Date
Dec. 5, 2024, 2:07 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.592028] ================================================================== [ 31.593523] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x17c/0x2f8 [ 31.594564] Read of size 1 at addr fff00000c56a0dc0 by task kunit_try_catch/204 [ 31.595801] [ 31.596424] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 31.597663] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.598295] Hardware name: linux,dummy-virt (DT) [ 31.598972] Call trace: [ 31.599924] show_stack+0x20/0x38 (C) [ 31.600696] dump_stack_lvl+0x8c/0xd0 [ 31.601662] print_report+0x118/0x5e0 [ 31.602387] kasan_report+0xc8/0x118 [ 31.603144] __kasan_check_byte+0x54/0x70 [ 31.604025] kmem_cache_destroy+0x34/0x218 [ 31.604826] kmem_cache_double_destroy+0x17c/0x2f8 [ 31.605656] kunit_try_run_case+0x14c/0x3d0 [ 31.606261] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.607077] kthread+0x24c/0x2d0 [ 31.607746] ret_from_fork+0x10/0x20 [ 31.608357] [ 31.608740] Allocated by task 204: [ 31.609842] kasan_save_stack+0x3c/0x68 [ 31.610452] kasan_save_track+0x20/0x40 [ 31.611024] kasan_save_alloc_info+0x40/0x58 [ 31.611538] __kasan_slab_alloc+0xa8/0xb0 [ 31.612642] kmem_cache_alloc_noprof+0x108/0x398 [ 31.613259] __kmem_cache_create_args+0x18c/0x2b0 [ 31.614037] kmem_cache_double_destroy+0xc8/0x2f8 [ 31.614701] kunit_try_run_case+0x14c/0x3d0 [ 31.615394] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.616187] kthread+0x24c/0x2d0 [ 31.616691] ret_from_fork+0x10/0x20 [ 31.617218] [ 31.617548] Freed by task 204: [ 31.618798] kasan_save_stack+0x3c/0x68 [ 31.619698] kasan_save_track+0x20/0x40 [ 31.620357] kasan_save_free_info+0x4c/0x78 [ 31.621043] __kasan_slab_free+0x6c/0x98 [ 31.621583] kmem_cache_free+0x118/0x470 [ 31.622200] slab_kmem_cache_release+0x38/0x50 [ 31.622868] kmem_cache_release+0x1c/0x30 [ 31.623794] kobject_put+0x17c/0x430 [ 31.624317] sysfs_slab_release+0x1c/0x30 [ 31.624897] kmem_cache_destroy+0x118/0x218 [ 31.625536] kmem_cache_double_destroy+0x130/0x2f8 [ 31.626564] kunit_try_run_case+0x14c/0x3d0 [ 31.627250] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.627986] kthread+0x24c/0x2d0 [ 31.628523] ret_from_fork+0x10/0x20 [ 31.629150] [ 31.629526] The buggy address belongs to the object at fff00000c56a0dc0 [ 31.629526] which belongs to the cache kmem_cache of size 208 [ 31.630966] The buggy address is located 0 bytes inside of [ 31.630966] freed 208-byte region [fff00000c56a0dc0, fff00000c56a0e90) [ 31.632753] [ 31.633055] The buggy address belongs to the physical page: [ 31.633787] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056a0 [ 31.635581] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.636433] page_type: f5(slab) [ 31.636924] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000 [ 31.637818] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 31.639013] page dumped because: kasan: bad access detected [ 31.640426] [ 31.640752] Memory state around the buggy address: [ 31.641361] fff00000c56a0c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.642197] fff00000c56a0d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 31.643544] >fff00000c56a0d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 31.644456] ^ [ 31.645157] fff00000c56a0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.646056] fff00000c56a0e80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.646985] ==================================================================
[ 29.345937] ================================================================== [ 29.346955] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bd/0x380 [ 29.348357] Read of size 1 at addr ffff888101d408c0 by task kunit_try_catch/222 [ 29.349768] [ 29.350257] CPU: 1 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 29.351198] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.351781] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 29.352629] Call Trace: [ 29.353309] <TASK> [ 29.353545] dump_stack_lvl+0x73/0xb0 [ 29.354087] print_report+0xd1/0x640 [ 29.354645] ? __virt_addr_valid+0x1db/0x2d0 [ 29.355558] ? kasan_complete_mode_report_info+0x64/0x200 [ 29.356074] kasan_report+0x102/0x140 [ 29.356641] ? kmem_cache_double_destroy+0x1bd/0x380 [ 29.357746] ? kmem_cache_double_destroy+0x1bd/0x380 [ 29.358593] ? kmem_cache_double_destroy+0x1bd/0x380 [ 29.359448] __kasan_check_byte+0x3d/0x50 [ 29.359991] kmem_cache_destroy+0x25/0x1d0 [ 29.360425] kmem_cache_double_destroy+0x1bd/0x380 [ 29.360968] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 29.361711] ? finish_task_switch.isra.0+0x153/0x700 [ 29.362171] ? __switch_to+0x5d9/0xf60 [ 29.363019] ? __pfx_empty_cache_ctor+0x10/0x10 [ 29.363887] ? __pfx_read_tsc+0x10/0x10 [ 29.364459] ? ktime_get_ts64+0x86/0x230 [ 29.365294] kunit_try_run_case+0x1b3/0x490 [ 29.365904] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.366475] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 29.367249] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 29.367837] ? __kthread_parkme+0x82/0x160 [ 29.368660] ? preempt_count_sub+0x50/0x80 [ 29.369250] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.369927] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 29.370485] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.371090] kthread+0x257/0x310 [ 29.371375] ? __pfx_kthread+0x10/0x10 [ 29.372094] ret_from_fork+0x41/0x80 [ 29.372763] ? __pfx_kthread+0x10/0x10 [ 29.373645] ret_from_fork_asm+0x1a/0x30 [ 29.374373] </TASK> [ 29.374566] [ 29.375315] Allocated by task 222: [ 29.375636] kasan_save_stack+0x3d/0x60 [ 29.376705] kasan_save_track+0x18/0x40 [ 29.377171] kasan_save_alloc_info+0x3b/0x50 [ 29.377977] __kasan_slab_alloc+0x91/0xa0 [ 29.378658] kmem_cache_alloc_noprof+0x11e/0x3e0 [ 29.379199] __kmem_cache_create_args+0x177/0x250 [ 29.379718] kmem_cache_double_destroy+0xd3/0x380 [ 29.380614] kunit_try_run_case+0x1b3/0x490 [ 29.381230] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.381762] kthread+0x257/0x310 [ 29.382288] ret_from_fork+0x41/0x80 [ 29.382724] ret_from_fork_asm+0x1a/0x30 [ 29.383280] [ 29.383538] Freed by task 222: [ 29.383990] kasan_save_stack+0x3d/0x60 [ 29.384317] kasan_save_track+0x18/0x40 [ 29.385471] kasan_save_free_info+0x3f/0x60 [ 29.385847] __kasan_slab_free+0x56/0x70 [ 29.386908] kmem_cache_free+0x120/0x420 [ 29.387916] slab_kmem_cache_release+0x2e/0x40 [ 29.388523] kmem_cache_release+0x16/0x20 [ 29.389354] kobject_put+0x181/0x450 [ 29.390608] sysfs_slab_release+0x16/0x20 [ 29.391538] kmem_cache_destroy+0xf0/0x1d0 [ 29.391829] kmem_cache_double_destroy+0x14c/0x380 [ 29.393338] kunit_try_run_case+0x1b3/0x490 [ 29.394305] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.394780] kthread+0x257/0x310 [ 29.395035] ret_from_fork+0x41/0x80 [ 29.395512] ret_from_fork_asm+0x1a/0x30 [ 29.396507] [ 29.396747] The buggy address belongs to the object at ffff888101d408c0 [ 29.396747] which belongs to the cache kmem_cache of size 208 [ 29.398885] The buggy address is located 0 bytes inside of [ 29.398885] freed 208-byte region [ffff888101d408c0, ffff888101d40990) [ 29.399589] [ 29.399745] The buggy address belongs to the physical page: [ 29.400106] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101d40 [ 29.400811] flags: 0x200000000000000(node=0|zone=2) [ 29.401522] page_type: f5(slab) [ 29.402042] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000 [ 29.403337] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 29.404370] page dumped because: kasan: bad access detected [ 29.404913] [ 29.405050] Memory state around the buggy address: [ 29.405646] ffff888101d40780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.407159] ffff888101d40800: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 29.407703] >ffff888101d40880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 29.409126] ^ [ 29.409655] ffff888101d40900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.410626] ffff888101d40980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.411792] ==================================================================