Date
May 15, 2025, 10:38 a.m.
| Environment |
|---|
| e850-96 |
```text
[ 33.029418] ==================================================================
[ 33.036595] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 33.043278] Read of size 8 at addr ffff000800e21a00 by task kunit_try_catch/245
[ 33.050567]
[ 33.052053] CPU: 7 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 33.052113] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.052127] Hardware name: WinLink E850-96 board (DT)
[ 33.052144] Call trace:
[ 33.052157]  show_stack+0x20/0x38 (C)
[ 33.052193]  dump_stack_lvl+0x8c/0xd0
[ 33.052224]  print_report+0x118/0x608
[ 33.052256]  kasan_report+0xdc/0x128
[ 33.052286]  __asan_report_load8_noabort+0x20/0x30
[ 33.052324]  workqueue_uaf+0x480/0x4a8
[ 33.052352]  kunit_try_run_case+0x170/0x3f0
[ 33.052386]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.052421]  kthread+0x328/0x630
[ 33.052455]  ret_from_fork+0x10/0x20
[ 33.052490]
[ 33.115669] Allocated by task 245:
[ 33.119058]  kasan_save_stack+0x3c/0x68
[ 33.122874]  kasan_save_track+0x20/0x40
[ 33.126693]  kasan_save_alloc_info+0x40/0x58
[ 33.130947]  __kasan_kmalloc+0xd4/0xd8
[ 33.134679]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 33.139193]  workqueue_uaf+0x13c/0x4a8
[ 33.142925]  kunit_try_run_case+0x170/0x3f0
[ 33.147092]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.152561]  kthread+0x328/0x630
[ 33.155772]  ret_from_fork+0x10/0x20
[ 33.159332]
[ 33.160808] Freed by task 84:
[ 33.163760]  kasan_save_stack+0x3c/0x68
[ 33.167578]  kasan_save_track+0x20/0x40
[ 33.171397]  kasan_save_free_info+0x4c/0x78
[ 33.175564]  __kasan_slab_free+0x6c/0x98
[ 33.179470]  kfree+0x214/0x3c8
[ 33.182508]  workqueue_uaf_work+0x18/0x30
[ 33.186501]  process_one_work+0x530/0xf98
[ 33.190494]  worker_thread+0x8ac/0xf28
[ 33.194227]  kthread+0x328/0x630
[ 33.197439]  ret_from_fork+0x10/0x20
[ 33.200998]
[ 33.202475] Last potentially related work creation:
[ 33.207336]  kasan_save_stack+0x3c/0x68
[ 33.211154]  kasan_record_aux_stack+0xb4/0xc8
[ 33.215494]  __queue_work+0x65c/0x1010
[ 33.219226]  queue_work_on+0xbc/0xf8
[ 33.222785]  workqueue_uaf+0x210/0x4a8
[ 33.226518]  kunit_try_run_case+0x170/0x3f0
[ 33.230684]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.236153]  kthread+0x328/0x630
[ 33.239365]  ret_from_fork+0x10/0x20
[ 33.242924]
[ 33.244401] The buggy address belongs to the object at ffff000800e21a00
[ 33.244401]  which belongs to the cache kmalloc-32 of size 32
[ 33.256728] The buggy address is located 0 bytes inside of
[ 33.256728]  freed 32-byte region [ffff000800e21a00, ffff000800e21a20)
[ 33.268705]
[ 33.270184] The buggy address belongs to the physical page:
[ 33.275740] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880e21
[ 33.283725] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.290234] page_type: f5(slab)
[ 33.293372] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 33.301091] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 33.308810] page dumped because: kasan: bad access detected
[ 33.314364]
[ 33.315839] Memory state around the buggy address:
[ 33.320622]  ffff000800e21900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 33.327822]  ffff000800e21980: fa fb fb fb fc fc fc fc 00 00 00 07 fc fc fc fc
[ 33.335027] >ffff000800e21a00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.342228]                    ^
[ 33.345444]  ffff000800e21a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.352649]  ffff000800e21b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.359851] ==================================================================
```