Date
June 17, 2025, 3:39 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (Hardware name: linux,dummy-virt):

```
[   94.381875] ==================================================================
[   94.383938] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0xd0/0x1b8
[   94.385221] Read of size 1 at addr ffff0000c60b4000 by task kunit_try_catch/199
[   94.386265]
[   94.386809] CPU: 1 PID: 199 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[   94.388455] Hardware name: linux,dummy-virt (DT)
[   94.389329] Call trace:
[   94.389826]  dump_backtrace+0x9c/0x128
[   94.391251]  show_stack+0x20/0x38
[   94.392295]  dump_stack_lvl+0x60/0xb0
[   94.393066]  print_report+0xf8/0x5e8
[   94.394374]  kasan_report+0xdc/0x128
[   94.395749]  __kasan_check_byte+0x54/0x70
[   94.397018]  kmem_cache_destroy+0x30/0x178
[   94.397718]  kmem_cache_double_destroy+0xd0/0x1b8
[   94.398129]  kunit_try_run_case+0x114/0x298
[   94.399078]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.400112]  kthread+0x18c/0x1a8
[   94.401318]  ret_from_fork+0x10/0x20
[   94.402201]
[   94.402677] Allocated by task 199:
[   94.403668]  kasan_save_stack+0x3c/0x68
[   94.404606]  kasan_set_track+0x2c/0x40
[   94.405498]  kasan_save_alloc_info+0x24/0x38
[   94.406325]  __kasan_slab_alloc+0xa8/0xb0
[   94.407272]  kmem_cache_alloc+0x138/0x330
[   94.408275]  kmem_cache_create_usercopy+0x170/0x260
[   94.409386]  kmem_cache_create+0x24/0x38
[   94.410247]  kmem_cache_double_destroy+0xa4/0x1b8
[   94.411376]  kunit_try_run_case+0x114/0x298
[   94.412462]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.413670]  kthread+0x18c/0x1a8
[   94.414381]  ret_from_fork+0x10/0x20
[   94.415379]
[   94.415886] Freed by task 199:
[   94.416571]  kasan_save_stack+0x3c/0x68
[   94.417577]  kasan_set_track+0x2c/0x40
[   94.418397]  kasan_save_free_info+0x38/0x60
[   94.419419]  __kasan_slab_free+0x100/0x170
[   94.420448]  kmem_cache_free+0x18c/0x3f8
[   94.421474]  slab_kmem_cache_release+0x38/0x50
[   94.422406]  kmem_cache_release+0x1c/0x30
[   94.423434]  kobject_put+0x104/0x2c0
[   94.424271]  sysfs_slab_release+0x30/0x48
[   94.425281]  kmem_cache_destroy+0xd8/0x178
[   94.426170]  kmem_cache_double_destroy+0xc0/0x1b8
[   94.427469]  kunit_try_run_case+0x114/0x298
[   94.428487]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.429566]  kthread+0x18c/0x1a8
[   94.430298]  ret_from_fork+0x10/0x20
[   94.431134]
[   94.431817] The buggy address belongs to the object at ffff0000c60b4000
[   94.431817]  which belongs to the cache kmem_cache of size 208
[   94.433724] The buggy address is located 0 bytes inside of
[   94.433724]  freed 208-byte region [ffff0000c60b4000, ffff0000c60b40d0)
[   94.435574]
[   94.436111] The buggy address belongs to the physical page:
[   94.437214] page:00000000a8e1fee1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060b4
[   94.438587] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   94.439859] page_type: 0xffffffff()
[   94.440672] raw: 0bfffc0000000800 ffff0000c0001000 dead000000000122 0000000000000000
[   94.441940] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   94.443250] page dumped because: kasan: bad access detected
[   94.444222]
[   94.444733] Memory state around the buggy address:
[   94.445680]  ffff0000c60b3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   94.446965]  ffff0000c60b3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   94.448139] >ffff0000c60b4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   94.449069]                    ^
[   94.449813]  ffff0000c60b4080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   94.451139]  ffff0000c60b4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.452442] ==================================================================
```
qemu-x86_64 (Hardware name: QEMU Standard PC):

```
[   35.380011] ==================================================================
[   35.381264] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0xce/0x1d0
[   35.381967] Read of size 1 at addr ffff888101b028c0 by task kunit_try_catch/214
[   35.382947]
[   35.383073] CPU: 1 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[   35.383453] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   35.383836] Call Trace:
[   35.383995]  <TASK>
[   35.384135]  dump_stack_lvl+0x4e/0x90
[   35.384414]  print_report+0xd2/0x650
[   35.384628]  ? __virt_addr_valid+0x156/0x1e0
[   35.385470]  ? kmem_cache_double_destroy+0xce/0x1d0
[   35.385825]  ? kasan_complete_mode_report_info+0x64/0x200
[   35.386188]  ? kmem_cache_double_destroy+0xce/0x1d0
[   35.386696]  kasan_report+0x147/0x180
[   35.387054]  ? kmem_cache_double_destroy+0xce/0x1d0
[   35.387497]  ? kmem_cache_double_destroy+0xce/0x1d0
[   35.388001]  __kasan_check_byte+0x3d/0x50
[   35.388328]  kmem_cache_destroy+0x25/0x170
[   35.388754]  kmem_cache_double_destroy+0xce/0x1d0
[   35.389134]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   35.389723]  ? __schedule+0x715/0x11a0
[   35.390083]  ? ktime_get_ts64+0x118/0x140
[   35.390755]  kunit_try_run_case+0x120/0x290
[   35.391124]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.391616]  ? __kasan_check_write+0x18/0x20
[   35.391988]  ? trace_preempt_on+0x20/0xa0
[   35.392322]  ? __kthread_parkme+0x4f/0xd0
[   35.392760]  ? preempt_count_sub+0x50/0x80
[   35.393125]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.393694]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   35.394169]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.394933]  kthread+0x19e/0x1e0
[   35.395261]  ? __pfx_kthread+0x10/0x10
[   35.395688]  ret_from_fork+0x41/0x70
[   35.396055]  ? __pfx_kthread+0x10/0x10
[   35.396513]  ret_from_fork_asm+0x1b/0x30
[   35.396852]  </TASK>
[   35.397083]
[   35.397256] Allocated by task 214:
[   35.397644]  kasan_save_stack+0x44/0x70
[   35.398002]  kasan_set_track+0x29/0x40
[   35.398313]  kasan_save_alloc_info+0x22/0x30
[   35.399037]  __kasan_slab_alloc+0x91/0xa0
[   35.399302]  kmem_cache_alloc+0x186/0x3b0
[   35.399743]  kmem_cache_create_usercopy+0x13e/0x230
[   35.400103]  kmem_cache_create+0x1a/0x20
[   35.400506]  kmem_cache_double_destroy+0x97/0x1d0
[   35.400885]  kunit_try_run_case+0x120/0x290
[   35.401252]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.401747]  kthread+0x19e/0x1e0
[   35.402054]  ret_from_fork+0x41/0x70
[   35.402353]  ret_from_fork_asm+0x1b/0x30
[   35.402939]
[   35.403064] Freed by task 214:
[   35.403285]  kasan_save_stack+0x44/0x70
[   35.403774]  kasan_set_track+0x29/0x40
[   35.404093]  kasan_save_free_info+0x2f/0x50
[   35.404502]  ____kasan_slab_free+0x172/0x1d0
[   35.404869]  __kasan_slab_free+0x16/0x20
[   35.405143]  kmem_cache_free+0x1a7/0x4b0
[   35.405583]  slab_kmem_cache_release+0x2e/0x40
[   35.405998]  kmem_cache_release+0x16/0x20
[   35.406283]  kobject_put+0xf6/0x250
[   35.406665]  sysfs_slab_release+0x24/0x30
[   35.406977]  kmem_cache_destroy+0xd2/0x170
[   35.407305]  kmem_cache_double_destroy+0xb7/0x1d0
[   35.407946]  kunit_try_run_case+0x120/0x290
[   35.408227]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.408601]  kthread+0x19e/0x1e0
[   35.409003]  ret_from_fork+0x41/0x70
[   35.409235]  ret_from_fork_asm+0x1b/0x30
[   35.409686]
[   35.409819] The buggy address belongs to the object at ffff888101b028c0
[   35.409819]  which belongs to the cache kmem_cache of size 208
[   35.410720] The buggy address is located 0 bytes inside of
[   35.410720]  freed 208-byte region [ffff888101b028c0, ffff888101b02990)
[   35.411451]
[   35.411769] The buggy address belongs to the physical page:
[   35.412282] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b02
[   35.412975] flags: 0x200000000000800(slab|node=0|zone=2)
[   35.413472] page_type: 0xffffffff()
[   35.413829] raw: 0200000000000800 ffff888100041000 dead000000000122 0000000000000000
[   35.414310] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   35.414844] page dumped because: kasan: bad access detected
[   35.415208]
[   35.415333] Memory state around the buggy address:
[   35.415851]  ffff888101b02780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.416240]  ffff888101b02800: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   35.416878] >ffff888101b02880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   35.417330]                                            ^
[   35.417922]  ffff888101b02900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.418510]  ffff888101b02980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.419062] ==================================================================
```
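A small triage helper for reports like the two above, added here as an example; it is not part of the page, the KUnit harness, or the kernel. It assumes generic KASAN (one shadow byte per 8-byte granule; the shadow byte meanings are the ones I know from mm/kasan/kasan.h, not something the page states), and it runs over a shortened copy of the qemu-arm64 report as constructed input. It pulls out the bug class and blamed function, the allocation and free stacks with KASAN's own bookkeeping frames dropped, the freed region, and the shadow byte the caret points at, then cross-checks that the headline, the region and the poison byte agree.

```python
"""Triage helper for generic-KASAN slab reports (added example, not the page's own tooling)."""
import re
from dataclasses import dataclass, field

GRANULE = 8  # generic KASAN: one shadow byte per 8-byte granule (assumption: not a tag-based mode)
SHADOW_MEANING = {  # values as defined in mm/kasan/kasan.h
    0x00: "addressable",
    0xFA: "freed slab object (free-track bytes at object start)",
    0xFB: "freed slab object",
    0xFC: "slab redzone",
}
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+/\d+)")
_REGION = re.compile(r"freed (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
_SHADOW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2}\s?){16})")  # '>' marks the shadow line holding the access
_FRAME = re.compile(r"^\s*\??\s*(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    region: tuple = (0, 0)
    shadow_byte: int = -1
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

def first_non_kasan(stack):
    """Blame frame: the first frame that is not KASAN's own bookkeeping."""
    return next((f for f in stack if "kasan" not in f), None)

def parse_kasan_report(text):
    r, section = KasanReport(), None  # section: the stack list currently being filled
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        if not line.strip():  # a blank line ends an alloc/free stack
            section = None
        elif m := _BUG.search(line):
            r.bug, r.func = m.group(1), m.group(2)
        elif m := _ACCESS.search(line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif line.startswith("Allocated by task"):
            section = r.alloc_stack
        elif line.startswith("Freed by task"):
            section = r.free_stack
        elif m := _REGION.search(line):
            r.region = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := _SHADOW.match(line):
            idx = (r.addr - int(m.group(1), 16)) // GRANULE  # which granule the access hit
            shadow = [int(b, 16) for b in m.group(2).split()]
            if 0 <= idx < len(shadow):
                r.shadow_byte = shadow[idx]
        elif section is not None and (m := _FRAME.match(line)):
            section.append(m.group(1))
    return r

def summarize(r):
    """Cross-check the headline against the freed region and the shadow byte."""
    in_region = r.region[0] <= r.addr < r.region[1]
    return {
        "bug": r.bug,
        "func": r.func,
        "access": f"{r.access} of size {r.size} by {r.task}",
        "object_size": r.region[1] - r.region[0],
        "offset_in_object": r.addr - r.region[0] if in_region else None,
        "shadow": SHADOW_MEANING.get(r.shadow_byte, "unknown"),
        "alloc_blame": first_non_kasan(r.alloc_stack),
        "free_blame": first_non_kasan(r.free_stack),
        # A genuine slab UAF hits inside the freed region and sees a freed poison byte.
        "consistent": r.bug == "slab-use-after-free" and in_region and r.shadow_byte in (0xFA, 0xFB),
    }

# Shortened copy of the qemu-arm64 report above, used as constructed test input.
SAMPLE = """\
[   94.383938] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0xd0/0x1b8
[   94.385221] Read of size 1 at addr ffff0000c60b4000 by task kunit_try_catch/199
[   94.386265]
[   94.402677] Allocated by task 199:
[   94.403668]  kasan_save_stack+0x3c/0x68
[   94.406325]  __kasan_slab_alloc+0xa8/0xb0
[   94.407272]  kmem_cache_alloc+0x138/0x330
[   94.410247]  kmem_cache_double_destroy+0xa4/0x1b8
[   94.415379]
[   94.415886] Freed by task 199:
[   94.416571]  kasan_save_stack+0x3c/0x68
[   94.419419]  __kasan_slab_free+0x100/0x170
[   94.420448]  kmem_cache_free+0x18c/0x3f8
[   94.426170]  kmem_cache_double_destroy+0xc0/0x1b8
[   94.431134]
[   94.433724]  freed 208-byte region [ffff0000c60b4000, ffff0000c60b40d0)
[   94.448139] >ffff0000c60b4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   94.449069]                    ^
"""
```

`summarize(parse_kasan_report(SAMPLE))` reports a 1-byte read at offset 0 of a freed 208-byte `kmem_cache` object whose first shadow byte is 0xfa, with `kmem_cache_alloc` and `kmem_cache_free` as the blamed frames once the `kasan_*` frames are dropped, and `consistent` set. Note that for these two logs a consistent verdict is the expected outcome, not a regression: `kmem_cache_double_destroy` is the KASAN KUnit test that deliberately destroys a freshly created cache twice and expects KASAN to flag the second `kmem_cache_destroy`, which is exactly what both reports show. The helper is for the reports you did not expect.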