Hay
Sign in
Date
June 17, 2025, 3:40 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   22.553014] ==================================================================
[   22.553218] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   22.555349] Read of size 8 at addr fff00000c58e1d00 by task kunit_try_catch/202
[   22.555491] 
[   22.555660] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N  6.15.3-rc1 #1 PREEMPT 
[   22.555952] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.556363] Hardware name: linux,dummy-virt (DT)
[   22.556623] Call trace:
[   22.556744]  show_stack+0x20/0x38 (C)
[   22.557077]  dump_stack_lvl+0x8c/0xd0
[   22.557445]  print_report+0x118/0x608
[   22.557584]  kasan_report+0xdc/0x128
[   22.557689]  __asan_report_load8_noabort+0x20/0x30
[   22.557893]  workqueue_uaf+0x480/0x4a8
[   22.558060]  kunit_try_run_case+0x170/0x3f0
[   22.558219]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.558382]  kthread+0x328/0x630
[   22.558471]  ret_from_fork+0x10/0x20
[   22.558563] 
[   22.558636] Allocated by task 202:
[   22.558706]  kasan_save_stack+0x3c/0x68
[   22.558971]  kasan_save_track+0x20/0x40
[   22.559151]  kasan_save_alloc_info+0x40/0x58
[   22.559267]  __kasan_kmalloc+0xd4/0xd8
[   22.559357]  __kmalloc_cache_noprof+0x16c/0x3c0
[   22.559445]  workqueue_uaf+0x13c/0x4a8
[   22.559534]  kunit_try_run_case+0x170/0x3f0
[   22.559626]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.559742]  kthread+0x328/0x630
[   22.559839]  ret_from_fork+0x10/0x20
[   22.559981] 
[   22.560053] Freed by task 9:
[   22.560165]  kasan_save_stack+0x3c/0x68
[   22.560261]  kasan_save_track+0x20/0x40
[   22.560350]  kasan_save_free_info+0x4c/0x78
[   22.560443]  __kasan_slab_free+0x6c/0x98
[   22.560540]  kfree+0x214/0x3c8
[   22.560647]  workqueue_uaf_work+0x18/0x30
[   22.560766]  process_one_work+0x530/0xf98
[   22.560882]  worker_thread+0x618/0xf38
[   22.560967]  kthread+0x328/0x630
[   22.561082]  ret_from_fork+0x10/0x20
[   22.561180] 
[   22.561226] Last potentially related work creation:
[   22.561310]  kasan_save_stack+0x3c/0x68
[   22.561493]  kasan_record_aux_stack+0xb4/0xc8
[   22.561584]  __queue_work+0x65c/0x1008
[   22.561663]  queue_work_on+0xbc/0xf8
[   22.561751]  workqueue_uaf+0x210/0x4a8
[   22.561820]  kunit_try_run_case+0x170/0x3f0
[   22.561915]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.562017]  kthread+0x328/0x630
[   22.562121]  ret_from_fork+0x10/0x20
[   22.562243] 
[   22.562315] The buggy address belongs to the object at fff00000c58e1d00
[   22.562315]  which belongs to the cache kmalloc-32 of size 32
[   22.562468] The buggy address is located 0 bytes inside of
[   22.562468]  freed 32-byte region [fff00000c58e1d00, fff00000c58e1d20)
[   22.562625] 
[   22.562671] The buggy address belongs to the physical page:
[   22.562760] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058e1
[   22.562901] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   22.563027] page_type: f5(slab)
[   22.563132] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   22.563458] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   22.563580] page dumped because: kasan: bad access detected
[   22.563666] 
[   22.563710] Memory state around the buggy address:
[   22.563811]  fff00000c58e1c00: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   22.563922]  fff00000c58e1c80: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   22.564025] >fff00000c58e1d00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   22.564129]                    ^
[   22.564205]  fff00000c58e1d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.565355]  fff00000c58e1e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.565564] ==================================================================
Metadata Full log Test run details 

[   20.337910] ==================================================================
[   20.338889] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   20.339575] Read of size 8 at addr ffff888102edc900 by task kunit_try_catch/220
[   20.340716] 
[   20.341030] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N  6.15.3-rc1 #1 PREEMPT(voluntary) 
[   20.341169] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.341224] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   20.341313] Call Trace:
[   20.341360]  <TASK>
[   20.341413]  dump_stack_lvl+0x73/0xb0
[   20.341494]  print_report+0xd1/0x650
[   20.341571]  ? __virt_addr_valid+0x1db/0x2d0
[   20.341672]  ? workqueue_uaf+0x4d6/0x560
[   20.341749]  ? kasan_complete_mode_report_info+0x64/0x200
[   20.341976]  ? workqueue_uaf+0x4d6/0x560
[   20.342192]  kasan_report+0x141/0x180
[   20.342335]  ? workqueue_uaf+0x4d6/0x560
[   20.342430]  __asan_report_load8_noabort+0x18/0x20
[   20.342501]  workqueue_uaf+0x4d6/0x560
[   20.342544]  ? __pfx_workqueue_uaf+0x10/0x10
[   20.342582]  ? __schedule+0x10cc/0x2b60
[   20.342619]  ? __pfx_read_tsc+0x10/0x10
[   20.342651]  ? ktime_get_ts64+0x86/0x230
[   20.342693]  kunit_try_run_case+0x1a5/0x480
[   20.342732]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.342766]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   20.342803]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   20.342838]  ? __kthread_parkme+0x82/0x180
[   20.342872]  ? preempt_count_sub+0x50/0x80
[   20.342909]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.342948]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.343027]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   20.343110]  kthread+0x337/0x6f0
[   20.343147]  ? trace_preempt_on+0x20/0xc0
[   20.343184]  ? __pfx_kthread+0x10/0x10
[   20.343210]  ? _raw_spin_unlock_irq+0x47/0x80
[   20.343242]  ? calculate_sigpending+0x7b/0xa0
[   20.343274]  ? __pfx_kthread+0x10/0x10
[   20.343329]  ret_from_fork+0x41/0x80
[   20.343364]  ? __pfx_kthread+0x10/0x10
[   20.343391]  ret_from_fork_asm+0x1a/0x30
[   20.343437]  </TASK>
[   20.343453] 
[   20.365953] Allocated by task 220:
[   20.366597]  kasan_save_stack+0x45/0x70
[   20.366986]  kasan_save_track+0x18/0x40
[   20.367842]  kasan_save_alloc_info+0x3b/0x50
[   20.368404]  __kasan_kmalloc+0xb7/0xc0
[   20.368729]  __kmalloc_cache_noprof+0x189/0x420
[   20.369475]  workqueue_uaf+0x152/0x560
[   20.369817]  kunit_try_run_case+0x1a5/0x480
[   20.370279]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.370825]  kthread+0x337/0x6f0
[   20.371192]  ret_from_fork+0x41/0x80
[   20.372329]  ret_from_fork_asm+0x1a/0x30
[   20.372783] 
[   20.373155] Freed by task 24:
[   20.373559]  kasan_save_stack+0x45/0x70
[   20.374207]  kasan_save_track+0x18/0x40
[   20.374645]  kasan_save_free_info+0x3f/0x60
[   20.375538]  __kasan_slab_free+0x56/0x70
[   20.376199]  kfree+0x222/0x3f0
[   20.376562]  workqueue_uaf_work+0x12/0x20
[   20.377232]  process_one_work+0x5ee/0xf60
[   20.377733]  worker_thread+0x758/0x1220
[   20.378301]  kthread+0x337/0x6f0
[   20.378690]  ret_from_fork+0x41/0x80
[   20.379593]  ret_from_fork_asm+0x1a/0x30
[   20.380325] 
[   20.380554] Last potentially related work creation:
[   20.381158]  kasan_save_stack+0x45/0x70
[   20.381702]  kasan_record_aux_stack+0xb2/0xc0
[   20.382167]  __queue_work+0x626/0xeb0
[   20.382753]  queue_work_on+0xb6/0xc0
[   20.383176]  workqueue_uaf+0x26d/0x560
[   20.383744]  kunit_try_run_case+0x1a5/0x480
[   20.384315]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.384804]  kthread+0x337/0x6f0
[   20.385223]  ret_from_fork+0x41/0x80
[   20.386211]  ret_from_fork_asm+0x1a/0x30
[   20.386660] 
[   20.386898] The buggy address belongs to the object at ffff888102edc900
[   20.386898]  which belongs to the cache kmalloc-32 of size 32
[   20.388069] The buggy address is located 0 bytes inside of
[   20.388069]  freed 32-byte region [ffff888102edc900, ffff888102edc920)
[   20.389232] 
[   20.389827] The buggy address belongs to the physical page:
[   20.390254] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102edc
[   20.392085] flags: 0x200000000000000(node=0|zone=2)
[   20.392655] page_type: f5(slab)
[   20.392950] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   20.393548] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   20.393943] page dumped because: kasan: bad access detected
[   20.394261] 
[   20.394484] Memory state around the buggy address:
[   20.394951]  ffff888102edc800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   20.395587]  ffff888102edc880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   20.396220] >ffff888102edc900: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   20.396673]                    ^
[   20.396953]  ffff888102edc980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.397428]  ffff888102edca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.401218] ==================================================================
Metadata Full log Test run details