Hay
Date: Feb. 5, 2025, 2:09 p.m.
Environment: qemu-arm64

[  184.660498] ==================================================================
[  184.663340] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x14c/0x270
[  184.664599] Read of size 8 at addr ffff0000c60518c0 by task kunit_try_catch/214
[  184.667129] 
[  184.667738] CPU: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[  184.669731] Hardware name: linux,dummy-virt (DT)
[  184.671131] Call trace:
[  184.671814]  dump_backtrace+0x9c/0x128
[  184.672962]  show_stack+0x20/0x38
[  184.674459]  dump_stack_lvl+0x60/0xb0
[  184.675521]  print_report+0xf8/0x5d8
[  184.676651]  kasan_report+0xc8/0x118
[  184.678099]  __asan_load8+0x9c/0xc0
[  184.679239]  workqueue_uaf+0x14c/0x270
[  184.680329]  kunit_try_run_case+0xf8/0x260
[  184.682943]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  184.684425]  kthread+0x18c/0x1a8
[  184.685555]  ret_from_fork+0x10/0x20
[  184.686722] 
[  184.687345] Allocated by task 214:
[  184.688213]  kasan_save_stack+0x3c/0x68
[  184.689399]  kasan_set_track+0x2c/0x40
[  184.690713]  kasan_save_alloc_info+0x24/0x38
[  184.691766]  __kasan_kmalloc+0xd4/0xd8
[  184.693161]  kmalloc_trace+0x68/0x130
[  184.694489]  workqueue_uaf+0xd0/0x270
[  184.695560]  kunit_try_run_case+0xf8/0x260
[  184.696804]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  184.698504]  kthread+0x18c/0x1a8
[  184.699432]  ret_from_fork+0x10/0x20
[  184.700565] 
[  184.701455] Freed by task 70:
[  184.702443]  kasan_save_stack+0x3c/0x68
[  184.703759]  kasan_set_track+0x2c/0x40
[  184.704956]  kasan_save_free_info+0x38/0x60
[  184.706404]  __kasan_slab_free+0x100/0x170
[  184.707645]  __kmem_cache_free+0x170/0x2e0
[  184.709056]  kfree+0x74/0x138
[  184.710132]  workqueue_uaf_work+0x18/0x30
[  184.711317]  process_one_work+0x2a8/0x6d0
[  184.712488]  worker_thread+0x53c/0x708
[  184.714006]  kthread+0x18c/0x1a8
[  184.714693]  ret_from_fork+0x10/0x20
[  184.715818] 
[  184.716290] Last potentially related work creation:
[  184.717802]  kasan_save_stack+0x3c/0x68
[  184.719155]  __kasan_record_aux_stack+0xb8/0xe8
[  184.720556]  kasan_record_aux_stack_noalloc+0x14/0x20
[  184.722041]  __queue_work+0x260/0x800
[  184.722959]  queue_work_on+0xb4/0xf0
[  184.723980]  workqueue_uaf+0x12c/0x270
[  184.725282]  kunit_try_run_case+0xf8/0x260
[  184.726543]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  184.727998]  kthread+0x18c/0x1a8
[  184.729065]  ret_from_fork+0x10/0x20
[  184.730024] 
[  184.730664] The buggy address belongs to the object at ffff0000c60518c0
[  184.730664]  which belongs to the cache kmalloc-32 of size 32
[  184.733544] The buggy address is located 0 bytes inside of
[  184.733544]  freed 32-byte region [ffff0000c60518c0, ffff0000c60518e0)
[  184.736020] 
[  184.736676] The buggy address belongs to the physical page:
[  184.738324] page:00000000b85054fb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106051
[  184.740275] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[  184.741923] page_type: 0xffffffff()
[  184.743439] raw: 0bfffc0000000800 ffff0000c0001500 dead000000000122 0000000000000000
[  184.744841] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[  184.746886] page dumped because: kasan: bad access detected
[  184.748156] 
[  184.748818] Memory state around the buggy address:
[  184.750172]  ffff0000c6051780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[  184.751912]  ffff0000c6051800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[  184.753812] >ffff0000c6051880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[  184.755447]                                            ^
[  184.756836]  ffff0000c6051900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  184.758550]  ffff0000c6051980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  184.760139] ==================================================================