Hay
Date
June 2, 2025, 2:11 p.m.

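Environment (one KASAN report per environment below, in this order)
e850-96
qemu-arm64
qemu-x86_64

Note: in all three reports the faulting read is in kmem_cache_destroy(), called from kmem_cache_double_destroy under kunit_try_run_case, with the [N]=TEST taint set. The reports are therefore raised while a KUnit test case is running, and the name suggests a test that destroys the same cache twice on purpose. If so, the slab-use-after-free report is the result the test expects; check the test's pass/fail status before triaging this as a regression.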

[   32.677716] ==================================================================
[   32.677908] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   32.678049] Read of size 1 at addr ffff000802440280 by task kunit_try_catch/262
[   32.681603] 
[   32.683090] CPU: 7 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G    B            N  6.15.1-rc1 #1 PREEMPT 
[   32.683147] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.683164] Hardware name: WinLink E850-96 board (DT)
[   32.683187] Call trace:
[   32.683205]  show_stack+0x20/0x38 (C)
[   32.683238]  dump_stack_lvl+0x8c/0xd0
[   32.683275]  print_report+0x118/0x608
[   32.683303]  kasan_report+0xdc/0x128
[   32.683332]  __kasan_check_byte+0x54/0x70
[   32.683360]  kmem_cache_destroy+0x34/0x218
[   32.683393]  kmem_cache_double_destroy+0x174/0x300
[   32.683426]  kunit_try_run_case+0x170/0x3f0
[   32.683463]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.683505]  kthread+0x328/0x630
[   32.683539]  ret_from_fork+0x10/0x20
[   32.683573] 
[   32.749833] Allocated by task 262:
[   32.753221]  kasan_save_stack+0x3c/0x68
[   32.757036]  kasan_save_track+0x20/0x40
[   32.760855]  kasan_save_alloc_info+0x40/0x58
[   32.765109]  __kasan_slab_alloc+0xa8/0xb0
[   32.769101]  kmem_cache_alloc_noprof+0x10c/0x398
[   32.773702]  __kmem_cache_create_args+0x178/0x280
[   32.778389]  kmem_cache_double_destroy+0xc0/0x300
[   32.783077]  kunit_try_run_case+0x170/0x3f0
[   32.787245]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.792713]  kthread+0x328/0x630
[   32.795924]  ret_from_fork+0x10/0x20
[   32.799483] 
[   32.800960] Freed by task 262:
[   32.803998]  kasan_save_stack+0x3c/0x68
[   32.807816]  kasan_save_track+0x20/0x40
[   32.811636]  kasan_save_free_info+0x4c/0x78
[   32.815802]  __kasan_slab_free+0x6c/0x98
[   32.819710]  kmem_cache_free+0x260/0x468
[   32.823615]  slab_kmem_cache_release+0x38/0x50
[   32.828042]  kmem_cache_release+0x1c/0x30
[   32.832035]  kobject_put+0x17c/0x420
[   32.835593]  sysfs_slab_release+0x1c/0x30
[   32.839587]  kmem_cache_destroy+0x118/0x218
[   32.843753]  kmem_cache_double_destroy+0x128/0x300
[   32.848528]  kunit_try_run_case+0x170/0x3f0
[   32.852694]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.858163]  kthread+0x328/0x630
[   32.861375]  ret_from_fork+0x10/0x20
[   32.864933] 
[   32.866411] The buggy address belongs to the object at ffff000802440280
[   32.866411]  which belongs to the cache kmem_cache of size 208
[   32.878824] The buggy address is located 0 bytes inside of
[   32.878824]  freed 208-byte region [ffff000802440280, ffff000802440350)
[   32.890888] 
[   32.892368] The buggy address belongs to the physical page:
[   32.897924] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882440
[   32.905909] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   32.913548] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   32.920492] page_type: f5(slab)
[   32.923627] raw: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[   32.931345] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[   32.939072] head: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[   32.946883] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[   32.954696] head: 0bfffe0000000001 fffffdffe0091001 00000000ffffffff 00000000ffffffff
[   32.962508] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   32.970314] page dumped because: kasan: bad access detected
[   32.975869] 
[   32.977345] Memory state around the buggy address:
[   32.982125]  ffff000802440180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.989328]  ffff000802440200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.996532] >ffff000802440280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.003734]                    ^
[   33.006949]  ffff000802440300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   33.014153]  ffff000802440380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.021356] ==================================================================

[   19.869146] ==================================================================
[   19.869235] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   19.869319] Read of size 1 at addr fff00000c3ef33c0 by task kunit_try_catch/218
[   19.869386] 
[   19.869428] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.1-rc1 #1 PREEMPT 
[   19.869557] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   19.869588] Hardware name: linux,dummy-virt (DT)
[   19.869622] Call trace:
[   19.869648]  show_stack+0x20/0x38 (C)
[   19.869705]  dump_stack_lvl+0x8c/0xd0
[   19.869759]  print_report+0x118/0x608
[   19.869807]  kasan_report+0xdc/0x128
[   19.869851]  __kasan_check_byte+0x54/0x70
[   19.869899]  kmem_cache_destroy+0x34/0x218
[   19.869949]  kmem_cache_double_destroy+0x174/0x300
[   19.870003]  kunit_try_run_case+0x170/0x3f0
[   19.870055]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.870114]  kthread+0x328/0x630
[   19.870163]  ret_from_fork+0x10/0x20
[   19.870216] 
[   19.870236] Allocated by task 218:
[   19.870268]  kasan_save_stack+0x3c/0x68
[   19.870310]  kasan_save_track+0x20/0x40
[   19.870386]  kasan_save_alloc_info+0x40/0x58
[   19.870429]  __kasan_slab_alloc+0xa8/0xb0
[   19.870468]  kmem_cache_alloc_noprof+0x10c/0x398
[   19.870510]  __kmem_cache_create_args+0x178/0x280
[   19.870557]  kmem_cache_double_destroy+0xc0/0x300
[   19.870601]  kunit_try_run_case+0x170/0x3f0
[   19.870640]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.870688]  kthread+0x328/0x630
[   19.870726]  ret_from_fork+0x10/0x20
[   19.870765] 
[   19.870785] Freed by task 218:
[   19.870830]  kasan_save_stack+0x3c/0x68
[   19.870870]  kasan_save_track+0x20/0x40
[   19.870907]  kasan_save_free_info+0x4c/0x78
[   19.870948]  __kasan_slab_free+0x6c/0x98
[   19.870987]  kmem_cache_free+0x260/0x468
[   19.871029]  slab_kmem_cache_release+0x38/0x50
[   19.871071]  kmem_cache_release+0x1c/0x30
[   19.871114]  kobject_put+0x17c/0x420
[   19.871153]  sysfs_slab_release+0x1c/0x30
[   19.871192]  kmem_cache_destroy+0x118/0x218
[   19.871230]  kmem_cache_double_destroy+0x128/0x300
[   19.871276]  kunit_try_run_case+0x170/0x3f0
[   19.871315]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.871463]  kthread+0x328/0x630
[   19.871545]  ret_from_fork+0x10/0x20
[   19.871582] 
[   19.871603] The buggy address belongs to the object at fff00000c3ef33c0
[   19.871603]  which belongs to the cache kmem_cache of size 208
[   19.871663] The buggy address is located 0 bytes inside of
[   19.871663]  freed 208-byte region [fff00000c3ef33c0, fff00000c3ef3490)
[   19.871726] 
[   19.871749] The buggy address belongs to the physical page:
[   19.871785] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ef3
[   19.871840] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.871895] page_type: f5(slab)
[   19.871940] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   19.871991] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   19.872032] page dumped because: kasan: bad access detected
[   19.872063] 
[   19.872083] Memory state around the buggy address:
[   19.872119]  fff00000c3ef3280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.872165]  fff00000c3ef3300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   19.872209] >fff00000c3ef3380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   19.872249]                                            ^
[   19.872285]  fff00000c3ef3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.872328]  fff00000c3ef3480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.872378] ==================================================================

[   17.653517] ==================================================================
[   17.654045] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   17.654366] Read of size 1 at addr ffff88810150cdc0 by task kunit_try_catch/236
[   17.654889] 
[   17.655135] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G    B            N  6.15.1-rc1 #1 PREEMPT(voluntary) 
[   17.655795] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.655841] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.655903] Call Trace:
[   17.655930]  <TASK>
[   17.655977]  dump_stack_lvl+0x73/0xb0
[   17.656056]  print_report+0xd1/0x650
[   17.656099]  ? __virt_addr_valid+0x1db/0x2d0
[   17.656164]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.656215]  ? kasan_complete_mode_report_info+0x64/0x200
[   17.656259]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.656300]  kasan_report+0x141/0x180
[   17.656345]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.656396]  ? kmem_cache_double_destroy+0x1bf/0x380
[   17.656438]  __kasan_check_byte+0x3d/0x50
[   17.656489]  kmem_cache_destroy+0x25/0x1d0
[   17.656550]  kmem_cache_double_destroy+0x1bf/0x380
[   17.656599]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   17.656646]  ? finish_task_switch.isra.0+0x153/0x700
[   17.656697]  ? __switch_to+0x5d9/0xf60
[   17.656733]  ? dequeue_task_fair+0x166/0x4e0
[   17.656801]  ? __pfx_read_tsc+0x10/0x10
[   17.656841]  ? ktime_get_ts64+0x86/0x230
[   17.656897]  kunit_try_run_case+0x1a5/0x480
[   17.656947]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.656985]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   17.657036]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   17.657089]  ? __kthread_parkme+0x82/0x180
[   17.657134]  ? preempt_count_sub+0x50/0x80
[   17.657184]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.657233]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.657284]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   17.657327]  kthread+0x337/0x6f0
[   17.657364]  ? trace_preempt_on+0x20/0xc0
[   17.657419]  ? __pfx_kthread+0x10/0x10
[   17.657458]  ? _raw_spin_unlock_irq+0x47/0x80
[   17.657495]  ? calculate_sigpending+0x7b/0xa0
[   17.657534]  ? __pfx_kthread+0x10/0x10
[   17.657563]  ret_from_fork+0x41/0x80
[   17.657599]  ? __pfx_kthread+0x10/0x10
[   17.657627]  ret_from_fork_asm+0x1a/0x30
[   17.657682]  </TASK>
[   17.657707] 
[   17.673262] Allocated by task 236:
[   17.673937]  kasan_save_stack+0x45/0x70
[   17.674556]  kasan_save_track+0x18/0x40
[   17.674767]  kasan_save_alloc_info+0x3b/0x50
[   17.675454]  __kasan_slab_alloc+0x91/0xa0
[   17.676135]  kmem_cache_alloc_noprof+0x123/0x3f0
[   17.676726]  __kmem_cache_create_args+0x169/0x240
[   17.677756]  kmem_cache_double_destroy+0xd5/0x380
[   17.678065]  kunit_try_run_case+0x1a5/0x480
[   17.678634]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.678969]  kthread+0x337/0x6f0
[   17.679204]  ret_from_fork+0x41/0x80
[   17.679721]  ret_from_fork_asm+0x1a/0x30
[   17.680528] 
[   17.680723] Freed by task 236:
[   17.681025]  kasan_save_stack+0x45/0x70
[   17.681701]  kasan_save_track+0x18/0x40
[   17.681988]  kasan_save_free_info+0x3f/0x60
[   17.682359]  __kasan_slab_free+0x56/0x70
[   17.682602]  kmem_cache_free+0x249/0x420
[   17.682947]  slab_kmem_cache_release+0x2e/0x40
[   17.683212]  kmem_cache_release+0x16/0x20
[   17.683422]  kobject_put+0x181/0x450
[   17.683996]  sysfs_slab_release+0x16/0x20
[   17.684549]  kmem_cache_destroy+0xf0/0x1d0
[   17.685022]  kmem_cache_double_destroy+0x14e/0x380
[   17.685984]  kunit_try_run_case+0x1a5/0x480
[   17.686529]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.687091]  kthread+0x337/0x6f0
[   17.687364]  ret_from_fork+0x41/0x80
[   17.687857]  ret_from_fork_asm+0x1a/0x30
[   17.688185] 
[   17.688315] The buggy address belongs to the object at ffff88810150cdc0
[   17.688315]  which belongs to the cache kmem_cache of size 208
[   17.689163] The buggy address is located 0 bytes inside of
[   17.689163]  freed 208-byte region [ffff88810150cdc0, ffff88810150ce90)
[   17.691030] 
[   17.691213] The buggy address belongs to the physical page:
[   17.691450] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10150c
[   17.691831] flags: 0x200000000000000(node=0|zone=2)
[   17.692077] page_type: f5(slab)
[   17.692811] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[   17.693624] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   17.694172] page dumped because: kasan: bad access detected
[   17.694416] 
[   17.694607] Memory state around the buggy address:
[   17.695034]  ffff88810150cc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.695488]  ffff88810150cd00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   17.696202] >ffff88810150cd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   17.697170]                                            ^
[   17.697591]  ffff88810150ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.698009]  ffff88810150ce80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.698493] ==================================================================