Date
July 14, 2025, 10:38 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 48.768249] ================================================================== [ 48.776008] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8 [ 48.782687] Read of size 8 at addr ffff000808564740 by task kunit_try_catch/284 [ 48.789976] [ 48.791462] CPU: 2 UID: 0 PID: 284 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 48.791517] Tainted: [B]=BAD_PAGE, [N]=TEST [ 48.791535] Hardware name: WinLink E850-96 board (DT) [ 48.791555] Call trace: [ 48.791571] show_stack+0x20/0x38 (C) [ 48.791610] dump_stack_lvl+0x8c/0xd0 [ 48.791647] print_report+0x118/0x5d0 [ 48.791679] kasan_report+0xdc/0x128 [ 48.791707] __asan_report_load8_noabort+0x20/0x30 [ 48.791741] workqueue_uaf+0x480/0x4a8 [ 48.791771] kunit_try_run_case+0x170/0x3f0 [ 48.791807] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.791842] kthread+0x328/0x630 [ 48.791873] ret_from_fork+0x10/0x20 [ 48.791907] [ 48.855082] Allocated by task 284: [ 48.858468] kasan_save_stack+0x3c/0x68 [ 48.862285] kasan_save_track+0x20/0x40 [ 48.866106] kasan_save_alloc_info+0x40/0x58 [ 48.870357] __kasan_kmalloc+0xd4/0xd8 [ 48.874091] __kmalloc_cache_noprof+0x16c/0x3c0 [ 48.878603] workqueue_uaf+0x13c/0x4a8 [ 48.882336] kunit_try_run_case+0x170/0x3f0 [ 48.886504] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.891971] kthread+0x328/0x630 [ 48.895183] ret_from_fork+0x10/0x20 [ 48.898742] [ 48.900217] Freed by task 121: [ 48.903257] kasan_save_stack+0x3c/0x68 [ 48.907075] kasan_save_track+0x20/0x40 [ 48.910895] kasan_save_free_info+0x4c/0x78 [ 48.915061] __kasan_slab_free+0x6c/0x98 [ 48.918967] kfree+0x214/0x3c8 [ 48.922006] workqueue_uaf_work+0x18/0x30 [ 48.926000] process_one_work+0x530/0xf98 [ 48.929991] worker_thread+0x618/0xf38 [ 48.933724] kthread+0x328/0x630 [ 48.936936] ret_from_fork+0x10/0x20 [ 48.940494] [ 48.941972] Last potentially related work creation: [ 48.946833] kasan_save_stack+0x3c/0x68 [ 48.950651] kasan_record_aux_stack+0xb4/0xc8 [ 48.954991] __queue_work+0x65c/0xfe0 [ 48.958637] queue_work_on+0xbc/0xf8 [ 48.962196] workqueue_uaf+0x210/0x4a8 [ 48.965928] kunit_try_run_case+0x170/0x3f0 [ 48.970095] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.975563] kthread+0x328/0x630 [ 48.978775] ret_from_fork+0x10/0x20 [ 48.982334] [ 48.983811] The buggy address belongs to the object at ffff000808564740 [ 48.983811] which belongs to the cache kmalloc-32 of size 32 [ 48.996140] The buggy address is located 0 bytes inside of [ 48.996140] freed 32-byte region [ffff000808564740, ffff000808564760) [ 49.008117] [ 49.009596] The buggy address belongs to the physical page: [ 49.015151] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x888564 [ 49.023136] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 49.029644] page_type: f5(slab) [ 49.032781] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000 [ 49.040500] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 49.048220] page dumped because: kasan: bad access detected [ 49.053774] [ 49.055249] Memory state around the buggy address: [ 49.060032] ffff000808564600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 49.067233] ffff000808564680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 49.074439] >ffff000808564700: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc [ 49.081638] ^ [ 49.086937] ffff000808564780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.094143] ffff000808564800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.101344] ==================================================================
[ 29.987224] ================================================================== [ 29.987311] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8 [ 29.987385] Read of size 8 at addr fff00000c9aded80 by task kunit_try_catch/231 [ 29.987444] [ 29.987483] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 29.987581] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.987610] Hardware name: linux,dummy-virt (DT) [ 29.987658] Call trace: [ 29.987683] show_stack+0x20/0x38 (C) [ 29.987733] dump_stack_lvl+0x8c/0xd0 [ 29.987778] print_report+0x118/0x5d0 [ 29.987822] kasan_report+0xdc/0x128 [ 29.987864] __asan_report_load8_noabort+0x20/0x30 [ 29.987913] workqueue_uaf+0x480/0x4a8 [ 29.987960] kunit_try_run_case+0x170/0x3f0 [ 29.988016] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.988081] kthread+0x328/0x630 [ 29.988121] ret_from_fork+0x10/0x20 [ 29.988170] [ 29.988215] Allocated by task 231: [ 29.988261] kasan_save_stack+0x3c/0x68 [ 29.988402] kasan_save_track+0x20/0x40 [ 29.988649] kasan_save_alloc_info+0x40/0x58 [ 29.988734] __kasan_kmalloc+0xd4/0xd8 [ 29.988774] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.988817] workqueue_uaf+0x13c/0x4a8 [ 29.988854] kunit_try_run_case+0x170/0x3f0 [ 29.988922] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.988966] kthread+0x328/0x630 [ 29.989082] ret_from_fork+0x10/0x20 [ 29.989128] [ 29.989147] Freed by task 75: [ 29.989173] kasan_save_stack+0x3c/0x68 [ 29.989212] kasan_save_track+0x20/0x40 [ 29.989250] kasan_save_free_info+0x4c/0x78 [ 29.989288] __kasan_slab_free+0x6c/0x98 [ 29.989327] kfree+0x214/0x3c8 [ 29.989404] workqueue_uaf_work+0x18/0x30 [ 29.989535] process_one_work+0x530/0xf98 [ 29.989574] worker_thread+0x618/0xf38 [ 29.989725] kthread+0x328/0x630 [ 29.989758] ret_from_fork+0x10/0x20 [ 29.989860] [ 29.989921] Last potentially related work creation: [ 29.989964] kasan_save_stack+0x3c/0x68 [ 29.990134] kasan_record_aux_stack+0xb4/0xc8 [ 29.990222] __queue_work+0x65c/0xfe0 [ 29.990379] queue_work_on+0xbc/0xf8 [ 29.990512] workqueue_uaf+0x210/0x4a8 [ 29.990559] kunit_try_run_case+0x170/0x3f0 [ 29.990610] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.990651] kthread+0x328/0x630 [ 29.990682] ret_from_fork+0x10/0x20 [ 29.990718] [ 29.990908] The buggy address belongs to the object at fff00000c9aded80 [ 29.990908] which belongs to the cache kmalloc-32 of size 32 [ 29.991005] The buggy address is located 0 bytes inside of [ 29.991005] freed 32-byte region [fff00000c9aded80, fff00000c9adeda0) [ 29.991165] [ 29.991271] The buggy address belongs to the physical page: [ 29.991360] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ade [ 29.991429] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.991552] page_type: f5(slab) [ 29.991675] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 29.991788] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 29.991888] page dumped because: kasan: bad access detected [ 29.991939] [ 29.991956] Memory state around the buggy address: [ 29.991991] fff00000c9adec80: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 29.992034] fff00000c9aded00: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc [ 29.992086] >fff00000c9aded80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 29.992324] ^ [ 29.992415] fff00000c9adee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.992485] fff00000c9adee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.992587] ==================================================================
[ 24.894324] ================================================================== [ 24.894825] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560 [ 24.895351] Read of size 8 at addr ffff888103ea5c00 by task kunit_try_catch/249 [ 24.895611] [ 24.895712] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) [ 24.895773] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 24.895786] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.895810] Call Trace: [ 24.895822] <TASK> [ 24.895841] dump_stack_lvl+0x73/0xb0 [ 24.895874] print_report+0xd1/0x610 [ 24.895897] ? __virt_addr_valid+0x1db/0x2d0 [ 24.895922] ? workqueue_uaf+0x4d6/0x560 [ 24.895942] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.895967] ? workqueue_uaf+0x4d6/0x560 [ 24.895988] kasan_report+0x141/0x180 [ 24.896008] ? workqueue_uaf+0x4d6/0x560 [ 24.896033] __asan_report_load8_noabort+0x18/0x20 [ 24.896056] workqueue_uaf+0x4d6/0x560 [ 24.896077] ? __pfx_workqueue_uaf+0x10/0x10 [ 24.896098] ? __schedule+0x10cc/0x2b60 [ 24.896122] ? __pfx_read_tsc+0x10/0x10 [ 24.896143] ? ktime_get_ts64+0x86/0x230 [ 24.896168] kunit_try_run_case+0x1a5/0x480 [ 24.896190] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.896209] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.896232] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.896254] ? __kthread_parkme+0x82/0x180 [ 24.896276] ? preempt_count_sub+0x50/0x80 [ 24.896298] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.896345] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.896371] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.896396] kthread+0x337/0x6f0 [ 24.896415] ? trace_preempt_on+0x20/0xc0 [ 24.896438] ? __pfx_kthread+0x10/0x10 [ 24.896458] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.896479] ? calculate_sigpending+0x7b/0xa0 [ 24.896502] ? __pfx_kthread+0x10/0x10 [ 24.896523] ret_from_fork+0x116/0x1d0 [ 24.896541] ? __pfx_kthread+0x10/0x10 [ 24.896561] ret_from_fork_asm+0x1a/0x30 [ 24.896591] </TASK> [ 24.896602] [ 24.906737] Allocated by task 249: [ 24.907346] kasan_save_stack+0x45/0x70 [ 24.907634] kasan_save_track+0x18/0x40 [ 24.907887] kasan_save_alloc_info+0x3b/0x50 [ 24.908212] __kasan_kmalloc+0xb7/0xc0 [ 24.908394] __kmalloc_cache_noprof+0x189/0x420 [ 24.908717] workqueue_uaf+0x152/0x560 [ 24.908922] kunit_try_run_case+0x1a5/0x480 [ 24.909311] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.909615] kthread+0x337/0x6f0 [ 24.909772] ret_from_fork+0x116/0x1d0 [ 24.910117] ret_from_fork_asm+0x1a/0x30 [ 24.910271] [ 24.910336] Freed by task 9: [ 24.910593] kasan_save_stack+0x45/0x70 [ 24.910953] kasan_save_track+0x18/0x40 [ 24.911337] kasan_save_free_info+0x3f/0x60 [ 24.911741] __kasan_slab_free+0x56/0x70 [ 24.912164] kfree+0x222/0x3f0 [ 24.912492] workqueue_uaf_work+0x12/0x20 [ 24.912993] process_one_work+0x5ee/0xf60 [ 24.913278] worker_thread+0x758/0x1220 [ 24.913562] kthread+0x337/0x6f0 [ 24.913901] ret_from_fork+0x116/0x1d0 [ 24.914057] ret_from_fork_asm+0x1a/0x30 [ 24.914488] [ 24.914667] Last potentially related work creation: [ 24.914955] kasan_save_stack+0x45/0x70 [ 24.915081] kasan_record_aux_stack+0xb2/0xc0 [ 24.915376] __queue_work+0x61a/0xe70 [ 24.915506] queue_work_on+0xb6/0xc0 [ 24.915717] workqueue_uaf+0x26d/0x560 [ 24.916063] kunit_try_run_case+0x1a5/0x480 [ 24.916496] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.917131] kthread+0x337/0x6f0 [ 24.917591] ret_from_fork+0x116/0x1d0 [ 24.917993] ret_from_fork_asm+0x1a/0x30 [ 24.918196] [ 24.918287] The buggy address belongs to the object at ffff888103ea5c00 [ 24.918287] which belongs to the cache kmalloc-32 of size 32 [ 24.919505] The buggy address is located 0 bytes inside of [ 24.919505] freed 32-byte region [ffff888103ea5c00, ffff888103ea5c20) [ 24.920091] [ 24.920253] The buggy address belongs to the physical page: [ 24.920737] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ea5 [ 24.921524] flags: 0x200000000000000(node=0|zone=2) [ 24.922012] page_type: f5(slab) [ 24.922379] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 24.922843] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 24.923169] page dumped because: kasan: bad access detected [ 24.923331] [ 24.923391] Memory state around the buggy address: [ 24.923537] ffff888103ea5b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 24.923792] ffff888103ea5b80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 24.924018] >ffff888103ea5c00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 24.924424] ^ [ 24.924611] ffff888103ea5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.924821] ffff888103ea5d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.925318] ==================================================================