Date
Feb. 5, 2025, 2:09 p.m.
Environment |
---|
qemu-armv7 |
qemu-x86_64 |
qemu-armv7:

```
[ 148.019760] ==================================================================
[ 148.020930] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x14c/0x264
[ 148.021672] Read of size 4 at addr c8fbdd00 by task kunit_try_catch/209
[ 148.022446]
[ 148.022708] CPU: 1 PID: 209 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 148.023589] Hardware name: Generic DT based system
[ 148.024135] unwind_backtrace from show_stack+0x18/0x1c
[ 148.024787] show_stack from dump_stack_lvl+0x58/0x70
[ 148.025408] dump_stack_lvl from print_report+0x164/0x51c
[ 148.026174] print_report from kasan_report+0xc8/0x104
[ 148.026869] kasan_report from workqueue_uaf+0x14c/0x264
[ 148.027606] workqueue_uaf from kunit_try_run_case+0x11c/0x2e4
[ 148.028403] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 148.029494] kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[ 148.030292] kthread from ret_from_fork+0x14/0x30
[ 148.031112] Exception stack(0xfa143fb0 to 0xfa143ff8)
[ 148.031843] 3fa0: 00000000 00000000 00000000 00000000
[ 148.032716] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 148.033596] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 148.034309]
[ 148.034551] Allocated by task 209:
[ 148.034946] kasan_set_track+0x3c/0x5c
[ 148.035528] __kasan_kmalloc+0x8c/0x94
[ 148.036156] workqueue_uaf+0xcc/0x264
[ 148.036584] kunit_try_run_case+0x11c/0x2e4
[ 148.037297] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 148.038084] kthread+0x184/0x1a8
[ 148.038690] ret_from_fork+0x14/0x30
[ 148.039264]
[ 148.039587] Freed by task 33:
[ 148.040027] kasan_set_track+0x3c/0x5c
[ 148.040544] kasan_save_free_info+0x30/0x3c
[ 148.041174] __kasan_slab_free+0xdc/0x124
[ 148.041765] __kmem_cache_free+0x140/0x2a8
[ 148.042396] process_one_work+0x2e4/0x678
[ 148.042952] worker_thread+0x4d8/0x828
[ 148.043408] kthread+0x184/0x1a8
[ 148.044007] ret_from_fork+0x14/0x30
[ 148.044466]
[ 148.044821] Last potentially related work creation:
[ 148.045418] kasan_save_stack+0x30/0x4c
[ 148.046293] __kasan_record_aux_stack+0x84/0x8c
[ 148.046992] __queue_work+0x2a8/0x9b8
[ 148.047589] queue_work_on+0x98/0x9c
[ 148.048101] workqueue_uaf+0x128/0x264
[ 148.048944] kunit_try_run_case+0x11c/0x2e4
[ 148.049287] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 148.049632] kthread+0x184/0x1a8
[ 148.049862] ret_from_fork+0x14/0x30
[ 148.050168]
[ 148.050374] The buggy address belongs to the object at c8fbdd00
[ 148.050374] which belongs to the cache kmalloc-64 of size 64
[ 148.051707] The buggy address is located 0 bytes inside of
[ 148.051707] freed 64-byte region [c8fbdd00, c8fbdd40)
[ 148.053307]
[ 148.053556] The buggy address belongs to the physical page:
[ 148.054348] page:652e16b7 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48fbd
[ 148.055350] flags: 0x800(slab|zone=0)
[ 148.055982] page_type: 0xffffffff()
[ 148.056789] raw: 00000800 c4801200 00000122 00000000 00000000 80200020 ffffffff 00000001
[ 148.057956] raw: 00000000
[ 148.058369] page dumped because: kasan: bad access detected
[ 148.059092]
[ 148.059397] Memory state around the buggy address:
[ 148.059909] c8fbdc00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 148.060917] c8fbdc80: 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc fc
[ 148.061744] >c8fbdd00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 148.062616] ^
[ 148.063322] c8fbdd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 148.064073] c8fbde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 148.064829] ==================================================================
```
qemu-x86_64:

```
[ 51.872858] ==================================================================
[ 51.873933] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x166/0x2a0
[ 51.874730] Read of size 8 at addr ffff888102842a80 by task kunit_try_catch/232
[ 51.875565]
[ 51.876026] CPU: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 51.877554] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 51.878620] Call Trace:
[ 51.879037] <TASK>
[ 51.879389] dump_stack_lvl+0x4e/0x90
[ 51.880382] print_report+0xd2/0x660
[ 51.881109] ? __virt_addr_valid+0x156/0x1e0
[ 51.881685] ? kasan_complete_mode_report_info+0x64/0x200
[ 51.882626] kasan_report+0xff/0x140
[ 51.883384] ? workqueue_uaf+0x166/0x2a0
[ 51.884229] ? workqueue_uaf+0x166/0x2a0
[ 51.884687] __asan_load8+0x82/0xb0
[ 51.885407] workqueue_uaf+0x166/0x2a0
[ 51.886156] ? __pfx_workqueue_uaf+0x10/0x10
[ 51.886778] ? __schedule+0x70b/0x1190
[ 51.887517] ? ktime_get_ts64+0x118/0x140
[ 51.888051] kunit_try_run_case+0x126/0x290
[ 51.888667] ? __pfx_kunit_try_run_case+0x10/0x10
[ 51.889253] ? __kasan_check_write+0x18/0x20
[ 51.890282] ? trace_preempt_on+0x20/0xa0
[ 51.890863] ? __kthread_parkme+0x4f/0xd0
[ 51.891614] ? preempt_count_sub+0x50/0x80
[ 51.892376] ? __pfx_kunit_try_run_case+0x10/0x10
[ 51.893132] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 51.894259] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 51.894902] kthread+0x19e/0x1e0
[ 51.895630] ? __pfx_kthread+0x10/0x10
[ 51.896377] ret_from_fork+0x41/0x70
[ 51.897121] ? __pfx_kthread+0x10/0x10
[ 51.897640] ret_from_fork_asm+0x1b/0x30
[ 51.898310] </TASK>
[ 51.898662]
[ 51.898892] Allocated by task 232:
[ 51.899331] kasan_save_stack+0x3c/0x60
[ 51.900358] kasan_set_track+0x29/0x40
[ 51.901111] kasan_save_alloc_info+0x22/0x30
[ 51.901664] __kasan_kmalloc+0xb7/0xc0
[ 51.902413] kmalloc_trace+0x4c/0xb0
[ 51.903287] workqueue_uaf+0xdb/0x2a0
[ 51.903833] kunit_try_run_case+0x126/0x290
[ 51.904587] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 51.905397] kthread+0x19e/0x1e0
[ 51.906110] ret_from_fork+0x41/0x70
[ 51.906570] ret_from_fork_asm+0x1b/0x30
[ 51.907517]
[ 51.907805] Freed by task 8:
[ 51.908390] kasan_save_stack+0x3c/0x60
[ 51.908954] kasan_set_track+0x29/0x40
[ 51.909427] kasan_save_free_info+0x2f/0x50
[ 51.910359] ____kasan_slab_free+0x172/0x1d0
[ 51.911313] __kasan_slab_free+0x16/0x20
[ 51.911850] __kmem_cache_free+0x190/0x310
[ 51.912553] kfree+0x7c/0x120
[ 51.913213] workqueue_uaf_work+0x12/0x20
[ 51.913685] process_one_work+0x2fb/0x640
[ 51.914488] worker_thread+0x521/0x780
[ 51.915348] kthread+0x19e/0x1e0
[ 51.915834] ret_from_fork+0x41/0x70
[ 51.916497] ret_from_fork_asm+0x1b/0x30
[ 51.917073]
[ 51.917307] Last potentially related work creation:
[ 51.917857] kasan_save_stack+0x3c/0x60
[ 51.918341] __kasan_record_aux_stack+0xb3/0xd0
[ 51.919539] kasan_record_aux_stack_noalloc+0xf/0x20
[ 51.920386] __queue_work.part.0+0x269/0x730
[ 51.921096] __queue_work+0x44/0xc0
[ 51.921620] queue_work_on+0x91/0xa0
[ 51.922311] workqueue_uaf+0x147/0x2a0
[ 51.922772] kunit_try_run_case+0x126/0x290
[ 51.923678] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 51.924550] kthread+0x19e/0x1e0
[ 51.925199] ret_from_fork+0x41/0x70
[ 51.925727] ret_from_fork_asm+0x1b/0x30
[ 51.926307]
[ 51.926531] The buggy address belongs to the object at ffff888102842a80
[ 51.926531] which belongs to the cache kmalloc-32 of size 32
[ 51.927651] The buggy address is located 0 bytes inside of
[ 51.927651] freed 32-byte region [ffff888102842a80, ffff888102842aa0)
[ 51.929557]
[ 51.929859] The buggy address belongs to the physical page:
[ 51.930509] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102842
[ 51.931895] flags: 0x200000000000800(slab|node=0|zone=2)
[ 51.932539] page_type: 0xffffffff()
[ 51.933358] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[ 51.934331] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 51.935462] page dumped because: kasan: bad access detected
[ 51.936264]
[ 51.936479] Memory state around the buggy address:
[ 51.937239] ffff888102842980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 51.938030] ffff888102842a00: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[ 51.938671] >ffff888102842a80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.940234] ^
[ 51.940666] ffff888102842b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.941428] ffff888102842b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.942478] ==================================================================
```