Hay
Date
July 6, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64
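x86

Note: all five reports below were raised in task kunit_try_catch on a kernel tainted [N]=TEST. In each, workqueue_uaf performs an 8-byte read of a kmalloc-32 object that workqueue_uaf_work had already freed on a worker thread. This is consistent with a KUnit case that triggers the use-after-free on purpose to check that KASAN detects it, so treat these as expected detector output unless the same signature appears outside a KUnit run.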

[   17.393354] ==================================================================
[   17.393467] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   17.393521] Read of size 8 at addr fff00000c77d50c0 by task kunit_try_catch/201
[   17.393607] 
[   17.393668] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.393750] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.393777] Hardware name: linux,dummy-virt (DT)
[   17.393806] Call trace:
[   17.393859]  show_stack+0x20/0x38 (C)
[   17.393925]  dump_stack_lvl+0x8c/0xd0
[   17.393998]  print_report+0x118/0x608
[   17.394063]  kasan_report+0xdc/0x128
[   17.394144]  __asan_report_load8_noabort+0x20/0x30
[   17.394222]  workqueue_uaf+0x480/0x4a8
[   17.394267]  kunit_try_run_case+0x170/0x3f0
[   17.394313]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.394562]  kthread+0x328/0x630
[   17.394660]  ret_from_fork+0x10/0x20
[   17.394853] 
[   17.394929] Allocated by task 201:
[   17.395085]  kasan_save_stack+0x3c/0x68
[   17.395179]  kasan_save_track+0x20/0x40
[   17.395319]  kasan_save_alloc_info+0x40/0x58
[   17.395454]  __kasan_kmalloc+0xd4/0xd8
[   17.395527]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.395578]  workqueue_uaf+0x13c/0x4a8
[   17.395620]  kunit_try_run_case+0x170/0x3f0
[   17.395658]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.395699]  kthread+0x328/0x630
[   17.395732]  ret_from_fork+0x10/0x20
[   17.395767] 
[   17.395784] Freed by task 76:
[   17.395811]  kasan_save_stack+0x3c/0x68
[   17.395847]  kasan_save_track+0x20/0x40
[   17.395903]  kasan_save_free_info+0x4c/0x78
[   17.395943]  __kasan_slab_free+0x6c/0x98
[   17.395991]  kfree+0x214/0x3c8
[   17.396024]  workqueue_uaf_work+0x18/0x30
[   17.396124]  process_one_work+0x530/0xf98
[   17.396196]  worker_thread+0x618/0xf38
[   17.396355]  kthread+0x328/0x630
[   17.396489]  ret_from_fork+0x10/0x20
[   17.396638] 
[   17.396716] Last potentially related work creation:
[   17.396824]  kasan_save_stack+0x3c/0x68
[   17.396874]  kasan_record_aux_stack+0xb4/0xc8
[   17.396914]  __queue_work+0x65c/0x1008
[   17.397126]  queue_work_on+0xbc/0xf8
[   17.397255]  workqueue_uaf+0x210/0x4a8
[   17.397386]  kunit_try_run_case+0x170/0x3f0
[   17.397424]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.397590]  kthread+0x328/0x630
[   17.397629]  ret_from_fork+0x10/0x20
[   17.397666] 
[   17.397686] The buggy address belongs to the object at fff00000c77d50c0
[   17.397686]  which belongs to the cache kmalloc-32 of size 32
[   17.397856] The buggy address is located 0 bytes inside of
[   17.397856]  freed 32-byte region [fff00000c77d50c0, fff00000c77d50e0)
[   17.397973] 
[   17.398078] The buggy address belongs to the physical page:
[   17.398137] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077d5
[   17.398223] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.398325] page_type: f5(slab)
[   17.398398] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   17.398462] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.398800] page dumped because: kasan: bad access detected
[   17.398920] 
[   17.398989] Memory state around the buggy address:
[   17.399050]  fff00000c77d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.399104]  fff00000c77d5000: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   17.399145] >fff00000c77d5080: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   17.399182]                                            ^
[   17.399222]  fff00000c77d5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.399273]  fff00000c77d5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.399319] ==================================================================

[   17.173699] ==================================================================
[   17.173877] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   17.173950] Read of size 8 at addr fff00000c7770f00 by task kunit_try_catch/201
[   17.174547] 
[   17.174593] CPU: 1 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.174680] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.174705] Hardware name: linux,dummy-virt (DT)
[   17.174737] Call trace:
[   17.174758]  show_stack+0x20/0x38 (C)
[   17.174809]  dump_stack_lvl+0x8c/0xd0
[   17.174857]  print_report+0x118/0x608
[   17.174902]  kasan_report+0xdc/0x128
[   17.175778]  __asan_report_load8_noabort+0x20/0x30
[   17.175961]  workqueue_uaf+0x480/0x4a8
[   17.176075]  kunit_try_run_case+0x170/0x3f0
[   17.176223]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.176629]  kthread+0x328/0x630
[   17.176737]  ret_from_fork+0x10/0x20
[   17.176866] 
[   17.176887] Allocated by task 201:
[   17.176954]  kasan_save_stack+0x3c/0x68
[   17.177300]  kasan_save_track+0x20/0x40
[   17.177454]  kasan_save_alloc_info+0x40/0x58
[   17.177500]  __kasan_kmalloc+0xd4/0xd8
[   17.177849]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.178096]  workqueue_uaf+0x13c/0x4a8
[   17.178298]  kunit_try_run_case+0x170/0x3f0
[   17.178345]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.178390]  kthread+0x328/0x630
[   17.178445]  ret_from_fork+0x10/0x20
[   17.178483] 
[   17.178505] Freed by task 57:
[   17.178978]  kasan_save_stack+0x3c/0x68
[   17.179040]  kasan_save_track+0x20/0x40
[   17.179225]  kasan_save_free_info+0x4c/0x78
[   17.179494]  __kasan_slab_free+0x6c/0x98
[   17.179564]  kfree+0x214/0x3c8
[   17.179765]  workqueue_uaf_work+0x18/0x30
[   17.179843]  process_one_work+0x530/0xf98
[   17.180155]  worker_thread+0x618/0xf38
[   17.180470]  kthread+0x328/0x630
[   17.180601]  ret_from_fork+0x10/0x20
[   17.180642] 
[   17.180823] Last potentially related work creation:
[   17.180908]  kasan_save_stack+0x3c/0x68
[   17.180963]  kasan_record_aux_stack+0xb4/0xc8
[   17.181125]  __queue_work+0x65c/0x1008
[   17.181243]  queue_work_on+0xbc/0xf8
[   17.181581]  workqueue_uaf+0x210/0x4a8
[   17.181759]  kunit_try_run_case+0x170/0x3f0
[   17.181836]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.182226]  kthread+0x328/0x630
[   17.182433]  ret_from_fork+0x10/0x20
[   17.182473] 
[   17.182500] The buggy address belongs to the object at fff00000c7770f00
[   17.182500]  which belongs to the cache kmalloc-32 of size 32
[   17.182559] The buggy address is located 0 bytes inside of
[   17.182559]  freed 32-byte region [fff00000c7770f00, fff00000c7770f20)
[   17.182620] 
[   17.182642] The buggy address belongs to the physical page:
[   17.182674] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107770
[   17.182728] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.182776] page_type: f5(slab)
[   17.182814] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   17.183273] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.183320] page dumped because: kasan: bad access detected
[   17.183362] 
[   17.183420] Memory state around the buggy address:
[   17.183456]  fff00000c7770e00: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   17.183499]  fff00000c7770e80: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   17.183551] >fff00000c7770f00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   17.183596]                    ^
[   17.183625]  fff00000c7770f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.183677]  fff00000c7771000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.183716] ==================================================================

[   14.041274] ==================================================================
[   14.041953] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   14.042720] Read of size 8 at addr ffff888102aaa840 by task kunit_try_catch/218
[   14.042975] 
[   14.043162] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.043239] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.043260] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.043297] Call Trace:
[   14.043320]  <TASK>
[   14.043347]  dump_stack_lvl+0x73/0xb0
[   14.043457]  print_report+0xd1/0x650
[   14.043498]  ? __virt_addr_valid+0x1db/0x2d0
[   14.043539]  ? workqueue_uaf+0x4d6/0x560
[   14.043571]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.043605]  ? workqueue_uaf+0x4d6/0x560
[   14.043651]  kasan_report+0x141/0x180
[   14.043682]  ? workqueue_uaf+0x4d6/0x560
[   14.043721]  __asan_report_load8_noabort+0x18/0x20
[   14.043759]  workqueue_uaf+0x4d6/0x560
[   14.043795]  ? __pfx_workqueue_uaf+0x10/0x10
[   14.043828]  ? __schedule+0x10cc/0x2b60
[   14.043877]  ? __pfx_read_tsc+0x10/0x10
[   14.043927]  ? ktime_get_ts64+0x86/0x230
[   14.043976]  kunit_try_run_case+0x1a5/0x480
[   14.044017]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.044068]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.044139]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.044181]  ? __kthread_parkme+0x82/0x180
[   14.044213]  ? preempt_count_sub+0x50/0x80
[   14.044255]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.044294]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.044341]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.044396]  kthread+0x337/0x6f0
[   14.044432]  ? trace_preempt_on+0x20/0xc0
[   14.044476]  ? __pfx_kthread+0x10/0x10
[   14.044536]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.044574]  ? calculate_sigpending+0x7b/0xa0
[   14.044631]  ? __pfx_kthread+0x10/0x10
[   14.044664]  ret_from_fork+0x116/0x1d0
[   14.044692]  ? __pfx_kthread+0x10/0x10
[   14.044721]  ret_from_fork_asm+0x1a/0x30
[   14.044775]  </TASK>
[   14.044798] 
[   14.054864] Allocated by task 218:
[   14.055047]  kasan_save_stack+0x45/0x70
[   14.055397]  kasan_save_track+0x18/0x40
[   14.055826]  kasan_save_alloc_info+0x3b/0x50
[   14.056171]  __kasan_kmalloc+0xb7/0xc0
[   14.056471]  __kmalloc_cache_noprof+0x189/0x420
[   14.056920]  workqueue_uaf+0x152/0x560
[   14.057216]  kunit_try_run_case+0x1a5/0x480
[   14.057447]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.058246]  kthread+0x337/0x6f0
[   14.058713]  ret_from_fork+0x116/0x1d0
[   14.059023]  ret_from_fork_asm+0x1a/0x30
[   14.059262] 
[   14.059373] Freed by task 9:
[   14.059638]  kasan_save_stack+0x45/0x70
[   14.059989]  kasan_save_track+0x18/0x40
[   14.060316]  kasan_save_free_info+0x3f/0x60
[   14.060766]  __kasan_slab_free+0x56/0x70
[   14.061078]  kfree+0x222/0x3f0
[   14.061332]  workqueue_uaf_work+0x12/0x20
[   14.061715]  process_one_work+0x5ee/0xf60
[   14.062077]  worker_thread+0x758/0x1220
[   14.062360]  kthread+0x337/0x6f0
[   14.063135]  ret_from_fork+0x116/0x1d0
[   14.063373]  ret_from_fork_asm+0x1a/0x30
[   14.063853] 
[   14.063959] Last potentially related work creation:
[   14.064299]  kasan_save_stack+0x45/0x70
[   14.064667]  kasan_record_aux_stack+0xb2/0xc0
[   14.065020]  __queue_work+0x626/0xeb0
[   14.065280]  queue_work_on+0xb6/0xc0
[   14.065710]  workqueue_uaf+0x26d/0x560
[   14.066026]  kunit_try_run_case+0x1a5/0x480
[   14.066266]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.066795]  kthread+0x337/0x6f0
[   14.067090]  ret_from_fork+0x116/0x1d0
[   14.067298]  ret_from_fork_asm+0x1a/0x30
[   14.067816] 
[   14.068015] The buggy address belongs to the object at ffff888102aaa840
[   14.068015]  which belongs to the cache kmalloc-32 of size 32
[   14.068993] The buggy address is located 0 bytes inside of
[   14.068993]  freed 32-byte region [ffff888102aaa840, ffff888102aaa860)
[   14.069860] 
[   14.070003] The buggy address belongs to the physical page:
[   14.070188] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102aaa
[   14.070933] flags: 0x200000000000000(node=0|zone=2)
[   14.071233] page_type: f5(slab)
[   14.071596] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   14.071934] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   14.072447] page dumped because: kasan: bad access detected
[   14.073236] 
[   14.073420] Memory state around the buggy address:
[   14.073773]  ffff888102aaa700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   14.074292]  ffff888102aaa780: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   14.074661] >ffff888102aaa800: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   14.075155]                                            ^
[   14.075375]  ffff888102aaa880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.075994]  ffff888102aaa900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.076419] ==================================================================

[   14.184538] ==================================================================
[   14.185767] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   14.186245] Read of size 8 at addr ffff8881031bbf40 by task kunit_try_catch/217
[   14.187304] 
[   14.187707] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.187757] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.187769] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.187790] Call Trace:
[   14.187804]  <TASK>
[   14.187820]  dump_stack_lvl+0x73/0xb0
[   14.187850]  print_report+0xd1/0x650
[   14.187872]  ? __virt_addr_valid+0x1db/0x2d0
[   14.187894]  ? workqueue_uaf+0x4d6/0x560
[   14.188013]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.188041]  ? workqueue_uaf+0x4d6/0x560
[   14.188094]  kasan_report+0x141/0x180
[   14.188116]  ? workqueue_uaf+0x4d6/0x560
[   14.188143]  __asan_report_load8_noabort+0x18/0x20
[   14.188167]  workqueue_uaf+0x4d6/0x560
[   14.188189]  ? __pfx_workqueue_uaf+0x10/0x10
[   14.188211]  ? __schedule+0x10cc/0x2b60
[   14.188233]  ? __pfx_read_tsc+0x10/0x10
[   14.188255]  ? ktime_get_ts64+0x86/0x230
[   14.188280]  kunit_try_run_case+0x1a5/0x480
[   14.188304]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.188326]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.188350]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.188373]  ? __kthread_parkme+0x82/0x180
[   14.188393]  ? preempt_count_sub+0x50/0x80
[   14.188417]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.188440]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.188462]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.188485]  kthread+0x337/0x6f0
[   14.188504]  ? trace_preempt_on+0x20/0xc0
[   14.188529]  ? __pfx_kthread+0x10/0x10
[   14.188550]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.188570]  ? calculate_sigpending+0x7b/0xa0
[   14.188594]  ? __pfx_kthread+0x10/0x10
[   14.188616]  ret_from_fork+0x116/0x1d0
[   14.188634]  ? __pfx_kthread+0x10/0x10
[   14.188654]  ret_from_fork_asm+0x1a/0x30
[   14.188685]  </TASK>
[   14.188697] 
[   14.204503] Allocated by task 217:
[   14.205143]  kasan_save_stack+0x45/0x70
[   14.205659]  kasan_save_track+0x18/0x40
[   14.206235]  kasan_save_alloc_info+0x3b/0x50
[   14.206787]  __kasan_kmalloc+0xb7/0xc0
[   14.207152]  __kmalloc_cache_noprof+0x189/0x420
[   14.207347]  workqueue_uaf+0x152/0x560
[   14.207486]  kunit_try_run_case+0x1a5/0x480
[   14.207633]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.207819]  kthread+0x337/0x6f0
[   14.207941]  ret_from_fork+0x116/0x1d0
[   14.208083]  ret_from_fork_asm+0x1a/0x30
[   14.208286] 
[   14.208382] Freed by task 24:
[   14.208539]  kasan_save_stack+0x45/0x70
[   14.208733]  kasan_save_track+0x18/0x40
[   14.210019]  kasan_save_free_info+0x3f/0x60
[   14.210776]  __kasan_slab_free+0x56/0x70
[   14.211418]  kfree+0x222/0x3f0
[   14.211555]  workqueue_uaf_work+0x12/0x20
[   14.212383]  process_one_work+0x5ee/0xf60
[   14.212883]  worker_thread+0x758/0x1220
[   14.213037]  kthread+0x337/0x6f0
[   14.213829]  ret_from_fork+0x116/0x1d0
[   14.214317]  ret_from_fork_asm+0x1a/0x30
[   14.214886] 
[   14.215161] Last potentially related work creation:
[   14.215401]  kasan_save_stack+0x45/0x70
[   14.215549]  kasan_record_aux_stack+0xb2/0xc0
[   14.216132]  __queue_work+0x626/0xeb0
[   14.216611]  queue_work_on+0xb6/0xc0
[   14.217224]  workqueue_uaf+0x26d/0x560
[   14.217923]  kunit_try_run_case+0x1a5/0x480
[   14.218475]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.219289]  kthread+0x337/0x6f0
[   14.219428]  ret_from_fork+0x116/0x1d0
[   14.219567]  ret_from_fork_asm+0x1a/0x30
[   14.220099] 
[   14.220573] The buggy address belongs to the object at ffff8881031bbf40
[   14.220573]  which belongs to the cache kmalloc-32 of size 32
[   14.222203] The buggy address is located 0 bytes inside of
[   14.222203]  freed 32-byte region [ffff8881031bbf40, ffff8881031bbf60)
[   14.222598] 
[   14.222677] The buggy address belongs to the physical page:
[   14.223808] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031bb
[   14.224894] flags: 0x200000000000000(node=0|zone=2)
[   14.225127] page_type: f5(slab)
[   14.225259] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   14.225496] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   14.226496] page dumped because: kasan: bad access detected
[   14.227271] 
[   14.227603] Memory state around the buggy address:
[   14.228344]  ffff8881031bbe00: 00 00 05 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   14.229090]  ffff8881031bbe80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   14.229931] >ffff8881031bbf00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   14.230764]                                            ^
[   14.231403]  ffff8881031bbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.232204]  ffff8881031bc000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.232975] ==================================================================

[   32.283182] ==================================================================
[   32.293406] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   32.300117] Read of size 8 at addr ffff88810134bfc0 by task kunit_try_catch/241
[   32.307431] 
[   32.308932] CPU: 2 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   32.308941] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   32.308944] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   32.308947] Call Trace:
[   32.308949]  <TASK>
[   32.308951]  dump_stack_lvl+0x73/0xb0
[   32.308957]  print_report+0xd1/0x650
[   32.308961]  ? __virt_addr_valid+0x1db/0x2d0
[   32.308966]  ? workqueue_uaf+0x4d6/0x560
[   32.308970]  ? kasan_complete_mode_report_info+0x64/0x200
[   32.308975]  ? workqueue_uaf+0x4d6/0x560
[   32.308979]  kasan_report+0x141/0x180
[   32.308983]  ? workqueue_uaf+0x4d6/0x560
[   32.308988]  __asan_report_load8_noabort+0x18/0x20
[   32.308993]  workqueue_uaf+0x4d6/0x560
[   32.308997]  ? __pfx_workqueue_uaf+0x10/0x10
[   32.309001]  ? __schedule+0x10cc/0x2b60
[   32.309005]  ? ktime_get_ts64+0x83/0x230
[   32.309010]  kunit_try_run_case+0x1a2/0x480
[   32.309015]  ? __pfx_kunit_try_run_case+0x10/0x10
[   32.309019]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   32.309024]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   32.309028]  ? __kthread_parkme+0x82/0x180
[   32.309032]  ? preempt_count_sub+0x50/0x80
[   32.309037]  ? __pfx_kunit_try_run_case+0x10/0x10
[   32.309041]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   32.309045]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   32.309049]  kthread+0x334/0x6f0
[   32.309053]  ? trace_preempt_on+0x20/0xc0
[   32.309058]  ? __pfx_kthread+0x10/0x10
[   32.309061]  ? _raw_spin_unlock_irq+0x47/0x80
[   32.309065]  ? calculate_sigpending+0x7b/0xa0
[   32.309070]  ? __pfx_kthread+0x10/0x10
[   32.309074]  ret_from_fork+0x113/0x1d0
[   32.309078]  ? __pfx_kthread+0x10/0x10
[   32.309081]  ret_from_fork_asm+0x1a/0x30
[   32.309087]  </TASK>
[   32.309089] 
[   32.472216] Allocated by task 241:
[   32.475623]  kasan_save_stack+0x45/0x70
[   32.479463]  kasan_save_track+0x18/0x40
[   32.483301]  kasan_save_alloc_info+0x3b/0x50
[   32.487574]  __kasan_kmalloc+0xb7/0xc0
[   32.491328]  __kmalloc_cache_noprof+0x189/0x420
[   32.495886]  workqueue_uaf+0x152/0x560
[   32.499639]  kunit_try_run_case+0x1a2/0x480
[   32.503823]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   32.509223]  kthread+0x334/0x6f0
[   32.512458]  ret_from_fork+0x113/0x1d0
[   32.516210]  ret_from_fork_asm+0x1a/0x30
[   32.520134] 
[   32.521636] Freed by task 49:
[   32.524606]  kasan_save_stack+0x45/0x70
[   32.528445]  kasan_save_track+0x18/0x40
[   32.532286]  kasan_save_free_info+0x3f/0x60
[   32.536470]  __kasan_slab_free+0x56/0x70
[   32.540404]  kfree+0x222/0x3f0
[   32.543466]  workqueue_uaf_work+0x12/0x20
[   32.547478]  process_one_work+0x5eb/0xf60
[   32.551492]  worker_thread+0x758/0x1220
[   32.555348]  kthread+0x334/0x6f0
[   32.558590]  ret_from_fork+0x113/0x1d0
[   32.562361]  ret_from_fork_asm+0x1a/0x30
[   32.566312] 
[   32.567812] Last potentially related work creation:
[   32.572689]  kasan_save_stack+0x45/0x70
[   32.576529]  kasan_record_aux_stack+0xb2/0xc0
[   32.580895]  __queue_work+0x626/0xeb0
[   32.584564]  queue_work_on+0xb6/0xc0
[   32.588141]  workqueue_uaf+0x26d/0x560
[   32.591895]  kunit_try_run_case+0x1a2/0x480
[   32.596081]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   32.601479]  kthread+0x334/0x6f0
[   32.604712]  ret_from_fork+0x113/0x1d0
[   32.608465]  ret_from_fork_asm+0x1a/0x30
[   32.612407] 
[   32.613901] The buggy address belongs to the object at ffff88810134bfc0
[   32.613901]  which belongs to the cache kmalloc-32 of size 32
[   32.626242] The buggy address is located 0 bytes inside of
[   32.626242]  freed 32-byte region [ffff88810134bfc0, ffff88810134bfe0)
[   32.638236] 
[   32.639736] The buggy address belongs to the physical page:
[   32.645307] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10134b
[   32.653315] flags: 0x200000000000000(node=0|zone=2)
[   32.658230] page_type: f5(slab)
[   32.661378] raw: 0200000000000000 ffff888100042780 dead000000000122 0000000000000000
[   32.669143] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   32.676887] page dumped because: kasan: bad access detected
[   32.682461] 
[   32.683961] Memory state around the buggy address:
[   32.688754]  ffff88810134be80: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   32.695973]  ffff88810134bf00: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   32.703191] >ffff88810134bf80: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   32.710410]                                            ^
[   32.715723]  ffff88810134c000: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   32.722944]  ffff88810134c080: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   32.730163] ==================================================================