Hay
Date
July 5, 2025, 5:09 p.m.

Environment
qemu-arm64
qemu-x86_64

Note: the two KASAN reports below (one per environment, kernel 6.16.0-rc4) are produced while the KUnit runner task `kunit_try_catch` executes a test case named `workqueue_uaf`, and the kernel is tainted with [N]=TEST. This appears to be the KASAN self-test that deliberately frees a kmalloc-32 object from a queued work item (`workqueue_uaf_work`) and then reads it, so the "slab-use-after-free" BUG lines are the expected trigger of that test rather than evidence of a defect in the workqueue code. Treat them as a real finding only if the same splat appears outside the KUnit test context.

[   18.668686] ==================================================================
[   18.668754] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   18.668807] Read of size 8 at addr fff00000c77eb480 by task kunit_try_catch/200
[   18.668857] 
[   18.668903] CPU: 1 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.668985] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.669012] Hardware name: linux,dummy-virt (DT)
[   18.669042] Call trace:
[   18.669065]  show_stack+0x20/0x38 (C)
[   18.669111]  dump_stack_lvl+0x8c/0xd0
[   18.669157]  print_report+0x118/0x608
[   18.669203]  kasan_report+0xdc/0x128
[   18.669248]  __asan_report_load8_noabort+0x20/0x30
[   18.669295]  workqueue_uaf+0x480/0x4a8
[   18.669341]  kunit_try_run_case+0x170/0x3f0
[   18.669426]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.669534]  kthread+0x328/0x630
[   18.669577]  ret_from_fork+0x10/0x20
[   18.669624] 
[   18.669672] Allocated by task 200:
[   18.669727]  kasan_save_stack+0x3c/0x68
[   18.669770]  kasan_save_track+0x20/0x40
[   18.669828]  kasan_save_alloc_info+0x40/0x58
[   18.669917]  __kasan_kmalloc+0xd4/0xd8
[   18.669983]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.670026]  workqueue_uaf+0x13c/0x4a8
[   18.670060]  kunit_try_run_case+0x170/0x3f0
[   18.670099]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.670140]  kthread+0x328/0x630
[   18.670173]  ret_from_fork+0x10/0x20
[   18.670209] 
[   18.670227] Freed by task 47:
[   18.670253]  kasan_save_stack+0x3c/0x68
[   18.670289]  kasan_save_track+0x20/0x40
[   18.670327]  kasan_save_free_info+0x4c/0x78
[   18.670366]  __kasan_slab_free+0x6c/0x98
[   18.670421]  kfree+0x214/0x3c8
[   18.670471]  workqueue_uaf_work+0x18/0x30
[   18.670527]  process_one_work+0x530/0xf98
[   18.670565]  worker_thread+0x618/0xf38
[   18.670600]  kthread+0x328/0x630
[   18.670631]  ret_from_fork+0x10/0x20
[   18.670667] 
[   18.670686] Last potentially related work creation:
[   18.670722]  kasan_save_stack+0x3c/0x68
[   18.670970]  kasan_record_aux_stack+0xb4/0xc8
[   18.671017]  __queue_work+0x65c/0x1008
[   18.671054]  queue_work_on+0xbc/0xf8
[   18.671093]  workqueue_uaf+0x210/0x4a8
[   18.671129]  kunit_try_run_case+0x170/0x3f0
[   18.671166]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.671209]  kthread+0x328/0x630
[   18.671240]  ret_from_fork+0x10/0x20
[   18.671276] 
[   18.671295] The buggy address belongs to the object at fff00000c77eb480
[   18.671295]  which belongs to the cache kmalloc-32 of size 32
[   18.671352] The buggy address is located 0 bytes inside of
[   18.671352]  freed 32-byte region [fff00000c77eb480, fff00000c77eb4a0)
[   18.671410] 
[   18.671434] The buggy address belongs to the physical page:
[   18.671465] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077eb
[   18.671515] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.671562] page_type: f5(slab)
[   18.671599] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   18.671647] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   18.671686] page dumped because: kasan: bad access detected
[   18.671717] 
[   18.671734] Memory state around the buggy address:
[   18.671765]  fff00000c77eb380: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   18.671807]  fff00000c77eb400: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   18.671848] >fff00000c77eb480: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   18.672307]                    ^
[   18.672416]  fff00000c77eb500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.672478]  fff00000c77eb580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.672533] ==================================================================

[   12.190076] ==================================================================
[   12.190824] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   12.191433] Read of size 8 at addr ffff8881038dc100 by task kunit_try_catch/218
[   12.192164] 
[   12.192360] CPU: 1 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   12.192406] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.192418] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.192440] Call Trace:
[   12.192463]  <TASK>
[   12.192480]  dump_stack_lvl+0x73/0xb0
[   12.192509]  print_report+0xd1/0x650
[   12.192530]  ? __virt_addr_valid+0x1db/0x2d0
[   12.192552]  ? workqueue_uaf+0x4d6/0x560
[   12.192573]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.192595]  ? workqueue_uaf+0x4d6/0x560
[   12.192616]  kasan_report+0x141/0x180
[   12.192637]  ? workqueue_uaf+0x4d6/0x560
[   12.192663]  __asan_report_load8_noabort+0x18/0x20
[   12.192727]  workqueue_uaf+0x4d6/0x560
[   12.192751]  ? __pfx_workqueue_uaf+0x10/0x10
[   12.192773]  ? __schedule+0x10cc/0x2b60
[   12.192794]  ? __pfx_read_tsc+0x10/0x10
[   12.192815]  ? ktime_get_ts64+0x86/0x230
[   12.192838]  kunit_try_run_case+0x1a5/0x480
[   12.192862]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.192883]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.192906]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.192928]  ? __kthread_parkme+0x82/0x180
[   12.192947]  ? preempt_count_sub+0x50/0x80
[   12.192970]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.192993]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.193015]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.193037]  kthread+0x337/0x6f0
[   12.193056]  ? trace_preempt_on+0x20/0xc0
[   12.193078]  ? __pfx_kthread+0x10/0x10
[   12.193098]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.193119]  ? calculate_sigpending+0x7b/0xa0
[   12.193141]  ? __pfx_kthread+0x10/0x10
[   12.193162]  ret_from_fork+0x116/0x1d0
[   12.193179]  ? __pfx_kthread+0x10/0x10
[   12.193227]  ret_from_fork_asm+0x1a/0x30
[   12.193258]  </TASK>
[   12.193269] 
[   12.206066] Allocated by task 218:
[   12.206445]  kasan_save_stack+0x45/0x70
[   12.206859]  kasan_save_track+0x18/0x40
[   12.207128]  kasan_save_alloc_info+0x3b/0x50
[   12.207414]  __kasan_kmalloc+0xb7/0xc0
[   12.207793]  __kmalloc_cache_noprof+0x189/0x420
[   12.208191]  workqueue_uaf+0x152/0x560
[   12.208422]  kunit_try_run_case+0x1a5/0x480
[   12.208585]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.208918]  kthread+0x337/0x6f0
[   12.209213]  ret_from_fork+0x116/0x1d0
[   12.209656]  ret_from_fork_asm+0x1a/0x30
[   12.210048] 
[   12.210205] Freed by task 41:
[   12.210659]  kasan_save_stack+0x45/0x70
[   12.211028]  kasan_save_track+0x18/0x40
[   12.211301]  kasan_save_free_info+0x3f/0x60
[   12.211467]  __kasan_slab_free+0x56/0x70
[   12.211614]  kfree+0x222/0x3f0
[   12.211759]  workqueue_uaf_work+0x12/0x20
[   12.212109]  process_one_work+0x5ee/0xf60
[   12.212530]  worker_thread+0x758/0x1220
[   12.212975]  kthread+0x337/0x6f0
[   12.213355]  ret_from_fork+0x116/0x1d0
[   12.213722]  ret_from_fork_asm+0x1a/0x30
[   12.214090] 
[   12.214284] Last potentially related work creation:
[   12.214729]  kasan_save_stack+0x45/0x70
[   12.215086]  kasan_record_aux_stack+0xb2/0xc0
[   12.215405]  __queue_work+0x626/0xeb0
[   12.215764]  queue_work_on+0xb6/0xc0
[   12.216156]  workqueue_uaf+0x26d/0x560
[   12.216363]  kunit_try_run_case+0x1a5/0x480
[   12.216772]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.217035]  kthread+0x337/0x6f0
[   12.217157]  ret_from_fork+0x116/0x1d0
[   12.217522]  ret_from_fork_asm+0x1a/0x30
[   12.217903] 
[   12.218072] The buggy address belongs to the object at ffff8881038dc100
[   12.218072]  which belongs to the cache kmalloc-32 of size 32
[   12.219107] The buggy address is located 0 bytes inside of
[   12.219107]  freed 32-byte region [ffff8881038dc100, ffff8881038dc120)
[   12.219944] 
[   12.220124] The buggy address belongs to the physical page:
[   12.220845] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038dc
[   12.221102] flags: 0x200000000000000(node=0|zone=2)
[   12.221465] page_type: f5(slab)
[   12.221778] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   12.222498] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   12.223294] page dumped because: kasan: bad access detected
[   12.223896] 
[   12.224015] Memory state around the buggy address:
[   12.224175]  ffff8881038dc000: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   12.224849]  ffff8881038dc080: 00 00 07 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   12.225685] >ffff8881038dc100: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   12.226042]                    ^
[   12.226161]  ffff8881038dc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.226878]  ffff8881038dc200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.227570] ==================================================================