Date: Dec. 6, 2024, 3:11 p.m.

Environment: qemu-arm64

```text
[ 32.162372] ==================================================================
[ 32.163385] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 32.164305] Read of size 8 at addr fff00000c671a2c0 by task kunit_try_catch/189
[ 32.165480]
[ 32.165914] CPU: 0 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241206 #1
[ 32.168426] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.169097] Hardware name: linux,dummy-virt (DT)
[ 32.169692] Call trace:
[ 32.170152] show_stack+0x20/0x38 (C)
[ 32.171236] dump_stack_lvl+0x8c/0xd0
[ 32.171809] print_report+0x118/0x5e0
[ 32.172338] kasan_report+0xc8/0x118
[ 32.172995] __asan_report_load8_noabort+0x20/0x30
[ 32.173660] workqueue_uaf+0x480/0x4a8
[ 32.174611] kunit_try_run_case+0x14c/0x3d0
[ 32.175160] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.175989] kthread+0x24c/0x2d0
[ 32.176624] ret_from_fork+0x10/0x20
[ 32.177257]
[ 32.177636] Allocated by task 189:
[ 32.178218] kasan_save_stack+0x3c/0x68
[ 32.178854] kasan_save_track+0x20/0x40
[ 32.179407] kasan_save_alloc_info+0x40/0x58
[ 32.180130] __kasan_kmalloc+0xd4/0xd8
[ 32.180750] __kmalloc_cache_noprof+0x15c/0x3c0
[ 32.181431] workqueue_uaf+0x13c/0x4a8
[ 32.183010] kunit_try_run_case+0x14c/0x3d0
[ 32.183640] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.184809] kthread+0x24c/0x2d0
[ 32.185547] ret_from_fork+0x10/0x20
[ 32.186318]
[ 32.186985] Freed by task 49:
[ 32.187600] kasan_save_stack+0x3c/0x68
[ 32.188358] kasan_save_track+0x20/0x40
[ 32.188958] kasan_save_free_info+0x4c/0x78
[ 32.189615] __kasan_slab_free+0x6c/0x98
[ 32.190221] kfree+0x114/0x3c8
[ 32.190746] workqueue_uaf_work+0x18/0x30
[ 32.191274] process_one_work+0x530/0xf98
[ 32.192621] worker_thread+0x614/0xf28
[ 32.193442] kthread+0x24c/0x2d0
[ 32.194201] ret_from_fork+0x10/0x20
[ 32.194897]
[ 32.195351] Last potentially related work creation:
[ 32.196169] kasan_save_stack+0x3c/0x68
[ 32.196876] kasan_record_aux_stack+0xb4/0xc8
[ 32.197575] __queue_work+0x65c/0xfd8
[ 32.198137] queue_work_on+0xbc/0xf8
[ 32.199367] workqueue_uaf+0x210/0x4a8
[ 32.199906] kunit_try_run_case+0x14c/0x3d0
[ 32.200576] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.201264] kthread+0x24c/0x2d0
[ 32.202091] ret_from_fork+0x10/0x20
[ 32.203075]
[ 32.203431] The buggy address belongs to the object at fff00000c671a2c0
[ 32.203431] which belongs to the cache kmalloc-32 of size 32
[ 32.204626] The buggy address is located 0 bytes inside of
[ 32.204626] freed 32-byte region [fff00000c671a2c0, fff00000c671a2e0)
[ 32.205849]
[ 32.206153] The buggy address belongs to the physical page:
[ 32.207278] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10671a
[ 32.208764] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.209458] page_type: f5(slab)
[ 32.210042] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 32.211112] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 32.211968] page dumped because: kasan: bad access detected
[ 32.212995]
[ 32.213360] Memory state around the buggy address:
[ 32.213917] fff00000c671a180: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 32.215384] fff00000c671a200: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 32.216385] >fff00000c671a280: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.217221]                                            ^
[ 32.218050] fff00000c671a300: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.219004] fff00000c671a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.220160] ==================================================================
```

Environment: qemu-x86_64

```text
[ 24.919647] ==================================================================
[ 24.920600] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d8/0x560
[ 24.922373] Read of size 8 at addr ffff888102475240 by task kunit_try_catch/208
[ 24.923224]
[ 24.923676] CPU: 1 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241206 #1
[ 24.924819] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.925388] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.926973] Call Trace:
[ 24.927261] <TASK>
[ 24.927570] dump_stack_lvl+0x73/0xb0
[ 24.928073] print_report+0xd1/0x640
[ 24.928637] ? __virt_addr_valid+0x1db/0x2d0
[ 24.929124] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.930089] kasan_report+0x102/0x140
[ 24.930427] ? workqueue_uaf+0x4d8/0x560
[ 24.931024] ? workqueue_uaf+0x4d8/0x560
[ 24.931728] __asan_report_load8_noabort+0x18/0x20
[ 24.932115] workqueue_uaf+0x4d8/0x560
[ 24.932680] ? __pfx_workqueue_uaf+0x10/0x10
[ 24.933104] ? __schedule+0xc70/0x27e0
[ 24.933488] ? __pfx_read_tsc+0x10/0x10
[ 24.934026] ? ktime_get_ts64+0x86/0x230
[ 24.935385] kunit_try_run_case+0x1b3/0x490
[ 24.935826] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.936865] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 24.937676] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.938523] ? __kthread_parkme+0x82/0x160
[ 24.939392] ? preempt_count_sub+0x50/0x80
[ 24.939840] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.940311] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.940784] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.942362] kthread+0x257/0x310
[ 24.942999] ? __pfx_kthread+0x10/0x10
[ 24.943439] ret_from_fork+0x41/0x80
[ 24.944061] ? __pfx_kthread+0x10/0x10
[ 24.944456] ret_from_fork_asm+0x1a/0x30
[ 24.945066] </TASK>
[ 24.945409]
[ 24.945824] Allocated by task 208:
[ 24.946322] kasan_save_stack+0x3d/0x60
[ 24.947549] kasan_save_track+0x18/0x40
[ 24.948319] kasan_save_alloc_info+0x3b/0x50
[ 24.948822] __kasan_kmalloc+0xb7/0xc0
[ 24.949355] __kmalloc_cache_noprof+0x184/0x410
[ 24.950069] workqueue_uaf+0x153/0x560
[ 24.950431] kunit_try_run_case+0x1b3/0x490
[ 24.951165] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.951681] kthread+0x257/0x310
[ 24.952124] ret_from_fork+0x41/0x80
[ 24.952534] ret_from_fork_asm+0x1a/0x30
[ 24.952888]
[ 24.954081] Freed by task 26:
[ 24.954628] kasan_save_stack+0x3d/0x60
[ 24.955014] kasan_save_track+0x18/0x40
[ 24.955467] kasan_save_free_info+0x3f/0x60
[ 24.956048] __kasan_slab_free+0x56/0x70
[ 24.956723] kfree+0x123/0x3f0
[ 24.957128] workqueue_uaf_work+0x12/0x20
[ 24.958388] process_one_work+0x5ee/0xf60
[ 24.958832] worker_thread+0x720/0x1300
[ 24.959637] kthread+0x257/0x310
[ 24.959972] ret_from_fork+0x41/0x80
[ 24.960359] ret_from_fork_asm+0x1a/0x30
[ 24.960661]
[ 24.960913] Last potentially related work creation:
[ 24.961261] kasan_save_stack+0x3d/0x60
[ 24.961740] kasan_record_aux_stack+0xb2/0xc0
[ 24.962633] __queue_work+0x626/0xe60
[ 24.963051] queue_work_on+0x74/0xa0
[ 24.964777] workqueue_uaf+0x26e/0x560
[ 24.965410] kunit_try_run_case+0x1b3/0x490
[ 24.965858] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.966400] kthread+0x257/0x310
[ 24.966758] ret_from_fork+0x41/0x80
[ 24.967379] ret_from_fork_asm+0x1a/0x30
[ 24.967798]
[ 24.968026] The buggy address belongs to the object at ffff888102475240
[ 24.968026] which belongs to the cache kmalloc-32 of size 32
[ 24.971013] The buggy address is located 0 bytes inside of
[ 24.971013] freed 32-byte region [ffff888102475240, ffff888102475260)
[ 24.973149]
[ 24.973381] The buggy address belongs to the physical page:
[ 24.974220] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102475
[ 24.975001] flags: 0x200000000000000(node=0|zone=2)
[ 24.975737] page_type: f5(slab)
[ 24.976040] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 24.977503] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 24.978174] page dumped because: kasan: bad access detected
[ 24.978675]
[ 24.978840] Memory state around the buggy address:
[ 24.979740] ffff888102475100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 24.980440] ffff888102475180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 24.981402] >ffff888102475200: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 24.982156]                                            ^
[ 24.982822] ffff888102475280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.984077] ffff888102475300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.985139] ==================================================================
```