Date
June 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 29.988428] ================================================================== [ 30.002087] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308 [ 30.009462] Read of size 1 at addr ffff000800c2f0a0 by task kunit_try_catch/239 [ 30.016752] [ 30.018238] CPU: 5 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 30.018300] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.018319] Hardware name: WinLink E850-96 board (DT) [ 30.018341] Call trace: [ 30.018357] show_stack+0x20/0x38 (C) [ 30.018393] dump_stack_lvl+0x8c/0xd0 [ 30.018433] print_report+0x118/0x608 [ 30.018468] kasan_report+0xdc/0x128 [ 30.018505] __kasan_check_byte+0x54/0x70 [ 30.018537] kfree_sensitive+0x30/0xb0 [ 30.018573] kmalloc_double_kzfree+0x168/0x308 [ 30.018605] kunit_try_run_case+0x170/0x3f0 [ 30.018642] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.018681] kthread+0x328/0x630 [ 30.018709] ret_from_fork+0x10/0x20 [ 30.018743] [ 30.084287] Allocated by task 239: [ 30.087675] kasan_save_stack+0x3c/0x68 [ 30.091492] kasan_save_track+0x20/0x40 [ 30.095310] kasan_save_alloc_info+0x40/0x58 [ 30.099564] __kasan_kmalloc+0xd4/0xd8 [ 30.103296] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.107810] kmalloc_double_kzfree+0xb8/0x308 [ 30.112150] kunit_try_run_case+0x170/0x3f0 [ 30.116317] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.121787] kthread+0x328/0x630 [ 30.124997] ret_from_fork+0x10/0x20 [ 30.128556] [ 30.130032] Freed by task 239: [ 30.133070] kasan_save_stack+0x3c/0x68 [ 30.136889] kasan_save_track+0x20/0x40 [ 30.140710] kasan_save_free_info+0x4c/0x78 [ 30.144875] __kasan_slab_free+0x6c/0x98 [ 30.148781] kfree+0x214/0x3c8 [ 30.151820] kfree_sensitive+0x80/0xb0 [ 30.155552] kmalloc_double_kzfree+0x11c/0x308 [ 30.159979] kunit_try_run_case+0x170/0x3f0 [ 30.164146] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.169614] kthread+0x328/0x630 [ 30.172828] ret_from_fork+0x10/0x20 [ 30.176385] [ 30.177863] The buggy address belongs to the object at ffff000800c2f0a0 [ 30.177863] which belongs to the cache kmalloc-16 of size 16 [ 30.190190] The buggy address is located 0 bytes inside of [ 30.190190] freed 16-byte region [ffff000800c2f0a0, ffff000800c2f0b0) [ 30.202166] [ 30.203644] The buggy address belongs to the physical page: [ 30.209201] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880c2f [ 30.217185] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.223696] page_type: f5(slab) [ 30.226833] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000 [ 30.234551] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 30.242269] page dumped because: kasan: bad access detected [ 30.247825] [ 30.249300] Memory state around the buggy address: [ 30.254082] ffff000800c2ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.261285] ffff000800c2f000: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 30.268488] >ffff000800c2f080: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 30.275689] ^ [ 30.279947] ffff000800c2f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.287151] ffff000800c2f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.294355] ==================================================================
[ 25.657559] ================================================================== [ 25.657907] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308 [ 25.658246] Read of size 1 at addr fff00000c62bd320 by task kunit_try_catch/192 [ 25.658564] [ 25.658767] CPU: 0 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.659082] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.659175] Hardware name: linux,dummy-virt (DT) [ 25.659260] Call trace: [ 25.659326] show_stack+0x20/0x38 (C) [ 25.659957] dump_stack_lvl+0x8c/0xd0 [ 25.660257] print_report+0x118/0x608 [ 25.660389] kasan_report+0xdc/0x128 [ 25.660529] __kasan_check_byte+0x54/0x70 [ 25.660744] kfree_sensitive+0x30/0xb0 [ 25.660974] kmalloc_double_kzfree+0x168/0x308 [ 25.661156] kunit_try_run_case+0x170/0x3f0 [ 25.661299] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.661610] kthread+0x328/0x630 [ 25.661727] ret_from_fork+0x10/0x20 [ 25.661852] [ 25.661901] Allocated by task 192: [ 25.662001] kasan_save_stack+0x3c/0x68 [ 25.662366] kasan_save_track+0x20/0x40 [ 25.662590] kasan_save_alloc_info+0x40/0x58 [ 25.662828] __kasan_kmalloc+0xd4/0xd8 [ 25.663017] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.663381] kmalloc_double_kzfree+0xb8/0x308 [ 25.663836] kunit_try_run_case+0x170/0x3f0 [ 25.664124] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.664438] kthread+0x328/0x630 [ 25.664566] ret_from_fork+0x10/0x20 [ 25.664837] [ 25.664902] Freed by task 192: [ 25.664996] kasan_save_stack+0x3c/0x68 [ 25.665565] kasan_save_track+0x20/0x40 [ 25.666108] kasan_save_free_info+0x4c/0x78 [ 25.666240] __kasan_slab_free+0x6c/0x98 [ 25.666742] kfree+0x214/0x3c8 [ 25.666850] kfree_sensitive+0x80/0xb0 [ 25.667213] kmalloc_double_kzfree+0x11c/0x308 [ 25.667516] kunit_try_run_case+0x170/0x3f0 [ 25.667903] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.668504] kthread+0x328/0x630 [ 25.668633] ret_from_fork+0x10/0x20 [ 25.668743] [ 25.668828] The buggy address belongs to the object at fff00000c62bd320 [ 25.668828] which belongs to the cache kmalloc-16 of size 16 [ 25.668983] The buggy address is located 0 bytes inside of [ 25.668983] freed 16-byte region [fff00000c62bd320, fff00000c62bd330) [ 25.669242] [ 25.669549] The buggy address belongs to the physical page: [ 25.669756] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062bd [ 25.670318] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.670702] page_type: f5(slab) [ 25.670903] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 25.671388] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.671839] page dumped because: kasan: bad access detected [ 25.671922] [ 25.672186] Memory state around the buggy address: [ 25.672282] fff00000c62bd200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc [ 25.672719] fff00000c62bd280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.673076] >fff00000c62bd300: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 25.673466] ^ [ 25.673555] fff00000c62bd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.673660] fff00000c62bd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.674144] ==================================================================
[ 25.920351] ================================================================== [ 25.920502] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308 [ 25.920634] Read of size 1 at addr fff00000c56fe400 by task kunit_try_catch/192 [ 25.922263] [ 25.922494] CPU: 0 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.923089] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.923654] Hardware name: linux,dummy-virt (DT) [ 25.923742] Call trace: [ 25.923809] show_stack+0x20/0x38 (C) [ 25.923954] dump_stack_lvl+0x8c/0xd0 [ 25.925782] print_report+0x118/0x608 [ 25.925941] kasan_report+0xdc/0x128 [ 25.926811] __kasan_check_byte+0x54/0x70 [ 25.927239] kfree_sensitive+0x30/0xb0 [ 25.928220] kmalloc_double_kzfree+0x168/0x308 [ 25.928497] kunit_try_run_case+0x170/0x3f0 [ 25.928849] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.929044] kthread+0x328/0x630 [ 25.929178] ret_from_fork+0x10/0x20 [ 25.929576] [ 25.929921] Allocated by task 192: [ 25.930074] kasan_save_stack+0x3c/0x68 [ 25.930252] kasan_save_track+0x20/0x40 [ 25.930351] kasan_save_alloc_info+0x40/0x58 [ 25.930455] __kasan_kmalloc+0xd4/0xd8 [ 25.930763] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.931108] kmalloc_double_kzfree+0xb8/0x308 [ 25.931300] kunit_try_run_case+0x170/0x3f0 [ 25.931408] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.931530] kthread+0x328/0x630 [ 25.931695] ret_from_fork+0x10/0x20 [ 25.931826] [ 25.931927] Freed by task 192: [ 25.932006] kasan_save_stack+0x3c/0x68 [ 25.932114] kasan_save_track+0x20/0x40 [ 25.932563] kasan_save_free_info+0x4c/0x78 [ 25.932886] __kasan_slab_free+0x6c/0x98 [ 25.933001] kfree+0x214/0x3c8 [ 25.933174] kfree_sensitive+0x80/0xb0 [ 25.933281] kmalloc_double_kzfree+0x11c/0x308 [ 25.933384] kunit_try_run_case+0x170/0x3f0 [ 25.933487] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.933597] kthread+0x328/0x630 [ 25.933676] ret_from_fork+0x10/0x20 [ 25.933768] [ 25.934057] The buggy address belongs to the object at fff00000c56fe400 [ 25.934057] which belongs to the cache kmalloc-16 of size 16 [ 25.934676] The buggy address is located 0 bytes inside of [ 25.934676] freed 16-byte region [fff00000c56fe400, fff00000c56fe410) [ 25.934971] [ 25.935092] The buggy address belongs to the physical page: [ 25.935291] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056fe [ 25.935472] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.935809] page_type: f5(slab) [ 25.936498] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 25.936820] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.937361] page dumped because: kasan: bad access detected [ 25.937455] [ 25.937515] Memory state around the buggy address: [ 25.937604] fff00000c56fe300: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc [ 25.938476] fff00000c56fe380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.938599] >fff00000c56fe400: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.938699] ^ [ 25.938776] fff00000c56fe480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.939804] fff00000c56fe500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.940088] ==================================================================
[ 19.457448] ================================================================== [ 19.458412] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350 [ 19.460043] Read of size 1 at addr ffff8881023e23e0 by task kunit_try_catch/210 [ 19.461025] [ 19.461326] CPU: 0 UID: 0 PID: 210 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.461567] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.461606] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.461682] Call Trace: [ 19.461719] <TASK> [ 19.461767] dump_stack_lvl+0x73/0xb0 [ 19.461871] print_report+0xd1/0x650 [ 19.461950] ? __virt_addr_valid+0x1db/0x2d0 [ 19.462078] ? kmalloc_double_kzfree+0x19c/0x350 [ 19.462169] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.462285] ? kmalloc_double_kzfree+0x19c/0x350 [ 19.462344] kasan_report+0x141/0x180 [ 19.462378] ? kmalloc_double_kzfree+0x19c/0x350 [ 19.462414] ? kmalloc_double_kzfree+0x19c/0x350 [ 19.462447] __kasan_check_byte+0x3d/0x50 [ 19.462477] kfree_sensitive+0x22/0x90 [ 19.462542] kmalloc_double_kzfree+0x19c/0x350 [ 19.462578] ? __pfx_kmalloc_double_kzfree+0x10/0x10 [ 19.462612] ? __schedule+0x10cc/0x2b60 [ 19.462644] ? __pfx_read_tsc+0x10/0x10 [ 19.462675] ? ktime_get_ts64+0x86/0x230 [ 19.462708] kunit_try_run_case+0x1a5/0x480 [ 19.462746] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.462778] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.462813] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.462846] ? __kthread_parkme+0x82/0x180 [ 19.462876] ? preempt_count_sub+0x50/0x80 [ 19.462908] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.462942] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.462975] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.463008] kthread+0x337/0x6f0 [ 19.463034] ? trace_preempt_on+0x20/0xc0 [ 19.463067] ? __pfx_kthread+0x10/0x10 [ 19.463095] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.463124] ? calculate_sigpending+0x7b/0xa0 [ 19.463158] ? __pfx_kthread+0x10/0x10 [ 19.463187] ret_from_fork+0x116/0x1d0 [ 19.463212] ? __pfx_kthread+0x10/0x10 [ 19.463291] ret_from_fork_asm+0x1a/0x30 [ 19.463337] </TASK> [ 19.463353] [ 19.483168] Allocated by task 210: [ 19.483826] kasan_save_stack+0x45/0x70 [ 19.484579] kasan_save_track+0x18/0x40 [ 19.484996] kasan_save_alloc_info+0x3b/0x50 [ 19.485631] __kasan_kmalloc+0xb7/0xc0 [ 19.486069] __kmalloc_cache_noprof+0x189/0x420 [ 19.486763] kmalloc_double_kzfree+0xa9/0x350 [ 19.487184] kunit_try_run_case+0x1a5/0x480 [ 19.487806] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.488466] kthread+0x337/0x6f0 [ 19.488944] ret_from_fork+0x116/0x1d0 [ 19.489313] ret_from_fork_asm+0x1a/0x30 [ 19.489766] [ 19.490008] Freed by task 210: [ 19.490361] kasan_save_stack+0x45/0x70 [ 19.490781] kasan_save_track+0x18/0x40 [ 19.491097] kasan_save_free_info+0x3f/0x60 [ 19.491679] __kasan_slab_free+0x56/0x70 [ 19.492458] kfree+0x222/0x3f0 [ 19.493053] kfree_sensitive+0x67/0x90 [ 19.493725] kmalloc_double_kzfree+0x12b/0x350 [ 19.494359] kunit_try_run_case+0x1a5/0x480 [ 19.494835] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.495735] kthread+0x337/0x6f0 [ 19.496056] ret_from_fork+0x116/0x1d0 [ 19.496571] ret_from_fork_asm+0x1a/0x30 [ 19.497219] [ 19.497694] The buggy address belongs to the object at ffff8881023e23e0 [ 19.497694] which belongs to the cache kmalloc-16 of size 16 [ 19.499213] The buggy address is located 0 bytes inside of [ 19.499213] freed 16-byte region [ffff8881023e23e0, ffff8881023e23f0) [ 19.500100] [ 19.500347] The buggy address belongs to the physical page: [ 19.500796] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1023e2 [ 19.502109] flags: 0x200000000000000(node=0|zone=2) [ 19.502544] page_type: f5(slab) [ 19.503325] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 19.503895] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 19.504767] page dumped because: kasan: bad access detected [ 19.505424] [ 19.505932] Memory state around the buggy address: [ 19.506434] ffff8881023e2280: fa fb fc fc 00 02 fc fc 00 05 fc fc 00 02 fc fc [ 19.507683] ffff8881023e2300: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc [ 19.509588] >ffff8881023e2380: fa fb fc fc fa fb fc fc 00 05 fc fc fa fb fc fc [ 19.510939] ^ [ 19.511410] ffff8881023e2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.512932] ffff8881023e2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.513945] ==================================================================
[ 18.479070] ================================================================== [ 18.480101] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350 [ 18.480939] Read of size 1 at addr ffff88810262e160 by task kunit_try_catch/210 [ 18.482342] [ 18.482582] CPU: 0 UID: 0 PID: 210 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 18.482702] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.482740] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.483050] Call Trace: [ 18.483077] <TASK> [ 18.483106] dump_stack_lvl+0x73/0xb0 [ 18.483186] print_report+0xd1/0x650 [ 18.483221] ? __virt_addr_valid+0x1db/0x2d0 [ 18.483254] ? kmalloc_double_kzfree+0x19c/0x350 [ 18.483288] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.483319] ? kmalloc_double_kzfree+0x19c/0x350 [ 18.483352] kasan_report+0x141/0x180 [ 18.483382] ? kmalloc_double_kzfree+0x19c/0x350 [ 18.483419] ? kmalloc_double_kzfree+0x19c/0x350 [ 18.483452] __kasan_check_byte+0x3d/0x50 [ 18.483482] kfree_sensitive+0x22/0x90 [ 18.483513] kmalloc_double_kzfree+0x19c/0x350 [ 18.483546] ? __pfx_kmalloc_double_kzfree+0x10/0x10 [ 18.483580] ? __schedule+0x10cc/0x2b60 [ 18.483612] ? __pfx_read_tsc+0x10/0x10 [ 18.483642] ? ktime_get_ts64+0x86/0x230 [ 18.483675] kunit_try_run_case+0x1a5/0x480 [ 18.483711] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.483745] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.483777] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.483810] ? __kthread_parkme+0x82/0x180 [ 18.483837] ? preempt_count_sub+0x50/0x80 [ 18.483868] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.483932] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.483966] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.484000] kthread+0x337/0x6f0 [ 18.484029] ? trace_preempt_on+0x20/0xc0 [ 18.484062] ? __pfx_kthread+0x10/0x10 [ 18.484091] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.484161] ? calculate_sigpending+0x7b/0xa0 [ 18.484202] ? __pfx_kthread+0x10/0x10 [ 18.484233] ret_from_fork+0x116/0x1d0 [ 18.484258] ? __pfx_kthread+0x10/0x10 [ 18.484287] ret_from_fork_asm+0x1a/0x30 [ 18.484329] </TASK> [ 18.484346] [ 18.497268] Allocated by task 210: [ 18.497558] kasan_save_stack+0x45/0x70 [ 18.497905] kasan_save_track+0x18/0x40 [ 18.498317] kasan_save_alloc_info+0x3b/0x50 [ 18.498785] __kasan_kmalloc+0xb7/0xc0 [ 18.499262] __kmalloc_cache_noprof+0x189/0x420 [ 18.499731] kmalloc_double_kzfree+0xa9/0x350 [ 18.500267] kunit_try_run_case+0x1a5/0x480 [ 18.500715] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.501300] kthread+0x337/0x6f0 [ 18.501700] ret_from_fork+0x116/0x1d0 [ 18.502142] ret_from_fork_asm+0x1a/0x30 [ 18.502533] [ 18.502742] Freed by task 210: [ 18.503156] kasan_save_stack+0x45/0x70 [ 18.503549] kasan_save_track+0x18/0x40 [ 18.503861] kasan_save_free_info+0x3f/0x60 [ 18.504368] __kasan_slab_free+0x56/0x70 [ 18.504764] kfree+0x222/0x3f0 [ 18.505186] kfree_sensitive+0x67/0x90 [ 18.505596] kmalloc_double_kzfree+0x12b/0x350 [ 18.506045] kunit_try_run_case+0x1a5/0x480 [ 18.506487] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.506871] kthread+0x337/0x6f0 [ 18.507315] ret_from_fork+0x116/0x1d0 [ 18.507719] ret_from_fork_asm+0x1a/0x30 [ 18.508194] [ 18.508430] The buggy address belongs to the object at ffff88810262e160 [ 18.508430] which belongs to the cache kmalloc-16 of size 16 [ 18.509344] The buggy address is located 0 bytes inside of [ 18.509344] freed 16-byte region [ffff88810262e160, ffff88810262e170) [ 18.510227] [ 18.510428] The buggy address belongs to the physical page: [ 18.510795] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10262e [ 18.511546] flags: 0x200000000000000(node=0|zone=2) [ 18.512039] page_type: f5(slab) [ 18.512450] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 18.513162] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 18.513833] page dumped because: kasan: bad access detected [ 18.514359] [ 18.514587] Memory state around the buggy address: [ 18.514946] ffff88810262e000: fa fb fc fc 00 00 fc fc fa fb fc fc fa fb fc fc [ 18.515648] ffff88810262e080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 18.516205] >ffff88810262e100: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 18.516643] ^ [ 18.517167] ffff88810262e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.517784] ffff88810262e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.518458] ==================================================================
[ 20.802398] ================================================================== [ 20.803751] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308 [ 20.804455] Read of size 1 at addr ffff000001e6e700 by task kunit_try_catch/245 [ 20.805134] [ 20.805299] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 20.805348] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.805363] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.805380] Call trace: [ 20.805391] show_stack+0x20/0x38 (C) [ 20.805428] dump_stack_lvl+0x8c/0xd0 [ 20.805463] print_report+0x118/0x608 [ 20.805497] kasan_report+0xdc/0x128 [ 20.805530] __kasan_check_byte+0x54/0x70 [ 20.805562] kfree_sensitive+0x30/0xb0 [ 20.805594] kmalloc_double_kzfree+0x168/0x308 [ 20.805626] kunit_try_run_case+0x170/0x3f0 [ 20.805659] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.805698] kthread+0x328/0x630 [ 20.805725] ret_from_fork+0x10/0x20 [ 20.805757] [ 20.811626] Allocated by task 245: [ 20.811950] kasan_save_stack+0x3c/0x68 [ 20.812328] kasan_save_track+0x20/0x40 [ 20.812704] kasan_save_alloc_info+0x40/0x58 [ 20.813121] __kasan_kmalloc+0xd4/0xd8 [ 20.813488] __kmalloc_cache_noprof+0x16c/0x3c0 [ 20.813925] kmalloc_double_kzfree+0xb8/0x308 [ 20.814345] kunit_try_run_case+0x170/0x3f0 [ 20.814751] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.815274] kthread+0x328/0x630 [ 20.815589] ret_from_fork+0x10/0x20 [ 20.815940] [ 20.816093] Freed by task 245: [ 20.816386] kasan_save_stack+0x3c/0x68 [ 20.816763] kasan_save_track+0x20/0x40 [ 20.817138] kasan_save_free_info+0x4c/0x78 [ 20.817545] __kasan_slab_free+0x6c/0x98 [ 20.817927] kfree+0x214/0x3c8 [ 20.818230] kfree_sensitive+0x80/0xb0 [ 20.818596] kmalloc_double_kzfree+0x11c/0x308 [ 20.819023] kunit_try_run_case+0x170/0x3f0 [ 20.819429] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.819952] kthread+0x328/0x630 [ 20.820267] ret_from_fork+0x10/0x20 [ 20.820619] [ 20.820771] The buggy address belongs to the object at ffff000001e6e700 [ 20.820771] which belongs to the cache kmalloc-16 of size 16 [ 20.821888] The buggy address is located 0 bytes inside of [ 20.821888] freed 16-byte region [ffff000001e6e700, ffff000001e6e710) [ 20.822977] [ 20.823130] The buggy address belongs to the physical page: [ 20.823645] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e6e [ 20.824369] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.824982] page_type: f5(slab) [ 20.825297] raw: 03fffe0000000000 ffff000000402640 dead000000000122 0000000000000000 [ 20.826012] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 20.826719] page dumped because: kasan: bad access detected [ 20.827234] [ 20.827386] Memory state around the buggy address: [ 20.827835] ffff000001e6e600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 20.828500] ffff000001e6e680: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 20.829165] >ffff000001e6e700: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.829826] ^ [ 20.830137] ffff000001e6e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.830802] ffff000001e6e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.831463] ==================================================================