Hay
Sign in
Date
June 24, 2025, 11:37 a.m.

Environment
dragonboard-845c
qemu-arm64
qemu-x86_64 

[   39.974708] ==================================================================
[   39.989344] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[   39.996846] Read of size 1 at addr ffff0000946612e0 by task kunit_try_catch/290
[   40.004255] 
[   40.005784] CPU: 5 UID: 0 PID: 290 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   40.005814] Tainted: [B]=BAD_PAGE, [N]=TEST
[   40.005823] Hardware name: Thundercomm Dragonboard 845c (DT)
[   40.005835] Call trace:
[   40.005841]  show_stack+0x20/0x38 (C)
[   40.005859]  dump_stack_lvl+0x8c/0xd0
[   40.005878]  print_report+0x118/0x608
[   40.005898]  kasan_report+0xdc/0x128
[   40.005915]  __kasan_check_byte+0x54/0x70
[   40.005934]  kfree_sensitive+0x30/0xb0
[   40.005954]  kmalloc_double_kzfree+0x168/0x308
[   40.005973]  kunit_try_run_case+0x170/0x3f0
[   40.005993]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   40.006013]  kthread+0x328/0x630
[   40.006028]  ret_from_fork+0x10/0x20
[   40.006045] 
[   40.074972] Allocated by task 290:
[   40.078427]  kasan_save_stack+0x3c/0x68
[   40.082335]  kasan_save_track+0x20/0x40
[   40.086239]  kasan_save_alloc_info+0x40/0x58
[   40.090574]  __kasan_kmalloc+0xd4/0xd8
[   40.094389]  __kmalloc_cache_noprof+0x16c/0x3c0
[   40.098987]  kmalloc_double_kzfree+0xb8/0x308
[   40.103406]  kunit_try_run_case+0x170/0x3f0
[   40.107655]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   40.113220]  kthread+0x328/0x630
[   40.116500]  ret_from_fork+0x10/0x20
[   40.120131] 
[   40.121654] Freed by task 290:
[   40.124757]  kasan_save_stack+0x3c/0x68
[   40.128662]  kasan_save_track+0x20/0x40
[   40.132565]  kasan_save_free_info+0x4c/0x78
[   40.136813]  __kasan_slab_free+0x6c/0x98
[   40.140803]  kfree+0x214/0x3c8
[   40.143912]  kfree_sensitive+0x80/0xb0
[   40.147725]  kmalloc_double_kzfree+0x11c/0x308
[   40.152236]  kunit_try_run_case+0x170/0x3f0
[   40.156485]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   40.162050]  kthread+0x328/0x630
[   40.165331]  ret_from_fork+0x10/0x20
[   40.168970] 
[   40.170494] The buggy address belongs to the object at ffff0000946612e0
[   40.170494]  which belongs to the cache kmalloc-16 of size 16
[   40.182974] The buggy address is located 0 bytes inside of
[   40.182974]  freed 16-byte region [ffff0000946612e0, ffff0000946612f0)
[   40.195106] 
[   40.196637] The buggy address belongs to the physical page:
[   40.202279] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114661
[   40.210379] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   40.216990] page_type: f5(slab)
[   40.220187] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[   40.228028] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   40.235863] page dumped because: kasan: bad access detected
[   40.241505] 
[   40.243037] Memory state around the buggy address:
[   40.247897]  ffff000094661180: fa fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[   40.255206]  ffff000094661200: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   40.262511] >ffff000094661280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   40.269823]                                                        ^
[   40.276258]  ffff000094661300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.283572]  ffff000094661380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.290878] ==================================================================
Metadata Full log Test run details 

[   33.286681] ==================================================================
[   33.286860] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[   33.287804] Read of size 1 at addr fff00000c5757320 by task kunit_try_catch/203
[   33.288055] 
[   33.288285] CPU: 0 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   33.289936] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.290146] Hardware name: linux,dummy-virt (DT)
[   33.290929] Call trace:
[   33.291138]  show_stack+0x20/0x38 (C)
[   33.292188]  dump_stack_lvl+0x8c/0xd0
[   33.292436]  print_report+0x118/0x608
[   33.292697]  kasan_report+0xdc/0x128
[   33.293037]  __kasan_check_byte+0x54/0x70
[   33.293330]  kfree_sensitive+0x30/0xb0
[   33.293796]  kmalloc_double_kzfree+0x168/0x308
[   33.294271]  kunit_try_run_case+0x170/0x3f0
[   33.295478]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.296080]  kthread+0x328/0x630
[   33.296460]  ret_from_fork+0x10/0x20
[   33.296907] 
[   33.297036] Allocated by task 203:
[   33.297197]  kasan_save_stack+0x3c/0x68
[   33.297453]  kasan_save_track+0x20/0x40
[   33.297630]  kasan_save_alloc_info+0x40/0x58
[   33.298127]  __kasan_kmalloc+0xd4/0xd8
[   33.298263]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.298380]  kmalloc_double_kzfree+0xb8/0x308
[   33.298483]  kunit_try_run_case+0x170/0x3f0
[   33.298573]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.298678]  kthread+0x328/0x630
[   33.298763]  ret_from_fork+0x10/0x20
[   33.298849] 
[   33.298912] Freed by task 203:
[   33.299599]  kasan_save_stack+0x3c/0x68
[   33.299769]  kasan_save_track+0x20/0x40
[   33.299925]  kasan_save_free_info+0x4c/0x78
[   33.300263]  __kasan_slab_free+0x6c/0x98
[   33.300751]  kfree+0x214/0x3c8
[   33.301127]  kfree_sensitive+0x80/0xb0
[   33.301435]  kmalloc_double_kzfree+0x11c/0x308
[   33.301770]  kunit_try_run_case+0x170/0x3f0
[   33.302273]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.302686]  kthread+0x328/0x630
[   33.303185]  ret_from_fork+0x10/0x20
[   33.303371] 
[   33.303427] The buggy address belongs to the object at fff00000c5757320
[   33.303427]  which belongs to the cache kmalloc-16 of size 16
[   33.303737] The buggy address is located 0 bytes inside of
[   33.303737]  freed 16-byte region [fff00000c5757320, fff00000c5757330)
[   33.304134] 
[   33.304225] The buggy address belongs to the physical page:
[   33.304410] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105757
[   33.304770] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.304988] page_type: f5(slab)
[   33.305320] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   33.305953] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   33.306013] page dumped because: kasan: bad access detected
[   33.306055] 
[   33.306086] Memory state around the buggy address:
[   33.306170]  fff00000c5757200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[   33.306230]  fff00000c5757280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   33.306285] >fff00000c5757300: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   33.306331]                                ^
[   33.306384]  fff00000c5757380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.306437]  fff00000c5757400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.306482] ==================================================================
Metadata Full log Test run details 

[   29.482498] ==================================================================
[   29.483513] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[   29.484560] Read of size 1 at addr ffff8881022bd720 by task kunit_try_catch/222
[   29.485015] 
[   29.485361] CPU: 1 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary) 
[   29.485740] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.485797] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   29.485950] Call Trace:
[   29.486026]  <TASK>
[   29.486084]  dump_stack_lvl+0x73/0xb0
[   29.486162]  print_report+0xd1/0x650
[   29.486213]  ? __virt_addr_valid+0x1db/0x2d0
[   29.486266]  ? kmalloc_double_kzfree+0x19c/0x350
[   29.486314]  ? kasan_complete_mode_report_info+0x64/0x200
[   29.486369]  ? kmalloc_double_kzfree+0x19c/0x350
[   29.486418]  kasan_report+0x141/0x180
[   29.486469]  ? kmalloc_double_kzfree+0x19c/0x350
[   29.486535]  ? kmalloc_double_kzfree+0x19c/0x350
[   29.486612]  __kasan_check_byte+0x3d/0x50
[   29.486671]  kfree_sensitive+0x22/0x90
[   29.486738]  kmalloc_double_kzfree+0x19c/0x350
[   29.486790]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[   29.486853]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[   29.486914]  kunit_try_run_case+0x1a5/0x480
[   29.486970]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.487016]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   29.487056]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   29.487179]  ? __kthread_parkme+0x82/0x180
[   29.487210]  ? preempt_count_sub+0x50/0x80
[   29.487241]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.487273]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.487305]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   29.487335]  kthread+0x337/0x6f0
[   29.487361]  ? trace_preempt_on+0x20/0xc0
[   29.487391]  ? __pfx_kthread+0x10/0x10
[   29.487418]  ? _raw_spin_unlock_irq+0x47/0x80
[   29.487448]  ? calculate_sigpending+0x7b/0xa0
[   29.487478]  ? __pfx_kthread+0x10/0x10
[   29.487505]  ret_from_fork+0x116/0x1d0
[   29.487533]  ? __pfx_kthread+0x10/0x10
[   29.487583]  ret_from_fork_asm+0x1a/0x30
[   29.487624]  </TASK>
[   29.487644] 
[   29.505229] Allocated by task 222:
[   29.505873]  kasan_save_stack+0x45/0x70
[   29.506132]  kasan_save_track+0x18/0x40
[   29.506661]  kasan_save_alloc_info+0x3b/0x50
[   29.507030]  __kasan_kmalloc+0xb7/0xc0
[   29.507602]  __kmalloc_cache_noprof+0x189/0x420
[   29.507844]  kmalloc_double_kzfree+0xa9/0x350
[   29.508927]  kunit_try_run_case+0x1a5/0x480
[   29.509677]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.510028]  kthread+0x337/0x6f0
[   29.510575]  ret_from_fork+0x116/0x1d0
[   29.511049]  ret_from_fork_asm+0x1a/0x30
[   29.511507] 
[   29.511933] Freed by task 222:
[   29.512145]  kasan_save_stack+0x45/0x70
[   29.512521]  kasan_save_track+0x18/0x40
[   29.512783]  kasan_save_free_info+0x3f/0x60
[   29.513493]  __kasan_slab_free+0x56/0x70
[   29.514025]  kfree+0x222/0x3f0
[   29.514950]  kfree_sensitive+0x67/0x90
[   29.515407]  kmalloc_double_kzfree+0x12b/0x350
[   29.515663]  kunit_try_run_case+0x1a5/0x480
[   29.515910]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.516353]  kthread+0x337/0x6f0
[   29.516938]  ret_from_fork+0x116/0x1d0
[   29.517708]  ret_from_fork_asm+0x1a/0x30
[   29.518081] 
[   29.518222] The buggy address belongs to the object at ffff8881022bd720
[   29.518222]  which belongs to the cache kmalloc-16 of size 16
[   29.519114] The buggy address is located 0 bytes inside of
[   29.519114]  freed 16-byte region [ffff8881022bd720, ffff8881022bd730)
[   29.521115] 
[   29.521308] The buggy address belongs to the physical page:
[   29.522044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022bd
[   29.522671] flags: 0x200000000000000(node=0|zone=2)
[   29.523027] page_type: f5(slab)
[   29.523374] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[   29.523987] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   29.524298] page dumped because: kasan: bad access detected
[   29.524725] 
[   29.524935] Memory state around the buggy address:
[   29.526041]  ffff8881022bd600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   29.526712]  ffff8881022bd680: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   29.527578] >ffff8881022bd700: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   29.528596]                                ^
[   29.528853]  ffff8881022bd780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.529622]  ffff8881022bd800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.530326] ==================================================================
Metadata Full log Test run details