Date: Nov. 26, 2024, 6:09 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 32.291052] ==================================================================
[ 32.292132] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 32.292952] Read of size 8 at addr fff00000c5e26fc0 by task kunit_try_catch/189
[ 32.294001]
[ 32.294402] CPU: 1 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.295716] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.296340] Hardware name: linux,dummy-virt (DT)
[ 32.296982] Call trace:
[ 32.297435]  show_stack+0x20/0x38 (C)
[ 32.298805]  dump_stack_lvl+0x8c/0xd0
[ 32.299516]  print_report+0x118/0x5e0
[ 32.300186]  kasan_report+0xc8/0x118
[ 32.300826]  __asan_report_load8_noabort+0x20/0x30
[ 32.301556]  workqueue_uaf+0x480/0x4a8
[ 32.302575]  kunit_try_run_case+0x14c/0x3d0
[ 32.303340]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.304249]  kthread+0x24c/0x2d0
[ 32.305065]  ret_from_fork+0x10/0x20
[ 32.305831]
[ 32.306462] Allocated by task 189:
[ 32.307047]  kasan_save_stack+0x3c/0x68
[ 32.307609]  kasan_save_track+0x20/0x40
[ 32.308320]  kasan_save_alloc_info+0x40/0x58
[ 32.309063]  __kasan_kmalloc+0xd4/0xd8
[ 32.309927]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.310522]  workqueue_uaf+0x13c/0x4a8
[ 32.311306]  kunit_try_run_case+0x14c/0x3d0
[ 32.312024]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.312889]  kthread+0x24c/0x2d0
[ 32.313476]  ret_from_fork+0x10/0x20
[ 32.314276]
[ 32.314992] Freed by task 73:
[ 32.315684]  kasan_save_stack+0x3c/0x68
[ 32.316336]  kasan_save_track+0x20/0x40
[ 32.316847]  kasan_save_free_info+0x4c/0x78
[ 32.317422]  __kasan_slab_free+0x6c/0x98
[ 32.318493]  kfree+0x114/0x3d0
[ 32.319083]  workqueue_uaf_work+0x18/0x30
[ 32.319678]  process_one_work+0x530/0xfa8
[ 32.320366]  worker_thread+0x614/0xf28
[ 32.320989]  kthread+0x24c/0x2d0
[ 32.321567]  ret_from_fork+0x10/0x20
[ 32.322666]
[ 32.323069] Last potentially related work creation:
[ 32.323696]  kasan_save_stack+0x3c/0x68
[ 32.324316]  __kasan_record_aux_stack+0xbc/0xe8
[ 32.325003]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 32.326249]  __queue_work+0x654/0xfe0
[ 32.326776]  queue_work_on+0xbc/0xf8
[ 32.327409]  workqueue_uaf+0x210/0x4a8
[ 32.328043]  kunit_try_run_case+0x14c/0x3d0
[ 32.328756]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.329599]  kthread+0x24c/0x2d0
[ 32.330241]  ret_from_fork+0x10/0x20
[ 32.331415]
[ 32.331821] The buggy address belongs to the object at fff00000c5e26fc0
[ 32.331821]  which belongs to the cache kmalloc-32 of size 32
[ 32.333159] The buggy address is located 0 bytes inside of
[ 32.333159]  freed 32-byte region [fff00000c5e26fc0, fff00000c5e26fe0)
[ 32.334499]
[ 32.334851] The buggy address belongs to the physical page:
[ 32.336076] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e26
[ 32.337040] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.338393] page_type: f5(slab)
[ 32.338884] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 32.339896] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000
[ 32.340800] page dumped because: kasan: bad access detected
[ 32.341494]
[ 32.342326] Memory state around the buggy address:
[ 32.342909]  fff00000c5e26e80: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 32.343796]  fff00000c5e26f00: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 32.344660] >fff00000c5e26f80: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.345513]                                            ^
[ 32.346680]  fff00000c5e27000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.347616]  fff00000c5e27080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.348506] ==================================================================
```
qemu-arm64:

```
[ 32.301550] ==================================================================
[ 32.302935] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 32.303768] Read of size 8 at addr fff00000c647a8c0 by task kunit_try_catch/189
[ 32.305293]
[ 32.305616] CPU: 0 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.306637] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.307831] Hardware name: linux,dummy-virt (DT)
[ 32.308783] Call trace:
[ 32.309161]  show_stack+0x20/0x38 (C)
[ 32.309815]  dump_stack_lvl+0x8c/0xd0
[ 32.310414]  print_report+0x118/0x5e0
[ 32.311041]  kasan_report+0xc8/0x118
[ 32.311650]  __asan_report_load8_noabort+0x20/0x30
[ 32.312384]  workqueue_uaf+0x480/0x4a8
[ 32.313362]  kunit_try_run_case+0x14c/0x3d0
[ 32.314029]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.315021]  kthread+0x24c/0x2d0
[ 32.315322]  ret_from_fork+0x10/0x20
[ 32.315593]
[ 32.315748] Allocated by task 189:
[ 32.315994]  kasan_save_stack+0x3c/0x68
[ 32.316517]  kasan_save_track+0x20/0x40
[ 32.317485]  kasan_save_alloc_info+0x40/0x58
[ 32.318174]  __kasan_kmalloc+0xd4/0xd8
[ 32.318727]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.319522]  workqueue_uaf+0x13c/0x4a8
[ 32.320298]  kunit_try_run_case+0x14c/0x3d0
[ 32.321500]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.322057]  kthread+0x24c/0x2d0
[ 32.322685]  ret_from_fork+0x10/0x20
[ 32.323278]
[ 32.323639] Freed by task 8:
[ 32.324198]  kasan_save_stack+0x3c/0x68
[ 32.324773]  kasan_save_track+0x20/0x40
[ 32.325980]  kasan_save_free_info+0x4c/0x78
[ 32.326674]  __kasan_slab_free+0x6c/0x98
[ 32.327312]  kfree+0x114/0x3d0
[ 32.327881]  workqueue_uaf_work+0x18/0x30
[ 32.329343]  process_one_work+0x530/0xfa8
[ 32.330193]  worker_thread+0x614/0xf28
[ 32.330821]  kthread+0x24c/0x2d0
[ 32.331386]  ret_from_fork+0x10/0x20
[ 32.332056]
[ 32.332576] Last potentially related work creation:
[ 32.334086]  kasan_save_stack+0x3c/0x68
[ 32.334596]  __kasan_record_aux_stack+0xbc/0xe8
[ 32.335464]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 32.336323]  __queue_work+0x654/0xfe0
[ 32.337075]  queue_work_on+0xbc/0xf8
[ 32.337543]  workqueue_uaf+0x210/0x4a8
[ 32.338046]  kunit_try_run_case+0x14c/0x3d0
[ 32.338577]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.340323]  kthread+0x24c/0x2d0
[ 32.340796]  ret_from_fork+0x10/0x20
[ 32.341432]
[ 32.341769] The buggy address belongs to the object at fff00000c647a8c0
[ 32.341769]  which belongs to the cache kmalloc-32 of size 32
[ 32.343155] The buggy address is located 0 bytes inside of
[ 32.343155]  freed 32-byte region [fff00000c647a8c0, fff00000c647a8e0)
[ 32.345495]
[ 32.345849] The buggy address belongs to the physical page:
[ 32.347172] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10647a
[ 32.348056] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.349321] page_type: f5(slab)
[ 32.349989] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 32.350943] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000
[ 32.351816] page dumped because: kasan: bad access detected
[ 32.352495]
[ 32.353345] Memory state around the buggy address:
[ 32.353999]  fff00000c647a780: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 32.354765]  fff00000c647a800: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 32.356737] >fff00000c647a880: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.357467]                                            ^
[ 32.358126]  fff00000c647a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.358950]  fff00000c647a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.359688] ==================================================================
```
qemu-x86_64:

```
[ 26.476856] ==================================================================
[ 26.477370] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d8/0x560
[ 26.477370] Read of size 8 at addr ffff88810293ae00 by task kunit_try_catch/209
[ 26.477370]
[ 26.477370] CPU: 1 UID: 0 PID: 209 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 26.477370] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.477370] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.477370] Call Trace:
[ 26.477370]  <TASK>
[ 26.477370]  dump_stack_lvl+0x73/0xb0
[ 26.477370]  print_report+0xd1/0x640
[ 26.477370]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.477370]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.477370]  kasan_report+0x102/0x140
[ 26.477370]  ? workqueue_uaf+0x4d8/0x560
[ 26.477370]  ? workqueue_uaf+0x4d8/0x560
[ 26.477370]  __asan_report_load8_noabort+0x18/0x20
[ 26.477370]  workqueue_uaf+0x4d8/0x560
[ 26.477370]  ? __pfx_workqueue_uaf+0x10/0x10
[ 26.477370]  ? __pfx_workqueue_uaf+0x10/0x10
[ 26.477370]  kunit_try_run_case+0x1b3/0x490
[ 26.477370]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.477370]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 26.477370]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.477370]  ? __kthread_parkme+0x82/0x160
[ 26.477370]  ? preempt_count_sub+0x50/0x80
[ 26.477370]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.477370]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.477370]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.477370]  kthread+0x257/0x310
[ 26.477370]  ? __pfx_kthread+0x10/0x10
[ 26.477370]  ret_from_fork+0x41/0x80
[ 26.477370]  ? __pfx_kthread+0x10/0x10
[ 26.477370]  ret_from_fork_asm+0x1a/0x30
[ 26.477370]  </TASK>
[ 26.477370]
[ 26.477370] Allocated by task 209:
[ 26.477370]  kasan_save_stack+0x3d/0x60
[ 26.477370]  kasan_save_track+0x18/0x40
[ 26.477370]  kasan_save_alloc_info+0x3b/0x50
[ 26.477370]  __kasan_kmalloc+0xb7/0xc0
[ 26.477370]  __kmalloc_cache_noprof+0x184/0x410
[ 26.477370]  workqueue_uaf+0x153/0x560
[ 26.477370]  kunit_try_run_case+0x1b3/0x490
[ 26.477370]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.477370]  kthread+0x257/0x310
[ 26.477370]  ret_from_fork+0x41/0x80
[ 26.477370]  ret_from_fork_asm+0x1a/0x30
[ 26.477370]
[ 26.477370] Freed by task 44:
[ 26.477370]  kasan_save_stack+0x3d/0x60
[ 26.477370]  kasan_save_track+0x18/0x40
[ 26.477370]  kasan_save_free_info+0x3f/0x60
[ 26.477370]  __kasan_slab_free+0x56/0x70
[ 26.477370]  kfree+0x123/0x3f0
[ 26.477370]  workqueue_uaf_work+0x12/0x20
[ 26.477370]  process_one_work+0x5ee/0xf60
[ 26.477370]  worker_thread+0x720/0x1300
[ 26.477370]  kthread+0x257/0x310
[ 26.477370]  ret_from_fork+0x41/0x80
[ 26.477370]  ret_from_fork_asm+0x1a/0x30
[ 26.477370]
[ 26.477370] Last potentially related work creation:
[ 26.477370]  kasan_save_stack+0x3d/0x60
[ 26.477370]  __kasan_record_aux_stack+0xae/0xc0
[ 26.477370]  kasan_record_aux_stack_noalloc+0xf/0x20
[ 26.477370]  __queue_work+0x67e/0xf70
[ 26.477370]  queue_work_on+0x74/0xa0
[ 26.477370]  workqueue_uaf+0x26e/0x560
[ 26.477370]  kunit_try_run_case+0x1b3/0x490
[ 26.477370]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.477370]  kthread+0x257/0x310
[ 26.477370]  ret_from_fork+0x41/0x80
[ 26.477370]  ret_from_fork_asm+0x1a/0x30
[ 26.477370]
[ 26.477370] The buggy address belongs to the object at ffff88810293ae00
[ 26.477370]  which belongs to the cache kmalloc-32 of size 32
[ 26.477370] The buggy address is located 0 bytes inside of
[ 26.477370]  freed 32-byte region [ffff88810293ae00, ffff88810293ae20)
[ 26.477370]
[ 26.477370] The buggy address belongs to the physical page:
[ 26.477370] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10293a
[ 26.477370] flags: 0x200000000000000(node=0|zone=2)
[ 26.477370] page_type: f5(slab)
[ 26.477370] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 26.477370] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000
[ 26.477370] page dumped because: kasan: bad access detected
[ 26.477370]
[ 26.477370] Memory state around the buggy address:
[ 26.477370]  ffff88810293ad00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 26.477370]  ffff88810293ad80: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 26.477370] >ffff88810293ae00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.477370]                    ^
[ 26.477370]  ffff88810293ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.477370]  ffff88810293af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.477370] ==================================================================
```
qemu-x86_64:

```
[ 21.459691] ==================================================================
[ 21.461382] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d8/0x560
[ 21.462179] Read of size 8 at addr ffff8881028b8f00 by task kunit_try_catch/207
[ 21.462604]
[ 21.463511] CPU: 0 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 21.464382] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.464801] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.466286] Call Trace:
[ 21.466518]  <TASK>
[ 21.466785]  dump_stack_lvl+0x73/0xb0
[ 21.467104]  print_report+0xd1/0x640
[ 21.467394]  ? __virt_addr_valid+0x1db/0x2d0
[ 21.467724]  ? kasan_complete_mode_report_info+0x64/0x200
[ 21.468220]  kasan_report+0x102/0x140
[ 21.469182]  ? workqueue_uaf+0x4d8/0x560
[ 21.469690]  ? workqueue_uaf+0x4d8/0x560
[ 21.470329]  __asan_report_load8_noabort+0x18/0x20
[ 21.470897]  workqueue_uaf+0x4d8/0x560
[ 21.471464]  ? __pfx_workqueue_uaf+0x10/0x10
[ 21.471931]  ? __schedule+0xc3e/0x2790
[ 21.472523]  ? __pfx_read_tsc+0x10/0x10
[ 21.472893]  ? ktime_get_ts64+0x84/0x230
[ 21.473791]  kunit_try_run_case+0x1b3/0x490
[ 21.474410]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.474869]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 21.475569]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.476267]  ? __kthread_parkme+0x82/0x160
[ 21.476607]  ? preempt_count_sub+0x50/0x80
[ 21.477247]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.477729]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.478685]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.479116]  kthread+0x257/0x310
[ 21.479515]  ? __pfx_kthread+0x10/0x10
[ 21.479908]  ret_from_fork+0x41/0x80
[ 21.480250]  ? __pfx_kthread+0x10/0x10
[ 21.480874]  ret_from_fork_asm+0x1a/0x30
[ 21.481426]  </TASK>
[ 21.481775]
[ 21.482163] Allocated by task 207:
[ 21.482478]  kasan_save_stack+0x3d/0x60
[ 21.482827]  kasan_save_track+0x18/0x40
[ 21.483390]  kasan_save_alloc_info+0x3b/0x50
[ 21.483747]  __kasan_kmalloc+0xb7/0xc0
[ 21.484016]  __kmalloc_cache_noprof+0x184/0x410
[ 21.484301]  workqueue_uaf+0x153/0x560
[ 21.485351]  kunit_try_run_case+0x1b3/0x490
[ 21.485853]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.486552]  kthread+0x257/0x310
[ 21.487113]  ret_from_fork+0x41/0x80
[ 21.487532]  ret_from_fork_asm+0x1a/0x30
[ 21.488132]
[ 21.488316] Freed by task 8:
[ 21.488644]  kasan_save_stack+0x3d/0x60
[ 21.489508]  kasan_save_track+0x18/0x40
[ 21.489782]  kasan_save_free_info+0x3f/0x60
[ 21.490118]  __kasan_slab_free+0x56/0x70
[ 21.490720]  kfree+0x123/0x3f0
[ 21.491223]  workqueue_uaf_work+0x12/0x20
[ 21.491778]  process_one_work+0x5ee/0xf60
[ 21.493537]  worker_thread+0x720/0x1300
[ 21.493927]  kthread+0x257/0x310
[ 21.494240]  ret_from_fork+0x41/0x80
[ 21.494909]  ret_from_fork_asm+0x1a/0x30
[ 21.495416]
[ 21.495691] Last potentially related work creation:
[ 21.496053]  kasan_save_stack+0x3d/0x60
[ 21.496464]  __kasan_record_aux_stack+0xae/0xc0
[ 21.496861]  kasan_record_aux_stack_noalloc+0xf/0x20
[ 21.497278]  __queue_work+0x67e/0xf70
[ 21.497683]  queue_work_on+0x74/0xa0
[ 21.498131]  workqueue_uaf+0x26e/0x560
[ 21.498476]  kunit_try_run_case+0x1b3/0x490
[ 21.498786]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.499158]  kthread+0x257/0x310
[ 21.499618]  ret_from_fork+0x41/0x80
[ 21.500100]  ret_from_fork_asm+0x1a/0x30
[ 21.500532]
[ 21.500796] The buggy address belongs to the object at ffff8881028b8f00
[ 21.500796]  which belongs to the cache kmalloc-32 of size 32
[ 21.501842] The buggy address is located 0 bytes inside of
[ 21.501842]  freed 32-byte region [ffff8881028b8f00, ffff8881028b8f20)
[ 21.502730]
[ 21.502959] The buggy address belongs to the physical page:
[ 21.503532] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028b8
[ 21.503947] flags: 0x200000000000000(node=0|zone=2)
[ 21.504417] page_type: f5(slab)
[ 21.504908] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 21.505322] raw: 0000000000000000 0000000080400040 00000001f5000000 0000000000000000
[ 21.505985] page dumped because: kasan: bad access detected
[ 21.506349]
[ 21.506598] Memory state around the buggy address:
[ 21.507062]  ffff8881028b8e00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.507741]  ffff8881028b8e80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 21.508310] >ffff8881028b8f00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.508795]                    ^
[ 21.509138]  ffff8881028b8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.509993]  ffff8881028b9000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.510476] ==================================================================
```