Date
July 4, 2025, 3:11 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 30.906460] ================================================================== [ 30.913849] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8 [ 30.920531] Read of size 8 at addr ffff000803acdd80 by task kunit_try_catch/249 [ 30.927822] [ 30.929306] CPU: 2 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT [ 30.929363] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.929383] Hardware name: WinLink E850-96 board (DT) [ 30.929406] Call trace: [ 30.929420] show_stack+0x20/0x38 (C) [ 30.929455] dump_stack_lvl+0x8c/0xd0 [ 30.929491] print_report+0x118/0x608 [ 30.929521] kasan_report+0xdc/0x128 [ 30.929550] __asan_report_load8_noabort+0x20/0x30 [ 30.929590] workqueue_uaf+0x480/0x4a8 [ 30.929624] kunit_try_run_case+0x170/0x3f0 [ 30.929661] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.929697] kthread+0x328/0x630 [ 30.929733] ret_from_fork+0x10/0x20 [ 30.929767] [ 30.991709] Allocated by task 249: [ 30.995096] kasan_save_stack+0x3c/0x68 [ 30.998911] kasan_save_track+0x20/0x40 [ 31.002731] kasan_save_alloc_info+0x40/0x58 [ 31.006984] __kasan_kmalloc+0xd4/0xd8 [ 31.010718] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.015231] workqueue_uaf+0x13c/0x4a8 [ 31.018963] kunit_try_run_case+0x170/0x3f0 [ 31.023130] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.028598] kthread+0x328/0x630 [ 31.031810] ret_from_fork+0x10/0x20 [ 31.035370] [ 31.036846] Freed by task 67: [ 31.039798] kasan_save_stack+0x3c/0x68 [ 31.043616] kasan_save_track+0x20/0x40 [ 31.047435] kasan_save_free_info+0x4c/0x78 [ 31.051602] __kasan_slab_free+0x6c/0x98 [ 31.055508] kfree+0x214/0x3c8 [ 31.058546] workqueue_uaf_work+0x18/0x30 [ 31.062539] process_one_work+0x530/0xf98 [ 31.066532] worker_thread+0x618/0xf38 [ 31.070266] kthread+0x328/0x630 [ 31.073476] ret_from_fork+0x10/0x20 [ 31.077035] [ 31.078512] Last potentially related work creation: [ 31.083372] kasan_save_stack+0x3c/0x68 [ 31.087191] kasan_record_aux_stack+0xb4/0xc8 [ 31.091532] __queue_work+0x65c/0x1008 [ 31.095264] queue_work_on+0xbc/0xf8 [ 31.098823] workqueue_uaf+0x210/0x4a8 [ 31.102556] kunit_try_run_case+0x170/0x3f0 [ 31.106723] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.112191] kthread+0x328/0x630 [ 31.115403] ret_from_fork+0x10/0x20 [ 31.118962] [ 31.120439] The buggy address belongs to the object at ffff000803acdd80 [ 31.120439] which belongs to the cache kmalloc-32 of size 32 [ 31.132765] The buggy address is located 0 bytes inside of [ 31.132765] freed 32-byte region [ffff000803acdd80, ffff000803acdda0) [ 31.144743] [ 31.146221] The buggy address belongs to the physical page: [ 31.151777] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883acd [ 31.159762] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.166272] page_type: f5(slab) [ 31.169411] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000 [ 31.177127] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 31.184849] page dumped because: kasan: bad access detected [ 31.190401] [ 31.191877] Memory state around the buggy address: [ 31.196658] ffff000803acdc80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 31.203860] ffff000803acdd00: fa fb fb fb fc fc fc fc 00 00 00 07 fc fc fc fc [ 31.211066] >ffff000803acdd80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 31.218266] ^ [ 31.221483] ffff000803acde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.228686] ffff000803acde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.235889] ==================================================================
[ 15.954485] ================================================================== [ 15.954550] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8 [ 15.954801] Read of size 8 at addr fff00000c65b3040 by task kunit_try_catch/205 [ 15.954853] [ 15.954952] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT [ 15.955033] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.955060] Hardware name: linux,dummy-virt (DT) [ 15.955093] Call trace: [ 15.955115] show_stack+0x20/0x38 (C) [ 15.955389] dump_stack_lvl+0x8c/0xd0 [ 15.955489] print_report+0x118/0x608 [ 15.955534] kasan_report+0xdc/0x128 [ 15.955577] __asan_report_load8_noabort+0x20/0x30 [ 15.955684] workqueue_uaf+0x480/0x4a8 [ 15.955828] kunit_try_run_case+0x170/0x3f0 [ 15.956027] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.956161] kthread+0x328/0x630 [ 15.956329] ret_from_fork+0x10/0x20 [ 15.956466] [ 15.956734] Allocated by task 205: [ 15.956784] kasan_save_stack+0x3c/0x68 [ 15.956832] kasan_save_track+0x20/0x40 [ 15.956866] kasan_save_alloc_info+0x40/0x58 [ 15.956905] __kasan_kmalloc+0xd4/0xd8 [ 15.956941] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.956980] workqueue_uaf+0x13c/0x4a8 [ 15.957018] kunit_try_run_case+0x170/0x3f0 [ 15.957057] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.957288] kthread+0x328/0x630 [ 15.957332] ret_from_fork+0x10/0x20 [ 15.957368] [ 15.957386] Freed by task 78: [ 15.957413] kasan_save_stack+0x3c/0x68 [ 15.957447] kasan_save_track+0x20/0x40 [ 15.957483] kasan_save_free_info+0x4c/0x78 [ 15.957521] __kasan_slab_free+0x6c/0x98 [ 15.957557] kfree+0x214/0x3c8 [ 15.957590] workqueue_uaf_work+0x18/0x30 [ 15.957637] process_one_work+0x530/0xf98 [ 15.957710] worker_thread+0x618/0xf38 [ 15.958058] kthread+0x328/0x630 [ 15.958276] ret_from_fork+0x10/0x20 [ 15.958441] [ 15.958671] Last potentially related work creation: [ 15.958811] kasan_save_stack+0x3c/0x68 [ 15.958872] kasan_record_aux_stack+0xb4/0xc8 [ 15.958911] __queue_work+0x65c/0x1008 [ 15.959108] queue_work_on+0xbc/0xf8 [ 15.959200] workqueue_uaf+0x210/0x4a8 [ 15.959317] kunit_try_run_case+0x170/0x3f0 [ 15.959358] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.959639] kthread+0x328/0x630 [ 15.959786] ret_from_fork+0x10/0x20 [ 15.959940] [ 15.960024] The buggy address belongs to the object at fff00000c65b3040 [ 15.960024] which belongs to the cache kmalloc-32 of size 32 [ 15.960222] The buggy address is located 0 bytes inside of [ 15.960222] freed 32-byte region [fff00000c65b3040, fff00000c65b3060) [ 15.960431] [ 15.960534] The buggy address belongs to the physical page: [ 15.960667] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b3 [ 15.960772] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 15.960923] page_type: f5(slab) [ 15.960989] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 15.961089] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 15.961131] page dumped because: kasan: bad access detected [ 15.961162] [ 15.961179] Memory state around the buggy address: [ 15.961211] fff00000c65b2f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.961253] fff00000c65b2f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.961336] >fff00000c65b3000: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc [ 15.961379] ^ [ 15.961412] fff00000c65b3080: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.961454] fff00000c65b3100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.961492] ==================================================================
[ 15.100832] ================================================================== [ 15.101731] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560 [ 15.102050] Read of size 8 at addr ffff8881026070c0 by task kunit_try_catch/221 [ 15.102590] [ 15.102776] CPU: 0 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary) [ 15.102876] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.102901] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.102941] Call Trace: [ 15.102971] <TASK> [ 15.103009] dump_stack_lvl+0x73/0xb0 [ 15.103070] print_report+0xd1/0x650 [ 15.103118] ? __virt_addr_valid+0x1db/0x2d0 [ 15.103167] ? workqueue_uaf+0x4d6/0x560 [ 15.103207] ? kasan_complete_mode_report_info+0x64/0x200 [ 15.103252] ? workqueue_uaf+0x4d6/0x560 [ 15.103298] kasan_report+0x141/0x180 [ 15.103366] ? workqueue_uaf+0x4d6/0x560 [ 15.103420] __asan_report_load8_noabort+0x18/0x20 [ 15.103770] workqueue_uaf+0x4d6/0x560 [ 15.103846] ? __pfx_workqueue_uaf+0x10/0x10 [ 15.103886] ? __schedule+0x10cc/0x2b60 [ 15.103926] ? __pfx_read_tsc+0x10/0x10 [ 15.103962] ? ktime_get_ts64+0x86/0x230 [ 15.104006] kunit_try_run_case+0x1a5/0x480 [ 15.104049] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.104084] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.104125] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.104164] ? __kthread_parkme+0x82/0x180 [ 15.104201] ? preempt_count_sub+0x50/0x80 [ 15.104252] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.104295] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.104355] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.104395] kthread+0x337/0x6f0 [ 15.104426] ? trace_preempt_on+0x20/0xc0 [ 15.104477] ? __pfx_kthread+0x10/0x10 [ 15.104507] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.104551] ? calculate_sigpending+0x7b/0xa0 [ 15.104586] ? __pfx_kthread+0x10/0x10 [ 15.104621] ret_from_fork+0x41/0x80 [ 15.104663] ? __pfx_kthread+0x10/0x10 [ 15.104702] ret_from_fork_asm+0x1a/0x30 [ 15.104757] </TASK> [ 15.104776] [ 15.117758] Allocated by task 221: [ 15.118168] kasan_save_stack+0x45/0x70 [ 15.118700] kasan_save_track+0x18/0x40 [ 15.118962] kasan_save_alloc_info+0x3b/0x50 [ 15.119813] __kasan_kmalloc+0xb7/0xc0 [ 15.120179] __kmalloc_cache_noprof+0x189/0x420 [ 15.120736] workqueue_uaf+0x152/0x560 [ 15.121126] kunit_try_run_case+0x1a5/0x480 [ 15.121762] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.122059] kthread+0x337/0x6f0 [ 15.122649] ret_from_fork+0x41/0x80 [ 15.122964] ret_from_fork_asm+0x1a/0x30 [ 15.123667] [ 15.123942] Freed by task 72: [ 15.124043] kasan_save_stack+0x45/0x70 [ 15.124795] kasan_save_track+0x18/0x40 [ 15.125208] kasan_save_free_info+0x3f/0x60 [ 15.125577] __kasan_slab_free+0x56/0x70 [ 15.125946] kfree+0x222/0x3f0 [ 15.126212] workqueue_uaf_work+0x12/0x20 [ 15.126795] process_one_work+0x5ee/0xf60 [ 15.127610] worker_thread+0x758/0x1220 [ 15.127960] kthread+0x337/0x6f0 [ 15.128396] ret_from_fork+0x41/0x80 [ 15.128758] ret_from_fork_asm+0x1a/0x30 [ 15.129056] [ 15.129306] Last potentially related work creation: [ 15.129674] kasan_save_stack+0x45/0x70 [ 15.130052] kasan_record_aux_stack+0xb2/0xc0 [ 15.130665] __queue_work+0x626/0xeb0 [ 15.130941] queue_work_on+0xb6/0xc0 [ 15.131597] workqueue_uaf+0x26d/0x560 [ 15.131956] kunit_try_run_case+0x1a5/0x480 [ 15.132174] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.132568] kthread+0x337/0x6f0 [ 15.132874] ret_from_fork+0x41/0x80 [ 15.133108] ret_from_fork_asm+0x1a/0x30 [ 15.134135] [ 15.134505] The buggy address belongs to the object at ffff8881026070c0 [ 15.134505] which belongs to the cache kmalloc-32 of size 32 [ 15.135770] The buggy address is located 0 bytes inside of [ 15.135770] freed 32-byte region [ffff8881026070c0, ffff8881026070e0) [ 15.136654] [ 15.136858] The buggy address belongs to the physical page: [ 15.137390] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102607 [ 15.137913] flags: 0x200000000000000(node=0|zone=2) [ 15.138587] page_type: f5(slab) [ 15.138772] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 15.139350] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 15.140360] page dumped because: kasan: bad access detected [ 15.140767] [ 15.140944] Memory state around the buggy address: [ 15.141216] ffff888102606f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.141855] ffff888102607000: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 15.142565] >ffff888102607080: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc [ 15.143129] ^ [ 15.143986] ffff888102607100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.144477] ffff888102607180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.144927] ==================================================================