Date
July 10, 2025, 6:10 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |

qemu-arm64:

```
[   18.216621] ==================================================================
[   18.216705] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300
[   18.216782] Read of size 1 at addr fff00000c3e02780 by task kunit_try_catch/215
[   18.216833]
[   18.216878] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[   18.216966] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.216993] Hardware name: linux,dummy-virt (DT)
[   18.217026] Call trace:
[   18.217051]  show_stack+0x20/0x38 (C)
[   18.217106]  dump_stack_lvl+0x8c/0xd0
[   18.217157]  print_report+0x118/0x608
[   18.217204]  kasan_report+0xdc/0x128
[   18.217250]  __kasan_check_byte+0x54/0x70
[   18.217299]  kmem_cache_destroy+0x34/0x218
[   18.217364]  kmem_cache_double_destroy+0x174/0x300
[   18.217414]  kunit_try_run_case+0x170/0x3f0
[   18.217466]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.217521]  kthread+0x328/0x630
[   18.217565]  ret_from_fork+0x10/0x20
[   18.217615]
[   18.217634] Allocated by task 215:
[   18.217665]  kasan_save_stack+0x3c/0x68
[   18.217708]  kasan_save_track+0x20/0x40
[   18.217747]  kasan_save_alloc_info+0x40/0x58
[   18.217788]  __kasan_slab_alloc+0xa8/0xb0
[   18.217827]  kmem_cache_alloc_noprof+0x10c/0x398
[   18.217871]  __kmem_cache_create_args+0x178/0x280
[   18.217912]  kmem_cache_double_destroy+0xc0/0x300
[   18.217955]  kunit_try_run_case+0x170/0x3f0
[   18.217994]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.218040]  kthread+0x328/0x630
[   18.218075]  ret_from_fork+0x10/0x20
[   18.218113]
[   18.218131] Freed by task 215:
[   18.218158]  kasan_save_stack+0x3c/0x68
[   18.218197]  kasan_save_track+0x20/0x40
[   18.218235]  kasan_save_free_info+0x4c/0x78
[   18.218275]  __kasan_slab_free+0x6c/0x98
[   18.218314]  kmem_cache_free+0x260/0x468
[   18.218364]  slab_kmem_cache_release+0x38/0x50
[   18.218403]  kmem_cache_release+0x1c/0x30
[   18.218440]  kobject_put+0x17c/0x420
[   18.218477]  sysfs_slab_release+0x1c/0x30
[   18.218514]  kmem_cache_destroy+0x118/0x218
[   18.218552]  kmem_cache_double_destroy+0x128/0x300
[   18.218593]  kunit_try_run_case+0x170/0x3f0
[   18.218631]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.218676]  kthread+0x328/0x630
[   18.218708]  ret_from_fork+0x10/0x20
[   18.218745]
[   18.218764] The buggy address belongs to the object at fff00000c3e02780
[   18.218764]  which belongs to the cache kmem_cache of size 208
[   18.218820] The buggy address is located 0 bytes inside of
[   18.218820]  freed 208-byte region [fff00000c3e02780, fff00000c3e02850)
[   18.218880]
[   18.218903] The buggy address belongs to the physical page:
[   18.218936] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103e02
[   18.218991] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.219044] page_type: f5(slab)
[   18.219086] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000
[   18.219135] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   18.219176] page dumped because: kasan: bad access detected
[   18.219207]
[   18.219227] Memory state around the buggy address:
[   18.219260]  fff00000c3e02680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.219303]  fff00000c3e02700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.219359] >fff00000c3e02780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.219397]                    ^
[   18.219430]  fff00000c3e02800: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   18.219473]  fff00000c3e02880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.219511] ==================================================================
```

qemu-x86_64:

```
[   13.331703] ==================================================================
[   13.332331] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   13.332654] Read of size 1 at addr ffff8881027a4140 by task kunit_try_catch/232
[   13.332936]
[   13.333241] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[   13.333317] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.333330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.333351] Call Trace:
[   13.333363]  <TASK>
[   13.333380]  dump_stack_lvl+0x73/0xb0
[   13.333413]  print_report+0xd1/0x650
[   13.333435]  ? __virt_addr_valid+0x1db/0x2d0
[   13.333481]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.333506]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.333529]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.333554]  kasan_report+0x141/0x180
[   13.333575]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.333603]  ? kmem_cache_double_destroy+0x1bf/0x380
[   13.333629]  __kasan_check_byte+0x3d/0x50
[   13.333650]  kmem_cache_destroy+0x25/0x1d0
[   13.333675]  kmem_cache_double_destroy+0x1bf/0x380
[   13.333700]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   13.333743]  ? finish_task_switch.isra.0+0x153/0x700
[   13.333768]  ? __switch_to+0x47/0xf50
[   13.333796]  ? __pfx_read_tsc+0x10/0x10
[   13.333818]  ? ktime_get_ts64+0x86/0x230
[   13.333842]  kunit_try_run_case+0x1a5/0x480
[   13.333868]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.333890]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.333915]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.333957]  ? __kthread_parkme+0x82/0x180
[   13.334000]  ? preempt_count_sub+0x50/0x80
[   13.334024]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.334060]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.334085]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.334111]  kthread+0x337/0x6f0
[   13.334129]  ? trace_preempt_on+0x20/0xc0
[   13.334152]  ? __pfx_kthread+0x10/0x10
[   13.334172]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.334194]  ? calculate_sigpending+0x7b/0xa0
[   13.334217]  ? __pfx_kthread+0x10/0x10
[   13.334239]  ret_from_fork+0x116/0x1d0
[   13.334258]  ? __pfx_kthread+0x10/0x10
[   13.334277]  ret_from_fork_asm+0x1a/0x30
[   13.334309]  </TASK>
[   13.334319]
[   13.345357] Allocated by task 232:
[   13.345531]  kasan_save_stack+0x45/0x70
[   13.345966]  kasan_save_track+0x18/0x40
[   13.346315]  kasan_save_alloc_info+0x3b/0x50
[   13.346519]  __kasan_slab_alloc+0x91/0xa0
[   13.346701]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.347196]  __kmem_cache_create_args+0x169/0x240
[   13.347391]  kmem_cache_double_destroy+0xd5/0x380
[   13.347849]  kunit_try_run_case+0x1a5/0x480
[   13.348236]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.348490]  kthread+0x337/0x6f0
[   13.348901]  ret_from_fork+0x116/0x1d0
[   13.349179]  ret_from_fork_asm+0x1a/0x30
[   13.349578]
[   13.349776] Freed by task 232:
[   13.349906]  kasan_save_stack+0x45/0x70
[   13.351475]  kasan_save_track+0x18/0x40
[   13.352139]  kasan_save_free_info+0x3f/0x60
[   13.352691]  __kasan_slab_free+0x56/0x70
[   13.353154]  kmem_cache_free+0x249/0x420
[   13.353408]  slab_kmem_cache_release+0x2e/0x40
[   13.353618]  kmem_cache_release+0x16/0x20
[   13.353780]  kobject_put+0x181/0x450
[   13.353980]  sysfs_slab_release+0x16/0x20
[   13.354638]  kmem_cache_destroy+0xf0/0x1d0
[   13.354867]  kmem_cache_double_destroy+0x14e/0x380
[   13.355338]  kunit_try_run_case+0x1a5/0x480
[   13.355626]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.356050]  kthread+0x337/0x6f0
[   13.356333]  ret_from_fork+0x116/0x1d0
[   13.356639]  ret_from_fork_asm+0x1a/0x30
[   13.357013]
[   13.357131] The buggy address belongs to the object at ffff8881027a4140
[   13.357131]  which belongs to the cache kmem_cache of size 208
[   13.357601] The buggy address is located 0 bytes inside of
[   13.357601]  freed 208-byte region [ffff8881027a4140, ffff8881027a4210)
[   13.358422]
[   13.358517] The buggy address belongs to the physical page:
[   13.358756] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027a4
[   13.359230] flags: 0x200000000000000(node=0|zone=2)
[   13.359611] page_type: f5(slab)
[   13.359759] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000
[   13.360353] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   13.360680] page dumped because: kasan: bad access detected
[   13.361109]
[   13.361201] Memory state around the buggy address:
[   13.361398]  ffff8881027a4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.361678]  ffff8881027a4080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   13.362063] >ffff8881027a4100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   13.362304]                                            ^
[   13.362730]  ffff8881027a4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.363007]  ffff8881027a4200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.363415] ==================================================================
```