Date
June 25, 2025, 8:08 a.m.

Environment
qemu-arm64
qemu-x86_64

Note: both reports below are produced by the KASAN KUnit self-test `kmalloc_double_kzfree` (it appears in every call trace directly under `kunit_try_run_case`, and the kernel is tainted `[N]=TEST`). The test allocates a 16-byte `kmalloc-16` object and calls `kfree_sensitive()` on it twice; the "Freed by task" stack records the first free and the top of the report records the second, which KASAN rejects as a double-free. These are the expected positive detections that confirm the sanitizer is working, not evidence of a double-free bug in kernel code; an identical report outside the KASAN self-test (no `kunit_try_run_case` frame) would be a real bug. The first report (`linux,dummy-virt (DT)`) is the qemu-arm64 run and the second (`QEMU Standard PC (Q35 + ICH9, 2009)`) is the qemu-x86_64 run, both on 6.16.0-rc3-next-20250625.

[   26.865036] ==================================================================
[   26.865107] BUG: KASAN: double-free in kfree_sensitive+0x3c/0xb0
[   26.865313] Free of addr fff00000c3f9db40 by task kunit_try_catch/204
[   26.865739] 
[   26.865799] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250625 #1 PREEMPT 
[   26.865886] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.865913] Hardware name: linux,dummy-virt (DT)
[   26.866556] Call trace:
[   26.866611]  show_stack+0x20/0x38 (C)
[   26.866664]  dump_stack_lvl+0x8c/0xd0
[   26.866914]  print_report+0x118/0x608
[   26.867064]  kasan_report_invalid_free+0xc0/0xe8
[   26.867433]  check_slab_allocation+0xd4/0x108
[   26.867515]  __kasan_slab_pre_free+0x2c/0x48
[   26.867567]  kfree+0xe8/0x3c8
[   26.867845]  kfree_sensitive+0x3c/0xb0
[   26.867978]  kmalloc_double_kzfree+0x168/0x308
[   26.868046]  kunit_try_run_case+0x170/0x3f0
[   26.868101]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.868598]  kthread+0x328/0x630
[   26.868801]  ret_from_fork+0x10/0x20
[   26.869083] 
[   26.869285] Allocated by task 204:
[   26.869384]  kasan_save_stack+0x3c/0x68
[   26.869568]  kasan_save_track+0x20/0x40
[   26.869814]  kasan_save_alloc_info+0x40/0x58
[   26.869914]  __kasan_kmalloc+0xd4/0xd8
[   26.870159]  __kmalloc_cache_noprof+0x16c/0x3c0
[   26.870448]  kmalloc_double_kzfree+0xb8/0x308
[   26.870653]  kunit_try_run_case+0x170/0x3f0
[   26.870752]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.871101]  kthread+0x328/0x630
[   26.871383]  ret_from_fork+0x10/0x20
[   26.871525] 
[   26.871615] Freed by task 204:
[   26.871671]  kasan_save_stack+0x3c/0x68
[   26.872178]  kasan_save_track+0x20/0x40
[   26.872493]  kasan_save_free_info+0x4c/0x78
[   26.872714]  __kasan_slab_free+0x6c/0x98
[   26.872840]  kfree+0x214/0x3c8
[   26.872986]  kfree_sensitive+0x80/0xb0
[   26.873064]  kmalloc_double_kzfree+0x11c/0x308
[   26.873185]  kunit_try_run_case+0x170/0x3f0
[   26.873405]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.873815]  kthread+0x328/0x630
[   26.874356]  ret_from_fork+0x10/0x20
[   26.874567] 
[   26.874682] The buggy address belongs to the object at fff00000c3f9db40
[   26.874682]  which belongs to the cache kmalloc-16 of size 16
[   26.874844] The buggy address is located 0 bytes inside of
[   26.874844]  16-byte region [fff00000c3f9db40, fff00000c3f9db50)
[   26.875205] 
[   26.875352] The buggy address belongs to the physical page:
[   26.875659] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f9d
[   26.875870] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   26.876128] page_type: f5(slab)
[   26.876362] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122
[   26.876532] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   26.876840] page dumped because: kasan: bad access detected
[   26.876989] 
[   26.877053] Memory state around the buggy address:
[   26.877087]  fff00000c3f9da00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   26.877500]  fff00000c3f9da80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   26.877694] >fff00000c3f9db00: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[   26.877819]                                            ^
[   26.877971]  fff00000c3f9db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.878340]  fff00000c3f9dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.878510] ==================================================================

[   22.255360] ==================================================================
[   22.255864] BUG: KASAN: double-free in kfree_sensitive+0x2e/0x90
[   22.256404] Free of addr ffff8881016c54a0 by task kunit_try_catch/221
[   22.256934] 
[   22.257138] CPU: 0 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250625 #1 PREEMPT(voluntary) 
[   22.257251] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.257266] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.257287] Call Trace:
[   22.257302]  <TASK>
[   22.257321]  dump_stack_lvl+0x73/0xb0
[   22.257351]  print_report+0xd1/0x650
[   22.257374]  ? __virt_addr_valid+0x1db/0x2d0
[   22.257400]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.257426]  ? kfree_sensitive+0x2e/0x90
[   22.257451]  kasan_report_invalid_free+0x10a/0x130
[   22.257476]  ? kfree_sensitive+0x2e/0x90
[   22.257501]  ? kfree_sensitive+0x2e/0x90
[   22.257525]  check_slab_allocation+0x101/0x130
[   22.257547]  __kasan_slab_pre_free+0x28/0x40
[   22.257568]  kfree+0xf0/0x3f0
[   22.257590]  ? kfree_sensitive+0x2e/0x90
[   22.257615]  kfree_sensitive+0x2e/0x90
[   22.257638]  kmalloc_double_kzfree+0x19c/0x350
[   22.257661]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[   22.257685]  ? __schedule+0x10cc/0x2b60
[   22.257710]  ? __pfx_read_tsc+0x10/0x10
[   22.257733]  ? ktime_get_ts64+0x86/0x230
[   22.257758]  kunit_try_run_case+0x1a5/0x480
[   22.257785]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.257854]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.257881]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.257908]  ? __kthread_parkme+0x82/0x180
[   22.257929]  ? preempt_count_sub+0x50/0x80
[   22.257966]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.257991]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.258016]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.258040]  kthread+0x337/0x6f0
[   22.258060]  ? trace_preempt_on+0x20/0xc0
[   22.258084]  ? __pfx_kthread+0x10/0x10
[   22.258105]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.258129]  ? calculate_sigpending+0x7b/0xa0
[   22.258154]  ? __pfx_kthread+0x10/0x10
[   22.258176]  ret_from_fork+0x116/0x1d0
[   22.258196]  ? __pfx_kthread+0x10/0x10
[   22.258217]  ret_from_fork_asm+0x1a/0x30
[   22.258248]  </TASK>
[   22.258261] 
[   22.269803] Allocated by task 221:
[   22.269973]  kasan_save_stack+0x45/0x70
[   22.270173]  kasan_save_track+0x18/0x40
[   22.270466]  kasan_save_alloc_info+0x3b/0x50
[   22.270654]  __kasan_kmalloc+0xb7/0xc0
[   22.270800]  __kmalloc_cache_noprof+0x189/0x420
[   22.271058]  kmalloc_double_kzfree+0xa9/0x350
[   22.271203]  kunit_try_run_case+0x1a5/0x480
[   22.271364]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.271601]  kthread+0x337/0x6f0
[   22.271790]  ret_from_fork+0x116/0x1d0
[   22.272128]  ret_from_fork_asm+0x1a/0x30
[   22.272282] 
[   22.272377] Freed by task 221:
[   22.272508]  kasan_save_stack+0x45/0x70
[   22.272630]  kasan_save_track+0x18/0x40
[   22.272773]  kasan_save_free_info+0x3f/0x60
[   22.273253]  __kasan_slab_free+0x56/0x70
[   22.273430]  kfree+0x222/0x3f0
[   22.273568]  kfree_sensitive+0x67/0x90
[   22.273710]  kmalloc_double_kzfree+0x12b/0x350
[   22.273931]  kunit_try_run_case+0x1a5/0x480
[   22.274148]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.274318]  kthread+0x337/0x6f0
[   22.274426]  ret_from_fork+0x116/0x1d0
[   22.274544]  ret_from_fork_asm+0x1a/0x30
[   22.274674] 
[   22.274759] The buggy address belongs to the object at ffff8881016c54a0
[   22.274759]  which belongs to the cache kmalloc-16 of size 16
[   22.275617] The buggy address is located 0 bytes inside of
[   22.275617]  16-byte region [ffff8881016c54a0, ffff8881016c54b0)
[   22.276150] 
[   22.276345] The buggy address belongs to the physical page:
[   22.276571] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1016c5
[   22.276848] flags: 0x200000000000000(node=0|zone=2)
[   22.277032] page_type: f5(slab)
[   22.277143] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   22.277428] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   22.277845] page dumped because: kasan: bad access detected
[   22.278250] 
[   22.278344] Memory state around the buggy address:
[   22.278500]  ffff8881016c5380: fa fb fc fc fa fb fc fc fa fb fc fc 00 05 fc fc
[   22.278766]  ffff8881016c5400: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   22.279365] >ffff8881016c5480: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   22.279629]                                ^
[   22.279797]  ffff8881016c5500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.280136]  ffff8881016c5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.280342] ==================================================================