Hay
Sign in
Date
May 12, 2025, 11:48 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   18.155369] ==================================================================
[   18.156099] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   18.156303] Read of size 1 at addr fff00000c1096c80 by task kunit_try_catch/215
[   18.156403] 
[   18.156659] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250512 #1 PREEMPT 
[   18.157385] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.157456] Hardware name: linux,dummy-virt (DT)
[   18.157533] Call trace:
[   18.157588]  show_stack+0x20/0x38 (C)
[   18.157703]  dump_stack_lvl+0x8c/0xd0
[   18.158434]  print_report+0x118/0x608
[   18.158717]  kasan_report+0xdc/0x128
[   18.159197]  __kasan_check_byte+0x54/0x70
[   18.159392]  kmem_cache_destroy+0x34/0x218
[   18.159807]  kmem_cache_double_destroy+0x174/0x300
[   18.160088]  kunit_try_run_case+0x170/0x3f0
[   18.160207]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.160315]  kthread+0x328/0x630
[   18.160793]  ret_from_fork+0x10/0x20
[   18.161125] 
[   18.161385] Allocated by task 215:
[   18.161478]  kasan_save_stack+0x3c/0x68
[   18.161562]  kasan_save_track+0x20/0x40
[   18.161637]  kasan_save_alloc_info+0x40/0x58
[   18.161720]  __kasan_slab_alloc+0xa8/0xb0
[   18.161998]  kmem_cache_alloc_noprof+0x10c/0x3a0
[   18.162317]  __kmem_cache_create_args+0x178/0x280
[   18.162777]  kmem_cache_double_destroy+0xc0/0x300
[   18.162882]  kunit_try_run_case+0x170/0x3f0
[   18.163201]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.163445]  kthread+0x328/0x630
[   18.163579]  ret_from_fork+0x10/0x20
[   18.163722] 
[   18.163761] Freed by task 215:
[   18.163998]  kasan_save_stack+0x3c/0x68
[   18.164284]  kasan_save_track+0x20/0x40
[   18.164381]  kasan_save_free_info+0x4c/0x78
[   18.164656]  __kasan_slab_free+0x6c/0x98
[   18.164767]  kmem_cache_free+0x260/0x470
[   18.164841]  slab_kmem_cache_release+0x38/0x50
[   18.165311]  kmem_cache_release+0x1c/0x30
[   18.165407]  kobject_put+0x17c/0x430
[   18.166047]  sysfs_slab_release+0x1c/0x30
[   18.166208]  kmem_cache_destroy+0x118/0x218
[   18.166467]  kmem_cache_double_destroy+0x128/0x300
[   18.166550]  kunit_try_run_case+0x170/0x3f0
[   18.166632]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.166713]  kthread+0x328/0x630
[   18.167132]  ret_from_fork+0x10/0x20
[   18.167216] 
[   18.167627] The buggy address belongs to the object at fff00000c1096c80
[   18.167627]  which belongs to the cache kmem_cache of size 208
[   18.167765] The buggy address is located 0 bytes inside of
[   18.167765]  freed 208-byte region [fff00000c1096c80, fff00000c1096d50)
[   18.168157] 
[   18.168317] The buggy address belongs to the physical page:
[   18.168389] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101096
[   18.168732] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.168856] page_type: f5(slab)
[   18.168935] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   18.169055] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   18.169797] page dumped because: kasan: bad access detected
[   18.170008] 
[   18.170275] Memory state around the buggy address:
[   18.170539]  fff00000c1096b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.170745]  fff00000c1096c00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.170847] >fff00000c1096c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.170985]                    ^
[   18.171078]  fff00000c1096d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   18.171382]  fff00000c1096d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.171490] ==================================================================
Metadata Full log Test run details 

[   17.716570] ==================================================================
[   17.717352] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   17.717924] Read of size 1 at addr ffff888102b5a140 by task kunit_try_catch/232
[   17.718320] 
[   17.718445] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250512 #1 PREEMPT(voluntary) 
[   17.718509] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.718523] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.718550] Call Trace:
[   17.718567]  <TASK>
[   17.718591]  dump_stack_lvl+0x73/0xb0
[   17.718636]  print_report+0xd1/0x650
[   17.718664]  ? __virt_addr_valid+0x1db/0x2d0
[   17.718692]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.718719]  ? kasan_complete_mode_report_info+0x64/0x200
[   17.718743]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.719092]  kasan_report+0x141/0x180
[   17.719120]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.719170]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.719198]  __kasan_check_byte+0x3d/0x50
[   17.719223]  kmem_cache_destroy+0x25/0x1d0
[   17.719251]  kmem_cache_double_destroy+0x1bf/0x380
[   17.719301]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   17.719328]  ? finish_task_switch.isra.0+0x153/0x700
[   17.719355]  ? __switch_to+0x47/0xf50
[   17.719387]  ? __pfx_read_tsc+0x10/0x10
[   17.719412]  ? ktime_get_ts64+0x86/0x230
[   17.719441]  kunit_try_run_case+0x1a5/0x480
[   17.719472]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.719496]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   17.719522]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   17.719546]  ? __kthread_parkme+0x82/0x180
[   17.719569]  ? preempt_count_sub+0x50/0x80
[   17.719593]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.719618]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.719643]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   17.719667]  kthread+0x337/0x6f0
[   17.719708]  ? trace_preempt_on+0x20/0xc0
[   17.719736]  ? __pfx_kthread+0x10/0x10
[   17.719758]  ? _raw_spin_unlock_irq+0x47/0x80
[   17.719780]  ? calculate_sigpending+0x7b/0xa0
[   17.719807]  ? __pfx_kthread+0x10/0x10
[   17.719830]  ret_from_fork+0x116/0x1d0
[   17.719850]  ? __pfx_kthread+0x10/0x10
[   17.719872]  ret_from_fork_asm+0x1a/0x30
[   17.719906]  </TASK>
[   17.719921] 
[   17.729239] Allocated by task 232:
[   17.729602]  kasan_save_stack+0x45/0x70
[   17.729923]  kasan_save_track+0x18/0x40
[   17.730103]  kasan_save_alloc_info+0x3b/0x50
[   17.730482]  __kasan_slab_alloc+0x91/0xa0
[   17.730744]  kmem_cache_alloc_noprof+0x123/0x3f0
[   17.731031]  __kmem_cache_create_args+0x169/0x240
[   17.731509]  kmem_cache_double_destroy+0xd5/0x380
[   17.731832]  kunit_try_run_case+0x1a5/0x480
[   17.732173]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.732495]  kthread+0x337/0x6f0
[   17.732741]  ret_from_fork+0x116/0x1d0
[   17.732972]  ret_from_fork_asm+0x1a/0x30
[   17.733421] 
[   17.733563] Freed by task 232:
[   17.733838]  kasan_save_stack+0x45/0x70
[   17.734166]  kasan_save_track+0x18/0x40
[   17.734450]  kasan_save_free_info+0x3f/0x60
[   17.734609]  __kasan_slab_free+0x56/0x70
[   17.734871]  kmem_cache_free+0x249/0x420
[   17.735230]  slab_kmem_cache_release+0x2e/0x40
[   17.735386]  kmem_cache_release+0x16/0x20
[   17.735782]  kobject_put+0x181/0x450
[   17.735927]  sysfs_slab_release+0x16/0x20
[   17.736217]  kmem_cache_destroy+0xf0/0x1d0
[   17.736493]  kmem_cache_double_destroy+0x14e/0x380
[   17.736694]  kunit_try_run_case+0x1a5/0x480
[   17.736813]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.737526]  kthread+0x337/0x6f0
[   17.737733]  ret_from_fork+0x116/0x1d0
[   17.737969]  ret_from_fork_asm+0x1a/0x30
[   17.738306] 
[   17.738430] The buggy address belongs to the object at ffff888102b5a140
[   17.738430]  which belongs to the cache kmem_cache of size 208
[   17.738900] The buggy address is located 0 bytes inside of
[   17.738900]  freed 208-byte region [ffff888102b5a140, ffff888102b5a210)
[   17.739506] 
[   17.739644] The buggy address belongs to the physical page:
[   17.739905] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b5a
[   17.740306] flags: 0x200000000000000(node=0|zone=2)
[   17.740638] page_type: f5(slab)
[   17.740789] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[   17.741435] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   17.741755] page dumped because: kasan: bad access detected
[   17.741983] 
[   17.742211] Memory state around the buggy address:
[   17.742387]  ffff888102b5a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.742731]  ffff888102b5a080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   17.743171] >ffff888102b5a100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   17.743524]                                            ^
[   17.743878]  ffff888102b5a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.744118]  ffff888102b5a200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.744519] ==================================================================
Metadata Full log Test run details