Date
Feb. 5, 2025, 2:09 p.m.
| Environment | |
|---|---|
| qemu-armv7 | |
| qemu-x86_64 |
[ 147.012219] ================================================================== [ 147.013276] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0xd0/0x1cc [ 147.014079] Read of size 1 at addr c8919900 by task kunit_try_catch/193 [ 147.014757] [ 147.015109] CPU: 1 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1 [ 147.016042] Hardware name: Generic DT based system [ 147.017358] unwind_backtrace from show_stack+0x18/0x1c [ 147.018069] show_stack from dump_stack_lvl+0x58/0x70 [ 147.018889] dump_stack_lvl from print_report+0x164/0x51c [ 147.019622] print_report from kasan_report+0xc8/0x104 [ 147.020236] kasan_report from __kasan_check_byte+0x34/0x3c [ 147.021147] __kasan_check_byte from kmem_cache_destroy+0x24/0x150 [ 147.021986] kmem_cache_destroy from kmem_cache_double_destroy+0xd0/0x1cc [ 147.022857] kmem_cache_double_destroy from kunit_try_run_case+0x11c/0x2e4 [ 147.023877] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48 [ 147.024850] kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8 [ 147.025841] kthread from ret_from_fork+0x14/0x30 [ 147.026524] Exception stack(0xfa0cbfb0 to 0xfa0cbff8) [ 147.026962] bfa0: 00000000 00000000 00000000 00000000 [ 147.028092] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 147.029119] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 147.029757] [ 147.030045] Allocated by task 193: [ 147.030486] kasan_set_track+0x3c/0x5c [ 147.031106] __kasan_slab_alloc+0x60/0x68 [ 147.031693] kmem_cache_alloc+0x1dc/0x574 [ 147.032262] kmem_cache_create_usercopy+0x160/0x2a8 [ 147.033023] kmem_cache_create+0x28/0x30 [ 147.033572] kmem_cache_double_destroy+0xa0/0x1cc [ 147.034199] kunit_try_run_case+0x11c/0x2e4 [ 147.034666] kunit_generic_run_threadfn_adapter+0x2c/0x48 [ 147.035432] kthread+0x184/0x1a8 [ 147.036040] ret_from_fork+0x14/0x30 [ 147.036723] [ 147.036999] Freed by task 193: [ 147.037587] kasan_set_track+0x3c/0x5c [ 147.038309] kasan_save_free_info+0x30/0x3c [ 147.038936] __kasan_slab_free+0xdc/0x124 [ 147.039503] kmem_cache_free+0x170/0x41c [ 147.039957] kobject_put+0xfc/0x320 [ 147.040551] kmem_cache_double_destroy+0xbc/0x1cc [ 147.041190] kunit_try_run_case+0x11c/0x2e4 [ 147.041746] kunit_generic_run_threadfn_adapter+0x2c/0x48 [ 147.042472] kthread+0x184/0x1a8 [ 147.042948] ret_from_fork+0x14/0x30 [ 147.043461] [ 147.043717] The buggy address belongs to the object at c8919900 [ 147.043717] which belongs to the cache kmem_cache of size 132 [ 147.044962] The buggy address is located 0 bytes inside of [ 147.044962] freed 132-byte region [c8919900, c8919984) [ 147.046543] [ 147.046782] The buggy address belongs to the physical page: [ 147.047341] page:190a4671 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48919 [ 147.048256] flags: 0x800(slab|zone=0) [ 147.048742] page_type: 0xffffffff() [ 147.049200] raw: 00000800 c4801000 00000122 00000000 00000000 80100010 ffffffff 00000001 [ 147.050178] raw: 00000000 [ 147.050602] page dumped because: kasan: bad access detected [ 147.051238] [ 147.051526] Memory state around the buggy address: [ 147.052027] c8919800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 147.052779] c8919880: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 147.053457] >c8919900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 147.054234] ^ [ 147.054572] c8919980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 147.055366] c8919a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 147.056126] ==================================================================
[ 50.023535] ================================================================== [ 50.024623] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0xce/0x1d0 [ 50.025935] Read of size 1 at addr ffff888101ce1c80 by task kunit_try_catch/216 [ 50.027513] [ 50.027950] CPU: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1 [ 50.029034] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 50.030136] Call Trace: [ 50.030400] <TASK> [ 50.030813] dump_stack_lvl+0x4e/0x90 [ 50.031480] print_report+0xd2/0x660 [ 50.032119] ? __virt_addr_valid+0x156/0x1e0 [ 50.032686] ? kasan_complete_mode_report_info+0x64/0x200 [ 50.033667] kasan_report+0xff/0x140 [ 50.034270] ? kmem_cache_double_destroy+0xce/0x1d0 [ 50.035494] ? kmem_cache_double_destroy+0xce/0x1d0 [ 50.036464] ? kmem_cache_double_destroy+0xce/0x1d0 [ 50.037253] __kasan_check_byte+0x3d/0x50 [ 50.037974] kmem_cache_destroy+0x25/0x170 [ 50.038766] kmem_cache_double_destroy+0xce/0x1d0 [ 50.039348] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 50.040035] ? __schedule+0x70b/0x1190 [ 50.041080] ? ktime_get_ts64+0x118/0x140 [ 50.041665] kunit_try_run_case+0x126/0x290 [ 50.042397] ? __pfx_kunit_try_run_case+0x10/0x10 [ 50.043163] ? __kasan_check_write+0x18/0x20 [ 50.043968] ? trace_preempt_on+0x20/0xa0 [ 50.044657] ? __kthread_parkme+0x4f/0xd0 [ 50.045366] ? preempt_count_sub+0x50/0x80 [ 50.046162] ? __pfx_kunit_try_run_case+0x10/0x10 [ 50.047082] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 50.047766] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 50.048656] kthread+0x19e/0x1e0 [ 50.049080] ? __pfx_kthread+0x10/0x10 [ 50.049650] ret_from_fork+0x41/0x70 [ 50.050633] ? __pfx_kthread+0x10/0x10 [ 50.051504] ret_from_fork_asm+0x1b/0x30 [ 50.052278] </TASK> [ 50.052676] [ 50.052979] Allocated by task 216: [ 50.053562] kasan_save_stack+0x3c/0x60 [ 50.054119] kasan_set_track+0x29/0x40 [ 50.054788] kasan_save_alloc_info+0x22/0x30 [ 50.055522] __kasan_slab_alloc+0x91/0xa0 [ 50.056098] kmem_cache_alloc+0x180/0x3b0 [ 50.056943] kmem_cache_create_usercopy+0x13e/0x230 [ 50.057567] kmem_cache_create+0x1a/0x20 [ 50.058369] kmem_cache_double_destroy+0x97/0x1d0 [ 50.059153] kunit_try_run_case+0x126/0x290 [ 50.059616] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 50.060758] kthread+0x19e/0x1e0 [ 50.061432] ret_from_fork+0x41/0x70 [ 50.062279] ret_from_fork_asm+0x1b/0x30 [ 50.062851] [ 50.063099] Freed by task 216: [ 50.064183] kasan_save_stack+0x3c/0x60 [ 50.064700] kasan_set_track+0x29/0x40 [ 50.065471] kasan_save_free_info+0x2f/0x50 [ 50.066205] ____kasan_slab_free+0x172/0x1d0 [ 50.066876] __kasan_slab_free+0x16/0x20 [ 50.067760] kmem_cache_free+0x1a7/0x4b0 [ 50.068580] slab_kmem_cache_release+0x2e/0x40 [ 50.069292] kmem_cache_release+0x16/0x20 [ 50.069790] kobject_put+0xf6/0x250 [ 50.070372] sysfs_slab_release+0x24/0x30 [ 50.071290] kmem_cache_destroy+0xd2/0x170 [ 50.072012] kmem_cache_double_destroy+0xb7/0x1d0 [ 50.072921] kunit_try_run_case+0x126/0x290 [ 50.073678] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 50.074428] kthread+0x19e/0x1e0 [ 50.075414] ret_from_fork+0x41/0x70 [ 50.076223] ret_from_fork_asm+0x1b/0x30 [ 50.077017] [ 50.077297] The buggy address belongs to the object at ffff888101ce1c80 [ 50.077297] which belongs to the cache kmem_cache of size 208 [ 50.078814] The buggy address is located 0 bytes inside of [ 50.078814] freed 208-byte region [ffff888101ce1c80, ffff888101ce1d50) [ 50.080485] [ 50.081186] The buggy address belongs to the physical page: [ 50.082062] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ce1 [ 50.083279] flags: 0x200000000000800(slab|node=0|zone=2) [ 50.084312] page_type: 0xffffffff() [ 50.084847] raw: 0200000000000800 ffff888100041000 dead000000000122 0000000000000000 [ 50.085867] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 50.086781] page dumped because: kasan: bad access detected [ 50.087412] [ 50.087669] Memory state around the buggy address: [ 50.088140] ffff888101ce1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.088797] ffff888101ce1c00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.089946] >ffff888101ce1c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.090604] ^ [ 50.091166] ffff888101ce1d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 50.091795] ffff888101ce1d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.092660] ==================================================================