Date
July 2, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.290411] ================================================================== [ 32.290500] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 32.290578] Read of size 1 at addr fff00000c113a780 by task kunit_try_catch/248 [ 32.290630] [ 32.290675] CPU: 1 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 32.290768] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.290797] Hardware name: linux,dummy-virt (DT) [ 32.290831] Call trace: [ 32.290857] show_stack+0x20/0x38 (C) [ 32.290912] dump_stack_lvl+0x8c/0xd0 [ 32.290979] print_report+0x118/0x608 [ 32.291030] kasan_report+0xdc/0x128 [ 32.291075] __kasan_check_byte+0x54/0x70 [ 32.291124] kmem_cache_destroy+0x34/0x218 [ 32.291173] kmem_cache_double_destroy+0x174/0x300 [ 32.291223] kunit_try_run_case+0x170/0x3f0 [ 32.291274] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.291328] kthread+0x328/0x630 [ 32.291374] ret_from_fork+0x10/0x20 [ 32.291423] [ 32.291442] Allocated by task 248: [ 32.291476] kasan_save_stack+0x3c/0x68 [ 32.291519] kasan_save_track+0x20/0x40 [ 32.291560] kasan_save_alloc_info+0x40/0x58 [ 32.291607] __kasan_slab_alloc+0xa8/0xb0 [ 32.291645] kmem_cache_alloc_noprof+0x10c/0x398 [ 32.291689] __kmem_cache_create_args+0x178/0x280 [ 32.291728] kmem_cache_double_destroy+0xc0/0x300 [ 32.291769] kunit_try_run_case+0x170/0x3f0 [ 32.291809] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.291853] kthread+0x328/0x630 [ 32.291887] ret_from_fork+0x10/0x20 [ 32.291923] [ 32.291956] Freed by task 248: [ 32.291984] kasan_save_stack+0x3c/0x68 [ 32.292021] kasan_save_track+0x20/0x40 [ 32.292060] kasan_save_free_info+0x4c/0x78 [ 32.292096] __kasan_slab_free+0x6c/0x98 [ 32.292135] kmem_cache_free+0x260/0x468 [ 32.292173] slab_kmem_cache_release+0x38/0x50 [ 32.292214] kmem_cache_release+0x1c/0x30 [ 32.292251] kobject_put+0x17c/0x420 [ 32.292290] sysfs_slab_release+0x1c/0x30 [ 32.292328] kmem_cache_destroy+0x118/0x218 [ 32.292366] kmem_cache_double_destroy+0x128/0x300 [ 32.292407] kunit_try_run_case+0x170/0x3f0 [ 32.292448] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.292494] kthread+0x328/0x630 [ 32.292528] ret_from_fork+0x10/0x20 [ 32.292565] [ 32.292585] The buggy address belongs to the object at fff00000c113a780 [ 32.292585] which belongs to the cache kmem_cache of size 208 [ 32.292644] The buggy address is located 0 bytes inside of [ 32.292644] freed 208-byte region [fff00000c113a780, fff00000c113a850) [ 32.292705] [ 32.292730] The buggy address belongs to the physical page: [ 32.292765] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10113a [ 32.292825] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.292880] page_type: f5(slab) [ 32.292923] raw: 0bfffe0000000000 fff00000c0001000 dead000000000100 dead000000000122 [ 32.292984] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 32.293027] page dumped because: kasan: bad access detected [ 32.293061] [ 32.293079] Memory state around the buggy address: [ 32.293114] fff00000c113a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.293158] fff00000c113a700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.293204] >fff00000c113a780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.293243] ^ [ 32.293271] fff00000c113a800: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 32.293312] fff00000c113a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.293352] ==================================================================
[ 34.133854] ================================================================== [ 34.133932] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 34.134012] Read of size 1 at addr fff00000c5c333c0 by task kunit_try_catch/246 [ 34.134065] [ 34.134107] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 34.137223] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.137255] Hardware name: linux,dummy-virt (DT) [ 34.137295] Call trace: [ 34.137320] show_stack+0x20/0x38 (C) [ 34.137378] dump_stack_lvl+0x8c/0xd0 [ 34.137433] print_report+0x118/0x608 [ 34.137485] kasan_report+0xdc/0x128 [ 34.137532] __kasan_check_byte+0x54/0x70 [ 34.137579] kmem_cache_destroy+0x34/0x218 [ 34.137629] kmem_cache_double_destroy+0x174/0x300 [ 34.137677] kunit_try_run_case+0x170/0x3f0 [ 34.137730] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.137783] kthread+0x328/0x630 [ 34.137827] ret_from_fork+0x10/0x20 [ 34.137875] [ 34.137896] Allocated by task 246: [ 34.137926] kasan_save_stack+0x3c/0x68 [ 34.137971] kasan_save_track+0x20/0x40 [ 34.138008] kasan_save_alloc_info+0x40/0x58 [ 34.138046] __kasan_slab_alloc+0xa8/0xb0 [ 34.138086] kmem_cache_alloc_noprof+0x10c/0x398 [ 34.138128] __kmem_cache_create_args+0x178/0x280 [ 34.138178] kmem_cache_double_destroy+0xc0/0x300 [ 34.138248] kunit_try_run_case+0x170/0x3f0 [ 34.138298] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.138353] kthread+0x328/0x630 [ 34.138400] ret_from_fork+0x10/0x20 [ 34.138445] [ 34.138464] Freed by task 246: [ 34.138493] kasan_save_stack+0x3c/0x68 [ 34.138532] kasan_save_track+0x20/0x40 [ 34.138574] kasan_save_free_info+0x4c/0x78 [ 34.138612] __kasan_slab_free+0x6c/0x98 [ 34.138649] kmem_cache_free+0x260/0x468 [ 34.138709] slab_kmem_cache_release+0x38/0x50 [ 34.138747] kmem_cache_release+0x1c/0x30 [ 34.138785] kobject_put+0x17c/0x420 [ 34.138831] sysfs_slab_release+0x1c/0x30 [ 34.138877] kmem_cache_destroy+0x118/0x218 [ 34.138914] kmem_cache_double_destroy+0x128/0x300 [ 34.138953] kunit_try_run_case+0x170/0x3f0 [ 34.139002] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.139056] kthread+0x328/0x630 [ 34.139089] ret_from_fork+0x10/0x20 [ 34.139126] [ 34.139148] The buggy address belongs to the object at fff00000c5c333c0 [ 34.139148] which belongs to the cache kmem_cache of size 208 [ 34.139217] The buggy address is located 0 bytes inside of [ 34.139217] freed 208-byte region [fff00000c5c333c0, fff00000c5c33490) [ 34.139293] [ 34.139317] The buggy address belongs to the physical page: [ 34.139360] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105c33 [ 34.139440] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.139523] page_type: f5(slab) [ 34.139568] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000 [ 34.139620] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 34.139670] page dumped because: kasan: bad access detected [ 34.139705] [ 34.139745] Memory state around the buggy address: [ 34.139796] fff00000c5c33280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.139840] fff00000c5c33300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 34.139894] >fff00000c5c33380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 34.139947] ^ [ 34.139991] fff00000c5c33400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.140040] fff00000c5c33480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.140079] ==================================================================
[ 24.163349] ================================================================== [ 24.163780] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380 [ 24.165106] Read of size 1 at addr ffff88810190e640 by task kunit_try_catch/264 [ 24.166028] [ 24.166585] CPU: 1 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 24.166662] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.166677] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.166703] Call Trace: [ 24.166720] <TASK> [ 24.166745] dump_stack_lvl+0x73/0xb0 [ 24.166785] print_report+0xd1/0x650 [ 24.166810] ? __virt_addr_valid+0x1db/0x2d0 [ 24.166837] ? kmem_cache_double_destroy+0x1bf/0x380 [ 24.166861] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.166889] ? kmem_cache_double_destroy+0x1bf/0x380 [ 24.166913] kasan_report+0x141/0x180 [ 24.167095] ? kmem_cache_double_destroy+0x1bf/0x380 [ 24.167128] ? kmem_cache_double_destroy+0x1bf/0x380 [ 24.167155] __kasan_check_byte+0x3d/0x50 [ 24.167177] kmem_cache_destroy+0x25/0x1d0 [ 24.167246] kmem_cache_double_destroy+0x1bf/0x380 [ 24.167269] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 24.167294] ? finish_task_switch.isra.0+0x153/0x700 [ 24.167318] ? __switch_to+0x47/0xf50 [ 24.167347] ? __pfx_read_tsc+0x10/0x10 [ 24.167369] ? ktime_get_ts64+0x86/0x230 [ 24.167396] kunit_try_run_case+0x1a5/0x480 [ 24.167424] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.167449] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.167472] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.167494] ? __kthread_parkme+0x82/0x180 [ 24.167514] ? preempt_count_sub+0x50/0x80 [ 24.167537] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.167562] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.167585] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.167610] kthread+0x337/0x6f0 [ 24.167629] ? trace_preempt_on+0x20/0xc0 [ 24.167654] ? __pfx_kthread+0x10/0x10 [ 24.167674] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.167699] ? calculate_sigpending+0x7b/0xa0 [ 24.167724] ? __pfx_kthread+0x10/0x10 [ 24.167746] ret_from_fork+0x116/0x1d0 [ 24.167765] ? __pfx_kthread+0x10/0x10 [ 24.167785] ret_from_fork_asm+0x1a/0x30 [ 24.167816] </TASK> [ 24.167831] [ 24.180761] Allocated by task 264: [ 24.181037] kasan_save_stack+0x45/0x70 [ 24.181580] kasan_save_track+0x18/0x40 [ 24.181958] kasan_save_alloc_info+0x3b/0x50 [ 24.182474] __kasan_slab_alloc+0x91/0xa0 [ 24.182767] kmem_cache_alloc_noprof+0x123/0x3f0 [ 24.182921] __kmem_cache_create_args+0x169/0x240 [ 24.183664] kmem_cache_double_destroy+0xd5/0x380 [ 24.184169] kunit_try_run_case+0x1a5/0x480 [ 24.184538] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.184806] kthread+0x337/0x6f0 [ 24.185417] ret_from_fork+0x116/0x1d0 [ 24.185906] ret_from_fork_asm+0x1a/0x30 [ 24.186438] [ 24.186515] Freed by task 264: [ 24.186621] kasan_save_stack+0x45/0x70 [ 24.186748] kasan_save_track+0x18/0x40 [ 24.186871] kasan_save_free_info+0x3f/0x60 [ 24.187624] __kasan_slab_free+0x56/0x70 [ 24.188031] kmem_cache_free+0x249/0x420 [ 24.188672] slab_kmem_cache_release+0x2e/0x40 [ 24.189126] kmem_cache_release+0x16/0x20 [ 24.189624] kobject_put+0x181/0x450 [ 24.190137] sysfs_slab_release+0x16/0x20 [ 24.190333] kmem_cache_destroy+0xf0/0x1d0 [ 24.190771] kmem_cache_double_destroy+0x14e/0x380 [ 24.190939] kunit_try_run_case+0x1a5/0x480 [ 24.191471] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.191897] kthread+0x337/0x6f0 [ 24.192022] ret_from_fork+0x116/0x1d0 [ 24.192157] ret_from_fork_asm+0x1a/0x30 [ 24.192742] [ 24.192905] The buggy address belongs to the object at ffff88810190e640 [ 24.192905] which belongs to the cache kmem_cache of size 208 [ 24.194125] The buggy address is located 0 bytes inside of [ 24.194125] freed 208-byte region [ffff88810190e640, ffff88810190e710) [ 24.195055] [ 24.195232] The buggy address belongs to the physical page: [ 24.195736] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10190e [ 24.195996] flags: 0x200000000000000(node=0|zone=2) [ 24.196450] page_type: f5(slab) [ 24.196986] raw: 0200000000000000 ffff888100041000 dead000000000100 dead000000000122 [ 24.197961] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 24.198252] page dumped because: kasan: bad access detected [ 24.198732] [ 24.198882] Memory state around the buggy address: [ 24.199333] ffff88810190e500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.199540] ffff88810190e580: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 24.199739] >ffff88810190e600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 24.199950] ^ [ 24.200606] ffff88810190e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.201360] ffff88810190e700: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.201969] ==================================================================
[ 23.904902] ================================================================== [ 23.905304] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380 [ 23.906265] Read of size 1 at addr ffff888101e2dc80 by task kunit_try_catch/263 [ 23.907173] [ 23.907449] CPU: 1 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 23.907519] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.907533] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.907558] Call Trace: [ 23.907573] <TASK> [ 23.907594] dump_stack_lvl+0x73/0xb0 [ 23.907632] print_report+0xd1/0x650 [ 23.907657] ? __virt_addr_valid+0x1db/0x2d0 [ 23.907684] ? kmem_cache_double_destroy+0x1bf/0x380 [ 23.907710] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.907735] ? kmem_cache_double_destroy+0x1bf/0x380 [ 23.907760] kasan_report+0x141/0x180 [ 23.907783] ? kmem_cache_double_destroy+0x1bf/0x380 [ 23.907810] ? kmem_cache_double_destroy+0x1bf/0x380 [ 23.907835] __kasan_check_byte+0x3d/0x50 [ 23.907857] kmem_cache_destroy+0x25/0x1d0 [ 23.907885] kmem_cache_double_destroy+0x1bf/0x380 [ 23.907910] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 23.907933] ? finish_task_switch.isra.0+0x153/0x700 [ 23.907997] ? __switch_to+0x47/0xf50 [ 23.908028] ? __pfx_read_tsc+0x10/0x10 [ 23.908063] ? ktime_get_ts64+0x86/0x230 [ 23.908090] kunit_try_run_case+0x1a5/0x480 [ 23.908119] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.908143] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.908165] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.908188] ? __kthread_parkme+0x82/0x180 [ 23.908208] ? preempt_count_sub+0x50/0x80 [ 23.908231] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.908256] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.908280] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.908314] kthread+0x337/0x6f0 [ 23.908334] ? trace_preempt_on+0x20/0xc0 [ 23.908359] ? __pfx_kthread+0x10/0x10 [ 23.908380] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.908406] ? calculate_sigpending+0x7b/0xa0 [ 23.908430] ? __pfx_kthread+0x10/0x10 [ 23.908452] ret_from_fork+0x116/0x1d0 [ 23.908472] ? __pfx_kthread+0x10/0x10 [ 23.908500] ret_from_fork_asm+0x1a/0x30 [ 23.908532] </TASK> [ 23.908546] [ 23.918228] Allocated by task 263: [ 23.918454] kasan_save_stack+0x45/0x70 [ 23.918728] kasan_save_track+0x18/0x40 [ 23.918888] kasan_save_alloc_info+0x3b/0x50 [ 23.919072] __kasan_slab_alloc+0x91/0xa0 [ 23.919207] kmem_cache_alloc_noprof+0x123/0x3f0 [ 23.919441] __kmem_cache_create_args+0x169/0x240 [ 23.919975] kmem_cache_double_destroy+0xd5/0x380 [ 23.920208] kunit_try_run_case+0x1a5/0x480 [ 23.920369] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.920752] kthread+0x337/0x6f0 [ 23.920930] ret_from_fork+0x116/0x1d0 [ 23.921121] ret_from_fork_asm+0x1a/0x30 [ 23.921329] [ 23.921412] Freed by task 263: [ 23.921581] kasan_save_stack+0x45/0x70 [ 23.921808] kasan_save_track+0x18/0x40 [ 23.922064] kasan_save_free_info+0x3f/0x60 [ 23.922230] __kasan_slab_free+0x56/0x70 [ 23.922371] kmem_cache_free+0x249/0x420 [ 23.922508] slab_kmem_cache_release+0x2e/0x40 [ 23.922666] kmem_cache_release+0x16/0x20 [ 23.922860] kobject_put+0x181/0x450 [ 23.923191] sysfs_slab_release+0x16/0x20 [ 23.923407] kmem_cache_destroy+0xf0/0x1d0 [ 23.923660] kmem_cache_double_destroy+0x14e/0x380 [ 23.923901] kunit_try_run_case+0x1a5/0x480 [ 23.924049] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.924365] kthread+0x337/0x6f0 [ 23.924556] ret_from_fork+0x116/0x1d0 [ 23.924734] ret_from_fork_asm+0x1a/0x30 [ 23.924921] [ 23.924991] The buggy address belongs to the object at ffff888101e2dc80 [ 23.924991] which belongs to the cache kmem_cache of size 208 [ 23.925433] The buggy address is located 0 bytes inside of [ 23.925433] freed 208-byte region [ffff888101e2dc80, ffff888101e2dd50) [ 23.925783] [ 23.926020] The buggy address belongs to the physical page: [ 23.926288] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e2d [ 23.927117] flags: 0x200000000000000(node=0|zone=2) [ 23.927359] page_type: f5(slab) [ 23.927480] raw: 0200000000000000 ffff888100041000 dead000000000100 dead000000000122 [ 23.928297] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 23.928726] page dumped because: kasan: bad access detected [ 23.928976] [ 23.929068] Memory state around the buggy address: [ 23.929281] ffff888101e2db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.929772] ffff888101e2dc00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.930046] >ffff888101e2dc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.930344] ^ [ 23.930454] ffff888101e2dd00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 23.930820] ffff888101e2dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.931243] ==================================================================