zzqq0103

Untitled

Jan 12th, 2025
==================================================================
BUG: KASAN: slab-use-after-free in __list_del include/linux/list.h:195 [inline]
BUG: KASAN: slab-use-after-free in __list_del_entry include/linux/list.h:218 [inline]
BUG: KASAN: slab-use-after-free in list_del include/linux/list.h:229 [inline]
BUG: KASAN: slab-use-after-free in detach_worker+0x164/0x180 kernel/workqueue.c:2709
Write of size 8 at addr ffff88810d694380 by task kworker/R-write/40

CPU: 1 UID: 0 PID: 40 Comm: kworker/R-write Not tainted 6.12.0-rc4 #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: 0x0 (writeback)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xcb/0x620 mm/kasan/report.c:488
kasan_report+0xbd/0xf0 mm/kasan/report.c:601
__list_del include/linux/list.h:195 [inline]
__list_del_entry include/linux/list.h:218 [inline]
list_del include/linux/list.h:229 [inline]
detach_worker+0x164/0x180 kernel/workqueue.c:2709
worker_detach_from_pool kernel/workqueue.c:2728 [inline]
rescuer_thread+0x69d/0xcd0 kernel/workqueue.c:3526
kthread+0x2c2/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 8064:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x7f/0x90 mm/kasan/common.c:394
kmalloc_node_noprof include/linux/slab.h:901 [inline]
get_unbound_pool kernel/workqueue.c:5008 [inline]
alloc_unbound_pwq+0x687/0x1000 kernel/workqueue.c:5136
apply_wqattrs_prepare+0x49c/0xe20 kernel/workqueue.c:5261
apply_workqueue_attrs_locked+0x64/0xf0 kernel/workqueue.c:5337
wq_cpumask_store+0xe4/0x180 kernel/workqueue.c:7139
dev_attr_store+0x57/0x80 drivers/base/core.c:2447
sysfs_kf_write+0x117/0x170 fs/sysfs/file.c:136
kernfs_fop_write_iter+0x33c/0x500 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:590 [inline]
vfs_write+0xbcb/0x10d0 fs/read_write.c:683
ksys_write+0x122/0x250 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xbf/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 0:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3a/0x60 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x38/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x212/0x4a0 mm/slub.c:4727
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0x835/0x17f0 kernel/rcu/tree.c:2823
handle_softirqs+0x1b1/0x7d0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0x94/0xc0 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x70/0x80 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
__kasan_record_aux_stack+0x8c/0xa0 mm/kasan/generic.c:541
__call_rcu_common.constprop.0+0x6a/0xad0 kernel/rcu/tree.c:3086
put_unbound_pool+0x552/0x830 kernel/workqueue.c:4965
pwq_release_workfn+0x4c6/0x9e0 kernel/workqueue.c:5065
kthread_worker_fn+0x2b9/0xb00 kernel/kthread.c:844
kthread+0x2c2/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88810d694000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 896 bytes inside of
freed 2048-byte region [ffff88810d694000, ffff88810d694800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810d694000 pfn:0x10d690
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000240(workingset|head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000240 ffff888100042f00 ffffea0004032610 ffffea00043bc810
raw: ffff88810d694000 0000000000080001 00000001f5000000 0000000000000000
head: 0200000000000240 ffff888100042f00 ffffea0004032610 ffffea00043bc810
head: ffff88810d694000 0000000000080001 00000001f5000000 0000000000000000
head: 0200000000000003 ffffea000435a401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810d694280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810d694300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810d694380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88810d694400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810d694480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================