Date
June 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 34.762685] ================================================================== [ 34.762871] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 34.763007] Read of size 1 at addr ffff000800dba140 by task kunit_try_catch/262 [ 34.766568] [ 34.768054] CPU: 1 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 34.768116] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.768133] Hardware name: WinLink E850-96 board (DT) [ 34.768153] Call trace: [ 34.768167] show_stack+0x20/0x38 (C) [ 34.768204] dump_stack_lvl+0x8c/0xd0 [ 34.768240] print_report+0x118/0x608 [ 34.768276] kasan_report+0xdc/0x128 [ 34.768311] __kasan_check_byte+0x54/0x70 [ 34.768344] kmem_cache_destroy+0x34/0x218 [ 34.768377] kmem_cache_double_destroy+0x174/0x300 [ 34.768412] kunit_try_run_case+0x170/0x3f0 [ 34.768451] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.768488] kthread+0x328/0x630 [ 34.768521] ret_from_fork+0x10/0x20 [ 34.768559] [ 34.834794] Allocated by task 262: [ 34.838183] kasan_save_stack+0x3c/0x68 [ 34.841999] kasan_save_track+0x20/0x40 [ 34.845818] kasan_save_alloc_info+0x40/0x58 [ 34.850072] __kasan_slab_alloc+0xa8/0xb0 [ 34.854065] kmem_cache_alloc_noprof+0x10c/0x398 [ 34.858666] __kmem_cache_create_args+0x178/0x280 [ 34.863352] kmem_cache_double_destroy+0xc0/0x300 [ 34.868040] kunit_try_run_case+0x170/0x3f0 [ 34.872208] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.877675] kthread+0x328/0x630 [ 34.880887] ret_from_fork+0x10/0x20 [ 34.884446] [ 34.885923] Freed by task 262: [ 34.888963] kasan_save_stack+0x3c/0x68 [ 34.892779] kasan_save_track+0x20/0x40 [ 34.896599] kasan_save_free_info+0x4c/0x78 [ 34.900765] __kasan_slab_free+0x6c/0x98 [ 34.904671] kmem_cache_free+0x260/0x468 [ 34.908577] slab_kmem_cache_release+0x38/0x50 [ 34.913006] kmem_cache_release+0x1c/0x30 [ 34.916998] kobject_put+0x17c/0x420 [ 34.920558] sysfs_slab_release+0x1c/0x30 [ 34.924549] kmem_cache_destroy+0x118/0x218 [ 34.928716] kmem_cache_double_destroy+0x128/0x300 [ 34.933490] kunit_try_run_case+0x170/0x3f0 [ 34.937657] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.943127] kthread+0x328/0x630 [ 34.946339] ret_from_fork+0x10/0x20 [ 34.949896] [ 34.951374] The buggy address belongs to the object at ffff000800dba140 [ 34.951374] which belongs to the cache kmem_cache of size 208 [ 34.963787] The buggy address is located 0 bytes inside of [ 34.963787] freed 208-byte region [ffff000800dba140, ffff000800dba210) [ 34.975851] [ 34.977331] The buggy address belongs to the physical page: [ 34.982887] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880dba [ 34.990870] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 34.998510] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 35.005453] page_type: f5(slab) [ 35.008591] raw: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000 [ 35.016309] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000 [ 35.024037] head: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000 [ 35.031847] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000 [ 35.039660] head: 0bfffe0000000001 fffffdffe0036e81 00000000ffffffff 00000000ffffffff [ 35.047472] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 35.055277] page dumped because: kasan: bad access detected [ 35.060832] [ 35.062308] Memory state around the buggy address: [ 35.067088] ffff000800dba000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.074291] ffff000800dba080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 35.081496] >ffff000800dba100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 35.088696] ^ [ 35.093995] ffff000800dba180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.101201] ffff000800dba200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.108404] ==================================================================
[ 27.705377] ================================================================== [ 27.706104] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 27.706860] Read of size 1 at addr fff00000c569fb40 by task kunit_try_catch/215 [ 27.707298] [ 27.707399] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 27.707641] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.707715] Hardware name: linux,dummy-virt (DT) [ 27.707806] Call trace: [ 27.707867] show_stack+0x20/0x38 (C) [ 27.708232] dump_stack_lvl+0x8c/0xd0 [ 27.708538] print_report+0x118/0x608 [ 27.708786] kasan_report+0xdc/0x128 [ 27.708917] __kasan_check_byte+0x54/0x70 [ 27.709062] kmem_cache_destroy+0x34/0x218 [ 27.709185] kmem_cache_double_destroy+0x174/0x300 [ 27.709304] kunit_try_run_case+0x170/0x3f0 [ 27.709464] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.709669] kthread+0x328/0x630 [ 27.709878] ret_from_fork+0x10/0x20 [ 27.710177] [ 27.710225] Allocated by task 215: [ 27.710309] kasan_save_stack+0x3c/0x68 [ 27.710549] kasan_save_track+0x20/0x40 [ 27.710652] kasan_save_alloc_info+0x40/0x58 [ 27.710828] __kasan_slab_alloc+0xa8/0xb0 [ 27.710993] kmem_cache_alloc_noprof+0x10c/0x398 [ 27.711153] __kmem_cache_create_args+0x178/0x280 [ 27.711285] kmem_cache_double_destroy+0xc0/0x300 [ 27.711410] kunit_try_run_case+0x170/0x3f0 [ 27.712321] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.712445] kthread+0x328/0x630 [ 27.712553] ret_from_fork+0x10/0x20 [ 27.712724] [ 27.713007] Freed by task 215: [ 27.713120] kasan_save_stack+0x3c/0x68 [ 27.713242] kasan_save_track+0x20/0x40 [ 27.713502] kasan_save_free_info+0x4c/0x78 [ 27.713622] __kasan_slab_free+0x6c/0x98 [ 27.713788] kmem_cache_free+0x260/0x468 [ 27.713891] slab_kmem_cache_release+0x38/0x50 [ 27.714008] kmem_cache_release+0x1c/0x30 [ 27.714114] kobject_put+0x17c/0x420 [ 27.714205] sysfs_slab_release+0x1c/0x30 [ 27.714311] kmem_cache_destroy+0x118/0x218 [ 27.714409] kmem_cache_double_destroy+0x128/0x300 [ 27.714522] kunit_try_run_case+0x170/0x3f0 [ 27.714656] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.714769] kthread+0x328/0x630 [ 27.714854] ret_from_fork+0x10/0x20 [ 27.714989] [ 27.715045] The buggy address belongs to the object at fff00000c569fb40 [ 27.715045] which belongs to the cache kmem_cache of size 208 [ 27.715185] The buggy address is located 0 bytes inside of [ 27.715185] freed 208-byte region [fff00000c569fb40, fff00000c569fc10) [ 27.716141] [ 27.716202] The buggy address belongs to the physical page: [ 27.716573] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10569f [ 27.716790] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.717181] page_type: f5(slab) [ 27.717498] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000 [ 27.717861] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 27.717990] page dumped because: kasan: bad access detected [ 27.718071] [ 27.718120] Memory state around the buggy address: [ 27.718205] fff00000c569fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.718768] fff00000c569fa80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 27.719061] >fff00000c569fb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 27.719165] ^ [ 27.719696] fff00000c569fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.720227] fff00000c569fc00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.720437] ==================================================================
[ 27.748316] ================================================================== [ 27.748493] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 27.748721] Read of size 1 at addr fff00000c770b140 by task kunit_try_catch/215 [ 27.748966] [ 27.749127] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 27.749412] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.749519] Hardware name: linux,dummy-virt (DT) [ 27.749623] Call trace: [ 27.749689] show_stack+0x20/0x38 (C) [ 27.749942] dump_stack_lvl+0x8c/0xd0 [ 27.750118] print_report+0x118/0x608 [ 27.750247] kasan_report+0xdc/0x128 [ 27.750454] __kasan_check_byte+0x54/0x70 [ 27.750648] kmem_cache_destroy+0x34/0x218 [ 27.750773] kmem_cache_double_destroy+0x174/0x300 [ 27.750917] kunit_try_run_case+0x170/0x3f0 [ 27.751047] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.751178] kthread+0x328/0x630 [ 27.751299] ret_from_fork+0x10/0x20 [ 27.751579] [ 27.751656] Allocated by task 215: [ 27.751755] kasan_save_stack+0x3c/0x68 [ 27.751908] kasan_save_track+0x20/0x40 [ 27.752200] kasan_save_alloc_info+0x40/0x58 [ 27.752359] __kasan_slab_alloc+0xa8/0xb0 [ 27.752467] kmem_cache_alloc_noprof+0x10c/0x398 [ 27.752697] __kmem_cache_create_args+0x178/0x280 [ 27.752882] kmem_cache_double_destroy+0xc0/0x300 [ 27.752995] kunit_try_run_case+0x170/0x3f0 [ 27.753175] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.753292] kthread+0x328/0x630 [ 27.753389] ret_from_fork+0x10/0x20 [ 27.753521] [ 27.753578] Freed by task 215: [ 27.753778] kasan_save_stack+0x3c/0x68 [ 27.753902] kasan_save_track+0x20/0x40 [ 27.754021] kasan_save_free_info+0x4c/0x78 [ 27.754147] __kasan_slab_free+0x6c/0x98 [ 27.754300] kmem_cache_free+0x260/0x468 [ 27.754397] slab_kmem_cache_release+0x38/0x50 [ 27.754519] kmem_cache_release+0x1c/0x30 [ 27.754710] kobject_put+0x17c/0x420 [ 27.754815] sysfs_slab_release+0x1c/0x30 [ 27.754931] kmem_cache_destroy+0x118/0x218 [ 27.755034] kmem_cache_double_destroy+0x128/0x300 [ 27.755152] kunit_try_run_case+0x170/0x3f0 [ 27.755380] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 27.755812] kthread+0x328/0x630 [ 27.755932] ret_from_fork+0x10/0x20 [ 27.756078] [ 27.756135] The buggy address belongs to the object at fff00000c770b140 [ 27.756135] which belongs to the cache kmem_cache of size 208 [ 27.756283] The buggy address is located 0 bytes inside of [ 27.756283] freed 208-byte region [fff00000c770b140, fff00000c770b210) [ 27.756668] [ 27.756737] The buggy address belongs to the physical page: [ 27.757044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10770b [ 27.757195] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 27.757338] page_type: f5(slab) [ 27.757675] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000 [ 27.757819] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 27.758098] page dumped because: kasan: bad access detected [ 27.758181] [ 27.758238] Memory state around the buggy address: [ 27.758419] fff00000c770b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.758568] fff00000c770b080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 27.758819] >fff00000c770b100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 27.758991] ^ [ 27.759084] fff00000c770b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.759194] fff00000c770b200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.759354] ==================================================================
[ 20.457924] ================================================================== [ 20.459159] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380 [ 20.460995] Read of size 1 at addr ffff888101678780 by task kunit_try_catch/233 [ 20.462325] [ 20.462581] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 20.462718] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.462754] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.462817] Call Trace: [ 20.462952] <TASK> [ 20.463087] dump_stack_lvl+0x73/0xb0 [ 20.463336] print_report+0xd1/0x650 [ 20.463388] ? __virt_addr_valid+0x1db/0x2d0 [ 20.463428] ? kmem_cache_double_destroy+0x1bf/0x380 [ 20.463466] ? kasan_complete_mode_report_info+0x64/0x200 [ 20.463521] ? kmem_cache_double_destroy+0x1bf/0x380 [ 20.463645] kasan_report+0x141/0x180 [ 20.463716] ? kmem_cache_double_destroy+0x1bf/0x380 [ 20.463760] ? kmem_cache_double_destroy+0x1bf/0x380 [ 20.463798] __kasan_check_byte+0x3d/0x50 [ 20.463830] kmem_cache_destroy+0x25/0x1d0 [ 20.463865] kmem_cache_double_destroy+0x1bf/0x380 [ 20.463902] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 20.463939] ? finish_task_switch.isra.0+0x153/0x700 [ 20.463971] ? __switch_to+0x47/0xf50 [ 20.464012] ? __pfx_read_tsc+0x10/0x10 [ 20.464042] ? ktime_get_ts64+0x86/0x230 [ 20.464076] kunit_try_run_case+0x1a5/0x480 [ 20.464118] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.464152] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 20.464190] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.464250] ? __kthread_parkme+0x82/0x180 [ 20.464298] ? preempt_count_sub+0x50/0x80 [ 20.464333] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.464371] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.464405] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.464439] kthread+0x337/0x6f0 [ 20.464470] ? trace_preempt_on+0x20/0xc0 [ 20.464528] ? __pfx_kthread+0x10/0x10 [ 20.464599] ? _raw_spin_unlock_irq+0x47/0x80 [ 20.464672] ? calculate_sigpending+0x7b/0xa0 [ 20.464716] ? __pfx_kthread+0x10/0x10 [ 20.464746] ret_from_fork+0x116/0x1d0 [ 20.464774] ? __pfx_kthread+0x10/0x10 [ 20.464805] ret_from_fork_asm+0x1a/0x30 [ 20.464849] </TASK> [ 20.464865] [ 20.487685] Allocated by task 233: [ 20.488145] kasan_save_stack+0x45/0x70 [ 20.489466] kasan_save_track+0x18/0x40 [ 20.490057] kasan_save_alloc_info+0x3b/0x50 [ 20.490724] __kasan_slab_alloc+0x91/0xa0 [ 20.491119] kmem_cache_alloc_noprof+0x123/0x3f0 [ 20.491835] __kmem_cache_create_args+0x169/0x240 [ 20.492334] kmem_cache_double_destroy+0xd5/0x380 [ 20.493535] kunit_try_run_case+0x1a5/0x480 [ 20.494195] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.494928] kthread+0x337/0x6f0 [ 20.495367] ret_from_fork+0x116/0x1d0 [ 20.495756] ret_from_fork_asm+0x1a/0x30 [ 20.496143] [ 20.496385] Freed by task 233: [ 20.497495] kasan_save_stack+0x45/0x70 [ 20.498129] kasan_save_track+0x18/0x40 [ 20.498738] kasan_save_free_info+0x3f/0x60 [ 20.499120] __kasan_slab_free+0x56/0x70 [ 20.499779] kmem_cache_free+0x249/0x420 [ 20.500212] slab_kmem_cache_release+0x2e/0x40 [ 20.501320] kmem_cache_release+0x16/0x20 [ 20.501647] kobject_put+0x181/0x450 [ 20.502128] sysfs_slab_release+0x16/0x20 [ 20.502876] kmem_cache_destroy+0xf0/0x1d0 [ 20.503338] kmem_cache_double_destroy+0x14e/0x380 [ 20.503953] kunit_try_run_case+0x1a5/0x480 [ 20.504343] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.505597] kthread+0x337/0x6f0 [ 20.506010] ret_from_fork+0x116/0x1d0 [ 20.506410] ret_from_fork_asm+0x1a/0x30 [ 20.507021] [ 20.507272] The buggy address belongs to the object at ffff888101678780 [ 20.507272] which belongs to the cache kmem_cache of size 208 [ 20.508379] The buggy address is located 0 bytes inside of [ 20.508379] freed 208-byte region [ffff888101678780, ffff888101678850) [ 20.510079] [ 20.510391] The buggy address belongs to the physical page: [ 20.511070] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101678 [ 20.511920] flags: 0x200000000000000(node=0|zone=2) [ 20.512377] page_type: f5(slab) [ 20.513415] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000 [ 20.514037] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 20.514976] page dumped because: kasan: bad access detected [ 20.515531] [ 20.515871] Memory state around the buggy address: [ 20.516278] ffff888101678680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.517640] ffff888101678700: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.518233] >ffff888101678780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.518842] ^ [ 20.519158] ffff888101678800: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 20.520144] ffff888101678880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.521310] ==================================================================
[ 19.332802] ================================================================== [ 19.333745] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380 [ 19.334537] Read of size 1 at addr ffff888101affb40 by task kunit_try_catch/233 [ 19.335065] [ 19.335427] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.335587] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.335632] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.335723] Call Trace: [ 19.335767] <TASK> [ 19.335814] dump_stack_lvl+0x73/0xb0 [ 19.335918] print_report+0xd1/0x650 [ 19.335996] ? __virt_addr_valid+0x1db/0x2d0 [ 19.336073] ? kmem_cache_double_destroy+0x1bf/0x380 [ 19.336151] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.336227] ? kmem_cache_double_destroy+0x1bf/0x380 [ 19.336308] kasan_report+0x141/0x180 [ 19.336379] ? kmem_cache_double_destroy+0x1bf/0x380 [ 19.336458] ? kmem_cache_double_destroy+0x1bf/0x380 [ 19.336501] __kasan_check_byte+0x3d/0x50 [ 19.336535] kmem_cache_destroy+0x25/0x1d0 [ 19.336568] kmem_cache_double_destroy+0x1bf/0x380 [ 19.336605] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 19.336641] ? finish_task_switch.isra.0+0x153/0x700 [ 19.336673] ? __switch_to+0x47/0xf50 [ 19.336713] ? __pfx_read_tsc+0x10/0x10 [ 19.336743] ? ktime_get_ts64+0x86/0x230 [ 19.336776] kunit_try_run_case+0x1a5/0x480 [ 19.336813] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.336847] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.336906] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.336946] ? __kthread_parkme+0x82/0x180 [ 19.336976] ? preempt_count_sub+0x50/0x80 [ 19.337007] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.337042] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.337076] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.337141] kthread+0x337/0x6f0 [ 19.337179] ? trace_preempt_on+0x20/0xc0 [ 19.337213] ? __pfx_kthread+0x10/0x10 [ 19.337243] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.337274] ? calculate_sigpending+0x7b/0xa0 [ 19.337309] ? __pfx_kthread+0x10/0x10 [ 19.337338] ret_from_fork+0x116/0x1d0 [ 19.337365] ? __pfx_kthread+0x10/0x10 [ 19.337393] ret_from_fork_asm+0x1a/0x30 [ 19.337435] </TASK> [ 19.337450] [ 19.354484] Allocated by task 233: [ 19.354862] kasan_save_stack+0x45/0x70 [ 19.355480] kasan_save_track+0x18/0x40 [ 19.355944] kasan_save_alloc_info+0x3b/0x50 [ 19.356497] __kasan_slab_alloc+0x91/0xa0 [ 19.356947] kmem_cache_alloc_noprof+0x123/0x3f0 [ 19.357415] __kmem_cache_create_args+0x169/0x240 [ 19.357827] kmem_cache_double_destroy+0xd5/0x380 [ 19.358442] kunit_try_run_case+0x1a5/0x480 [ 19.359276] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.360256] kthread+0x337/0x6f0 [ 19.360547] ret_from_fork+0x116/0x1d0 [ 19.360852] ret_from_fork_asm+0x1a/0x30 [ 19.361217] [ 19.361474] Freed by task 233: [ 19.361850] kasan_save_stack+0x45/0x70 [ 19.362300] kasan_save_track+0x18/0x40 [ 19.362726] kasan_save_free_info+0x3f/0x60 [ 19.363123] __kasan_slab_free+0x56/0x70 [ 19.363540] kmem_cache_free+0x249/0x420 [ 19.363872] slab_kmem_cache_release+0x2e/0x40 [ 19.364411] kmem_cache_release+0x16/0x20 [ 19.364915] kobject_put+0x181/0x450 [ 19.365299] sysfs_slab_release+0x16/0x20 [ 19.365818] kmem_cache_destroy+0xf0/0x1d0 [ 19.366373] kmem_cache_double_destroy+0x14e/0x380 [ 19.366846] kunit_try_run_case+0x1a5/0x480 [ 19.367972] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.368386] kthread+0x337/0x6f0 [ 19.368675] ret_from_fork+0x116/0x1d0 [ 19.369085] ret_from_fork_asm+0x1a/0x30 [ 19.369940] [ 19.370169] The buggy address belongs to the object at ffff888101affb40 [ 19.370169] which belongs to the cache kmem_cache of size 208 [ 19.371186] The buggy address is located 0 bytes inside of [ 19.371186] freed 208-byte region [ffff888101affb40, ffff888101affc10) [ 19.372222] [ 19.372431] The buggy address belongs to the physical page: [ 19.372926] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101aff [ 19.373572] flags: 0x200000000000000(node=0|zone=2) [ 19.374046] page_type: f5(slab) [ 19.374484] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000 [ 19.375158] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 19.375802] page dumped because: kasan: bad access detected [ 19.376270] [ 19.376500] Memory state around the buggy address: [ 19.376961] ffff888101affa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.377571] ffff888101affa80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 19.378075] >ffff888101affb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 19.378725] ^ [ 19.379216] ffff888101affb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.379795] ffff888101affc00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.380323] ==================================================================
[ 21.458090] ================================================================== [ 21.459157] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 21.459891] Read of size 1 at addr ffff00000daa2140 by task kunit_try_catch/268 [ 21.460568] [ 21.460732] CPU: 1 UID: 0 PID: 268 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 21.460782] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.460796] Hardware name: Radxa ROCK Pi 4B (DT) [ 21.460813] Call trace: [ 21.460824] show_stack+0x20/0x38 (C) [ 21.460857] dump_stack_lvl+0x8c/0xd0 [ 21.460893] print_report+0x118/0x608 [ 21.460927] kasan_report+0xdc/0x128 [ 21.460958] __kasan_check_byte+0x54/0x70 [ 21.460990] kmem_cache_destroy+0x34/0x218 [ 21.461022] kmem_cache_double_destroy+0x174/0x300 [ 21.461054] kunit_try_run_case+0x170/0x3f0 [ 21.461088] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.461126] kthread+0x328/0x630 [ 21.461152] ret_from_fork+0x10/0x20 [ 21.461184] [ 21.467115] Allocated by task 268: [ 21.467440] kasan_save_stack+0x3c/0x68 [ 21.467817] kasan_save_track+0x20/0x40 [ 21.468193] kasan_save_alloc_info+0x40/0x58 [ 21.468611] __kasan_slab_alloc+0xa8/0xb0 [ 21.469002] kmem_cache_alloc_noprof+0x10c/0x398 [ 21.469448] __kmem_cache_create_args+0x178/0x280 [ 21.469899] kmem_cache_double_destroy+0xc0/0x300 [ 21.470350] kunit_try_run_case+0x170/0x3f0 [ 21.470755] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.471279] kthread+0x328/0x630 [ 21.471595] ret_from_fork+0x10/0x20 [ 21.471945] [ 21.472098] Freed by task 268: [ 21.472392] kasan_save_stack+0x3c/0x68 [ 21.472768] kasan_save_track+0x20/0x40 [ 21.473143] kasan_save_free_info+0x4c/0x78 [ 21.473553] __kasan_slab_free+0x6c/0x98 [ 21.473936] kmem_cache_free+0x260/0x468 [ 21.474317] slab_kmem_cache_release+0x38/0x50 [ 21.474746] kmem_cache_release+0x1c/0x30 [ 21.475134] kobject_put+0x17c/0x420 [ 21.475485] sysfs_slab_release+0x1c/0x30 [ 21.475875] kmem_cache_destroy+0x118/0x218 [ 21.476280] kmem_cache_double_destroy+0x128/0x300 [ 21.476739] kunit_try_run_case+0x170/0x3f0 [ 21.477146] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.477671] kthread+0x328/0x630 [ 21.477986] ret_from_fork+0x10/0x20 [ 21.478335] [ 21.478488] The buggy address belongs to the object at ffff00000daa2140 [ 21.478488] which belongs to the cache kmem_cache of size 208 [ 21.479613] The buggy address is located 0 bytes inside of [ 21.479613] freed 208-byte region [ffff00000daa2140, ffff00000daa2210) [ 21.480709] [ 21.480863] The buggy address belongs to the physical page: [ 21.481378] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xdaa2 [ 21.482101] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 21.482806] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) [ 21.483457] page_type: f5(slab) [ 21.483770] raw: 03fffe0000000040 ffff000000402000 dead000000000122 0000000000000000 [ 21.484486] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000 [ 21.485201] head: 03fffe0000000040 ffff000000402000 dead000000000122 0000000000000000 [ 21.485924] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000 [ 21.486647] head: 03fffe0000000001 fffffdffc036a881 00000000ffffffff 00000000ffffffff [ 21.487370] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 21.488084] page dumped because: kasan: bad access detected [ 21.488598] [ 21.488750] Memory state around the buggy address: [ 21.489199] ffff00000daa2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.489865] ffff00000daa2080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 21.490530] >ffff00000daa2100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 21.491191] ^ [ 21.491685] ffff00000daa2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.492351] ffff00000daa2200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.493013] ==================================================================