Date
June 24, 2025, 11:37 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

```text
[   43.035976] ==================================================================
[   43.046314] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   43.053115] Read of size 8 at addr ffff000088dd2480 by task kunit_try_catch/298
[   43.060520]
[   43.062055] CPU: 1 UID: 0 PID: 298 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[   43.062085] Tainted: [B]=BAD_PAGE, [N]=TEST
[   43.062095] Hardware name: Thundercomm Dragonboard 845c (DT)
[   43.062108] Call trace:
[   43.062116]  show_stack+0x20/0x38 (C)
[   43.062135]  dump_stack_lvl+0x8c/0xd0
[   43.062156]  print_report+0x118/0x608
[   43.062177]  kasan_report+0xdc/0x128
[   43.062196]  __asan_report_load8_noabort+0x20/0x30
[   43.062216]  workqueue_uaf+0x480/0x4a8
[   43.062234]  kunit_try_run_case+0x170/0x3f0
[   43.062256]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.062278]  kthread+0x328/0x630
[   43.062293]  ret_from_fork+0x10/0x20
[   43.062311]
[   43.127591] Allocated by task 298:
[   43.131054]  kasan_save_stack+0x3c/0x68
[   43.134964]  kasan_save_track+0x20/0x40
[   43.138874]  kasan_save_alloc_info+0x40/0x58
[   43.143219]  __kasan_kmalloc+0xd4/0xd8
[   43.147033]  __kmalloc_cache_noprof+0x16c/0x3c0
[   43.151639]  workqueue_uaf+0x13c/0x4a8
[   43.155450]  kunit_try_run_case+0x170/0x3f0
[   43.159702]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.165277]  kthread+0x328/0x630
[   43.168568]  ret_from_fork+0x10/0x20
[   43.172207]
[   43.173737] Freed by task 63:
[   43.176764]  kasan_save_stack+0x3c/0x68
[   43.180673]  kasan_save_track+0x20/0x40
[   43.184583]  kasan_save_free_info+0x4c/0x78
[   43.188833]  __kasan_slab_free+0x6c/0x98
[   43.192831]  kfree+0x214/0x3c8
[   43.195949]  workqueue_uaf_work+0x18/0x30
[   43.200031]  process_one_work+0x530/0xf98
[   43.204116]  worker_thread+0x618/0xf38
[   43.207936]  kthread+0x328/0x630
[   43.211230]  ret_from_fork+0x10/0x20
[   43.214871]
[   43.216406] Last potentially related work creation:
[   43.221353]  kasan_save_stack+0x3c/0x68
[   43.225265]  kasan_record_aux_stack+0xb4/0xc8
[   43.229691]  __queue_work+0x65c/0xfe0
[   43.233415]  queue_work_on+0xbc/0xf8
[   43.237054]  workqueue_uaf+0x210/0x4a8
[   43.240875]  kunit_try_run_case+0x170/0x3f0
[   43.245130]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.250705]  kthread+0x328/0x630
[   43.253995]  ret_from_fork+0x10/0x20
[   43.257635]
[   43.259163] The buggy address belongs to the object at ffff000088dd2480
[   43.259163]  which belongs to the cache kmalloc-32 of size 32
[   43.271653] The buggy address is located 0 bytes inside of
[   43.271653]  freed 32-byte region [ffff000088dd2480, ffff000088dd24a0)
[   43.283791]
[   43.285320] The buggy address belongs to the physical page:
[   43.290971] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108dd2
[   43.299085] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   43.305698] page_type: f5(slab)
[   43.308902] raw: 0bfffe0000000000 ffff000080002780 dead000000000100 dead000000000122
[   43.316747] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   43.324589] page dumped because: kasan: bad access detected
[   43.330240]
[   43.331776] Memory state around the buggy address:
[   43.336640]  ffff000088dd2380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   43.343954]  ffff000088dd2400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   43.351271] >ffff000088dd2480: fa fb fb fb fc fc fc fc 00 00 00 07 fc fc fc fc
[   43.358587]                    ^
[   43.361876]  ffff000088dd2500: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   43.369191]  ffff000088dd2580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   43.376512] ==================================================================
```
qemu-arm64:

```text
[   33.609727] ==================================================================
[   33.609875] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   33.610022] Read of size 8 at addr fff00000c77385c0 by task kunit_try_catch/211
[   33.610138]
[   33.610220] CPU: 0 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[   33.610443] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.610511] Hardware name: linux,dummy-virt (DT)
[   33.610587] Call trace:
[   33.610644]  show_stack+0x20/0x38 (C)
[   33.614081]  dump_stack_lvl+0x8c/0xd0
[   33.614222]  print_report+0x118/0x608
[   33.614367]  kasan_report+0xdc/0x128
[   33.615322]  __asan_report_load8_noabort+0x20/0x30
[   33.615627]  workqueue_uaf+0x480/0x4a8
[   33.615848]  kunit_try_run_case+0x170/0x3f0
[   33.616563]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.616732]  kthread+0x328/0x630
[   33.616930]  ret_from_fork+0x10/0x20
[   33.617354]
[   33.617532] Allocated by task 211:
[   33.617617]  kasan_save_stack+0x3c/0x68
[   33.618010]  kasan_save_track+0x20/0x40
[   33.618138]  kasan_save_alloc_info+0x40/0x58
[   33.618240]  __kasan_kmalloc+0xd4/0xd8
[   33.618706]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.619171]  workqueue_uaf+0x13c/0x4a8
[   33.619290]  kunit_try_run_case+0x170/0x3f0
[   33.619398]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.619516]  kthread+0x328/0x630
[   33.619827]  ret_from_fork+0x10/0x20
[   33.620174]
[   33.620292] Freed by task 75:
[   33.620398]  kasan_save_stack+0x3c/0x68
[   33.620535]  kasan_save_track+0x20/0x40
[   33.620656]  kasan_save_free_info+0x4c/0x78
[   33.620752]  __kasan_slab_free+0x6c/0x98
[   33.620878]  kfree+0x214/0x3c8
[   33.621134]  workqueue_uaf_work+0x18/0x30
[   33.621250]  process_one_work+0x530/0xf98
[   33.621468]  worker_thread+0x618/0xf38
[   33.621609]  kthread+0x328/0x630
[   33.621836]  ret_from_fork+0x10/0x20
[   33.622165]
[   33.622222] Last potentially related work creation:
[   33.622260]  kasan_save_stack+0x3c/0x68
[   33.622375]  kasan_record_aux_stack+0xb4/0xc8
[   33.622437]  __queue_work+0x65c/0xfe0
[   33.622481]  queue_work_on+0xbc/0xf8
[   33.622525]  workqueue_uaf+0x210/0x4a8
[   33.622568]  kunit_try_run_case+0x170/0x3f0
[   33.622615]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.622672]  kthread+0x328/0x630
[   33.622711]  ret_from_fork+0x10/0x20
[   33.622756]
[   33.622779] The buggy address belongs to the object at fff00000c77385c0
[   33.622779]  which belongs to the cache kmalloc-32 of size 32
[   33.622850] The buggy address is located 0 bytes inside of
[   33.622850]  freed 32-byte region [fff00000c77385c0, fff00000c77385e0)
[   33.623162]
[   33.623214] The buggy address belongs to the physical page:
[   33.623286] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107738
[   33.623468] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.623623] page_type: f5(slab)
[   33.623717] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   33.623838] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   33.623954] page dumped because: kasan: bad access detected
[   33.624078]
[   33.624164] Memory state around the buggy address:
[   33.624250]  fff00000c7738480: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   33.624405]  fff00000c7738500: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   33.624657] >fff00000c7738580: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   33.624882]                                            ^
[   33.625009]  fff00000c7738600: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.625129]  fff00000c7738680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.625235] ==================================================================
```
qemu-x86_64:

```text
[   29.910158] ==================================================================
[   29.911882] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   29.912651] Read of size 8 at addr ffff888102de1400 by task kunit_try_catch/230
[   29.913351]
[   29.913605] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[   29.913720] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.913750] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   29.913792] Call Trace:
[   29.913822]  <TASK>
[   29.913861]  dump_stack_lvl+0x73/0xb0
[   29.913938]  print_report+0xd1/0x650
[   29.913990]  ? __virt_addr_valid+0x1db/0x2d0
[   29.914054]  ? workqueue_uaf+0x4d6/0x560
[   29.914103]  ? kasan_complete_mode_report_info+0x64/0x200
[   29.914171]  ? workqueue_uaf+0x4d6/0x560
[   29.914288]  kasan_report+0x141/0x180
[   29.914349]  ? workqueue_uaf+0x4d6/0x560
[   29.914418]  __asan_report_load8_noabort+0x18/0x20
[   29.914481]  workqueue_uaf+0x4d6/0x560
[   29.914597]  ? __pfx_workqueue_uaf+0x10/0x10
[   29.914662]  ? __schedule+0x10cc/0x2b60
[   29.914723]  ? __pfx_read_tsc+0x10/0x10
[   29.914778]  ? ktime_get_ts64+0x86/0x230
[   29.914847]  kunit_try_run_case+0x1a5/0x480
[   29.914919]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.914981]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   29.915047]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   29.915114]  ? __kthread_parkme+0x82/0x180
[   29.915174]  ? preempt_count_sub+0x50/0x80
[   29.915234]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.915299]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.915365]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   29.915433]  kthread+0x337/0x6f0
[   29.915487]  ? trace_preempt_on+0x20/0xc0
[   29.915568]  ? __pfx_kthread+0x10/0x10
[   29.915612]  ? _raw_spin_unlock_irq+0x47/0x80
[   29.915662]  ? calculate_sigpending+0x7b/0xa0
[   29.915748]  ? __pfx_kthread+0x10/0x10
[   29.915793]  ret_from_fork+0x116/0x1d0
[   29.915835]  ? __pfx_kthread+0x10/0x10
[   29.915864]  ret_from_fork_asm+0x1a/0x30
[   29.915906]  </TASK>
[   29.915921]
[   29.933176] Allocated by task 230:
[   29.933732]  kasan_save_stack+0x45/0x70
[   29.934325]  kasan_save_track+0x18/0x40
[   29.934673]  kasan_save_alloc_info+0x3b/0x50
[   29.935719]  __kasan_kmalloc+0xb7/0xc0
[   29.936238]  __kmalloc_cache_noprof+0x189/0x420
[   29.936773]  workqueue_uaf+0x152/0x560
[   29.937198]  kunit_try_run_case+0x1a5/0x480
[   29.937628]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.938303]  kthread+0x337/0x6f0
[   29.938594]  ret_from_fork+0x116/0x1d0
[   29.939049]  ret_from_fork_asm+0x1a/0x30
[   29.939383]
[   29.939603] Freed by task 9:
[   29.940099]  kasan_save_stack+0x45/0x70
[   29.940926]  kasan_save_track+0x18/0x40
[   29.941457]  kasan_save_free_info+0x3f/0x60
[   29.941890]  __kasan_slab_free+0x56/0x70
[   29.942444]  kfree+0x222/0x3f0
[   29.942822]  workqueue_uaf_work+0x12/0x20
[   29.943243]  process_one_work+0x5ee/0xf60
[   29.943759]  worker_thread+0x758/0x1220
[   29.944312]  kthread+0x337/0x6f0
[   29.944578]  ret_from_fork+0x116/0x1d0
[   29.945022]  ret_from_fork_asm+0x1a/0x30
[   29.945628]
[   29.945834] Last potentially related work creation:
[   29.946161]  kasan_save_stack+0x45/0x70
[   29.947209]  kasan_record_aux_stack+0xb2/0xc0
[   29.947701]  __queue_work+0x61a/0xe70
[   29.948030]  queue_work_on+0xb6/0xc0
[   29.948522]  workqueue_uaf+0x26d/0x560
[   29.948950]  kunit_try_run_case+0x1a5/0x480
[   29.949437]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.950173]  kthread+0x337/0x6f0
[   29.950829]  ret_from_fork+0x116/0x1d0
[   29.951306]  ret_from_fork_asm+0x1a/0x30
[   29.951650]
[   29.951892] The buggy address belongs to the object at ffff888102de1400
[   29.951892]  which belongs to the cache kmalloc-32 of size 32
[   29.952875] The buggy address is located 0 bytes inside of
[   29.952875]  freed 32-byte region [ffff888102de1400, ffff888102de1420)
[   29.953851]
[   29.954085] The buggy address belongs to the physical page:
[   29.954787] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102de1
[   29.955535] flags: 0x200000000000000(node=0|zone=2)
[   29.956313] page_type: f5(slab)
[   29.956621] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   29.957598] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   29.958597] page dumped because: kasan: bad access detected
[   29.958845]
[   29.959079] Memory state around the buggy address:
[   29.959586]  ffff888102de1300: 00 00 05 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   29.960277]  ffff888102de1380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.961081] >ffff888102de1400: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   29.961580]                    ^
[   29.962196]  ffff888102de1480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.962894]  ffff888102de1500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.963507] ==================================================================
```