Date
July 18, 2025, 2:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.342554] ================================================================== [ 18.342669] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 18.342750] Read of size 1 at addr fff00000c19fbdc0 by task kunit_try_catch/215 [ 18.342801] [ 18.342859] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 18.342944] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.342972] Hardware name: linux,dummy-virt (DT) [ 18.343005] Call trace: [ 18.343029] show_stack+0x20/0x38 (C) [ 18.343081] dump_stack_lvl+0x8c/0xd0 [ 18.343131] print_report+0x118/0x5d0 [ 18.343179] kasan_report+0xdc/0x128 [ 18.343223] __kasan_check_byte+0x54/0x70 [ 18.343270] kmem_cache_destroy+0x34/0x218 [ 18.343362] kmem_cache_double_destroy+0x174/0x300 [ 18.343409] kunit_try_run_case+0x170/0x3f0 [ 18.343458] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.343510] kthread+0x328/0x630 [ 18.343552] ret_from_fork+0x10/0x20 [ 18.343601] [ 18.343621] Allocated by task 215: [ 18.343650] kasan_save_stack+0x3c/0x68 [ 18.343692] kasan_save_track+0x20/0x40 [ 18.343731] kasan_save_alloc_info+0x40/0x58 [ 18.343771] __kasan_slab_alloc+0xa8/0xb0 [ 18.343809] kmem_cache_alloc_noprof+0x10c/0x398 [ 18.343860] __kmem_cache_create_args+0x178/0x280 [ 18.343901] kmem_cache_double_destroy+0xc0/0x300 [ 18.343940] kunit_try_run_case+0x170/0x3f0 [ 18.343978] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.344021] kthread+0x328/0x630 [ 18.344052] ret_from_fork+0x10/0x20 [ 18.344089] [ 18.344108] Freed by task 215: [ 18.344135] kasan_save_stack+0x3c/0x68 [ 18.344172] kasan_save_track+0x20/0x40 [ 18.344209] kasan_save_free_info+0x4c/0x78 [ 18.344249] __kasan_slab_free+0x6c/0x98 [ 18.344287] kmem_cache_free+0x260/0x468 [ 18.344324] slab_kmem_cache_release+0x38/0x50 [ 18.344363] kmem_cache_release+0x1c/0x30 [ 18.344399] kobject_put+0x17c/0x420 [ 18.344436] sysfs_slab_release+0x1c/0x30 [ 18.344474] kmem_cache_destroy+0x118/0x218 [ 18.344512] kmem_cache_double_destroy+0x128/0x300 [ 18.344551] kunit_try_run_case+0x170/0x3f0 [ 18.344588] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.344631] kthread+0x328/0x630 [ 18.344663] ret_from_fork+0x10/0x20 [ 18.344699] [ 18.344718] The buggy address belongs to the object at fff00000c19fbdc0 [ 18.344718] which belongs to the cache kmem_cache of size 208 [ 18.344775] The buggy address is located 0 bytes inside of [ 18.344775] freed 208-byte region [fff00000c19fbdc0, fff00000c19fbe90) [ 18.344834] [ 18.344864] The buggy address belongs to the physical page: [ 18.344899] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1019fb [ 18.344954] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.345005] page_type: f5(slab) [ 18.345046] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000 [ 18.345095] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 18.345136] page dumped because: kasan: bad access detected [ 18.345168] [ 18.345186] Memory state around the buggy address: [ 18.345219] fff00000c19fbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 18.345261] fff00000c19fbd00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 18.345303] >fff00000c19fbd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 18.345340] ^ [ 18.345374] fff00000c19fbe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.345415] fff00000c19fbe80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.345454] ==================================================================
[ 17.995434] ================================================================== [ 17.995516] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 17.995588] Read of size 1 at addr fff00000c598d640 by task kunit_try_catch/215 [ 17.995640] [ 17.995683] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.995769] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.995797] Hardware name: linux,dummy-virt (DT) [ 17.995830] Call trace: [ 17.995854] show_stack+0x20/0x38 (C) [ 17.995910] dump_stack_lvl+0x8c/0xd0 [ 17.995962] print_report+0x118/0x5d0 [ 17.996009] kasan_report+0xdc/0x128 [ 17.996053] __kasan_check_byte+0x54/0x70 [ 17.996099] kmem_cache_destroy+0x34/0x218 [ 17.996147] kmem_cache_double_destroy+0x174/0x300 [ 17.996202] kunit_try_run_case+0x170/0x3f0 [ 17.996252] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.996304] kthread+0x328/0x630 [ 17.996360] ret_from_fork+0x10/0x20 [ 17.996408] [ 17.996426] Allocated by task 215: [ 17.996457] kasan_save_stack+0x3c/0x68 [ 17.996526] kasan_save_track+0x20/0x40 [ 17.996565] kasan_save_alloc_info+0x40/0x58 [ 17.996604] __kasan_slab_alloc+0xa8/0xb0 [ 17.996643] kmem_cache_alloc_noprof+0x10c/0x398 [ 17.996683] __kmem_cache_create_args+0x178/0x280 [ 17.996723] kmem_cache_double_destroy+0xc0/0x300 [ 17.996761] kunit_try_run_case+0x170/0x3f0 [ 17.996799] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.996840] kthread+0x328/0x630 [ 17.996873] ret_from_fork+0x10/0x20 [ 17.996908] [ 17.996927] Freed by task 215: [ 17.996954] kasan_save_stack+0x3c/0x68 [ 17.996990] kasan_save_track+0x20/0x40 [ 17.997027] kasan_save_free_info+0x4c/0x78 [ 17.997065] __kasan_slab_free+0x6c/0x98 [ 17.997103] kmem_cache_free+0x260/0x468 [ 17.997138] slab_kmem_cache_release+0x38/0x50 [ 17.997178] kmem_cache_release+0x1c/0x30 [ 17.997215] kobject_put+0x17c/0x420 [ 17.997249] sysfs_slab_release+0x1c/0x30 [ 17.997287] kmem_cache_destroy+0x118/0x218 [ 17.997333] kmem_cache_double_destroy+0x128/0x300 [ 17.997373] kunit_try_run_case+0x170/0x3f0 [ 17.997409] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.997452] kthread+0x328/0x630 [ 17.997485] ret_from_fork+0x10/0x20 [ 17.997520] [ 17.997539] The buggy address belongs to the object at fff00000c598d640 [ 17.997539] which belongs to the cache kmem_cache of size 208 [ 17.997595] The buggy address is located 0 bytes inside of [ 17.997595] freed 208-byte region [fff00000c598d640, fff00000c598d710) [ 17.997654] [ 17.997677] The buggy address belongs to the physical page: [ 17.997709] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10598d [ 17.997763] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.997815] page_type: f5(slab) [ 17.997857] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000 [ 17.997909] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 17.997950] page dumped because: kasan: bad access detected [ 17.997983] [ 17.998000] Memory state around the buggy address: [ 17.998035] fff00000c598d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.998078] fff00000c598d580: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 17.998121] >fff00000c598d600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 17.998159] ^ [ 17.998193] fff00000c598d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.998236] fff00000c598d700: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.998275] ==================================================================
[ 17.965555] ================================================================== [ 17.965632] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x174/0x300 [ 17.965709] Read of size 1 at addr fff00000c56bda00 by task kunit_try_catch/215 [ 17.966064] [ 17.966939] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.967057] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.967138] Hardware name: linux,dummy-virt (DT) [ 17.967379] Call trace: [ 17.967488] show_stack+0x20/0x38 (C) [ 17.967590] dump_stack_lvl+0x8c/0xd0 [ 17.967673] print_report+0x118/0x5d0 [ 17.967730] kasan_report+0xdc/0x128 [ 17.967776] __kasan_check_byte+0x54/0x70 [ 17.967848] kmem_cache_destroy+0x34/0x218 [ 17.967897] kmem_cache_double_destroy+0x174/0x300 [ 17.968144] kunit_try_run_case+0x170/0x3f0 [ 17.968678] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.968861] kthread+0x328/0x630 [ 17.968912] ret_from_fork+0x10/0x20 [ 17.969384] [ 17.969411] Allocated by task 215: [ 17.969627] kasan_save_stack+0x3c/0x68 [ 17.969723] kasan_save_track+0x20/0x40 [ 17.969882] kasan_save_alloc_info+0x40/0x58 [ 17.970000] __kasan_slab_alloc+0xa8/0xb0 [ 17.970068] kmem_cache_alloc_noprof+0x10c/0x398 [ 17.970111] __kmem_cache_create_args+0x178/0x280 [ 17.970314] kmem_cache_double_destroy+0xc0/0x300 [ 17.970415] kunit_try_run_case+0x170/0x3f0 [ 17.970589] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.970707] kthread+0x328/0x630 [ 17.970775] ret_from_fork+0x10/0x20 [ 17.970995] [ 17.971097] Freed by task 215: [ 17.971208] kasan_save_stack+0x3c/0x68 [ 17.971254] kasan_save_track+0x20/0x40 [ 17.971299] kasan_save_free_info+0x4c/0x78 [ 17.971502] __kasan_slab_free+0x6c/0x98 [ 17.971596] kmem_cache_free+0x260/0x468 [ 17.971661] slab_kmem_cache_release+0x38/0x50 [ 17.971941] kmem_cache_release+0x1c/0x30 [ 17.971992] kobject_put+0x17c/0x420 [ 17.972214] sysfs_slab_release+0x1c/0x30 [ 17.972366] kmem_cache_destroy+0x118/0x218 [ 17.972548] kmem_cache_double_destroy+0x128/0x300 [ 17.972741] kunit_try_run_case+0x170/0x3f0 [ 17.972962] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.973042] kthread+0x328/0x630 [ 17.973083] ret_from_fork+0x10/0x20 [ 17.973120] [ 17.973180] The buggy address belongs to the object at fff00000c56bda00 [ 17.973180] which belongs to the cache kmem_cache of size 208 [ 17.973264] The buggy address is located 0 bytes inside of [ 17.973264] freed 208-byte region [fff00000c56bda00, fff00000c56bdad0) [ 17.973329] [ 17.973352] The buggy address belongs to the physical page: [ 17.973386] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056bd [ 17.973451] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.973504] page_type: f5(slab) [ 17.973547] raw: 0bfffe0000000000 fff00000c0001000 dead000000000122 0000000000000000 [ 17.973608] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 17.973650] page dumped because: kasan: bad access detected [ 17.973683] [ 17.973702] Memory state around the buggy address: [ 17.973749] fff00000c56bd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.973802] fff00000c56bd980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.973854] >fff00000c56bda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.973902] ^ [ 17.973930] fff00000c56bda80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 17.973980] fff00000c56bdb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.974024] ==================================================================
[ 13.074215] ================================================================== [ 13.074868] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380 [ 13.075356] Read of size 1 at addr ffff888100fb8a00 by task kunit_try_catch/232 [ 13.075698] [ 13.076505] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.076612] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.076629] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.076668] Call Trace: [ 13.076682] <TASK> [ 13.076702] dump_stack_lvl+0x73/0xb0 [ 13.076740] print_report+0xd1/0x610 [ 13.076766] ? __virt_addr_valid+0x1db/0x2d0 [ 13.076795] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.076826] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.076855] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.076886] kasan_report+0x141/0x180 [ 13.076923] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.076957] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.077008] __kasan_check_byte+0x3d/0x50 [ 13.077034] kmem_cache_destroy+0x25/0x1d0 [ 13.077062] kmem_cache_double_destroy+0x1bf/0x380 [ 13.077093] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 13.077123] ? finish_task_switch.isra.0+0x153/0x700 [ 13.077152] ? __switch_to+0x47/0xf50 [ 13.077186] ? __pfx_read_tsc+0x10/0x10 [ 13.077210] ? ktime_get_ts64+0x86/0x230 [ 13.077239] kunit_try_run_case+0x1a5/0x480 [ 13.077270] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.077298] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.077329] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.077358] ? __kthread_parkme+0x82/0x180 [ 13.077383] ? preempt_count_sub+0x50/0x80 [ 13.077409] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.077438] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.077468] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.077500] kthread+0x337/0x6f0 [ 13.077539] ? trace_preempt_on+0x20/0xc0 [ 13.077568] ? __pfx_kthread+0x10/0x10 [ 13.077592] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.077617] ? calculate_sigpending+0x7b/0xa0 [ 13.077645] ? __pfx_kthread+0x10/0x10 [ 13.077669] ret_from_fork+0x116/0x1d0 [ 13.077691] ? __pfx_kthread+0x10/0x10 [ 13.077714] ret_from_fork_asm+0x1a/0x30 [ 13.077751] </TASK> [ 13.077762] [ 13.090231] Allocated by task 232: [ 13.090423] kasan_save_stack+0x45/0x70 [ 13.090630] kasan_save_track+0x18/0x40 [ 13.090823] kasan_save_alloc_info+0x3b/0x50 [ 13.091588] __kasan_slab_alloc+0x91/0xa0 [ 13.091827] kmem_cache_alloc_noprof+0x123/0x3f0 [ 13.092321] __kmem_cache_create_args+0x169/0x240 [ 13.092760] kmem_cache_double_destroy+0xd5/0x380 [ 13.093198] kunit_try_run_case+0x1a5/0x480 [ 13.093593] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.094040] kthread+0x337/0x6f0 [ 13.094211] ret_from_fork+0x116/0x1d0 [ 13.094361] ret_from_fork_asm+0x1a/0x30 [ 13.094801] [ 13.094878] Freed by task 232: [ 13.095298] kasan_save_stack+0x45/0x70 [ 13.095481] kasan_save_track+0x18/0x40 [ 13.095945] kasan_save_free_info+0x3f/0x60 [ 13.096280] __kasan_slab_free+0x56/0x70 [ 13.096634] kmem_cache_free+0x249/0x420 [ 13.096814] slab_kmem_cache_release+0x2e/0x40 [ 13.097298] kmem_cache_release+0x16/0x20 [ 13.097651] kobject_put+0x181/0x450 [ 13.097847] sysfs_slab_release+0x16/0x20 [ 13.098187] kmem_cache_destroy+0xf0/0x1d0 [ 13.098387] kmem_cache_double_destroy+0x14e/0x380 [ 13.098929] kunit_try_run_case+0x1a5/0x480 [ 13.099355] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.099718] kthread+0x337/0x6f0 [ 13.100138] ret_from_fork+0x116/0x1d0 [ 13.100469] ret_from_fork_asm+0x1a/0x30 [ 13.100801] [ 13.100917] The buggy address belongs to the object at ffff888100fb8a00 [ 13.100917] which belongs to the cache kmem_cache of size 208 [ 13.101551] The buggy address is located 0 bytes inside of [ 13.101551] freed 208-byte region [ffff888100fb8a00, ffff888100fb8ad0) [ 13.102027] [ 13.102129] The buggy address belongs to the physical page: [ 13.102376] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100fb8 [ 13.102690] flags: 0x200000000000000(node=0|zone=2) [ 13.103448] page_type: f5(slab) [ 13.103815] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000 [ 13.104316] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 13.104905] page dumped because: kasan: bad access detected [ 13.105312] [ 13.105416] Memory state around the buggy address: [ 13.105907] ffff888100fb8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.106400] ffff888100fb8980: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.106991] >ffff888100fb8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.107426] ^ [ 13.107745] ffff888100fb8a80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 13.108258] ffff888100fb8b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.108738] ==================================================================
[ 12.896187] ================================================================== [ 12.897654] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380 [ 12.898693] Read of size 1 at addr ffff888101c3b3c0 by task kunit_try_catch/233 [ 12.899293] [ 12.899395] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.899465] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.899476] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.899531] Call Trace: [ 12.899545] <TASK> [ 12.899563] dump_stack_lvl+0x73/0xb0 [ 12.899598] print_report+0xd1/0x610 [ 12.899778] ? __virt_addr_valid+0x1db/0x2d0 [ 12.899803] ? kmem_cache_double_destroy+0x1bf/0x380 [ 12.899916] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.899941] ? kmem_cache_double_destroy+0x1bf/0x380 [ 12.899967] kasan_report+0x141/0x180 [ 12.899989] ? kmem_cache_double_destroy+0x1bf/0x380 [ 12.900018] ? kmem_cache_double_destroy+0x1bf/0x380 [ 12.900043] __kasan_check_byte+0x3d/0x50 [ 12.900064] kmem_cache_destroy+0x25/0x1d0 [ 12.900089] kmem_cache_double_destroy+0x1bf/0x380 [ 12.900114] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 12.900138] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 12.900169] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 12.900199] kunit_try_run_case+0x1a5/0x480 [ 12.900225] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.900246] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.900273] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.900300] ? __kthread_parkme+0x82/0x180 [ 12.900321] ? preempt_count_sub+0x50/0x80 [ 12.900347] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.900370] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.900394] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.900451] kthread+0x337/0x6f0 [ 12.900470] ? trace_preempt_on+0x20/0xc0 [ 12.900494] ? __pfx_kthread+0x10/0x10 [ 12.900515] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.900537] ? calculate_sigpending+0x7b/0xa0 [ 12.900561] ? __pfx_kthread+0x10/0x10 [ 12.900584] ret_from_fork+0x116/0x1d0 [ 12.900604] ? __pfx_kthread+0x10/0x10 [ 12.900624] ret_from_fork_asm+0x1a/0x30 [ 12.900657] </TASK> [ 12.900668] [ 12.915113] Allocated by task 233: [ 12.915626] kasan_save_stack+0x45/0x70 [ 12.916054] kasan_save_track+0x18/0x40 [ 12.916476] kasan_save_alloc_info+0x3b/0x50 [ 12.916986] __kasan_slab_alloc+0x91/0xa0 [ 12.917354] kmem_cache_alloc_noprof+0x123/0x3f0 [ 12.917898] __kmem_cache_create_args+0x169/0x240 [ 12.918361] kmem_cache_double_destroy+0xd5/0x380 [ 12.918889] kunit_try_run_case+0x1a5/0x480 [ 12.919489] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.919855] kthread+0x337/0x6f0 [ 12.919978] ret_from_fork+0x116/0x1d0 [ 12.920109] ret_from_fork_asm+0x1a/0x30 [ 12.920245] [ 12.920314] Freed by task 233: [ 12.920508] kasan_save_stack+0x45/0x70 [ 12.920929] kasan_save_track+0x18/0x40 [ 12.921269] kasan_save_free_info+0x3f/0x60 [ 12.921837] __kasan_slab_free+0x56/0x70 [ 12.922312] kmem_cache_free+0x249/0x420 [ 12.922749] slab_kmem_cache_release+0x2e/0x40 [ 12.923423] kmem_cache_release+0x16/0x20 [ 12.923981] kobject_put+0x181/0x450 [ 12.924260] sysfs_slab_release+0x16/0x20 [ 12.924653] kmem_cache_destroy+0xf0/0x1d0 [ 12.924802] kmem_cache_double_destroy+0x14e/0x380 [ 12.924963] kunit_try_run_case+0x1a5/0x480 [ 12.925109] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.925293] kthread+0x337/0x6f0 [ 12.925470] ret_from_fork+0x116/0x1d0 [ 12.925663] ret_from_fork_asm+0x1a/0x30 [ 12.925821] [ 12.925896] The buggy address belongs to the object at ffff888101c3b3c0 [ 12.925896] which belongs to the cache kmem_cache of size 208 [ 12.926515] The buggy address is located 0 bytes inside of [ 12.926515] freed 208-byte region [ffff888101c3b3c0, ffff888101c3b490) [ 12.927571] [ 12.927926] The buggy address belongs to the physical page: [ 12.928184] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c3b [ 12.929095] flags: 0x200000000000000(node=0|zone=2) [ 12.929590] page_type: f5(slab) [ 12.929763] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000 [ 12.930081] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 12.930391] page dumped because: kasan: bad access detected [ 12.931106] [ 12.931446] Memory state around the buggy address: [ 12.931781] ffff888101c3b280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.932071] ffff888101c3b300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 12.932365] >ffff888101c3b380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 12.933043] ^ [ 12.933591] ffff888101c3b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.933885] ffff888101c3b480: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.934173] ==================================================================
[ 13.099180] ================================================================== [ 13.099671] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380 [ 13.100039] Read of size 1 at addr ffff888100fa1dc0 by task kunit_try_catch/232 [ 13.100876] [ 13.101141] CPU: 1 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.101197] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.101209] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.101233] Call Trace: [ 13.101246] <TASK> [ 13.101332] dump_stack_lvl+0x73/0xb0 [ 13.101369] print_report+0xd1/0x610 [ 13.101395] ? __virt_addr_valid+0x1db/0x2d0 [ 13.101421] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.101446] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.101469] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.101494] kasan_report+0x141/0x180 [ 13.101516] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.101544] ? kmem_cache_double_destroy+0x1bf/0x380 [ 13.101569] __kasan_check_byte+0x3d/0x50 [ 13.101590] kmem_cache_destroy+0x25/0x1d0 [ 13.101614] kmem_cache_double_destroy+0x1bf/0x380 [ 13.101639] ? __pfx_kmem_cache_double_destroy+0x10/0x10 [ 13.101665] ? __kasan_check_write+0x18/0x20 [ 13.101684] ? queued_spin_lock_slowpath+0x116/0xb40 [ 13.101709] ? irqentry_exit+0x2a/0x60 [ 13.101733] ? trace_hardirqs_on+0x37/0xe0 [ 13.101757] ? __pfx_read_tsc+0x10/0x10 [ 13.101778] ? ktime_get_ts64+0x86/0x230 [ 13.101804] kunit_try_run_case+0x1a5/0x480 [ 13.101830] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.101854] ? queued_spin_lock_slowpath+0x116/0xb40 [ 13.101877] ? __kthread_parkme+0x82/0x180 [ 13.101899] ? preempt_count_sub+0x50/0x80 [ 13.101924] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.101947] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.101971] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.101995] kthread+0x337/0x6f0 [ 13.102133] ? trace_preempt_on+0x20/0xc0 [ 13.102158] ? __pfx_kthread+0x10/0x10 [ 13.102178] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.102200] ? calculate_sigpending+0x7b/0xa0 [ 13.102226] ? __pfx_kthread+0x10/0x10 [ 13.102247] ret_from_fork+0x116/0x1d0 [ 13.102266] ? __pfx_kthread+0x10/0x10 [ 13.102286] ret_from_fork_asm+0x1a/0x30 [ 13.102317] </TASK> [ 13.102329] [ 13.114850] Allocated by task 232: [ 13.115259] kasan_save_stack+0x45/0x70 [ 13.115464] kasan_save_track+0x18/0x40 [ 13.115639] kasan_save_alloc_info+0x3b/0x50 [ 13.115836] __kasan_slab_alloc+0x91/0xa0 [ 13.116030] kmem_cache_alloc_noprof+0x123/0x3f0 [ 13.116734] __kmem_cache_create_args+0x169/0x240 [ 13.116940] kmem_cache_double_destroy+0xd5/0x380 [ 13.117432] kunit_try_run_case+0x1a5/0x480 [ 13.117669] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.118150] kthread+0x337/0x6f0 [ 13.118404] ret_from_fork+0x116/0x1d0 [ 13.118550] ret_from_fork_asm+0x1a/0x30 [ 13.118749] [ 13.118842] Freed by task 232: [ 13.118999] kasan_save_stack+0x45/0x70 [ 13.119551] kasan_save_track+0x18/0x40 [ 13.119724] kasan_save_free_info+0x3f/0x60 [ 13.120121] __kasan_slab_free+0x56/0x70 [ 13.120327] kmem_cache_free+0x249/0x420 [ 13.120639] slab_kmem_cache_release+0x2e/0x40 [ 13.120824] kmem_cache_release+0x16/0x20 [ 13.121153] kobject_put+0x181/0x450 [ 13.121331] sysfs_slab_release+0x16/0x20 [ 13.121947] kmem_cache_destroy+0xf0/0x1d0 [ 13.122122] kmem_cache_double_destroy+0x14e/0x380 [ 13.122690] kunit_try_run_case+0x1a5/0x480 [ 13.122886] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.123340] kthread+0x337/0x6f0 [ 13.123515] ret_from_fork+0x116/0x1d0 [ 13.123838] ret_from_fork_asm+0x1a/0x30 [ 13.123987] [ 13.124247] The buggy address belongs to the object at ffff888100fa1dc0 [ 13.124247] which belongs to the cache kmem_cache of size 208 [ 13.124903] The buggy address is located 0 bytes inside of [ 13.124903] freed 208-byte region [ffff888100fa1dc0, ffff888100fa1e90) [ 13.125720] [ 13.125814] The buggy address belongs to the physical page: [ 13.126066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100fa1 [ 13.126557] flags: 0x200000000000000(node=0|zone=2) [ 13.126799] page_type: f5(slab) [ 13.126936] raw: 0200000000000000 ffff888100041000 dead000000000122 0000000000000000 [ 13.127368] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 13.128318] page dumped because: kasan: bad access detected [ 13.128517] [ 13.128590] Memory state around the buggy address: [ 13.128749] ffff888100fa1c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.128974] ffff888100fa1d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 13.129905] >ffff888100fa1d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 13.130286] ^ [ 13.130735] ffff888100fa1e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.131227] ffff888100fa1e80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.131806] ==================================================================