Date
April 22, 2025, 11:09 a.m.

Environment
qemu-arm64
qemu-x86_64
rk3399-rock-pi-4b

[   18.309168] ==================================================================
[   18.309344] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   18.309487] Read of size 8 at addr fff00000c62b9ec0 by task kunit_try_catch/202
[   18.309636] 
[   18.309719] CPU: 1 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT 
[   18.309881] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.309930] Hardware name: linux,dummy-virt (DT)
[   18.309990] Call trace:
[   18.310067]  show_stack+0x20/0x38 (C)
[   18.310202]  dump_stack_lvl+0x8c/0xd0
[   18.310288]  print_report+0x118/0x608
[   18.310391]  kasan_report+0xdc/0x128
[   18.310489]  __asan_report_load8_noabort+0x20/0x30
[   18.310596]  workqueue_uaf+0x480/0x4a8
[   18.310692]  kunit_try_run_case+0x170/0x3f0
[   18.310776]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.310881]  kthread+0x328/0x630
[   18.311010]  ret_from_fork+0x10/0x20
[   18.311165] 
[   18.311222] Allocated by task 202:
[   18.311396]  kasan_save_stack+0x3c/0x68
[   18.311504]  kasan_save_track+0x20/0x40
[   18.311628]  kasan_save_alloc_info+0x40/0x58
[   18.311783]  __kasan_kmalloc+0xd4/0xd8
[   18.311916]  __kmalloc_cache_noprof+0x15c/0x3c0
[   18.312004]  workqueue_uaf+0x13c/0x4a8
[   18.312075]  kunit_try_run_case+0x170/0x3f0
[   18.312139]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.312215]  kthread+0x328/0x630
[   18.312281]  ret_from_fork+0x10/0x20
[   18.312360] 
[   18.312402] Freed by task 50:
[   18.312461]  kasan_save_stack+0x3c/0x68
[   18.312550]  kasan_save_track+0x20/0x40
[   18.312633]  kasan_save_free_info+0x4c/0x78
[   18.312715]  __kasan_slab_free+0x6c/0x98
[   18.312788]  kfree+0x214/0x3c8
[   18.312862]  workqueue_uaf_work+0x18/0x30
[   18.312940]  process_one_work+0x530/0xf98
[   18.313016]  worker_thread+0x8ac/0xf28
[   18.313090]  kthread+0x328/0x630
[   18.313165]  ret_from_fork+0x10/0x20
[   18.313246] 
[   18.313741] Last potentially related work creation:
[   18.313979]  kasan_save_stack+0x3c/0x68
[   18.314372]  kasan_record_aux_stack+0xb4/0xc8
[   18.314756]  __queue_work+0x65c/0x1010
[   18.314958]  queue_work_on+0xbc/0xf8
[   18.315250]  workqueue_uaf+0x210/0x4a8
[   18.315329]  kunit_try_run_case+0x170/0x3f0
[   18.315471]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.315645]  kthread+0x328/0x630
[   18.315783]  ret_from_fork+0x10/0x20
[   18.315989] 
[   18.316141] The buggy address belongs to the object at fff00000c62b9ec0
[   18.316141]  which belongs to the cache kmalloc-32 of size 32
[   18.316407] The buggy address is located 0 bytes inside of
[   18.316407]  freed 32-byte region [fff00000c62b9ec0, fff00000c62b9ee0)
[   18.316735] 
[   18.316791] The buggy address belongs to the physical page:
[   18.316864] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062b9
[   18.317045] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.317276] page_type: f5(slab)
[   18.317496] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   18.317783] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   18.317879] page dumped because: kasan: bad access detected
[   18.317952] 
[   18.318234] Memory state around the buggy address:
[   18.318486]  fff00000c62b9d80: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   18.318598]  fff00000c62b9e00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   18.318697] >fff00000c62b9e80: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   18.318783]                                            ^
[   18.318864]  fff00000c62b9f00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.318951]  fff00000c62b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.319391] ==================================================================

[   19.157179] ==================================================================
[   19.160160] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   19.161162] Read of size 8 at addr ffff8881031af1c0 by task kunit_try_catch/220
[   19.162262] 
[   19.162529] CPU: 0 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   19.162663] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.162701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   19.162758] Call Trace:
[   19.162807]  <TASK>
[   19.162862]  dump_stack_lvl+0x73/0xb0
[   19.162950]  print_report+0xd1/0x650
[   19.163030]  ? __virt_addr_valid+0x1db/0x2d0
[   19.163110]  ? workqueue_uaf+0x4d6/0x560
[   19.163182]  ? kasan_complete_mode_report_info+0x64/0x200
[   19.163256]  ? workqueue_uaf+0x4d6/0x560
[   19.163333]  kasan_report+0x141/0x180
[   19.163410]  ? workqueue_uaf+0x4d6/0x560
[   19.163955]  __asan_report_load8_noabort+0x18/0x20
[   19.164037]  workqueue_uaf+0x4d6/0x560
[   19.164111]  ? __pfx_workqueue_uaf+0x10/0x10
[   19.164184]  ? __schedule+0x10cc/0x2b30
[   19.164255]  ? __pfx_read_tsc+0x10/0x10
[   19.164289]  ? ktime_get_ts64+0x86/0x230
[   19.164329]  kunit_try_run_case+0x1a5/0x480
[   19.164366]  ? __pfx_kunit_try_run_case+0x10/0x10
[   19.164398]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   19.164557]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   19.164611]  ? __kthread_parkme+0x82/0x180
[   19.164646]  ? preempt_count_sub+0x50/0x80
[   19.164681]  ? __pfx_kunit_try_run_case+0x10/0x10
[   19.164715]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   19.164746]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   19.164776]  kthread+0x337/0x6f0
[   19.164806]  ? trace_preempt_on+0x20/0xc0
[   19.164841]  ? __pfx_kthread+0x10/0x10
[   19.164871]  ? _raw_spin_unlock_irq+0x47/0x80
[   19.164901]  ? calculate_sigpending+0x7b/0xa0
[   19.164930]  ? __pfx_kthread+0x10/0x10
[   19.164960]  ret_from_fork+0x41/0x80
[   19.164989]  ? __pfx_kthread+0x10/0x10
[   19.165019]  ret_from_fork_asm+0x1a/0x30
[   19.165062]  </TASK>
[   19.165076] 
[   19.183234] Allocated by task 220:
[   19.184077]  kasan_save_stack+0x45/0x70
[   19.184486]  kasan_save_track+0x18/0x40
[   19.185109]  kasan_save_alloc_info+0x3b/0x50
[   19.185622]  __kasan_kmalloc+0xb7/0xc0
[   19.186038]  __kmalloc_cache_noprof+0x189/0x420
[   19.186606]  workqueue_uaf+0x152/0x560
[   19.187047]  kunit_try_run_case+0x1a5/0x480
[   19.187598]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   19.188140]  kthread+0x337/0x6f0
[   19.188641]  ret_from_fork+0x41/0x80
[   19.189127]  ret_from_fork_asm+0x1a/0x30
[   19.189621] 
[   19.189860] Freed by task 9:
[   19.190902]  kasan_save_stack+0x45/0x70
[   19.191796]  kasan_save_track+0x18/0x40
[   19.192185]  kasan_save_free_info+0x3f/0x60
[   19.192660]  __kasan_slab_free+0x56/0x70
[   19.193055]  kfree+0x222/0x3f0
[   19.193513]  workqueue_uaf_work+0x12/0x20
[   19.193887]  process_one_work+0x5ee/0xf60
[   19.194360]  worker_thread+0x725/0x1320
[   19.194860]  kthread+0x337/0x6f0
[   19.195160]  ret_from_fork+0x41/0x80
[   19.195629]  ret_from_fork_asm+0x1a/0x30
[   19.196053] 
[   19.196289] Last potentially related work creation:
[   19.196733]  kasan_save_stack+0x45/0x70
[   19.197126]  kasan_record_aux_stack+0xb2/0xc0
[   19.197462]  __queue_work+0x626/0xeb0
[   19.197798]  queue_work_on+0xb6/0xc0
[   19.198230]  workqueue_uaf+0x26d/0x560
[   19.198884]  kunit_try_run_case+0x1a5/0x480
[   19.199599]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   19.199805]  kthread+0x337/0x6f0
[   19.199946]  ret_from_fork+0x41/0x80
[   19.200096]  ret_from_fork_asm+0x1a/0x30
[   19.200251] 
[   19.200334] The buggy address belongs to the object at ffff8881031af1c0
[   19.200334]  which belongs to the cache kmalloc-32 of size 32
[   19.201922] The buggy address is located 0 bytes inside of
[   19.201922]  freed 32-byte region [ffff8881031af1c0, ffff8881031af1e0)
[   19.203758] 
[   19.203912] The buggy address belongs to the physical page:
[   19.205017] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031af
[   19.206373] flags: 0x200000000000000(node=0|zone=2)
[   19.207381] page_type: f5(slab)
[   19.208169] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   19.209023] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   19.209692] page dumped because: kasan: bad access detected
[   19.210908] 
[   19.211122] Memory state around the buggy address:
[   19.212183]  ffff8881031af080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   19.213014]  ffff8881031af100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   19.213950] >ffff8881031af180: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   19.214957]                                            ^
[   19.215291]  ffff8881031af200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.216112]  ffff8881031af280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.216641] ==================================================================

[   20.346602] ==================================================================
[   20.347591] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   20.348237] Read of size 8 at addr ffff00000e73bac0 by task kunit_try_catch/258
[   20.348916] 
[   20.349081] CPU: 2 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT 
[   20.349129] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.349144] Hardware name: Radxa ROCK Pi 4B (DT)
[   20.349161] Call trace:
[   20.349173]  show_stack+0x20/0x38 (C)
[   20.349206]  dump_stack_lvl+0x8c/0xd0
[   20.349238]  print_report+0x118/0x608
[   20.349268]  kasan_report+0xdc/0x128
[   20.349297]  __asan_report_load8_noabort+0x20/0x30
[   20.349330]  workqueue_uaf+0x480/0x4a8
[   20.349365]  kunit_try_run_case+0x170/0x3f0
[   20.349400]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.349440]  kthread+0x328/0x630
[   20.349475]  ret_from_fork+0x10/0x20
[   20.349508] 
[   20.355054] Allocated by task 258:
[   20.355383]  kasan_save_stack+0x3c/0x68
[   20.355757]  kasan_save_track+0x20/0x40
[   20.356129]  kasan_save_alloc_info+0x40/0x58
[   20.356543]  __kasan_kmalloc+0xd4/0xd8
[   20.356906]  __kmalloc_cache_noprof+0x15c/0x3c0
[   20.357348]  workqueue_uaf+0x13c/0x4a8
[   20.357716]  kunit_try_run_case+0x170/0x3f0
[   20.358124]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.358647]  kthread+0x328/0x630
[   20.358973]  ret_from_fork+0x10/0x20
[   20.359323] 
[   20.359476] Freed by task 72:
[   20.359764]  kasan_save_stack+0x3c/0x68
[   20.360136]  kasan_save_track+0x20/0x40
[   20.360507]  kasan_save_free_info+0x4c/0x78
[   20.360911]  __kasan_slab_free+0x6c/0x98
[   20.361289]  kfree+0x214/0x3c8
[   20.361596]  workqueue_uaf_work+0x18/0x30
[   20.361988]  process_one_work+0x530/0xf98
[   20.362375]  worker_thread+0x8ac/0xf28
[   20.362738]  kthread+0x328/0x630
[   20.363061]  ret_from_fork+0x10/0x20
[   20.363411] 
[   20.363564] Last potentially related work creation:
[   20.364015]  kasan_save_stack+0x3c/0x68
[   20.364387]  kasan_record_aux_stack+0xb4/0xc8
[   20.364807]  __queue_work+0x65c/0x1010
[   20.365170]  queue_work_on+0xbc/0xf8
[   20.365518]  workqueue_uaf+0x210/0x4a8
[   20.365888]  kunit_try_run_case+0x170/0x3f0
[   20.366295]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.366821]  kthread+0x328/0x630
[   20.367143]  ret_from_fork+0x10/0x20
[   20.367494] 
[   20.367647] The buggy address belongs to the object at ffff00000e73bac0
[   20.367647]  which belongs to the cache kmalloc-32 of size 32
[   20.368766] The buggy address is located 0 bytes inside of
[   20.368766]  freed 32-byte region [ffff00000e73bac0, ffff00000e73bae0)
[   20.369857] 
[   20.370011] The buggy address belongs to the physical page:
[   20.370529] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xe73b
[   20.371254] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[   20.371867] page_type: f5(slab)
[   20.372180] raw: 03fffe0000000000 ffff000000402780 dead000000000122 0000000000000000
[   20.372897] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   20.373605] page dumped because: kasan: bad access detected
[   20.374120] 
[   20.374273] Memory state around the buggy address:
[   20.374721]  ffff00000e73b980: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   20.375388]  ffff00000e73ba00: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   20.376053] >ffff00000e73ba80: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   20.376715]                                            ^
[   20.377210]  ffff00000e73bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.377877]  ffff00000e73bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.378540] ==================================================================