Hay

Date: July 2, 2025, 11:10 a.m.

Environment: qemu-arm64, qemu-x86_64

[   30.966877] ==================================================================
[   30.966951] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[   30.967004] Read of size 1 at addr fff00000c919c7c0 by task kunit_try_catch/225
[   30.967440] 
[   30.967504] CPU: 0 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   30.967635] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.967815] Hardware name: linux,dummy-virt (DT)
[   30.967852] Call trace:
[   30.967876]  show_stack+0x20/0x38 (C)
[   30.968163]  dump_stack_lvl+0x8c/0xd0
[   30.968266]  print_report+0x118/0x608
[   30.968412]  kasan_report+0xdc/0x128
[   30.968494]  __kasan_check_byte+0x54/0x70
[   30.968576]  kfree_sensitive+0x30/0xb0
[   30.968717]  kmalloc_double_kzfree+0x168/0x308
[   30.968826]  kunit_try_run_case+0x170/0x3f0
[   30.968875]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.969180]  kthread+0x328/0x630
[   30.969394]  ret_from_fork+0x10/0x20
[   30.969510] 
[   30.969559] Allocated by task 225:
[   30.969675]  kasan_save_stack+0x3c/0x68
[   30.969756]  kasan_save_track+0x20/0x40
[   30.969900]  kasan_save_alloc_info+0x40/0x58
[   30.969950]  __kasan_kmalloc+0xd4/0xd8
[   30.970015]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.970216]  kmalloc_double_kzfree+0xb8/0x308
[   30.970450]  kunit_try_run_case+0x170/0x3f0
[   30.970542]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.970688]  kthread+0x328/0x630
[   30.970755]  ret_from_fork+0x10/0x20
[   30.970821] 
[   30.970865] Freed by task 225:
[   30.971046]  kasan_save_stack+0x3c/0x68
[   30.971178]  kasan_save_track+0x20/0x40
[   30.971330]  kasan_save_free_info+0x4c/0x78
[   30.971459]  __kasan_slab_free+0x6c/0x98
[   30.971528]  kfree+0x214/0x3c8
[   30.971690]  kfree_sensitive+0x80/0xb0
[   30.971754]  kmalloc_double_kzfree+0x11c/0x308
[   30.971795]  kunit_try_run_case+0x170/0x3f0
[   30.971834]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.971878]  kthread+0x328/0x630
[   30.971911]  ret_from_fork+0x10/0x20
[   30.972555] 
[   30.972662] The buggy address belongs to the object at fff00000c919c7c0
[   30.972662]  which belongs to the cache kmalloc-16 of size 16
[   30.972788] The buggy address is located 0 bytes inside of
[   30.972788]  freed 16-byte region [fff00000c919c7c0, fff00000c919c7d0)
[   30.972862] 
[   30.972882] The buggy address belongs to the physical page:
[   30.973218] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c919c6c0 pfn:0x10919c
[   30.973491] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.973639] page_type: f5(slab)
[   30.973689] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   30.973780] raw: fff00000c919c6c0 000000008080007f 00000000f5000000 0000000000000000
[   30.973888] page dumped because: kasan: bad access detected
[   30.973921] 
[   30.973960] Memory state around the buggy address:
[   30.974008]  fff00000c919c680: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[   30.974067]  fff00000c919c700: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   30.974110] >fff00000c919c780: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[   30.974149]                                            ^
[   30.974188]  fff00000c919c800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.974231]  fff00000c919c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.974270] ==================================================================

[   32.709923] ==================================================================
[   32.709990] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[   32.710154] Read of size 1 at addr fff00000c57889c0 by task kunit_try_catch/223
[   32.710238] 
[   32.710341] CPU: 1 UID: 0 PID: 223 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   32.710519] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.710555] Hardware name: linux,dummy-virt (DT)
[   32.710628] Call trace:
[   32.710655]  show_stack+0x20/0x38 (C)
[   32.710714]  dump_stack_lvl+0x8c/0xd0
[   32.710785]  print_report+0x118/0x608
[   32.710834]  kasan_report+0xdc/0x128
[   32.710881]  __kasan_check_byte+0x54/0x70
[   32.710931]  kfree_sensitive+0x30/0xb0
[   32.710987]  kmalloc_double_kzfree+0x168/0x308
[   32.711119]  kunit_try_run_case+0x170/0x3f0
[   32.711192]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.711259]  kthread+0x328/0x630
[   32.711303]  ret_from_fork+0x10/0x20
[   32.711503] 
[   32.711600] Allocated by task 223:
[   32.711633]  kasan_save_stack+0x3c/0x68
[   32.711679]  kasan_save_track+0x20/0x40
[   32.711716]  kasan_save_alloc_info+0x40/0x58
[   32.711755]  __kasan_kmalloc+0xd4/0xd8
[   32.711793]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.712066]  kmalloc_double_kzfree+0xb8/0x308
[   32.712211]  kunit_try_run_case+0x170/0x3f0
[   32.712279]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.712376]  kthread+0x328/0x630
[   32.712436]  ret_from_fork+0x10/0x20
[   32.712525] 
[   32.712546] Freed by task 223:
[   32.712575]  kasan_save_stack+0x3c/0x68
[   32.712632]  kasan_save_track+0x20/0x40
[   32.712814]  kasan_save_free_info+0x4c/0x78
[   32.712951]  __kasan_slab_free+0x6c/0x98
[   32.713109]  kfree+0x214/0x3c8
[   32.713239]  kfree_sensitive+0x80/0xb0
[   32.713331]  kmalloc_double_kzfree+0x11c/0x308
[   32.713423]  kunit_try_run_case+0x170/0x3f0
[   32.713532]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.713612]  kthread+0x328/0x630
[   32.713686]  ret_from_fork+0x10/0x20
[   32.713785] 
[   32.713844] The buggy address belongs to the object at fff00000c57889c0
[   32.713844]  which belongs to the cache kmalloc-16 of size 16
[   32.713924] The buggy address is located 0 bytes inside of
[   32.713924]  freed 16-byte region [fff00000c57889c0, fff00000c57889d0)
[   32.714105] 
[   32.714237] The buggy address belongs to the physical page:
[   32.714293] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105788
[   32.714380] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.714457] page_type: f5(slab)
[   32.714524] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122
[   32.714602] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   32.714643] page dumped because: kasan: bad access detected
[   32.714696] 
[   32.714728] Memory state around the buggy address:
[   32.714767]  fff00000c5788880: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   32.714830]  fff00000c5788900: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   32.714873] >fff00000c5788980: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[   32.714912]                                            ^
[   32.714964]  fff00000c5788a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.715014]  fff00000c5788a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.715063] ==================================================================

[   23.385050] ==================================================================
[   23.385658] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[   23.386088] Read of size 1 at addr ffff88810586d4a0 by task kunit_try_catch/240
[   23.386415] 
[   23.386541] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   23.386623] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.386636] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.386669] Call Trace:
[   23.386730]  <TASK>
[   23.386750]  dump_stack_lvl+0x73/0xb0
[   23.386813]  print_report+0xd1/0x650
[   23.386835]  ? __virt_addr_valid+0x1db/0x2d0
[   23.386869]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.386891]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.386916]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.386938]  kasan_report+0x141/0x180
[   23.386959]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.386984]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.387006]  __kasan_check_byte+0x3d/0x50
[   23.387044]  kfree_sensitive+0x22/0x90
[   23.387084]  kmalloc_double_kzfree+0x19c/0x350
[   23.387115]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[   23.387137]  ? __schedule+0x10cc/0x2b60
[   23.387158]  ? __pfx_read_tsc+0x10/0x10
[   23.387192]  ? ktime_get_ts64+0x86/0x230
[   23.387216]  kunit_try_run_case+0x1a5/0x480
[   23.387240]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.387263]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.387284]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.387314]  ? __kthread_parkme+0x82/0x180
[   23.387334]  ? preempt_count_sub+0x50/0x80
[   23.387357]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.387381]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.387404]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.387427]  kthread+0x337/0x6f0
[   23.387446]  ? trace_preempt_on+0x20/0xc0
[   23.387469]  ? __pfx_kthread+0x10/0x10
[   23.387497]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.387521]  ? calculate_sigpending+0x7b/0xa0
[   23.387543]  ? __pfx_kthread+0x10/0x10
[   23.387564]  ret_from_fork+0x116/0x1d0
[   23.387583]  ? __pfx_kthread+0x10/0x10
[   23.387603]  ret_from_fork_asm+0x1a/0x30
[   23.387633]  </TASK>
[   23.387645] 
[   23.396586] Allocated by task 240:
[   23.396746]  kasan_save_stack+0x45/0x70
[   23.396882]  kasan_save_track+0x18/0x40
[   23.397304]  kasan_save_alloc_info+0x3b/0x50
[   23.397789]  __kasan_kmalloc+0xb7/0xc0
[   23.397981]  __kmalloc_cache_noprof+0x189/0x420
[   23.398191]  kmalloc_double_kzfree+0xa9/0x350
[   23.398343]  kunit_try_run_case+0x1a5/0x480
[   23.398482]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.398756]  kthread+0x337/0x6f0
[   23.398985]  ret_from_fork+0x116/0x1d0
[   23.399292]  ret_from_fork_asm+0x1a/0x30
[   23.399620] 
[   23.399785] Freed by task 240:
[   23.399971]  kasan_save_stack+0x45/0x70
[   23.400181]  kasan_save_track+0x18/0x40
[   23.400394]  kasan_save_free_info+0x3f/0x60
[   23.400628]  __kasan_slab_free+0x56/0x70
[   23.400987]  kfree+0x222/0x3f0
[   23.401285]  kfree_sensitive+0x67/0x90
[   23.401528]  kmalloc_double_kzfree+0x12b/0x350
[   23.401672]  kunit_try_run_case+0x1a5/0x480
[   23.401976]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.402296]  kthread+0x337/0x6f0
[   23.402535]  ret_from_fork+0x116/0x1d0
[   23.402855]  ret_from_fork_asm+0x1a/0x30
[   23.403004] 
[   23.403068] The buggy address belongs to the object at ffff88810586d4a0
[   23.403068]  which belongs to the cache kmalloc-16 of size 16
[   23.403583] The buggy address is located 0 bytes inside of
[   23.403583]  freed 16-byte region [ffff88810586d4a0, ffff88810586d4b0)
[   23.404277] 
[   23.404430] The buggy address belongs to the physical page:
[   23.404726] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10586d
[   23.405138] flags: 0x200000000000000(node=0|zone=2)
[   23.405408] page_type: f5(slab)
[   23.405611] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   23.405877] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.406417] page dumped because: kasan: bad access detected
[   23.407028] 
[   23.407124] Memory state around the buggy address:
[   23.407283]  ffff88810586d380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.407732]  ffff88810586d400: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.407948] >ffff88810586d480: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   23.408258]                                ^
[   23.408461]  ffff88810586d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.408872]  ffff88810586d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.409081] ==================================================================

[   23.674670] ==================================================================
[   23.675244] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[   23.675588] Read of size 1 at addr ffff8881049ad5a0 by task kunit_try_catch/241
[   23.675901] 
[   23.675988] CPU: 1 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   23.676042] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.676055] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.676090] Call Trace:
[   23.676120]  <TASK>
[   23.676140]  dump_stack_lvl+0x73/0xb0
[   23.676171]  print_report+0xd1/0x650
[   23.676194]  ? __virt_addr_valid+0x1db/0x2d0
[   23.676218]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.676240]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.676265]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.676288]  kasan_report+0x141/0x180
[   23.676310]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.676335]  ? kmalloc_double_kzfree+0x19c/0x350
[   23.676357]  __kasan_check_byte+0x3d/0x50
[   23.676379]  kfree_sensitive+0x22/0x90
[   23.676405]  kmalloc_double_kzfree+0x19c/0x350
[   23.676427]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[   23.676449]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   23.676473]  ? trace_hardirqs_on+0x37/0xe0
[   23.676497]  ? __pfx_read_tsc+0x10/0x10
[   23.676518]  ? ktime_get_ts64+0x86/0x230
[   23.676543]  kunit_try_run_case+0x1a5/0x480
[   23.676571]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.676595]  ? queued_spin_lock_slowpath+0x116/0xb40
[   23.676618]  ? __kthread_parkme+0x82/0x180
[   23.676638]  ? preempt_count_sub+0x50/0x80
[   23.676661]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.676686]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.676709]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.676733]  kthread+0x337/0x6f0
[   23.676753]  ? trace_preempt_on+0x20/0xc0
[   23.676775]  ? __pfx_kthread+0x10/0x10
[   23.676796]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.676820]  ? calculate_sigpending+0x7b/0xa0
[   23.676844]  ? __pfx_kthread+0x10/0x10
[   23.676865]  ret_from_fork+0x116/0x1d0
[   23.676884]  ? __pfx_kthread+0x10/0x10
[   23.676904]  ret_from_fork_asm+0x1a/0x30
[   23.676947]  </TASK>
[   23.676960] 
[   23.687710] Allocated by task 241:
[   23.687892]  kasan_save_stack+0x45/0x70
[   23.688090]  kasan_save_track+0x18/0x40
[   23.688590]  kasan_save_alloc_info+0x3b/0x50
[   23.688773]  __kasan_kmalloc+0xb7/0xc0
[   23.688958]  __kmalloc_cache_noprof+0x189/0x420
[   23.689197]  kmalloc_double_kzfree+0xa9/0x350
[   23.689697]  kunit_try_run_case+0x1a5/0x480
[   23.689870]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.690191]  kthread+0x337/0x6f0
[   23.690783]  ret_from_fork+0x116/0x1d0
[   23.690978]  ret_from_fork_asm+0x1a/0x30
[   23.691222] 
[   23.691366] Freed by task 241:
[   23.691545]  kasan_save_stack+0x45/0x70
[   23.692077]  kasan_save_track+0x18/0x40
[   23.692291]  kasan_save_free_info+0x3f/0x60
[   23.692498]  __kasan_slab_free+0x56/0x70
[   23.692677]  kfree+0x222/0x3f0
[   23.692823]  kfree_sensitive+0x67/0x90
[   23.693376]  kmalloc_double_kzfree+0x12b/0x350
[   23.693557]  kunit_try_run_case+0x1a5/0x480
[   23.693753]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.694168]  kthread+0x337/0x6f0
[   23.694420]  ret_from_fork+0x116/0x1d0
[   23.694554]  ret_from_fork_asm+0x1a/0x30
[   23.694749] 
[   23.694841] The buggy address belongs to the object at ffff8881049ad5a0
[   23.694841]  which belongs to the cache kmalloc-16 of size 16
[   23.695846] The buggy address is located 0 bytes inside of
[   23.695846]  freed 16-byte region [ffff8881049ad5a0, ffff8881049ad5b0)
[   23.696737] 
[   23.696829] The buggy address belongs to the physical page:
[   23.697109] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1049ad
[   23.697722] flags: 0x200000000000000(node=0|zone=2)
[   23.698113] page_type: f5(slab)
[   23.698248] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[   23.698778] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.699481] page dumped because: kasan: bad access detected
[   23.699800] 
[   23.699880] Memory state around the buggy address:
[   23.700186]  ffff8881049ad480: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.700959]  ffff8881049ad500: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.701429] >ffff8881049ad580: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   23.701734]                                ^
[   23.702096]  ffff8881049ad600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.702516]  ffff8881049ad680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.702746] ==================================================================