Hay
Sign in
Date
June 23, 2025, 1:39 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   25.377744] ==================================================================
[   25.377918] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   25.378060] Read of size 8 at addr fff00000c76c26c0 by task kunit_try_catch/202
[   25.378179] 
[   25.378265] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc1 #1 PREEMPT 
[   25.378482] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.378560] Hardware name: linux,dummy-virt (DT)
[   25.378638] Call trace:
[   25.379520]  show_stack+0x20/0x38 (C)
[   25.380832]  dump_stack_lvl+0x8c/0xd0
[   25.381368]  print_report+0x118/0x608
[   25.382605]  kasan_report+0xdc/0x128
[   25.382859]  __asan_report_load8_noabort+0x20/0x30
[   25.382998]  workqueue_uaf+0x480/0x4a8
[   25.383213]  kunit_try_run_case+0x170/0x3f0
[   25.383352]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.384520]  kthread+0x328/0x630
[   25.385042]  ret_from_fork+0x10/0x20
[   25.385257] 
[   25.386090] Allocated by task 202:
[   25.386417]  kasan_save_stack+0x3c/0x68
[   25.386632]  kasan_save_track+0x20/0x40
[   25.386742]  kasan_save_alloc_info+0x40/0x58
[   25.386961]  __kasan_kmalloc+0xd4/0xd8
[   25.387057]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.387216]  workqueue_uaf+0x13c/0x4a8
[   25.387319]  kunit_try_run_case+0x170/0x3f0
[   25.387484]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.387650]  kthread+0x328/0x630
[   25.387745]  ret_from_fork+0x10/0x20
[   25.387842] 
[   25.387902] Freed by task 9:
[   25.387966]  kasan_save_stack+0x3c/0x68
[   25.388064]  kasan_save_track+0x20/0x40
[   25.388149]  kasan_save_free_info+0x4c/0x78
[   25.388243]  __kasan_slab_free+0x6c/0x98
[   25.388326]  kfree+0x214/0x3c8
[   25.388427]  workqueue_uaf_work+0x18/0x30
[   25.388539]  process_one_work+0x530/0xf98
[   25.388659]  worker_thread+0x618/0xf38
[   25.388898]  kthread+0x328/0x630
[   25.389168]  ret_from_fork+0x10/0x20
[   25.389274] 
[   25.389348] Last potentially related work creation:
[   25.389549]  kasan_save_stack+0x3c/0x68
[   25.389820]  kasan_record_aux_stack+0xb4/0xc8
[   25.389953]  __queue_work+0x65c/0x1008
[   25.390170]  queue_work_on+0xbc/0xf8
[   25.390261]  workqueue_uaf+0x210/0x4a8
[   25.390405]  kunit_try_run_case+0x170/0x3f0
[   25.390507]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.390711]  kthread+0x328/0x630
[   25.390817]  ret_from_fork+0x10/0x20
[   25.390916] 
[   25.390971] The buggy address belongs to the object at fff00000c76c26c0
[   25.390971]  which belongs to the cache kmalloc-32 of size 32
[   25.391184] The buggy address is located 0 bytes inside of
[   25.391184]  freed 32-byte region [fff00000c76c26c0, fff00000c76c26e0)
[   25.391338] 
[   25.391409] The buggy address belongs to the physical page:
[   25.391487] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076c2
[   25.391613] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.391729] page_type: f5(slab)
[   25.391857] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   25.392032] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   25.392138] page dumped because: kasan: bad access detected
[   25.392223] 
[   25.392265] Memory state around the buggy address:
[   25.392350]  fff00000c76c2580: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   25.392507]  fff00000c76c2600: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   25.392689] >fff00000c76c2680: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   25.392785]                                            ^
[   25.392867]  fff00000c76c2700: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.392984]  fff00000c76c2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.393157] ==================================================================
Metadata Full log Test run details 

[   18.232342] ==================================================================
[   18.233520] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   18.234212] Read of size 8 at addr ffff888102a18a40 by task kunit_try_catch/221
[   18.234774] 
[   18.235017] CPU: 0 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc1 #1 PREEMPT(voluntary) 
[   18.235134] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.235169] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   18.235224] Call Trace:
[   18.235264]  <TASK>
[   18.235490]  dump_stack_lvl+0x73/0xb0
[   18.235575]  print_report+0xd1/0x650
[   18.235670]  ? __virt_addr_valid+0x1db/0x2d0
[   18.235748]  ? workqueue_uaf+0x4d6/0x560
[   18.235819]  ? kasan_complete_mode_report_info+0x64/0x200
[   18.235888]  ? workqueue_uaf+0x4d6/0x560
[   18.235958]  kasan_report+0x141/0x180
[   18.236032]  ? workqueue_uaf+0x4d6/0x560
[   18.236118]  __asan_report_load8_noabort+0x18/0x20
[   18.236189]  workqueue_uaf+0x4d6/0x560
[   18.236267]  ? __pfx_workqueue_uaf+0x10/0x10
[   18.236342]  ? __schedule+0x10cc/0x2b60
[   18.236412]  ? __pfx_read_tsc+0x10/0x10
[   18.236481]  ? ktime_get_ts64+0x86/0x230
[   18.236563]  kunit_try_run_case+0x1a5/0x480
[   18.236655]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.236732]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   18.236782]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   18.236818]  ? __kthread_parkme+0x82/0x180
[   18.236849]  ? preempt_count_sub+0x50/0x80
[   18.236884]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.236919]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.236951]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   18.236983]  kthread+0x337/0x6f0
[   18.237004]  ? trace_preempt_on+0x20/0xc0
[   18.237037]  ? __pfx_kthread+0x10/0x10
[   18.237061]  ? _raw_spin_unlock_irq+0x47/0x80
[   18.237090]  ? calculate_sigpending+0x7b/0xa0
[   18.237120]  ? __pfx_kthread+0x10/0x10
[   18.237145]  ret_from_fork+0x41/0x80
[   18.237174]  ? __pfx_kthread+0x10/0x10
[   18.237197]  ret_from_fork_asm+0x1a/0x30
[   18.237272]  </TASK>
[   18.237289] 
[   18.255539] Allocated by task 221:
[   18.256112]  kasan_save_stack+0x45/0x70
[   18.256917]  kasan_save_track+0x18/0x40
[   18.257411]  kasan_save_alloc_info+0x3b/0x50
[   18.258017]  __kasan_kmalloc+0xb7/0xc0
[   18.258490]  __kmalloc_cache_noprof+0x189/0x420
[   18.259070]  workqueue_uaf+0x152/0x560
[   18.259551]  kunit_try_run_case+0x1a5/0x480
[   18.260140]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.261023]  kthread+0x337/0x6f0
[   18.261480]  ret_from_fork+0x41/0x80
[   18.261972]  ret_from_fork_asm+0x1a/0x30
[   18.262481] 
[   18.262869] Freed by task 9:
[   18.263192]  kasan_save_stack+0x45/0x70
[   18.263633]  kasan_save_track+0x18/0x40
[   18.264201]  kasan_save_free_info+0x3f/0x60
[   18.264808]  __kasan_slab_free+0x56/0x70
[   18.265294]  kfree+0x222/0x3f0
[   18.265734]  workqueue_uaf_work+0x12/0x20
[   18.266090]  process_one_work+0x5ee/0xf60
[   18.267039]  worker_thread+0x758/0x1220
[   18.267458]  kthread+0x337/0x6f0
[   18.268001]  ret_from_fork+0x41/0x80
[   18.268438]  ret_from_fork_asm+0x1a/0x30
[   18.269023] 
[   18.269328] Last potentially related work creation:
[   18.269927]  kasan_save_stack+0x45/0x70
[   18.270350]  kasan_record_aux_stack+0xb2/0xc0
[   18.270785]  __queue_work+0x626/0xeb0
[   18.271225]  queue_work_on+0xb6/0xc0
[   18.272106]  workqueue_uaf+0x26d/0x560
[   18.272803]  kunit_try_run_case+0x1a5/0x480
[   18.273373]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.274133]  kthread+0x337/0x6f0
[   18.274563]  ret_from_fork+0x41/0x80
[   18.275133]  ret_from_fork_asm+0x1a/0x30
[   18.275523] 
[   18.276391] The buggy address belongs to the object at ffff888102a18a40
[   18.276391]  which belongs to the cache kmalloc-32 of size 32
[   18.277925] The buggy address is located 0 bytes inside of
[   18.277925]  freed 32-byte region [ffff888102a18a40, ffff888102a18a60)
[   18.278817] 
[   18.279018] The buggy address belongs to the physical page:
[   18.279381] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a18
[   18.280520] flags: 0x200000000000000(node=0|zone=2)
[   18.281294] page_type: f5(slab)
[   18.282055] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   18.282759] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   18.283320] page dumped because: kasan: bad access detected
[   18.283938] 
[   18.284197] Memory state around the buggy address:
[   18.284725]  ffff888102a18900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   18.285453]  ffff888102a18980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   18.286303] >ffff888102a18a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   18.287209]                                            ^
[   18.287894]  ffff888102a18a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.288509]  ffff888102a18b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.289262] ==================================================================
Metadata Full log Test run details