Date
July 11, 2025, 10:11 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 51.923970] ==================================================================
[ 51.924161] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 51.924305] Read of size 1 at addr ffff000801b70280 by task kunit_try_catch/299
[ 51.927856]
[ 51.929344] CPU: 4 UID: 0 PID: 299 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 51.929405] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 51.929423] Hardware name: WinLink E850-96 board (DT)
[ 51.929446] Call trace:
[ 51.929459] show_stack+0x20/0x38 (C)
[ 51.929496] dump_stack_lvl+0x8c/0xd0
[ 51.929530] print_report+0x118/0x5d0
[ 51.929565] kasan_report+0xdc/0x128
[ 51.929592] __kasan_check_byte+0x54/0x70
[ 51.929629] kmem_cache_destroy+0x34/0x218
[ 51.929666] kmem_cache_double_destroy+0x174/0x300
[ 51.929700] kunit_try_run_case+0x170/0x3f0
[ 51.929737] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 51.929770] kthread+0x328/0x630
[ 51.929801] ret_from_fork+0x10/0x20
[ 51.929840]
[ 51.997301] Allocated by task 299:
[ 52.000688] kasan_save_stack+0x3c/0x68
[ 52.004504] kasan_save_track+0x20/0x40
[ 52.008324] kasan_save_alloc_info+0x40/0x58
[ 52.012577] __kasan_slab_alloc+0xa8/0xb0
[ 52.016570] kmem_cache_alloc_noprof+0x10c/0x398
[ 52.021171] __kmem_cache_create_args+0x178/0x280
[ 52.025858] kmem_cache_double_destroy+0xc0/0x300
[ 52.030546] kunit_try_run_case+0x170/0x3f0
[ 52.034714] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 52.040181] kthread+0x328/0x630
[ 52.043393] ret_from_fork+0x10/0x20
[ 52.046951]
[ 52.048429] Freed by task 299:
[ 52.051467] kasan_save_stack+0x3c/0x68
[ 52.055285] kasan_save_track+0x20/0x40
[ 52.059104] kasan_save_free_info+0x4c/0x78
[ 52.063271] __kasan_slab_free+0x6c/0x98
[ 52.067178] kmem_cache_free+0x260/0x468
[ 52.071083] slab_kmem_cache_release+0x38/0x50
[ 52.075510] kmem_cache_release+0x1c/0x30
[ 52.079503] kobject_put+0x17c/0x420
[ 52.083062] sysfs_slab_release+0x1c/0x30
[ 52.087055] kmem_cache_destroy+0x118/0x218
[ 52.091222] kmem_cache_double_destroy+0x128/0x300
[ 52.095996] kunit_try_run_case+0x170/0x3f0
[ 52.100164] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 52.105632] kthread+0x328/0x630
[ 52.108843] ret_from_fork+0x10/0x20
[ 52.112402]
[ 52.113880] The buggy address belongs to the object at ffff000801b70280
[ 52.113880] which belongs to the cache kmem_cache of size 208
[ 52.126295] The buggy address is located 0 bytes inside of
[ 52.126295] freed 208-byte region [ffff000801b70280, ffff000801b70350)
[ 52.138358]
[ 52.139835] The buggy address belongs to the physical page:
[ 52.145391] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881b70
[ 52.153376] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 52.161015] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 52.167959] page_type: f5(slab)
[ 52.171095] raw: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 52.178814] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 52.186542] head: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 52.194352] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 52.202164] head: 0bfffe0000000001 fffffdffe006dc01 00000000ffffffff 00000000ffffffff
[ 52.209977] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 52.217782] page dumped because: kasan: bad access detected
[ 52.223338]
[ 52.224813] Memory state around the buggy address:
[ 52.229593] ffff000801b70180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.236796] ffff000801b70200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.244003] >ffff000801b70280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.251202] ^
[ 52.254417] ffff000801b70300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 52.261622] ffff000801b70380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.268825] ==================================================================
```
```
[ 31.775311] ==================================================================
[ 31.775426] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 31.775509] Read of size 1 at addr fff00000c3e188c0 by task kunit_try_catch/246
[ 31.775562]
[ 31.775608] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 31.775700] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.776482] Hardware name: linux,dummy-virt (DT)
[ 31.776537] Call trace:
[ 31.776581] show_stack+0x20/0x38 (C)
[ 31.776701] dump_stack_lvl+0x8c/0xd0
[ 31.776917] print_report+0x118/0x5d0
[ 31.777353] kasan_report+0xdc/0x128
[ 31.777550] __kasan_check_byte+0x54/0x70
[ 31.778009] kmem_cache_destroy+0x34/0x218
[ 31.778194] kmem_cache_double_destroy+0x174/0x300
[ 31.778354] kunit_try_run_case+0x170/0x3f0
[ 31.778415] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.778790] kthread+0x328/0x630
[ 31.779059] ret_from_fork+0x10/0x20
[ 31.779115]
[ 31.779135] Allocated by task 246:
[ 31.779539] kasan_save_stack+0x3c/0x68
[ 31.779595] kasan_save_track+0x20/0x40
[ 31.780071] kasan_save_alloc_info+0x40/0x58
[ 31.780113] __kasan_slab_alloc+0xa8/0xb0
[ 31.780555] kmem_cache_alloc_noprof+0x10c/0x398
[ 31.780860] __kmem_cache_create_args+0x178/0x280
[ 31.780907] kmem_cache_double_destroy+0xc0/0x300
[ 31.780950] kunit_try_run_case+0x170/0x3f0
[ 31.781694] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.781821] kthread+0x328/0x630
[ 31.781939] ret_from_fork+0x10/0x20
[ 31.782113]
[ 31.782140] Freed by task 246:
[ 31.782168] kasan_save_stack+0x3c/0x68
[ 31.782213] kasan_save_track+0x20/0x40
[ 31.782306] kasan_save_free_info+0x4c/0x78
[ 31.782435] __kasan_slab_free+0x6c/0x98
[ 31.782549] kmem_cache_free+0x260/0x468
[ 31.782787] slab_kmem_cache_release+0x38/0x50
[ 31.782828] kmem_cache_release+0x1c/0x30
[ 31.782870] kobject_put+0x17c/0x420
[ 31.782908] sysfs_slab_release+0x1c/0x30
[ 31.782950] kmem_cache_destroy+0x118/0x218
[ 31.782989] kmem_cache_double_destroy+0x128/0x300
[ 31.783209] kunit_try_run_case+0x170/0x3f0
[ 31.783256] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.783679] kthread+0x328/0x630
[ 31.783735] ret_from_fork+0x10/0x20
[ 31.783855]
[ 31.784122] The buggy address belongs to the object at fff00000c3e188c0
[ 31.784122] which belongs to the cache kmem_cache of size 208
[ 31.784239] The buggy address is located 0 bytes inside of
[ 31.784239] freed 208-byte region [fff00000c3e188c0, fff00000c3e18990)
[ 31.784682]
[ 31.784738] The buggy address belongs to the physical page:
[ 31.784774] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103e18
[ 31.785190] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.785346] page_type: f5(slab)
[ 31.785452] raw: 0bfffe0000000000 fff00000c0001000 dead000000000100 dead000000000122
[ 31.785523] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 31.785575] page dumped because: kasan: bad access detected
[ 31.785683]
[ 31.785704] Memory state around the buggy address:
[ 31.785905] fff00000c3e18780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.785994] fff00000c3e18800: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 31.786105] >fff00000c3e18880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 31.786147] ^
[ 31.786558] fff00000c3e18900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.786675] fff00000c3e18980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.786920] ==================================================================
```
```
[ 24.634014] ==================================================================
[ 24.635537] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[ 24.636569] Read of size 1 at addr ffff888101b228c0 by task kunit_try_catch/265
[ 24.636820]
[ 24.636916] CPU: 0 UID: 0 PID: 265 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.636974] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.636987] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.637012] Call Trace:
[ 24.637027] <TASK>
[ 24.637049] dump_stack_lvl+0x73/0xb0
[ 24.637088] print_report+0xd1/0x610
[ 24.637112] ? __virt_addr_valid+0x1db/0x2d0
[ 24.637139] ? kmem_cache_double_destroy+0x1bf/0x380
[ 24.637163] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.637189] ? kmem_cache_double_destroy+0x1bf/0x380
[ 24.637213] kasan_report+0x141/0x180
[ 24.637235] ? kmem_cache_double_destroy+0x1bf/0x380
[ 24.637261] ? kmem_cache_double_destroy+0x1bf/0x380
[ 24.637500] __kasan_check_byte+0x3d/0x50
[ 24.637525] kmem_cache_destroy+0x25/0x1d0
[ 24.637569] kmem_cache_double_destroy+0x1bf/0x380
[ 24.637593] ? __pfx_kmem_cache_double_destroy+0x10/0x10
[ 24.637895] ? finish_task_switch.isra.0+0x153/0x700
[ 24.637923] ? __switch_to+0x47/0xf80
[ 24.637970] ? __pfx_read_tsc+0x10/0x10
[ 24.637993] ? ktime_get_ts64+0x86/0x230
[ 24.638019] kunit_try_run_case+0x1a5/0x480
[ 24.638045] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.638066] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.638090] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.638115] ? __kthread_parkme+0x82/0x180
[ 24.638136] ? preempt_count_sub+0x50/0x80
[ 24.638160] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.638182] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.638207] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.638231] kthread+0x337/0x6f0
[ 24.638252] ? trace_preempt_on+0x20/0xc0
[ 24.638294] ? __pfx_kthread+0x10/0x10
[ 24.638315] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.638336] ? calculate_sigpending+0x7b/0xa0
[ 24.638362] ? __pfx_kthread+0x10/0x10
[ 24.638384] ret_from_fork+0x116/0x1d0
[ 24.638403] ? __pfx_kthread+0x10/0x10
[ 24.638424] ret_from_fork_asm+0x1a/0x30
[ 24.638456] </TASK>
[ 24.638469]
[ 24.655748] Allocated by task 265:
[ 24.656343] kasan_save_stack+0x45/0x70
[ 24.656916] kasan_save_track+0x18/0x40
[ 24.657490] kasan_save_alloc_info+0x3b/0x50
[ 24.658104] __kasan_slab_alloc+0x91/0xa0
[ 24.658686] kmem_cache_alloc_noprof+0x123/0x3f0
[ 24.659091] __kmem_cache_create_args+0x169/0x240
[ 24.659256] kmem_cache_double_destroy+0xd5/0x380
[ 24.660095] kunit_try_run_case+0x1a5/0x480
[ 24.660672] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.661168] kthread+0x337/0x6f0
[ 24.661649] ret_from_fork+0x116/0x1d0
[ 24.662093] ret_from_fork_asm+0x1a/0x30
[ 24.662591]
[ 24.662914] Freed by task 265:
[ 24.663033] kasan_save_stack+0x45/0x70
[ 24.663167] kasan_save_track+0x18/0x40
[ 24.663541] kasan_save_free_info+0x3f/0x60
[ 24.664102] __kasan_slab_free+0x56/0x70
[ 24.664704] kmem_cache_free+0x249/0x420
[ 24.665302] slab_kmem_cache_release+0x2e/0x40
[ 24.665690] kmem_cache_release+0x16/0x20
[ 24.666208] kobject_put+0x181/0x450
[ 24.666608] sysfs_slab_release+0x16/0x20
[ 24.667141] kmem_cache_destroy+0xf0/0x1d0
[ 24.667483] kmem_cache_double_destroy+0x14e/0x380
[ 24.668059] kunit_try_run_case+0x1a5/0x480
[ 24.668568] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.669064] kthread+0x337/0x6f0
[ 24.669192] ret_from_fork+0x116/0x1d0
[ 24.669636] ret_from_fork_asm+0x1a/0x30
[ 24.670217]
[ 24.670424] The buggy address belongs to the object at ffff888101b228c0
[ 24.670424] which belongs to the cache kmem_cache of size 208
[ 24.671191] The buggy address is located 0 bytes inside of
[ 24.671191] freed 208-byte region [ffff888101b228c0, ffff888101b22990)
[ 24.672868]
[ 24.673200] The buggy address belongs to the physical page:
[ 24.673764] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b22
[ 24.674418] flags: 0x200000000000000(node=0|zone=2)
[ 24.675018] page_type: f5(slab)
[ 24.675436] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[ 24.675993] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 24.676222] page dumped because: kasan: bad access detected
[ 24.676401]
[ 24.676578] Memory state around the buggy address:
[ 24.677095] ffff888101b22780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.677853] ffff888101b22800: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 24.678634] >ffff888101b22880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 24.679344] ^
[ 24.679831] ffff888101b22900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.680245] ffff888101b22980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.680744] ==================================================================
```