Hay
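Date: July 15, 2025, 2:10 p.m.

Environment: qemu-arm64, qemu-x86_64

The six KASAN reports below (five with the arm64 "linux,dummy-virt" hardware name, one from the x86_64 QEMU Q35 machine) all show the same pattern on 6.1.146-rc1: a 1-byte read at offset 0 of a 216-byte kmem_cache object that kmem_cache_double_destroy created with kmem_cache_create, released through a first kmem_cache_destroy, and then passed to kmem_cache_destroy again. Every stack runs in task kunit_try_catch under kunit_try_run_case, so the use-after-free looks like the deliberate trigger of a KUnit test case rather than a fault in a production code path; confirm against the test source and the test's pass/fail result before triaging it as a kernel bug.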

[  106.969271] ==================================================================
[  106.970062] BUG: KASAN: use-after-free in kmem_cache_double_destroy+0xd4/0x1d0
[  106.970674] Read of size 1 at addr ffff0000c6446780 by task kunit_try_catch/245
[  106.971180] 
[  106.971378] CPU: 1 PID: 245 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[  106.972024] Hardware name: linux,dummy-virt (DT)
[  106.972440] Call trace:
[  106.972859]  dump_backtrace+0xe0/0x134
[  106.973376]  show_stack+0x20/0x2c
[  106.974585]  dump_stack_lvl+0x88/0xb4
[  106.975363]  print_report+0x158/0x44c
[  106.976176]  kasan_report+0xc8/0x180
[  106.976914]  __kasan_check_byte+0x54/0x70
[  106.977323]  kmem_cache_destroy+0x100/0x1a4
[  106.978008]  kmem_cache_double_destroy+0xd4/0x1d0
[  106.978758]  kunit_try_run_case+0x8c/0x124
[  106.979416]  kunit_generic_run_threadfn_adapter+0x38/0x54
[  106.980231]  kthread+0x15c/0x170
[  106.980911]  ret_from_fork+0x10/0x20
[  106.981554] 
[  106.981879] Allocated by task 245:
[  106.982391]  kasan_save_stack+0x3c/0x70
[  106.982859]  kasan_set_track+0x2c/0x40
[  106.983235]  kasan_save_alloc_info+0x24/0x34
[  106.983649]  __kasan_slab_alloc+0xa8/0xac
[  106.984293]  kmem_cache_alloc+0x194/0x3b0
[  106.985035]  kmem_cache_create_usercopy+0x14c/0x280
[  106.985815]  kmem_cache_create+0x24/0x30
[  106.986443]  kmem_cache_double_destroy+0xa4/0x1d0
[  106.987236]  kunit_try_run_case+0x8c/0x124
[  106.987897]  kunit_generic_run_threadfn_adapter+0x38/0x54
[  106.988805]  kthread+0x15c/0x170
[  106.989391]  ret_from_fork+0x10/0x20
[  106.989991] 
[  106.990285] Freed by task 245:
[  106.990760]  kasan_save_stack+0x3c/0x70
[  106.991381]  kasan_set_track+0x2c/0x40
[  106.991983]  kasan_save_free_info+0x38/0x5c
[  106.992731]  __kasan_slab_free+0x100/0x170
[  106.993313]  slab_free_freelist_hook+0xd8/0x1c0
[  106.993729]  kmem_cache_free+0x194/0x42c
[  106.994198]  slab_kmem_cache_release+0x38/0x50
[  106.994722]  kmem_cache_release+0x1c/0x2c
[  106.995103]  kobject_put+0x104/0x2c0
[  106.995453]  sysfs_slab_release+0x30/0x40
[  106.995840]  kmem_cache_destroy+0xd8/0x1a4
[  106.996227]  kmem_cache_double_destroy+0xc4/0x1d0
[  106.997224]  kunit_try_run_case+0x8c/0x124
[  106.997958]  kunit_generic_run_threadfn_adapter+0x38/0x54
[  106.998738]  kthread+0x15c/0x170
[  106.999291]  ret_from_fork+0x10/0x20
[  106.999866] 
[  107.000141] The buggy address belongs to the object at ffff0000c6446780
[  107.000141]  which belongs to the cache kmem_cache of size 216
[  107.001725] The buggy address is located 0 bytes inside of
[  107.001725]  216-byte region [ffff0000c6446780, ffff0000c6446858)
[  107.003196] 
[  107.003474] The buggy address belongs to the physical page:
[  107.004154] page:0000000031a37b1f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106446
[  107.005389] head:0000000031a37b1f order:1 compound_mapcount:0 compound_pincount:0
[  107.006419] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
[  107.007394] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002000
[  107.008353] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[  107.009380] page dumped because: kasan: bad access detected
[  107.010176] 
[  107.010459] Memory state around the buggy address:
[  107.010943]  ffff0000c6446680: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[  107.011444]  ffff0000c6446700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  107.011970] >ffff0000c6446780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  107.012638]                    ^
[  107.013298]  ffff0000c6446800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[  107.013973]  ffff0000c6446880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  107.014612] ==================================================================

[   76.684091] ==================================================================
[   76.685048] BUG: KASAN: use-after-free in kmem_cache_double_destroy+0xa4/0x144
[   76.685797] Read of size 1 at addr ffff0000c546a180 by task kunit_try_catch/161
[   76.686448] 
[   76.686692] CPU: 1 PID: 161 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   76.687432] Hardware name: linux,dummy-virt (DT)
[   76.687846] Call trace:
[   76.688103]  dump_backtrace+0xf8/0x118
[   76.688806]  show_stack+0x18/0x24
[   76.689261]  __dump_stack+0x28/0x38
[   76.689672]  dump_stack_lvl+0x54/0x6c
[   76.690123]  print_address_description+0x7c/0x1ec
[   76.690660]  print_report+0x50/0x68
[   76.691695]  kasan_report+0xac/0x100
[   76.692163]  __kasan_check_byte+0x3c/0x54
[   76.692664]  kmem_cache_destroy+0x3c/0x14c
[   76.693144]  kmem_cache_double_destroy+0xa4/0x144
[   76.693679]  kunit_try_run_case+0x80/0x184
[   76.694146]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   76.694710]  kthread+0x16c/0x21c
[   76.695169]  ret_from_fork+0x10/0x20
[   76.695588] 
[   76.695794] Allocated by task 161:
[   76.696176]  kasan_set_track+0x4c/0x80
[   76.697296]  kasan_save_alloc_info+0x28/0x34
[   76.697772]  __kasan_slab_alloc+0x58/0x70
[   76.698242]  slab_post_alloc_hook+0x70/0x2f4
[   76.698716]  kmem_cache_alloc+0x168/0x260
[   76.699201]  kmem_cache_create_usercopy+0x108/0x29c
[   76.699732]  kmem_cache_create+0x1c/0x28
[   76.700178]  kmem_cache_double_destroy+0x48/0x144
[   76.700691]  kunit_try_run_case+0x80/0x184
[   76.701158]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   76.701715]  kthread+0x16c/0x21c
[   76.702161]  ret_from_fork+0x10/0x20
[   76.702552] 
[   76.702770] Freed by task 161:
[   76.703112]  kasan_set_track+0x4c/0x80
[   76.703588]  kasan_save_free_info+0x3c/0x60
[   76.704054]  ____kasan_slab_free+0xe8/0x140
[   76.704547]  __kasan_slab_free+0x18/0x28
[   76.705623]  kmem_cache_free+0xe0/0x358
[   76.706117]  slab_kmem_cache_release+0x30/0x40
[   76.706616]  kmem_cache_release+0x14/0x20
[   76.707130]  kobject_put+0xd8/0x140
[   76.707573]  sysfs_slab_release+0x28/0x34
[   76.708088]  kmem_cache_destroy+0x148/0x14c
[   76.708550]  kmem_cache_double_destroy+0x90/0x144
[   76.709064]  kunit_try_run_case+0x80/0x184
[   76.709559]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   76.710152]  kthread+0x16c/0x21c
[   76.710593]  ret_from_fork+0x10/0x20
[   76.711084] 
[   76.711291] The buggy address belongs to the object at ffff0000c546a180
[   76.711291]  which belongs to the cache kmem_cache of size 216
[   76.712220] The buggy address is located 0 bytes inside of
[   76.712220]  216-byte region [ffff0000c546a180, ffff0000c546a258)
[   76.713902] 
[   76.714126] The buggy address belongs to the physical page:
[   76.714593] page:000000005b065639 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10546a
[   76.715397] head:000000005b065639 order:1 compound_mapcount:0 compound_pincount:0
[   76.716117] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
[   76.716859] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002000
[   76.717542] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[   76.718151] page dumped because: kasan: bad access detected
[   76.718642] 
[   76.718846] Memory state around the buggy address:
[   76.719324]  ffff0000c546a080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   76.719987]  ffff0000c546a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.720629] >ffff0000c546a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.721743]                    ^
[   76.722099]  ffff0000c546a200: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   76.722743]  ffff0000c546a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.723371] ==================================================================

[   75.792417] ==================================================================
[   75.793732] BUG: KASAN: use-after-free in kmem_cache_double_destroy+0xa4/0x144
[   75.794496] Read of size 1 at addr ffff0000c159ed80 by task kunit_try_catch/161
[   75.795134] 
[   75.795379] CPU: 1 PID: 161 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   75.797193] Hardware name: linux,dummy-virt (DT)
[   75.797570] Call trace:
[   75.797824]  dump_backtrace+0xf4/0x114
[   75.798602]  show_stack+0x18/0x24
[   75.799037]  __dump_stack+0x28/0x38
[   75.799430]  dump_stack_lvl+0x50/0x68
[   75.800230]  print_address_description+0x7c/0x1ec
[   75.801191]  print_report+0x50/0x68
[   75.802015]  kasan_report+0xac/0xfc
[   75.802798]  __kasan_check_byte+0x3c/0x54
[   75.803609]  kmem_cache_destroy+0x3c/0x14c
[   75.804469]  kmem_cache_double_destroy+0xa4/0x144
[   75.805180]  kunit_try_run_case+0x80/0x184
[   75.805617]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   75.806325]  kthread+0x16c/0x21c
[   75.806825]  ret_from_fork+0x10/0x20
[   75.807303] 
[   75.807566] Allocated by task 161:
[   75.807997]  kasan_set_track+0x4c/0x80
[   75.808544]  kasan_save_alloc_info+0x28/0x34
[   75.809049]  __kasan_slab_alloc+0x58/0x70
[   75.809554]  slab_post_alloc_hook+0x70/0x2e8
[   75.810032]  kmem_cache_alloc+0x164/0x254
[   75.810549]  kmem_cache_create_usercopy+0x108/0x2a0
[   75.811065]  kmem_cache_create+0x1c/0x28
[   75.811495]  kmem_cache_double_destroy+0x48/0x144
[   75.812071]  kunit_try_run_case+0x80/0x184
[   75.812639]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   75.813313]  kthread+0x16c/0x21c
[   75.813748]  ret_from_fork+0x10/0x20
[   75.814166] 
[   75.814404] Freed by task 161:
[   75.814758]  kasan_set_track+0x4c/0x80
[   75.815261]  kasan_save_free_info+0x3c/0x60
[   75.815759]  ____kasan_slab_free+0xe8/0x140
[   75.816418]  __kasan_slab_free+0x18/0x28
[   75.816926]  kmem_cache_free+0xe0/0x34c
[   75.817406]  slab_kmem_cache_release+0x30/0x40
[   75.817888]  kmem_cache_release+0x14/0x20
[   75.818379]  kobject_put+0xd8/0x13c
[   75.818788]  sysfs_slab_release+0x28/0x34
[   75.819232]  kmem_cache_destroy+0x148/0x14c
[   75.819883]  kmem_cache_double_destroy+0x90/0x144
[   75.820389]  kunit_try_run_case+0x80/0x184
[   75.820873]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   75.821437]  kthread+0x16c/0x21c
[   75.821884]  ret_from_fork+0x10/0x20
[   75.822308] 
[   75.822511] The buggy address belongs to the object at ffff0000c159ed80
[   75.822511]  which belongs to the cache kmem_cache of size 216
[   75.823460] The buggy address is located 0 bytes inside of
[   75.823460]  216-byte region [ffff0000c159ed80, ffff0000c159ee58)
[   75.824508] 
[   75.824761] The buggy address belongs to the physical page:
[   75.825260] page:00000000acb072d7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10159e
[   75.826064] head:00000000acb072d7 order:1 compound_mapcount:0 compound_pincount:0
[   75.826707] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
[   75.827486] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002000
[   75.828372] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[   75.829028] page dumped because: kasan: bad access detected
[   75.829519] 
[   75.829711] Memory state around the buggy address:
[   75.830168]  ffff0000c159ec80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   75.830812]  ffff0000c159ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.831432] >ffff0000c159ed80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.832513]                    ^
[   75.832914]  ffff0000c159ee00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   75.833556]  ffff0000c159ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.834167] ==================================================================

[   74.375684] ==================================================================
[   74.376904] BUG: KASAN: use-after-free in kmem_cache_double_destroy+0xcc/0x1d0
[   74.378988] Read of size 1 at addr ffff0000c15bb500 by task kunit_try_catch/161
[   74.380211] 
[   74.380797] CPU: 1 PID: 161 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   74.381903] Hardware name: linux,dummy-virt (DT)
[   74.382732] Call trace:
[   74.382976]  dump_backtrace.part.0+0xdc/0xf0
[   74.383425]  show_stack+0x18/0x30
[   74.383799]  dump_stack_lvl+0x64/0x80
[   74.384152]  print_report+0x158/0x438
[   74.385101]  kasan_report+0xb4/0xf4
[   74.385792]  __kasan_check_byte+0x54/0x70
[   74.386633]  kmem_cache_destroy+0xf0/0x194
[   74.387508]  kmem_cache_double_destroy+0xcc/0x1d0
[   74.388477]  kunit_try_run_case+0x84/0x120
[   74.389348]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   74.390390]  kthread+0x180/0x190
[   74.391143]  ret_from_fork+0x10/0x20
[   74.391902] 
[   74.392341] Allocated by task 161:
[   74.393011]  kasan_save_stack+0x3c/0x70
[   74.393830]  kasan_set_track+0x2c/0x40
[   74.394634]  kasan_save_alloc_info+0x24/0x34
[   74.395502]  __kasan_slab_alloc+0x8c/0x90
[   74.396360]  kmem_cache_alloc+0x170/0x2c4
[   74.397243]  kmem_cache_create_usercopy+0x144/0x26c
[   74.398218]  kmem_cache_create+0x1c/0x30
[   74.399071]  kmem_cache_double_destroy+0x9c/0x1d0
[   74.400017]  kunit_try_run_case+0x84/0x120
[   74.400841]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   74.401791]  kthread+0x180/0x190
[   74.402421]  ret_from_fork+0x10/0x20
[   74.402772] 
[   74.402942] Freed by task 161:
[   74.403190]  kasan_save_stack+0x3c/0x70
[   74.404097]  kasan_set_track+0x2c/0x40
[   74.404827]  kasan_save_free_info+0x38/0x5c
[   74.405735]  __kasan_slab_free+0xe4/0x150
[   74.406595]  kmem_cache_free+0x1b8/0x38c
[   74.407463]  slab_kmem_cache_release+0x30/0x40
[   74.408352]  kmem_cache_release+0x14/0x20
[   74.409198]  kobject_put+0xe0/0x170
[   74.409850]  sysfs_slab_release+0x28/0x34
[   74.410631]  kmem_cache_destroy+0xc8/0x194
[   74.411369]  kmem_cache_double_destroy+0xbc/0x1d0
[   74.412371]  kunit_try_run_case+0x84/0x120
[   74.413089]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   74.413802]  kthread+0x180/0x190
[   74.414135]  ret_from_fork+0x10/0x20
[   74.414871] 
[   74.415347] The buggy address belongs to the object at ffff0000c15bb500
[   74.415347]  which belongs to the cache kmem_cache of size 216
[   74.417180] The buggy address is located 0 bytes inside of
[   74.417180]  216-byte region [ffff0000c15bb500, ffff0000c15bb5d8)
[   74.418826] 
[   74.419290] The buggy address belongs to the physical page:
[   74.420140] page:000000002d0224d4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1015ba
[   74.421229] head:000000002d0224d4 order:1 compound_mapcount:0 compound_pincount:0
[   74.421714] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
[   74.422275] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002000
[   74.423317] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[   74.424218] page dumped because: kasan: bad access detected
[   74.424791] 
[   74.425206] Memory state around the buggy address:
[   74.425875]  ffff0000c15bb400: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   74.426632]  ffff0000c15bb480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.427220] >ffff0000c15bb500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.427885]                    ^
[   74.428359]  ffff0000c15bb580: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   74.429037]  ffff0000c15bb600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.429488] ==================================================================

[   65.839426] ==================================================================
[   65.840149] BUG: KASAN: use-after-free in kmem_cache_double_destroy+0xe0/0x1c8
[   65.841293] Read of size 1 at addr ffff0000c59c6480 by task kunit_try_catch/159
[   65.842184] 
[   65.842525] CPU: 0 PID: 159 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   65.843553] Hardware name: linux,dummy-virt (DT)
[   65.844163] Call trace:
[   65.844556]  dump_backtrace+0x110/0x120
[   65.845044]  show_stack+0x18/0x28
[   65.845393]  dump_stack_lvl+0x68/0x84
[   65.845740]  print_report+0x158/0x484
[   65.846046]  kasan_report+0x98/0xe0
[   65.846575]  __kasan_check_byte+0x58/0x70
[   65.847168]  kmem_cache_destroy+0x34/0x178
[   65.847799]  kmem_cache_double_destroy+0xe0/0x1c8
[   65.848501]  kunit_try_run_case+0x7c/0x120
[   65.849127]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   65.849918]  kthread+0x1a4/0x1b8
[   65.850430]  ret_from_fork+0x10/0x20
[   65.850975] 
[   65.851219] Allocated by task 159:
[   65.851731]  kasan_save_stack+0x2c/0x58
[   65.852305]  kasan_set_track+0x2c/0x40
[   65.852838]  kasan_save_alloc_info+0x24/0x38
[   65.853462]  __kasan_slab_alloc+0x74/0x90
[   65.854032]  slab_post_alloc_hook+0x6c/0x260
[   65.854667]  kmem_cache_alloc+0x164/0x270
[   65.855279]  kmem_cache_create_usercopy+0x1ac/0x2c0
[   65.855945]  kmem_cache_create+0x1c/0x28
[   65.856524]  kmem_cache_double_destroy+0xac/0x1c8
[   65.857195]  kunit_try_run_case+0x7c/0x120
[   65.857814]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   65.858503]  kthread+0x1a4/0x1b8
[   65.858803]  ret_from_fork+0x10/0x20
[   65.859107] 
[   65.859303] Freed by task 159:
[   65.859753]  kasan_save_stack+0x2c/0x58
[   65.860323]  kasan_set_track+0x2c/0x40
[   65.860859]  kasan_save_free_info+0x38/0x60
[   65.861471]  __kasan_slab_free+0xe8/0x158
[   65.862033]  kmem_cache_free+0x1b0/0x3a0
[   65.862631]  slab_kmem_cache_release+0x30/0x40
[   65.863265]  kmem_cache_release+0x14/0x20
[   65.863870]  kobject_put+0xe0/0x188
[   65.864416]  sysfs_slab_release+0x28/0x38
[   65.864981]  kmem_cache_destroy+0xe0/0x178
[   65.865565]  kmem_cache_double_destroy+0xcc/0x1c8
[   65.866257]  kunit_try_run_case+0x7c/0x120
[   65.866699]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   65.867120]  kthread+0x1a4/0x1b8
[   65.867416]  ret_from_fork+0x10/0x20
[   65.867719] 
[   65.867880] The buggy address belongs to the object at ffff0000c59c6480
[   65.867880]  which belongs to the cache kmem_cache of size 216
[   65.868908] The buggy address is located 0 bytes inside of
[   65.868908]  216-byte region [ffff0000c59c6480, ffff0000c59c6558)
[   65.870193] 
[   65.870463] The buggy address belongs to the physical page:
[   65.871136] page:00000000e765158c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059c6
[   65.872189] head:00000000e765158c order:1 compound_mapcount:0 compound_pincount:0
[   65.873044] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
[   65.873991] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002000
[   65.874897] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[   65.875764] page dumped because: kasan: bad access detected
[   65.876433] 
[   65.876697] Memory state around the buggy address:
[   65.877311]  ffff0000c59c6380: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   65.878166]  ffff0000c59c6400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.879007] >ffff0000c59c6480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.879828]                    ^
[   65.880188]  ffff0000c59c6500: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   65.880636]  ffff0000c59c6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.881048] ==================================================================

[   31.990770] ==================================================================
[   31.991392] BUG: KASAN: use-after-free in kmem_cache_double_destroy+0xc2/0x1b0
[   31.992758] Read of size 1 at addr ffff888101a45500 by task kunit_try_catch/265
[   31.994082] 
[   31.994348] CPU: 1 PID: 265 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   31.994741] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   31.995049] Call Trace:
[   31.995185]  <TASK>
[   31.995334]  dump_stack_lvl+0x49/0x62
[   31.995582]  print_report+0x189/0x492
[   31.995789]  ? kasan_complete_mode_report_info+0x7c/0x200
[   31.996081]  ? kmem_cache_double_destroy+0xc2/0x1b0
[   31.996913]  kasan_report+0x10c/0x190
[   31.997237]  ? kmem_cache_double_destroy+0xc2/0x1b0
[   31.997578]  ? kmem_cache_double_destroy+0xc2/0x1b0
[   31.997882]  __kasan_check_byte+0x39/0x50
[   31.998206]  kmem_cache_destroy+0x21/0x170
[   31.998436]  kmem_cache_double_destroy+0xc2/0x1b0
[   31.998790]  ? kasan_memchr+0x1e0/0x1e0
[   31.999099]  ? __kunit_add_resource+0xd1/0x100
[   31.999342]  ? kasan_test_init+0x13e/0x1b0
[   31.999716]  kunit_try_run_case+0x8f/0xd0
[   32.000249]  ? kunit_catch_run_case+0x80/0x80
[   32.000624]  ? kunit_try_catch_throw+0x40/0x40
[   32.000981]  kunit_generic_run_threadfn_adapter+0x2f/0x50
[   32.001343]  kthread+0x17b/0x1b0
[   32.001774]  ? kthread_complete_and_exit+0x30/0x30
[   32.002108]  ret_from_fork+0x22/0x30
[   32.002458]  </TASK>
[   32.002595] 
[   32.002706] Allocated by task 265:
[   32.002899]  kasan_save_stack+0x41/0x70
[   32.003184]  kasan_set_track+0x25/0x40
[   32.003401]  kasan_save_alloc_info+0x1e/0x30
[   32.003681]  __kasan_slab_alloc+0x90/0xa0
[   32.004095]  kmem_cache_alloc+0x150/0x370
[   32.004405]  kmem_cache_create_usercopy+0x120/0x290
[   32.004609]  kmem_cache_create+0x16/0x20
[   32.004836]  kmem_cache_double_destroy+0x93/0x1b0
[   32.005284]  kunit_try_run_case+0x8f/0xd0
[   32.005673]  kunit_generic_run_threadfn_adapter+0x2f/0x50
[   32.006026]  kthread+0x17b/0x1b0
[   32.006299]  ret_from_fork+0x22/0x30
[   32.006908] 
[   32.007118] Freed by task 265:
[   32.007398]  kasan_save_stack+0x41/0x70
[   32.007834]  kasan_set_track+0x25/0x40
[   32.008019]  kasan_save_free_info+0x2e/0x50
[   32.008214]  ____kasan_slab_free+0x175/0x1d0
[   32.008671]  __kasan_slab_free+0x12/0x20
[   32.009142]  kmem_cache_free+0x19c/0x4a0
[   32.009734]  slab_kmem_cache_release+0x2a/0x40
[   32.010235]  kmem_cache_release+0x12/0x20
[   32.010934]  kobject_put+0xf2/0x250
[   32.011412]  sysfs_slab_release+0x20/0x30
[   32.011925]  kmem_cache_destroy+0xce/0x170
[   32.012326]  kmem_cache_double_destroy+0xab/0x1b0
[   32.012787]  kunit_try_run_case+0x8f/0xd0
[   32.012983]  kunit_generic_run_threadfn_adapter+0x2f/0x50
[   32.013232]  kthread+0x17b/0x1b0
[   32.013449]  ret_from_fork+0x22/0x30
[   32.013817] 
[   32.013939] The buggy address belongs to the object at ffff888101a45500
[   32.013939]  which belongs to the cache kmem_cache of size 216
[   32.015409] The buggy address is located 0 bytes inside of
[   32.015409]  216-byte region [ffff888101a45500, ffff888101a455d8)
[   32.016068] 
[   32.016188] The buggy address belongs to the physical page:
[   32.016628] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a45
[   32.017152] flags: 0x200000000000200(slab|node=0|zone=2)
[   32.017719] raw: 0200000000000200 0000000000000000 dead000000000122 ffff888100041000
[   32.018089] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   32.018663] page dumped because: kasan: bad access detected
[   32.019030] 
[   32.019155] Memory state around the buggy address:
[   32.019583]  ffff888101a45400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.020251]  ffff888101a45480: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.020853] >ffff888101a45500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.021371]                    ^
[   32.021746]  ffff888101a45580: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   32.022210]  ffff888101a45600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.022764] ==================================================================