Date: July 11, 2025, 10:11 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
e850-96:

```text
[ 50.115917] ==================================================================
[ 50.123322] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 50.130001] Read of size 8 at addr ffff0008084f7700 by task kunit_try_catch/284
[ 50.137292]
[ 50.138778] CPU: 7 UID: 0 PID: 284 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 50.138836] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 50.138851] Hardware name: WinLink E850-96 board (DT)
[ 50.138875] Call trace:
[ 50.138889]  show_stack+0x20/0x38 (C)
[ 50.138924]  dump_stack_lvl+0x8c/0xd0
[ 50.138958]  print_report+0x118/0x5d0
[ 50.138985]  kasan_report+0xdc/0x128
[ 50.139014]  __asan_report_load8_noabort+0x20/0x30
[ 50.139047]  workqueue_uaf+0x480/0x4a8
[ 50.139079]  kunit_try_run_case+0x170/0x3f0
[ 50.139117]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 50.139148]  kthread+0x328/0x630
[ 50.139180]  ret_from_fork+0x10/0x20
[ 50.139216]
[ 50.202395] Allocated by task 284:
[ 50.205783]  kasan_save_stack+0x3c/0x68
[ 50.209598]  kasan_save_track+0x20/0x40
[ 50.213419]  kasan_save_alloc_info+0x40/0x58
[ 50.217671]  __kasan_kmalloc+0xd4/0xd8
[ 50.221403]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 50.225917]  workqueue_uaf+0x13c/0x4a8
[ 50.229650]  kunit_try_run_case+0x170/0x3f0
[ 50.233816]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 50.239285]  kthread+0x328/0x630
[ 50.242497]  ret_from_fork+0x10/0x20
[ 50.246056]
[ 50.247533] Freed by task 121:
[ 50.250570]  kasan_save_stack+0x3c/0x68
[ 50.254389]  kasan_save_track+0x20/0x40
[ 50.258208]  kasan_save_free_info+0x4c/0x78
[ 50.262375]  __kasan_slab_free+0x6c/0x98
[ 50.266281]  kfree+0x214/0x3c8
[ 50.269319]  workqueue_uaf_work+0x18/0x30
[ 50.273312]  process_one_work+0x530/0xf98
[ 50.277305]  worker_thread+0x618/0xf38
[ 50.281038]  kthread+0x328/0x630
[ 50.284250]  ret_from_fork+0x10/0x20
[ 50.287809]
[ 50.289286] Last potentially related work creation:
[ 50.294146]  kasan_save_stack+0x3c/0x68
[ 50.297965]  kasan_record_aux_stack+0xb4/0xc8
[ 50.302305]  __queue_work+0x65c/0xfe0
[ 50.305951]  queue_work_on+0xbc/0xf8
[ 50.309510]  workqueue_uaf+0x210/0x4a8
[ 50.313242]  kunit_try_run_case+0x170/0x3f0
[ 50.317409]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 50.322877]  kthread+0x328/0x630
[ 50.326089]  ret_from_fork+0x10/0x20
[ 50.329648]
[ 50.331125] The buggy address belongs to the object at ffff0008084f7700
[ 50.331125]  which belongs to the cache kmalloc-32 of size 32
[ 50.343453] The buggy address is located 0 bytes inside of
[ 50.343453]  freed 32-byte region [ffff0008084f7700, ffff0008084f7720)
[ 50.355431]
[ 50.356906] The buggy address belongs to the physical page:
[ 50.362465] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8884f7
[ 50.370451] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 50.376958] page_type: f5(slab)
[ 50.380094] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 50.387814] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 50.395534] page dumped because: kasan: bad access detected
[ 50.401088]
[ 50.402563] Memory state around the buggy address:
[ 50.407344]  ffff0008084f7600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 50.414547]  ffff0008084f7680: fa fb fb fb fc fc fc fc 00 00 00 07 fc fc fc fc
[ 50.421754] >ffff0008084f7700: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 50.428951]                    ^
[ 50.432168]  ffff0008084f7780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.439374]  ffff0008084f7800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.446575] ==================================================================
```
qemu-arm64:

```text
[ 30.844460] ==================================================================
[ 30.844540] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 30.844609] Read of size 8 at addr fff00000c9a4d880 by task kunit_try_catch/231
[ 30.844678]
[ 30.844719] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 30.845069] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.845144] Hardware name: linux,dummy-virt (DT)
[ 30.845186] Call trace:
[ 30.845213]  show_stack+0x20/0x38 (C)
[ 30.845281]  dump_stack_lvl+0x8c/0xd0
[ 30.845369]  print_report+0x118/0x5d0
[ 30.845453]  kasan_report+0xdc/0x128
[ 30.845526]  __asan_report_load8_noabort+0x20/0x30
[ 30.845618]  workqueue_uaf+0x480/0x4a8
[ 30.845686]  kunit_try_run_case+0x170/0x3f0
[ 30.845808]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.845897]  kthread+0x328/0x630
[ 30.845982]  ret_from_fork+0x10/0x20
[ 30.846109]
[ 30.846158] Allocated by task 231:
[ 30.846186]  kasan_save_stack+0x3c/0x68
[ 30.846229]  kasan_save_track+0x20/0x40
[ 30.847181]  kasan_save_alloc_info+0x40/0x58
[ 30.847259]  __kasan_kmalloc+0xd4/0xd8
[ 30.847404]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.847515]  workqueue_uaf+0x13c/0x4a8
[ 30.847588]  kunit_try_run_case+0x170/0x3f0
[ 30.847696]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.847740]  kthread+0x328/0x630
[ 30.847772]  ret_from_fork+0x10/0x20
[ 30.847817]
[ 30.847896] Freed by task 52:
[ 30.847974]  kasan_save_stack+0x3c/0x68
[ 30.848091]  kasan_save_track+0x20/0x40
[ 30.848150]  kasan_save_free_info+0x4c/0x78
[ 30.848196]  __kasan_slab_free+0x6c/0x98
[ 30.848235]  kfree+0x214/0x3c8
[ 30.848269]  workqueue_uaf_work+0x18/0x30
[ 30.848306]  process_one_work+0x530/0xf98
[ 30.848355]  worker_thread+0x618/0xf38
[ 30.848389]  kthread+0x328/0x630
[ 30.848423]  ret_from_fork+0x10/0x20
[ 30.848459]
[ 30.848478] Last potentially related work creation:
[ 30.848505]  kasan_save_stack+0x3c/0x68
[ 30.848583]  kasan_record_aux_stack+0xb4/0xc8
[ 30.848678]  __queue_work+0x65c/0xfe0
[ 30.848729]  queue_work_on+0xbc/0xf8
[ 30.848806]  workqueue_uaf+0x210/0x4a8
[ 30.848884]  kunit_try_run_case+0x170/0x3f0
[ 30.848985]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.849052]  kthread+0x328/0x630
[ 30.849136]  ret_from_fork+0x10/0x20
[ 30.849206]
[ 30.849310] The buggy address belongs to the object at fff00000c9a4d880
[ 30.849310]  which belongs to the cache kmalloc-32 of size 32
[ 30.849406] The buggy address is located 0 bytes inside of
[ 30.849406]  freed 32-byte region [fff00000c9a4d880, fff00000c9a4d8a0)
[ 30.849496]
[ 30.849517] The buggy address belongs to the physical page:
[ 30.849558] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a4d
[ 30.849621] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.849945] page_type: f5(slab)
[ 30.849995] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 30.850053] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 30.850100] page dumped because: kasan: bad access detected
[ 30.850135]
[ 30.850154] Memory state around the buggy address:
[ 30.850189]  fff00000c9a4d780: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 30.850237]  fff00000c9a4d800: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[ 30.850403] >fff00000c9a4d880: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 30.850461]                    ^
[ 30.850509]  fff00000c9a4d900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.850556]  fff00000c9a4d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.850634] ==================================================================
```
qemu-x86_64:

```text
[ 24.368919] ==================================================================
[ 24.369515] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[ 24.370102] Read of size 8 at addr ffff888104cb8780 by task kunit_try_catch/250
[ 24.371058]
[ 24.371389] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.371457] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.371469] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.371492] Call Trace:
[ 24.371505]  <TASK>
[ 24.371524]  dump_stack_lvl+0x73/0xb0
[ 24.371971]  print_report+0xd1/0x610
[ 24.371997]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.372021]  ? workqueue_uaf+0x4d6/0x560
[ 24.372046]  ? kasan_complete_mode_report_info+0x64/0x200
[ 24.372083]  ? workqueue_uaf+0x4d6/0x560
[ 24.372104]  kasan_report+0x141/0x180
[ 24.372125]  ? workqueue_uaf+0x4d6/0x560
[ 24.372151]  __asan_report_load8_noabort+0x18/0x20
[ 24.372174]  workqueue_uaf+0x4d6/0x560
[ 24.372195]  ? __pfx_workqueue_uaf+0x10/0x10
[ 24.372216]  ? __schedule+0x10cc/0x2b60
[ 24.372240]  ? __pfx_read_tsc+0x10/0x10
[ 24.372262]  ? ktime_get_ts64+0x86/0x230
[ 24.372287]  kunit_try_run_case+0x1a5/0x480
[ 24.372310]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.372336]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.372360]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.372383]  ? __kthread_parkme+0x82/0x180
[ 24.372405]  ? preempt_count_sub+0x50/0x80
[ 24.372428]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.372449]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.372474]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.372498]  kthread+0x337/0x6f0
[ 24.372517]  ? trace_preempt_on+0x20/0xc0
[ 24.372540]  ? __pfx_kthread+0x10/0x10
[ 24.372560]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.372581]  ? calculate_sigpending+0x7b/0xa0
[ 24.372606]  ? __pfx_kthread+0x10/0x10
[ 24.372627]  ret_from_fork+0x116/0x1d0
[ 24.372646]  ? __pfx_kthread+0x10/0x10
[ 24.372666]  ret_from_fork_asm+0x1a/0x30
[ 24.372696]  </TASK>
[ 24.372708]
[ 24.385381] Allocated by task 250:
[ 24.385602]  kasan_save_stack+0x45/0x70
[ 24.385821]  kasan_save_track+0x18/0x40
[ 24.385991]  kasan_save_alloc_info+0x3b/0x50
[ 24.386178]  __kasan_kmalloc+0xb7/0xc0
[ 24.386668]  __kmalloc_cache_noprof+0x189/0x420
[ 24.387013]  workqueue_uaf+0x152/0x560
[ 24.387595]  kunit_try_run_case+0x1a5/0x480
[ 24.387823]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.388050]  kthread+0x337/0x6f0
[ 24.388207]  ret_from_fork+0x116/0x1d0
[ 24.388840]  ret_from_fork_asm+0x1a/0x30
[ 24.389124]
[ 24.389534] Freed by task 9:
[ 24.389707]  kasan_save_stack+0x45/0x70
[ 24.389898]  kasan_save_track+0x18/0x40
[ 24.390070]  kasan_save_free_info+0x3f/0x60
[ 24.390255]  __kasan_slab_free+0x56/0x70
[ 24.390816]  kfree+0x222/0x3f0
[ 24.390979]  workqueue_uaf_work+0x12/0x20
[ 24.391157]  process_one_work+0x5ee/0xf60
[ 24.391878]  worker_thread+0x758/0x1220
[ 24.392127]  kthread+0x337/0x6f0
[ 24.392391]  ret_from_fork+0x116/0x1d0
[ 24.392589]  ret_from_fork_asm+0x1a/0x30
[ 24.392776]
[ 24.392859] Last potentially related work creation:
[ 24.393054]  kasan_save_stack+0x45/0x70
[ 24.393223]  kasan_record_aux_stack+0xb2/0xc0
[ 24.394011]  __queue_work+0x61a/0xe70
[ 24.394173]  queue_work_on+0xb6/0xc0
[ 24.394528]  workqueue_uaf+0x26d/0x560
[ 24.394715]  kunit_try_run_case+0x1a5/0x480
[ 24.394913]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.395136]  kthread+0x337/0x6f0
[ 24.395506]  ret_from_fork+0x116/0x1d0
[ 24.395689]  ret_from_fork_asm+0x1a/0x30
[ 24.395881]
[ 24.395965] The buggy address belongs to the object at ffff888104cb8780
[ 24.395965]  which belongs to the cache kmalloc-32 of size 32
[ 24.396994] The buggy address is located 0 bytes inside of
[ 24.396994]  freed 32-byte region [ffff888104cb8780, ffff888104cb87a0)
[ 24.397482]
[ 24.397577] The buggy address belongs to the physical page:
[ 24.397825] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cb8
[ 24.398153] flags: 0x200000000000000(node=0|zone=2)
[ 24.398436] page_type: f5(slab)
[ 24.398595] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 24.398918] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 24.399217] page dumped because: kasan: bad access detected
[ 24.400308]
[ 24.400492] Memory state around the buggy address:
[ 24.400649]  ffff888104cb8680: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 24.400914]  ffff888104cb8700: 00 00 05 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 24.401194] >ffff888104cb8780: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.402043]                    ^
[ 24.402215]  ffff888104cb8800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.402809]  ffff888104cb8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.403098] ==================================================================
```