Date
June 19, 2025, 12:07 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64

```text
[ 30.807398] ==================================================================
[ 30.807597] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 30.807747] Read of size 1 at addr fff00000c4726d20 by task kunit_try_catch/203
[ 30.808121]
[ 30.808217] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT
[ 30.808463] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.808582] Hardware name: linux,dummy-virt (DT)
[ 30.808801] Call trace:
[ 30.808917]  show_stack+0x20/0x38 (C)
[ 30.809212]  dump_stack_lvl+0x8c/0xd0
[ 30.809666]  print_report+0x118/0x608
[ 30.809823]  kasan_report+0xdc/0x128
[ 30.809961]  __kasan_check_byte+0x54/0x70
[ 30.810069]  kfree_sensitive+0x30/0xb0
[ 30.810256]  kmalloc_double_kzfree+0x168/0x308
[ 30.810407]  kunit_try_run_case+0x170/0x3f0
[ 30.810555]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.810722]  kthread+0x328/0x630
[ 30.810833]  ret_from_fork+0x10/0x20
[ 30.810992]
[ 30.811067] Allocated by task 203:
[ 30.811162]  kasan_save_stack+0x3c/0x68
[ 30.811299]  kasan_save_track+0x20/0x40
[ 30.811385]  kasan_save_alloc_info+0x40/0x58
[ 30.811477]  __kasan_kmalloc+0xd4/0xd8
[ 30.811608]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.811861]  kmalloc_double_kzfree+0xb8/0x308
[ 30.812207]  kunit_try_run_case+0x170/0x3f0
[ 30.812352]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.812511]  kthread+0x328/0x630
[ 30.812627]  ret_from_fork+0x10/0x20
[ 30.812742]
[ 30.812790] Freed by task 203:
[ 30.812863]  kasan_save_stack+0x3c/0x68
[ 30.812964]  kasan_save_track+0x20/0x40
[ 30.813052]  kasan_save_free_info+0x4c/0x78
[ 30.813488]  __kasan_slab_free+0x6c/0x98
[ 30.813624]  kfree+0x214/0x3c8
[ 30.813756]  kfree_sensitive+0x80/0xb0
[ 30.813857]  kmalloc_double_kzfree+0x11c/0x308
[ 30.813968]  kunit_try_run_case+0x170/0x3f0
[ 30.814160]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.814263]  kthread+0x328/0x630
[ 30.814474]  ret_from_fork+0x10/0x20
[ 30.814630]
[ 30.814708] The buggy address belongs to the object at fff00000c4726d20
[ 30.814708]  which belongs to the cache kmalloc-16 of size 16
[ 30.814964] The buggy address is located 0 bytes inside of
[ 30.814964]  freed 16-byte region [fff00000c4726d20, fff00000c4726d30)
[ 30.815146]
[ 30.815226] The buggy address belongs to the physical page:
[ 30.815350] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104726
[ 30.815542] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.815684] page_type: f5(slab)
[ 30.815812] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122
[ 30.816361] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 30.816478] page dumped because: kasan: bad access detected
[ 30.816568]
[ 30.816619] Memory state around the buggy address:
[ 30.816701]  fff00000c4726c00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.816938]  fff00000c4726c80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.817065] >fff00000c4726d00: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 30.817174]                                ^
[ 30.817253]  fff00000c4726d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.817796]  fff00000c4726e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.817963] ==================================================================
```
qemu-x86_64

```text
[ 27.339526] ==================================================================
[ 27.340618] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[ 27.342010] Read of size 1 at addr ffff8881022a26c0 by task kunit_try_catch/221
[ 27.342488]
[ 27.342661] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary)
[ 27.342748] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.342763] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.342790] Call Trace:
[ 27.342810]  <TASK>
[ 27.342837]  dump_stack_lvl+0x73/0xb0
[ 27.342909]  print_report+0xd1/0x650
[ 27.342948]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.342976]  ? kmalloc_double_kzfree+0x19c/0x350
[ 27.343001]  ? kasan_complete_mode_report_info+0x64/0x200
[ 27.343029]  ? kmalloc_double_kzfree+0x19c/0x350
[ 27.343053]  kasan_report+0x141/0x180
[ 27.343076]  ? kmalloc_double_kzfree+0x19c/0x350
[ 27.343123]  ? kmalloc_double_kzfree+0x19c/0x350
[ 27.343150]  __kasan_check_byte+0x3d/0x50
[ 27.343173]  kfree_sensitive+0x22/0x90
[ 27.343198]  kmalloc_double_kzfree+0x19c/0x350
[ 27.343222]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[ 27.343246]  ? __schedule+0x10cc/0x2b60
[ 27.343271]  ? __pfx_read_tsc+0x10/0x10
[ 27.343295]  ? ktime_get_ts64+0x86/0x230
[ 27.343323]  kunit_try_run_case+0x1a5/0x480
[ 27.343351]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.343374]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.343398]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.343422]  ? __kthread_parkme+0x82/0x180
[ 27.343445]  ? preempt_count_sub+0x50/0x80
[ 27.343471]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.343495]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.343519]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.343543]  kthread+0x337/0x6f0
[ 27.343564]  ? trace_preempt_on+0x20/0xc0
[ 27.343589]  ? __pfx_kthread+0x10/0x10
[ 27.343611]  ? _raw_spin_unlock_irq+0x47/0x80
[ 27.343633]  ? calculate_sigpending+0x7b/0xa0
[ 27.343659]  ? __pfx_kthread+0x10/0x10
[ 27.343681]  ret_from_fork+0x116/0x1d0
[ 27.343702]  ? __pfx_kthread+0x10/0x10
[ 27.343723]  ret_from_fork_asm+0x1a/0x30
[ 27.343756]  </TASK>
[ 27.343769]
[ 27.355092] Allocated by task 221:
[ 27.355514]  kasan_save_stack+0x45/0x70
[ 27.355943]  kasan_save_track+0x18/0x40
[ 27.356253]  kasan_save_alloc_info+0x3b/0x50
[ 27.356448]  __kasan_kmalloc+0xb7/0xc0
[ 27.356621]  __kmalloc_cache_noprof+0x189/0x420
[ 27.356822]  kmalloc_double_kzfree+0xa9/0x350
[ 27.357183]  kunit_try_run_case+0x1a5/0x480
[ 27.357552]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.358020]  kthread+0x337/0x6f0
[ 27.358327]  ret_from_fork+0x116/0x1d0
[ 27.358656]  ret_from_fork_asm+0x1a/0x30
[ 27.358967]
[ 27.359060] Freed by task 221:
[ 27.359356]  kasan_save_stack+0x45/0x70
[ 27.359650]  kasan_save_track+0x18/0x40
[ 27.359827]  kasan_save_free_info+0x3f/0x60
[ 27.360151]  __kasan_slab_free+0x56/0x70
[ 27.360501]  kfree+0x222/0x3f0
[ 27.360779]  kfree_sensitive+0x67/0x90
[ 27.361167]  kmalloc_double_kzfree+0x12b/0x350
[ 27.361462]  kunit_try_run_case+0x1a5/0x480
[ 27.361819]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.362093]  kthread+0x337/0x6f0
[ 27.362398]  ret_from_fork+0x116/0x1d0
[ 27.362743]  ret_from_fork_asm+0x1a/0x30
[ 27.363029]
[ 27.363210] The buggy address belongs to the object at ffff8881022a26c0
[ 27.363210]  which belongs to the cache kmalloc-16 of size 16
[ 27.363873] The buggy address is located 0 bytes inside of
[ 27.363873]  freed 16-byte region [ffff8881022a26c0, ffff8881022a26d0)
[ 27.364558]
[ 27.364678] The buggy address belongs to the physical page:
[ 27.364893] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022a2
[ 27.365406] flags: 0x200000000000000(node=0|zone=2)
[ 27.365822] page_type: f5(slab)
[ 27.366179] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[ 27.366752] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 27.367378] page dumped because: kasan: bad access detected
[ 27.367695]
[ 27.367799] Memory state around the buggy address:
[ 27.368034]  ffff8881022a2580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 27.368578]  ffff8881022a2600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 27.369146] >ffff8881022a2680: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 27.369648]                                            ^
[ 27.369969]  ffff8881022a2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.370411]  ffff8881022a2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.370967] ==================================================================
```