Date
June 2, 2025, 2:10 p.m.
Environment | |
---|---|
qemu-arm64 |
```
[ 20.310111] ==================================================================
[ 20.311227] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x174/0x318
[ 20.311961] Read of size 1 at addr fff00000c5bb2280 by task kunit_try_catch/179
[ 20.313319]
[ 20.313548] CPU: 0 UID: 0 PID: 179 Comm: kunit_try_catch Tainted: G B N 6.12.32-rc1 #1
[ 20.313749] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.313819] Hardware name: linux,dummy-virt (DT)
[ 20.313892] Call trace:
[ 20.313945] dump_backtrace+0x9c/0x128
[ 20.314068] show_stack+0x20/0x38
[ 20.314159] dump_stack_lvl+0x8c/0xd0
[ 20.314221] print_report+0x118/0x5f0
[ 20.314293] kasan_report+0xdc/0x128
[ 20.314334] __kasan_check_byte+0x54/0x70
[ 20.314379] kfree_sensitive+0x30/0xb0
[ 20.314421] kmalloc_double_kzfree+0x174/0x318
[ 20.314467] kunit_try_run_case+0x170/0x3f0
[ 20.314514] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.314564] kthread+0x24c/0x2d0
[ 20.314605] ret_from_fork+0x10/0x20
[ 20.314653]
[ 20.320907] Allocated by task 179:
[ 20.321410] kasan_save_stack+0x3c/0x68
[ 20.321950] kasan_save_track+0x20/0x40
[ 20.322331] kasan_save_alloc_info+0x40/0x58
[ 20.322772] __kasan_kmalloc+0xd4/0xd8
[ 20.323113] __kmalloc_cache_noprof+0x154/0x320
[ 20.323645] kmalloc_double_kzfree+0xb8/0x318
[ 20.324146] kunit_try_run_case+0x170/0x3f0
[ 20.324557] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.325037] kthread+0x24c/0x2d0
[ 20.325712] ret_from_fork+0x10/0x20
[ 20.326181]
[ 20.326487] Freed by task 179:
[ 20.326852] kasan_save_stack+0x3c/0x68
[ 20.327594] kasan_save_track+0x20/0x40
[ 20.327884] kasan_save_free_info+0x4c/0x78
[ 20.328152] __kasan_slab_free+0x6c/0x98
[ 20.328436] kfree+0x110/0x3b8
[ 20.329012] kfree_sensitive+0x80/0xb0
[ 20.329554] kmalloc_double_kzfree+0x120/0x318
[ 20.330103] kunit_try_run_case+0x170/0x3f0
[ 20.330527] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.331141] kthread+0x24c/0x2d0
[ 20.331508] ret_from_fork+0x10/0x20
[ 20.331937]
[ 20.332204] The buggy address belongs to the object at fff00000c5bb2280
[ 20.332204] which belongs to the cache kmalloc-16 of size 16
[ 20.333178] The buggy address is located 0 bytes inside of
[ 20.333178] freed 16-byte region [fff00000c5bb2280, fff00000c5bb2290)
[ 20.334273]
[ 20.334612] The buggy address belongs to the physical page:
[ 20.334944] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bb2
[ 20.336008] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 20.336532] page_type: f5(slab)
[ 20.336881] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 20.337682] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 20.338334] page dumped because: kasan: bad access detected
[ 20.338888]
[ 20.339335] Memory state around the buggy address:
[ 20.340100] fff00000c5bb2180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 20.340676] fff00000c5bb2200: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc
[ 20.341291] >fff00000c5bb2280: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.341905] ^
[ 20.342273] fff00000c5bb2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.342916] fff00000c5bb2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.343524] ==================================================================
```