Hay
Date
July 13, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64

Note: all four reports below come from the KASAN KUnit self-test case `kmem_cache_double_destroy` (task `kunit_try_catch`, taint flag `[N]=TEST`), two per environment. The "Allocated by" stack shows the cache object created in the test, the "Freed by" stack shows the first `kmem_cache_destroy()` call from the test, and the faulting access is a second `kmem_cache_destroy()` on the same, already-freed `kmem_cache` object — i.e. the double destroy the test exists to provoke. These KASAN splats are therefore the expected output of a deliberately triggered use-after-free and should not be read as a vulnerability in the 6.16.0-rc6 kernel under test; a real finding here would be the KUnit case itself reporting failure (KASAN *not* catching the access), which this log does not show.

[   17.279060] ==================================================================
[   17.279147] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   17.279240] Read of size 1 at addr fff00000c3ea1a00 by task kunit_try_catch/216
[   17.279292] 
[   17.279336] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   17.279425] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.279453] Hardware name: linux,dummy-virt (DT)
[   17.279486] Call trace:
[   17.279512]  show_stack+0x20/0x38 (C)
[   17.279563]  dump_stack_lvl+0x8c/0xd0
[   17.279615]  print_report+0x118/0x5d0
[   17.279663]  kasan_report+0xdc/0x128
[   17.279709]  __kasan_check_byte+0x54/0x70
[   17.279756]  kmem_cache_destroy+0x34/0x218
[   17.279805]  kmem_cache_double_destroy+0x174/0x300
[   17.279853]  kunit_try_run_case+0x170/0x3f0
[   17.279904]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.279957]  kthread+0x328/0x630
[   17.280000]  ret_from_fork+0x10/0x20
[   17.280049] 
[   17.280067] Allocated by task 216:
[   17.280099]  kasan_save_stack+0x3c/0x68
[   17.280142]  kasan_save_track+0x20/0x40
[   17.280185]  kasan_save_alloc_info+0x40/0x58
[   17.280236]  __kasan_slab_alloc+0xa8/0xb0
[   17.280275]  kmem_cache_alloc_noprof+0x10c/0x398
[   17.280317]  __kmem_cache_create_args+0x178/0x280
[   17.280358]  kmem_cache_double_destroy+0xc0/0x300
[   17.280399]  kunit_try_run_case+0x170/0x3f0
[   17.280438]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.280483]  kthread+0x328/0x630
[   17.280515]  ret_from_fork+0x10/0x20
[   17.280552] 
[   17.280570] Freed by task 216:
[   17.280597]  kasan_save_stack+0x3c/0x68
[   17.280634]  kasan_save_track+0x20/0x40
[   17.280673]  kasan_save_free_info+0x4c/0x78
[   17.280712]  __kasan_slab_free+0x6c/0x98
[   17.280748]  kmem_cache_free+0x260/0x468
[   17.280785]  slab_kmem_cache_release+0x38/0x50
[   17.280823]  kmem_cache_release+0x1c/0x30
[   17.280858]  kobject_put+0x17c/0x420
[   17.280895]  sysfs_slab_release+0x1c/0x30
[   17.280933]  kmem_cache_destroy+0x118/0x218
[   17.280971]  kmem_cache_double_destroy+0x128/0x300
[   17.281009]  kunit_try_run_case+0x170/0x3f0
[   17.281048]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.281090]  kthread+0x328/0x630
[   17.281123]  ret_from_fork+0x10/0x20
[   17.281157] 
[   17.281178] The buggy address belongs to the object at fff00000c3ea1a00
[   17.281178]  which belongs to the cache kmem_cache of size 208
[   17.281246] The buggy address is located 0 bytes inside of
[   17.281246]  freed 208-byte region [fff00000c3ea1a00, fff00000c3ea1ad0)
[   17.281308] 
[   17.281330] The buggy address belongs to the physical page:
[   17.281364] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ea1
[   17.281420] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.281474] page_type: f5(slab)
[   17.281517] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   17.281567] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   17.281610] page dumped because: kasan: bad access detected
[   17.281641] 
[   17.281661] Memory state around the buggy address:
[   17.281693]  fff00000c3ea1900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   17.281737]  fff00000c3ea1980: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.281780] >fff00000c3ea1a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.281819]                    ^
[   17.281847]  fff00000c3ea1a80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   17.281889]  fff00000c3ea1b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.281929] ==================================================================

[   18.009718] ==================================================================
[   18.010076] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   18.010200] Read of size 1 at addr fff00000c472ac80 by task kunit_try_catch/216
[   18.010257] 
[   18.010297] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   18.010384] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.010412] Hardware name: linux,dummy-virt (DT)
[   18.010482] Call trace:
[   18.010507]  show_stack+0x20/0x38 (C)
[   18.010559]  dump_stack_lvl+0x8c/0xd0
[   18.010610]  print_report+0x118/0x5d0
[   18.010677]  kasan_report+0xdc/0x128
[   18.010721]  __kasan_check_byte+0x54/0x70
[   18.010767]  kmem_cache_destroy+0x34/0x218
[   18.010814]  kmem_cache_double_destroy+0x174/0x300
[   18.010870]  kunit_try_run_case+0x170/0x3f0
[   18.010920]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.010980]  kthread+0x328/0x630
[   18.011033]  ret_from_fork+0x10/0x20
[   18.011081] 
[   18.011099] Allocated by task 216:
[   18.011128]  kasan_save_stack+0x3c/0x68
[   18.011167]  kasan_save_track+0x20/0x40
[   18.011217]  kasan_save_alloc_info+0x40/0x58
[   18.011256]  __kasan_slab_alloc+0xa8/0xb0
[   18.011295]  kmem_cache_alloc_noprof+0x10c/0x398
[   18.011349]  __kmem_cache_create_args+0x178/0x280
[   18.012147]  kmem_cache_double_destroy+0xc0/0x300
[   18.012252]  kunit_try_run_case+0x170/0x3f0
[   18.012300]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.012522]  kthread+0x328/0x630
[   18.012755]  ret_from_fork+0x10/0x20
[   18.012809] 
[   18.012930] Freed by task 216:
[   18.012992]  kasan_save_stack+0x3c/0x68
[   18.013088]  kasan_save_track+0x20/0x40
[   18.013227]  kasan_save_free_info+0x4c/0x78
[   18.013280]  __kasan_slab_free+0x6c/0x98
[   18.013318]  kmem_cache_free+0x260/0x468
[   18.013589]  slab_kmem_cache_release+0x38/0x50
[   18.013672]  kmem_cache_release+0x1c/0x30
[   18.013749]  kobject_put+0x17c/0x420
[   18.014041]  sysfs_slab_release+0x1c/0x30
[   18.014244]  kmem_cache_destroy+0x118/0x218
[   18.014401]  kmem_cache_double_destroy+0x128/0x300
[   18.014609]  kunit_try_run_case+0x170/0x3f0
[   18.014671]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.014727]  kthread+0x328/0x630
[   18.014788]  ret_from_fork+0x10/0x20
[   18.014906] 
[   18.014928] The buggy address belongs to the object at fff00000c472ac80
[   18.014928]  which belongs to the cache kmem_cache of size 208
[   18.015193] The buggy address is located 0 bytes inside of
[   18.015193]  freed 208-byte region [fff00000c472ac80, fff00000c472ad50)
[   18.015561] 
[   18.015609] The buggy address belongs to the physical page:
[   18.015764] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10472a
[   18.015894] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.016107] page_type: f5(slab)
[   18.016158] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   18.016311] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   18.016444] page dumped because: kasan: bad access detected
[   18.016587] 
[   18.016641] Memory state around the buggy address:
[   18.016730]  fff00000c472ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.016939]  fff00000c472ac00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.016990] >fff00000c472ac80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.017151]                    ^
[   18.017241]  fff00000c472ad00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   18.017396]  fff00000c472ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.017494] ==================================================================

[   13.517681] ==================================================================
[   13.518182] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   13.519085] Read of size 1 at addr ffff888101a223c0 by task kunit_try_catch/232
[   13.519586] 
[   13.519695] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.519858] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.519871] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.519896] Call Trace:
[   13.519910]  <TASK>
[   13.519929]  dump_stack_lvl+0x73/0xb0
[   13.519964]  print_report+0xd1/0x610
[   13.519989]  ? __virt_addr_valid+0x1db/0x2d0
[   13.520015]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.520040]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.520064]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.520090]  kasan_report+0x141/0x180
[   13.520112]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.520141]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.520166]  __kasan_check_byte+0x3d/0x50
[   13.520188]  kmem_cache_destroy+0x25/0x1d0
[   13.520212]  kmem_cache_double_destroy+0x1bf/0x380
[   13.520237]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   13.520263]  ? finish_task_switch.isra.0+0x153/0x700
[   13.520296]  ? __switch_to+0x47/0xf50
[   13.520325]  ? __pfx_read_tsc+0x10/0x10
[   13.520346]  ? ktime_get_ts64+0x86/0x230
[   13.520371]  kunit_try_run_case+0x1a5/0x480
[   13.520398]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.520551]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.520676]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.520701]  ? __kthread_parkme+0x82/0x180
[   13.520725]  ? preempt_count_sub+0x50/0x80
[   13.520748]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.520773]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.520799]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.520825]  kthread+0x337/0x6f0
[   13.520847]  ? trace_preempt_on+0x20/0xc0
[   13.520871]  ? __pfx_kthread+0x10/0x10
[   13.520892]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.520914]  ? calculate_sigpending+0x7b/0xa0
[   13.520940]  ? __pfx_kthread+0x10/0x10
[   13.520961]  ret_from_fork+0x116/0x1d0
[   13.520981]  ? __pfx_kthread+0x10/0x10
[   13.521002]  ret_from_fork_asm+0x1a/0x30
[   13.521035]  </TASK>
[   13.521046] 
[   13.537241] Allocated by task 232:
[   13.537380]  kasan_save_stack+0x45/0x70
[   13.538203]  kasan_save_track+0x18/0x40
[   13.538886]  kasan_save_alloc_info+0x3b/0x50
[   13.539399]  __kasan_slab_alloc+0x91/0xa0
[   13.540020]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.540416]  __kmem_cache_create_args+0x169/0x240
[   13.541074]  kmem_cache_double_destroy+0xd5/0x380
[   13.541384]  kunit_try_run_case+0x1a5/0x480
[   13.541926]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.542598]  kthread+0x337/0x6f0
[   13.542737]  ret_from_fork+0x116/0x1d0
[   13.542868]  ret_from_fork_asm+0x1a/0x30
[   13.543004] 
[   13.543074] Freed by task 232:
[   13.543181]  kasan_save_stack+0x45/0x70
[   13.543314]  kasan_save_track+0x18/0x40
[   13.544086]  kasan_save_free_info+0x3f/0x60
[   13.544652]  __kasan_slab_free+0x56/0x70
[   13.545203]  kmem_cache_free+0x249/0x420
[   13.545792]  slab_kmem_cache_release+0x2e/0x40
[   13.546233]  kmem_cache_release+0x16/0x20
[   13.546704]  kobject_put+0x181/0x450
[   13.547071]  sysfs_slab_release+0x16/0x20
[   13.547486]  kmem_cache_destroy+0xf0/0x1d0
[   13.547839]  kmem_cache_double_destroy+0x14e/0x380
[   13.548143]  kunit_try_run_case+0x1a5/0x480
[   13.548291]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.548619]  kthread+0x337/0x6f0
[   13.549225]  ret_from_fork+0x116/0x1d0
[   13.549834]  ret_from_fork_asm+0x1a/0x30
[   13.550220] 
[   13.550381] The buggy address belongs to the object at ffff888101a223c0
[   13.550381]  which belongs to the cache kmem_cache of size 208
[   13.550998] The buggy address is located 0 bytes inside of
[   13.550998]  freed 208-byte region [ffff888101a223c0, ffff888101a22490)
[   13.551335] 
[   13.551405] The buggy address belongs to the physical page:
[   13.551760] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a22
[   13.552082] flags: 0x200000000000000(node=0|zone=2)
[   13.552306] page_type: f5(slab)
[   13.552477] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[   13.552891] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   13.553185] page dumped because: kasan: bad access detected
[   13.553350] 
[   13.553417] Memory state around the buggy address:
[   13.553651]  ffff888101a22280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.554110]  ffff888101a22300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   13.554444] >ffff888101a22380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.554957]                                            ^
[   13.555306]  ffff888101a22400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.555605]  ffff888101a22480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.556015] ==================================================================

[   13.727275] ==================================================================
[   13.727767] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   13.728311] Read of size 1 at addr ffff888101b19b40 by task kunit_try_catch/233
[   13.728673] 
[   13.728878] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.728985] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.728999] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.729033] Call Trace:
[   13.729047]  <TASK>
[   13.729076]  dump_stack_lvl+0x73/0xb0
[   13.729111]  print_report+0xd1/0x610
[   13.729135]  ? __virt_addr_valid+0x1db/0x2d0
[   13.729160]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.729186]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.729211]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.729238]  kasan_report+0x141/0x180
[   13.729260]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.729288]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.729315]  __kasan_check_byte+0x3d/0x50
[   13.729337]  kmem_cache_destroy+0x25/0x1d0
[   13.729379]  kmem_cache_double_destroy+0x1bf/0x380
[   13.729406]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   13.729431]  ? finish_task_switch.isra.0+0x153/0x700
[   13.729457]  ? __switch_to+0x47/0xf50
[   13.729522]  ? __pfx_read_tsc+0x10/0x10
[   13.729544]  ? ktime_get_ts64+0x86/0x230
[   13.729570]  kunit_try_run_case+0x1a5/0x480
[   13.729598]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.729621]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.729666]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.729690]  ? __kthread_parkme+0x82/0x180
[   13.729713]  ? preempt_count_sub+0x50/0x80
[   13.729736]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.729761]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.729787]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.729814]  kthread+0x337/0x6f0
[   13.729833]  ? trace_preempt_on+0x20/0xc0
[   13.729857]  ? __pfx_kthread+0x10/0x10
[   13.729878]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.729901]  ? calculate_sigpending+0x7b/0xa0
[   13.729927]  ? __pfx_kthread+0x10/0x10
[   13.729949]  ret_from_fork+0x116/0x1d0
[   13.729969]  ? __pfx_kthread+0x10/0x10
[   13.729989]  ret_from_fork_asm+0x1a/0x30
[   13.730021]  </TASK>
[   13.730032] 
[   13.740706] Allocated by task 233:
[   13.740846]  kasan_save_stack+0x45/0x70
[   13.741075]  kasan_save_track+0x18/0x40
[   13.741341]  kasan_save_alloc_info+0x3b/0x50
[   13.741785]  __kasan_slab_alloc+0x91/0xa0
[   13.742036]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.742214]  __kmem_cache_create_args+0x169/0x240
[   13.742503]  kmem_cache_double_destroy+0xd5/0x380
[   13.742779]  kunit_try_run_case+0x1a5/0x480
[   13.743118]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.743346]  kthread+0x337/0x6f0
[   13.743516]  ret_from_fork+0x116/0x1d0
[   13.743703]  ret_from_fork_asm+0x1a/0x30
[   13.743951] 
[   13.744077] Freed by task 233:
[   13.744265]  kasan_save_stack+0x45/0x70
[   13.744499]  kasan_save_track+0x18/0x40
[   13.744636]  kasan_save_free_info+0x3f/0x60
[   13.744942]  __kasan_slab_free+0x56/0x70
[   13.745186]  kmem_cache_free+0x249/0x420
[   13.745406]  slab_kmem_cache_release+0x2e/0x40
[   13.745576]  kmem_cache_release+0x16/0x20
[   13.745814]  kobject_put+0x181/0x450
[   13.746088]  sysfs_slab_release+0x16/0x20
[   13.746295]  kmem_cache_destroy+0xf0/0x1d0
[   13.746438]  kmem_cache_double_destroy+0x14e/0x380
[   13.746818]  kunit_try_run_case+0x1a5/0x480
[   13.747073]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.747345]  kthread+0x337/0x6f0
[   13.747467]  ret_from_fork+0x116/0x1d0
[   13.747614]  ret_from_fork_asm+0x1a/0x30
[   13.747933] 
[   13.748118] The buggy address belongs to the object at ffff888101b19b40
[   13.748118]  which belongs to the cache kmem_cache of size 208
[   13.748826] The buggy address is located 0 bytes inside of
[   13.748826]  freed 208-byte region [ffff888101b19b40, ffff888101b19c10)
[   13.749558] 
[   13.749813] The buggy address belongs to the physical page:
[   13.750082] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b19
[   13.750589] flags: 0x200000000000000(node=0|zone=2)
[   13.750925] page_type: f5(slab)
[   13.751154] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[   13.751451] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   13.751905] page dumped because: kasan: bad access detected
[   13.752151] 
[   13.752304] Memory state around the buggy address:
[   13.752507]  ffff888101b19a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.752978]  ffff888101b19a80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   13.753857] >ffff888101b19b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.754235]                                            ^
[   13.754483]  ffff888101b19b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.754873]  ffff888101b19c00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.755387] ==================================================================