Hay
Date
July 9, 2025, 11:07 p.m.

Environment
qemu-arm64
qemu-x86_64

Both reports below come from the KASAN KUnit self-test `workqueue_uaf`, run by the `kunit_try_catch` task with the `[N]=TEST` taint set, so the slab-use-after-free they show appears to be the outcome the test provokes deliberately rather than an unexpected defect in the kernel under test; one report is from each environment (arm64 first, then x86_64).

[   17.207022] ==================================================================
[   17.207677] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   17.207766] Read of size 8 at addr fff00000c6cd36c0 by task kunit_try_catch/200
[   17.207837] 
[   17.208159] CPU: 1 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.208597] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.208626] Hardware name: linux,dummy-virt (DT)
[   17.208669] Call trace:
[   17.209025]  show_stack+0x20/0x38 (C)
[   17.209598]  dump_stack_lvl+0x8c/0xd0
[   17.209877]  print_report+0x118/0x608
[   17.210577]  kasan_report+0xdc/0x128
[   17.210938]  __asan_report_load8_noabort+0x20/0x30
[   17.211349]  workqueue_uaf+0x480/0x4a8
[   17.211428]  kunit_try_run_case+0x170/0x3f0
[   17.211719]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.211776]  kthread+0x328/0x630
[   17.211842]  ret_from_fork+0x10/0x20
[   17.212251] 
[   17.212610] Allocated by task 200:
[   17.212649]  kasan_save_stack+0x3c/0x68
[   17.213155]  kasan_save_track+0x20/0x40
[   17.213203]  kasan_save_alloc_info+0x40/0x58
[   17.213246]  __kasan_kmalloc+0xd4/0xd8
[   17.213283]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.213895]  workqueue_uaf+0x13c/0x4a8
[   17.214209]  kunit_try_run_case+0x170/0x3f0
[   17.214259]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.214304]  kthread+0x328/0x630
[   17.214339]  ret_from_fork+0x10/0x20
[   17.214377] 
[   17.214739] Freed by task 48:
[   17.214800]  kasan_save_stack+0x3c/0x68
[   17.214845]  kasan_save_track+0x20/0x40
[   17.215162]  kasan_save_free_info+0x4c/0x78
[   17.215476]  __kasan_slab_free+0x6c/0x98
[   17.215525]  kfree+0x214/0x3c8
[   17.215569]  workqueue_uaf_work+0x18/0x30
[   17.215860]  process_one_work+0x530/0xf98
[   17.215905]  worker_thread+0x618/0xf38
[   17.216158]  kthread+0x328/0x630
[   17.216414]  ret_from_fork+0x10/0x20
[   17.216470] 
[   17.216747] Last potentially related work creation:
[   17.216988]  kasan_save_stack+0x3c/0x68
[   17.217235]  kasan_record_aux_stack+0xb4/0xc8
[   17.217328]  __queue_work+0x65c/0x1008
[   17.217367]  queue_work_on+0xbc/0xf8
[   17.217448]  workqueue_uaf+0x210/0x4a8
[   17.217844]  kunit_try_run_case+0x170/0x3f0
[   17.218069]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.218359]  kthread+0x328/0x630
[   17.218636]  ret_from_fork+0x10/0x20
[   17.218729] 
[   17.218750] The buggy address belongs to the object at fff00000c6cd36c0
[   17.218750]  which belongs to the cache kmalloc-32 of size 32
[   17.219761] The buggy address is located 0 bytes inside of
[   17.219761]  freed 32-byte region [fff00000c6cd36c0, fff00000c6cd36e0)
[   17.220316] 
[   17.220624] The buggy address belongs to the physical page:
[   17.221193] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106cd3
[   17.221257] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.221691] page_type: f5(slab)
[   17.222049] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   17.222353] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.222639] page dumped because: kasan: bad access detected
[   17.222674] 
[   17.222692] Memory state around the buggy address:
[   17.223127]  fff00000c6cd3580: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   17.223362]  fff00000c6cd3600: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   17.223578] >fff00000c6cd3680: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   17.223908]                                            ^
[   17.223988]  fff00000c6cd3700: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.224191]  fff00000c6cd3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.224249] ==================================================================

[   13.145829] ==================================================================
[   13.147125] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   13.147537] Read of size 8 at addr ffff8881031eaa80 by task kunit_try_catch/217
[   13.147772] 
[   13.147867] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.147921] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.147934] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.147963] Call Trace:
[   13.147976]  <TASK>
[   13.147992]  dump_stack_lvl+0x73/0xb0
[   13.148048]  print_report+0xd1/0x650
[   13.148071]  ? __virt_addr_valid+0x1db/0x2d0
[   13.148097]  ? workqueue_uaf+0x4d6/0x560
[   13.148118]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.148215]  ? workqueue_uaf+0x4d6/0x560
[   13.148238]  kasan_report+0x141/0x180
[   13.148260]  ? workqueue_uaf+0x4d6/0x560
[   13.148287]  __asan_report_load8_noabort+0x18/0x20
[   13.148340]  workqueue_uaf+0x4d6/0x560
[   13.148379]  ? __pfx_workqueue_uaf+0x10/0x10
[   13.148403]  ? __schedule+0x10cc/0x2b60
[   13.148428]  ? __pfx_read_tsc+0x10/0x10
[   13.148452]  ? ktime_get_ts64+0x86/0x230
[   13.148479]  kunit_try_run_case+0x1a5/0x480
[   13.148506]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.148531]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.148558]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.148584]  ? __kthread_parkme+0x82/0x180
[   13.148607]  ? preempt_count_sub+0x50/0x80
[   13.148633]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.148679]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.148717]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.148746]  kthread+0x337/0x6f0
[   13.148765]  ? trace_preempt_on+0x20/0xc0
[   13.148791]  ? __pfx_kthread+0x10/0x10
[   13.148812]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.148853]  ? calculate_sigpending+0x7b/0xa0
[   13.148879]  ? __pfx_kthread+0x10/0x10
[   13.148901]  ret_from_fork+0x116/0x1d0
[   13.148920]  ? __pfx_kthread+0x10/0x10
[   13.148942]  ret_from_fork_asm+0x1a/0x30
[   13.148975]  </TASK>
[   13.148985] 
[   13.161922] Allocated by task 217:
[   13.162277]  kasan_save_stack+0x45/0x70
[   13.162755]  kasan_save_track+0x18/0x40
[   13.163197]  kasan_save_alloc_info+0x3b/0x50
[   13.163606]  __kasan_kmalloc+0xb7/0xc0
[   13.163973]  __kmalloc_cache_noprof+0x189/0x420
[   13.164501]  workqueue_uaf+0x152/0x560
[   13.164875]  kunit_try_run_case+0x1a5/0x480
[   13.165296]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.165760]  kthread+0x337/0x6f0
[   13.165892]  ret_from_fork+0x116/0x1d0
[   13.166045]  ret_from_fork_asm+0x1a/0x30
[   13.166545] 
[   13.166740] Freed by task 9:
[   13.167021]  kasan_save_stack+0x45/0x70
[   13.167485]  kasan_save_track+0x18/0x40
[   13.167866]  kasan_save_free_info+0x3f/0x60
[   13.168228]  __kasan_slab_free+0x56/0x70
[   13.168555]  kfree+0x222/0x3f0
[   13.168673]  workqueue_uaf_work+0x12/0x20
[   13.168822]  process_one_work+0x5ee/0xf60
[   13.168962]  worker_thread+0x758/0x1220
[   13.169232]  kthread+0x337/0x6f0
[   13.169607]  ret_from_fork+0x116/0x1d0
[   13.170163]  ret_from_fork_asm+0x1a/0x30
[   13.170550] 
[   13.170741] Last potentially related work creation:
[   13.171245]  kasan_save_stack+0x45/0x70
[   13.171608]  kasan_record_aux_stack+0xb2/0xc0
[   13.172080]  __queue_work+0x626/0xeb0
[   13.172456]  queue_work_on+0xb6/0xc0
[   13.172809]  workqueue_uaf+0x26d/0x560
[   13.173264]  kunit_try_run_case+0x1a5/0x480
[   13.173479]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.173654]  kthread+0x337/0x6f0
[   13.173785]  ret_from_fork+0x116/0x1d0
[   13.173914]  ret_from_fork_asm+0x1a/0x30
[   13.174129] 
[   13.174290] The buggy address belongs to the object at ffff8881031eaa80
[   13.174290]  which belongs to the cache kmalloc-32 of size 32
[   13.175577] The buggy address is located 0 bytes inside of
[   13.175577]  freed 32-byte region [ffff8881031eaa80, ffff8881031eaaa0)
[   13.176690] 
[   13.176867] The buggy address belongs to the physical page:
[   13.177363] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031ea
[   13.178179] flags: 0x200000000000000(node=0|zone=2)
[   13.178519] page_type: f5(slab)
[   13.178650] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   13.178901] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   13.179419] page dumped because: kasan: bad access detected
[   13.180015] 
[   13.180233] Memory state around the buggy address:
[   13.180677]  ffff8881031ea980: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   13.181345]  ffff8881031eaa00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   13.181958] >ffff8881031eaa80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   13.182739]                    ^
[   13.183033]  ffff8881031eab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.183390]  ffff8881031eab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.183611] ==================================================================