Hay
Date
June 24, 2025, 11:37 a.m.

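Environment
dragonboard-845c
qemu-arm64
qemu-x86_64

The three KASAN reports below appear in the same order as the environments listed above; the "Hardware name" line in each report identifies the machine. In every report the double free is raised from kmem_cache_double_free, running under kunit_try_catch on the test_cache slab cache with the kernel tainted [N]=TEST. These therefore appear to be the reports that the KASAN KUnit test provokes on purpose, not a double free found in production kernel code.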

[   43.732226] ==================================================================
[   43.743204] BUG: KASAN: double-free in kmem_cache_double_free+0x190/0x3c8
[   43.750114] Free of addr ffff000080e26000 by task kunit_try_catch/307
[   43.756642] 
[   43.758182] CPU: 2 UID: 0 PID: 307 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   43.758219] Tainted: [B]=BAD_PAGE, [N]=TEST
[   43.758229] Hardware name: Thundercomm Dragonboard 845c (DT)
[   43.758247] Call trace:
[   43.758256]  show_stack+0x20/0x38 (C)
[   43.758280]  dump_stack_lvl+0x8c/0xd0
[   43.758304]  print_report+0x118/0x608
[   43.758327]  kasan_report_invalid_free+0xc0/0xe8
[   43.758348]  check_slab_allocation+0xd4/0x108
[   43.758370]  __kasan_slab_pre_free+0x2c/0x48
[   43.758391]  kmem_cache_free+0xf0/0x468
[   43.758414]  kmem_cache_double_free+0x190/0x3c8
[   43.758433]  kunit_try_run_case+0x170/0x3f0
[   43.758457]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.758481]  kthread+0x328/0x630
[   43.758501]  ret_from_fork+0x10/0x20
[   43.758526] 
[   43.833383] Allocated by task 307:
[   43.836847]  kasan_save_stack+0x3c/0x68
[   43.840760]  kasan_save_track+0x20/0x40
[   43.844670]  kasan_save_alloc_info+0x40/0x58
[   43.849010]  __kasan_slab_alloc+0xa8/0xb0
[   43.853094]  kmem_cache_alloc_noprof+0x10c/0x398
[   43.857794]  kmem_cache_double_free+0x12c/0x3c8
[   43.862404]  kunit_try_run_case+0x170/0x3f0
[   43.866658]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.872226]  kthread+0x328/0x630
[   43.875510]  ret_from_fork+0x10/0x20
[   43.879149] 
[   43.880685] Freed by task 307:
[   43.883798]  kasan_save_stack+0x3c/0x68
[   43.887710]  kasan_save_track+0x20/0x40
[   43.891620]  kasan_save_free_info+0x4c/0x78
[   43.895869]  __kasan_slab_free+0x6c/0x98
[   43.899865]  kmem_cache_free+0x260/0x468
[   43.903861]  kmem_cache_double_free+0x140/0x3c8
[   43.908470]  kunit_try_run_case+0x170/0x3f0
[   43.912723]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.918299]  kthread+0x328/0x630
[   43.921589]  ret_from_fork+0x10/0x20
[   43.925228] 
[   43.926760] The buggy address belongs to the object at ffff000080e26000
[   43.926760]  which belongs to the cache test_cache of size 200
[   43.939340] The buggy address is located 0 bytes inside of
[   43.939340]  200-byte region [ffff000080e26000, ffff000080e260c8)
[   43.951038] 
[   43.952577] The buggy address belongs to the physical page:
[   43.958228] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100e26
[   43.966347] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   43.974110] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   43.981173] page_type: f5(slab)
[   43.984383] raw: 0bfffe0000000040 ffff000080e24000 dead000000000122 0000000000000000
[   43.992230] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   44.000079] head: 0bfffe0000000040 ffff000080e24000 dead000000000122 0000000000000000
[   44.008010] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[   44.015942] head: 0bfffe0000000001 fffffdffc2038981 00000000ffffffff 00000000ffffffff
[   44.023874] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   44.031801] page dumped because: kasan: bad access detected
[   44.037449] 
[   44.038979] Memory state around the buggy address:
[   44.043840]  ffff000080e25f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.051157]  ffff000080e25f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.058472] >ffff000080e26000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.065795]                    ^
[   44.069084]  ffff000080e26080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   44.076399]  ffff000080e26100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.083713] ==================================================================

[   33.944859] ==================================================================
[   33.945126] BUG: KASAN: double-free in kmem_cache_double_free+0x190/0x3c8
[   33.945272] Free of addr fff00000c77d4000 by task kunit_try_catch/220
[   33.945372] 
[   33.945465] CPU: 0 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   33.945670] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.945732] Hardware name: linux,dummy-virt (DT)
[   33.945811] Call trace:
[   33.945867]  show_stack+0x20/0x38 (C)
[   33.946015]  dump_stack_lvl+0x8c/0xd0
[   33.946145]  print_report+0x118/0x608
[   33.946488]  kasan_report_invalid_free+0xc0/0xe8
[   33.946643]  check_slab_allocation+0xd4/0x108
[   33.946944]  __kasan_slab_pre_free+0x2c/0x48
[   33.947373]  kmem_cache_free+0xf0/0x468
[   33.947912]  kmem_cache_double_free+0x190/0x3c8
[   33.948218]  kunit_try_run_case+0x170/0x3f0
[   33.948353]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.948559]  kthread+0x328/0x630
[   33.948694]  ret_from_fork+0x10/0x20
[   33.950226] 
[   33.950285] Allocated by task 220:
[   33.950384]  kasan_save_stack+0x3c/0x68
[   33.950493]  kasan_save_track+0x20/0x40
[   33.950605]  kasan_save_alloc_info+0x40/0x58
[   33.950829]  __kasan_slab_alloc+0xa8/0xb0
[   33.951139]  kmem_cache_alloc_noprof+0x10c/0x398
[   33.951284]  kmem_cache_double_free+0x12c/0x3c8
[   33.951444]  kunit_try_run_case+0x170/0x3f0
[   33.951550]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.951671]  kthread+0x328/0x630
[   33.951769]  ret_from_fork+0x10/0x20
[   33.951864] 
[   33.951967] Freed by task 220:
[   33.952047]  kasan_save_stack+0x3c/0x68
[   33.952155]  kasan_save_track+0x20/0x40
[   33.952344]  kasan_save_free_info+0x4c/0x78
[   33.952445]  __kasan_slab_free+0x6c/0x98
[   33.952575]  kmem_cache_free+0x260/0x468
[   33.952806]  kmem_cache_double_free+0x140/0x3c8
[   33.953072]  kunit_try_run_case+0x170/0x3f0
[   33.953171]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.953275]  kthread+0x328/0x630
[   33.953359]  ret_from_fork+0x10/0x20
[   33.953457] 
[   33.953509] The buggy address belongs to the object at fff00000c77d4000
[   33.953509]  which belongs to the cache test_cache of size 200
[   33.953758] The buggy address is located 0 bytes inside of
[   33.953758]  200-byte region [fff00000c77d4000, fff00000c77d40c8)
[   33.953919] 
[   33.954035] The buggy address belongs to the physical page:
[   33.954117] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077d4
[   33.954285] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.954431] page_type: f5(slab)
[   33.955915] raw: 0bfffe0000000000 fff00000c11b8c80 dead000000000122 0000000000000000
[   33.956118] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   33.956515] page dumped because: kasan: bad access detected
[   33.956859] 
[   33.956923] Memory state around the buggy address:
[   33.957006]  fff00000c77d3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.957112]  fff00000c77d3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.957216] >fff00000c77d4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.957924]                    ^
[   33.958013]  fff00000c77d4080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   33.958133]  fff00000c77d4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.958240] ==================================================================

[   30.039490] ==================================================================
[   30.040470] BUG: KASAN: double-free in kmem_cache_double_free+0x1e5/0x480
[   30.041288] Free of addr ffff888102de6000 by task kunit_try_catch/239
[   30.041885] 
[   30.042151] CPU: 0 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary) 
[   30.042263] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.042292] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   30.042338] Call Trace:
[   30.042368]  <TASK>
[   30.042408]  dump_stack_lvl+0x73/0xb0
[   30.042482]  print_report+0xd1/0x650
[   30.042553]  ? __virt_addr_valid+0x1db/0x2d0
[   30.042616]  ? kasan_complete_mode_report_info+0x64/0x200
[   30.042741]  ? kmem_cache_double_free+0x1e5/0x480
[   30.042810]  kasan_report_invalid_free+0x10a/0x130
[   30.042885]  ? kmem_cache_double_free+0x1e5/0x480
[   30.042942]  ? kmem_cache_double_free+0x1e5/0x480
[   30.042982]  check_slab_allocation+0x101/0x130
[   30.043011]  __kasan_slab_pre_free+0x28/0x40
[   30.043037]  kmem_cache_free+0xed/0x420
[   30.043063]  ? kmem_cache_alloc_noprof+0x123/0x3f0
[   30.043092]  ? kmem_cache_double_free+0x1e5/0x480
[   30.043124]  kmem_cache_double_free+0x1e5/0x480
[   30.043152]  ? __pfx_kmem_cache_double_free+0x10/0x10
[   30.043180]  ? finish_task_switch.isra.0+0x153/0x700
[   30.043208]  ? __switch_to+0x47/0xf50
[   30.043244]  ? __pfx_read_tsc+0x10/0x10
[   30.043270]  ? ktime_get_ts64+0x86/0x230
[   30.043301]  kunit_try_run_case+0x1a5/0x480
[   30.043333]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.043359]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   30.043390]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   30.043418]  ? __kthread_parkme+0x82/0x180
[   30.043442]  ? preempt_count_sub+0x50/0x80
[   30.043469]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.043497]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.043526]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   30.043575]  kthread+0x337/0x6f0
[   30.043599]  ? trace_preempt_on+0x20/0xc0
[   30.043632]  ? __pfx_kthread+0x10/0x10
[   30.043674]  ? _raw_spin_unlock_irq+0x47/0x80
[   30.043703]  ? calculate_sigpending+0x7b/0xa0
[   30.043732]  ? __pfx_kthread+0x10/0x10
[   30.043758]  ret_from_fork+0x116/0x1d0
[   30.043781]  ? __pfx_kthread+0x10/0x10
[   30.043805]  ret_from_fork_asm+0x1a/0x30
[   30.043853]  </TASK>
[   30.043869] 
[   30.058915] Allocated by task 239:
[   30.059300]  kasan_save_stack+0x45/0x70
[   30.059767]  kasan_save_track+0x18/0x40
[   30.060102]  kasan_save_alloc_info+0x3b/0x50
[   30.060429]  __kasan_slab_alloc+0x91/0xa0
[   30.060842]  kmem_cache_alloc_noprof+0x123/0x3f0
[   30.061121]  kmem_cache_double_free+0x14f/0x480
[   30.061378]  kunit_try_run_case+0x1a5/0x480
[   30.061845]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.062354]  kthread+0x337/0x6f0
[   30.062743]  ret_from_fork+0x116/0x1d0
[   30.063114]  ret_from_fork_asm+0x1a/0x30
[   30.063512] 
[   30.063734] Freed by task 239:
[   30.064062]  kasan_save_stack+0x45/0x70
[   30.064360]  kasan_save_track+0x18/0x40
[   30.064615]  kasan_save_free_info+0x3f/0x60
[   30.065045]  __kasan_slab_free+0x56/0x70
[   30.065446]  kmem_cache_free+0x249/0x420
[   30.065849]  kmem_cache_double_free+0x16a/0x480
[   30.066122]  kunit_try_run_case+0x1a5/0x480
[   30.066368]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   30.066811]  kthread+0x337/0x6f0
[   30.067175]  ret_from_fork+0x116/0x1d0
[   30.067576]  ret_from_fork_asm+0x1a/0x30
[   30.068021] 
[   30.068222] The buggy address belongs to the object at ffff888102de6000
[   30.068222]  which belongs to the cache test_cache of size 200
[   30.069134] The buggy address is located 0 bytes inside of
[   30.069134]  200-byte region [ffff888102de6000, ffff888102de60c8)
[   30.070075] 
[   30.070275] The buggy address belongs to the physical page:
[   30.070748] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102de6
[   30.071364] flags: 0x200000000000000(node=0|zone=2)
[   30.071748] page_type: f5(slab)
[   30.071985] raw: 0200000000000000 ffff888101060c80 dead000000000122 0000000000000000
[   30.072669] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   30.073314] page dumped because: kasan: bad access detected
[   30.073607] 
[   30.073823] Memory state around the buggy address:
[   30.074229]  ffff888102de5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.074869]  ffff888102de5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.075400] >ffff888102de6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.075891]                    ^
[   30.076103]  ffff888102de6080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   30.076735]  ffff888102de6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.077330] ==================================================================