Date: June 26, 2025, 9:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 45.088997] ==================================================================
[ 45.099978] BUG: KASAN: double-free in kmem_cache_double_free+0x190/0x3c8
[ 45.106869] Free of addr ffff000094654000 by task kunit_try_catch/295
[ 45.113391]
[ 45.114926] CPU: 7 UID: 0 PID: 295 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 45.114965] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 45.114973] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 45.114988] Call trace:
[ 45.114995] show_stack+0x20/0x38 (C)
[ 45.115016] dump_stack_lvl+0x8c/0xd0
[ 45.115037] print_report+0x118/0x608
[ 45.115059] kasan_report_invalid_free+0xc0/0xe8
[ 45.115080] check_slab_allocation+0xd4/0x108
[ 45.115099] __kasan_slab_pre_free+0x2c/0x48
[ 45.115117] kmem_cache_free+0xf0/0x468
[ 45.115136] kmem_cache_double_free+0x190/0x3c8
[ 45.115152] kunit_try_run_case+0x170/0x3f0
[ 45.115171] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 45.115191] kthread+0x328/0x630
[ 45.115205] ret_from_fork+0x10/0x20
[ 45.115224]
[ 45.190038] Allocated by task 295:
[ 45.193494] kasan_save_stack+0x3c/0x68
[ 45.197399] kasan_save_track+0x20/0x40
[ 45.201302] kasan_save_alloc_info+0x40/0x58
[ 45.205635] __kasan_slab_alloc+0xa8/0xb0
[ 45.209709] kmem_cache_alloc_noprof+0x10c/0x398
[ 45.214393] kmem_cache_double_free+0x12c/0x3c8
[ 45.218989] kunit_try_run_case+0x170/0x3f0
[ 45.223235] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 45.228794] kthread+0x328/0x630
[ 45.232074] ret_from_fork+0x10/0x20
[ 45.235703]
[ 45.237225] Freed by task 295:
[ 45.240328] kasan_save_stack+0x3c/0x68
[ 45.244231] kasan_save_track+0x20/0x40
[ 45.248134] kasan_save_free_info+0x4c/0x78
[ 45.252380] __kasan_slab_free+0x6c/0x98
[ 45.256368] kmem_cache_free+0x260/0x468
[ 45.260357] kmem_cache_double_free+0x140/0x3c8
[ 45.264952] kunit_try_run_case+0x170/0x3f0
[ 45.269199] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 45.274762] kthread+0x328/0x630
[ 45.278043] ret_from_fork+0x10/0x20
[ 45.281682]
[ 45.283213] The buggy address belongs to the object at ffff000094654000
[ 45.283213] which belongs to the cache test_cache of size 200
[ 45.295775] The buggy address is located 0 bytes inside of
[ 45.295775] 200-byte region [ffff000094654000, ffff0000946540c8)
[ 45.307463]
[ 45.308987] The buggy address belongs to the physical page:
[ 45.314631] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114654
[ 45.322730] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 45.330481] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 45.337533] page_type: f5(slab)
[ 45.340732] raw: 0bfffe0000000040 ffff00008195ef00 dead000000000122 0000000000000000
[ 45.348572] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 45.356409] head: 0bfffe0000000040 ffff00008195ef00 dead000000000122 0000000000000000
[ 45.364333] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 45.372258] head: 0bfffe0000000001 fffffdffc2519501 00000000ffffffff 00000000ffffffff
[ 45.380180] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 45.388100] page dumped because: kasan: bad access detected
[ 45.393742]
[ 45.395274] Memory state around the buggy address:
[ 45.400134] ffff000094653f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.407449] ffff000094653f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.414754] >ffff000094654000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.422065] ^
[ 45.425342] ffff000094654080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 45.432657] ffff000094654100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.439967] ==================================================================
```
```
[ 27.769993] ==================================================================
[ 27.770113] BUG: KASAN: double-free in kmem_cache_double_free+0x190/0x3c8
[ 27.770191] Free of addr fff00000c5764000 by task kunit_try_catch/221
[ 27.770288]
[ 27.770350] CPU: 0 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 27.770518] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.770547] Hardware name: linux,dummy-virt (DT)
[ 27.770580] Call trace:
[ 27.770647] show_stack+0x20/0x38 (C)
[ 27.770909] dump_stack_lvl+0x8c/0xd0
[ 27.771023] print_report+0x118/0x608
[ 27.771122] kasan_report_invalid_free+0xc0/0xe8
[ 27.771252] check_slab_allocation+0xd4/0x108
[ 27.771316] __kasan_slab_pre_free+0x2c/0x48
[ 27.771367] kmem_cache_free+0xf0/0x468
[ 27.771432] kmem_cache_double_free+0x190/0x3c8
[ 27.771687] kunit_try_run_case+0x170/0x3f0
[ 27.771845] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.771979] kthread+0x328/0x630
[ 27.772160] ret_from_fork+0x10/0x20
[ 27.772323]
[ 27.772414] Allocated by task 221:
[ 27.772535] kasan_save_stack+0x3c/0x68
[ 27.772608] kasan_save_track+0x20/0x40
[ 27.772656] kasan_save_alloc_info+0x40/0x58
[ 27.772693] __kasan_slab_alloc+0xa8/0xb0
[ 27.772732] kmem_cache_alloc_noprof+0x10c/0x398
[ 27.772772] kmem_cache_double_free+0x12c/0x3c8
[ 27.773118] kunit_try_run_case+0x170/0x3f0
[ 27.773304] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.773416] kthread+0x328/0x630
[ 27.773573] ret_from_fork+0x10/0x20
[ 27.773622]
[ 27.773641] Freed by task 221:
[ 27.773667] kasan_save_stack+0x3c/0x68
[ 27.773728] kasan_save_track+0x20/0x40
[ 27.773770] kasan_save_free_info+0x4c/0x78
[ 27.773808] __kasan_slab_free+0x6c/0x98
[ 27.773846] kmem_cache_free+0x260/0x468
[ 27.773883] kmem_cache_double_free+0x140/0x3c8
[ 27.773924] kunit_try_run_case+0x170/0x3f0
[ 27.773961] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.774020] kthread+0x328/0x630
[ 27.774073] ret_from_fork+0x10/0x20
[ 27.774120]
[ 27.774138] The buggy address belongs to the object at fff00000c5764000
[ 27.774138] which belongs to the cache test_cache of size 200
[ 27.774225] The buggy address is located 0 bytes inside of
[ 27.774225] 200-byte region [fff00000c5764000, fff00000c57640c8)
[ 27.774286]
[ 27.774312] The buggy address belongs to the physical page:
[ 27.774355] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105764
[ 27.774421] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 27.774476] page_type: f5(slab)
[ 27.774516] raw: 0bfffe0000000000 fff00000c56d43c0 dead000000000122 0000000000000000
[ 27.774566] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 27.774622] page dumped because: kasan: bad access detected
[ 27.774653]
[ 27.774670] Memory state around the buggy address:
[ 27.774721] fff00000c5763f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.774769] fff00000c5763f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.774826] >fff00000c5764000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.774863] ^
[ 27.774907] fff00000c5764080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 27.774948] fff00000c5764100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.774993] ==================================================================
```
```
[ 22.810761] ==================================================================
[ 22.811339] BUG: KASAN: double-free in kmem_cache_double_free+0x1e5/0x480
[ 22.811693] Free of addr ffff888103ad4000 by task kunit_try_catch/238
[ 22.811963]
[ 22.812052] CPU: 1 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.812106] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.812118] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.812142] Call Trace:
[ 22.812156] <TASK>
[ 22.812177] dump_stack_lvl+0x73/0xb0
[ 22.812209] print_report+0xd1/0x650
[ 22.812241] ? __virt_addr_valid+0x1db/0x2d0
[ 22.812269] ? kasan_complete_mode_report_info+0x64/0x200
[ 22.812294] ? kmem_cache_double_free+0x1e5/0x480
[ 22.812318] kasan_report_invalid_free+0x10a/0x130
[ 22.812341] ? kmem_cache_double_free+0x1e5/0x480
[ 22.812367] ? kmem_cache_double_free+0x1e5/0x480
[ 22.812390] check_slab_allocation+0x101/0x130
[ 22.812411] __kasan_slab_pre_free+0x28/0x40
[ 22.812430] kmem_cache_free+0xed/0x420
[ 22.812453] ? kmem_cache_alloc_noprof+0x123/0x3f0
[ 22.812476] ? kmem_cache_double_free+0x1e5/0x480
[ 22.812501] kmem_cache_double_free+0x1e5/0x480
[ 22.812524] ? __pfx_kmem_cache_double_free+0x10/0x10
[ 22.812546] ? finish_task_switch.isra.0+0x153/0x700
[ 22.812568] ? __switch_to+0x47/0xf50
[ 22.812597] ? __pfx_read_tsc+0x10/0x10
[ 22.812618] ? ktime_get_ts64+0x86/0x230
[ 22.812644] kunit_try_run_case+0x1a5/0x480
[ 22.812670] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.812692] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.812717] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.812741] ? __kthread_parkme+0x82/0x180
[ 22.812762] ? preempt_count_sub+0x50/0x80
[ 22.812785] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.812808] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.812831] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.812853] kthread+0x337/0x6f0
[ 22.812872] ? trace_preempt_on+0x20/0xc0
[ 22.812896] ? __pfx_kthread+0x10/0x10
[ 22.812915] ? _raw_spin_unlock_irq+0x47/0x80
[ 22.812938] ? calculate_sigpending+0x7b/0xa0
[ 22.812961] ? __pfx_kthread+0x10/0x10
[ 22.812981] ret_from_fork+0x116/0x1d0
[ 22.813000] ? __pfx_kthread+0x10/0x10
[ 22.813019] ret_from_fork_asm+0x1a/0x30
[ 22.813050] </TASK>
[ 22.813062]
[ 22.822443] Allocated by task 238:
[ 22.822693] kasan_save_stack+0x45/0x70
[ 22.822863] kasan_save_track+0x18/0x40
[ 22.823071] kasan_save_alloc_info+0x3b/0x50
[ 22.823295] __kasan_slab_alloc+0x91/0xa0
[ 22.823491] kmem_cache_alloc_noprof+0x123/0x3f0
[ 22.823711] kmem_cache_double_free+0x14f/0x480
[ 22.823914] kunit_try_run_case+0x1a5/0x480
[ 22.824093] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.824512] kthread+0x337/0x6f0
[ 22.824757] ret_from_fork+0x116/0x1d0
[ 22.824919] ret_from_fork_asm+0x1a/0x30
[ 22.825333]
[ 22.825408] Freed by task 238:
[ 22.825515] kasan_save_stack+0x45/0x70
[ 22.825647] kasan_save_track+0x18/0x40
[ 22.825773] kasan_save_free_info+0x3f/0x60
[ 22.825910] __kasan_slab_free+0x56/0x70
[ 22.826039] kmem_cache_free+0x249/0x420
[ 22.826243] kmem_cache_double_free+0x16a/0x480
[ 22.826667] kunit_try_run_case+0x1a5/0x480
[ 22.826898] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.827160] kthread+0x337/0x6f0
[ 22.827463] ret_from_fork+0x116/0x1d0
[ 22.827725] ret_from_fork_asm+0x1a/0x30
[ 22.828092]
[ 22.828183] The buggy address belongs to the object at ffff888103ad4000
[ 22.828183] which belongs to the cache test_cache of size 200
[ 22.828730] The buggy address is located 0 bytes inside of
[ 22.828730] 200-byte region [ffff888103ad4000, ffff888103ad40c8)
[ 22.829495]
[ 22.829600] The buggy address belongs to the physical page:
[ 22.829999] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ad4
[ 22.830414] flags: 0x200000000000000(node=0|zone=2)
[ 22.830643] page_type: f5(slab)
[ 22.830763] raw: 0200000000000000 ffff8881015d9780 dead000000000122 0000000000000000
[ 22.830986] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 22.831543] page dumped because: kasan: bad access detected
[ 22.832058]
[ 22.832152] Memory state around the buggy address:
[ 22.832339] ffff888103ad3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.832617] ffff888103ad3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.832931] >ffff888103ad4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.833373] ^
[ 22.833547] ffff888103ad4080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 22.833970] ffff888103ad4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.834449] ==================================================================
```