Date
June 2, 2025, 2:11 p.m.
Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |
e850-96:

```
[ 32.677716] ==================================================================
[ 32.677908] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 32.678049] Read of size 1 at addr ffff000802440280 by task kunit_try_catch/262
[ 32.681603]
[ 32.683090] CPU: 7 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT
[ 32.683147] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.683164] Hardware name: WinLink E850-96 board (DT)
[ 32.683187] Call trace:
[ 32.683205]  show_stack+0x20/0x38 (C)
[ 32.683238]  dump_stack_lvl+0x8c/0xd0
[ 32.683275]  print_report+0x118/0x608
[ 32.683303]  kasan_report+0xdc/0x128
[ 32.683332]  __kasan_check_byte+0x54/0x70
[ 32.683360]  kmem_cache_destroy+0x34/0x218
[ 32.683393]  kmem_cache_double_destroy+0x174/0x300
[ 32.683426]  kunit_try_run_case+0x170/0x3f0
[ 32.683463]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.683505]  kthread+0x328/0x630
[ 32.683539]  ret_from_fork+0x10/0x20
[ 32.683573]
[ 32.749833] Allocated by task 262:
[ 32.753221]  kasan_save_stack+0x3c/0x68
[ 32.757036]  kasan_save_track+0x20/0x40
[ 32.760855]  kasan_save_alloc_info+0x40/0x58
[ 32.765109]  __kasan_slab_alloc+0xa8/0xb0
[ 32.769101]  kmem_cache_alloc_noprof+0x10c/0x398
[ 32.773702]  __kmem_cache_create_args+0x178/0x280
[ 32.778389]  kmem_cache_double_destroy+0xc0/0x300
[ 32.783077]  kunit_try_run_case+0x170/0x3f0
[ 32.787245]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.792713]  kthread+0x328/0x630
[ 32.795924]  ret_from_fork+0x10/0x20
[ 32.799483]
[ 32.800960] Freed by task 262:
[ 32.803998]  kasan_save_stack+0x3c/0x68
[ 32.807816]  kasan_save_track+0x20/0x40
[ 32.811636]  kasan_save_free_info+0x4c/0x78
[ 32.815802]  __kasan_slab_free+0x6c/0x98
[ 32.819710]  kmem_cache_free+0x260/0x468
[ 32.823615]  slab_kmem_cache_release+0x38/0x50
[ 32.828042]  kmem_cache_release+0x1c/0x30
[ 32.832035]  kobject_put+0x17c/0x420
[ 32.835593]  sysfs_slab_release+0x1c/0x30
[ 32.839587]  kmem_cache_destroy+0x118/0x218
[ 32.843753]  kmem_cache_double_destroy+0x128/0x300
[ 32.848528]  kunit_try_run_case+0x170/0x3f0
[ 32.852694]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.858163]  kthread+0x328/0x630
[ 32.861375]  ret_from_fork+0x10/0x20
[ 32.864933]
[ 32.866411] The buggy address belongs to the object at ffff000802440280
[ 32.866411]  which belongs to the cache kmem_cache of size 208
[ 32.878824] The buggy address is located 0 bytes inside of
[ 32.878824]  freed 208-byte region [ffff000802440280, ffff000802440350)
[ 32.890888]
[ 32.892368] The buggy address belongs to the physical page:
[ 32.897924] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882440
[ 32.905909] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.913548] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.920492] page_type: f5(slab)
[ 32.923627] raw: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 32.931345] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 32.939072] head: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 32.946883] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 32.954696] head: 0bfffe0000000001 fffffdffe0091001 00000000ffffffff 00000000ffffffff
[ 32.962508] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 32.970314] page dumped because: kasan: bad access detected
[ 32.975869]
[ 32.977345] Memory state around the buggy address:
[ 32.982125]  ffff000802440180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.989328]  ffff000802440200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.996532] >ffff000802440280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.003734]                    ^
[ 33.006949]  ffff000802440300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 33.014153]  ffff000802440380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.021356] ==================================================================
```
qemu-arm64:

```
[ 19.869146] ==================================================================
[ 19.869235] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 19.869319] Read of size 1 at addr fff00000c3ef33c0 by task kunit_try_catch/218
[ 19.869386]
[ 19.869428] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B W N 6.15.1-rc1 #1 PREEMPT
[ 19.869557] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 19.869588] Hardware name: linux,dummy-virt (DT)
[ 19.869622] Call trace:
[ 19.869648]  show_stack+0x20/0x38 (C)
[ 19.869705]  dump_stack_lvl+0x8c/0xd0
[ 19.869759]  print_report+0x118/0x608
[ 19.869807]  kasan_report+0xdc/0x128
[ 19.869851]  __kasan_check_byte+0x54/0x70
[ 19.869899]  kmem_cache_destroy+0x34/0x218
[ 19.869949]  kmem_cache_double_destroy+0x174/0x300
[ 19.870003]  kunit_try_run_case+0x170/0x3f0
[ 19.870055]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.870114]  kthread+0x328/0x630
[ 19.870163]  ret_from_fork+0x10/0x20
[ 19.870216]
[ 19.870236] Allocated by task 218:
[ 19.870268]  kasan_save_stack+0x3c/0x68
[ 19.870310]  kasan_save_track+0x20/0x40
[ 19.870386]  kasan_save_alloc_info+0x40/0x58
[ 19.870429]  __kasan_slab_alloc+0xa8/0xb0
[ 19.870468]  kmem_cache_alloc_noprof+0x10c/0x398
[ 19.870510]  __kmem_cache_create_args+0x178/0x280
[ 19.870557]  kmem_cache_double_destroy+0xc0/0x300
[ 19.870601]  kunit_try_run_case+0x170/0x3f0
[ 19.870640]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.870688]  kthread+0x328/0x630
[ 19.870726]  ret_from_fork+0x10/0x20
[ 19.870765]
[ 19.870785] Freed by task 218:
[ 19.870830]  kasan_save_stack+0x3c/0x68
[ 19.870870]  kasan_save_track+0x20/0x40
[ 19.870907]  kasan_save_free_info+0x4c/0x78
[ 19.870948]  __kasan_slab_free+0x6c/0x98
[ 19.870987]  kmem_cache_free+0x260/0x468
[ 19.871029]  slab_kmem_cache_release+0x38/0x50
[ 19.871071]  kmem_cache_release+0x1c/0x30
[ 19.871114]  kobject_put+0x17c/0x420
[ 19.871153]  sysfs_slab_release+0x1c/0x30
[ 19.871192]  kmem_cache_destroy+0x118/0x218
[ 19.871230]  kmem_cache_double_destroy+0x128/0x300
[ 19.871276]  kunit_try_run_case+0x170/0x3f0
[ 19.871315]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.871463]  kthread+0x328/0x630
[ 19.871545]  ret_from_fork+0x10/0x20
[ 19.871582]
[ 19.871603] The buggy address belongs to the object at fff00000c3ef33c0
[ 19.871603]  which belongs to the cache kmem_cache of size 208
[ 19.871663] The buggy address is located 0 bytes inside of
[ 19.871663]  freed 208-byte region [fff00000c3ef33c0, fff00000c3ef3490)
[ 19.871726]
[ 19.871749] The buggy address belongs to the physical page:
[ 19.871785] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ef3
[ 19.871840] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.871895] page_type: f5(slab)
[ 19.871940] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[ 19.871991] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 19.872032] page dumped because: kasan: bad access detected
[ 19.872063]
[ 19.872083] Memory state around the buggy address:
[ 19.872119]  fff00000c3ef3280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.872165]  fff00000c3ef3300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 19.872209] >fff00000c3ef3380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 19.872249]                                            ^
[ 19.872285]  fff00000c3ef3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.872328]  fff00000c3ef3480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.872378] ==================================================================
```
qemu-x86_64:

```
[ 17.653517] ==================================================================
[ 17.654045] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[ 17.654366] Read of size 1 at addr ffff88810150cdc0 by task kunit_try_catch/236
[ 17.654889]
[ 17.655135] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary)
[ 17.655795] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.655841] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 17.655903] Call Trace:
[ 17.655930]  <TASK>
[ 17.655977]  dump_stack_lvl+0x73/0xb0
[ 17.656056]  print_report+0xd1/0x650
[ 17.656099]  ? __virt_addr_valid+0x1db/0x2d0
[ 17.656164]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 17.656215]  ? kasan_complete_mode_report_info+0x64/0x200
[ 17.656259]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 17.656300]  kasan_report+0x141/0x180
[ 17.656345]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 17.656396]  ? kmem_cache_double_destroy+0x1bf/0x380
[ 17.656438]  __kasan_check_byte+0x3d/0x50
[ 17.656489]  kmem_cache_destroy+0x25/0x1d0
[ 17.656550]  kmem_cache_double_destroy+0x1bf/0x380
[ 17.656599]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[ 17.656646]  ? finish_task_switch.isra.0+0x153/0x700
[ 17.656697]  ? __switch_to+0x5d9/0xf60
[ 17.656733]  ? dequeue_task_fair+0x166/0x4e0
[ 17.656801]  ? __pfx_read_tsc+0x10/0x10
[ 17.656841]  ? ktime_get_ts64+0x86/0x230
[ 17.656897]  kunit_try_run_case+0x1a5/0x480
[ 17.656947]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.656985]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 17.657036]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 17.657089]  ? __kthread_parkme+0x82/0x180
[ 17.657134]  ? preempt_count_sub+0x50/0x80
[ 17.657184]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.657233]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.657284]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 17.657327]  kthread+0x337/0x6f0
[ 17.657364]  ? trace_preempt_on+0x20/0xc0
[ 17.657419]  ? __pfx_kthread+0x10/0x10
[ 17.657458]  ? _raw_spin_unlock_irq+0x47/0x80
[ 17.657495]  ? calculate_sigpending+0x7b/0xa0
[ 17.657534]  ? __pfx_kthread+0x10/0x10
[ 17.657563]  ret_from_fork+0x41/0x80
[ 17.657599]  ? __pfx_kthread+0x10/0x10
[ 17.657627]  ret_from_fork_asm+0x1a/0x30
[ 17.657682]  </TASK>
[ 17.657707]
[ 17.673262] Allocated by task 236:
[ 17.673937]  kasan_save_stack+0x45/0x70
[ 17.674556]  kasan_save_track+0x18/0x40
[ 17.674767]  kasan_save_alloc_info+0x3b/0x50
[ 17.675454]  __kasan_slab_alloc+0x91/0xa0
[ 17.676135]  kmem_cache_alloc_noprof+0x123/0x3f0
[ 17.676726]  __kmem_cache_create_args+0x169/0x240
[ 17.677756]  kmem_cache_double_destroy+0xd5/0x380
[ 17.678065]  kunit_try_run_case+0x1a5/0x480
[ 17.678634]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.678969]  kthread+0x337/0x6f0
[ 17.679204]  ret_from_fork+0x41/0x80
[ 17.679721]  ret_from_fork_asm+0x1a/0x30
[ 17.680528]
[ 17.680723] Freed by task 236:
[ 17.681025]  kasan_save_stack+0x45/0x70
[ 17.681701]  kasan_save_track+0x18/0x40
[ 17.681988]  kasan_save_free_info+0x3f/0x60
[ 17.682359]  __kasan_slab_free+0x56/0x70
[ 17.682602]  kmem_cache_free+0x249/0x420
[ 17.682947]  slab_kmem_cache_release+0x2e/0x40
[ 17.683212]  kmem_cache_release+0x16/0x20
[ 17.683422]  kobject_put+0x181/0x450
[ 17.683996]  sysfs_slab_release+0x16/0x20
[ 17.684549]  kmem_cache_destroy+0xf0/0x1d0
[ 17.685022]  kmem_cache_double_destroy+0x14e/0x380
[ 17.685984]  kunit_try_run_case+0x1a5/0x480
[ 17.686529]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.687091]  kthread+0x337/0x6f0
[ 17.687364]  ret_from_fork+0x41/0x80
[ 17.687857]  ret_from_fork_asm+0x1a/0x30
[ 17.688185]
[ 17.688315] The buggy address belongs to the object at ffff88810150cdc0
[ 17.688315]  which belongs to the cache kmem_cache of size 208
[ 17.689163] The buggy address is located 0 bytes inside of
[ 17.689163]  freed 208-byte region [ffff88810150cdc0, ffff88810150ce90)
[ 17.691030]
[ 17.691213] The buggy address belongs to the physical page:
[ 17.691450] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10150c
[ 17.691831] flags: 0x200000000000000(node=0|zone=2)
[ 17.692077] page_type: f5(slab)
[ 17.692811] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[ 17.693624] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 17.694172] page dumped because: kasan: bad access detected
[ 17.694416]
[ 17.694607] Memory state around the buggy address:
[ 17.695034]  ffff88810150cc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.695488]  ffff88810150cd00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 17.696202] >ffff88810150cd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 17.697170]                                            ^
[ 17.697591]  ffff88810150ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.698009]  ffff88810150ce80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.698493] ==================================================================
```