Date: July 20, 2025, 11:12 p.m.

| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[   16.778230] ==================================================================
[   16.778390] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[   16.778558] Read of size 1 at addr fff00000c59ab980 by task kunit_try_catch/192
[   16.778612]
[   16.778667] CPU: 1 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[   16.778761] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.779133] Hardware name: linux,dummy-virt (DT)
[   16.779314] Call trace:
[   16.779451]  show_stack+0x20/0x38 (C)
[   16.779597]  dump_stack_lvl+0x8c/0xd0
[   16.779990]  print_report+0x118/0x5d0
[   16.780192]  kasan_report+0xdc/0x128
[   16.780299]  __kasan_check_byte+0x54/0x70
[   16.780549]  kfree_sensitive+0x30/0xb0
[   16.780769]  kmalloc_double_kzfree+0x168/0x308
[   16.781094]  kunit_try_run_case+0x170/0x3f0
[   16.781283]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.781408]  kthread+0x328/0x630
[   16.781960]  ret_from_fork+0x10/0x20
[   16.782063]
[   16.782230] Allocated by task 192:
[   16.782409]  kasan_save_stack+0x3c/0x68
[   16.782457]  kasan_save_track+0x20/0x40
[   16.782737]  kasan_save_alloc_info+0x40/0x58
[   16.782894]  __kasan_kmalloc+0xd4/0xd8
[   16.782996]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.783181]  kmalloc_double_kzfree+0xb8/0x308
[   16.783290]  kunit_try_run_case+0x170/0x3f0
[   16.783385]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.783483]  kthread+0x328/0x630
[   16.783520]  ret_from_fork+0x10/0x20
[   16.784480]
[   16.784544] Freed by task 192:
[   16.784614]  kasan_save_stack+0x3c/0x68
[   16.784696]  kasan_save_track+0x20/0x40
[   16.784775]  kasan_save_free_info+0x4c/0x78
[   16.785069]  __kasan_slab_free+0x6c/0x98
[   16.785567]  kfree+0x214/0x3c8
[   16.785785]  kfree_sensitive+0x80/0xb0
[   16.785988]  kmalloc_double_kzfree+0x11c/0x308
[   16.786064]  kunit_try_run_case+0x170/0x3f0
[   16.786105]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.786149]  kthread+0x328/0x630
[   16.786185]  ret_from_fork+0x10/0x20
[   16.786221]
[   16.786394] The buggy address belongs to the object at fff00000c59ab980
[   16.786394]  which belongs to the cache kmalloc-16 of size 16
[   16.786570] The buggy address is located 0 bytes inside of
[   16.786570]  freed 16-byte region [fff00000c59ab980, fff00000c59ab990)
[   16.786963]
[   16.787064] The buggy address belongs to the physical page:
[   16.787212] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059ab
[   16.787339] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.787538] page_type: f5(slab)
[   16.787660] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   16.787793] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   16.787838] page dumped because: kasan: bad access detected
[   16.788196]
[   16.788295] Memory state around the buggy address:
[   16.788343]  fff00000c59ab880: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc
[   16.788789]  fff00000c59ab900: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   16.788865] >fff00000c59ab980: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.788981]                    ^
[   16.789067]  fff00000c59aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.789113]  fff00000c59aba80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.789282] ==================================================================
```
```
[   16.752131] ==================================================================
[   16.752250] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[   16.752355] Read of size 1 at addr fff00000c1375ba0 by task kunit_try_catch/192
[   16.752450]
[   16.752485] CPU: 1 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[   16.752602] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.752660] Hardware name: linux,dummy-virt (DT)
[   16.752695] Call trace:
[   16.752719]  show_stack+0x20/0x38 (C)
[   16.752787]  dump_stack_lvl+0x8c/0xd0
[   16.753009]  print_report+0x118/0x5d0
[   16.753079]  kasan_report+0xdc/0x128
[   16.753238]  __kasan_check_byte+0x54/0x70
[   16.753470]  kfree_sensitive+0x30/0xb0
[   16.753685]  kmalloc_double_kzfree+0x168/0x308
[   16.753884]  kunit_try_run_case+0x170/0x3f0
[   16.753970]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.754076]  kthread+0x328/0x630
[   16.754171]  ret_from_fork+0x10/0x20
[   16.754220]
[   16.754252] Allocated by task 192:
[   16.754564]  kasan_save_stack+0x3c/0x68
[   16.754707]  kasan_save_track+0x20/0x40
[   16.754831]  kasan_save_alloc_info+0x40/0x58
[   16.754978]  __kasan_kmalloc+0xd4/0xd8
[   16.755075]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.755126]  kmalloc_double_kzfree+0xb8/0x308
[   16.755210]  kunit_try_run_case+0x170/0x3f0
[   16.755299]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.755454]  kthread+0x328/0x630
[   16.755565]  ret_from_fork+0x10/0x20
[   16.755603]
[   16.755657] Freed by task 192:
[   16.755865]  kasan_save_stack+0x3c/0x68
[   16.756117]  kasan_save_track+0x20/0x40
[   16.756224]  kasan_save_free_info+0x4c/0x78
[   16.756385]  __kasan_slab_free+0x6c/0x98
[   16.756496]  kfree+0x214/0x3c8
[   16.756602]  kfree_sensitive+0x80/0xb0
[   16.756710]  kmalloc_double_kzfree+0x11c/0x308
[   16.756858]  kunit_try_run_case+0x170/0x3f0
[   16.756920]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.756987]  kthread+0x328/0x630
[   16.757019]  ret_from_fork+0x10/0x20
[   16.757057]
[   16.757077] The buggy address belongs to the object at fff00000c1375ba0
[   16.757077]  which belongs to the cache kmalloc-16 of size 16
[   16.757137] The buggy address is located 0 bytes inside of
[   16.757137]  freed 16-byte region [fff00000c1375ba0, fff00000c1375bb0)
[   16.757198]
[   16.757218] The buggy address belongs to the physical page:
[   16.757250] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101375
[   16.757388] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.757477] page_type: f5(slab)
[   16.757565] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   16.757724] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   16.757969] page dumped because: kasan: bad access detected
[   16.758043]
[   16.758085] Memory state around the buggy address:
[   16.758217]  fff00000c1375a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   16.758313]  fff00000c1375b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   16.758356] >fff00000c1375b80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   16.758615]                                ^
[   16.758790]  fff00000c1375c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.758904]  fff00000c1375c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.759006] ==================================================================
```
```
[   12.988921] ==================================================================
[   12.989807] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[   12.990169] Read of size 1 at addr ffff8881017e0440 by task kunit_try_catch/210
[   12.990777]
[   12.990887] CPU: 0 UID: 0 PID: 210 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[   12.990934] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.990946] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.990968] Call Trace:
[   12.990981]  <TASK>
[   12.990998]  dump_stack_lvl+0x73/0xb0
[   12.991039]  print_report+0xd1/0x610
[   12.991060]  ? __virt_addr_valid+0x1db/0x2d0
[   12.991082]  ? kmalloc_double_kzfree+0x19c/0x350
[   12.991104]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.991125]  ? kmalloc_double_kzfree+0x19c/0x350
[   12.991148]  kasan_report+0x141/0x180
[   12.991170]  ? kmalloc_double_kzfree+0x19c/0x350
[   12.991196]  ? kmalloc_double_kzfree+0x19c/0x350
[   12.991219]  __kasan_check_byte+0x3d/0x50
[   12.991240]  kfree_sensitive+0x22/0x90
[   12.991262]  kmalloc_double_kzfree+0x19c/0x350
[   12.991284]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[   12.991307]  ? __schedule+0x10c6/0x2b60
[   12.991330]  ? __pfx_read_tsc+0x10/0x10
[   12.991351]  ? ktime_get_ts64+0x86/0x230
[   12.991378]  kunit_try_run_case+0x1a5/0x480
[   12.991411]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.991433]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.991457]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.991479]  ? __kthread_parkme+0x82/0x180
[   12.991499]  ? preempt_count_sub+0x50/0x80
[   12.991523]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.991547]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.991569]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.991592]  kthread+0x337/0x6f0
[   12.991611]  ? trace_preempt_on+0x20/0xc0
[   12.991634]  ? __pfx_kthread+0x10/0x10
[   12.991654]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.991675]  ? calculate_sigpending+0x7b/0xa0
[   12.991698]  ? __pfx_kthread+0x10/0x10
[   12.991721]  ret_from_fork+0x116/0x1d0
[   12.991739]  ? __pfx_kthread+0x10/0x10
[   12.991759]  ret_from_fork_asm+0x1a/0x30
[   12.991791]  </TASK>
[   12.991801]
[   13.000660] Allocated by task 210:
[   13.000870]  kasan_save_stack+0x45/0x70
[   13.001235]  kasan_save_track+0x18/0x40
[   13.001425]  kasan_save_alloc_info+0x3b/0x50
[   13.001577]  __kasan_kmalloc+0xb7/0xc0
[   13.001833]  __kmalloc_cache_noprof+0x189/0x420
[   13.002173]  kmalloc_double_kzfree+0xa9/0x350
[   13.002428]  kunit_try_run_case+0x1a5/0x480
[   13.002725]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.002999]  kthread+0x337/0x6f0
[   13.003275]  ret_from_fork+0x116/0x1d0
[   13.003424]  ret_from_fork_asm+0x1a/0x30
[   13.003646]
[   13.003746] Freed by task 210:
[   13.003904]  kasan_save_stack+0x45/0x70
[   13.004255]  kasan_save_track+0x18/0x40
[   13.004413]  kasan_save_free_info+0x3f/0x60
[   13.004616]  __kasan_slab_free+0x56/0x70
[   13.004891]  kfree+0x222/0x3f0
[   13.005161]  kfree_sensitive+0x67/0x90
[   13.005408]  kmalloc_double_kzfree+0x12b/0x350
[   13.005613]  kunit_try_run_case+0x1a5/0x480
[   13.005793]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.006213]  kthread+0x337/0x6f0
[   13.006433]  ret_from_fork+0x116/0x1d0
[   13.006609]  ret_from_fork_asm+0x1a/0x30
[   13.006807]
[   13.006905] The buggy address belongs to the object at ffff8881017e0440
[   13.006905]  which belongs to the cache kmalloc-16 of size 16
[   13.007425] The buggy address is located 0 bytes inside of
[   13.007425]  freed 16-byte region [ffff8881017e0440, ffff8881017e0450)
[   13.007906]
[   13.008005] The buggy address belongs to the physical page:
[   13.008216] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1017e0
[   13.008739] flags: 0x200000000000000(node=0|zone=2)
[   13.008935] page_type: f5(slab)
[   13.009118] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   13.009355] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   13.009765] page dumped because: kasan: bad access detected
[   13.010126]
[   13.010227] Memory state around the buggy address:
[   13.010518]  ffff8881017e0300: 00 04 fc fc 00 01 fc fc 00 01 fc fc 00 04 fc fc
[   13.010793]  ffff8881017e0380: 00 04 fc fc 00 05 fc fc fa fb fc fc fa fb fc fc
[   13.011149] >ffff8881017e0400: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[   13.011528]                                            ^
[   13.011851]  ffff8881017e0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.012559]  ffff8881017e0500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.013105] ==================================================================
```
```
[   13.136519] ==================================================================
[   13.137054] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[   13.137324] Read of size 1 at addr ffff8881023973c0 by task kunit_try_catch/209
[   13.137551]
[   13.137645] CPU: 0 UID: 0 PID: 209 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[   13.137693] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.137704] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.137726] Call Trace:
[   13.137739]  <TASK>
[   13.137756]  dump_stack_lvl+0x73/0xb0
[   13.137785]  print_report+0xd1/0x610
[   13.137808]  ? __virt_addr_valid+0x1db/0x2d0
[   13.137831]  ? kmalloc_double_kzfree+0x19c/0x350
[   13.137853]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.137873]  ? kmalloc_double_kzfree+0x19c/0x350
[   13.137896]  kasan_report+0x141/0x180
[   13.137916]  ? kmalloc_double_kzfree+0x19c/0x350
[   13.137941]  ? kmalloc_double_kzfree+0x19c/0x350
[   13.137963]  __kasan_check_byte+0x3d/0x50
[   13.137983]  kfree_sensitive+0x22/0x90
[   13.138005]  kmalloc_double_kzfree+0x19c/0x350
[   13.138026]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[   13.138050]  ? __pfx_queued_spin_lock_slowpath+0x10/0x10
[   13.138075]  ? __pfx_read_tsc+0x10/0x10
[   13.138095]  ? ktime_get_ts64+0x86/0x230
[   13.138119]  kunit_try_run_case+0x1a5/0x480
[   13.138143]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.138207]  ? _raw_spin_lock_irqsave+0xf9/0x100
[   13.138229]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.138252]  ? __kthread_parkme+0x82/0x180
[   13.138272]  ? preempt_count_sub+0x50/0x80
[   13.138315]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.138339]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.138382]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.138451]  kthread+0x337/0x6f0
[   13.138471]  ? trace_preempt_on+0x20/0xc0
[   13.138506]  ? __pfx_kthread+0x10/0x10
[   13.138526]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.138547]  ? calculate_sigpending+0x7b/0xa0
[   13.138570]  ? __pfx_kthread+0x10/0x10
[   13.138591]  ret_from_fork+0x116/0x1d0
[   13.138608]  ? __pfx_kthread+0x10/0x10
[   13.138628]  ret_from_fork_asm+0x1a/0x30
[   13.138657]  </TASK>
[   13.138668]
[   13.151792] Allocated by task 209:
[   13.152296]  kasan_save_stack+0x45/0x70
[   13.152696]  kasan_save_track+0x18/0x40
[   13.153002]  kasan_save_alloc_info+0x3b/0x50
[   13.153479]  __kasan_kmalloc+0xb7/0xc0
[   13.153621]  __kmalloc_cache_noprof+0x189/0x420
[   13.153783]  kmalloc_double_kzfree+0xa9/0x350
[   13.154029]  kunit_try_run_case+0x1a5/0x480
[   13.154420]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.154925]  kthread+0x337/0x6f0
[   13.155280]  ret_from_fork+0x116/0x1d0
[   13.155691]  ret_from_fork_asm+0x1a/0x30
[   13.156128]
[   13.156356] Freed by task 209:
[   13.156474]  kasan_save_stack+0x45/0x70
[   13.156613]  kasan_save_track+0x18/0x40
[   13.156749]  kasan_save_free_info+0x3f/0x60
[   13.157015]  __kasan_slab_free+0x56/0x70
[   13.157377]  kfree+0x222/0x3f0
[   13.157697]  kfree_sensitive+0x67/0x90
[   13.158202]  kmalloc_double_kzfree+0x12b/0x350
[   13.158682]  kunit_try_run_case+0x1a5/0x480
[   13.159131]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.159733]  kthread+0x337/0x6f0
[   13.160135]  ret_from_fork+0x116/0x1d0
[   13.160330]  ret_from_fork_asm+0x1a/0x30
[   13.160693]
[   13.160831] The buggy address belongs to the object at ffff8881023973c0
[   13.160831]  which belongs to the cache kmalloc-16 of size 16
[   13.161491] The buggy address is located 0 bytes inside of
[   13.161491]  freed 16-byte region [ffff8881023973c0, ffff8881023973d0)
[   13.161842]
[   13.162051] The buggy address belongs to the physical page:
[   13.162588] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102397
[   13.163458] flags: 0x200000000000000(node=0|zone=2)
[   13.163942] page_type: f5(slab)
[   13.164262] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   13.165038] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   13.165369] page dumped because: kasan: bad access detected
[   13.165856]
[   13.166078] Memory state around the buggy address:
[   13.166448]  ffff888102397280: 00 02 fc fc 00 02 fc fc 00 06 fc fc 00 06 fc fc
[   13.166671]  ffff888102397300: fa fb fc fc fa fb fc fc fa fb fc fc 00 05 fc fc
[   13.166937] >ffff888102397380: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[   13.167659]                                            ^
[   13.168247]  ffff888102397400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.168918]  ffff888102397480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.169413] ==================================================================
```