Date: June 26, 2025, 11:12 a.m.
Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |
e850-96:

```text
[ 32.987014] ==================================================================
[ 32.994135] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 33.000814] Read of size 8 at addr ffff000800d63c40 by task kunit_try_catch/249
[ 33.008105]
[ 33.009591] CPU: 0 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT
[ 33.009648] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.009666] Hardware name: WinLink E850-96 board (DT)
[ 33.009689] Call trace:
[ 33.009702]  show_stack+0x20/0x38 (C)
[ 33.009736]  dump_stack_lvl+0x8c/0xd0
[ 33.009776]  print_report+0x118/0x608
[ 33.009807]  kasan_report+0xdc/0x128
[ 33.009837]  __asan_report_load8_noabort+0x20/0x30
[ 33.009873]  workqueue_uaf+0x480/0x4a8
[ 33.009907]  kunit_try_run_case+0x170/0x3f0
[ 33.009946]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.009986]  kthread+0x328/0x630
[ 33.010021]  ret_from_fork+0x10/0x20
[ 33.010057]
[ 33.071995] Allocated by task 249:
[ 33.075383]  kasan_save_stack+0x3c/0x68
[ 33.079198]  kasan_save_track+0x20/0x40
[ 33.083017]  kasan_save_alloc_info+0x40/0x58
[ 33.087271]  __kasan_kmalloc+0xd4/0xd8
[ 33.091003]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 33.095517]  workqueue_uaf+0x13c/0x4a8
[ 33.099250]  kunit_try_run_case+0x170/0x3f0
[ 33.103416]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.108886]  kthread+0x328/0x630
[ 33.112097]  ret_from_fork+0x10/0x20
[ 33.115656]
[ 33.117132] Freed by task 87:
[ 33.120085]  kasan_save_stack+0x3c/0x68
[ 33.123902]  kasan_save_track+0x20/0x40
[ 33.127721]  kasan_save_free_info+0x4c/0x78
[ 33.131888]  __kasan_slab_free+0x6c/0x98
[ 33.135794]  kfree+0x214/0x3c8
[ 33.138832]  workqueue_uaf_work+0x18/0x30
[ 33.142825]  process_one_work+0x530/0xf98
[ 33.146818]  worker_thread+0x618/0xf38
[ 33.150551]  kthread+0x328/0x630
[ 33.153763]  ret_from_fork+0x10/0x20
[ 33.157322]
[ 33.158799] Last potentially related work creation:
[ 33.163658]  kasan_save_stack+0x3c/0x68
[ 33.167478]  kasan_record_aux_stack+0xb4/0xc8
[ 33.171819]  __queue_work+0x65c/0x1008
[ 33.175551]  queue_work_on+0xbc/0xf8
[ 33.179109]  workqueue_uaf+0x210/0x4a8
[ 33.182842]  kunit_try_run_case+0x170/0x3f0
[ 33.187009]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.192477]  kthread+0x328/0x630
[ 33.195689]  ret_from_fork+0x10/0x20
[ 33.199248]
[ 33.200725] The buggy address belongs to the object at ffff000800d63c40
[ 33.200725]  which belongs to the cache kmalloc-32 of size 32
[ 33.213053] The buggy address is located 0 bytes inside of
[ 33.213053]  freed 32-byte region [ffff000800d63c40, ffff000800d63c60)
[ 33.225029]
[ 33.226509] The buggy address belongs to the physical page:
[ 33.232066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880d63
[ 33.240049] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.246559] page_type: f5(slab)
[ 33.249697] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 33.257414] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 33.265134] page dumped because: kasan: bad access detected
[ 33.270689]
[ 33.272165] Memory state around the buggy address:
[ 33.276945]  ffff000800d63b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 33.284146]  ffff000800d63b80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 33.291351] >ffff000800d63c00: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 33.298552]                                            ^
[ 33.303851]  ffff000800d63c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.311056]  ffff000800d63d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.318257] ==================================================================
```
qemu-arm64:

```text
[ 18.549580] ==================================================================
[ 18.549770] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 18.550083] Read of size 8 at addr fff00000c797f680 by task kunit_try_catch/202
[ 18.550220]
[ 18.550327] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT
[ 18.550528] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.550606] Hardware name: linux,dummy-virt (DT)
[ 18.550671] Call trace:
[ 18.550729]  show_stack+0x20/0x38 (C)
[ 18.550786]  dump_stack_lvl+0x8c/0xd0
[ 18.550841]  print_report+0x118/0x608
[ 18.550896]  kasan_report+0xdc/0x128
[ 18.550942]  __asan_report_load8_noabort+0x20/0x30
[ 18.550992]  workqueue_uaf+0x480/0x4a8
[ 18.551038]  kunit_try_run_case+0x170/0x3f0
[ 18.551543]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.551621]  kthread+0x328/0x630
[ 18.551990]  ret_from_fork+0x10/0x20
[ 18.552400]
[ 18.552582] Allocated by task 202:
[ 18.552682]  kasan_save_stack+0x3c/0x68
[ 18.552729]  kasan_save_track+0x20/0x40
[ 18.552765]  kasan_save_alloc_info+0x40/0x58
[ 18.552836]  __kasan_kmalloc+0xd4/0xd8
[ 18.552883]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.552923]  workqueue_uaf+0x13c/0x4a8
[ 18.552962]  kunit_try_run_case+0x170/0x3f0
[ 18.553000]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.553046]  kthread+0x328/0x630
[ 18.553081]  ret_from_fork+0x10/0x20
[ 18.553117]
[ 18.553135] Freed by task 75:
[ 18.553162]  kasan_save_stack+0x3c/0x68
[ 18.553527]  kasan_save_track+0x20/0x40
[ 18.553603]  kasan_save_free_info+0x4c/0x78
[ 18.553747]  __kasan_slab_free+0x6c/0x98
[ 18.553785]  kfree+0x214/0x3c8
[ 18.554227]  workqueue_uaf_work+0x18/0x30
[ 18.554293]  process_one_work+0x530/0xf98
[ 18.554351]  worker_thread+0x618/0xf38
[ 18.554405]  kthread+0x328/0x630
[ 18.554440]  ret_from_fork+0x10/0x20
[ 18.554478]
[ 18.554532] Last potentially related work creation:
[ 18.554569]  kasan_save_stack+0x3c/0x68
[ 18.554621]  kasan_record_aux_stack+0xb4/0xc8
[ 18.554661]  __queue_work+0x65c/0x1008
[ 18.554711]  queue_work_on+0xbc/0xf8
[ 18.554768]  workqueue_uaf+0x210/0x4a8
[ 18.554810]  kunit_try_run_case+0x170/0x3f0
[ 18.554872]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.554921]  kthread+0x328/0x630
[ 18.554968]  ret_from_fork+0x10/0x20
[ 18.555011]
[ 18.555056] The buggy address belongs to the object at fff00000c797f680
[ 18.555056]  which belongs to the cache kmalloc-32 of size 32
[ 18.555122] The buggy address is located 0 bytes inside of
[ 18.555122]  freed 32-byte region [fff00000c797f680, fff00000c797f6a0)
[ 18.555201]
[ 18.555223] The buggy address belongs to the physical page:
[ 18.555260] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10797f
[ 18.555333] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.555401] page_type: f5(slab)
[ 18.555455] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 18.555508] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 18.555561] page dumped because: kasan: bad access detected
[ 18.555602]
[ 18.555620] Memory state around the buggy address:
[ 18.555658]  fff00000c797f580: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 18.555705]  fff00000c797f600: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[ 18.555751] >fff00000c797f680: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 18.555794]                    ^
[ 18.555821]  fff00000c797f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.556640]  fff00000c797f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.556754] ==================================================================
```
qemu-x86_64:

```text
[ 11.530006] ==================================================================
[ 11.530439] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[ 11.530692] Read of size 8 at addr ffff888102f6b940 by task kunit_try_catch/219
[ 11.531081]
[ 11.531179] CPU: 1 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT(voluntary)
[ 11.531228] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.531240] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.531261] Call Trace:
[ 11.531275]  <TASK>
[ 11.531294]  dump_stack_lvl+0x73/0xb0
[ 11.531322]  print_report+0xd1/0x650
[ 11.531345]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.531367]  ? workqueue_uaf+0x4d6/0x560
[ 11.531388]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.531411]  ? workqueue_uaf+0x4d6/0x560
[ 11.531432]  kasan_report+0x141/0x180
[ 11.531454]  ? workqueue_uaf+0x4d6/0x560
[ 11.531480]  __asan_report_load8_noabort+0x18/0x20
[ 11.531500]  workqueue_uaf+0x4d6/0x560
[ 11.531522]  ? __pfx_workqueue_uaf+0x10/0x10
[ 11.531544]  ? __schedule+0x10cc/0x2b60
[ 11.531581]  ? __pfx_read_tsc+0x10/0x10
[ 11.531601]  ? ktime_get_ts64+0x86/0x230
[ 11.531627]  kunit_try_run_case+0x1a5/0x480
[ 11.531652]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.531674]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.531697]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.531720]  ? __kthread_parkme+0x82/0x180
[ 11.531742]  ? preempt_count_sub+0x50/0x80
[ 11.531768]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.531792]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.531814]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.531837]  kthread+0x337/0x6f0
[ 11.531853]  ? trace_preempt_on+0x20/0xc0
[ 11.531876]  ? __pfx_kthread+0x10/0x10
[ 11.531894]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.531914]  ? calculate_sigpending+0x7b/0xa0
[ 11.532002]  ? __pfx_kthread+0x10/0x10
[ 11.532024]  ret_from_fork+0x41/0x80
[ 11.532045]  ? __pfx_kthread+0x10/0x10
[ 11.532063]  ret_from_fork_asm+0x1a/0x30
[ 11.532094]  </TASK>
[ 11.532106]
[ 11.544349] Allocated by task 219:
[ 11.544535]  kasan_save_stack+0x45/0x70
[ 11.544997]  kasan_save_track+0x18/0x40
[ 11.545368]  kasan_save_alloc_info+0x3b/0x50
[ 11.545837]  __kasan_kmalloc+0xb7/0xc0
[ 11.546082]  __kmalloc_cache_noprof+0x189/0x420
[ 11.546240]  workqueue_uaf+0x152/0x560
[ 11.546373]  kunit_try_run_case+0x1a5/0x480
[ 11.546522]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.546725]  kthread+0x337/0x6f0
[ 11.546980]  ret_from_fork+0x41/0x80
[ 11.547329]  ret_from_fork_asm+0x1a/0x30
[ 11.547725]
[ 11.547935] Freed by task 48:
[ 11.548400]  kasan_save_stack+0x45/0x70
[ 11.548771]  kasan_save_track+0x18/0x40
[ 11.548908]  kasan_save_free_info+0x3f/0x60
[ 11.549063]  __kasan_slab_free+0x56/0x70
[ 11.549198]  kfree+0x222/0x3f0
[ 11.549311]  workqueue_uaf_work+0x12/0x20
[ 11.549449]  process_one_work+0x5ee/0xf60
[ 11.549587]  worker_thread+0x758/0x1220
[ 11.549717]  kthread+0x337/0x6f0
[ 11.549832]  ret_from_fork+0x41/0x80
[ 11.550049]  ret_from_fork_asm+0x1a/0x30
[ 11.550526]
[ 11.550792] Last potentially related work creation:
[ 11.551232]  kasan_save_stack+0x45/0x70
[ 11.551656]  kasan_record_aux_stack+0xb2/0xc0
[ 11.552137]  __queue_work+0x626/0xeb0
[ 11.552591]  queue_work_on+0xb6/0xc0
[ 11.552999]  workqueue_uaf+0x26d/0x560
[ 11.553359]  kunit_try_run_case+0x1a5/0x480
[ 11.553982]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.554514]  kthread+0x337/0x6f0
[ 11.554914]  ret_from_fork+0x41/0x80
[ 11.555288]  ret_from_fork_asm+0x1a/0x30
[ 11.555667]
[ 11.555905] The buggy address belongs to the object at ffff888102f6b940
[ 11.555905]  which belongs to the cache kmalloc-32 of size 32
[ 11.557081] The buggy address is located 0 bytes inside of
[ 11.557081]  freed 32-byte region [ffff888102f6b940, ffff888102f6b960)
[ 11.557826]
[ 11.558036] The buggy address belongs to the physical page:
[ 11.558280] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f6b
[ 11.558518] flags: 0x200000000000000(node=0|zone=2)
[ 11.559215] page_type: f5(slab)
[ 11.559559] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 11.560412] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 11.561255] page dumped because: kasan: bad access detected
[ 11.561546]
[ 11.561731] Memory state around the buggy address:
[ 11.562222]  ffff888102f6b800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 11.562677]  ffff888102f6b880: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 11.563201] >ffff888102f6b900: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 11.563409]                                            ^
[ 11.563574]  ffff888102f6b980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.564003]  ffff888102f6ba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.564632] ==================================================================
```