Hay
Sign in
Date
July 22, 2025, 5:13 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   30.753916] ==================================================================
[   30.753985] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   30.754053] Read of size 8 at addr fff00000c9257080 by task kunit_try_catch/231
[   30.754192] 
[   30.754237] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc7-next-20250722 #1 PREEMPT 
[   30.754521] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   30.754587] Hardware name: linux,dummy-virt (DT)
[   30.754682] Call trace:
[   30.754709]  show_stack+0x20/0x38 (C)
[   30.754849]  dump_stack_lvl+0x8c/0xd0
[   30.754904]  print_report+0x118/0x5e8
[   30.754948]  kasan_report+0xdc/0x128
[   30.754992]  __asan_report_load8_noabort+0x20/0x30
[   30.755048]  workqueue_uaf+0x480/0x4a8
[   30.755368]  kunit_try_run_case+0x170/0x3f0
[   30.755489]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.755549]  kthread+0x328/0x630
[   30.755594]  ret_from_fork+0x10/0x20
[   30.755643] 
[   30.755662] Allocated by task 231:
[   30.756025]  kasan_save_stack+0x3c/0x68
[   30.756090]  kasan_save_track+0x20/0x40
[   30.756128]  kasan_save_alloc_info+0x40/0x58
[   30.756169]  __kasan_kmalloc+0xd4/0xd8
[   30.756348]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.756392]  workqueue_uaf+0x13c/0x4a8
[   30.756536]  kunit_try_run_case+0x170/0x3f0
[   30.756849]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.756917]  kthread+0x328/0x630
[   30.757021]  ret_from_fork+0x10/0x20
[   30.757152] 
[   30.757252] Freed by task 24:
[   30.757331]  kasan_save_stack+0x3c/0x68
[   30.757375]  kasan_save_track+0x20/0x40
[   30.757412]  kasan_save_free_info+0x4c/0x78
[   30.757449]  __kasan_slab_free+0x6c/0x98
[   30.757741]  kfree+0x214/0x3c8
[   30.757905]  workqueue_uaf_work+0x18/0x30
[   30.757973]  process_one_work+0x530/0xf88
[   30.758076]  worker_thread+0x618/0xf38
[   30.758134]  kthread+0x328/0x630
[   30.758502]  ret_from_fork+0x10/0x20
[   30.758567] 
[   30.758612] Last potentially related work creation:
[   30.758703]  kasan_save_stack+0x3c/0x68
[   30.758752]  kasan_record_aux_stack+0xb4/0xc8
[   30.758862]  __queue_work+0x65c/0xfe0
[   30.758922]  queue_work_on+0xbc/0xf8
[   30.758959]  workqueue_uaf+0x210/0x4a8
[   30.758996]  kunit_try_run_case+0x170/0x3f0
[   30.759035]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.759076]  kthread+0x328/0x630
[   30.759118]  ret_from_fork+0x10/0x20
[   30.759156] 
[   30.759177] The buggy address belongs to the object at fff00000c9257080
[   30.759177]  which belongs to the cache kmalloc-32 of size 32
[   30.759250] The buggy address is located 0 bytes inside of
[   30.759250]  freed 32-byte region [fff00000c9257080, fff00000c92570a0)
[   30.759311] 
[   30.759331] The buggy address belongs to the physical page:
[   30.759381] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109257
[   30.759448] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.759499] page_type: f5(slab)
[   30.759552] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   30.759611] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   30.759652] page dumped because: kasan: bad access detected
[   30.759682] 
[   30.759714] Memory state around the buggy address:
[   30.759762]  fff00000c9256f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.759830]  fff00000c9257000: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   30.759873] >fff00000c9257080: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   30.759919]                    ^
[   30.759946]  fff00000c9257100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.759996]  fff00000c9257180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.760043] ==================================================================
Metadata Full log Test run details 

[   25.695511] ==================================================================
[   25.696041] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   25.696803] Read of size 8 at addr ffff888104974840 by task kunit_try_catch/248
[   25.697133] 
[   25.697460] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary) 
[   25.697861] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.697879] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.697902] Call Trace:
[   25.697916]  <TASK>
[   25.697932]  dump_stack_lvl+0x73/0xb0
[   25.697972]  print_report+0xd1/0x640
[   25.697995]  ? __virt_addr_valid+0x1db/0x2d0
[   25.698019]  ? workqueue_uaf+0x4d6/0x560
[   25.698040]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.698066]  ? workqueue_uaf+0x4d6/0x560
[   25.698088]  kasan_report+0x141/0x180
[   25.698111]  ? workqueue_uaf+0x4d6/0x560
[   25.698137]  __asan_report_load8_noabort+0x18/0x20
[   25.698193]  workqueue_uaf+0x4d6/0x560
[   25.698218]  ? __pfx_workqueue_uaf+0x10/0x10
[   25.698242]  ? __schedule+0x10da/0x2b60
[   25.698268]  ? __pfx_read_tsc+0x10/0x10
[   25.698290]  ? ktime_get_ts64+0x86/0x230
[   25.698314]  kunit_try_run_case+0x1a5/0x480
[   25.698340]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.698363]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.698389]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.698415]  ? __kthread_parkme+0x82/0x180
[   25.698436]  ? preempt_count_sub+0x50/0x80
[   25.698603]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.698637]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.698662]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.698686]  kthread+0x337/0x6f0
[   25.698706]  ? trace_preempt_on+0x20/0xc0
[   25.698731]  ? __pfx_kthread+0x10/0x10
[   25.698752]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.698776]  ? calculate_sigpending+0x7b/0xa0
[   25.698800]  ? __pfx_kthread+0x10/0x10
[   25.698822]  ret_from_fork+0x116/0x1d0
[   25.698856]  ? __pfx_kthread+0x10/0x10
[   25.698877]  ret_from_fork_asm+0x1a/0x30
[   25.698909]  </TASK>
[   25.698921] 
[   25.711377] Allocated by task 248:
[   25.711790]  kasan_save_stack+0x45/0x70
[   25.712003]  kasan_save_track+0x18/0x40
[   25.712449]  kasan_save_alloc_info+0x3b/0x50
[   25.712838]  __kasan_kmalloc+0xb7/0xc0
[   25.713031]  __kmalloc_cache_noprof+0x189/0x420
[   25.713309]  workqueue_uaf+0x152/0x560
[   25.713777]  kunit_try_run_case+0x1a5/0x480
[   25.714269]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.714659]  kthread+0x337/0x6f0
[   25.714840]  ret_from_fork+0x116/0x1d0
[   25.715002]  ret_from_fork_asm+0x1a/0x30
[   25.715204] 
[   25.715290] Freed by task 9:
[   25.715421]  kasan_save_stack+0x45/0x70
[   25.716057]  kasan_save_track+0x18/0x40
[   25.716620]  kasan_save_free_info+0x3f/0x60
[   25.716992]  __kasan_slab_free+0x56/0x70
[   25.717377]  kfree+0x222/0x3f0
[   25.717749]  workqueue_uaf_work+0x12/0x20
[   25.717957]  process_one_work+0x5ee/0xf60
[   25.718132]  worker_thread+0x758/0x1220
[   25.718294]  kthread+0x337/0x6f0
[   25.718446]  ret_from_fork+0x116/0x1d0
[   25.718965]  ret_from_fork_asm+0x1a/0x30
[   25.719146] 
[   25.719230] Last potentially related work creation:
[   25.719416]  kasan_save_stack+0x45/0x70
[   25.719958]  kasan_record_aux_stack+0xb2/0xc0
[   25.720452]  __queue_work+0x61a/0xe70
[   25.720744]  queue_work_on+0xb6/0xc0
[   25.720941]  workqueue_uaf+0x26d/0x560
[   25.721117]  kunit_try_run_case+0x1a5/0x480
[   25.721626]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.721884]  kthread+0x337/0x6f0
[   25.722028]  ret_from_fork+0x116/0x1d0
[   25.722445]  ret_from_fork_asm+0x1a/0x30
[   25.722913] 
[   25.723013] The buggy address belongs to the object at ffff888104974840
[   25.723013]  which belongs to the cache kmalloc-32 of size 32
[   25.724227] The buggy address is located 0 bytes inside of
[   25.724227]  freed 32-byte region [ffff888104974840, ffff888104974860)
[   25.724969] 
[   25.725069] The buggy address belongs to the physical page:
[   25.725624] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104974
[   25.725969] flags: 0x200000000000000(node=0|zone=2)
[   25.726401] page_type: f5(slab)
[   25.726860] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   25.727427] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   25.727946] page dumped because: kasan: bad access detected
[   25.728423] 
[   25.728806] Memory state around the buggy address:
[   25.729112]  ffff888104974700: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[   25.729902]  ffff888104974780: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   25.730295] >ffff888104974800: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   25.730732]                                            ^
[   25.730965]  ffff888104974880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.731950]  ffff888104974900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.732360] ==================================================================
Metadata Full log Test run details