Date: July 4, 2025, 3:11 p.m.

| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
e850-96:

```
[ 32.727922] ==================================================================
[ 32.728110] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 32.728252] Read of size 1 at addr ffff00080179f7c0 by task kunit_try_catch/264
[ 32.731806]
[ 32.733292] CPU: 0 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 32.733348] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.733365] Hardware name: WinLink E850-96 board (DT)
[ 32.733387] Call trace:
[ 32.733402] show_stack+0x20/0x38 (C)
[ 32.733438] dump_stack_lvl+0x8c/0xd0
[ 32.733473] print_report+0x118/0x608
[ 32.733505] kasan_report+0xdc/0x128
[ 32.733532] __kasan_check_byte+0x54/0x70
[ 32.733565] kmem_cache_destroy+0x34/0x218
[ 32.733593] kmem_cache_double_destroy+0x174/0x300
[ 32.733628] kunit_try_run_case+0x170/0x3f0
[ 32.733663] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.733700] kthread+0x328/0x630
[ 32.733734] ret_from_fork+0x10/0x20
[ 32.733771]
[ 32.800035] Allocated by task 264:
[ 32.803422] kasan_save_stack+0x3c/0x68
[ 32.807238] kasan_save_track+0x20/0x40
[ 32.811057] kasan_save_alloc_info+0x40/0x58
[ 32.815310] __kasan_slab_alloc+0xa8/0xb0
[ 32.819304] kmem_cache_alloc_noprof+0x10c/0x398
[ 32.823904] __kmem_cache_create_args+0x178/0x280
[ 32.828592] kmem_cache_double_destroy+0xc0/0x300
[ 32.833279] kunit_try_run_case+0x170/0x3f0
[ 32.837447] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.842914] kthread+0x328/0x630
[ 32.846126] ret_from_fork+0x10/0x20
[ 32.849685]
[ 32.851162] Freed by task 264:
[ 32.854201] kasan_save_stack+0x3c/0x68
[ 32.858020] kasan_save_track+0x20/0x40
[ 32.861838] kasan_save_free_info+0x4c/0x78
[ 32.866004] __kasan_slab_free+0x6c/0x98
[ 32.869912] kmem_cache_free+0x260/0x468
[ 32.873817] slab_kmem_cache_release+0x38/0x50
[ 32.878244] kmem_cache_release+0x1c/0x30
[ 32.882236] kobject_put+0x17c/0x420
[ 32.885796] sysfs_slab_release+0x1c/0x30
[ 32.889789] kmem_cache_destroy+0x118/0x218
[ 32.893955] kmem_cache_double_destroy+0x128/0x300
[ 32.898730] kunit_try_run_case+0x170/0x3f0
[ 32.902897] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.908365] kthread+0x328/0x630
[ 32.911577] ret_from_fork+0x10/0x20
[ 32.915136]
[ 32.916613] The buggy address belongs to the object at ffff00080179f7c0
[ 32.916613] which belongs to the cache kmem_cache of size 208
[ 32.929027] The buggy address is located 0 bytes inside of
[ 32.929027] freed 208-byte region [ffff00080179f7c0, ffff00080179f890)
[ 32.941090]
[ 32.942570] The buggy address belongs to the physical page:
[ 32.948125] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88179e
[ 32.956109] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.963750] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.970692] page_type: f5(slab)
[ 32.973830] raw: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 32.981549] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 32.989274] head: 0bfffe0000000040 ffff000800002000 dead000000000122 0000000000000000
[ 32.997085] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[ 33.004898] head: 0bfffe0000000001 fffffdffe005e781 00000000ffffffff 00000000ffffffff
[ 33.012712] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 33.020518] page dumped because: kasan: bad access detected
[ 33.026071]
[ 33.027547] Memory state around the buggy address:
[ 33.032329]  ffff00080179f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.039530]  ffff00080179f700: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 33.046738] >ffff00080179f780: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 33.053936]                                            ^
[ 33.059234]  ffff00080179f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.066441]  ffff00080179f880: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.073642] ==================================================================
```
qemu-arm64:

```
[ 16.926908] ==================================================================
[ 16.926995] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[ 16.927071] Read of size 1 at addr fff00000c3ead8c0 by task kunit_try_catch/220
[ 16.927123]
[ 16.927165] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 16.927249] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.927278] Hardware name: linux,dummy-virt (DT)
[ 16.927312] Call trace:
[ 16.927337] show_stack+0x20/0x38 (C)
[ 16.927389] dump_stack_lvl+0x8c/0xd0
[ 16.927439] print_report+0x118/0x608
[ 16.927485] kasan_report+0xdc/0x128
[ 16.927527] __kasan_check_byte+0x54/0x70
[ 16.927572] kmem_cache_destroy+0x34/0x218
[ 16.927617] kmem_cache_double_destroy+0x174/0x300
[ 16.927683] kunit_try_run_case+0x170/0x3f0
[ 16.927732] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.927785] kthread+0x328/0x630
[ 16.927830] ret_from_fork+0x10/0x20
[ 16.927879]
[ 16.927898] Allocated by task 220:
[ 16.927927] kasan_save_stack+0x3c/0x68
[ 16.928381] kasan_save_track+0x20/0x40
[ 16.928434] kasan_save_alloc_info+0x40/0x58
[ 16.928474] __kasan_slab_alloc+0xa8/0xb0
[ 16.928509] kmem_cache_alloc_noprof+0x10c/0x398
[ 16.928550] __kmem_cache_create_args+0x178/0x280
[ 16.928587] kmem_cache_double_destroy+0xc0/0x300
[ 16.928645] kunit_try_run_case+0x170/0x3f0
[ 16.928685] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.928730] kthread+0x328/0x630
[ 16.928765] ret_from_fork+0x10/0x20
[ 16.928800]
[ 16.928822] Freed by task 220:
[ 16.928849] kasan_save_stack+0x3c/0x68
[ 16.928885] kasan_save_track+0x20/0x40
[ 16.928919] kasan_save_free_info+0x4c/0x78
[ 16.928957] __kasan_slab_free+0x6c/0x98
[ 16.928994] kmem_cache_free+0x260/0x468
[ 16.929028] slab_kmem_cache_release+0x38/0x50
[ 16.929066] kmem_cache_release+0x1c/0x30
[ 16.929104] kobject_put+0x17c/0x420
[ 16.929140] sysfs_slab_release+0x1c/0x30
[ 16.929175] kmem_cache_destroy+0x118/0x218
[ 16.929212] kmem_cache_double_destroy+0x128/0x300
[ 16.929253] kunit_try_run_case+0x170/0x3f0
[ 16.929290] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.929335] kthread+0x328/0x630
[ 16.929371] ret_from_fork+0x10/0x20
[ 16.929405]
[ 16.929424] The buggy address belongs to the object at fff00000c3ead8c0
[ 16.929424] which belongs to the cache kmem_cache of size 208
[ 16.929481] The buggy address is located 0 bytes inside of
[ 16.929481] freed 208-byte region [fff00000c3ead8c0, fff00000c3ead990)
[ 16.929541]
[ 16.929565] The buggy address belongs to the physical page:
[ 16.929598] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ead
[ 16.929665] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.929718] page_type: f5(slab)
[ 16.929758] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[ 16.929808] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 16.929849] page dumped because: kasan: bad access detected
[ 16.929882]
[ 16.929899] Memory state around the buggy address:
[ 16.929932]  fff00000c3ead780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 16.929981]  fff00000c3ead800: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 16.930023] >fff00000c3ead880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 16.930061]                                            ^
[ 16.930095]  fff00000c3ead900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.930137]  fff00000c3ead980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.930175] ==================================================================
```
qemu-x86_64:

```
[ 15.436863] ==================================================================
[ 15.437760] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[ 15.438151] Read of size 1 at addr ffff888101c20dc0 by task kunit_try_catch/236
[ 15.438758]
[ 15.438991] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 15.439099] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.439127] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.439176] Call Trace:
[ 15.439206] <TASK>
[ 15.439245] dump_stack_lvl+0x73/0xb0
[ 15.439305] print_report+0xd1/0x650
[ 15.439366] ? __virt_addr_valid+0x1db/0x2d0
[ 15.439414] ? kmem_cache_double_destroy+0x1bf/0x380
[ 15.439463] ? kasan_complete_mode_report_info+0x64/0x200
[ 15.439511] ? kmem_cache_double_destroy+0x1bf/0x380
[ 15.439561] kasan_report+0x141/0x180
[ 15.439611] ? kmem_cache_double_destroy+0x1bf/0x380
[ 15.439663] ? kmem_cache_double_destroy+0x1bf/0x380
[ 15.439700] __kasan_check_byte+0x3d/0x50
[ 15.439745] kmem_cache_destroy+0x25/0x1d0
[ 15.439793] kmem_cache_double_destroy+0x1bf/0x380
[ 15.439833] ? __pfx_kmem_cache_double_destroy+0x10/0x10
[ 15.439871] ? finish_task_switch.isra.0+0x153/0x700
[ 15.439916] ? __switch_to+0x5d9/0xf60
[ 15.439959] ? dequeue_task_fair+0x166/0x4e0
[ 15.440010] ? __pfx_read_tsc+0x10/0x10
[ 15.440046] ? ktime_get_ts64+0x86/0x230
[ 15.440132] kunit_try_run_case+0x1a5/0x480
[ 15.440187] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.440234] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 15.440286] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 15.440325] ? __kthread_parkme+0x82/0x180
[ 15.440374] ? preempt_count_sub+0x50/0x80
[ 15.440401] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.440426] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.440451] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 15.440476] kthread+0x337/0x6f0
[ 15.440495] ? trace_preempt_on+0x20/0xc0
[ 15.440521] ? __pfx_kthread+0x10/0x10
[ 15.440541] ? _raw_spin_unlock_irq+0x47/0x80
[ 15.440564] ? calculate_sigpending+0x7b/0xa0
[ 15.440589] ? __pfx_kthread+0x10/0x10
[ 15.440609] ret_from_fork+0x41/0x80
[ 15.440630] ? __pfx_kthread+0x10/0x10
[ 15.440650] ret_from_fork_asm+0x1a/0x30
[ 15.440684] </TASK>
[ 15.440698]
[ 15.450996] Allocated by task 236:
[ 15.451406] kasan_save_stack+0x45/0x70
[ 15.451822] kasan_save_track+0x18/0x40
[ 15.452254] kasan_save_alloc_info+0x3b/0x50
[ 15.452515] __kasan_slab_alloc+0x91/0xa0
[ 15.452717] kmem_cache_alloc_noprof+0x123/0x3f0
[ 15.453218] __kmem_cache_create_args+0x169/0x240
[ 15.453698] kmem_cache_double_destroy+0xd5/0x380
[ 15.454382] kunit_try_run_case+0x1a5/0x480
[ 15.454664] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.455028] kthread+0x337/0x6f0
[ 15.455513] ret_from_fork+0x41/0x80
[ 15.455953] ret_from_fork_asm+0x1a/0x30
[ 15.456562]
[ 15.456706] Freed by task 236:
[ 15.456860] kasan_save_stack+0x45/0x70
[ 15.457164] kasan_save_track+0x18/0x40
[ 15.457370] kasan_save_free_info+0x3f/0x60
[ 15.457718] __kasan_slab_free+0x56/0x70
[ 15.458033] kmem_cache_free+0x249/0x420
[ 15.458248] slab_kmem_cache_release+0x2e/0x40
[ 15.458459] kmem_cache_release+0x16/0x20
[ 15.458654] kobject_put+0x181/0x450
[ 15.458847] sysfs_slab_release+0x16/0x20
[ 15.459193] kmem_cache_destroy+0xf0/0x1d0
[ 15.459424] kmem_cache_double_destroy+0x14e/0x380
[ 15.459730] kunit_try_run_case+0x1a5/0x480
[ 15.460099] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.460447] kthread+0x337/0x6f0
[ 15.460647] ret_from_fork+0x41/0x80
[ 15.460832] ret_from_fork_asm+0x1a/0x30
[ 15.461219]
[ 15.461403] The buggy address belongs to the object at ffff888101c20dc0
[ 15.461403] which belongs to the cache kmem_cache of size 208
[ 15.462053] The buggy address is located 0 bytes inside of
[ 15.462053] freed 208-byte region [ffff888101c20dc0, ffff888101c20e90)
[ 15.462732]
[ 15.462899] The buggy address belongs to the physical page:
[ 15.463353] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c20
[ 15.463809] flags: 0x200000000000000(node=0|zone=2)
[ 15.464124] page_type: f5(slab)
[ 15.464316] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[ 15.464789] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 15.465402] page dumped because: kasan: bad access detected
[ 15.465633]
[ 15.465809] Memory state around the buggy address:
[ 15.466183]  ffff888101c20c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.466553]  ffff888101c20d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 15.467098] >ffff888101c20d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 15.467577]                                            ^
[ 15.467942]  ffff888101c20e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.468295]  ffff888101c20e80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.468721] ==================================================================
```