Hay
Sign in
Date
June 17, 2025, 3:39 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   96.099049] ==================================================================
[   96.100877] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x14c/0x270
[   96.102333] Read of size 8 at addr ffff0000c5ec1f00 by task kunit_try_catch/215
[   96.103741] 
[   96.104193] CPU: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   96.105733] Hardware name: linux,dummy-virt (DT)
[   96.107320] Call trace:
[   96.108324]  dump_backtrace+0x9c/0x128
[   96.110205]  show_stack+0x20/0x38
[   96.112200]  dump_stack_lvl+0x60/0xb0
[   96.113626]  print_report+0xf8/0x5e8
[   96.114683]  kasan_report+0xdc/0x128
[   96.116590]  __asan_load8+0x9c/0xc0
[   96.117504]  workqueue_uaf+0x14c/0x270
[   96.118329]  kunit_try_run_case+0x114/0x298
[   96.119204]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   96.120315]  kthread+0x18c/0x1a8
[   96.121104]  ret_from_fork+0x10/0x20
[   96.121937] 
[   96.122336] Allocated by task 215:
[   96.123179]  kasan_save_stack+0x3c/0x68
[   96.124134]  kasan_set_track+0x2c/0x40
[   96.125032]  kasan_save_alloc_info+0x24/0x38
[   96.125919]  __kasan_kmalloc+0xd4/0xd8
[   96.126745]  kmalloc_trace+0x68/0x130
[   96.127584]  workqueue_uaf+0xd0/0x270
[   96.128309]  kunit_try_run_case+0x114/0x298
[   96.129130]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   96.130195]  kthread+0x18c/0x1a8
[   96.131148]  ret_from_fork+0x10/0x20
[   96.131928] 
[   96.132343] Freed by task 24:
[   96.132904]  kasan_save_stack+0x3c/0x68
[   96.133710]  kasan_set_track+0x2c/0x40
[   96.134493]  kasan_save_free_info+0x38/0x60
[   96.135537]  __kasan_slab_free+0x100/0x170
[   96.136466]  __kmem_cache_free+0x178/0x2c8
[   96.137327]  kfree+0x74/0x138
[   96.137971]  workqueue_uaf_work+0x18/0x30
[   96.138960]  process_one_work+0x2a8/0x6d0
[   96.139735]  worker_thread+0x528/0x6e8
[   96.140996]  kthread+0x18c/0x1a8
[   96.141754]  ret_from_fork+0x10/0x20
[   96.142510] 
[   96.143247] Last potentially related work creation:
[   96.144069]  kasan_save_stack+0x3c/0x68
[   96.144948]  __kasan_record_aux_stack+0xb8/0xe8
[   96.145841]  kasan_record_aux_stack_noalloc+0x14/0x20
[   96.146661]  __queue_work+0x2d0/0x7f8
[   96.147371]  queue_work_on+0xb4/0xf0
[   96.148346]  workqueue_uaf+0x12c/0x270
[   96.149122]  kunit_try_run_case+0x114/0x298
[   96.149961]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   96.151171]  kthread+0x18c/0x1a8
[   96.151934]  ret_from_fork+0x10/0x20
[   96.152737] 
[   96.153057] The buggy address belongs to the object at ffff0000c5ec1f00
[   96.153057]  which belongs to the cache kmalloc-32 of size 32
[   96.154621] The buggy address is located 0 bytes inside of
[   96.154621]  freed 32-byte region [ffff0000c5ec1f00, ffff0000c5ec1f20)
[   96.156297] 
[   96.156807] The buggy address belongs to the physical page:
[   96.157724] page:000000009bc72880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ec1
[   96.159070] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   96.160296] page_type: 0xffffffff()
[   96.161155] raw: 0bfffc0000000800 ffff0000c0001500 dead000000000122 0000000000000000
[   96.162480] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[   96.163784] page dumped because: kasan: bad access detected
[   96.164773] 
[   96.165228] Memory state around the buggy address:
[   96.166114]  ffff0000c5ec1e00: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[   96.167503]  ffff0000c5ec1e80: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   96.168932] >ffff0000c5ec1f00: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   96.169876]                    ^
[   96.170684]  ffff0000c5ec1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.171861]  ffff0000c5ec2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   96.172897] ==================================================================
Metadata Full log Test run details 

[   36.425844] ==================================================================
[   36.426568] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x166/0x2a0
[   36.427327] Read of size 8 at addr ffff888102796b40 by task kunit_try_catch/230
[   36.427692] 
[   36.427847] CPU: 1 PID: 230 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   36.429645] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   36.430263] Call Trace:
[   36.430591]  <TASK>
[   36.430996]  dump_stack_lvl+0x4e/0x90
[   36.431515]  print_report+0xd2/0x650
[   36.431811]  ? __virt_addr_valid+0x156/0x1e0
[   36.432106]  ? workqueue_uaf+0x166/0x2a0
[   36.432665]  ? kasan_complete_mode_report_info+0x64/0x200
[   36.433195]  ? workqueue_uaf+0x166/0x2a0
[   36.434079]  kasan_report+0x147/0x180
[   36.434334]  ? workqueue_uaf+0x166/0x2a0
[   36.434740]  __asan_load8+0x82/0xb0
[   36.435053]  workqueue_uaf+0x166/0x2a0
[   36.435311]  ? __pfx_workqueue_uaf+0x10/0x10
[   36.435703]  ? __schedule+0x715/0x11a0
[   36.436018]  ? ktime_get_ts64+0x118/0x140
[   36.436317]  kunit_try_run_case+0x120/0x290
[   36.436702]  ? __pfx_kunit_try_run_case+0x10/0x10
[   36.437096]  ? __kasan_check_write+0x18/0x20
[   36.437486]  ? trace_preempt_on+0x20/0xa0
[   36.437853]  ? __kthread_parkme+0x4f/0xd0
[   36.438171]  ? preempt_count_sub+0x50/0x80
[   36.438632]  ? __pfx_kunit_try_run_case+0x10/0x10
[   36.438995]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   36.439436]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   36.439831]  kthread+0x19e/0x1e0
[   36.440078]  ? __pfx_kthread+0x10/0x10
[   36.440374]  ret_from_fork+0x41/0x70
[   36.440731]  ? __pfx_kthread+0x10/0x10
[   36.441001]  ret_from_fork_asm+0x1b/0x30
[   36.441310]  </TASK>
[   36.441549] 
[   36.441690] Allocated by task 230:
[   36.441894]  kasan_save_stack+0x44/0x70
[   36.442187]  kasan_set_track+0x29/0x40
[   36.442525]  kasan_save_alloc_info+0x22/0x30
[   36.442941]  __kasan_kmalloc+0xb7/0xc0
[   36.443159]  kmalloc_trace+0x4c/0xb0
[   36.443403]  workqueue_uaf+0xdb/0x2a0
[   36.443634]  kunit_try_run_case+0x120/0x290
[   36.444149]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   36.444559]  kthread+0x19e/0x1e0
[   36.444795]  ret_from_fork+0x41/0x70
[   36.445113]  ret_from_fork_asm+0x1b/0x30
[   36.445440] 
[   36.445563] Freed by task 23:
[   36.445792]  kasan_save_stack+0x44/0x70
[   36.446037]  kasan_set_track+0x29/0x40
[   36.446285]  kasan_save_free_info+0x2f/0x50
[   36.446728]  ____kasan_slab_free+0x172/0x1d0
[   36.447097]  __kasan_slab_free+0x16/0x20
[   36.447384]  __kmem_cache_free+0x190/0x310
[   36.447700]  kfree+0x7c/0x120
[   36.447940]  workqueue_uaf_work+0x12/0x20
[   36.448204]  process_one_work+0x2fb/0x640
[   36.448748]  worker_thread+0x502/0x780
[   36.449015]  kthread+0x19e/0x1e0
[   36.449252]  ret_from_fork+0x41/0x70
[   36.449569]  ret_from_fork_asm+0x1b/0x30
[   36.449975] 
[   36.450098] Last potentially related work creation:
[   36.450333]  kasan_save_stack+0x44/0x70
[   36.450648]  __kasan_record_aux_stack+0xb3/0xd0
[   36.450919]  kasan_record_aux_stack_noalloc+0xf/0x20
[   36.451427]  __queue_work.part.0+0x269/0x730
[   36.451705]  __queue_work+0x44/0xc0
[   36.451937]  queue_work_on+0x91/0xa0
[   36.452199]  workqueue_uaf+0x147/0x2a0
[   36.452504]  kunit_try_run_case+0x120/0x290
[   36.452761]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   36.453141]  kthread+0x19e/0x1e0
[   36.453521]  ret_from_fork+0x41/0x70
[   36.453751]  ret_from_fork_asm+0x1b/0x30
[   36.454049] 
[   36.454180] The buggy address belongs to the object at ffff888102796b40
[   36.454180]  which belongs to the cache kmalloc-32 of size 32
[   36.454890] The buggy address is located 0 bytes inside of
[   36.454890]  freed 32-byte region [ffff888102796b40, ffff888102796b60)
[   36.455712] 
[   36.455853] The buggy address belongs to the physical page:
[   36.456193] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102796
[   36.456822] flags: 0x200000000000800(slab|node=0|zone=2)
[   36.457215] page_type: 0xffffffff()
[   36.457513] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[   36.457975] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[   36.458550] page dumped because: kasan: bad access detected
[   36.458923] 
[   36.459052] Memory state around the buggy address:
[   36.459294]  ffff888102796a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   36.459686]  ffff888102796a80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   36.460197] >ffff888102796b00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   36.460668]                                            ^
[   36.461034]  ffff888102796b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.461417]  ffff888102796c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.461921] ==================================================================
Metadata Full log Test run details