Hay
Date: June 3, 2025, 7:38 a.m.

Environment: qemu-arm64, qemu-x86_64

[   18.670330] ==================================================================
[   18.670420] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   18.670503] Read of size 8 at addr fff00000c5933840 by task kunit_try_catch/200
[   18.670556] 
[   18.671081] CPU: 1 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT 
[   18.671487] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.671553] Hardware name: linux,dummy-virt (DT)
[   18.671614] Call trace:
[   18.671811]  show_stack+0x20/0x38 (C)
[   18.672076]  dump_stack_lvl+0x8c/0xd0
[   18.672135]  print_report+0x118/0x608
[   18.672326]  kasan_report+0xdc/0x128
[   18.672376]  __asan_report_load8_noabort+0x20/0x30
[   18.672516]  workqueue_uaf+0x480/0x4a8
[   18.672691]  kunit_try_run_case+0x170/0x3f0
[   18.672742]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.672797]  kthread+0x328/0x630
[   18.672848]  ret_from_fork+0x10/0x20
[   18.672900] 
[   18.673776] Allocated by task 200:
[   18.673912]  kasan_save_stack+0x3c/0x68
[   18.674240]  kasan_save_track+0x20/0x40
[   18.674281]  kasan_save_alloc_info+0x40/0x58
[   18.674318]  __kasan_kmalloc+0xd4/0xd8
[   18.674357]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.674550]  workqueue_uaf+0x13c/0x4a8
[   18.674595]  kunit_try_run_case+0x170/0x3f0
[   18.674634]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.674676]  kthread+0x328/0x630
[   18.674834]  ret_from_fork+0x10/0x20
[   18.674901] 
[   18.675016] Freed by task 47:
[   18.675219]  kasan_save_stack+0x3c/0x68
[   18.675266]  kasan_save_track+0x20/0x40
[   18.675302]  kasan_save_free_info+0x4c/0x78
[   18.675871]  __kasan_slab_free+0x6c/0x98
[   18.676193]  kfree+0x214/0x3c8
[   18.676241]  workqueue_uaf_work+0x18/0x30
[   18.676278]  process_one_work+0x530/0xf98
[   18.676317]  worker_thread+0x618/0xf38
[   18.676354]  kthread+0x328/0x630
[   18.676385]  ret_from_fork+0x10/0x20
[   18.676421] 
[   18.676454] Last potentially related work creation:
[   18.676481]  kasan_save_stack+0x3c/0x68
[   18.676520]  kasan_record_aux_stack+0xb4/0xc8
[   18.676557]  __queue_work+0x65c/0x1008
[   18.676592]  queue_work_on+0xbc/0xf8
[   18.676628]  workqueue_uaf+0x210/0x4a8
[   18.677348]  kunit_try_run_case+0x170/0x3f0
[   18.677649]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.677752]  kthread+0x328/0x630
[   18.678198]  ret_from_fork+0x10/0x20
[   18.678254] 
[   18.678275] The buggy address belongs to the object at fff00000c5933840
[   18.678275]  which belongs to the cache kmalloc-32 of size 32
[   18.678574] The buggy address is located 0 bytes inside of
[   18.678574]  freed 32-byte region [fff00000c5933840, fff00000c5933860)
[   18.678634] 
[   18.678655] The buggy address belongs to the physical page:
[   18.679257] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105933
[   18.679567] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.679626] page_type: f5(slab)
[   18.679670] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   18.680070] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   18.680339] page dumped because: kasan: bad access detected
[   18.680613] 
[   18.680904] Memory state around the buggy address:
[   18.680942]  fff00000c5933700: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   18.680987]  fff00000c5933780: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   18.681462] >fff00000c5933800: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   18.681508]                                            ^
[   18.681544]  fff00000c5933880: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.681597]  fff00000c5933900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.681729] ==================================================================


[   15.338717] ==================================================================
[   15.339155] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   15.339428] Read of size 8 at addr ffff8881033355c0 by task kunit_try_catch/217
[   15.340046] 
[   15.340406] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT(voluntary) 
[   15.340483] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.340499] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.340523] Call Trace:
[   15.340540]  <TASK>
[   15.340583]  dump_stack_lvl+0x73/0xb0
[   15.340622]  print_report+0xd1/0x650
[   15.340649]  ? __virt_addr_valid+0x1db/0x2d0
[   15.340677]  ? workqueue_uaf+0x4d6/0x560
[   15.340807]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.340835]  ? workqueue_uaf+0x4d6/0x560
[   15.340859]  kasan_report+0x141/0x180
[   15.340884]  ? workqueue_uaf+0x4d6/0x560
[   15.340913]  __asan_report_load8_noabort+0x18/0x20
[   15.340936]  workqueue_uaf+0x4d6/0x560
[   15.340960]  ? __pfx_workqueue_uaf+0x10/0x10
[   15.340985]  ? __schedule+0x10cc/0x2b60
[   15.341013]  ? __pfx_read_tsc+0x10/0x10
[   15.341040]  ? ktime_get_ts64+0x86/0x230
[   15.341069]  kunit_try_run_case+0x1a5/0x480
[   15.341093]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.341114]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.341140]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.341164]  ? __kthread_parkme+0x82/0x180
[   15.341211]  ? preempt_count_sub+0x50/0x80
[   15.341238]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.341260]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.341297]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.341321]  kthread+0x337/0x6f0
[   15.341343]  ? trace_preempt_on+0x20/0xc0
[   15.341368]  ? __pfx_kthread+0x10/0x10
[   15.341412]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.341436]  ? calculate_sigpending+0x7b/0xa0
[   15.341476]  ? __pfx_kthread+0x10/0x10
[   15.341501]  ret_from_fork+0x116/0x1d0
[   15.341522]  ? __pfx_kthread+0x10/0x10
[   15.341543]  ret_from_fork_asm+0x1a/0x30
[   15.341580]  </TASK>
[   15.341594] 
[   15.350474] Allocated by task 217:
[   15.350782]  kasan_save_stack+0x45/0x70
[   15.351241]  kasan_save_track+0x18/0x40
[   15.351545]  kasan_save_alloc_info+0x3b/0x50
[   15.352076]  __kasan_kmalloc+0xb7/0xc0
[   15.352477]  __kmalloc_cache_noprof+0x189/0x420
[   15.352971]  workqueue_uaf+0x152/0x560
[   15.353166]  kunit_try_run_case+0x1a5/0x480
[   15.353301]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.353541]  kthread+0x337/0x6f0
[   15.354129]  ret_from_fork+0x116/0x1d0
[   15.354569]  ret_from_fork_asm+0x1a/0x30
[   15.354960] 
[   15.355186] Freed by task 41:
[   15.355606]  kasan_save_stack+0x45/0x70
[   15.356026]  kasan_save_track+0x18/0x40
[   15.356534]  kasan_save_free_info+0x3f/0x60
[   15.356738]  __kasan_slab_free+0x56/0x70
[   15.357011]  kfree+0x222/0x3f0
[   15.357158]  workqueue_uaf_work+0x12/0x20
[   15.357489]  process_one_work+0x5ee/0xf60
[   15.358042]  worker_thread+0x758/0x1220
[   15.358464]  kthread+0x337/0x6f0
[   15.358780]  ret_from_fork+0x116/0x1d0
[   15.359154]  ret_from_fork_asm+0x1a/0x30
[   15.359310] 
[   15.359523] Last potentially related work creation:
[   15.359867]  kasan_save_stack+0x45/0x70
[   15.360507]  kasan_record_aux_stack+0xb2/0xc0
[   15.360864]  __queue_work+0x626/0xeb0
[   15.361170]  queue_work_on+0xb6/0xc0
[   15.361487]  workqueue_uaf+0x26d/0x560
[   15.361623]  kunit_try_run_case+0x1a5/0x480
[   15.361991]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.362332]  kthread+0x337/0x6f0
[   15.362576]  ret_from_fork+0x116/0x1d0
[   15.362774]  ret_from_fork_asm+0x1a/0x30
[   15.362981] 
[   15.363074] The buggy address belongs to the object at ffff8881033355c0
[   15.363074]  which belongs to the cache kmalloc-32 of size 32
[   15.364208] The buggy address is located 0 bytes inside of
[   15.364208]  freed 32-byte region [ffff8881033355c0, ffff8881033355e0)
[   15.365014] 
[   15.365086] The buggy address belongs to the physical page:
[   15.365758] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103335
[   15.366312] flags: 0x200000000000000(node=0|zone=2)
[   15.367060] page_type: f5(slab)
[   15.367473] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   15.368046] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   15.368253] page dumped because: kasan: bad access detected
[   15.368589] 
[   15.368828] Memory state around the buggy address:
[   15.369235]  ffff888103335480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   15.369739]  ffff888103335500: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[   15.369912] >ffff888103335580: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   15.370066]                                            ^
[   15.370196]  ffff888103335600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.370352]  ffff888103335680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.370549] ==================================================================