Date
May 30, 2025, 4:14 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
| x15 |
```
[ 34.871989] ==================================================================
[ 34.872176] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 34.872310] Read of size 1 at addr ffff000801e2c140 by task kunit_try_catch/259
[ 34.875874]
[ 34.877361] CPU: 5 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 34.877419] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 34.877436] Hardware name: WinLink E850-96 board (DT)
[ 34.877458] Call trace:
[ 34.877477] show_stack+0x20/0x38 (C)
[ 34.877515] dump_stack_lvl+0x8c/0xd0
[ 34.877552] print_report+0x118/0x608
[ 34.877587] kasan_report+0xdc/0x128
[ 34.877620] __kasan_check_byte+0x54/0x70
[ 34.877653] kmem_cache_destroy+0x34/0x218
[ 34.877689] kmem_cache_double_destroy+0x174/0x300
[ 34.877722] kunit_try_run_case+0x170/0x3f0
[ 34.877756] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.877796] kthread+0x328/0x630
[ 34.877826] ret_from_fork+0x10/0x20
[ 34.877862]
[ 34.944970] Allocated by task 259:
[ 34.948358] kasan_save_stack+0x3c/0x68
[ 34.952175] kasan_save_track+0x20/0x40
[ 34.955996] kasan_save_alloc_info+0x40/0x58
[ 34.960248] __kasan_slab_alloc+0xa8/0xb0
[ 34.964241] kmem_cache_alloc_noprof+0x10c/0x3a0
[ 34.968841] __kmem_cache_create_args+0x178/0x280
[ 34.973528] kmem_cache_double_destroy+0xc0/0x300
[ 34.978216] kunit_try_run_case+0x170/0x3f0
[ 34.982383] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.987851] kthread+0x328/0x630
[ 34.991064] ret_from_fork+0x10/0x20
[ 34.994622]
[ 34.996099] Freed by task 259:
[ 34.999137] kasan_save_stack+0x3c/0x68
[ 35.002955] kasan_save_track+0x20/0x40
[ 35.006775] kasan_save_free_info+0x4c/0x78
[ 35.010941] __kasan_slab_free+0x6c/0x98
[ 35.014847] kmem_cache_free+0x260/0x470
[ 35.018754] slab_kmem_cache_release+0x38/0x50
[ 35.023181] kmem_cache_release+0x1c/0x30
[ 35.027174] kobject_put+0x17c/0x430
[ 35.030734] sysfs_slab_release+0x1c/0x30
[ 35.034726] kmem_cache_destroy+0x118/0x218
[ 35.038892] kmem_cache_double_destroy+0x128/0x300
[ 35.043666] kunit_try_run_case+0x170/0x3f0
[ 35.047833] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.053302] kthread+0x328/0x630
[ 35.056513] ret_from_fork+0x10/0x20
[ 35.060072]
[ 35.061550] The buggy address belongs to the object at ffff000801e2c140
[ 35.061550] which belongs to the cache kmem_cache of size 208
[ 35.073963] The buggy address is located 0 bytes inside of
[ 35.073963] freed 208-byte region [ffff000801e2c140, ffff000801e2c210)
[ 35.086027]
[ 35.087505] The buggy address belongs to the physical page:
[ 35.093063] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881e2c
[ 35.101047] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 35.108686] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 35.115629] page_type: f5(slab)
[ 35.118766] raw: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 35.126484] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 35.134212] head: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 35.142022] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 35.149835] head: 0bfffe0000000001 fffffdffe0078b01 00000000ffffffff 00000000ffffffff
[ 35.157647] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 35.165453] page dumped because: kasan: bad access detected
[ 35.171010]
[ 35.172483] Memory state around the buggy address:
[ 35.177265] ffff000801e2c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.184467] ffff000801e2c080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 35.191673] >ffff000801e2c100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 35.198872] ^
[ 35.204171] ffff000801e2c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.211377] ffff000801e2c200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.218577] ==================================================================
```
```
[ 27.114254] ==================================================================
[ 27.114548] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 27.115021] Read of size 1 at addr fff00000c5bfedc0 by task kunit_try_catch/216
[ 27.115161]
[ 27.115783] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 27.116132] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.116208] Hardware name: linux,dummy-virt (DT)
[ 27.116303] Call trace:
[ 27.116366] show_stack+0x20/0x38 (C)
[ 27.116492] dump_stack_lvl+0x8c/0xd0
[ 27.117406] print_report+0x118/0x608
[ 27.117565] kasan_report+0xdc/0x128
[ 27.118161] __kasan_check_byte+0x54/0x70
[ 27.118960] kmem_cache_destroy+0x34/0x218
[ 27.119100] kmem_cache_double_destroy+0x174/0x300
[ 27.119238] kunit_try_run_case+0x170/0x3f0
[ 27.119764] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.120003] kthread+0x328/0x630
[ 27.120184] ret_from_fork+0x10/0x20
[ 27.120308]
[ 27.120359] Allocated by task 216:
[ 27.120433] kasan_save_stack+0x3c/0x68
[ 27.120757] kasan_save_track+0x20/0x40
[ 27.120864] kasan_save_alloc_info+0x40/0x58
[ 27.120955] __kasan_slab_alloc+0xa8/0xb0
[ 27.121052] kmem_cache_alloc_noprof+0x10c/0x3a0
[ 27.121156] __kmem_cache_create_args+0x178/0x280
[ 27.121266] kmem_cache_double_destroy+0xc0/0x300
[ 27.121366] kunit_try_run_case+0x170/0x3f0
[ 27.121481] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.121589] kthread+0x328/0x630
[ 27.121676] ret_from_fork+0x10/0x20
[ 27.122507]
[ 27.122660] Freed by task 216:
[ 27.122754] kasan_save_stack+0x3c/0x68
[ 27.122810] kasan_save_track+0x20/0x40
[ 27.122948] kasan_save_free_info+0x4c/0x78
[ 27.123051] __kasan_slab_free+0x6c/0x98
[ 27.123162] kmem_cache_free+0x260/0x470
[ 27.123270] slab_kmem_cache_release+0x38/0x50
[ 27.123578] kmem_cache_release+0x1c/0x30
[ 27.123702] kobject_put+0x17c/0x430
[ 27.123970] sysfs_slab_release+0x1c/0x30
[ 27.124168] kmem_cache_destroy+0x118/0x218
[ 27.124283] kmem_cache_double_destroy+0x128/0x300
[ 27.126721] kunit_try_run_case+0x170/0x3f0
[ 27.126841] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.126967] kthread+0x328/0x630
[ 27.127071] ret_from_fork+0x10/0x20
[ 27.127256]
[ 27.127310] The buggy address belongs to the object at fff00000c5bfedc0
[ 27.127310] which belongs to the cache kmem_cache of size 208
[ 27.127720] The buggy address is located 0 bytes inside of
[ 27.127720] freed 208-byte region [fff00000c5bfedc0, fff00000c5bfee90)
[ 27.128991]
[ 27.129048] The buggy address belongs to the physical page:
[ 27.129622] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bfe
[ 27.129823] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 27.130468] page_type: f5(slab)
[ 27.130605] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[ 27.130846] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 27.131404] page dumped because: kasan: bad access detected
[ 27.131500]
[ 27.131615] Memory state around the buggy address:
[ 27.131827] fff00000c5bfec80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.132004] fff00000c5bfed00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 27.132113] >fff00000c5bfed80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 27.132217] ^
[ 27.132348] fff00000c5bfee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.132556] fff00000c5bfee80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.132829] ==================================================================
```
```
[ 19.712374] ==================================================================
[ 19.713099] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[ 19.714360] Read of size 1 at addr ffff8881022d33c0 by task kunit_try_catch/232
[ 19.714941]
[ 19.715415] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 19.715699] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.715736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.715801] Call Trace:
[ 19.715842] <TASK>
[ 19.715979] dump_stack_lvl+0x73/0xb0
[ 19.716088] print_report+0xd1/0x650
[ 19.716184] ? __virt_addr_valid+0x1db/0x2d0
[ 19.716270] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.716344] ? kasan_complete_mode_report_info+0x64/0x200
[ 19.716440] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.716517] kasan_report+0x141/0x180
[ 19.716594] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.716676] ? kmem_cache_double_destroy+0x1bf/0x380
[ 19.716772] __kasan_check_byte+0x3d/0x50
[ 19.716837] kmem_cache_destroy+0x25/0x1d0
[ 19.716877] kmem_cache_double_destroy+0x1bf/0x380
[ 19.716908] ? __pfx_kmem_cache_double_destroy+0x10/0x10
[ 19.716937] ? finish_task_switch.isra.0+0x153/0x700
[ 19.716970] ? __switch_to+0x47/0xf50
[ 19.717043] ? __pfx_read_tsc+0x10/0x10
[ 19.717079] ? ktime_get_ts64+0x86/0x230
[ 19.717114] kunit_try_run_case+0x1a5/0x480
[ 19.717149] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.717234] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 19.717319] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.717359] ? __kthread_parkme+0x82/0x180
[ 19.717390] ? preempt_count_sub+0x50/0x80
[ 19.717422] ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.717452] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.717488] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.717525] kthread+0x337/0x6f0
[ 19.717552] ? trace_preempt_on+0x20/0xc0
[ 19.717586] ? __pfx_kthread+0x10/0x10
[ 19.717614] ? _raw_spin_unlock_irq+0x47/0x80
[ 19.717648] ? calculate_sigpending+0x7b/0xa0
[ 19.717683] ? __pfx_kthread+0x10/0x10
[ 19.717733] ret_from_fork+0x116/0x1d0
[ 19.717768] ? __pfx_kthread+0x10/0x10
[ 19.717799] ret_from_fork_asm+0x1a/0x30
[ 19.717842] </TASK>
[ 19.717856]
[ 19.737015] Allocated by task 232:
[ 19.737417] kasan_save_stack+0x45/0x70
[ 19.737856] kasan_save_track+0x18/0x40
[ 19.738290] kasan_save_alloc_info+0x3b/0x50
[ 19.738762] __kasan_slab_alloc+0x91/0xa0
[ 19.739169] kmem_cache_alloc_noprof+0x123/0x3f0
[ 19.739631] __kmem_cache_create_args+0x169/0x240
[ 19.740331] kmem_cache_double_destroy+0xd5/0x380
[ 19.740787] kunit_try_run_case+0x1a5/0x480
[ 19.741191] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.741751] kthread+0x337/0x6f0
[ 19.742116] ret_from_fork+0x116/0x1d0
[ 19.742873] ret_from_fork_asm+0x1a/0x30
[ 19.743223]
[ 19.743637] Freed by task 232:
[ 19.744287] kasan_save_stack+0x45/0x70
[ 19.744642] kasan_save_track+0x18/0x40
[ 19.744961] kasan_save_free_info+0x3f/0x60
[ 19.745313] __kasan_slab_free+0x56/0x70
[ 19.745929] kmem_cache_free+0x249/0x420
[ 19.746609] slab_kmem_cache_release+0x2e/0x40
[ 19.747497] kmem_cache_release+0x16/0x20
[ 19.748012] kobject_put+0x181/0x450
[ 19.748627] sysfs_slab_release+0x16/0x20
[ 19.749007] kmem_cache_destroy+0xf0/0x1d0
[ 19.749339] kmem_cache_double_destroy+0x14e/0x380
[ 19.749897] kunit_try_run_case+0x1a5/0x480
[ 19.750446] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.751177] kthread+0x337/0x6f0
[ 19.751549] ret_from_fork+0x116/0x1d0
[ 19.752042] ret_from_fork_asm+0x1a/0x30
[ 19.752367]
[ 19.752587] The buggy address belongs to the object at ffff8881022d33c0
[ 19.752587] which belongs to the cache kmem_cache of size 208
[ 19.754090] The buggy address is located 0 bytes inside of
[ 19.754090] freed 208-byte region [ffff8881022d33c0, ffff8881022d3490)
[ 19.755153]
[ 19.755462] The buggy address belongs to the physical page:
[ 19.756027] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022d3
[ 19.756747] flags: 0x200000000000000(node=0|zone=2)
[ 19.757170] page_type: f5(slab)
[ 19.757538] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[ 19.759123] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 19.760704] page dumped because: kasan: bad access detected
[ 19.761199]
[ 19.761431] Memory state around the buggy address:
[ 19.761885] ffff8881022d3280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.762397] ffff8881022d3300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 19.763029] >ffff8881022d3380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 19.763652] ^
[ 19.764515] ffff8881022d3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.765175] ffff8881022d3480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.765890] ==================================================================
```
```
[ 61.545806] ==================================================================
[ 61.557067] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1e8/0x398
[ 61.564880] Read of size 1 at addr cc85a400 by task kunit_try_catch/267
[ 61.571563]
[ 61.573059] CPU: 1 UID: 0 PID: 267 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 61.573120] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 61.573120] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 61.573150] Call trace:
[ 61.573150] unwind_backtrace from show_stack+0x18/0x1c
[ 61.573211] show_stack from dump_stack_lvl+0x70/0x90
[ 61.573242] dump_stack_lvl from print_report+0x158/0x528
[ 61.573272] print_report from kasan_report+0xdc/0x118
[ 61.573303] kasan_report from __kasan_check_byte+0x34/0x3c
[ 61.573333] __kasan_check_byte from kmem_cache_destroy+0x24/0x1ec
[ 61.573394] kmem_cache_destroy from kmem_cache_double_destroy+0x1e8/0x398
[ 61.573425] kmem_cache_double_destroy from kunit_try_run_case+0x22c/0x5a8
[ 61.573455] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.573516] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 61.573547] kthread from ret_from_fork+0x14/0x20
[ 61.573577] Exception stack(0xf23b3fb0 to 0xf23b3ff8)
[ 61.573608] 3fa0: 00000000 00000000 00000000 00000000
[ 61.573638] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 61.573638] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 61.573669]
[ 61.693176] Allocated by task 267:
[ 61.696624] kasan_save_track+0x30/0x5c
[ 61.700469] __kasan_slab_alloc+0x60/0x68
[ 61.704528] kmem_cache_alloc_noprof+0x17c/0x36c
[ 61.709167] __kmem_cache_create_args+0x1c0/0x2c0
[ 61.713928] kmem_cache_double_destroy+0xc0/0x398
[ 61.718658] kunit_try_run_case+0x22c/0x5a8
[ 61.722869] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.728393] kthread+0x464/0x810
[ 61.731658] ret_from_fork+0x14/0x20
[ 61.735260]
[ 61.736755] Freed by task 267:
[ 61.739837] kasan_save_track+0x30/0x5c
[ 61.743713] kasan_save_free_info+0x3c/0x48
[ 61.747924] __kasan_slab_free+0x40/0x50
[ 61.751892] kmem_cache_free+0x100/0x470
[ 61.755828] kobject_put+0x21c/0x678
[ 61.759460] kmem_cache_double_destroy+0x168/0x398
[ 61.764282] kunit_try_run_case+0x22c/0x5a8
[ 61.768493] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 61.774017] kthread+0x464/0x810
[ 61.777282] ret_from_fork+0x14/0x20
[ 61.780883]
[ 61.782379] The buggy address belongs to the object at cc85a400
[ 61.782379] which belongs to the cache kmem_cache of size 132
[ 61.794189] The buggy address is located 0 bytes inside of
[ 61.794189] freed 132-byte region [cc85a400, cc85a484)
[ 61.804962]
[ 61.806457] The buggy address belongs to the physical page:
[ 61.812072] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c85a
[ 61.819366] flags: 0x0(zone=0)
[ 61.822448] page_type: f5(slab)
[ 61.825592] raw: 00000000 c7001000 00000122 00000000 00000000 80100010 f5000000 00000000
[ 61.833740] raw: 00000000
[ 61.836395] page dumped because: kasan: bad access detected
[ 61.841979]
[ 61.843505] Memory state around the buggy address:
[ 61.848327] cc85a300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.854888] cc85a380: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.861450] >cc85a400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.868041] ^
[ 61.870574] cc85a480: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.877166] cc85a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.883728] ==================================================================
```