Hay
Date: June 18, 2025, 6:43 a.m.

Environment: qemu-arm64, qemu-x86_64

[   23.045856] ==================================================================
[   23.046044] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   23.046213] Free of addr fff00000c77c4001 by task kunit_try_catch/253
[   23.046305] 
[   23.046535] CPU: 0 UID: 0 PID: 253 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc2-next-20250618 #1 PREEMPT 
[   23.046910] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   23.046994] Hardware name: linux,dummy-virt (DT)
[   23.047080] Call trace:
[   23.047128]  show_stack+0x20/0x38 (C)
[   23.047247]  dump_stack_lvl+0x8c/0xd0
[   23.047361]  print_report+0x118/0x608
[   23.047529]  kasan_report_invalid_free+0xc0/0xe8
[   23.047696]  __kasan_mempool_poison_object+0xfc/0x150
[   23.047823]  mempool_free+0x28c/0x328
[   23.047971]  mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   23.048109]  mempool_kmalloc_large_invalid_free+0xc0/0x118
[   23.048231]  kunit_try_run_case+0x170/0x3f0
[   23.048362]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.048913]  kthread+0x328/0x630
[   23.049031]  ret_from_fork+0x10/0x20
[   23.049152] 
[   23.049207] The buggy address belongs to the physical page:
[   23.049286] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077c4
[   23.049689] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   23.049807] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   23.049943] page_type: f8(unknown)
[   23.050055] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   23.050172] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   23.050275] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   23.050377] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   23.050486] head: 0bfffe0000000002 ffffc1ffc31df101 00000000ffffffff 00000000ffffffff
[   23.050608] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   23.050709] page dumped because: kasan: bad access detected
[   23.050791] 
[   23.050837] Memory state around the buggy address:
[   23.050918]  fff00000c77c3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   23.051035]  fff00000c77c3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   23.051147] >fff00000c77c4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.051241]                    ^
[   23.051311]  fff00000c77c4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.051418]  fff00000c77c4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.051518] ==================================================================
[   23.018295] ==================================================================
[   23.018571] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   23.018778] Free of addr fff00000c7791b01 by task kunit_try_catch/251
[   23.018883] 
[   23.018975] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc2-next-20250618 #1 PREEMPT 
[   23.019210] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   23.019291] Hardware name: linux,dummy-virt (DT)
[   23.019372] Call trace:
[   23.019426]  show_stack+0x20/0x38 (C)
[   23.019587]  dump_stack_lvl+0x8c/0xd0
[   23.019795]  print_report+0x118/0x608
[   23.019928]  kasan_report_invalid_free+0xc0/0xe8
[   23.020083]  check_slab_allocation+0xfc/0x108
[   23.020274]  __kasan_mempool_poison_object+0x78/0x150
[   23.020445]  mempool_free+0x28c/0x328
[   23.020569]  mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   23.020702]  mempool_kmalloc_invalid_free+0xc0/0x118
[   23.020827]  kunit_try_run_case+0x170/0x3f0
[   23.020954]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.021095]  kthread+0x328/0x630
[   23.021261]  ret_from_fork+0x10/0x20
[   23.021433] 
[   23.021495] Allocated by task 251:
[   23.021591]  kasan_save_stack+0x3c/0x68
[   23.021741]  kasan_save_track+0x20/0x40
[   23.021885]  kasan_save_alloc_info+0x40/0x58
[   23.022025]  __kasan_mempool_unpoison_object+0x11c/0x180
[   23.022145]  remove_element+0x130/0x1f8
[   23.022232]  mempool_alloc_preallocated+0x58/0xc0
[   23.022319]  mempool_kmalloc_invalid_free_helper+0x94/0x2a8
[   23.022428]  mempool_kmalloc_invalid_free+0xc0/0x118
[   23.022528]  kunit_try_run_case+0x170/0x3f0
[   23.022683]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.022798]  kthread+0x328/0x630
[   23.022890]  ret_from_fork+0x10/0x20
[   23.023039] 
[   23.023125] The buggy address belongs to the object at fff00000c7791b00
[   23.023125]  which belongs to the cache kmalloc-128 of size 128
[   23.023304] The buggy address is located 1 bytes inside of
[   23.023304]  128-byte region [fff00000c7791b00, fff00000c7791b80)
[   23.023456] 
[   23.023506] The buggy address belongs to the physical page:
[   23.023590] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107791
[   23.023714] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   23.023840] page_type: f5(slab)
[   23.023936] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   23.024071] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.024253] page dumped because: kasan: bad access detected
[   23.024366] 
[   23.024417] Memory state around the buggy address:
[   23.024554]  fff00000c7791a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.024676]  fff00000c7791a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.024804] >fff00000c7791b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.025352]                    ^
[   23.025452]  fff00000c7791b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.025583]  fff00000c7791c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.025691] ==================================================================

[   12.892037] ==================================================================
[   12.893291] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.894066] Free of addr ffff888103888001 by task kunit_try_catch/269
[   12.894387] 
[   12.894577] CPU: 1 UID: 0 PID: 269 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) 
[   12.894627] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.894641] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.894662] Call Trace:
[   12.894674]  <TASK>
[   12.894690]  dump_stack_lvl+0x73/0xb0
[   12.894717]  print_report+0xd1/0x650
[   12.894738]  ? __virt_addr_valid+0x1db/0x2d0
[   12.894762]  ? kasan_addr_to_slab+0x11/0xa0
[   12.894781]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.894806]  kasan_report_invalid_free+0x10a/0x130
[   12.894829]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.894856]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.894879]  __kasan_mempool_poison_object+0x102/0x1d0
[   12.894902]  mempool_free+0x2ec/0x380
[   12.894926]  mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.894950]  ? __pfx_mempool_kmalloc_invalid_free_helper+0x10/0x10
[   12.894975]  ? __kasan_check_write+0x18/0x20
[   12.894998]  ? __pfx_sched_clock_cpu+0x10/0x10
[   12.895020]  ? finish_task_switch.isra.0+0x153/0x700
[   12.895046]  mempool_kmalloc_large_invalid_free+0xed/0x140
[   12.895068]  ? __pfx_mempool_kmalloc_large_invalid_free+0x10/0x10
[   12.895094]  ? __pfx_mempool_kmalloc+0x10/0x10
[   12.895115]  ? __pfx_mempool_kfree+0x10/0x10
[   12.895138]  ? __pfx_read_tsc+0x10/0x10
[   12.895160]  ? ktime_get_ts64+0x86/0x230
[   12.895183]  kunit_try_run_case+0x1a5/0x480
[   12.895227]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.895250]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.895271]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.895293]  ? __kthread_parkme+0x82/0x180
[   12.895312]  ? preempt_count_sub+0x50/0x80
[   12.895334]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.895356]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.895378]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.895400]  kthread+0x337/0x6f0
[   12.895418]  ? trace_preempt_on+0x20/0xc0
[   12.895441]  ? __pfx_kthread+0x10/0x10
[   12.895460]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.895480]  ? calculate_sigpending+0x7b/0xa0
[   12.895503]  ? __pfx_kthread+0x10/0x10
[   12.895523]  ret_from_fork+0x116/0x1d0
[   12.895541]  ? __pfx_kthread+0x10/0x10
[   12.895560]  ret_from_fork_asm+0x1a/0x30
[   12.895590]  </TASK>
[   12.895601] 
[   12.909626] The buggy address belongs to the physical page:
[   12.909833] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810388e600 pfn:0x103888
[   12.910316] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   12.910760] flags: 0x200000000000040(head|node=0|zone=2)
[   12.910995] page_type: f8(unknown)
[   12.911144] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   12.911739] raw: ffff88810388e600 0000000000000000 00000000f8000000 0000000000000000
[   12.912057] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   12.912516] head: ffff88810388e600 0000000000000000 00000000f8000000 0000000000000000
[   12.913059] head: 0200000000000002 ffffea00040e2201 00000000ffffffff 00000000ffffffff
[   12.913627] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   12.914103] page dumped because: kasan: bad access detected
[   12.914600] 
[   12.914687] Memory state around the buggy address:
[   12.914899]  ffff888103887f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.915431]  ffff888103887f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.915770] >ffff888103888000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.916083]                    ^
[   12.916259]  ffff888103888080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.916555]  ffff888103888100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.916860] ==================================================================
[   12.849657] ==================================================================
[   12.850973] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.851875] Free of addr ffff888101addb01 by task kunit_try_catch/267
[   12.852082] 
[   12.852165] CPU: 0 UID: 0 PID: 267 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) 
[   12.852227] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.852239] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.852260] Call Trace:
[   12.852272]  <TASK>
[   12.852290]  dump_stack_lvl+0x73/0xb0
[   12.852319]  print_report+0xd1/0x650
[   12.852340]  ? __virt_addr_valid+0x1db/0x2d0
[   12.852363]  ? kasan_complete_mode_report_info+0x2a/0x200
[   12.852387]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.852412]  kasan_report_invalid_free+0x10a/0x130
[   12.852436]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.852461]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.852485]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.852508]  check_slab_allocation+0x11f/0x130
[   12.852528]  __kasan_mempool_poison_object+0x91/0x1d0
[   12.852551]  mempool_free+0x2ec/0x380
[   12.852577]  mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   12.852601]  ? __pfx_mempool_kmalloc_invalid_free_helper+0x10/0x10
[   12.852628]  ? __pfx_sched_clock_cpu+0x10/0x10
[   12.852648]  ? finish_task_switch.isra.0+0x153/0x700
[   12.852679]  mempool_kmalloc_invalid_free+0xed/0x140
[   12.852701]  ? __pfx_mempool_kmalloc_invalid_free+0x10/0x10
[   12.852727]  ? __pfx_mempool_kmalloc+0x10/0x10
[   12.852772]  ? __pfx_mempool_kfree+0x10/0x10
[   12.852796]  ? __pfx_read_tsc+0x10/0x10
[   12.852817]  ? ktime_get_ts64+0x86/0x230
[   12.852840]  kunit_try_run_case+0x1a5/0x480
[   12.852864]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.852885]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.852908]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.852930]  ? __kthread_parkme+0x82/0x180
[   12.852950]  ? preempt_count_sub+0x50/0x80
[   12.852973]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.852994]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.853015]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.853038]  kthread+0x337/0x6f0
[   12.853056]  ? trace_preempt_on+0x20/0xc0
[   12.853078]  ? __pfx_kthread+0x10/0x10
[   12.853099]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.853120]  ? calculate_sigpending+0x7b/0xa0
[   12.853143]  ? __pfx_kthread+0x10/0x10
[   12.853164]  ret_from_fork+0x116/0x1d0
[   12.853182]  ? __pfx_kthread+0x10/0x10
[   12.853201]  ret_from_fork_asm+0x1a/0x30
[   12.853240]  </TASK>
[   12.853250] 
[   12.870021] Allocated by task 267:
[   12.870153]  kasan_save_stack+0x45/0x70
[   12.870549]  kasan_save_track+0x18/0x40
[   12.870925]  kasan_save_alloc_info+0x3b/0x50
[   12.871390]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   12.871979]  remove_element+0x11e/0x190
[   12.872239]  mempool_alloc_preallocated+0x4d/0x90
[   12.872683]  mempool_kmalloc_invalid_free_helper+0x83/0x2e0
[   12.873231]  mempool_kmalloc_invalid_free+0xed/0x140
[   12.873386]  kunit_try_run_case+0x1a5/0x480
[   12.873520]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.873679]  kthread+0x337/0x6f0
[   12.873791]  ret_from_fork+0x116/0x1d0
[   12.873928]  ret_from_fork_asm+0x1a/0x30
[   12.874057] 
[   12.874120] The buggy address belongs to the object at ffff888101addb00
[   12.874120]  which belongs to the cache kmalloc-128 of size 128
[   12.875187] The buggy address is located 1 bytes inside of
[   12.875187]  128-byte region [ffff888101addb00, ffff888101addb80)
[   12.876275] 
[   12.876490] The buggy address belongs to the physical page:
[   12.877078] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101add
[   12.877431] flags: 0x200000000000000(node=0|zone=2)
[   12.877592] page_type: f5(slab)
[   12.877704] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.877922] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.878134] page dumped because: kasan: bad access detected
[   12.878553] 
[   12.878699] Memory state around the buggy address:
[   12.879119]  ffff888101adda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.879898]  ffff888101adda80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.880597] >ffff888101addb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.881328]                    ^
[   12.881792]  ffff888101addb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.882537]  ffff888101addc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   12.883153] ==================================================================