Date
July 11, 2025, 10:11 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
e850-96:

```text
[ 47.159218] ==================================================================
[ 47.173041] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 47.180414] Read of size 1 at addr ffff0008030dafc0 by task kunit_try_catch/276
[ 47.187705]
[ 47.189191] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 47.189252] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 47.189268] Hardware name: WinLink E850-96 board (DT)
[ 47.189291] Call trace:
[ 47.189306]  show_stack+0x20/0x38 (C)
[ 47.189344]  dump_stack_lvl+0x8c/0xd0
[ 47.189377]  print_report+0x118/0x5d0
[ 47.189406]  kasan_report+0xdc/0x128
[ 47.189431]  __kasan_check_byte+0x54/0x70
[ 47.189468]  kfree_sensitive+0x30/0xb0
[ 47.189507]  kmalloc_double_kzfree+0x168/0x308
[ 47.189542]  kunit_try_run_case+0x170/0x3f0
[ 47.189582]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.189614]  kthread+0x328/0x630
[ 47.189644]  ret_from_fork+0x10/0x20
[ 47.189679]
[ 47.256456] Allocated by task 276:
[ 47.259844]  kasan_save_stack+0x3c/0x68
[ 47.263659]  kasan_save_track+0x20/0x40
[ 47.267480]  kasan_save_alloc_info+0x40/0x58
[ 47.271732]  __kasan_kmalloc+0xd4/0xd8
[ 47.275465]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 47.279978]  kmalloc_double_kzfree+0xb8/0x308
[ 47.284319]  kunit_try_run_case+0x170/0x3f0
[ 47.288485]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.293954]  kthread+0x328/0x630
[ 47.297166]  ret_from_fork+0x10/0x20
[ 47.300725]
[ 47.302202] Freed by task 276:
[ 47.305240]  kasan_save_stack+0x3c/0x68
[ 47.309058]  kasan_save_track+0x20/0x40
[ 47.312877]  kasan_save_free_info+0x4c/0x78
[ 47.317044]  __kasan_slab_free+0x6c/0x98
[ 47.320951]  kfree+0x214/0x3c8
[ 47.323988]  kfree_sensitive+0x80/0xb0
[ 47.327721]  kmalloc_double_kzfree+0x11c/0x308
[ 47.332148]  kunit_try_run_case+0x170/0x3f0
[ 47.336314]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 47.341783]  kthread+0x328/0x630
[ 47.344995]  ret_from_fork+0x10/0x20
[ 47.348554]
[ 47.350032] The buggy address belongs to the object at ffff0008030dafc0
[ 47.350032]  which belongs to the cache kmalloc-16 of size 16
[ 47.362359] The buggy address is located 0 bytes inside of
[ 47.362359]  freed 16-byte region [ffff0008030dafc0, ffff0008030dafd0)
[ 47.374335]
[ 47.375814] The buggy address belongs to the physical page:
[ 47.381370] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8830da
[ 47.389354] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 47.395865] page_type: f5(slab)
[ 47.398999] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[ 47.406719] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 47.414438] page dumped because: kasan: bad access detected
[ 47.419994]
[ 47.421469] Memory state around the buggy address:
[ 47.426248]  ffff0008030dae80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 47.433452]  ffff0008030daf00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 47.440658] >ffff0008030daf80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 47.447858]                                            ^
[ 47.453158]  ffff0008030db000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.460362]  ffff0008030db080: 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
[ 47.467565] ==================================================================
```
qemu-arm64:

```text
[ 30.683787] ==================================================================
[ 30.683851] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 30.683921] Read of size 1 at addr fff00000c918c680 by task kunit_try_catch/223
[ 30.683971]
[ 30.684010] CPU: 1 UID: 0 PID: 223 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 30.684098] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.684124] Hardware name: linux,dummy-virt (DT)
[ 30.684157] Call trace:
[ 30.684204]  show_stack+0x20/0x38 (C)
[ 30.684258]  dump_stack_lvl+0x8c/0xd0
[ 30.684305]  print_report+0x118/0x5d0
[ 30.684804]  kasan_report+0xdc/0x128
[ 30.684847]  __kasan_check_byte+0x54/0x70
[ 30.684896]  kfree_sensitive+0x30/0xb0
[ 30.685004]  kmalloc_double_kzfree+0x168/0x308
[ 30.685070]  kunit_try_run_case+0x170/0x3f0
[ 30.685138]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.685190]  kthread+0x328/0x630
[ 30.685236]  ret_from_fork+0x10/0x20
[ 30.685284]
[ 30.685302] Allocated by task 223:
[ 30.685340]  kasan_save_stack+0x3c/0x68
[ 30.685382]  kasan_save_track+0x20/0x40
[ 30.685451]  kasan_save_alloc_info+0x40/0x58
[ 30.685491]  __kasan_kmalloc+0xd4/0xd8
[ 30.685529]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.685571]  kmalloc_double_kzfree+0xb8/0x308
[ 30.685611]  kunit_try_run_case+0x170/0x3f0
[ 30.685650]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.685690]  kthread+0x328/0x630
[ 30.685724]  ret_from_fork+0x10/0x20
[ 30.685760]
[ 30.685779] Freed by task 223:
[ 30.685804]  kasan_save_stack+0x3c/0x68
[ 30.685843]  kasan_save_track+0x20/0x40
[ 30.685880]  kasan_save_free_info+0x4c/0x78
[ 30.685916]  __kasan_slab_free+0x6c/0x98
[ 30.685955]  kfree+0x214/0x3c8
[ 30.685990]  kfree_sensitive+0x80/0xb0
[ 30.686028]  kmalloc_double_kzfree+0x11c/0x308
[ 30.686068]  kunit_try_run_case+0x170/0x3f0
[ 30.686107]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.686148]  kthread+0x328/0x630
[ 30.686204]  ret_from_fork+0x10/0x20
[ 30.686272]
[ 30.686383] The buggy address belongs to the object at fff00000c918c680
[ 30.686383]  which belongs to the cache kmalloc-16 of size 16
[ 30.686469] The buggy address is located 0 bytes inside of
[ 30.686469]  freed 16-byte region [fff00000c918c680, fff00000c918c690)
[ 30.686602]
[ 30.686662] The buggy address belongs to the physical page:
[ 30.686723] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10918c
[ 30.686855] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.686922] page_type: f5(slab)
[ 30.686994] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122
[ 30.687130] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 30.687207] page dumped because: kasan: bad access detected
[ 30.687276]
[ 30.687314] Memory state around the buggy address:
[ 30.687358]  fff00000c918c580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.687668]  fff00000c918c600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.687787] >fff00000c918c680: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.687874]                    ^
[ 30.687910]  fff00000c918c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.687996]  fff00000c918c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.688086] ==================================================================
```
qemu-x86_64:

```text
[ 24.114060] ==================================================================
[ 24.115392] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[ 24.115770] Read of size 1 at addr ffff888104c83b60 by task kunit_try_catch/242
[ 24.116037]
[ 24.116160] CPU: 0 UID: 0 PID: 242 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.116220] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.116233] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.116256] Call Trace:
[ 24.116270]  <TASK>
[ 24.116289]  dump_stack_lvl+0x73/0xb0
[ 24.116330]  print_report+0xd1/0x610
[ 24.116354]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.116380]  ? kmalloc_double_kzfree+0x19c/0x350
[ 24.116402]  ? kasan_complete_mode_report_info+0x64/0x200
[ 24.116428]  ? kmalloc_double_kzfree+0x19c/0x350
[ 24.116450]  kasan_report+0x141/0x180
[ 24.116471]  ? kmalloc_double_kzfree+0x19c/0x350
[ 24.116495]  ? kmalloc_double_kzfree+0x19c/0x350
[ 24.116517]  __kasan_check_byte+0x3d/0x50
[ 24.116538]  kfree_sensitive+0x22/0x90
[ 24.116564]  kmalloc_double_kzfree+0x19c/0x350
[ 24.116586]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[ 24.116609]  ? __schedule+0x10cc/0x2b60
[ 24.116633]  ? __pfx_read_tsc+0x10/0x10
[ 24.116655]  ? ktime_get_ts64+0x86/0x230
[ 24.116681]  kunit_try_run_case+0x1a5/0x480
[ 24.116705]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.116726]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.116880]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.116904]  ? __kthread_parkme+0x82/0x180
[ 24.116926]  ? preempt_count_sub+0x50/0x80
[ 24.116950]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.116973]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.116998]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.117022]  kthread+0x337/0x6f0
[ 24.117042]  ? trace_preempt_on+0x20/0xc0
[ 24.117066]  ? __pfx_kthread+0x10/0x10
[ 24.117086]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.117107]  ? calculate_sigpending+0x7b/0xa0
[ 24.117132]  ? __pfx_kthread+0x10/0x10
[ 24.117153]  ret_from_fork+0x116/0x1d0
[ 24.117172]  ? __pfx_kthread+0x10/0x10
[ 24.117193]  ret_from_fork_asm+0x1a/0x30
[ 24.117224]  </TASK>
[ 24.117235]
[ 24.124696] Allocated by task 242:
[ 24.124909]  kasan_save_stack+0x45/0x70
[ 24.125055]  kasan_save_track+0x18/0x40
[ 24.125243]  kasan_save_alloc_info+0x3b/0x50
[ 24.125646]  __kasan_kmalloc+0xb7/0xc0
[ 24.125850]  __kmalloc_cache_noprof+0x189/0x420
[ 24.126065]  kmalloc_double_kzfree+0xa9/0x350
[ 24.126368]  kunit_try_run_case+0x1a5/0x480
[ 24.126599]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.126869]  kthread+0x337/0x6f0
[ 24.126986]  ret_from_fork+0x116/0x1d0
[ 24.127146]  ret_from_fork_asm+0x1a/0x30
[ 24.127427]
[ 24.127519] Freed by task 242:
[ 24.127669]  kasan_save_stack+0x45/0x70
[ 24.127857]  kasan_save_track+0x18/0x40
[ 24.128028]  kasan_save_free_info+0x3f/0x60
[ 24.128210]  __kasan_slab_free+0x56/0x70
[ 24.128429]  kfree+0x222/0x3f0
[ 24.128614]  kfree_sensitive+0x67/0x90
[ 24.128819]  kmalloc_double_kzfree+0x12b/0x350
[ 24.129003]  kunit_try_run_case+0x1a5/0x480
[ 24.129187]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.129408]  kthread+0x337/0x6f0
[ 24.129578]  ret_from_fork+0x116/0x1d0
[ 24.129773]  ret_from_fork_asm+0x1a/0x30
[ 24.129944]
[ 24.130023] The buggy address belongs to the object at ffff888104c83b60
[ 24.130023]  which belongs to the cache kmalloc-16 of size 16
[ 24.130462] The buggy address is located 0 bytes inside of
[ 24.130462]  freed 16-byte region [ffff888104c83b60, ffff888104c83b70)
[ 24.131173]
[ 24.131349] The buggy address belongs to the physical page:
[ 24.131571] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104c83
[ 24.131906] flags: 0x200000000000000(node=0|zone=2)
[ 24.132124] page_type: f5(slab)
[ 24.132330] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 24.132641] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 24.132956] page dumped because: kasan: bad access detected
[ 24.133162]
[ 24.133227] Memory state around the buggy address:
[ 24.133542]  ffff888104c83a00: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[ 24.133827]  ffff888104c83a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 24.134117] >ffff888104c83b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 24.134607]                                                        ^
[ 24.134821]  ffff888104c83b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.135055]  ffff888104c83c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.135471] ==================================================================
```