Date
June 26, 2025, 9:10 a.m.
Environment |
---|
dragonboard-845c |
qemu-arm64 |
qemu-x86_64 |
dragonboard-845c:

```
[ 46.348548] ==================================================================
[ 46.359901] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 46.367770] Read of size 1 at addr ffff000082248000 by task kunit_try_catch/301
[ 46.375176]
[ 46.376723] CPU: 3 UID: 0 PID: 301 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 46.376761] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 46.376772] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 46.376788] Call trace:
[ 46.376799]  show_stack+0x20/0x38 (C)
[ 46.376821]  dump_stack_lvl+0x8c/0xd0
[ 46.376845]  print_report+0x118/0x608
[ 46.376866]  kasan_report+0xdc/0x128
[ 46.376885]  __kasan_check_byte+0x54/0x70
[ 46.376905]  kmem_cache_destroy+0x34/0x218
[ 46.376929]  kmem_cache_double_destroy+0x174/0x300
[ 46.376948]  kunit_try_run_case+0x170/0x3f0
[ 46.376970]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.376993]  kthread+0x328/0x630
[ 46.377012]  ret_from_fork+0x10/0x20
[ 46.377034]
[ 46.446701] Allocated by task 301:
[ 46.450163]  kasan_save_stack+0x3c/0x68
[ 46.454074]  kasan_save_track+0x20/0x40
[ 46.457985]  kasan_save_alloc_info+0x40/0x58
[ 46.462325]  __kasan_slab_alloc+0xa8/0xb0
[ 46.466407]  kmem_cache_alloc_noprof+0x10c/0x398
[ 46.471111]  __kmem_cache_create_args+0x178/0x280
[ 46.475893]  kmem_cache_double_destroy+0xc0/0x300
[ 46.480674]  kunit_try_run_case+0x170/0x3f0
[ 46.484929]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.490503]  kthread+0x328/0x630
[ 46.493796]  ret_from_fork+0x10/0x20
[ 46.497435]
[ 46.498966] Freed by task 301:
[ 46.502080]  kasan_save_stack+0x3c/0x68
[ 46.505991]  kasan_save_track+0x20/0x40
[ 46.509902]  kasan_save_free_info+0x4c/0x78
[ 46.514155]  __kasan_slab_free+0x6c/0x98
[ 46.518153]  kmem_cache_free+0x260/0x468
[ 46.522150]  slab_kmem_cache_release+0x38/0x50
[ 46.526667]  kmem_cache_release+0x1c/0x30
[ 46.530748]  kobject_put+0x17c/0x420
[ 46.534388]  sysfs_slab_release+0x1c/0x30
[ 46.538472]  kmem_cache_destroy+0x118/0x218
[ 46.542725]  kmem_cache_double_destroy+0x128/0x300
[ 46.547596]  kunit_try_run_case+0x170/0x3f0
[ 46.551850]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.557420]  kthread+0x328/0x630
[ 46.560712]  ret_from_fork+0x10/0x20
[ 46.564352]
[ 46.565882] The buggy address belongs to the object at ffff000082248000
[ 46.565882]  which belongs to the cache kmem_cache of size 208
[ 46.578456] The buggy address is located 0 bytes inside of
[ 46.578456]  freed 208-byte region [ffff000082248000, ffff0000822480d0)
[ 46.590682]
[ 46.592221] The buggy address belongs to the physical page:
[ 46.597875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102248
[ 46.605985] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 46.613744] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 46.620812] page_type: f5(slab)
[ 46.624024] raw: 0bfffe0000000040 ffff000080002000 dead000000000122 0000000000000000
[ 46.631873] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 46.639718] head: 0bfffe0000000040 ffff000080002000 dead000000000122 0000000000000000
[ 46.647650] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 46.655583] head: 0bfffe0000000001 fffffdffc2089201 00000000ffffffff 00000000ffffffff
[ 46.663516] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 46.671445] page dumped because: kasan: bad access detected
[ 46.677091]
[ 46.678619] Memory state around the buggy address:
[ 46.683486]  ffff000082247f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.690800]  ffff000082247f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.698117] >ffff000082248000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.705429]                    ^
[ 46.708716]  ffff000082248080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 46.716033]  ffff000082248100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.723350] ==================================================================
```
qemu-arm64:

```
[ 28.219590] ==================================================================
[ 28.219667] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 28.219738] Read of size 1 at addr fff00000c56c2a00 by task kunit_try_catch/227
[ 28.219799]
[ 28.219836] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 28.219930] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.219959] Hardware name: linux,dummy-virt (DT)
[ 28.219992] Call trace:
[ 28.220015]  show_stack+0x20/0x38 (C)
[ 28.220133]  dump_stack_lvl+0x8c/0xd0
[ 28.220187]  print_report+0x118/0x608
[ 28.220234]  kasan_report+0xdc/0x128
[ 28.220280]  __kasan_check_byte+0x54/0x70
[ 28.220328]  kmem_cache_destroy+0x34/0x218
[ 28.220375]  kmem_cache_double_destroy+0x174/0x300
[ 28.220425]  kunit_try_run_case+0x170/0x3f0
[ 28.220476]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.220528]  kthread+0x328/0x630
[ 28.220571]  ret_from_fork+0x10/0x20
[ 28.220620]
[ 28.220638] Allocated by task 227:
[ 28.220668]  kasan_save_stack+0x3c/0x68
[ 28.220711]  kasan_save_track+0x20/0x40
[ 28.220749]  kasan_save_alloc_info+0x40/0x58
[ 28.220786]  __kasan_slab_alloc+0xa8/0xb0
[ 28.220824]  kmem_cache_alloc_noprof+0x10c/0x398
[ 28.220866]  __kmem_cache_create_args+0x178/0x280
[ 28.220906]  kmem_cache_double_destroy+0xc0/0x300
[ 28.220946]  kunit_try_run_case+0x170/0x3f0
[ 28.220984]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.221027]  kthread+0x328/0x630
[ 28.221068]  ret_from_fork+0x10/0x20
[ 28.221105]
[ 28.221123] Freed by task 227:
[ 28.221147]  kasan_save_stack+0x3c/0x68
[ 28.221184]  kasan_save_track+0x20/0x40
[ 28.221222]  kasan_save_free_info+0x4c/0x78
[ 28.221257]  __kasan_slab_free+0x6c/0x98
[ 28.221295]  kmem_cache_free+0x260/0x468
[ 28.221331]  slab_kmem_cache_release+0x38/0x50
[ 28.221370]  kmem_cache_release+0x1c/0x30
[ 28.221406]  kobject_put+0x17c/0x420
[ 28.221442]  sysfs_slab_release+0x1c/0x30
[ 28.221479]  kmem_cache_destroy+0x118/0x218
[ 28.221518]  kmem_cache_double_destroy+0x128/0x300
[ 28.221556]  kunit_try_run_case+0x170/0x3f0
[ 28.221594]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.221636]  kthread+0x328/0x630
[ 28.221669]  ret_from_fork+0x10/0x20
[ 28.221703]
[ 28.221722] The buggy address belongs to the object at fff00000c56c2a00
[ 28.221722]  which belongs to the cache kmem_cache of size 208
[ 28.221778] The buggy address is located 0 bytes inside of
[ 28.221778]  freed 208-byte region [fff00000c56c2a00, fff00000c56c2ad0)
[ 28.221837]
[ 28.221857] The buggy address belongs to the physical page:
[ 28.221890] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056c2
[ 28.221944] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 28.221995] page_type: f5(slab)
[ 28.222036] raw: 0bfffe0000000000 fff00000c0001000 dead000000000100 dead000000000122
[ 28.222094] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 28.222134] page dumped because: kasan: bad access detected
[ 28.222171]
[ 28.222188] Memory state around the buggy address:
[ 28.222221]  fff00000c56c2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.222263]  fff00000c56c2980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.222305] >fff00000c56c2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.222343]                    ^
[ 28.222368]  fff00000c56c2a80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 28.222409]  fff00000c56c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.222448] ==================================================================
```
qemu-x86_64:

```
[ 22.972442] ==================================================================
[ 22.973044] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[ 22.974461] Read of size 1 at addr ffff888101106500 by task kunit_try_catch/244
[ 22.974717]
[ 22.975161] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.975237] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.975250] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.975277] Call Trace:
[ 22.975296]  <TASK>
[ 22.975319]  dump_stack_lvl+0x73/0xb0
[ 22.975360]  print_report+0xd1/0x650
[ 22.975383]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.975410]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 22.975434]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.975460]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 22.975484]  kasan_report+0x141/0x180
[ 22.975505]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 22.975532]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 22.975555]  __kasan_check_byte+0x3d/0x50
[ 22.975578]  kmem_cache_destroy+0x25/0x1d0
[ 22.975606]  kmem_cache_double_destroy+0x1bf/0x380
[ 22.975921]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[ 22.975946]  ? finish_task_switch.isra.0+0x153/0x700
[ 22.975971]  ? __switch_to+0x47/0xf50
[ 22.976002]  ? __pfx_read_tsc+0x10/0x10
[ 22.976024]  ? ktime_get_ts64+0x86/0x230
[ 22.976051]  kunit_try_run_case+0x1a5/0x480
[ 22.976078]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.976101]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.976129]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.976154]  ? __kthread_parkme+0x82/0x180
[ 22.976175]  ? preempt_count_sub+0x50/0x80
[ 22.976197]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.976233]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.976258]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.976282]  kthread+0x337/0x6f0
[ 22.976302]  ? trace_preempt_on+0x20/0xc0
[ 22.976326]  ? __pfx_kthread+0x10/0x10
[ 22.976347]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.976369]  ? calculate_sigpending+0x7b/0xa0
[ 22.976394]  ? __pfx_kthread+0x10/0x10
[ 22.976415]  ret_from_fork+0x116/0x1d0
[ 22.976434]  ? __pfx_kthread+0x10/0x10
[ 22.976454]  ret_from_fork_asm+0x1a/0x30
[ 22.976488]  </TASK>
[ 22.976500]
[ 22.988714] Allocated by task 244:
[ 22.988984]  kasan_save_stack+0x45/0x70
[ 22.989551]  kasan_save_track+0x18/0x40
[ 22.989689]  kasan_save_alloc_info+0x3b/0x50
[ 22.989907]  __kasan_slab_alloc+0x91/0xa0
[ 22.990172]  kmem_cache_alloc_noprof+0x123/0x3f0
[ 22.990424]  __kmem_cache_create_args+0x169/0x240
[ 22.990625]  kmem_cache_double_destroy+0xd5/0x380
[ 22.991070]  kunit_try_run_case+0x1a5/0x480
[ 22.991327]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.991615]  kthread+0x337/0x6f0
[ 22.991917]  ret_from_fork+0x116/0x1d0
[ 22.992149]  ret_from_fork_asm+0x1a/0x30
[ 22.992424]
[ 22.992517] Freed by task 244:
[ 22.992937]  kasan_save_stack+0x45/0x70
[ 22.993172]  kasan_save_track+0x18/0x40
[ 22.993383]  kasan_save_free_info+0x3f/0x60
[ 22.993557]  __kasan_slab_free+0x56/0x70
[ 22.993717]  kmem_cache_free+0x249/0x420
[ 22.993871]  slab_kmem_cache_release+0x2e/0x40
[ 22.994403]  kmem_cache_release+0x16/0x20
[ 22.994578]  kobject_put+0x181/0x450
[ 22.994935]  sysfs_slab_release+0x16/0x20
[ 22.995476]  kmem_cache_destroy+0xf0/0x1d0
[ 22.995675]  kmem_cache_double_destroy+0x14e/0x380
[ 22.996178]  kunit_try_run_case+0x1a5/0x480
[ 22.996391]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.996563]  kthread+0x337/0x6f0
[ 22.996832]  ret_from_fork+0x116/0x1d0
[ 22.997183]  ret_from_fork_asm+0x1a/0x30
[ 22.997372]
[ 22.997468] The buggy address belongs to the object at ffff888101106500
[ 22.997468]  which belongs to the cache kmem_cache of size 208
[ 22.998040] The buggy address is located 0 bytes inside of
[ 22.998040]  freed 208-byte region [ffff888101106500, ffff8881011065d0)
[ 22.998702]
[ 22.998794] The buggy address belongs to the physical page:
[ 22.999307] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101106
[ 22.999631] flags: 0x200000000000000(node=0|zone=2)
[ 22.999992] page_type: f5(slab)
[ 23.000486] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[ 23.000837] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 23.001285] page dumped because: kasan: bad access detected
[ 23.001502]
[ 23.001588] Memory state around the buggy address:
[ 23.001787]  ffff888101106400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.002514]  ffff888101106480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.002786] >ffff888101106500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.003480]                    ^
[ 23.003657]  ffff888101106580: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 23.004214]  ffff888101106600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.004459] ==================================================================
```