Hay
Sign in
Date
July 12, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   17.794059] ==================================================================
[   17.794196] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   17.794341] Read of size 1 at addr fff00000c4715dc0 by task kunit_try_catch/215
[   17.794512] 
[   17.794597] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.794977] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.795087] Hardware name: linux,dummy-virt (DT)
[   17.795123] Call trace:
[   17.795181]  show_stack+0x20/0x38 (C)
[   17.795499]  dump_stack_lvl+0x8c/0xd0
[   17.795699]  print_report+0x118/0x5d0
[   17.795848]  kasan_report+0xdc/0x128
[   17.795925]  __kasan_check_byte+0x54/0x70
[   17.796031]  kmem_cache_destroy+0x34/0x218
[   17.796093]  kmem_cache_double_destroy+0x174/0x300
[   17.796352]  kunit_try_run_case+0x170/0x3f0
[   17.796638]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.796819]  kthread+0x328/0x630
[   17.796952]  ret_from_fork+0x10/0x20
[   17.797126] 
[   17.797256] Allocated by task 215:
[   17.797289]  kasan_save_stack+0x3c/0x68
[   17.797684]  kasan_save_track+0x20/0x40
[   17.797902]  kasan_save_alloc_info+0x40/0x58
[   17.798006]  __kasan_slab_alloc+0xa8/0xb0
[   17.798293]  kmem_cache_alloc_noprof+0x10c/0x398
[   17.798650]  __kmem_cache_create_args+0x178/0x280
[   17.798793]  kmem_cache_double_destroy+0xc0/0x300
[   17.798945]  kunit_try_run_case+0x170/0x3f0
[   17.799552]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.799747]  kthread+0x328/0x630
[   17.799858]  ret_from_fork+0x10/0x20
[   17.799903] 
[   17.799922] Freed by task 215:
[   17.800201]  kasan_save_stack+0x3c/0x68
[   17.800382]  kasan_save_track+0x20/0x40
[   17.800573]  kasan_save_free_info+0x4c/0x78
[   17.800760]  __kasan_slab_free+0x6c/0x98
[   17.800853]  kmem_cache_free+0x260/0x468
[   17.800923]  slab_kmem_cache_release+0x38/0x50
[   17.801124]  kmem_cache_release+0x1c/0x30
[   17.801341]  kobject_put+0x17c/0x420
[   17.801430]  sysfs_slab_release+0x1c/0x30
[   17.801650]  kmem_cache_destroy+0x118/0x218
[   17.801718]  kmem_cache_double_destroy+0x128/0x300
[   17.801840]  kunit_try_run_case+0x170/0x3f0
[   17.802099]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.802307]  kthread+0x328/0x630
[   17.802468]  ret_from_fork+0x10/0x20
[   17.802641] 
[   17.802669] The buggy address belongs to the object at fff00000c4715dc0
[   17.802669]  which belongs to the cache kmem_cache of size 208
[   17.802738] The buggy address is located 0 bytes inside of
[   17.802738]  freed 208-byte region [fff00000c4715dc0, fff00000c4715e90)
[   17.802959] 
[   17.803184] The buggy address belongs to the physical page:
[   17.803389] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104715
[   17.803473] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.803539] page_type: f5(slab)
[   17.803748] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   17.803899] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   17.804220] page dumped because: kasan: bad access detected
[   17.804402] 
[   17.804482] Memory state around the buggy address:
[   17.804584]  fff00000c4715c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.804658]  fff00000c4715d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   17.804701] >fff00000c4715d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   17.805196]                                            ^
[   17.805343]  fff00000c4715e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.805514]  fff00000c4715e80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.805608] ==================================================================
Metadata Full log Test run details 

[   13.841112] ==================================================================
[   13.841790] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   13.842094] Read of size 1 at addr ffff888101cddb40 by task kunit_try_catch/232
[   13.842421] 
[   13.842538] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.842584] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.842596] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.842619] Call Trace:
[   13.842889]  <TASK>
[   13.842913]  dump_stack_lvl+0x73/0xb0
[   13.842947]  print_report+0xd1/0x610
[   13.842972]  ? __virt_addr_valid+0x1db/0x2d0
[   13.842997]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.843022]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.843046]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.843139]  kasan_report+0x141/0x180
[   13.843163]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.843205]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.843231]  __kasan_check_byte+0x3d/0x50
[   13.843274]  kmem_cache_destroy+0x25/0x1d0
[   13.843298]  kmem_cache_double_destroy+0x1bf/0x380
[   13.843324]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   13.843350]  ? finish_task_switch.isra.0+0x153/0x700
[   13.843374]  ? __switch_to+0x47/0xf50
[   13.843404]  ? __pfx_read_tsc+0x10/0x10
[   13.843426]  ? ktime_get_ts64+0x86/0x230
[   13.843450]  kunit_try_run_case+0x1a5/0x480
[   13.843476]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.843501]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.843527]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.843551]  ? __kthread_parkme+0x82/0x180
[   13.843571]  ? preempt_count_sub+0x50/0x80
[   13.843595]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.843620]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.843645]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.843670]  kthread+0x337/0x6f0
[   13.843689]  ? trace_preempt_on+0x20/0xc0
[   13.843714]  ? __pfx_kthread+0x10/0x10
[   13.843736]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.843759]  ? calculate_sigpending+0x7b/0xa0
[   13.843785]  ? __pfx_kthread+0x10/0x10
[   13.843807]  ret_from_fork+0x116/0x1d0
[   13.843825]  ? __pfx_kthread+0x10/0x10
[   13.843846]  ret_from_fork_asm+0x1a/0x30
[   13.843878]  </TASK>
[   13.843889] 
[   13.853911] Allocated by task 232:
[   13.854057]  kasan_save_stack+0x45/0x70
[   13.854343]  kasan_save_track+0x18/0x40
[   13.854500]  kasan_save_alloc_info+0x3b/0x50
[   13.854748]  __kasan_slab_alloc+0x91/0xa0
[   13.854935]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.855205]  __kmem_cache_create_args+0x169/0x240
[   13.855441]  kmem_cache_double_destroy+0xd5/0x380
[   13.855757]  kunit_try_run_case+0x1a5/0x480
[   13.856592]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.856945]  kthread+0x337/0x6f0
[   13.857619]  ret_from_fork+0x116/0x1d0
[   13.858039]  ret_from_fork_asm+0x1a/0x30
[   13.858243] 
[   13.858333] Freed by task 232:
[   13.858447]  kasan_save_stack+0x45/0x70
[   13.858584]  kasan_save_track+0x18/0x40
[   13.858725]  kasan_save_free_info+0x3f/0x60
[   13.858873]  __kasan_slab_free+0x56/0x70
[   13.859118]  kmem_cache_free+0x249/0x420
[   13.859474]  slab_kmem_cache_release+0x2e/0x40
[   13.859873]  kmem_cache_release+0x16/0x20
[   13.860278]  kobject_put+0x181/0x450
[   13.860714]  sysfs_slab_release+0x16/0x20
[   13.861092]  kmem_cache_destroy+0xf0/0x1d0
[   13.861566]  kmem_cache_double_destroy+0x14e/0x380
[   13.862240]  kunit_try_run_case+0x1a5/0x480
[   13.862662]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.863212]  kthread+0x337/0x6f0
[   13.863542]  ret_from_fork+0x116/0x1d0
[   13.863872]  ret_from_fork_asm+0x1a/0x30
[   13.864074] 
[   13.864328] The buggy address belongs to the object at ffff888101cddb40
[   13.864328]  which belongs to the cache kmem_cache of size 208
[   13.864895] The buggy address is located 0 bytes inside of
[   13.864895]  freed 208-byte region [ffff888101cddb40, ffff888101cddc10)
[   13.865897] 
[   13.866062] The buggy address belongs to the physical page:
[   13.866819] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101cdd
[   13.867481] flags: 0x200000000000000(node=0|zone=2)
[   13.867855] page_type: f5(slab)
[   13.868059] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[   13.868948] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   13.869311] page dumped because: kasan: bad access detected
[   13.869490] 
[   13.869561] Memory state around the buggy address:
[   13.869717]  ffff888101cdda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.869937]  ffff888101cdda80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   13.870165] >ffff888101cddb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.870661]                                            ^
[   13.870856]  ffff888101cddb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.871133]  ffff888101cddc00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.871463] ==================================================================
Metadata Full log Test run details