Date: July 3, 2025, 10:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

```
[ 42.160570] ==================================================================
[ 42.175202] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 42.182705] Read of size 1 at addr ffff0000955dd4a0 by task kunit_try_catch/301
[ 42.190110]
[ 42.191644] CPU: 7 UID: 0 PID: 301 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 42.191676] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 42.191684] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 42.191697] Call trace:
[ 42.191704]  show_stack+0x20/0x38 (C)
[ 42.191721]  dump_stack_lvl+0x8c/0xd0
[ 42.191742]  print_report+0x118/0x608
[ 42.191761]  kasan_report+0xdc/0x128
[ 42.191778]  __kasan_check_byte+0x54/0x70
[ 42.191796]  kfree_sensitive+0x30/0xb0
[ 42.191817]  kmalloc_double_kzfree+0x168/0x308
[ 42.191836]  kunit_try_run_case+0x170/0x3f0
[ 42.191853]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.191874]  kthread+0x328/0x630
[ 42.191887]  ret_from_fork+0x10/0x20
[ 42.191905]
[ 42.260854] Allocated by task 301:
[ 42.264307]  kasan_save_stack+0x3c/0x68
[ 42.268213]  kasan_save_track+0x20/0x40
[ 42.272116]  kasan_save_alloc_info+0x40/0x58
[ 42.276452]  __kasan_kmalloc+0xd4/0xd8
[ 42.280268]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 42.284866]  kmalloc_double_kzfree+0xb8/0x308
[ 42.289290]  kunit_try_run_case+0x170/0x3f0
[ 42.293539]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.299105]  kthread+0x328/0x630
[ 42.302388]  ret_from_fork+0x10/0x20
[ 42.306031]
[ 42.307560] Freed by task 301:
[ 42.310672]  kasan_save_stack+0x3c/0x68
[ 42.314576]  kasan_save_track+0x20/0x40
[ 42.318479]  kasan_save_free_info+0x4c/0x78
[ 42.322725]  __kasan_slab_free+0x6c/0x98
[ 42.326718]  kfree+0x214/0x3c8
[ 42.329827]  kfree_sensitive+0x80/0xb0
[ 42.333644]  kmalloc_double_kzfree+0x11c/0x308
[ 42.338156]  kunit_try_run_case+0x170/0x3f0
[ 42.342405]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.347976]  kthread+0x328/0x630
[ 42.351259]  ret_from_fork+0x10/0x20
[ 42.354892]
[ 42.356423] The buggy address belongs to the object at ffff0000955dd4a0
[ 42.356423]  which belongs to the cache kmalloc-16 of size 16
[ 42.368902] The buggy address is located 0 bytes inside of
[ 42.368902]  freed 16-byte region [ffff0000955dd4a0, ffff0000955dd4b0)
[ 42.381039]
[ 42.382563] The buggy address belongs to the physical page:
[ 42.388202] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1155dd
[ 42.396302] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 42.402918] page_type: f5(slab)
[ 42.406114] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[ 42.413953] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 42.421792] page dumped because: kasan: bad access detected
[ 42.427432]
[ 42.428954] Memory state around the buggy address:
[ 42.433807]  ffff0000955dd380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 42.441121]  ffff0000955dd400: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 42.448435] >ffff0000955dd480: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 42.455749]                                ^
[ 42.460082]  ffff0000955dd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.467398]  ffff0000955dd580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.474706] ==================================================================
```
qemu-arm64:

```
[ 31.267898] ==================================================================
[ 31.267965] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 31.268231] Read of size 1 at addr fff00000c5a30cc0 by task kunit_try_catch/224
[ 31.268375]
[ 31.268441] CPU: 0 UID: 0 PID: 224 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 31.268954] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.269108] Hardware name: linux,dummy-virt (DT)
[ 31.269235] Call trace:
[ 31.269326]  show_stack+0x20/0x38 (C)
[ 31.269472]  dump_stack_lvl+0x8c/0xd0
[ 31.269664]  print_report+0x118/0x608
[ 31.269969]  kasan_report+0xdc/0x128
[ 31.270028]  __kasan_check_byte+0x54/0x70
[ 31.270100]  kfree_sensitive+0x30/0xb0
[ 31.270150]  kmalloc_double_kzfree+0x168/0x308
[ 31.270202]  kunit_try_run_case+0x170/0x3f0
[ 31.270266]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.270321]  kthread+0x328/0x630
[ 31.270375]  ret_from_fork+0x10/0x20
[ 31.270448]
[ 31.270467] Allocated by task 224:
[ 31.270502]  kasan_save_stack+0x3c/0x68
[ 31.270547]  kasan_save_track+0x20/0x40
[ 31.270585]  kasan_save_alloc_info+0x40/0x58
[ 31.270634]  __kasan_kmalloc+0xd4/0xd8
[ 31.270672]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.270724]  kmalloc_double_kzfree+0xb8/0x308
[ 31.270772]  kunit_try_run_case+0x170/0x3f0
[ 31.270813]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.270912]  kthread+0x328/0x630
[ 31.270978]  ret_from_fork+0x10/0x20
[ 31.271215]
[ 31.271241] Freed by task 224:
[ 31.271527]  kasan_save_stack+0x3c/0x68
[ 31.271633]  kasan_save_track+0x20/0x40
[ 31.271887]  kasan_save_free_info+0x4c/0x78
[ 31.272068]  __kasan_slab_free+0x6c/0x98
[ 31.272151]  kfree+0x214/0x3c8
[ 31.272188]  kfree_sensitive+0x80/0xb0
[ 31.272458]  kmalloc_double_kzfree+0x11c/0x308
[ 31.272581]  kunit_try_run_case+0x170/0x3f0
[ 31.272832]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.273094]  kthread+0x328/0x630
[ 31.273264]  ret_from_fork+0x10/0x20
[ 31.273514]
[ 31.273565] The buggy address belongs to the object at fff00000c5a30cc0
[ 31.273565]  which belongs to the cache kmalloc-16 of size 16
[ 31.273765] The buggy address is located 0 bytes inside of
[ 31.273765]  freed 16-byte region [fff00000c5a30cc0, fff00000c5a30cd0)
[ 31.274010]
[ 31.274034] The buggy address belongs to the physical page:
[ 31.274066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c5a30be0 pfn:0x105a30
[ 31.274331] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.274643] page_type: f5(slab)
[ 31.274717] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 31.274826] raw: fff00000c5a30be0 000000008080007f 00000000f5000000 0000000000000000
[ 31.274883] page dumped because: kasan: bad access detected
[ 31.275115]
[ 31.275204] Memory state around the buggy address:
[ 31.275321]  fff00000c5a30b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 31.275405]  fff00000c5a30c00: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 31.275749] >fff00000c5a30c80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 31.275795]                                            ^
[ 31.276313]  fff00000c5a30d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.276467]  fff00000c5a30d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.276529] ==================================================================
```
qemu-x86_64:

```
[ 23.473540] ==================================================================
[ 23.473978] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[ 23.474394] Read of size 1 at addr ffff8881054e0a20 by task kunit_try_catch/241
[ 23.474778]
[ 23.474878] CPU: 1 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.474926] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.474938] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.474959] Call Trace:
[ 23.474973]  <TASK>
[ 23.474988]  dump_stack_lvl+0x73/0xb0
[ 23.475018]  print_report+0xd1/0x650
[ 23.475040]  ? __virt_addr_valid+0x1db/0x2d0
[ 23.475064]  ? kmalloc_double_kzfree+0x19c/0x350
[ 23.475085]  ? kasan_complete_mode_report_info+0x64/0x200
[ 23.475110]  ? kmalloc_double_kzfree+0x19c/0x350
[ 23.475132]  kasan_report+0x141/0x180
[ 23.475153]  ? kmalloc_double_kzfree+0x19c/0x350
[ 23.475178]  ? kmalloc_double_kzfree+0x19c/0x350
[ 23.475201]  __kasan_check_byte+0x3d/0x50
[ 23.475222]  kfree_sensitive+0x22/0x90
[ 23.475249]  kmalloc_double_kzfree+0x19c/0x350
[ 23.475271]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[ 23.475294]  ? __schedule+0x10cc/0x2b60
[ 23.475319]  ? __pfx_read_tsc+0x10/0x10
[ 23.475341]  ? ktime_get_ts64+0x86/0x230
[ 23.475366]  kunit_try_run_case+0x1a5/0x480
[ 23.475392]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.475415]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.475435]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.475472]  ? __kthread_parkme+0x82/0x180
[ 23.475493]  ? preempt_count_sub+0x50/0x80
[ 23.475516]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.475540]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.475562]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.475586]  kthread+0x337/0x6f0
[ 23.475605]  ? trace_preempt_on+0x20/0xc0
[ 23.475629]  ? __pfx_kthread+0x10/0x10
[ 23.475649]  ? _raw_spin_unlock_irq+0x47/0x80
[ 23.475673]  ? calculate_sigpending+0x7b/0xa0
[ 23.475697]  ? __pfx_kthread+0x10/0x10
[ 23.475718]  ret_from_fork+0x116/0x1d0
[ 23.475738]  ? __pfx_kthread+0x10/0x10
[ 23.475758]  ret_from_fork_asm+0x1a/0x30
[ 23.475790]  </TASK>
[ 23.475801]
[ 23.484810] Allocated by task 241:
[ 23.485330]  kasan_save_stack+0x45/0x70
[ 23.485532]  kasan_save_track+0x18/0x40
[ 23.486074]  kasan_save_alloc_info+0x3b/0x50
[ 23.486577]  __kasan_kmalloc+0xb7/0xc0
[ 23.486859]  __kmalloc_cache_noprof+0x189/0x420
[ 23.487038]  kmalloc_double_kzfree+0xa9/0x350
[ 23.487495]  kunit_try_run_case+0x1a5/0x480
[ 23.487780]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.487999]  kthread+0x337/0x6f0
[ 23.488480]  ret_from_fork+0x116/0x1d0
[ 23.488642]  ret_from_fork_asm+0x1a/0x30
[ 23.488829]
[ 23.488918] Freed by task 241:
[ 23.489062]  kasan_save_stack+0x45/0x70
[ 23.489564]  kasan_save_track+0x18/0x40
[ 23.489759]  kasan_save_free_info+0x3f/0x60
[ 23.490082]  __kasan_slab_free+0x56/0x70
[ 23.490288]  kfree+0x222/0x3f0
[ 23.490593]  kfree_sensitive+0x67/0x90
[ 23.490754]  kmalloc_double_kzfree+0x12b/0x350
[ 23.490945]  kunit_try_run_case+0x1a5/0x480
[ 23.491135]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.491815]  kthread+0x337/0x6f0
[ 23.491982]  ret_from_fork+0x116/0x1d0
[ 23.492136]  ret_from_fork_asm+0x1a/0x30
[ 23.492609]
[ 23.492695] The buggy address belongs to the object at ffff8881054e0a20
[ 23.492695]  which belongs to the cache kmalloc-16 of size 16
[ 23.493489] The buggy address is located 0 bytes inside of
[ 23.493489]  freed 16-byte region [ffff8881054e0a20, ffff8881054e0a30)
[ 23.494022]
[ 23.494122] The buggy address belongs to the physical page:
[ 23.494652] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1054e0
[ 23.495006] flags: 0x200000000000000(node=0|zone=2)
[ 23.495401] page_type: f5(slab)
[ 23.495551] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[ 23.495963] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 23.496480] page dumped because: kasan: bad access detected
[ 23.496726]
[ 23.496813] Memory state around the buggy address:
[ 23.496985]  ffff8881054e0900: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 23.497296]  ffff8881054e0980: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 23.497589] >ffff8881054e0a00: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 23.497878]                                ^
[ 23.498052]  ffff8881054e0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.498775]  ffff8881054e0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.499110] ==================================================================
```