Date: June 2, 2025, 2:11 p.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
```
[   30.876564] ==================================================================
[   30.883787] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   30.890464] Read of size 8 at addr ffff0008064fc3c0 by task kunit_try_catch/247
[   30.897755]
[   30.899242] CPU: 5 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT
[   30.899297] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.899312] Hardware name: WinLink E850-96 board (DT)
[   30.899334] Call trace:
[   30.899348]  show_stack+0x20/0x38 (C)
[   30.899383]  dump_stack_lvl+0x8c/0xd0
[   30.899421]  print_report+0x118/0x608
[   30.899455]  kasan_report+0xdc/0x128
[   30.899483]  __asan_report_load8_noabort+0x20/0x30
[   30.899517]  workqueue_uaf+0x480/0x4a8
[   30.899549]  kunit_try_run_case+0x170/0x3f0
[   30.899588]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.899627]  kthread+0x328/0x630
[   30.899662]  ret_from_fork+0x10/0x20
[   30.899699]
[   30.961643] Allocated by task 247:
[   30.965032]  kasan_save_stack+0x3c/0x68
[   30.968848]  kasan_save_track+0x20/0x40
[   30.972667]  kasan_save_alloc_info+0x40/0x58
[   30.976920]  __kasan_kmalloc+0xd4/0xd8
[   30.980655]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.985167]  workqueue_uaf+0x13c/0x4a8
[   30.988899]  kunit_try_run_case+0x170/0x3f0
[   30.993066]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.998535]  kthread+0x328/0x630
[   31.001746]  ret_from_fork+0x10/0x20
[   31.005305]
[   31.006782] Freed by task 91:
[   31.009734]  kasan_save_stack+0x3c/0x68
[   31.013552]  kasan_save_track+0x20/0x40
[   31.017372]  kasan_save_free_info+0x4c/0x78
[   31.021538]  __kasan_slab_free+0x6c/0x98
[   31.025444]  kfree+0x214/0x3c8
[   31.028482]  workqueue_uaf_work+0x18/0x30
[   31.032476]  process_one_work+0x530/0xf98
[   31.036468]  worker_thread+0x618/0xf38
[   31.040202]  kthread+0x328/0x630
[   31.043413]  ret_from_fork+0x10/0x20
[   31.046971]
[   31.048448] Last potentially related work creation:
[   31.053310]  kasan_save_stack+0x3c/0x68
[   31.057128]  kasan_record_aux_stack+0xb4/0xc8
[   31.061468]  __queue_work+0x65c/0x1008
[   31.065201]  queue_work_on+0xbc/0xf8
[   31.068759]  workqueue_uaf+0x210/0x4a8
[   31.072492]  kunit_try_run_case+0x170/0x3f0
[   31.076659]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.082127]  kthread+0x328/0x630
[   31.085339]  ret_from_fork+0x10/0x20
[   31.088898]
[   31.090375] The buggy address belongs to the object at ffff0008064fc3c0
[   31.090375]  which belongs to the cache kmalloc-32 of size 32
[   31.102702] The buggy address is located 0 bytes inside of
[   31.102702]  freed 32-byte region [ffff0008064fc3c0, ffff0008064fc3e0)
[   31.114679]
[   31.116157] The buggy address belongs to the physical page:
[   31.121715] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8864fc
[   31.129700] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.136208] page_type: f5(slab)
[   31.139347] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[   31.147063] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   31.154784] page dumped because: kasan: bad access detected
[   31.160339]
[   31.161814] Memory state around the buggy address:
[   31.166594]  ffff0008064fc280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   31.173796]  ffff0008064fc300: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.181001] >ffff0008064fc380: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   31.188202]                                            ^
[   31.193502]  ffff0008064fc400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.200706]  ffff0008064fc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.207908] ==================================================================
```
```
[   19.398933] ==================================================================
[   19.399373] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   19.399447] Read of size 8 at addr fff00000c3faa940 by task kunit_try_catch/203
[   19.399730]
[   19.399777] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B W N 6.15.1-rc1 #1 PREEMPT
[   19.400860] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   19.401000] Hardware name: linux,dummy-virt (DT)
[   19.401255] Call trace:
[   19.401723]  show_stack+0x20/0x38 (C)
[   19.401812]  dump_stack_lvl+0x8c/0xd0
[   19.401864]  print_report+0x118/0x608
[   19.401909]  kasan_report+0xdc/0x128
[   19.401955]  __asan_report_load8_noabort+0x20/0x30
[   19.402005]  workqueue_uaf+0x480/0x4a8
[   19.402232]  kunit_try_run_case+0x170/0x3f0
[   19.402582]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.402709]  kthread+0x328/0x630
[   19.402962]  ret_from_fork+0x10/0x20
[   19.403189]
[   19.403213] Allocated by task 203:
[   19.403278]  kasan_save_stack+0x3c/0x68
[   19.403461]  kasan_save_track+0x20/0x40
[   19.403822]  kasan_save_alloc_info+0x40/0x58
[   19.403880]  __kasan_kmalloc+0xd4/0xd8
[   19.403924]  __kmalloc_cache_noprof+0x16c/0x3c0
[   19.403969]  workqueue_uaf+0x13c/0x4a8
[   19.404547]  kunit_try_run_case+0x170/0x3f0
[   19.404664]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.404844]  kthread+0x328/0x630
[   19.405076]  ret_from_fork+0x10/0x20
[   19.405164]
[   19.405512] Freed by task 24:
[   19.405550]  kasan_save_stack+0x3c/0x68
[   19.405782]  kasan_save_track+0x20/0x40
[   19.405835]  kasan_save_free_info+0x4c/0x78
[   19.405877]  __kasan_slab_free+0x6c/0x98
[   19.405913]  kfree+0x214/0x3c8
[   19.405958]  workqueue_uaf_work+0x18/0x30
[   19.405998]  process_one_work+0x530/0xf98
[   19.406036]  worker_thread+0x618/0xf38
[   19.406072]  kthread+0x328/0x630
[   19.406109]  ret_from_fork+0x10/0x20
[   19.406146]
[   19.406286] Last potentially related work creation:
[   19.406376]  kasan_save_stack+0x3c/0x68
[   19.406715]  kasan_record_aux_stack+0xb4/0xc8
[   19.406758]  __queue_work+0x65c/0x1008
[   19.406796]  queue_work_on+0xbc/0xf8
[   19.406833]  workqueue_uaf+0x210/0x4a8
[   19.406873]  kunit_try_run_case+0x170/0x3f0
[   19.406915]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.406962]  kthread+0x328/0x630
[   19.406998]  ret_from_fork+0x10/0x20
[   19.407434]
[   19.407461] The buggy address belongs to the object at fff00000c3faa940
[   19.407461]  which belongs to the cache kmalloc-32 of size 32
[   19.408142] The buggy address is located 0 bytes inside of
[   19.408142]  freed 32-byte region [fff00000c3faa940, fff00000c3faa960)
[   19.408515]
[   19.408544] The buggy address belongs to the physical page:
[   19.408661] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103faa
[   19.408766] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.409061] page_type: f5(slab)
[   19.409299] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   19.409825] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   19.409873] page dumped because: kasan: bad access detected
[   19.410012]
[   19.410031] Memory state around the buggy address:
[   19.410065]  fff00000c3faa800: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   19.410110]  fff00000c3faa880: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   19.410154] >fff00000c3faa900: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   19.410415]                                            ^
[   19.410835]  fff00000c3faa980: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.410909]  fff00000c3faaa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.410948] ==================================================================
```
```
[   17.384357] ==================================================================
[   17.385225] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   17.386121] Read of size 8 at addr ffff888102b360c0 by task kunit_try_catch/221
[   17.386358]
[   17.386817] CPU: 0 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary)
[   17.386889] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.386904] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.386931] Call Trace:
[   17.386950]  <TASK>
[   17.386975]  dump_stack_lvl+0x73/0xb0
[   17.387094]  print_report+0xd1/0x650
[   17.387273]  ? __virt_addr_valid+0x1db/0x2d0
[   17.387313]  ? workqueue_uaf+0x4d6/0x560
[   17.387341]  ? kasan_complete_mode_report_info+0x64/0x200
[   17.387368]  ? workqueue_uaf+0x4d6/0x560
[   17.387396]  kasan_report+0x141/0x180
[   17.387423]  ? workqueue_uaf+0x4d6/0x560
[   17.387454]  __asan_report_load8_noabort+0x18/0x20
[   17.387478]  workqueue_uaf+0x4d6/0x560
[   17.387504]  ? __pfx_workqueue_uaf+0x10/0x10
[   17.387531]  ? __schedule+0x10cc/0x2b30
[   17.387558]  ? __pfx_read_tsc+0x10/0x10
[   17.387581]  ? ktime_get_ts64+0x86/0x230
[   17.387612]  kunit_try_run_case+0x1a5/0x480
[   17.387703]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.387729]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   17.387781]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   17.387810]  ? __kthread_parkme+0x82/0x180
[   17.387837]  ? preempt_count_sub+0x50/0x80
[   17.387868]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.387897]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.387924]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   17.387950]  kthread+0x337/0x6f0
[   17.387969]  ? trace_preempt_on+0x20/0xc0
[   17.387998]  ? __pfx_kthread+0x10/0x10
[   17.388019]  ? _raw_spin_unlock_irq+0x47/0x80
[   17.388044]  ? calculate_sigpending+0x7b/0xa0
[   17.388069]  ? __pfx_kthread+0x10/0x10
[   17.388091]  ret_from_fork+0x41/0x80
[   17.388143]  ? __pfx_kthread+0x10/0x10
[   17.388167]  ret_from_fork_asm+0x1a/0x30
[   17.388562]  </TASK>
[   17.388580]
[   17.397614] Allocated by task 221:
[   17.398268]  kasan_save_stack+0x45/0x70
[   17.398611]  kasan_save_track+0x18/0x40
[   17.398909]  kasan_save_alloc_info+0x3b/0x50
[   17.399254]  __kasan_kmalloc+0xb7/0xc0
[   17.399378]  __kmalloc_cache_noprof+0x189/0x420
[   17.399743]  workqueue_uaf+0x152/0x560
[   17.400064]  kunit_try_run_case+0x1a5/0x480
[   17.400536]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.400890]  kthread+0x337/0x6f0
[   17.401087]  ret_from_fork+0x41/0x80
[   17.401428]  ret_from_fork_asm+0x1a/0x30
[   17.401702]
[   17.401818] Freed by task 91:
[   17.401951]  kasan_save_stack+0x45/0x70
[   17.402320]  kasan_save_track+0x18/0x40
[   17.402618]  kasan_save_free_info+0x3f/0x60
[   17.402914]  __kasan_slab_free+0x56/0x70
[   17.403128]  kfree+0x222/0x3f0
[   17.403419]  workqueue_uaf_work+0x12/0x20
[   17.403556]  process_one_work+0x5ee/0xf60
[   17.403858]  worker_thread+0x758/0x1220
[   17.404059]  kthread+0x337/0x6f0
[   17.404634]  ret_from_fork+0x41/0x80
[   17.404864]  ret_from_fork_asm+0x1a/0x30
[   17.405042]
[   17.405181] Last potentially related work creation:
[   17.405329]  kasan_save_stack+0x45/0x70
[   17.405680]  kasan_record_aux_stack+0xb2/0xc0
[   17.405948]  __queue_work+0x626/0xeb0
[   17.406149]  queue_work_on+0xb6/0xc0
[   17.406478]  workqueue_uaf+0x26d/0x560
[   17.406619]  kunit_try_run_case+0x1a5/0x480
[   17.406885]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.407097]  kthread+0x337/0x6f0
[   17.407374]  ret_from_fork+0x41/0x80
[   17.407579]  ret_from_fork_asm+0x1a/0x30
[   17.407774]
[   17.407844] The buggy address belongs to the object at ffff888102b360c0
[   17.407844]  which belongs to the cache kmalloc-32 of size 32
[   17.408778] The buggy address is located 0 bytes inside of
[   17.408778]  freed 32-byte region [ffff888102b360c0, ffff888102b360e0)
[   17.409260]
[   17.409419] The buggy address belongs to the physical page:
[   17.409629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b36
[   17.410126] flags: 0x200000000000000(node=0|zone=2)
[   17.410511] page_type: f5(slab)
[   17.410682] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   17.411026] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.411425] page dumped because: kasan: bad access detected
[   17.411704]
[   17.411845] Memory state around the buggy address:
[   17.411984]  ffff888102b35f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.412607]  ffff888102b36000: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   17.412874] >ffff888102b36080: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   17.413312]                                            ^
[   17.413605]  ffff888102b36100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.413998]  ffff888102b36180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.414289] ==================================================================
```