Hay
Date: July 17, 2025, 10:12 a.m.
Environment: qemu-arm64

[   31.007415] ==================================================================
[   31.007489] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   31.007564] Read of size 1 at addr fff00000c3f2da00 by task kunit_try_catch/246
[   31.007616] 
[   31.007658] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250717 #1 PREEMPT 
[   31.007749] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.007774] Hardware name: linux,dummy-virt (DT)
[   31.007809] Call trace:
[   31.007835]  show_stack+0x20/0x38 (C)
[   31.007888]  dump_stack_lvl+0x8c/0xd0
[   31.007943]  print_report+0x118/0x5d0
[   31.007990]  kasan_report+0xdc/0x128
[   31.008035]  __kasan_check_byte+0x54/0x70
[   31.008095]  kmem_cache_destroy+0x34/0x218
[   31.008146]  kmem_cache_double_destroy+0x174/0x300
[   31.008195]  kunit_try_run_case+0x170/0x3f0
[   31.008243]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.008295]  kthread+0x328/0x630
[   31.008338]  ret_from_fork+0x10/0x20
[   31.008404] 
[   31.008423] Allocated by task 246:
[   31.008453]  kasan_save_stack+0x3c/0x68
[   31.008493]  kasan_save_track+0x20/0x40
[   31.008528]  kasan_save_alloc_info+0x40/0x58
[   31.008567]  __kasan_slab_alloc+0xa8/0xb0
[   31.008603]  kmem_cache_alloc_noprof+0x10c/0x398
[   31.008645]  __kmem_cache_create_args+0x178/0x280
[   31.008686]  kmem_cache_double_destroy+0xc0/0x300
[   31.008726]  kunit_try_run_case+0x170/0x3f0
[   31.008763]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.008806]  kthread+0x328/0x630
[   31.008838]  ret_from_fork+0x10/0x20
[   31.008875] 
[   31.008893] Freed by task 246:
[   31.008918]  kasan_save_stack+0x3c/0x68
[   31.008955]  kasan_save_track+0x20/0x40
[   31.008990]  kasan_save_free_info+0x4c/0x78
[   31.009027]  __kasan_slab_free+0x6c/0x98
[   31.009073]  kmem_cache_free+0x260/0x468
[   31.009113]  slab_kmem_cache_release+0x38/0x50
[   31.009154]  kmem_cache_release+0x1c/0x30
[   31.009190]  kobject_put+0x17c/0x420
[   31.009226]  sysfs_slab_release+0x1c/0x30
[   31.009262]  kmem_cache_destroy+0x118/0x218
[   31.009301]  kmem_cache_double_destroy+0x128/0x300
[   31.009341]  kunit_try_run_case+0x170/0x3f0
[   31.009377]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.009419]  kthread+0x328/0x630
[   31.009451]  ret_from_fork+0x10/0x20
[   31.009487] 
[   31.009507] The buggy address belongs to the object at fff00000c3f2da00
[   31.009507]  which belongs to the cache kmem_cache of size 208
[   31.009567] The buggy address is located 0 bytes inside of
[   31.009567]  freed 208-byte region [fff00000c3f2da00, fff00000c3f2dad0)
[   31.009627] 
[   31.009649] The buggy address belongs to the physical page:
[   31.009685] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f2d
[   31.009742] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.009795] page_type: f5(slab)
[   31.009838] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   31.009888] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   31.009929] page dumped because: kasan: bad access detected
[   31.009961] 
[   31.009978] Memory state around the buggy address:
[   31.010013]  fff00000c3f2d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.010063]  fff00000c3f2d980: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.010107] >fff00000c3f2da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.010147]                    ^
[   31.010173]  fff00000c3f2da80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   31.010212]  fff00000c3f2db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.010250] ==================================================================