Date
April 22, 2025, 11:09 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
rk3399-rock-pi-4b |

qemu-arm64:

```
[ 19.208247] ==================================================================
[ 19.208496] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 19.208696] Read of size 1 at addr fff00000c405d3c0 by task kunit_try_catch/217
[ 19.209284]
[ 19.209396] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 19.210376] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.210488] Hardware name: linux,dummy-virt (DT)
[ 19.210693] Call trace:
[ 19.210962] show_stack+0x20/0x38 (C)
[ 19.211314] dump_stack_lvl+0x8c/0xd0
[ 19.211523] print_report+0x118/0x608
[ 19.211636] kasan_report+0xdc/0x128
[ 19.211721] __kasan_check_byte+0x54/0x70
[ 19.211812] kmem_cache_destroy+0x34/0x218
[ 19.211899] kmem_cache_double_destroy+0x174/0x300
[ 19.212001] kunit_try_run_case+0x170/0x3f0
[ 19.212105] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.212634] kthread+0x328/0x630
[ 19.213187] ret_from_fork+0x10/0x20
[ 19.213419]
[ 19.213830] Allocated by task 217:
[ 19.213949] kasan_save_stack+0x3c/0x68
[ 19.214139] kasan_save_track+0x20/0x40
[ 19.214234] kasan_save_alloc_info+0x40/0x58
[ 19.214546] __kasan_slab_alloc+0xa8/0xb0
[ 19.214740] kmem_cache_alloc_noprof+0x10c/0x3a0
[ 19.214845] __kmem_cache_create_args+0x178/0x280
[ 19.214951] kmem_cache_double_destroy+0xc0/0x300
[ 19.215048] kunit_try_run_case+0x170/0x3f0
[ 19.215569] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.216045] kthread+0x328/0x630
[ 19.216147] ret_from_fork+0x10/0x20
[ 19.216320]
[ 19.216365] Freed by task 217:
[ 19.216427] kasan_save_stack+0x3c/0x68
[ 19.216869] kasan_save_track+0x20/0x40
[ 19.216958] kasan_save_free_info+0x4c/0x78
[ 19.217500] __kasan_slab_free+0x6c/0x98
[ 19.217830] kmem_cache_free+0x260/0x470
[ 19.217930] slab_kmem_cache_release+0x38/0x50
[ 19.218242] kmem_cache_release+0x1c/0x30
[ 19.218557] kobject_put+0x17c/0x430
[ 19.218819] sysfs_slab_release+0x1c/0x30
[ 19.219115] kmem_cache_destroy+0x118/0x218
[ 19.219527] kmem_cache_double_destroy+0x128/0x300
[ 19.219843] kunit_try_run_case+0x170/0x3f0
[ 19.219936] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.220021] kthread+0x328/0x630
[ 19.220092] ret_from_fork+0x10/0x20
[ 19.220170]
[ 19.220574] The buggy address belongs to the object at fff00000c405d3c0
[ 19.220574] which belongs to the cache kmem_cache of size 208
[ 19.220782] The buggy address is located 0 bytes inside of
[ 19.220782] freed 208-byte region [fff00000c405d3c0, fff00000c405d490)
[ 19.221311]
[ 19.221386] The buggy address belongs to the physical page:
[ 19.221494] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10405d
[ 19.221647] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.222193] page_type: f5(slab)
[ 19.222305] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[ 19.222856] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 19.223088] page dumped because: kasan: bad access detected
[ 19.223313]
[ 19.223368] Memory state around the buggy address:
[ 19.223453]  fff00000c405d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.223570]  fff00000c405d300: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 19.223661] >fff00000c405d380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 19.224005]                                            ^
[ 19.224576]  fff00000c405d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.224702]  fff00000c405d480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.225510] ==================================================================
```

qemu-x86_64:

```
[ 19.547888] ==================================================================
[ 19.548769] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[ 19.549937] Read of size 1 at addr ffff888101ad4c80 by task kunit_try_catch/235
[ 19.550580]
[ 19.551239] CPU: 1 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 19.551384] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.551441] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.551568] Call Trace:
[ 19.551653] <TASK>
[ 19.551716] dump_stack_lvl+0x73/0xb0
[ 19.551797] print_report+0xd1/0x650
[ 19.551836] ? __virt_addr_valid+0x1db/0x2d0
[ 19.551873] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.551904] ? kasan_complete_mode_report_info+0x64/0x200
[ 19.551934] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.551963] kasan_report+0x141/0x180
[ 19.551993] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.552026] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.552055] __kasan_check_byte+0x3d/0x50
[ 19.552086] kmem_cache_destroy+0x25/0x1d0
[ 19.552119] kmem_cache_double_destroy+0x1bf/0x380
[ 19.552148] ? __pfx_kmem_cache_double_destroy+0x10/0x10
[ 19.552175] ? finish_task_switch.isra.0+0x153/0x700
[ 19.552209] ? __switch_to+0x5d9/0xf60
[ 19.552237] ? dequeue_task_fair+0x166/0x4e0
[ 19.552275] ? __pfx_read_tsc+0x10/0x10
[ 19.552302] ? ktime_get_ts64+0x86/0x230
[ 19.552340] kunit_try_run_case+0x1a5/0x480
[ 19.552374] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.552404] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 19.552475] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.552544] ? __kthread_parkme+0x82/0x180
[ 19.552579] ? preempt_count_sub+0x50/0x80
[ 19.552612] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.552644] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.552675] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.552708] kthread+0x337/0x6f0
[ 19.552737] ? trace_preempt_on+0x20/0xc0
[ 19.552771] ? __pfx_kthread+0x10/0x10
[ 19.552802] ? _raw_spin_unlock_irq+0x47/0x80
[ 19.552833] ? calculate_sigpending+0x7b/0xa0
[ 19.552863] ? __pfx_kthread+0x10/0x10
[ 19.552894] ret_from_fork+0x41/0x80
[ 19.552922] ? __pfx_kthread+0x10/0x10
[ 19.552952] ret_from_fork_asm+0x1a/0x30
[ 19.552995] </TASK>
[ 19.553008]
[ 19.575084] Allocated by task 235:
[ 19.575374] kasan_save_stack+0x45/0x70
[ 19.576215] kasan_save_track+0x18/0x40
[ 19.576796] kasan_save_alloc_info+0x3b/0x50
[ 19.577403] __kasan_slab_alloc+0x91/0xa0
[ 19.578020] kmem_cache_alloc_noprof+0x123/0x3f0
[ 19.578664] __kmem_cache_create_args+0x169/0x240
[ 19.579218] kmem_cache_double_destroy+0xd5/0x380
[ 19.579915] kunit_try_run_case+0x1a5/0x480
[ 19.580265] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.580779] kthread+0x337/0x6f0
[ 19.581086] ret_from_fork+0x41/0x80
[ 19.582151] ret_from_fork_asm+0x1a/0x30
[ 19.582517]
[ 19.582753] Freed by task 235:
[ 19.583287] kasan_save_stack+0x45/0x70
[ 19.583919] kasan_save_track+0x18/0x40
[ 19.584820] kasan_save_free_info+0x3f/0x60
[ 19.585352] __kasan_slab_free+0x56/0x70
[ 19.585855] kmem_cache_free+0x249/0x420
[ 19.586252] slab_kmem_cache_release+0x2e/0x40
[ 19.586694] kmem_cache_release+0x16/0x20
[ 19.587226] kobject_put+0x181/0x450
[ 19.588068] sysfs_slab_release+0x16/0x20
[ 19.588383] kmem_cache_destroy+0xf0/0x1d0
[ 19.589088] kmem_cache_double_destroy+0x14e/0x380
[ 19.589637] kunit_try_run_case+0x1a5/0x480
[ 19.590315] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.591050] kthread+0x337/0x6f0
[ 19.591355] ret_from_fork+0x41/0x80
[ 19.591957] ret_from_fork_asm+0x1a/0x30
[ 19.592718]
[ 19.593181] The buggy address belongs to the object at ffff888101ad4c80
[ 19.593181] which belongs to the cache kmem_cache of size 208
[ 19.594242] The buggy address is located 0 bytes inside of
[ 19.594242] freed 208-byte region [ffff888101ad4c80, ffff888101ad4d50)
[ 19.595475]
[ 19.596171] The buggy address belongs to the physical page:
[ 19.596601] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ad4
[ 19.597333] flags: 0x200000000000000(node=0|zone=2)
[ 19.598208] page_type: f5(slab)
[ 19.598563] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[ 19.599510] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 19.600047] page dumped because: kasan: bad access detected
[ 19.600437]
[ 19.601320] Memory state around the buggy address:
[ 19.601740]  ffff888101ad4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.602379]  ffff888101ad4c00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.603194] >ffff888101ad4c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.604224]                    ^
[ 19.604570]  ffff888101ad4d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 19.605475]  ffff888101ad4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.606259] ==================================================================
```

rk3399-rock-pi-4b:

```
[ 20.724052] ==================================================================
[ 20.725120] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 20.725857] Read of size 1 at addr ffff000010ae2140 by task kunit_try_catch/273
[ 20.726534]
[ 20.726700] CPU: 1 UID: 0 PID: 273 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 20.726750] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.726765] Hardware name: Radxa ROCK Pi 4B (DT)
[ 20.726783] Call trace:
[ 20.726795] show_stack+0x20/0x38 (C)
[ 20.726828] dump_stack_lvl+0x8c/0xd0
[ 20.726860] print_report+0x118/0x608
[ 20.726889] kasan_report+0xdc/0x128
[ 20.726918] __kasan_check_byte+0x54/0x70
[ 20.726947] kmem_cache_destroy+0x34/0x218
[ 20.726976] kmem_cache_double_destroy+0x174/0x300
[ 20.727013] kunit_try_run_case+0x170/0x3f0
[ 20.727050] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.727089] kthread+0x328/0x630
[ 20.727124] ret_from_fork+0x10/0x20
[ 20.727157]
[ 20.733088] Allocated by task 273:
[ 20.733415] kasan_save_stack+0x3c/0x68
[ 20.733788] kasan_save_track+0x20/0x40
[ 20.734160] kasan_save_alloc_info+0x40/0x58
[ 20.734575] __kasan_slab_alloc+0xa8/0xb0
[ 20.734962] kmem_cache_alloc_noprof+0x10c/0x3a0
[ 20.735405] __kmem_cache_create_args+0x178/0x280
[ 20.735863] kmem_cache_double_destroy+0xc0/0x300
[ 20.736318] kunit_try_run_case+0x170/0x3f0
[ 20.736727] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.737253] kthread+0x328/0x630
[ 20.737576] ret_from_fork+0x10/0x20
[ 20.737930]
[ 20.738083] Freed by task 273:
[ 20.738380] kasan_save_stack+0x3c/0x68
[ 20.738752] kasan_save_track+0x20/0x40
[ 20.739124] kasan_save_free_info+0x4c/0x78
[ 20.739529] __kasan_slab_free+0x6c/0x98
[ 20.739908] kmem_cache_free+0x260/0x470
[ 20.740287] slab_kmem_cache_release+0x38/0x50
[ 20.740714] kmem_cache_release+0x1c/0x30
[ 20.741108] kobject_put+0x17c/0x430
[ 20.741467] sysfs_slab_release+0x1c/0x30
[ 20.741855] kmem_cache_destroy+0x118/0x218
[ 20.742257] kmem_cache_double_destroy+0x128/0x300
[ 20.742720] kunit_try_run_case+0x170/0x3f0
[ 20.743127] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.743651] kthread+0x328/0x630
[ 20.743973] ret_from_fork+0x10/0x20
[ 20.744323]
[ 20.744477] The buggy address belongs to the object at ffff000010ae2140
[ 20.744477] which belongs to the cache kmem_cache of size 208
[ 20.745602] The buggy address is located 0 bytes inside of
[ 20.745602] freed 208-byte region [ffff000010ae2140, ffff000010ae2210)
[ 20.746700]
[ 20.746854] The buggy address belongs to the physical page:
[ 20.747370] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ae2
[ 20.748102] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 20.748807] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[ 20.749460] page_type: f5(slab)
[ 20.749775] raw: 03fffe0000000040 ffff000000402000 dead000000000122 0000000000000000
[ 20.750491] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 20.751208] head: 03fffe0000000040 ffff000000402000 dead000000000122 0000000000000000
[ 20.751932] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 20.752656] head: 03fffe0000000001 fffffdffc042b881 00000000ffffffff 00000000ffffffff
[ 20.753379] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 20.754096] page dumped because: kasan: bad access detected
[ 20.754611]
[ 20.754764] Memory state around the buggy address:
[ 20.755213]  ffff000010ae2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.755879]  ffff000010ae2080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 20.756545] >ffff000010ae2100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.757207]                                            ^
[ 20.757702]  ffff000010ae2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.758367]  ffff000010ae2200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.759030] ==================================================================
```