Hay
Date
May 23, 2025, 11:07 p.m.

Environment
qemu-arm64
qemu-x86_64

Triage note: both KASAN reports below are the expected output of the KASAN KUnit self-test `workqueue_uaf` on 6.15.0-rc7, not a kernel defect. The faulting function is `workqueue_uaf` itself, running under `kunit_try_catch` / `kunit_try_run_case`; the freeing stack is the test's own `workqueue_uaf_work` callback executed by a workqueue worker (task 9); the "last potentially related work creation" stack is the test's `queue_work_on` call; and the kernel is tainted `[N]=TEST`. The splat therefore confirms that KASAN catches an 8-byte read at offset 0 of a freed kmalloc-32 object on both arm64 and x86_64, and should not be filed as a bug against the workqueue subsystem. A genuinely unexpected slab-use-after-free would lack the TEST taint and would show a non-KUnit caller in the "Allocated by" / "Freed by" stacks.

[   28.281011] ==================================================================
[   28.281417] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   28.281798] Read of size 8 at addr fff00000c7775200 by task kunit_try_catch/202
[   28.282212] 
[   28.282466] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7 #1 PREEMPT 
[   28.282874] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.282962] Hardware name: linux,dummy-virt (DT)
[   28.283060] Call trace:
[   28.283209]  show_stack+0x20/0x38 (C)
[   28.283517]  dump_stack_lvl+0x8c/0xd0
[   28.283966]  print_report+0x118/0x608
[   28.284155]  kasan_report+0xdc/0x128
[   28.284301]  __asan_report_load8_noabort+0x20/0x30
[   28.284468]  workqueue_uaf+0x480/0x4a8
[   28.284613]  kunit_try_run_case+0x170/0x3f0
[   28.284882]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.285150]  kthread+0x328/0x630
[   28.285539]  ret_from_fork+0x10/0x20
[   28.286462] 
[   28.286533] Allocated by task 202:
[   28.286638]  kasan_save_stack+0x3c/0x68
[   28.286769]  kasan_save_track+0x20/0x40
[   28.286869]  kasan_save_alloc_info+0x40/0x58
[   28.287074]  __kasan_kmalloc+0xd4/0xd8
[   28.287246]  __kmalloc_cache_noprof+0x15c/0x3c0
[   28.287462]  workqueue_uaf+0x13c/0x4a8
[   28.287637]  kunit_try_run_case+0x170/0x3f0
[   28.287778]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.287930]  kthread+0x328/0x630
[   28.288239]  ret_from_fork+0x10/0x20
[   28.288443] 
[   28.288556] Freed by task 9:
[   28.288667]  kasan_save_stack+0x3c/0x68
[   28.288851]  kasan_save_track+0x20/0x40
[   28.289021]  kasan_save_free_info+0x4c/0x78
[   28.289143]  __kasan_slab_free+0x6c/0x98
[   28.289765]  kfree+0x214/0x3c8
[   28.289894]  workqueue_uaf_work+0x18/0x30
[   28.290080]  process_one_work+0x530/0xf98
[   28.290189]  worker_thread+0x8ac/0xf28
[   28.290490]  kthread+0x328/0x630
[   28.290607]  ret_from_fork+0x10/0x20
[   28.290716] 
[   28.290771] Last potentially related work creation:
[   28.290852]  kasan_save_stack+0x3c/0x68
[   28.290997]  kasan_record_aux_stack+0xb4/0xc8
[   28.291155]  __queue_work+0x65c/0x1010
[   28.291300]  queue_work_on+0xbc/0xf8
[   28.291586]  workqueue_uaf+0x210/0x4a8
[   28.291833]  kunit_try_run_case+0x170/0x3f0
[   28.292046]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.292400]  kthread+0x328/0x630
[   28.292548]  ret_from_fork+0x10/0x20
[   28.293236] 
[   28.293396] The buggy address belongs to the object at fff00000c7775200
[   28.293396]  which belongs to the cache kmalloc-32 of size 32
[   28.294135] The buggy address is located 0 bytes inside of
[   28.294135]  freed 32-byte region [fff00000c7775200, fff00000c7775220)
[   28.294574] 
[   28.294683] The buggy address belongs to the physical page:
[   28.295242] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107775
[   28.295658] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.296053] page_type: f5(slab)
[   28.296665] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   28.297097] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   28.297561] page dumped because: kasan: bad access detected
[   28.298114] 
[   28.298460] Memory state around the buggy address:
[   28.298907]  fff00000c7775100: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   28.299104]  fff00000c7775180: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   28.300381] >fff00000c7775200: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   28.300893]                    ^
[   28.300994]  fff00000c7775280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.301547]  fff00000c7775300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.301681] ==================================================================

[   13.242931] ==================================================================
[   13.243925] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   13.244412] Read of size 8 at addr ffff888102705100 by task kunit_try_catch/219
[   13.245144] 
[   13.245464] CPU: 0 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7 #1 PREEMPT(voluntary) 
[   13.245519] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.245532] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.245554] Call Trace:
[   13.245699]  <TASK>
[   13.245722]  dump_stack_lvl+0x73/0xb0
[   13.245767]  print_report+0xd1/0x650
[   13.245789]  ? __virt_addr_valid+0x1db/0x2d0
[   13.245810]  ? workqueue_uaf+0x4d6/0x560
[   13.245831]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.245885]  ? workqueue_uaf+0x4d6/0x560
[   13.245906]  kasan_report+0x141/0x180
[   13.245928]  ? workqueue_uaf+0x4d6/0x560
[   13.245954]  __asan_report_load8_noabort+0x18/0x20
[   13.245974]  workqueue_uaf+0x4d6/0x560
[   13.245996]  ? __pfx_workqueue_uaf+0x10/0x10
[   13.246019]  ? __schedule+0x10cc/0x2b30
[   13.246040]  ? __pfx_read_tsc+0x10/0x10
[   13.246060]  ? ktime_get_ts64+0x86/0x230
[   13.246085]  kunit_try_run_case+0x1a5/0x480
[   13.246108]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.246129]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.246152]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.246174]  ? __kthread_parkme+0x82/0x180
[   13.246195]  ? preempt_count_sub+0x50/0x80
[   13.246220]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.246242]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.246264]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.246286]  kthread+0x337/0x6f0
[   13.246312]  ? trace_preempt_on+0x20/0xc0
[   13.246335]  ? __pfx_kthread+0x10/0x10
[   13.246352]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.246372]  ? calculate_sigpending+0x7b/0xa0
[   13.246393]  ? __pfx_kthread+0x10/0x10
[   13.246411]  ret_from_fork+0x41/0x80
[   13.246430]  ? __pfx_kthread+0x10/0x10
[   13.246448]  ret_from_fork_asm+0x1a/0x30
[   13.246479]  </TASK>
[   13.246491] 
[   13.255705] Allocated by task 219:
[   13.256129]  kasan_save_stack+0x45/0x70
[   13.256453]  kasan_save_track+0x18/0x40
[   13.256715]  kasan_save_alloc_info+0x3b/0x50
[   13.257029]  __kasan_kmalloc+0xb7/0xc0
[   13.257171]  __kmalloc_cache_noprof+0x189/0x420
[   13.257463]  workqueue_uaf+0x152/0x560
[   13.257670]  kunit_try_run_case+0x1a5/0x480
[   13.258570]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.258839]  kthread+0x337/0x6f0
[   13.259185]  ret_from_fork+0x41/0x80
[   13.259423]  ret_from_fork_asm+0x1a/0x30
[   13.259623] 
[   13.259720] Freed by task 9:
[   13.260083]  kasan_save_stack+0x45/0x70
[   13.260276]  kasan_save_track+0x18/0x40
[   13.260450]  kasan_save_free_info+0x3f/0x60
[   13.260916]  __kasan_slab_free+0x56/0x70
[   13.261244]  kfree+0x222/0x3f0
[   13.261446]  workqueue_uaf_work+0x12/0x20
[   13.261984]  process_one_work+0x5ee/0xf60
[   13.262306]  worker_thread+0x758/0x1220
[   13.262712]  kthread+0x337/0x6f0
[   13.262930]  ret_from_fork+0x41/0x80
[   13.263117]  ret_from_fork_asm+0x1a/0x30
[   13.263320] 
[   13.263403] Last potentially related work creation:
[   13.263867]  kasan_save_stack+0x45/0x70
[   13.264030]  kasan_record_aux_stack+0xb2/0xc0
[   13.264389]  __queue_work+0x626/0xeb0
[   13.264884]  queue_work_on+0xb6/0xc0
[   13.265080]  workqueue_uaf+0x26d/0x560
[   13.265378]  kunit_try_run_case+0x1a5/0x480
[   13.265668]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.266193]  kthread+0x337/0x6f0
[   13.266391]  ret_from_fork+0x41/0x80
[   13.266703]  ret_from_fork_asm+0x1a/0x30
[   13.266873] 
[   13.267121] The buggy address belongs to the object at ffff888102705100
[   13.267121]  which belongs to the cache kmalloc-32 of size 32
[   13.267673] The buggy address is located 0 bytes inside of
[   13.267673]  freed 32-byte region [ffff888102705100, ffff888102705120)
[   13.268206] 
[   13.268323] The buggy address belongs to the physical page:
[   13.268656] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102705
[   13.269476] flags: 0x200000000000000(node=0|zone=2)
[   13.269875] page_type: f5(slab)
[   13.270276] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   13.270782] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   13.271272] page dumped because: kasan: bad access detected
[   13.271575] 
[   13.271717] Memory state around the buggy address:
[   13.271970]  ffff888102705000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   13.272497]  ffff888102705080: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   13.273165] >ffff888102705100: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   13.273533]                    ^
[   13.273725]  ffff888102705180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.274039]  ffff888102705200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.274693] ==================================================================