lkft/linux-mainline-master - v6.15-rc3-1-g9d7a0577c9db - log-parser-test/kasan-bug-kasan-double-free-in-kmem_cache_double_free

Date

April 20, 2025, 11:09 p.m.

Environment
x15
x86

[   60.587066] ==================================================================
[   60.597961] BUG: KASAN: double-free in kmem_cache_double_free+0x208/0x4bc
[   60.604827] Free of addr cc232000 by task kunit_try_catch/265
[   60.610626] 
[   60.612152] CPU: 1 UID: 0 PID: 265 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   60.612182] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   60.612213] Hardware name: Generic DRA74X (Flattened Device Tree)
[   60.612213] Call trace: 
[   60.612213]  unwind_backtrace from show_stack+0x18/0x1c
[   60.612274]  show_stack from dump_stack_lvl+0x70/0x90
[   60.612304]  dump_stack_lvl from print_report+0x158/0x528
[   60.612335]  print_report from kasan_report_invalid_free+0xc0/0xf4
[   60.612396]  kasan_report_invalid_free from check_slab_allocation+0xb8/0xd8
[   60.612426]  check_slab_allocation from kmem_cache_free+0xe0/0x470
[   60.612457]  kmem_cache_free from kmem_cache_double_free+0x208/0x4bc
[   60.612487]  kmem_cache_double_free from kunit_try_run_case+0x22c/0x5a8
[   60.612548]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   60.612579]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   60.612609]  kthread from ret_from_fork+0x14/0x20
[   60.612640] Exception stack(0xf255bfb0 to 0xf255bff8)
[   60.612670] bfa0:                                     00000000 00000000 00000000 00000000
[   60.612701] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   60.612731] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   60.612731] 
[   60.733032] Allocated by task 265:
[   60.736450]  kasan_save_track+0x30/0x5c
[   60.740325]  __kasan_slab_alloc+0x60/0x68
[   60.744354]  kmem_cache_alloc_noprof+0x17c/0x36c
[   60.749023]  kmem_cache_double_free+0x16c/0x4bc
[   60.753601]  kunit_try_run_case+0x22c/0x5a8
[   60.757812]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   60.763336]  kthread+0x464/0x810
[   60.766601]  ret_from_fork+0x14/0x20
[   60.770202] 
[   60.771697] Freed by task 265:
[   60.774780]  kasan_save_track+0x30/0x5c
[   60.778656]  kasan_save_free_info+0x3c/0x48
[   60.782867]  __kasan_slab_free+0x40/0x50
[   60.786834]  kmem_cache_free+0x100/0x470
[   60.790771]  kmem_cache_double_free+0x184/0x4bc
[   60.795349]  kunit_try_run_case+0x22c/0x5a8
[   60.799560]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   60.805084]  kthread+0x464/0x810
[   60.808349]  ret_from_fork+0x14/0x20
[   60.811950] 
[   60.813446] The buggy address belongs to the object at cc232000
[   60.813446]  which belongs to the cache test_cache of size 200
[   60.825256] The buggy address is located 0 bytes inside of
[   60.825256]  200-byte region [cc232000, cc2320c8)
[   60.835510] 
[   60.837005] The buggy address belongs to the physical page:
[   60.842620] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c232
[   60.849884] flags: 0x0(zone=0)
[   60.852966] page_type: f5(slab)
[   60.856140] raw: 00000000 cc22f100 00000122 00000000 00000000 800f000f f5000000 00000000
[   60.864288] raw: 00000000
[   60.866943] page dumped because: kasan: bad access detected
[   60.872528] 
[   60.874053] Memory state around the buggy address:
[   60.878875]  cc231f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.885437]  cc231f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.891998] >cc232000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.898590]            ^
[   60.901123]  cc232080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   60.907714]  cc232100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.914276] ==================================================================

Metadata Full log Test run details

[   32.912279] ==================================================================
[   32.923094] BUG: KASAN: double-free in kmem_cache_double_free+0x1e5/0x480
[   32.929893] Free of addr ffff888100e06000 by task kunit_try_catch/252
[   32.936332] 
[   32.937837] CPU: 2 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   32.937846] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.937848] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   32.937852] Call Trace:
[   32.937854]  <TASK>
[   32.937856]  dump_stack_lvl+0x73/0xb0
[   32.937861]  print_report+0xd1/0x650
[   32.937866]  ? __virt_addr_valid+0x1db/0x2d0
[   32.937871]  ? kasan_complete_mode_report_info+0x64/0x200
[   32.937875]  ? kmem_cache_double_free+0x1e5/0x480
[   32.937878]  kasan_report_invalid_free+0x10a/0x130
[   32.937883]  ? kmem_cache_double_free+0x1e5/0x480
[   32.937887]  ? kmem_cache_double_free+0x1e5/0x480
[   32.937891]  check_slab_allocation+0x101/0x130
[   32.937895]  __kasan_slab_pre_free+0x28/0x40
[   32.937899]  kmem_cache_free+0xed/0x420
[   32.937903]  ? kmem_cache_alloc_noprof+0x123/0x3f0
[   32.937907]  ? kmem_cache_double_free+0x1e5/0x480
[   32.937911]  kmem_cache_double_free+0x1e5/0x480
[   32.937915]  ? __pfx_kmem_cache_double_free+0x10/0x10
[   32.937918]  ? finish_task_switch.isra.0+0x153/0x700
[   32.937923]  ? __switch_to+0x5d9/0xf60
[   32.937927]  ? dequeue_task_fair+0x166/0x4e0
[   32.937933]  ? ktime_get_ts64+0x83/0x230
[   32.937938]  kunit_try_run_case+0x1a2/0x480
[   32.937944]  ? __pfx_kunit_try_run_case+0x10/0x10
[   32.937948]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   32.937953]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   32.937957]  ? __kthread_parkme+0x82/0x180
[   32.937962]  ? preempt_count_sub+0x50/0x80
[   32.937966]  ? __pfx_kunit_try_run_case+0x10/0x10
[   32.937970]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   32.937975]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   32.937979]  kthread+0x334/0x6f0
[   32.937983]  ? trace_preempt_on+0x20/0xc0
[   32.937988]  ? __pfx_kthread+0x10/0x10
[   32.937992]  ? _raw_spin_unlock_irq+0x47/0x80
[   32.937996]  ? calculate_sigpending+0x7b/0xa0
[   32.938000]  ? __pfx_kthread+0x10/0x10
[   32.938004]  ret_from_fork+0x3e/0x80
[   32.938009]  ? __pfx_kthread+0x10/0x10
[   32.938013]  ret_from_fork_asm+0x1a/0x30
[   32.938019]  </TASK>
[   32.938021] 
[   33.130485] Allocated by task 252:
[   33.133889]  kasan_save_stack+0x45/0x70
[   33.137747]  kasan_save_track+0x18/0x40
[   33.141586]  kasan_save_alloc_info+0x3b/0x50
[   33.145857]  __kasan_slab_alloc+0x91/0xa0
[   33.149871]  kmem_cache_alloc_noprof+0x123/0x3f0
[   33.154490]  kmem_cache_double_free+0x14f/0x480
[   33.159021]  kunit_try_run_case+0x1a2/0x480
[   33.163206]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   33.168608]  kthread+0x334/0x6f0
[   33.171848]  ret_from_fork+0x3e/0x80
[   33.175427]  ret_from_fork_asm+0x1a/0x30
[   33.179352] 
[   33.180854] Freed by task 252:
[   33.183911]  kasan_save_stack+0x45/0x70
[   33.187750]  kasan_save_track+0x18/0x40
[   33.191590]  kasan_save_free_info+0x3f/0x60
[   33.195776]  __kasan_slab_free+0x56/0x70
[   33.199717]  kmem_cache_free+0x249/0x420
[   33.203654]  kmem_cache_double_free+0x16a/0x480
[   33.208220]  kunit_try_run_case+0x1a2/0x480
[   33.212407]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   33.217805]  kthread+0x334/0x6f0
[   33.221037]  ret_from_fork+0x3e/0x80
[   33.224616]  ret_from_fork_asm+0x1a/0x30
[   33.228543] 
[   33.230042] The buggy address belongs to the object at ffff888100e06000
[   33.230042]  which belongs to the cache test_cache of size 200
[   33.242471] The buggy address is located 0 bytes inside of
[   33.242471]  200-byte region [ffff888100e06000, ffff888100e060c8)
[   33.254038] 
[   33.255539] The buggy address belongs to the physical page:
[   33.261111] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100e06
[   33.269117] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   33.276770] flags: 0x200000000000040(head|node=0|zone=2)
[   33.282084] page_type: f5(slab)
[   33.285230] raw: 0200000000000040 ffff888100dbcb40 dead000000000122 0000000000000000
[   33.292977] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   33.300733] head: 0200000000000040 ffff888100dbcb40 dead000000000122 0000000000000000
[   33.308559] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   33.316386] head: 0200000000000001 ffffea0004038181 00000000ffffffff 00000000ffffffff
[   33.324221] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   33.332053] page dumped because: kasan: bad access detected
[   33.337626] 
[   33.339125] Memory state around the buggy address:
[   33.343918]  ffff888100e05f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.351136]  ffff888100e05f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.358356] >ffff888100e06000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.365583]                    ^
[   33.368815]  ffff888100e06080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   33.376036]  ffff888100e06100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.383261] ==================================================================

Metadata Full log Test run details

Metadata

Failure - x15 - gcc-13-lkftconfig-kunit

Failure - x86 - gcc-13-lkftconfig-kunit