Hay
Date
March 19, 2025, 10:35 a.m.

Environment
qemu-arm64
qemu-x86_64
Note: both reports below come from the KASAN KUnit self-test `workqueue_uaf` (reporting task `kunit_try_catch`, kernel tainted `[N]=TEST`, build 6.14.0-rc7-next-20250319): the 32-byte object is kfree'd by a workqueue worker in `workqueue_uaf_work` and then read back by the test thread, so the slab-use-after-free is the detection KASAN is expected to produce, not evidence of a defect in the workqueue code. The KUnit pass/fail verdict for the case is not included on this page and should be checked in the test summary.

[   35.073664] ==================================================================
[   35.074110] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   35.074282] Read of size 8 at addr fff00000c5d93440 by task kunit_try_catch/202
[   35.074455] 
[   35.074564] CPU: 1 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N  6.14.0-rc7-next-20250319 #1 PREEMPT 
[   35.074846] Tainted: [B]=BAD_PAGE, [N]=TEST
[   35.074939] Hardware name: linux,dummy-virt (DT)
[   35.075034] Call trace:
[   35.075119]  show_stack+0x20/0x38 (C)
[   35.075273]  dump_stack_lvl+0x8c/0xd0
[   35.075425]  print_report+0x118/0x5f0
[   35.075566]  kasan_report+0xc8/0x118
[   35.076085]  __asan_report_load8_noabort+0x20/0x30
[   35.077104]  workqueue_uaf+0x480/0x4a8
[   35.077289]  kunit_try_run_case+0x14c/0x3d0
[   35.077449]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.077615]  kthread+0x318/0x618
[   35.077774]  ret_from_fork+0x10/0x20
[   35.078158] 
[   35.078280] Allocated by task 202:
[   35.078624]  kasan_save_stack+0x3c/0x68
[   35.079358]  kasan_save_track+0x20/0x40
[   35.079520]  kasan_save_alloc_info+0x40/0x58
[   35.079739]  __kasan_kmalloc+0xd4/0xd8
[   35.079873]  __kmalloc_cache_noprof+0x15c/0x3c0
[   35.080016]  workqueue_uaf+0x13c/0x4a8
[   35.080158]  kunit_try_run_case+0x14c/0x3d0
[   35.080290]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.080511]  kthread+0x318/0x618
[   35.080722]  ret_from_fork+0x10/0x20
[   35.080943] 
[   35.081018] Freed by task 50:
[   35.081148]  kasan_save_stack+0x3c/0x68
[   35.081963]  kasan_save_track+0x20/0x40
[   35.082485]  kasan_save_free_info+0x4c/0x78
[   35.083138]  __kasan_slab_free+0x6c/0x98
[   35.083339]  kfree+0x214/0x3c8
[   35.084395]  workqueue_uaf_work+0x18/0x30
[   35.085797]  process_one_work+0x530/0xf98
[   35.086722]  worker_thread+0x644/0xf48
[   35.086799]  kthread+0x318/0x618
[   35.086859]  ret_from_fork+0x10/0x20
[   35.087030] 
[   35.087117] Last potentially related work creation:
[   35.087217]  kasan_save_stack+0x3c/0x68
[   35.087614]  kasan_record_aux_stack+0xb4/0xc8
[   35.087749]  __queue_work+0x65c/0x1018
[   35.087867]  queue_work_on+0xbc/0xf8
[   35.087983]  workqueue_uaf+0x210/0x4a8
[   35.088120]  kunit_try_run_case+0x14c/0x3d0
[   35.088307]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.088913]  kthread+0x318/0x618
[   35.089192]  ret_from_fork+0x10/0x20
[   35.089580] 
[   35.089635] The buggy address belongs to the object at fff00000c5d93440
[   35.089635]  which belongs to the cache kmalloc-32 of size 32
[   35.089741] The buggy address is located 0 bytes inside of
[   35.089741]  freed 32-byte region [fff00000c5d93440, fff00000c5d93460)
[   35.089841] 
[   35.089875] The buggy address belongs to the physical page:
[   35.089929] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105d93
[   35.090015] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   35.090157] page_type: f5(slab)
[   35.090645] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   35.090872] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   35.091093] page dumped because: kasan: bad access detected
[   35.091259] 
[   35.091321] Memory state around the buggy address:
[   35.091432]  fff00000c5d93300: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   35.091599]  fff00000c5d93380: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   35.091747] >fff00000c5d93400: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   35.091880]                                            ^
[   35.091993]  fff00000c5d93480: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.092146]  fff00000c5d93500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.092270] ==================================================================

[   22.843828] ==================================================================
[   22.844674] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   22.845303] Read of size 8 at addr ffff88810321af00 by task kunit_try_catch/221
[   22.846012] 
[   22.847014] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G    B            N  6.14.0-rc7-next-20250319 #1 PREEMPT(voluntary) 
[   22.847173] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.847209] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.847264] Call Trace:
[   22.847297]  <TASK>
[   22.847336]  dump_stack_lvl+0x73/0xb0
[   22.847419]  print_report+0xd1/0x660
[   22.847481]  ? __virt_addr_valid+0x1db/0x2d0
[   22.847632]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.847959]  kasan_report+0x104/0x140
[   22.848035]  ? workqueue_uaf+0x4d6/0x560
[   22.848075]  ? workqueue_uaf+0x4d6/0x560
[   22.848138]  __asan_report_load8_noabort+0x18/0x20
[   22.848172]  workqueue_uaf+0x4d6/0x560
[   22.848206]  ? __pfx_workqueue_uaf+0x10/0x10
[   22.848239]  ? __schedule+0xd46/0x29c0
[   22.848272]  ? __pfx_read_tsc+0x10/0x10
[   22.848303]  ? ktime_get_ts64+0x86/0x240
[   22.848342]  kunit_try_run_case+0x1b2/0x490
[   22.848379]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.848411]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.848441]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.848472]  ? __kthread_parkme+0x82/0x160
[   22.848503]  ? preempt_count_sub+0x50/0x80
[   22.848539]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.848572]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.848604]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.848637]  kthread+0x323/0x710
[   22.848665]  ? calculate_sigpending+0x7b/0xa0
[   22.848881]  ? trace_preempt_on+0x20/0xc0
[   22.848923]  ? __pfx_kthread+0x10/0x10
[   22.848955]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.848985]  ? calculate_sigpending+0x7b/0xa0
[   22.849015]  ? __pfx_kthread+0x10/0x10
[   22.849047]  ret_from_fork+0x41/0x80
[   22.849080]  ? __pfx_kthread+0x10/0x10
[   22.849128]  ret_from_fork_asm+0x1a/0x30
[   22.849177]  </TASK>
[   22.849193] 
[   22.875537] Allocated by task 221:
[   22.876337]  kasan_save_stack+0x3d/0x60
[   22.876622]  kasan_save_track+0x18/0x40
[   22.877225]  kasan_save_alloc_info+0x3b/0x50
[   22.877861]  __kasan_kmalloc+0xb7/0xc0
[   22.878365]  __kmalloc_cache_noprof+0x183/0x410
[   22.879086]  workqueue_uaf+0x152/0x560
[   22.879554]  kunit_try_run_case+0x1b2/0x490
[   22.880430]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.881230]  kthread+0x323/0x710
[   22.881582]  ret_from_fork+0x41/0x80
[   22.882165]  ret_from_fork_asm+0x1a/0x30
[   22.882585] 
[   22.883089] Freed by task 24:
[   22.883436]  kasan_save_stack+0x3d/0x60
[   22.884255]  kasan_save_track+0x18/0x40
[   22.884728]  kasan_save_free_info+0x3f/0x60
[   22.885201]  __kasan_slab_free+0x56/0x70
[   22.885570]  kfree+0x222/0x3f0
[   22.885943]  workqueue_uaf_work+0x12/0x20
[   22.886599]  process_one_work+0x5fe/0xf80
[   22.887174]  worker_thread+0x703/0x12a0
[   22.887624]  kthread+0x323/0x710
[   22.888482]  ret_from_fork+0x41/0x80
[   22.889140]  ret_from_fork_asm+0x1a/0x30
[   22.889566] 
[   22.889932] Last potentially related work creation:
[   22.890444]  kasan_save_stack+0x3d/0x60
[   22.891155]  kasan_record_aux_stack+0xb2/0xc0
[   22.891582]  __queue_work+0x626/0xf50
[   22.892426]  queue_work_on+0xb6/0xc0
[   22.893049]  workqueue_uaf+0x26d/0x560
[   22.893485]  kunit_try_run_case+0x1b2/0x490
[   22.894106]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.894627]  kthread+0x323/0x710
[   22.895255]  ret_from_fork+0x41/0x80
[   22.895691]  ret_from_fork_asm+0x1a/0x30
[   22.896601] 
[   22.897022] The buggy address belongs to the object at ffff88810321af00
[   22.897022]  which belongs to the cache kmalloc-32 of size 32
[   22.897910] The buggy address is located 0 bytes inside of
[   22.897910]  freed 32-byte region [ffff88810321af00, ffff88810321af20)
[   22.899073] 
[   22.899374] The buggy address belongs to the physical page:
[   22.900254] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10321a
[   22.901130] flags: 0x200000000000000(node=0|zone=2)
[   22.901649] page_type: f5(slab)
[   22.902268] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   22.903039] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   22.904087] page dumped because: kasan: bad access detected
[   22.904517] 
[   22.904947] Memory state around the buggy address:
[   22.905400]  ffff88810321ae00: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   22.906218]  ffff88810321ae80: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   22.906967] >ffff88810321af00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   22.907630]                    ^
[   22.908452]  ffff88810321af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.909233]  ffff88810321b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.910012] ==================================================================