Date: June 2, 2025, 2:13 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 19.508825] ==================================================================
[ 19.509290] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 19.509554] Read of size 8 at addr fff00000c65c6dc0 by task kunit_try_catch/190
[ 19.509988]
[ 19.510879] CPU: 1 UID: 0 PID: 190 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1
[ 19.510996] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.511025] Hardware name: linux,dummy-virt (DT)
[ 19.511062] Call trace:
[ 19.511087] show_stack+0x20/0x38 (C)
[ 19.511179] dump_stack_lvl+0x8c/0xd0
[ 19.511234] print_report+0x118/0x608
[ 19.511285] kasan_report+0xdc/0x128
[ 19.511331] __asan_report_load8_noabort+0x20/0x30
[ 19.511381] workqueue_uaf+0x480/0x4a8
[ 19.511426] kunit_try_run_case+0x170/0x3f0
[ 19.511477] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.511530] kthread+0x318/0x620
[ 19.511577] ret_from_fork+0x10/0x20
[ 19.511626]
[ 19.514511] Allocated by task 190:
[ 19.514741] kasan_save_stack+0x3c/0x68
[ 19.514926] kasan_save_track+0x20/0x40
[ 19.515512] kasan_save_alloc_info+0x40/0x58
[ 19.515918] __kasan_kmalloc+0xd4/0xd8
[ 19.516222] __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.516576] workqueue_uaf+0x13c/0x4a8
[ 19.516740] kunit_try_run_case+0x170/0x3f0
[ 19.517016] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.517370] kthread+0x318/0x620
[ 19.517573] ret_from_fork+0x10/0x20
[ 19.517813]
[ 19.517984] Freed by task 9:
[ 19.518362] kasan_save_stack+0x3c/0x68
[ 19.518628] kasan_save_track+0x20/0x40
[ 19.518831] kasan_save_free_info+0x4c/0x78
[ 19.519040] __kasan_slab_free+0x6c/0x98
[ 19.519360] kfree+0x214/0x3c8
[ 19.519564] workqueue_uaf_work+0x18/0x30
[ 19.519864] process_one_work+0x530/0xf98
[ 19.520218] worker_thread+0x610/0xf18
[ 19.520447] kthread+0x318/0x620
[ 19.520661] ret_from_fork+0x10/0x20
[ 19.520897]
[ 19.521073] Last potentially related work creation:
[ 19.521302] kasan_save_stack+0x3c/0x68
[ 19.521632] kasan_record_aux_stack+0xb4/0xc8
[ 19.521877] __queue_work+0x65c/0x1008
[ 19.522371] queue_work_on+0xbc/0xf8
[ 19.522580] workqueue_uaf+0x210/0x4a8
[ 19.522868] kunit_try_run_case+0x170/0x3f0
[ 19.523207] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.523472] kthread+0x318/0x620
[ 19.523661] ret_from_fork+0x10/0x20
[ 19.523926]
[ 19.524108] The buggy address belongs to the object at fff00000c65c6dc0
[ 19.524108]  which belongs to the cache kmalloc-32 of size 32
[ 19.524660] The buggy address is located 0 bytes inside of
[ 19.524660]  freed 32-byte region [fff00000c65c6dc0, fff00000c65c6de0)
[ 19.525143]
[ 19.525327] The buggy address belongs to the physical page:
[ 19.525643] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065c6
[ 19.526305] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.526728] page_type: f5(slab)
[ 19.526925] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 19.527295] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 19.527705] page dumped because: kasan: bad access detected
[ 19.528056]
[ 19.528196] Memory state around the buggy address:
[ 19.528449]  fff00000c65c6c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.528799]  fff00000c65c6d00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 19.529162] >fff00000c65c6d80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.529468]                                            ^
[ 19.529792]  fff00000c65c6e00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.530425]  fff00000c65c6e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.530732] ==================================================================
```
```
[ 13.284337] ==================================================================
[ 13.285104] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d8/0x560
[ 13.285647] Read of size 8 at addr ffff888102a2ab80 by task kunit_try_catch/208
[ 13.285960]
[ 13.286080] CPU: 0 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1
[ 13.286122] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.286133] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.286154] Call Trace:
[ 13.286166] <TASK>
[ 13.286182] dump_stack_lvl+0x73/0xb0
[ 13.286210] print_report+0xd1/0x650
[ 13.286234] ? __virt_addr_valid+0x1db/0x2d0
[ 13.286259] ? workqueue_uaf+0x4d8/0x560
[ 13.286282] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.286310] ? workqueue_uaf+0x4d8/0x560
[ 13.286333] kasan_report+0x140/0x180
[ 13.286356] ? workqueue_uaf+0x4d8/0x560
[ 13.286384] __asan_report_load8_noabort+0x18/0x20
[ 13.286410] workqueue_uaf+0x4d8/0x560
[ 13.286434] ? __pfx_workqueue_uaf+0x10/0x10
[ 13.286458] ? __schedule+0xce8/0x2840
[ 13.286483] ? __pfx_read_tsc+0x10/0x10
[ 13.286507] ? ktime_get_ts64+0x86/0x230
[ 13.286536] kunit_try_run_case+0x1a6/0x480
[ 13.286562] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.286585] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 13.286611] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.286636] ? __kthread_parkme+0x82/0x160
[ 13.286661] ? preempt_count_sub+0x50/0x80
[ 13.286688] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.286712] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.286740] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.286768] kthread+0x324/0x6e0
[ 13.286792] ? trace_preempt_on+0x20/0xc0
[ 13.286817] ? __pfx_kthread+0x10/0x10
[ 13.286842] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.286866] ? calculate_sigpending+0x7b/0xa0
[ 13.286891] ? __pfx_kthread+0x10/0x10
[ 13.286916] ret_from_fork+0x41/0x80
[ 13.286937] ? __pfx_kthread+0x10/0x10
[ 13.286961] ret_from_fork_asm+0x1a/0x30
[ 13.286994] </TASK>
[ 13.287004]
[ 13.296269] Allocated by task 208:
[ 13.296676] kasan_save_stack+0x45/0x70
[ 13.296863] kasan_save_track+0x18/0x40
[ 13.297183] kasan_save_alloc_info+0x3b/0x50
[ 13.297458] __kasan_kmalloc+0xb7/0xc0
[ 13.297618] __kmalloc_cache_noprof+0x18a/0x420
[ 13.298006] workqueue_uaf+0x153/0x560
[ 13.298362] kunit_try_run_case+0x1a6/0x480
[ 13.298799] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.299065] kthread+0x324/0x6e0
[ 13.299237] ret_from_fork+0x41/0x80
[ 13.299397] ret_from_fork_asm+0x1a/0x30
[ 13.299904]
[ 13.300005] Freed by task 9:
[ 13.300150] kasan_save_stack+0x45/0x70
[ 13.300335] kasan_save_track+0x18/0x40
[ 13.300814] kasan_save_free_info+0x3f/0x60
[ 13.301093] __kasan_slab_free+0x56/0x70
[ 13.301292] kfree+0x224/0x3f0
[ 13.301522] workqueue_uaf_work+0x12/0x20
[ 13.301672] process_one_work+0x5ee/0xf60
[ 13.301879] worker_thread+0x753/0x1200
[ 13.302066] kthread+0x324/0x6e0
[ 13.302227] ret_from_fork+0x41/0x80
[ 13.302387] ret_from_fork_asm+0x1a/0x30
[ 13.302972]
[ 13.303086] Last potentially related work creation:
[ 13.303290] kasan_save_stack+0x45/0x70
[ 13.303480] kasan_record_aux_stack+0xb2/0xc0
[ 13.303915] __queue_work+0x626/0xeb0
[ 13.304071] queue_work_on+0x74/0xa0
[ 13.304263] workqueue_uaf+0x26e/0x560
[ 13.304466] kunit_try_run_case+0x1a6/0x480
[ 13.304908] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.305269] kthread+0x324/0x6e0
[ 13.305408] ret_from_fork+0x41/0x80
[ 13.305599] ret_from_fork_asm+0x1a/0x30
[ 13.306232]
[ 13.306313] The buggy address belongs to the object at ffff888102a2ab80
[ 13.306313]  which belongs to the cache kmalloc-32 of size 32
[ 13.306980] The buggy address is located 0 bytes inside of
[ 13.306980]  freed 32-byte region [ffff888102a2ab80, ffff888102a2aba0)
[ 13.307451]
[ 13.307549] The buggy address belongs to the physical page:
[ 13.308069] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a2a
[ 13.308481] flags: 0x200000000000000(node=0|zone=2)
[ 13.308899] page_type: f5(slab)
[ 13.309150] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 13.309557] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 13.309852] page dumped because: kasan: bad access detected
[ 13.310090]
[ 13.310172] Memory state around the buggy address:
[ 13.310364]  ffff888102a2aa80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.310971]  ffff888102a2ab00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 13.311229] >ffff888102a2ab80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.311741]                    ^
[ 13.311881]  ffff888102a2ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.312314]  ffff888102a2ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.312866] ==================================================================
```