Hay
Sign in
Date
July 8, 2025, 11:10 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   31.468260] ==================================================================
[   31.468424] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   31.468512] Read of size 8 at addr fff00000c9aa7940 by task kunit_try_catch/231
[   31.468564] 
[   31.468650] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT 
[   31.468740] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.468794] Hardware name: linux,dummy-virt (DT)
[   31.468853] Call trace:
[   31.468932]  show_stack+0x20/0x38 (C)
[   31.469003]  dump_stack_lvl+0x8c/0xd0
[   31.469052]  print_report+0x118/0x5d0
[   31.469100]  kasan_report+0xdc/0x128
[   31.469146]  __asan_report_load8_noabort+0x20/0x30
[   31.469345]  workqueue_uaf+0x480/0x4a8
[   31.469394]  kunit_try_run_case+0x170/0x3f0
[   31.469446]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.469501]  kthread+0x328/0x630
[   31.469543]  ret_from_fork+0x10/0x20
[   31.469590] 
[   31.469655] Allocated by task 231:
[   31.469716]  kasan_save_stack+0x3c/0x68
[   31.469826]  kasan_save_track+0x20/0x40
[   31.469911]  kasan_save_alloc_info+0x40/0x58
[   31.469978]  __kasan_kmalloc+0xd4/0xd8
[   31.470047]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.470140]  workqueue_uaf+0x13c/0x4a8
[   31.470179]  kunit_try_run_case+0x170/0x3f0
[   31.470252]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.470299]  kthread+0x328/0x630
[   31.470625]  ret_from_fork+0x10/0x20
[   31.470716] 
[   31.470766] Freed by task 75:
[   31.470860]  kasan_save_stack+0x3c/0x68
[   31.470921]  kasan_save_track+0x20/0x40
[   31.470992]  kasan_save_free_info+0x4c/0x78
[   31.471053]  __kasan_slab_free+0x6c/0x98
[   31.471275]  kfree+0x214/0x3c8
[   31.471465]  workqueue_uaf_work+0x18/0x30
[   31.471557]  process_one_work+0x530/0xf98
[   31.471661]  worker_thread+0x618/0xf38
[   31.471721]  kthread+0x328/0x630
[   31.471796]  ret_from_fork+0x10/0x20
[   31.471878] 
[   31.471917] Last potentially related work creation:
[   31.471946]  kasan_save_stack+0x3c/0x68
[   31.472010]  kasan_record_aux_stack+0xb4/0xc8
[   31.472281]  __queue_work+0x65c/0xfe0
[   31.472352]  queue_work_on+0xbc/0xf8
[   31.472444]  workqueue_uaf+0x210/0x4a8
[   31.472517]  kunit_try_run_case+0x170/0x3f0
[   31.472645]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.472721]  kthread+0x328/0x630
[   31.472753]  ret_from_fork+0x10/0x20
[   31.472790] 
[   31.472809] The buggy address belongs to the object at fff00000c9aa7940
[   31.472809]  which belongs to the cache kmalloc-32 of size 32
[   31.472869] The buggy address is located 0 bytes inside of
[   31.472869]  freed 32-byte region [fff00000c9aa7940, fff00000c9aa7960)
[   31.472968] 
[   31.472989] The buggy address belongs to the physical page:
[   31.473022] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109aa7
[   31.473076] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.473280] page_type: f5(slab)
[   31.473380] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   31.473460] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   31.473527] page dumped because: kasan: bad access detected
[   31.473590] 
[   31.473640] Memory state around the buggy address:
[   31.473736]  fff00000c9aa7800: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   31.473791]  fff00000c9aa7880: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.473843] >fff00000c9aa7900: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   31.473880]                                            ^
[   31.473915]  fff00000c9aa7980: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.474112]  fff00000c9aa7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.474194] ==================================================================
Metadata Full log Test run details 

[   23.969157] ==================================================================
[   23.969602] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   23.969982] Read of size 8 at addr ffff8881059baf00 by task kunit_try_catch/248
[   23.970680] 
[   23.970785] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT(voluntary) 
[   23.970856] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.970869] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.970892] Call Trace:
[   23.970907]  <TASK>
[   23.970929]  dump_stack_lvl+0x73/0xb0
[   23.970961]  print_report+0xd1/0x610
[   23.970985]  ? __virt_addr_valid+0x1db/0x2d0
[   23.971012]  ? workqueue_uaf+0x4d6/0x560
[   23.971034]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.971062]  ? workqueue_uaf+0x4d6/0x560
[   23.971085]  kasan_report+0x141/0x180
[   23.971107]  ? workqueue_uaf+0x4d6/0x560
[   23.971135]  __asan_report_load8_noabort+0x18/0x20
[   23.971161]  workqueue_uaf+0x4d6/0x560
[   23.971184]  ? __pfx_workqueue_uaf+0x10/0x10
[   23.971208]  ? __schedule+0x10cc/0x2b60
[   23.971252]  ? __pfx_read_tsc+0x10/0x10
[   23.971278]  ? ktime_get_ts64+0x86/0x230
[   23.971306]  kunit_try_run_case+0x1a5/0x480
[   23.971330]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.971351]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.971372]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.971401]  ? __kthread_parkme+0x82/0x180
[   23.971423]  ? preempt_count_sub+0x50/0x80
[   23.971448]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.971470]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.971497]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.971524]  kthread+0x337/0x6f0
[   23.971546]  ? trace_preempt_on+0x20/0xc0
[   23.971572]  ? __pfx_kthread+0x10/0x10
[   23.971595]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.971621]  ? calculate_sigpending+0x7b/0xa0
[   23.971649]  ? __pfx_kthread+0x10/0x10
[   23.971673]  ret_from_fork+0x116/0x1d0
[   23.971692]  ? __pfx_kthread+0x10/0x10
[   23.971715]  ret_from_fork_asm+0x1a/0x30
[   23.971750]  </TASK>
[   23.971762] 
[   23.979081] Allocated by task 248:
[   23.979257]  kasan_save_stack+0x45/0x70
[   23.979458]  kasan_save_track+0x18/0x40
[   23.979649]  kasan_save_alloc_info+0x3b/0x50
[   23.980050]  __kasan_kmalloc+0xb7/0xc0
[   23.980206]  __kmalloc_cache_noprof+0x189/0x420
[   23.980397]  workqueue_uaf+0x152/0x560
[   23.980525]  kunit_try_run_case+0x1a5/0x480
[   23.980663]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.981040]  kthread+0x337/0x6f0
[   23.981216]  ret_from_fork+0x116/0x1d0
[   23.981411]  ret_from_fork_asm+0x1a/0x30
[   23.981602] 
[   23.981690] Freed by task 9:
[   23.981811]  kasan_save_stack+0x45/0x70
[   23.982040]  kasan_save_track+0x18/0x40
[   23.982230]  kasan_save_free_info+0x3f/0x60
[   23.982407]  __kasan_slab_free+0x56/0x70
[   23.982581]  kfree+0x222/0x3f0
[   23.982706]  workqueue_uaf_work+0x12/0x20
[   23.983113]  process_one_work+0x5ee/0xf60
[   23.983311]  worker_thread+0x758/0x1220
[   23.983457]  kthread+0x337/0x6f0
[   23.983573]  ret_from_fork+0x116/0x1d0
[   23.983699]  ret_from_fork_asm+0x1a/0x30
[   23.983882] 
[   23.983970] Last potentially related work creation:
[   23.984183]  kasan_save_stack+0x45/0x70
[   23.984360]  kasan_record_aux_stack+0xb2/0xc0
[   23.984510]  __queue_work+0x61a/0xe70
[   23.984641]  queue_work_on+0xb6/0xc0
[   23.984974]  workqueue_uaf+0x26d/0x560
[   23.985169]  kunit_try_run_case+0x1a5/0x480
[   23.985386]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.985643]  kthread+0x337/0x6f0
[   23.985864]  ret_from_fork+0x116/0x1d0
[   23.986032]  ret_from_fork_asm+0x1a/0x30
[   23.986203] 
[   23.986304] The buggy address belongs to the object at ffff8881059baf00
[   23.986304]  which belongs to the cache kmalloc-32 of size 32
[   23.986767] The buggy address is located 0 bytes inside of
[   23.986767]  freed 32-byte region [ffff8881059baf00, ffff8881059baf20)
[   23.987369] 
[   23.987448] The buggy address belongs to the physical page:
[   23.987616] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059ba
[   23.987913] flags: 0x200000000000000(node=0|zone=2)
[   23.988143] page_type: f5(slab)
[   23.988551] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   23.988948] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   23.989286] page dumped because: kasan: bad access detected
[   23.989451] 
[   23.989513] Memory state around the buggy address:
[   23.989662]  ffff8881059bae00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   23.989927]  ffff8881059bae80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   23.990248] >ffff8881059baf00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   23.990563]                    ^
[   23.990732]  ffff8881059baf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.991123]  ffff8881059bb000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.991473] ==================================================================
Metadata Full log Test run details