Hay
Date
June 3, 2025, 7:38 a.m.

Environment
qemu-arm64
qemu-x86_64

Note: both reports below are produced by the KASAN KUnit self-test `kmem_cache_double_destroy` (see the `kunit_try_run_case` frames and the `[N]=TEST` taint flag). The traces show the cache being created in `__kmem_cache_create_args`, freed by a first `kmem_cache_destroy()` call from the test, and then read by a second `kmem_cache_destroy()` call from the same test function; the resulting slab-use-after-free splat on the freed `kmem_cache` object is the expected output of that test rather than, by itself, evidence of a kernel bug. The arm64 and x86_64 reports differ only in addresses and symbol offsets.

[   19.783213] ==================================================================
[   19.783303] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   19.783418] Read of size 1 at addr fff00000c65c9280 by task kunit_try_catch/215
[   19.783480] 
[   19.783520] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT 
[   19.783610] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.783638] Hardware name: linux,dummy-virt (DT)
[   19.783672] Call trace:
[   19.783698]  show_stack+0x20/0x38 (C)
[   19.783749]  dump_stack_lvl+0x8c/0xd0
[   19.783801]  print_report+0x118/0x608
[   19.783847]  kasan_report+0xdc/0x128
[   19.783892]  __kasan_check_byte+0x54/0x70
[   19.783939]  kmem_cache_destroy+0x34/0x218
[   19.783988]  kmem_cache_double_destroy+0x174/0x300
[   19.784043]  kunit_try_run_case+0x170/0x3f0
[   19.784093]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.784147]  kthread+0x328/0x630
[   19.784191]  ret_from_fork+0x10/0x20
[   19.784238] 
[   19.784257] Allocated by task 215:
[   19.784287]  kasan_save_stack+0x3c/0x68
[   19.784326]  kasan_save_track+0x20/0x40
[   19.784365]  kasan_save_alloc_info+0x40/0x58
[   19.784400]  __kasan_slab_alloc+0xa8/0xb0
[   19.784447]  kmem_cache_alloc_noprof+0x10c/0x398
[   19.784487]  __kmem_cache_create_args+0x178/0x280
[   19.784527]  kmem_cache_double_destroy+0xc0/0x300
[   19.784565]  kunit_try_run_case+0x170/0x3f0
[   19.784604]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.784648]  kthread+0x328/0x630
[   19.784679]  ret_from_fork+0x10/0x20
[   19.784715] 
[   19.784733] Freed by task 215:
[   19.784759]  kasan_save_stack+0x3c/0x68
[   19.784797]  kasan_save_track+0x20/0x40
[   19.784838]  kasan_save_free_info+0x4c/0x78
[   19.784874]  __kasan_slab_free+0x6c/0x98
[   19.784911]  kmem_cache_free+0x260/0x468
[   19.784947]  slab_kmem_cache_release+0x38/0x50
[   19.784986]  kmem_cache_release+0x1c/0x30
[   19.785022]  kobject_put+0x17c/0x420
[   19.785058]  sysfs_slab_release+0x1c/0x30
[   19.785094]  kmem_cache_destroy+0x118/0x218
[   19.785133]  kmem_cache_double_destroy+0x128/0x300
[   19.785171]  kunit_try_run_case+0x170/0x3f0
[   19.785209]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.785252]  kthread+0x328/0x630
[   19.785284]  ret_from_fork+0x10/0x20
[   19.785318] 
[   19.785339] The buggy address belongs to the object at fff00000c65c9280
[   19.785339]  which belongs to the cache kmem_cache of size 208
[   19.785396] The buggy address is located 0 bytes inside of
[   19.785396]  freed 208-byte region [fff00000c65c9280, fff00000c65c9350)
[   19.785466] 
[   19.785487] The buggy address belongs to the physical page:
[   19.785521] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065c9
[   19.785575] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.785630] page_type: f5(slab)
[   19.785672] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   19.785723] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   19.785765] page dumped because: kasan: bad access detected
[   19.785799] 
[   19.785816] Memory state around the buggy address:
[   19.785850]  fff00000c65c9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.785893]  fff00000c65c9200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.785937] >fff00000c65c9280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.785983]                    ^
[   19.786014]  fff00000c65c9300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   19.786055]  fff00000c65c9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.786095] ==================================================================


[   15.597414] ==================================================================
[   15.597876] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   15.598242] Read of size 1 at addr ffff888101117c80 by task kunit_try_catch/232
[   15.598749] 
[   15.599331] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250603 #1 PREEMPT(voluntary) 
[   15.599439] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.599465] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.599525] Call Trace:
[   15.599544]  <TASK>
[   15.599586]  dump_stack_lvl+0x73/0xb0
[   15.599647]  print_report+0xd1/0x650
[   15.599680]  ? __virt_addr_valid+0x1db/0x2d0
[   15.599761]  ? kmem_cache_double_destroy+0x1bf/0x380
[   15.599787]  ? kasan_complete_mode_report_info+0x64/0x200
[   15.599814]  ? kmem_cache_double_destroy+0x1bf/0x380
[   15.599838]  kasan_report+0x141/0x180
[   15.599864]  ? kmem_cache_double_destroy+0x1bf/0x380
[   15.599892]  ? kmem_cache_double_destroy+0x1bf/0x380
[   15.599917]  __kasan_check_byte+0x3d/0x50
[   15.599942]  kmem_cache_destroy+0x25/0x1d0
[   15.599970]  kmem_cache_double_destroy+0x1bf/0x380
[   15.600214]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   15.600266]  ? finish_task_switch.isra.0+0x153/0x700
[   15.600300]  ? __switch_to+0x47/0xf50
[   15.600334]  ? __pfx_read_tsc+0x10/0x10
[   15.600362]  ? ktime_get_ts64+0x86/0x230
[   15.600393]  kunit_try_run_case+0x1a5/0x480
[   15.600420]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.600441]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.600492]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.600520]  ? __kthread_parkme+0x82/0x180
[   15.600545]  ? preempt_count_sub+0x50/0x80
[   15.600570]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.600594]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.600622]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.600649]  kthread+0x337/0x6f0
[   15.600671]  ? trace_preempt_on+0x20/0xc0
[   15.600699]  ? __pfx_kthread+0x10/0x10
[   15.600724]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.600750]  ? calculate_sigpending+0x7b/0xa0
[   15.600779]  ? __pfx_kthread+0x10/0x10
[   15.600803]  ret_from_fork+0x116/0x1d0
[   15.600825]  ? __pfx_kthread+0x10/0x10
[   15.600848]  ret_from_fork_asm+0x1a/0x30
[   15.600882]  </TASK>
[   15.600897] 
[   15.610757] Allocated by task 232:
[   15.611008]  kasan_save_stack+0x45/0x70
[   15.611384]  kasan_save_track+0x18/0x40
[   15.611565]  kasan_save_alloc_info+0x3b/0x50
[   15.612236]  __kasan_slab_alloc+0x91/0xa0
[   15.612379]  kmem_cache_alloc_noprof+0x123/0x3f0
[   15.612585]  __kmem_cache_create_args+0x169/0x240
[   15.613073]  kmem_cache_double_destroy+0xd5/0x380
[   15.613288]  kunit_try_run_case+0x1a5/0x480
[   15.613577]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.613963]  kthread+0x337/0x6f0
[   15.614202]  ret_from_fork+0x116/0x1d0
[   15.614422]  ret_from_fork_asm+0x1a/0x30
[   15.614649] 
[   15.614881] Freed by task 232:
[   15.615060]  kasan_save_stack+0x45/0x70
[   15.615296]  kasan_save_track+0x18/0x40
[   15.615562]  kasan_save_free_info+0x3f/0x60
[   15.615970]  __kasan_slab_free+0x56/0x70
[   15.616539]  kmem_cache_free+0x249/0x420
[   15.616874]  slab_kmem_cache_release+0x2e/0x40
[   15.617009]  kmem_cache_release+0x16/0x20
[   15.617129]  kobject_put+0x181/0x450
[   15.617555]  sysfs_slab_release+0x16/0x20
[   15.617836]  kmem_cache_destroy+0xf0/0x1d0
[   15.618084]  kmem_cache_double_destroy+0x14e/0x380
[   15.618431]  kunit_try_run_case+0x1a5/0x480
[   15.618600]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.619099]  kthread+0x337/0x6f0
[   15.619390]  ret_from_fork+0x116/0x1d0
[   15.619606]  ret_from_fork_asm+0x1a/0x30
[   15.620272] 
[   15.620370] The buggy address belongs to the object at ffff888101117c80
[   15.620370]  which belongs to the cache kmem_cache of size 208
[   15.620888] The buggy address is located 0 bytes inside of
[   15.620888]  freed 208-byte region [ffff888101117c80, ffff888101117d50)
[   15.621351] 
[   15.621480] The buggy address belongs to the physical page:
[   15.621725] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101117
[   15.622150] flags: 0x200000000000000(node=0|zone=2)
[   15.622299] page_type: f5(slab)
[   15.622407] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[   15.623008] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   15.623408] page dumped because: kasan: bad access detected
[   15.623606] 
[   15.624035] Memory state around the buggy address:
[   15.624365]  ffff888101117b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.624771]  ffff888101117c00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.625014] >ffff888101117c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.625370]                    ^
[   15.625553]  ffff888101117d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   15.625946]  ffff888101117d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.626160] ==================================================================