From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: lib/tests/slub_kunit.c:59 test_next_pointer() error: dereferencing freed memory 'p' (line 55)
Date: Tue, 31 Mar 2026 11:09:08 +0800 [thread overview]
Message-ID: <202603311158.xucMhmlE-lkp@intel.com> (raw)
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Kees Cook <kees@kernel.org>
CC: David Gow <davidgow@google.com>
CC: Rae Moar <rmoar@google.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: d0c3bcd5b8976159d835a897254048e078f447e6
commit: db6fe4d61ece24193eb4d94a82d967501d53358c lib: Move KUnit tests into tests/ subdirectory
date: 1 year, 2 months ago
:::::: branch date: 6 hours ago
:::::: commit date: 1 year, 2 months ago
config: microblaze-randconfig-r071-20260331 (https://download.01.org/0day-ci/archive/20260331/202603311158.xucMhmlE-lkp@intel.com/config)
compiler: microblaze-linux-gcc (GCC) 8.5.0
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603311158.xucMhmlE-lkp@intel.com/
New smatch warnings:
lib/tests/slub_kunit.c:59 test_next_pointer() error: dereferencing freed memory 'p' (line 55)
lib/tests/slub_kunit.c:99 test_first_word() error: dereferencing freed memory 'p' (line 98)
lib/tests/slub_kunit.c:114 test_clobber_50th_byte() error: dereferencing freed memory 'p' (line 113)
Old smatch warnings:
lib/tests/slub_kunit.c:131 test_clobber_redzone_free() error: dereferencing freed memory 'p' (line 130)
vim +/p +59 lib/tests/slub_kunit.c
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 45
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 46 #ifndef CONFIG_KASAN
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 47 static void test_next_pointer(struct kunit *test)
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 48 {
4d9dd4b0ce88072 lib/slub_kunit.c Feng Tang 2022-11-30 49 struct kmem_cache *s = test_kmem_cache_create("TestSlub_next_ptr_free",
4d9dd4b0ce88072 lib/slub_kunit.c Feng Tang 2022-11-30 50 64, SLAB_POISON);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 51 u8 *p = kmem_cache_alloc(s, GFP_KERNEL);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 52 unsigned long tmp;
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 53 unsigned long *ptr_addr;
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 54
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 @55 kmem_cache_free(s, p);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 56
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 57 ptr_addr = (unsigned long *)(p + s->offset);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 58 tmp = *ptr_addr;
b1080c667b3b2c8 lib/slub_kunit.c Guenter Roeck 2024-04-02 @59 p[s->offset] = ~p[s->offset];
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 60
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 61 /*
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 62 * Expecting three errors.
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 63 * One for the corrupted freechain and the other one for the wrong
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 64 * count of objects in use. The third error is fixing broken cache.
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 65 */
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 66 validate_slab_cache(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 67 KUNIT_EXPECT_EQ(test, 3, slab_errors);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 68
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 69 /*
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 70 * Try to repair corrupted freepointer.
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 71 * Still expecting two errors. The first for the wrong count
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 72 * of objects in use.
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 73 * The second error is for fixing broken cache.
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 74 */
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 75 *ptr_addr = tmp;
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 76 slab_errors = 0;
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 77
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 78 validate_slab_cache(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 79 KUNIT_EXPECT_EQ(test, 2, slab_errors);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 80
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 81 /*
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 82 * Previous validation repaired the count of objects in use.
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 83 * Now expecting no error.
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 84 */
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 85 slab_errors = 0;
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 86 validate_slab_cache(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 87 KUNIT_EXPECT_EQ(test, 0, slab_errors);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 88
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 89 kmem_cache_destroy(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 90 }
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 91
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 92 static void test_first_word(struct kunit *test)
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 93 {
4d9dd4b0ce88072 lib/slub_kunit.c Feng Tang 2022-11-30 94 struct kmem_cache *s = test_kmem_cache_create("TestSlub_1th_word_free",
4d9dd4b0ce88072 lib/slub_kunit.c Feng Tang 2022-11-30 95 64, SLAB_POISON);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 96 u8 *p = kmem_cache_alloc(s, GFP_KERNEL);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 97
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 @98 kmem_cache_free(s, p);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 @99 *p = 0x78;
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 100
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 101 validate_slab_cache(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 102 KUNIT_EXPECT_EQ(test, 2, slab_errors);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 103
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 104 kmem_cache_destroy(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 105 }
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 106
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 107 static void test_clobber_50th_byte(struct kunit *test)
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 108 {
4d9dd4b0ce88072 lib/slub_kunit.c Feng Tang 2022-11-30 109 struct kmem_cache *s = test_kmem_cache_create("TestSlub_50th_word_free",
4d9dd4b0ce88072 lib/slub_kunit.c Feng Tang 2022-11-30 110 64, SLAB_POISON);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 111 u8 *p = kmem_cache_alloc(s, GFP_KERNEL);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 112
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 @113 kmem_cache_free(s, p);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 @114 p[50] = 0x9a;
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 115
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 116 validate_slab_cache(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 117 KUNIT_EXPECT_EQ(test, 2, slab_errors);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 118
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 119 kmem_cache_destroy(s);
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 120 }
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 121 #endif
1f9f78b1b376f82 lib/slub_kunit.c Oliver Glitta 2021-06-28 122
:::::: The code at line 59 was first introduced by commit
:::::: b1080c667b3b2c8c38a7fa83ca5567124887abae mm/slub, kunit: Use inverted data to corrupt kmem cache
:::::: TO: Guenter Roeck <linux@roeck-us.net>
:::::: CC: Vlastimil Babka <vbabka@suse.cz>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next reply other threads:[~2026-03-31 3:09 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-31 3:09 kernel test robot [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-12-14 23:40 lib/tests/slub_kunit.c:59 test_next_pointer() error: dereferencing freed memory 'p' (line 55) kernel test robot
2025-05-01 4:36 kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202603311158.xucMhmlE-lkp@intel.com \
--to=lkp@intel.com \
--cc=error27@gmail.com \
--cc=oe-kbuild@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.