Date
June 8, 2025, 11:09 p.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
| rk3399-rock-pi-4b |
```text
[ 32.937319] ==================================================================
[ 32.944668] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 32.951351] Read of size 8 at addr ffff000800d64980 by task kunit_try_catch/247
[ 32.958637]
[ 32.960125] CPU: 7 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 32.960187] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.960204] Hardware name: WinLink E850-96 board (DT)
[ 32.960226] Call trace:
[ 32.960240]  show_stack+0x20/0x38 (C)
[ 32.960276]  dump_stack_lvl+0x8c/0xd0
[ 32.960314]  print_report+0x118/0x608
[ 32.960351]  kasan_report+0xdc/0x128
[ 32.960388]  __asan_report_load8_noabort+0x20/0x30
[ 32.960429]  workqueue_uaf+0x480/0x4a8
[ 32.960461]  kunit_try_run_case+0x170/0x3f0
[ 32.960496]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.960535]  kthread+0x328/0x630
[ 32.960564]  ret_from_fork+0x10/0x20
[ 32.960602]
[ 33.022528] Allocated by task 247:
[ 33.025914]  kasan_save_stack+0x3c/0x68
[ 33.029730]  kasan_save_track+0x20/0x40
[ 33.033550]  kasan_save_alloc_info+0x40/0x58
[ 33.037802]  __kasan_kmalloc+0xd4/0xd8
[ 33.041535]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 33.046049]  workqueue_uaf+0x13c/0x4a8
[ 33.049781]  kunit_try_run_case+0x170/0x3f0
[ 33.053948]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.059418]  kthread+0x328/0x630
[ 33.062628]  ret_from_fork+0x10/0x20
[ 33.066187]
[ 33.067664] Freed by task 83:
[ 33.070617]  kasan_save_stack+0x3c/0x68
[ 33.074434]  kasan_save_track+0x20/0x40
[ 33.078253]  kasan_save_free_info+0x4c/0x78
[ 33.082419]  __kasan_slab_free+0x6c/0x98
[ 33.086327]  kfree+0x214/0x3c8
[ 33.089365]  workqueue_uaf_work+0x18/0x30
[ 33.093357]  process_one_work+0x530/0xf98
[ 33.097350]  worker_thread+0x618/0xf38
[ 33.101082]  kthread+0x328/0x630
[ 33.104296]  ret_from_fork+0x10/0x20
[ 33.107853]
[ 33.109330] Last potentially related work creation:
[ 33.114190]  kasan_save_stack+0x3c/0x68
[ 33.118011]  kasan_record_aux_stack+0xb4/0xc8
[ 33.122351]  __queue_work+0x65c/0x1008
[ 33.126082]  queue_work_on+0xbc/0xf8
[ 33.129641]  workqueue_uaf+0x210/0x4a8
[ 33.133374]  kunit_try_run_case+0x170/0x3f0
[ 33.137540]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.143009]  kthread+0x328/0x630
[ 33.146222]  ret_from_fork+0x10/0x20
[ 33.149780]
[ 33.151257] The buggy address belongs to the object at ffff000800d64980
[ 33.151257]  which belongs to the cache kmalloc-32 of size 32
[ 33.163585] The buggy address is located 0 bytes inside of
[ 33.163585]  freed 32-byte region [ffff000800d64980, ffff000800d649a0)
[ 33.175560]
[ 33.177040] The buggy address belongs to the physical page:
[ 33.182596] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880d64
[ 33.190581] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.197090] page_type: f5(slab)
[ 33.200230] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 33.207947] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 33.215666] page dumped because: kasan: bad access detected
[ 33.221220]
[ 33.222696] Memory state around the buggy address:
[ 33.227475]  ffff000800d64880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 33.234680]  ffff000800d64900: fa fb fb fb fc fc fc fc 00 00 00 07 fc fc fc fc
[ 33.241883] >ffff000800d64980: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.249084]                    ^
[ 33.252299]  ffff000800d64a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.259504]  ffff000800d64a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.266708] ==================================================================
```
```text
[ 26.112004] ==================================================================
[ 26.112168] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 26.112661] Read of size 8 at addr fff00000c641c380 by task kunit_try_catch/200
[ 26.112881]
[ 26.112984] CPU: 0 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 26.113510] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.113605] Hardware name: linux,dummy-virt (DT)
[ 26.113822] Call trace:
[ 26.113909]  show_stack+0x20/0x38 (C)
[ 26.114072]  dump_stack_lvl+0x8c/0xd0
[ 26.114221]  print_report+0x118/0x608
[ 26.114756]  kasan_report+0xdc/0x128
[ 26.115018]  __asan_report_load8_noabort+0x20/0x30
[ 26.115262]  workqueue_uaf+0x480/0x4a8
[ 26.115397]  kunit_try_run_case+0x170/0x3f0
[ 26.115746]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.115925]  kthread+0x328/0x630
[ 26.116105]  ret_from_fork+0x10/0x20
[ 26.116426]
[ 26.116503] Allocated by task 200:
[ 26.116576]  kasan_save_stack+0x3c/0x68
[ 26.116842]  kasan_save_track+0x20/0x40
[ 26.116962]  kasan_save_alloc_info+0x40/0x58
[ 26.117079]  __kasan_kmalloc+0xd4/0xd8
[ 26.117341]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.117451]  workqueue_uaf+0x13c/0x4a8
[ 26.117573]  kunit_try_run_case+0x170/0x3f0
[ 26.117813]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.117946]  kthread+0x328/0x630
[ 26.118051]  ret_from_fork+0x10/0x20
[ 26.118166]
[ 26.118222] Freed by task 9:
[ 26.118295]  kasan_save_stack+0x3c/0x68
[ 26.118559]  kasan_save_track+0x20/0x40
[ 26.119032]  kasan_save_free_info+0x4c/0x78
[ 26.119511]  __kasan_slab_free+0x6c/0x98
[ 26.119645]  kfree+0x214/0x3c8
[ 26.119750]  workqueue_uaf_work+0x18/0x30
[ 26.119953]  process_one_work+0x530/0xf98
[ 26.120150]  worker_thread+0x618/0xf38
[ 26.120347]  kthread+0x328/0x630
[ 26.120443]  ret_from_fork+0x10/0x20
[ 26.120589]
[ 26.120656] Last potentially related work creation:
[ 26.120732]  kasan_save_stack+0x3c/0x68
[ 26.120847]  kasan_record_aux_stack+0xb4/0xc8
[ 26.121158]  __queue_work+0x65c/0x1008
[ 26.121527]  queue_work_on+0xbc/0xf8
[ 26.121709]  workqueue_uaf+0x210/0x4a8
[ 26.121816]  kunit_try_run_case+0x170/0x3f0
[ 26.122026]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.122158]  kthread+0x328/0x630
[ 26.122350]  ret_from_fork+0x10/0x20
[ 26.122474]
[ 26.122582] The buggy address belongs to the object at fff00000c641c380
[ 26.122582]  which belongs to the cache kmalloc-32 of size 32
[ 26.122723] The buggy address is located 0 bytes inside of
[ 26.122723]  freed 32-byte region [fff00000c641c380, fff00000c641c3a0)
[ 26.122919]
[ 26.123099] The buggy address belongs to the physical page:
[ 26.123254] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10641c
[ 26.123644] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.123904] page_type: f5(slab)
[ 26.124110] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 26.124435] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 26.124546] page dumped because: kasan: bad access detected
[ 26.124633]
[ 26.124682] Memory state around the buggy address:
[ 26.124816]  fff00000c641c280: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 26.125119]  fff00000c641c300: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[ 26.125250] >fff00000c641c380: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.125345]                    ^
[ 26.125424]  fff00000c641c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.125704]  fff00000c641c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.125813] ==================================================================
```
```text
[ 26.373608] ==================================================================
[ 26.373780] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 26.373947] Read of size 8 at addr fff00000c773e440 by task kunit_try_catch/200
[ 26.374093]
[ 26.374200] CPU: 0 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 26.374421] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.374617] Hardware name: linux,dummy-virt (DT)
[ 26.374734] Call trace:
[ 26.374829]  show_stack+0x20/0x38 (C)
[ 26.374977]  dump_stack_lvl+0x8c/0xd0
[ 26.375095]  print_report+0x118/0x608
[ 26.375214]  kasan_report+0xdc/0x128
[ 26.375331]  __asan_report_load8_noabort+0x20/0x30
[ 26.375513]  workqueue_uaf+0x480/0x4a8
[ 26.375629]  kunit_try_run_case+0x170/0x3f0
[ 26.375748]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.375916]  kthread+0x328/0x630
[ 26.376094]  ret_from_fork+0x10/0x20
[ 26.376315]
[ 26.376389] Allocated by task 200:
[ 26.376501]  kasan_save_stack+0x3c/0x68
[ 26.376688]  kasan_save_track+0x20/0x40
[ 26.376796]  kasan_save_alloc_info+0x40/0x58
[ 26.376988]  __kasan_kmalloc+0xd4/0xd8
[ 26.377147]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.377269]  workqueue_uaf+0x13c/0x4a8
[ 26.377388]  kunit_try_run_case+0x170/0x3f0
[ 26.377585]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.377769]  kthread+0x328/0x630
[ 26.377881]  ret_from_fork+0x10/0x20
[ 26.377979]
[ 26.378046] Freed by task 75:
[ 26.378143]  kasan_save_stack+0x3c/0x68
[ 26.378258]  kasan_save_track+0x20/0x40
[ 26.378375]  kasan_save_free_info+0x4c/0x78
[ 26.378485]  __kasan_slab_free+0x6c/0x98
[ 26.378589]  kfree+0x214/0x3c8
[ 26.378680]  workqueue_uaf_work+0x18/0x30
[ 26.378771]  process_one_work+0x530/0xf98
[ 26.378885]  worker_thread+0x618/0xf38
[ 26.379082]  kthread+0x328/0x630
[ 26.379188]  ret_from_fork+0x10/0x20
[ 26.379401]
[ 26.379457] Last potentially related work creation:
[ 26.379539]  kasan_save_stack+0x3c/0x68
[ 26.379810]  kasan_record_aux_stack+0xb4/0xc8
[ 26.380045]  __queue_work+0x65c/0x1008
[ 26.380183]  queue_work_on+0xbc/0xf8
[ 26.380387]  workqueue_uaf+0x210/0x4a8
[ 26.380576]  kunit_try_run_case+0x170/0x3f0
[ 26.380676]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.380782]  kthread+0x328/0x630
[ 26.380900]  ret_from_fork+0x10/0x20
[ 26.381000]
[ 26.381545] The buggy address belongs to the object at fff00000c773e440
[ 26.381545]  which belongs to the cache kmalloc-32 of size 32
[ 26.381968] The buggy address is located 0 bytes inside of
[ 26.381968]  freed 32-byte region [fff00000c773e440, fff00000c773e460)
[ 26.382134]
[ 26.382188] The buggy address belongs to the physical page:
[ 26.382296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10773e
[ 26.382445] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.382578] page_type: f5(slab)
[ 26.383547] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 26.384203] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 26.384501] page dumped because: kasan: bad access detected
[ 26.385167]
[ 26.385307] Memory state around the buggy address:
[ 26.386135]  fff00000c773e300: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[ 26.386345]  fff00000c773e380: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 26.386451] >fff00000c773e400: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 26.386920]                                            ^
[ 26.387253]  fff00000c773e480: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.387606]  fff00000c773e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.388237] ==================================================================
```
```text
[ 20.008803] ==================================================================
[ 20.010340] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[ 20.011198] Read of size 8 at addr ffff8881039cd580 by task kunit_try_catch/218
[ 20.012084]
[ 20.012585] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary)
[ 20.012716] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.012754] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 20.012818] Call Trace:
[ 20.012867]  <TASK>
[ 20.012920]  dump_stack_lvl+0x73/0xb0
[ 20.013269]  print_report+0xd1/0x650
[ 20.013355]  ? __virt_addr_valid+0x1db/0x2d0
[ 20.013424]  ? workqueue_uaf+0x4d6/0x560
[ 20.013480]  ? kasan_complete_mode_report_info+0x64/0x200
[ 20.013605]  ? workqueue_uaf+0x4d6/0x560
[ 20.013725]  kasan_report+0x141/0x180
[ 20.013802]  ? workqueue_uaf+0x4d6/0x560
[ 20.013851]  __asan_report_load8_noabort+0x18/0x20
[ 20.013893]  workqueue_uaf+0x4d6/0x560
[ 20.013925]  ? __pfx_workqueue_uaf+0x10/0x10
[ 20.013959]  ? __schedule+0x10cc/0x2b60
[ 20.013997]  ? __pfx_read_tsc+0x10/0x10
[ 20.014028]  ? ktime_get_ts64+0x86/0x230
[ 20.014064]  kunit_try_run_case+0x1a5/0x480
[ 20.014104]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.014139]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 20.014173]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 20.014205]  ? __kthread_parkme+0x82/0x180
[ 20.014236]  ? preempt_count_sub+0x50/0x80
[ 20.014299]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.014338]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.014374]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.014408]  kthread+0x337/0x6f0
[ 20.014437]  ? trace_preempt_on+0x20/0xc0
[ 20.014472]  ? __pfx_kthread+0x10/0x10
[ 20.014526]  ? _raw_spin_unlock_irq+0x47/0x80
[ 20.014599]  ? calculate_sigpending+0x7b/0xa0
[ 20.014680]  ? __pfx_kthread+0x10/0x10
[ 20.014715]  ret_from_fork+0x116/0x1d0
[ 20.014743]  ? __pfx_kthread+0x10/0x10
[ 20.014772]  ret_from_fork_asm+0x1a/0x30
[ 20.014816]  </TASK>
[ 20.014831]
[ 20.034912] Allocated by task 218:
[ 20.035732]  kasan_save_stack+0x45/0x70
[ 20.036785]  kasan_save_track+0x18/0x40
[ 20.037133]  kasan_save_alloc_info+0x3b/0x50
[ 20.037939]  __kasan_kmalloc+0xb7/0xc0
[ 20.038800]  __kmalloc_cache_noprof+0x189/0x420
[ 20.039798]  workqueue_uaf+0x152/0x560
[ 20.040083]  kunit_try_run_case+0x1a5/0x480
[ 20.040749]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.042932]  kthread+0x337/0x6f0
[ 20.043275]  ret_from_fork+0x116/0x1d0
[ 20.043629]  ret_from_fork_asm+0x1a/0x30
[ 20.043904]
[ 20.044060] Freed by task 9:
[ 20.044326]  kasan_save_stack+0x45/0x70
[ 20.044652]  kasan_save_track+0x18/0x40
[ 20.044958]  kasan_save_free_info+0x3f/0x60
[ 20.045398]  __kasan_slab_free+0x56/0x70
[ 20.045934]  kfree+0x222/0x3f0
[ 20.046389]  workqueue_uaf_work+0x12/0x20
[ 20.047087]  process_one_work+0x5ee/0xf60
[ 20.047694]  worker_thread+0x758/0x1220
[ 20.047965]  kthread+0x337/0x6f0
[ 20.048192]  ret_from_fork+0x116/0x1d0
[ 20.048801]  ret_from_fork_asm+0x1a/0x30
[ 20.049436]
[ 20.049821] Last potentially related work creation:
[ 20.050643]  kasan_save_stack+0x45/0x70
[ 20.051198]  kasan_record_aux_stack+0xb2/0xc0
[ 20.051945]  __queue_work+0x626/0xeb0
[ 20.052256]  queue_work_on+0xb6/0xc0
[ 20.053285]  workqueue_uaf+0x26d/0x560
[ 20.055469]  kunit_try_run_case+0x1a5/0x480
[ 20.055852]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.057352]  kthread+0x337/0x6f0
[ 20.058138]  ret_from_fork+0x116/0x1d0
[ 20.058993]  ret_from_fork_asm+0x1a/0x30
[ 20.061216]
[ 20.061593] The buggy address belongs to the object at ffff8881039cd580
[ 20.061593]  which belongs to the cache kmalloc-32 of size 32
[ 20.063798] The buggy address is located 0 bytes inside of
[ 20.063798]  freed 32-byte region [ffff8881039cd580, ffff8881039cd5a0)
[ 20.065441]
[ 20.066115] The buggy address belongs to the physical page:
[ 20.066782] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039cd
[ 20.067372] flags: 0x200000000000000(node=0|zone=2)
[ 20.068493] page_type: f5(slab)
[ 20.068882] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 20.069399] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 20.070079] page dumped because: kasan: bad access detected
[ 20.071072]
[ 20.071418] Memory state around the buggy address:
[ 20.071844]  ffff8881039cd480: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[ 20.073088]  ffff8881039cd500: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[ 20.074834] >ffff8881039cd580: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.076228]                    ^
[ 20.076572]  ffff8881039cd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.078061]  ffff8881039cd680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.079376] ==================================================================
```
```text
[ 18.933810] ==================================================================
[ 18.935465] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[ 18.936178] Read of size 8 at addr ffff888103305400 by task kunit_try_catch/218
[ 18.937073]
[ 18.938078] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary)
[ 18.938188] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.938225] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.938297] Call Trace:
[ 18.938337]  <TASK>
[ 18.938529]  dump_stack_lvl+0x73/0xb0
[ 18.938778]  print_report+0xd1/0x650
[ 18.938813]  ? __virt_addr_valid+0x1db/0x2d0
[ 18.938847]  ? workqueue_uaf+0x4d6/0x560
[ 18.938900]  ? kasan_complete_mode_report_info+0x64/0x200
[ 18.938940]  ? workqueue_uaf+0x4d6/0x560
[ 18.938972]  kasan_report+0x141/0x180
[ 18.939003]  ? workqueue_uaf+0x4d6/0x560
[ 18.939039]  __asan_report_load8_noabort+0x18/0x20
[ 18.939074]  workqueue_uaf+0x4d6/0x560
[ 18.939119]  ? __pfx_workqueue_uaf+0x10/0x10
[ 18.939168]  ? __schedule+0x10cc/0x2b60
[ 18.939202]  ? __pfx_read_tsc+0x10/0x10
[ 18.939232]  ? ktime_get_ts64+0x86/0x230
[ 18.939265]  kunit_try_run_case+0x1a5/0x480
[ 18.939300]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.939334]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 18.939367]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.939400]  ? __kthread_parkme+0x82/0x180
[ 18.939428]  ? preempt_count_sub+0x50/0x80
[ 18.939459]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.939493]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.939583]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.939660]  kthread+0x337/0x6f0
[ 18.939691]  ? trace_preempt_on+0x20/0xc0
[ 18.939725]  ? __pfx_kthread+0x10/0x10
[ 18.939754]  ? _raw_spin_unlock_irq+0x47/0x80
[ 18.939785]  ? calculate_sigpending+0x7b/0xa0
[ 18.939818]  ? __pfx_kthread+0x10/0x10
[ 18.939847]  ret_from_fork+0x116/0x1d0
[ 18.939872]  ? __pfx_kthread+0x10/0x10
[ 18.939932]  ret_from_fork_asm+0x1a/0x30
[ 18.939976]  </TASK>
[ 18.939991]
[ 18.957987] Allocated by task 218:
[ 18.958447]  kasan_save_stack+0x45/0x70
[ 18.958824]  kasan_save_track+0x18/0x40
[ 18.959208]  kasan_save_alloc_info+0x3b/0x50
[ 18.959846]  __kasan_kmalloc+0xb7/0xc0
[ 18.960237]  __kmalloc_cache_noprof+0x189/0x420
[ 18.960706]  workqueue_uaf+0x152/0x560
[ 18.961486]  kunit_try_run_case+0x1a5/0x480
[ 18.961828]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.962371]  kthread+0x337/0x6f0
[ 18.962634]  ret_from_fork+0x116/0x1d0
[ 18.963089]  ret_from_fork_asm+0x1a/0x30
[ 18.963818]
[ 18.964181] Freed by task 9:
[ 18.967126]  kasan_save_stack+0x45/0x70
[ 18.968267]  kasan_save_track+0x18/0x40
[ 18.968576]  kasan_save_free_info+0x3f/0x60
[ 18.968846]  __kasan_slab_free+0x56/0x70
[ 18.970325]  kfree+0x222/0x3f0
[ 18.970671]  workqueue_uaf_work+0x12/0x20
[ 18.972632]  process_one_work+0x5ee/0xf60
[ 18.973643]  worker_thread+0x758/0x1220
[ 18.974210]  kthread+0x337/0x6f0
[ 18.974572]  ret_from_fork+0x116/0x1d0
[ 18.975161]  ret_from_fork_asm+0x1a/0x30
[ 18.975923]
[ 18.976630] Last potentially related work creation:
[ 18.977287]  kasan_save_stack+0x45/0x70
[ 18.977802]  kasan_record_aux_stack+0xb2/0xc0
[ 18.978277]  __queue_work+0x626/0xeb0
[ 18.978781]  queue_work_on+0xb6/0xc0
[ 18.979233]  workqueue_uaf+0x26d/0x560
[ 18.979779]  kunit_try_run_case+0x1a5/0x480
[ 18.980207]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.981086]  kthread+0x337/0x6f0
[ 18.981490]  ret_from_fork+0x116/0x1d0
[ 18.981867]  ret_from_fork_asm+0x1a/0x30
[ 18.982301]
[ 18.982509] The buggy address belongs to the object at ffff888103305400
[ 18.982509]  which belongs to the cache kmalloc-32 of size 32
[ 18.983758] The buggy address is located 0 bytes inside of
[ 18.983758]  freed 32-byte region [ffff888103305400, ffff888103305420)
[ 18.984767]
[ 18.985020] The buggy address belongs to the physical page:
[ 18.985645] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103305
[ 18.986340] flags: 0x200000000000000(node=0|zone=2)
[ 18.987186] page_type: f5(slab)
[ 18.987705] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 18.988328] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 18.989032] page dumped because: kasan: bad access detected
[ 18.989732]
[ 18.989975] Memory state around the buggy address:
[ 18.990445]  ffff888103305300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.991168]  ffff888103305380: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 18.992135] >ffff888103305400: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.992923]                    ^
[ 18.993267]  ffff888103305480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.993973]  ffff888103305500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.994548] ==================================================================
```
```text
[ 21.091951] ==================================================================
[ 21.092933] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 21.093598] Read of size 8 at addr ffff00000251ddc0 by task kunit_try_catch/253
[ 21.094277]
[ 21.094441] CPU: 0 UID: 0 PID: 253 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 21.094491] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.094505] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.094521] Call trace:
[ 21.094533]  show_stack+0x20/0x38 (C)
[ 21.094567]  dump_stack_lvl+0x8c/0xd0
[ 21.094603]  print_report+0x118/0x608
[ 21.094638]  kasan_report+0xdc/0x128
[ 21.094670]  __asan_report_load8_noabort+0x20/0x30
[ 21.094708]  workqueue_uaf+0x480/0x4a8
[ 21.094737]  kunit_try_run_case+0x170/0x3f0
[ 21.094772]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.094809]  kthread+0x328/0x630
[ 21.094836]  ret_from_fork+0x10/0x20
[ 21.094868]
[ 21.100411] Allocated by task 253:
[ 21.100738]  kasan_save_stack+0x3c/0x68
[ 21.101118]  kasan_save_track+0x20/0x40
[ 21.101495]  kasan_save_alloc_info+0x40/0x58
[ 21.101911]  __kasan_kmalloc+0xd4/0xd8
[ 21.102279]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 21.102716]  workqueue_uaf+0x13c/0x4a8
[ 21.103081]  kunit_try_run_case+0x170/0x3f0
[ 21.103487]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.104010]  kthread+0x328/0x630
[ 21.104326]  ret_from_fork+0x10/0x20
[ 21.104676]
[ 21.104828] Freed by task 11:
[ 21.105114]  kasan_save_stack+0x3c/0x68
[ 21.105491]  kasan_save_track+0x20/0x40
[ 21.105866]  kasan_save_free_info+0x4c/0x78
[ 21.106275]  __kasan_slab_free+0x6c/0x98
[ 21.106656]  kfree+0x214/0x3c8
[ 21.106958]  workqueue_uaf_work+0x18/0x30
[ 21.107345]  process_one_work+0x530/0xf98
[ 21.107734]  worker_thread+0x618/0xf38
[ 21.108098]  kthread+0x328/0x630
[ 21.108413]  ret_from_fork+0x10/0x20
[ 21.108764]
[ 21.108917] Last potentially related work creation:
[ 21.109369]  kasan_save_stack+0x3c/0x68
[ 21.109744]  kasan_record_aux_stack+0xb4/0xc8
[ 21.110167]  __queue_work+0x65c/0x1008
[ 21.110531]  queue_work_on+0xbc/0xf8
[ 21.110881]  workqueue_uaf+0x210/0x4a8
[ 21.111245]  kunit_try_run_case+0x170/0x3f0
[ 21.111650]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.112173]  kthread+0x328/0x630
[ 21.112489]  ret_from_fork+0x10/0x20
[ 21.112839]
[ 21.112991] The buggy address belongs to the object at ffff00000251ddc0
[ 21.112991]  which belongs to the cache kmalloc-32 of size 32
[ 21.114109] The buggy address is located 0 bytes inside of
[ 21.114109]  freed 32-byte region [ffff00000251ddc0, ffff00000251dde0)
[ 21.115198]
[ 21.115353] The buggy address belongs to the physical page:
[ 21.115867] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x251d
[ 21.116593] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 21.117204] page_type: f5(slab)
[ 21.117518] raw: 03fffe0000000000 ffff000000402780 dead000000000122 0000000000000000
[ 21.118233] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 21.118940] page dumped because: kasan: bad access detected
[ 21.119454]
[ 21.119605] Memory state around the buggy address:
[ 21.120054]  ffff00000251dc80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.120720]  ffff00000251dd00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.121386] >ffff00000251dd80: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.122046]                                            ^
[ 21.122541]  ffff00000251de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.123206]  ffff00000251de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.123868] ==================================================================
```