  kasan_save_track+0x30/0x5c
[   60.084686]  kasan_save_free_info+0x3c/0x48
[   60.088897]  __kasan_slab_free+0x40/0x50
[   60.092864]  kfree+0xe8/0x384
[   60.095855]  process_one_work+0x7dc/0x1304
[   60.099975]  worker_thread+0xb98/0x1658
[   60.103851]  kthread+0x464/0x810
[   60.107116]  ret_from_fork+0x14/0x20
[   60.110717] 
[   60.112213] Last potentially related work creation:
[   60.117126]  kasan_save_stack+0x30/0x4c
[   60.121002]  kasan_record_aux_stack+0x80/0x88
[   60.125396]  __queue_work+0x878/0x1780
[   60.129150]  queue_work_on+0xbc/0xc0
[   60.132781]  workqueue_uaf+0x2e4/0x5b8
[   60.136535]  kunit_try_run_case+0x22c/0x5a8
[   60.140777]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   60.146301]  kthread+0x464/0x810
[   60.149536]  ret_from_fork+0x14/0x20
[   60.153167] 
[   60.154663] The buggy address belongs to the object at cc22cc00
[   60.154663]  which belongs to the cache kmalloc-64 of size 64
[   60.166381] The buggy address is located 0 bytes inside of
[   60.166381]  freed 64-byte region [cc22cc00, cc22cc40)
[   60.177062] 
[   60.178558] The buggy address belongs to the physical page:
[   60.184173] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c22c
[   60.191436] flags: 0x0(zone=0)
[   60.194519] page_type: f5(slab)
[   60.197692] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[   60.205841] raw: 00000000
[   60.208496] page dumped because: kasan: bad access detected
[   60.214080] 
[   60.215576] Memory state around the buggy address:
[   60.220428]  cc22cb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   60.226989]  cc22cb80: 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc fc
[   60.233551] >cc22cc00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   60.240142]            ^
[   60.242675]  cc22cc80: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.249267]  cc22cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.255828] ==================================================================
```
x86 (Supermicro SYS-5019S-ML/X11SSH-F) log:

```
[   32.025420] ==================================================================
[   32.035614] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   32.042330] Read of size 8 at addr ffff888105bf9a00 by task kunit_try_catch/243
[   32.049635] 
[   32.051137] CPU: 0 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[   32.051146] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.051148] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   32.051152] Call Trace:
[   32.051154]  <TASK>
[   32.051156]  dump_stack_lvl+0x73/0xb0
[   32.051161]  print_report+0xd1/0x650
[   32.051165]  ? __virt_addr_valid+0x1db/0x2d0
[   32.051170]  ? workqueue_uaf+0x4d6/0x560
[   32.051174]  ? kasan_complete_mode_report_info+0x64/0x200
[   32.051178]  ? workqueue_uaf+0x4d6/0x560
[   32.051182]  kasan_report+0x141/0x180
[   32.051186]  ? workqueue_uaf+0x4d6/0x560
[   32.051191]  __asan_report_load8_noabort+0x18/0x20
[   32.051195]  workqueue_uaf+0x4d6/0x560
[   32.051199]  ? __pfx_workqueue_uaf+0x10/0x10
[   32.051203]  ? __schedule+0x10cc/0x2b30
[   32.051208]  ? ktime_get_ts64+0x83/0x230
[   32.051214]  kunit_try_run_case+0x1a2/0x480
[   32.051219]  ? __pfx_kunit_try_run_case+0x10/0x10
[   32.051223]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   32.051227]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   32.051232]  ? __kthread_parkme+0x82/0x180
[   32.051236]  ? preempt_count_sub+0x50/0x80
[   32.051241]  ? __pfx_kunit_try_run_case+0x10/0x10
[   32.051245]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   32.051250]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   32.051253]  kthread+0x334/0x6f0
[   32.051258]  ? trace_preempt_on+0x20/0xc0
[   32.051262]  ? __pfx_kthread+0x10/0x10
[   32.051267]  ? _raw_spin_unlock_irq+0x47/0x80
[   32.051271]  ? calculate_sigpending+0x7b/0xa0
[   32.051275]  ? __pfx_kthread+0x10/0x10
[   32.051279]  ret_from_fork+0x3e/0x80
[   32.051284]  ? __pfx_kthread+0x10/0x10
[   32.051288]  ret_from_fork_asm+0x1a/0x30
[   32.051294]  </TASK>
[   32.051296] 
[   32.212474] Allocated by task 243:
[   32.215881]  kasan_save_stack+0x45/0x70
[   32.219755]  kasan_save_track+0x18/0x40
[   32.223593]  kasan_save_alloc_info+0x3b/0x50
[   32.227867]  __kasan_kmalloc+0xb7/0xc0
[   32.231619]  __kmalloc_cache_noprof+0x189/0x420
[   32.236151]  workqueue_uaf+0x152/0x560
[   32.239902]  kunit_try_run_case+0x1a2/0x480
[   32.244091]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   32.249490]  kthread+0x334/0x6f0
[   32.252749]  ret_from_fork+0x3e/0x80
[   32.256336]  ret_from_fork_asm+0x1a/0x30
[   32.260271] 
[   32.261769] Freed by task 10:
[   32.264762]  kasan_save_stack+0x45/0x70
[   32.268607]  kasan_save_track+0x18/0x40
[   32.272447]  kasan_save_free_info+0x3f/0x60
[   32.276631]  __kasan_slab_free+0x56/0x70
[   32.280558]  kfree+0x222/0x3f0
[   32.283617]  workqueue_uaf_work+0x12/0x20
[   32.287630]  process_one_work+0x5eb/0xf60
[   32.291651]  worker_thread+0x725/0x1320
[   32.295524]  kthread+0x334/0x6f0
[   32.298763]  ret_from_fork+0x3e/0x80
[   32.302343]  ret_from_fork_asm+0x1a/0x30
[   32.306269] 
[   32.307767] Last potentially related work creation:
[   32.312649]  kasan_save_stack+0x45/0x70
[   32.316487]  kasan_record_aux_stack+0xb2/0xc0
[   32.320846]  __queue_work+0x626/0xeb0
[   32.324513]  queue_work_on+0xb6/0xc0
[   32.328093]  workqueue_uaf+0x26d/0x560
[   32.331843]  kunit_try_run_case+0x1a2/0x480
[   32.336029]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   32.341430]  kthread+0x334/0x6f0
[   32.344660]  ret_from_fork+0x3e/0x80
[   32.348268]  ret_from_fork_asm+0x1a/0x30
[   32.352192] 
[   32.353702] The buggy address belongs to the object at ffff888105bf9a00
[   32.353702]  which belongs to the cache kmalloc-32 of size 32
[   32.366086] The buggy address is located 0 bytes inside of
[   32.366086]  freed 32-byte region [ffff888105bf9a00, ffff888105bf9a20)
[   32.378080] 
[   32.379578] The buggy address belongs to the physical page:
[   32.385150] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bf9
[   32.393150] flags: 0x200000000000000(node=0|zone=2)
[   32.398029] page_type: f5(slab)
[   32.401175] raw: 0200000000000000 ffff888100042780 dead000000000122 0000000000000000
[   32.408913] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   32.416653] page dumped because: kasan: bad access detected
[   32.422260] 
[   32.423761] Memory state around the buggy address:
[   32.428552]  ffff888105bf9900: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   32.435769]  ffff888105bf9980: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   32.442988] >ffff888105bf9a00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   32.450209]                    ^
[   32.453442]  ffff888105bf9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.460698]  ffff888105bf9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.467964] ==================================================================
```