Hay
Date
Dec. 5, 2024, 2:07 p.m.

Environment
qemu-arm64
qemu-x86_64

[   31.270965] ==================================================================
[   31.271697] BUG: KASAN: double-free in kmem_cache_double_free+0x190/0x3c8
[   31.273346] Free of addr fff00000c6530000 by task kunit_try_catch/198
[   31.274121] 
[   31.274483] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241205 #1
[   31.275610] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.276406] Hardware name: linux,dummy-virt (DT)
[   31.277330] Call trace:
[   31.277917]  show_stack+0x20/0x38 (C)
[   31.278668]  dump_stack_lvl+0x8c/0xd0
[   31.279579]  print_report+0x118/0x5e0
[   31.280183]  kasan_report_invalid_free+0xb0/0xd8
[   31.280809]  check_slab_allocation+0xd4/0x108
[   31.281360]  __kasan_slab_pre_free+0x2c/0x48
[   31.282076]  kmem_cache_free+0xf0/0x470
[   31.282670]  kmem_cache_double_free+0x190/0x3c8
[   31.283735]  kunit_try_run_case+0x14c/0x3d0
[   31.284384]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.285209]  kthread+0x24c/0x2d0
[   31.285757]  ret_from_fork+0x10/0x20
[   31.286252] 
[   31.286632] Allocated by task 198:
[   31.287968]  kasan_save_stack+0x3c/0x68
[   31.288520]  kasan_save_track+0x20/0x40
[   31.289113]  kasan_save_alloc_info+0x40/0x58
[   31.289778]  __kasan_slab_alloc+0xa8/0xb0
[   31.290392]  kmem_cache_alloc_noprof+0x108/0x398
[   31.291044]  kmem_cache_double_free+0x12c/0x3c8
[   31.291632]  kunit_try_run_case+0x14c/0x3d0
[   31.292538]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.293253]  kthread+0x24c/0x2d0
[   31.293769]  ret_from_fork+0x10/0x20
[   31.294465] 
[   31.294831] Freed by task 198:
[   31.295651]  kasan_save_stack+0x3c/0x68
[   31.296158]  kasan_save_track+0x20/0x40
[   31.296809]  kasan_save_free_info+0x4c/0x78
[   31.297381]  __kasan_slab_free+0x6c/0x98
[   31.298001]  kmem_cache_free+0x118/0x470
[   31.298591]  kmem_cache_double_free+0x140/0x3c8
[   31.299134]  kunit_try_run_case+0x14c/0x3d0
[   31.300089]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.300752]  kthread+0x24c/0x2d0
[   31.301380]  ret_from_fork+0x10/0x20
[   31.302011] 
[   31.302392] The buggy address belongs to the object at fff00000c6530000
[   31.302392]  which belongs to the cache test_cache of size 200
[   31.304384] The buggy address is located 0 bytes inside of
[   31.304384]  200-byte region [fff00000c6530000, fff00000c65300c8)
[   31.305849] 
[   31.306325] The buggy address belongs to the physical page:
[   31.307328] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106530
[   31.308560] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.309553] page_type: f5(slab)
[   31.310034] raw: 0bfffe0000000000 fff00000c1608a00 dead000000000122 0000000000000000
[   31.311194] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   31.312434] page dumped because: kasan: bad access detected
[   31.313301] 
[   31.313644] Memory state around the buggy address:
[   31.314348]  fff00000c652ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.315420]  fff00000c652ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.316574] >fff00000c6530000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.317384]                    ^
[   31.317793]  fff00000c6530080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   31.318834]  fff00000c6530100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.320090] ==================================================================

[   29.111392] ==================================================================
[   29.112184] BUG: KASAN: double-free in kmem_cache_double_free+0x1e6/0x490
[   29.113077] Free of addr ffff888101aba000 by task kunit_try_catch/216
[   29.113593] 
[   29.114011] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241205 #1
[   29.115225] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.115830] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   29.116728] Call Trace:
[   29.117014]  <TASK>
[   29.117261]  dump_stack_lvl+0x73/0xb0
[   29.117808]  print_report+0xd1/0x640
[   29.118285]  ? __virt_addr_valid+0x1db/0x2d0
[   29.118871]  ? kmem_cache_double_free+0x1e6/0x490
[   29.119367]  ? kasan_complete_mode_report_info+0x64/0x200
[   29.120154]  ? kmem_cache_double_free+0x1e6/0x490
[   29.120755]  kasan_report_invalid_free+0xc0/0xf0
[   29.121260]  ? kmem_cache_double_free+0x1e6/0x490
[   29.121727]  ? kmem_cache_double_free+0x1e6/0x490
[   29.122302]  check_slab_allocation+0x101/0x130
[   29.122926]  __kasan_slab_pre_free+0x28/0x40
[   29.123484]  kmem_cache_free+0xee/0x420
[   29.124038]  ? kmem_cache_alloc_noprof+0x11e/0x3e0
[   29.124532]  ? kmem_cache_double_free+0x1e6/0x490
[   29.125368]  kmem_cache_double_free+0x1e6/0x490
[   29.126175]  ? __pfx_kmem_cache_double_free+0x10/0x10
[   29.126731]  ? finish_task_switch.isra.0+0x153/0x700
[   29.127290]  ? __switch_to+0x5d9/0xf60
[   29.127610]  ? __pfx_read_tsc+0x10/0x10
[   29.128443]  ? ktime_get_ts64+0x86/0x230
[   29.128979]  kunit_try_run_case+0x1b3/0x490
[   29.129548]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.130143]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   29.130743]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   29.131449]  ? __kthread_parkme+0x82/0x160
[   29.131930]  ? preempt_count_sub+0x50/0x80
[   29.132499]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.133002]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   29.133757]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.134338]  kthread+0x257/0x310
[   29.134904]  ? __pfx_kthread+0x10/0x10
[   29.135266]  ret_from_fork+0x41/0x80
[   29.135706]  ? __pfx_kthread+0x10/0x10
[   29.136230]  ret_from_fork_asm+0x1a/0x30
[   29.136630]  </TASK>
[   29.137056] 
[   29.137302] Allocated by task 216:
[   29.137897]  kasan_save_stack+0x3d/0x60
[   29.138244]  kasan_save_track+0x18/0x40
[   29.138634]  kasan_save_alloc_info+0x3b/0x50
[   29.139241]  __kasan_slab_alloc+0x91/0xa0
[   29.139744]  kmem_cache_alloc_noprof+0x11e/0x3e0
[   29.140278]  kmem_cache_double_free+0x150/0x490
[   29.140904]  kunit_try_run_case+0x1b3/0x490
[   29.141351]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.142046]  kthread+0x257/0x310
[   29.142436]  ret_from_fork+0x41/0x80
[   29.142971]  ret_from_fork_asm+0x1a/0x30
[   29.143435] 
[   29.143721] Freed by task 216:
[   29.144036]  kasan_save_stack+0x3d/0x60
[   29.144612]  kasan_save_track+0x18/0x40
[   29.145092]  kasan_save_free_info+0x3f/0x60
[   29.145546]  __kasan_slab_free+0x56/0x70
[   29.145974]  kmem_cache_free+0x120/0x420
[   29.146423]  kmem_cache_double_free+0x16b/0x490
[   29.147041]  kunit_try_run_case+0x1b3/0x490
[   29.147486]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.148124]  kthread+0x257/0x310
[   29.148571]  ret_from_fork+0x41/0x80
[   29.149063]  ret_from_fork_asm+0x1a/0x30
[   29.149512] 
[   29.149820] The buggy address belongs to the object at ffff888101aba000
[   29.149820]  which belongs to the cache test_cache of size 200
[   29.150958] The buggy address is located 0 bytes inside of
[   29.150958]  200-byte region [ffff888101aba000, ffff888101aba0c8)
[   29.152026] 
[   29.152256] The buggy address belongs to the physical page:
[   29.152755] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101aba
[   29.153411] flags: 0x200000000000000(node=0|zone=2)
[   29.154146] page_type: f5(slab)
[   29.154458] raw: 0200000000000000 ffff8881011e5c80 dead000000000122 0000000000000000
[   29.155222] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   29.156013] page dumped because: kasan: bad access detected
[   29.156654] 
[   29.156947] Memory state around the buggy address:
[   29.157482]  ffff888101ab9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.158233]  ffff888101ab9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.158831] >ffff888101aba000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.159491]                    ^
[   29.160043]  ffff888101aba080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   29.160727]  ffff888101aba100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.161426] ==================================================================