Date: May 30, 2025, 4:14 a.m.

| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
| x15 |
Environment: e850-96

```text
[ 33.091473] ==================================================================
[ 33.091629] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 33.095580] Read of size 8 at addr ffff000804990f80 by task kunit_try_catch/244
[ 33.102870]
[ 33.104357] CPU: 4 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 33.104411] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.104428] Hardware name: WinLink E850-96 board (DT)
[ 33.104448] Call trace:
[ 33.104465] show_stack+0x20/0x38 (C)
[ 33.104502] dump_stack_lvl+0x8c/0xd0
[ 33.104538] print_report+0x118/0x608
[ 33.104575] kasan_report+0xdc/0x128
[ 33.104607] __asan_report_load8_noabort+0x20/0x30
[ 33.104640] workqueue_uaf+0x480/0x4a8
[ 33.104671] kunit_try_run_case+0x170/0x3f0
[ 33.104711] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.104748] kthread+0x328/0x630
[ 33.104773] ret_from_fork+0x10/0x20
[ 33.104809]
[ 33.167626] Allocated by task 244:
[ 33.171015] kasan_save_stack+0x3c/0x68
[ 33.174831] kasan_save_track+0x20/0x40
[ 33.178652] kasan_save_alloc_info+0x40/0x58
[ 33.182904] __kasan_kmalloc+0xd4/0xd8
[ 33.186636] __kmalloc_cache_noprof+0x15c/0x3c0
[ 33.191150] workqueue_uaf+0x13c/0x4a8
[ 33.194883] kunit_try_run_case+0x170/0x3f0
[ 33.199049] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.204518] kthread+0x328/0x630
[ 33.207730] ret_from_fork+0x10/0x20
[ 33.211289]
[ 33.212763] Freed by task 118:
[ 33.215804] kasan_save_stack+0x3c/0x68
[ 33.219622] kasan_save_track+0x20/0x40
[ 33.223441] kasan_save_free_info+0x4c/0x78
[ 33.227608] __kasan_slab_free+0x6c/0x98
[ 33.231514] kfree+0x214/0x3c8
[ 33.234552] workqueue_uaf_work+0x18/0x30
[ 33.238545] process_one_work+0x530/0xf98
[ 33.242539] worker_thread+0x8ac/0xf28
[ 33.246271] kthread+0x328/0x630
[ 33.249483] ret_from_fork+0x10/0x20
[ 33.253042]
[ 33.254519] Last potentially related work creation:
[ 33.259380] kasan_save_stack+0x3c/0x68
[ 33.263198] kasan_record_aux_stack+0xb4/0xc8
[ 33.267538] __queue_work+0x65c/0x1010
[ 33.271271] queue_work_on+0xbc/0xf8
[ 33.274830] workqueue_uaf+0x210/0x4a8
[ 33.278562] kunit_try_run_case+0x170/0x3f0
[ 33.282728] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.288197] kthread+0x328/0x630
[ 33.291409] ret_from_fork+0x10/0x20
[ 33.294968]
[ 33.296445] The buggy address belongs to the object at ffff000804990f80
[ 33.296445] which belongs to the cache kmalloc-32 of size 32
[ 33.308770] The buggy address is located 0 bytes inside of
[ 33.308770] freed 32-byte region [ffff000804990f80, ffff000804990fa0)
[ 33.320749]
[ 33.322227] The buggy address belongs to the physical page:
[ 33.327785] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x884990
[ 33.335771] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.342278] page_type: f5(slab)
[ 33.345415] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 33.353133] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 33.360854] page dumped because: kasan: bad access detected
[ 33.366409]
[ 33.367883] Memory state around the buggy address:
[ 33.372665] ffff000804990e80: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[ 33.379866] ffff000804990f00: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[ 33.387071] >ffff000804990f80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.394272] ^
[ 33.397489] ffff000804991000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.404692] ffff000804991080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.411893] ==================================================================
```
Environment: qemu-arm64

```text
[ 25.643936] ==================================================================
[ 25.646072] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 25.646204] Read of size 8 at addr fff00000c77ed380 by task kunit_try_catch/201
[ 25.649478]
[ 25.649583] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 25.652175] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.652561] Hardware name: linux,dummy-virt (DT)
[ 25.652650] Call trace:
[ 25.652736] show_stack+0x20/0x38 (C)
[ 25.652889] dump_stack_lvl+0x8c/0xd0
[ 25.653021] print_report+0x118/0x608
[ 25.653763] kasan_report+0xdc/0x128
[ 25.653888] __asan_report_load8_noabort+0x20/0x30
[ 25.654011] workqueue_uaf+0x480/0x4a8
[ 25.654118] kunit_try_run_case+0x170/0x3f0
[ 25.654240] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.654364] kthread+0x328/0x630
[ 25.654468] ret_from_fork+0x10/0x20
[ 25.654579]
[ 25.654626] Allocated by task 201:
[ 25.654714] kasan_save_stack+0x3c/0x68
[ 25.654826] kasan_save_track+0x20/0x40
[ 25.655034] kasan_save_alloc_info+0x40/0x58
[ 25.655782] __kasan_kmalloc+0xd4/0xd8
[ 25.655902] __kmalloc_cache_noprof+0x15c/0x3c0
[ 25.656354] workqueue_uaf+0x13c/0x4a8
[ 25.656471] kunit_try_run_case+0x170/0x3f0
[ 25.656566] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.656671] kthread+0x328/0x630
[ 25.656773] ret_from_fork+0x10/0x20
[ 25.656856]
[ 25.656899] Freed by task 76:
[ 25.656966] kasan_save_stack+0x3c/0x68
[ 25.657811] kasan_save_track+0x20/0x40
[ 25.657911] kasan_save_free_info+0x4c/0x78
[ 25.658004] __kasan_slab_free+0x6c/0x98
[ 25.658099] kfree+0x214/0x3c8
[ 25.658210] workqueue_uaf_work+0x18/0x30
[ 25.658428] process_one_work+0x530/0xf98
[ 25.658565] worker_thread+0x8ac/0xf28
[ 25.658653] kthread+0x328/0x630
[ 25.658760] ret_from_fork+0x10/0x20
[ 25.658859]
[ 25.659000] Last potentially related work creation:
[ 25.659180] kasan_save_stack+0x3c/0x68
[ 25.659470] kasan_record_aux_stack+0xb4/0xc8
[ 25.659587] __queue_work+0x65c/0x1010
[ 25.659758] queue_work_on+0xbc/0xf8
[ 25.659865] workqueue_uaf+0x210/0x4a8
[ 25.659981] kunit_try_run_case+0x170/0x3f0
[ 25.660098] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.660222] kthread+0x328/0x630
[ 25.660568] ret_from_fork+0x10/0x20
[ 25.661029]
[ 25.661462] The buggy address belongs to the object at fff00000c77ed380
[ 25.661462] which belongs to the cache kmalloc-32 of size 32
[ 25.661611] The buggy address is located 0 bytes inside of
[ 25.661611] freed 32-byte region [fff00000c77ed380, fff00000c77ed3a0)
[ 25.661969]
[ 25.662056] The buggy address belongs to the physical page:
[ 25.662135] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077ed
[ 25.662271] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.662411] page_type: f5(slab)
[ 25.662719] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 25.662851] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 25.662953] page dumped because: kasan: bad access detected
[ 25.663035]
[ 25.663081] Memory state around the buggy address:
[ 25.663189] fff00000c77ed280: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 25.663310] fff00000c77ed300: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[ 25.663656] >fff00000c77ed380: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 25.664110] ^
[ 25.664189] fff00000c77ed400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.664298] fff00000c77ed480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.664406] ==================================================================
```
Environment: qemu-x86_64

```text
[ 19.294050] ==================================================================
[ 19.295070] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[ 19.296210] Read of size 8 at addr ffff888102b696c0 by task kunit_try_catch/217
[ 19.297572]
[ 19.298188] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 19.298269] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.298296] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.298326] Call Trace:
[ 19.298343] <TASK>
[ 19.298365] dump_stack_lvl+0x73/0xb0
[ 19.298405] print_report+0xd1/0x650
[ 19.298437] ? __virt_addr_valid+0x1db/0x2d0
[ 19.298469] ? workqueue_uaf+0x4d6/0x560
[ 19.298499] ? kasan_complete_mode_report_info+0x64/0x200
[ 19.298530] ? workqueue_uaf+0x4d6/0x560
[ 19.298560] kasan_report+0x141/0x180
[ 19.298590] ? workqueue_uaf+0x4d6/0x560
[ 19.298626] __asan_report_load8_noabort+0x18/0x20
[ 19.298655] workqueue_uaf+0x4d6/0x560
[ 19.298687] ? __pfx_workqueue_uaf+0x10/0x10
[ 19.298732] ? __schedule+0x10cc/0x2b60
[ 19.298785] ? __pfx_read_tsc+0x10/0x10
[ 19.298817] ? ktime_get_ts64+0x86/0x230
[ 19.298851] kunit_try_run_case+0x1a5/0x480
[ 19.298883] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.298910] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 19.298945] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.298979] ? __kthread_parkme+0x82/0x180
[ 19.299034] ? preempt_count_sub+0x50/0x80
[ 19.299067] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.299096] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.299131] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.299165] kthread+0x337/0x6f0
[ 19.299191] ? trace_preempt_on+0x20/0xc0
[ 19.299224] ? __pfx_kthread+0x10/0x10
[ 19.299253] ? _raw_spin_unlock_irq+0x47/0x80
[ 19.299285] ? calculate_sigpending+0x7b/0xa0
[ 19.299318] ? __pfx_kthread+0x10/0x10
[ 19.299347] ret_from_fork+0x116/0x1d0
[ 19.299371] ? __pfx_kthread+0x10/0x10
[ 19.299399] ret_from_fork_asm+0x1a/0x30
[ 19.299439] </TASK>
[ 19.299453]
[ 19.317874] Allocated by task 217:
[ 19.318376] kasan_save_stack+0x45/0x70
[ 19.318816] kasan_save_track+0x18/0x40
[ 19.319245] kasan_save_alloc_info+0x3b/0x50
[ 19.319664] __kasan_kmalloc+0xb7/0xc0
[ 19.320377] __kmalloc_cache_noprof+0x189/0x420
[ 19.320808] workqueue_uaf+0x152/0x560
[ 19.321665] kunit_try_run_case+0x1a5/0x480
[ 19.322150] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.322666] kthread+0x337/0x6f0
[ 19.323075] ret_from_fork+0x116/0x1d0
[ 19.323667] ret_from_fork_asm+0x1a/0x30
[ 19.324324]
[ 19.324636] Freed by task 9:
[ 19.325032] kasan_save_stack+0x45/0x70
[ 19.325608] kasan_save_track+0x18/0x40
[ 19.326145] kasan_save_free_info+0x3f/0x60
[ 19.327097] __kasan_slab_free+0x56/0x70
[ 19.327625] kfree+0x222/0x3f0
[ 19.327958] workqueue_uaf_work+0x12/0x20
[ 19.328663] process_one_work+0x5ee/0xf60
[ 19.330054] worker_thread+0x758/0x1220
[ 19.331145] kthread+0x337/0x6f0
[ 19.331431] ret_from_fork+0x116/0x1d0
[ 19.331730] ret_from_fork_asm+0x1a/0x30
[ 19.332066]
[ 19.332229] Last potentially related work creation:
[ 19.332573] kasan_save_stack+0x45/0x70
[ 19.332879] kasan_record_aux_stack+0xb2/0xc0
[ 19.334405] __queue_work+0x626/0xeb0
[ 19.335643] queue_work_on+0xb6/0xc0
[ 19.336353] workqueue_uaf+0x26d/0x560
[ 19.337463] kunit_try_run_case+0x1a5/0x480
[ 19.337952] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.338668] kthread+0x337/0x6f0
[ 19.339244] ret_from_fork+0x116/0x1d0
[ 19.340092] ret_from_fork_asm+0x1a/0x30
[ 19.340527]
[ 19.340965] The buggy address belongs to the object at ffff888102b696c0
[ 19.340965] which belongs to the cache kmalloc-32 of size 32
[ 19.343096] The buggy address is located 0 bytes inside of
[ 19.343096] freed 32-byte region [ffff888102b696c0, ffff888102b696e0)
[ 19.344065]
[ 19.344773] The buggy address belongs to the physical page:
[ 19.345844] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b69
[ 19.346926] flags: 0x200000000000000(node=0|zone=2)
[ 19.347625] page_type: f5(slab)
[ 19.348232] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 19.349193] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 19.349595] page dumped because: kasan: bad access detected
[ 19.349788]
[ 19.349873] Memory state around the buggy address:
[ 19.350249] ffff888102b69580: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[ 19.352113] ffff888102b69600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.353319] >ffff888102b69680: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.354118] ^
[ 19.355031] ffff888102b69700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.355533] ffff888102b69780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.356327] ==================================================================
```
Environment: x15

```text
[ 59.628509] ==================================================================
[ 59.638763] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x580/0x5b8
[ 59.645538] Read of size 4 at addr cc859080 by task kunit_try_catch/252
[ 59.652191]
[ 59.653686] CPU: 1 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 59.653717] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 59.653747] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 59.653747] Call trace:
[ 59.653747] unwind_backtrace from show_stack+0x18/0x1c
[ 59.653778] show_stack from dump_stack_lvl+0x70/0x90
[ 59.653808] dump_stack_lvl from print_report+0x158/0x528
[ 59.653839] print_report from kasan_report+0xdc/0x118
[ 59.653869] kasan_report from workqueue_uaf+0x580/0x5b8
[ 59.653869] workqueue_uaf from kunit_try_run_case+0x22c/0x5a8
[ 59.653900] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 59.653930] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 59.653961] kthread from ret_from_fork+0x14/0x20
[ 59.653991] Exception stack(0xf181bfb0 to 0xf181bff8)
[ 59.653991] bfa0: 00000000 00000000 00000000 00000000
[ 59.654022] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 59.654022] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 59.654052]
[ 59.759094] Allocated by task 252:
[ 59.762512] kasan_save_track+0x30/0x5c
[ 59.766387] __kasan_kmalloc+0x8c/0x94
[ 59.770172] workqueue_uaf+0x184/0x5b8
[ 59.773925] kunit_try_run_case+0x22c/0x5a8
[ 59.778167] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 59.783691] kthread+0x464/0x810
[ 59.786926] ret_from_fork+0x14/0x20
[ 59.790557]
[ 59.792053] Freed by task 81:
[ 59.795043] kasan_save_track+0x30/0x5c
[ 59.798889] kasan_save_free_info+0x3c/0x48
[ 59.803131] __kasan_slab_free+0x40/0x50
[ 59.807067] kfree+0xe8/0x384
[ 59.810058] process_one_work+0x7dc/0x1304
[ 59.814208] worker_thread+0xb98/0x1658
[ 59.818084] kthread+0x464/0x810
[ 59.821319] ret_from_fork+0x14/0x20
[ 59.824920]
[ 59.826446] Last potentially related work creation:
[ 59.831329] kasan_save_stack+0x30/0x4c
[ 59.835205] kasan_record_aux_stack+0x80/0x88
[ 59.839599] __queue_work+0x878/0x1780
[ 59.843383] queue_work_on+0xbc/0xc0
[ 59.846984] workqueue_uaf+0x2e4/0x5b8
[ 59.850769] kunit_try_run_case+0x22c/0x5a8
[ 59.854980] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 59.860504] kthread+0x464/0x810
[ 59.863769] ret_from_fork+0x14/0x20
[ 59.867370]
[ 59.868865] The buggy address belongs to the object at cc859080
[ 59.868865] which belongs to the cache kmalloc-64 of size 64
[ 59.880615] The buggy address is located 0 bytes inside of
[ 59.880615] freed 64-byte region [cc859080, cc8590c0)
[ 59.891265]
[ 59.892791] The buggy address belongs to the physical page:
[ 59.898376] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c859
[ 59.905670] flags: 0x0(zone=0)
[ 59.908752] page_type: f5(slab)
[ 59.911926] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[ 59.920043] raw: 00000000
[ 59.922698] page dumped because: kasan: bad access detected
[ 59.928314]
[ 59.929809] Memory state around the buggy address:
[ 59.934631] cc858f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.941192] cc859000: 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.947784] >cc859080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 59.954345] ^
[ 59.956878] cc859100: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.963470] cc859180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.970031] ==================================================================
```