Date
May 30, 2025, 4:14 a.m.
Environment | |
---|---|
e850-96 | |
qemu-arm64 | |
qemu-x86_64 | |
x15 | |
[ 30.144184] ==================================================================
[ 30.158017] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 30.165392] Read of size 1 at addr ffff00080147da00 by task kunit_try_catch/236
[ 30.172681]
[ 30.174169] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 30.174225] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.174242] Hardware name: WinLink E850-96 board (DT)
[ 30.174263] Call trace:
[ 30.174277] show_stack+0x20/0x38 (C)
[ 30.174318] dump_stack_lvl+0x8c/0xd0
[ 30.174356] print_report+0x118/0x608
[ 30.174395] kasan_report+0xdc/0x128
[ 30.174427] __kasan_check_byte+0x54/0x70
[ 30.174459] kfree_sensitive+0x30/0xb0
[ 30.174494] kmalloc_double_kzfree+0x168/0x308
[ 30.174524] kunit_try_run_case+0x170/0x3f0
[ 30.174559] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.174597] kthread+0x328/0x630
[ 30.174628] ret_from_fork+0x10/0x20
[ 30.174663]
[ 30.241082] Allocated by task 236:
[ 30.244471] kasan_save_stack+0x3c/0x68
[ 30.248286] kasan_save_track+0x20/0x40
[ 30.252107] kasan_save_alloc_info+0x40/0x58
[ 30.256359] __kasan_kmalloc+0xd4/0xd8
[ 30.260092] __kmalloc_cache_noprof+0x15c/0x3c0
[ 30.264606] kmalloc_double_kzfree+0xb8/0x308
[ 30.268946] kunit_try_run_case+0x170/0x3f0
[ 30.273112] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.278581] kthread+0x328/0x630
[ 30.281793] ret_from_fork+0x10/0x20
[ 30.285352]
[ 30.286827] Freed by task 236:
[ 30.289866] kasan_save_stack+0x3c/0x68
[ 30.293685] kasan_save_track+0x20/0x40
[ 30.297504] kasan_save_free_info+0x4c/0x78
[ 30.301671] __kasan_slab_free+0x6c/0x98
[ 30.305579] kfree+0x214/0x3c8
[ 30.308615] kfree_sensitive+0x80/0xb0
[ 30.312348] kmalloc_double_kzfree+0x11c/0x308
[ 30.316774] kunit_try_run_case+0x170/0x3f0
[ 30.320942] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.326410] kthread+0x328/0x630
[ 30.329622] ret_from_fork+0x10/0x20
[ 30.333181]
[ 30.334658] The buggy address belongs to the object at ffff00080147da00
[ 30.334658] which belongs to the cache kmalloc-16 of size 16
[ 30.346985] The buggy address is located 0 bytes inside of
[ 30.346985] freed 16-byte region [ffff00080147da00, ffff00080147da10)
[ 30.358962]
[ 30.360441] The buggy address belongs to the physical page:
[ 30.365998] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88147d
[ 30.373982] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.380491] page_type: f5(slab)
[ 30.383627] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[ 30.391347] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 30.399067] page dumped because: kasan: bad access detected
[ 30.404622]
[ 30.406096] Memory state around the buggy address:
[ 30.410879] ffff00080147d900: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.418080] ffff00080147d980: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.425285] >ffff00080147da00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.432485] ^
[ 30.435701] ffff00080147da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.442905] ffff00080147db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.450107] ==================================================================
[ 25.162284] ==================================================================
[ 25.162417] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 25.162546] Read of size 1 at addr fff00000c5ed4d40 by task kunit_try_catch/193
[ 25.163747]
[ 25.163836] CPU: 0 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 25.164036] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.164096] Hardware name: linux,dummy-virt (DT)
[ 25.164168] Call trace:
[ 25.164222] show_stack+0x20/0x38 (C)
[ 25.164342] dump_stack_lvl+0x8c/0xd0
[ 25.164459] print_report+0x118/0x608
[ 25.164568] kasan_report+0xdc/0x128
[ 25.165319] __kasan_check_byte+0x54/0x70
[ 25.166113] kfree_sensitive+0x30/0xb0
[ 25.166242] kmalloc_double_kzfree+0x168/0x308
[ 25.166355] kunit_try_run_case+0x170/0x3f0
[ 25.166473] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.166599] kthread+0x328/0x630
[ 25.168092] ret_from_fork+0x10/0x20
[ 25.168768]
[ 25.168817] Allocated by task 193:
[ 25.168880] kasan_save_stack+0x3c/0x68
[ 25.168981] kasan_save_track+0x20/0x40
[ 25.169068] kasan_save_alloc_info+0x40/0x58
[ 25.169160] __kasan_kmalloc+0xd4/0xd8
[ 25.169256] __kmalloc_cache_noprof+0x15c/0x3c0
[ 25.169354] kmalloc_double_kzfree+0xb8/0x308
[ 25.169452] kunit_try_run_case+0x170/0x3f0
[ 25.169541] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.169650] kthread+0x328/0x630
[ 25.169760] ret_from_fork+0x10/0x20
[ 25.169847]
[ 25.169891] Freed by task 193:
[ 25.169950] kasan_save_stack+0x3c/0x68
[ 25.170047] kasan_save_track+0x20/0x40
[ 25.170140] kasan_save_free_info+0x4c/0x78
[ 25.170226] __kasan_slab_free+0x6c/0x98
[ 25.170316] kfree+0x214/0x3c8
[ 25.170405] kfree_sensitive+0x80/0xb0
[ 25.170489] kmalloc_double_kzfree+0x11c/0x308
[ 25.170583] kunit_try_run_case+0x170/0x3f0
[ 25.170675] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.174441] kthread+0x328/0x630
[ 25.175153] ret_from_fork+0x10/0x20
[ 25.175610]
[ 25.175661] The buggy address belongs to the object at fff00000c5ed4d40
[ 25.175661] which belongs to the cache kmalloc-16 of size 16
[ 25.175820] The buggy address is located 0 bytes inside of
[ 25.175820] freed 16-byte region [fff00000c5ed4d40, fff00000c5ed4d50)
[ 25.175963]
[ 25.176014] The buggy address belongs to the physical page:
[ 25.176087] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ed4
[ 25.176205] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.176320] page_type: f5(slab)
[ 25.176408] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 25.176529] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 25.176623] page dumped because: kasan: bad access detected
[ 25.176716]
[ 25.176762] Memory state around the buggy address:
[ 25.176856] fff00000c5ed4c00: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[ 25.176961] fff00000c5ed4c80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 25.177060] >fff00000c5ed4d00: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 25.177156] ^
[ 25.177232] fff00000c5ed4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.177347] fff00000c5ed4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.180649] ==================================================================
[ 18.734867] ==================================================================
[ 18.736388] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[ 18.737495] Read of size 1 at addr ffff888102b0a0e0 by task kunit_try_catch/209
[ 18.738990]
[ 18.739440] CPU: 0 UID: 0 PID: 209 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 18.739570] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.739609] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.739658] Call Trace:
[ 18.739679] <TASK>
[ 18.739708] dump_stack_lvl+0x73/0xb0
[ 18.740080] print_report+0xd1/0x650
[ 18.740121] ? __virt_addr_valid+0x1db/0x2d0
[ 18.740155] ? kmalloc_double_kzfree+0x19c/0x350
[ 18.740273] ? kasan_complete_mode_report_info+0x64/0x200
[ 18.740312] ? kmalloc_double_kzfree+0x19c/0x350
[ 18.740347] kasan_report+0x141/0x180
[ 18.740379] ? kmalloc_double_kzfree+0x19c/0x350
[ 18.740416] ? kmalloc_double_kzfree+0x19c/0x350
[ 18.740450] __kasan_check_byte+0x3d/0x50
[ 18.740481] kfree_sensitive+0x22/0x90
[ 18.740512] kmalloc_double_kzfree+0x19c/0x350
[ 18.740545] ? __pfx_kmalloc_double_kzfree+0x10/0x10
[ 18.740579] ? __schedule+0x10cc/0x2b60
[ 18.740612] ? __pfx_read_tsc+0x10/0x10
[ 18.740642] ? ktime_get_ts64+0x86/0x230
[ 18.740674] kunit_try_run_case+0x1a5/0x480
[ 18.740704] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.740739] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 18.740794] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.740829] ? __kthread_parkme+0x82/0x180
[ 18.740858] ? preempt_count_sub+0x50/0x80
[ 18.740889] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.740918] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.740952] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.740986] kthread+0x337/0x6f0
[ 18.741036] ? trace_preempt_on+0x20/0xc0
[ 18.741072] ? __pfx_kthread+0x10/0x10
[ 18.741102] ? _raw_spin_unlock_irq+0x47/0x80
[ 18.741135] ? calculate_sigpending+0x7b/0xa0
[ 18.741183] ? __pfx_kthread+0x10/0x10
[ 18.741231] ret_from_fork+0x116/0x1d0
[ 18.741257] ? __pfx_kthread+0x10/0x10
[ 18.741286] ret_from_fork_asm+0x1a/0x30
[ 18.741329] </TASK>
[ 18.741344]
[ 18.765102] Allocated by task 209:
[ 18.765735] kasan_save_stack+0x45/0x70
[ 18.766302] kasan_save_track+0x18/0x40
[ 18.767059] kasan_save_alloc_info+0x3b/0x50
[ 18.767666] __kasan_kmalloc+0xb7/0xc0
[ 18.768196] __kmalloc_cache_noprof+0x189/0x420
[ 18.768571] kmalloc_double_kzfree+0xa9/0x350
[ 18.769729] kunit_try_run_case+0x1a5/0x480
[ 18.770116] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.770979] kthread+0x337/0x6f0
[ 18.771401] ret_from_fork+0x116/0x1d0
[ 18.771765] ret_from_fork_asm+0x1a/0x30
[ 18.772658]
[ 18.772852] Freed by task 209:
[ 18.773159] kasan_save_stack+0x45/0x70
[ 18.774353] kasan_save_track+0x18/0x40
[ 18.774828] kasan_save_free_info+0x3f/0x60
[ 18.775560] __kasan_slab_free+0x56/0x70
[ 18.776216] kfree+0x222/0x3f0
[ 18.776797] kfree_sensitive+0x67/0x90
[ 18.777144] kmalloc_double_kzfree+0x12b/0x350
[ 18.778211] kunit_try_run_case+0x1a5/0x480
[ 18.778586] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.779394] kthread+0x337/0x6f0
[ 18.779743] ret_from_fork+0x116/0x1d0
[ 18.780166] ret_from_fork_asm+0x1a/0x30
[ 18.780507]
[ 18.780743] The buggy address belongs to the object at ffff888102b0a0e0
[ 18.780743] which belongs to the cache kmalloc-16 of size 16
[ 18.782111] The buggy address is located 0 bytes inside of
[ 18.782111] freed 16-byte region [ffff888102b0a0e0, ffff888102b0a0f0)
[ 18.783422]
[ 18.783615] The buggy address belongs to the physical page:
[ 18.784686] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b0a
[ 18.785395] flags: 0x200000000000000(node=0|zone=2)
[ 18.785860] page_type: f5(slab)
[ 18.786672] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 18.787501] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 18.788322] page dumped because: kasan: bad access detected
[ 18.789183]
[ 18.789412] Memory state around the buggy address:
[ 18.789782] ffff888102b09f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.791108] ffff888102b0a000: 00 02 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc
[ 18.791972] >ffff888102b0a080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 18.792700] ^
[ 18.793491] ffff888102b0a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.794626] ffff888102b0a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.796039] ==================================================================
[ 56.798736] ==================================================================
[ 56.813262] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x1f4/0x3a8
[ 56.820709] Read of size 1 at addr cc797880 by task kunit_try_catch/244
[ 56.827392]
[ 56.828887] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 56.828918] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 56.828918] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 56.828918] Call trace:
[ 56.828948] unwind_backtrace from show_stack+0x18/0x1c
[ 56.828979] show_stack from dump_stack_lvl+0x70/0x90
[ 56.828979] dump_stack_lvl from print_report+0x158/0x528
[ 56.829010] print_report from kasan_report+0xdc/0x118
[ 56.829040] kasan_report from __kasan_check_byte+0x34/0x3c
[ 56.829071] __kasan_check_byte from kfree_sensitive+0x20/0x6c
[ 56.829071] kfree_sensitive from kmalloc_double_kzfree+0x1f4/0x3a8
[ 56.829101] kmalloc_double_kzfree from kunit_try_run_case+0x22c/0x5a8
[ 56.829132] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 56.829162] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 56.829193] kthread from ret_from_fork+0x14/0x20
[ 56.829223] Exception stack(0xf2323fb0 to 0xf2323ff8)
[ 56.829223] 3fa0: 00000000 00000000 00000000 00000000
[ 56.829254] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.829254] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 56.829254]
[ 56.947418] Allocated by task 244:
[ 56.950836] kasan_save_track+0x30/0x5c
[ 56.954711] __kasan_kmalloc+0x8c/0x94
[ 56.958496] kmalloc_double_kzfree+0xcc/0x3a8
[ 56.962890] kunit_try_run_case+0x22c/0x5a8
[ 56.967102] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 56.972625] kthread+0x464/0x810
[ 56.975891] ret_from_fork+0x14/0x20
[ 56.979492]
[ 56.980987] Freed by task 244:
[ 56.984069] kasan_save_track+0x30/0x5c
[ 56.987915] kasan_save_free_info+0x3c/0x48
[ 56.992156] __kasan_slab_free+0x40/0x50
[ 56.996093] kfree+0xe8/0x384
[ 56.999084] kmalloc_double_kzfree+0x174/0x3a8
[ 57.003570] kunit_try_run_case+0x22c/0x5a8
[ 57.007781] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 57.013305] kthread+0x464/0x810
[ 57.016571] ret_from_fork+0x14/0x20
[ 57.020172]
[ 57.021667] The buggy address belongs to the object at cc797880
[ 57.021667] which belongs to the cache kmalloc-64 of size 64
[ 57.033416] The buggy address is located 0 bytes inside of
[ 57.033416] freed 64-byte region [cc797880, cc7978c0)
[ 57.044097]
[ 57.045593] The buggy address belongs to the physical page:
[ 57.051177] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c797
[ 57.058471] flags: 0x0(zone=0)
[ 57.061553] page_type: f5(slab)
[ 57.064697] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[ 57.072845] raw: 00000000
[ 57.075500] page dumped because: kasan: bad access detected
[ 57.081085]
[ 57.082611] Memory state around the buggy address:
[ 57.087432] cc797780: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.093994] cc797800: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.100555] >cc797880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 57.107147] ^
[ 57.109680] cc797900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.116271] cc797980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.122833] ==================================================================