Date: June 26, 2025, 9:10 a.m.

Environment: dragonboard-845c, juno-r2, qemu-arm64, qemu-x86_64

[   32.634748] ==================================================================
[   32.645872] BUG: KASAN: invalid-free in kfree+0x270/0x3c8
[   32.651355] Free of addr ffff0000966fc001 by task kunit_try_catch/236
[   32.657879] 
[   32.659412] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   32.659440] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.659448] Hardware name: Thundercomm Dragonboard 845c (DT)
[   32.659457] Call trace:
[   32.659463]  show_stack+0x20/0x38 (C)
[   32.659482]  dump_stack_lvl+0x8c/0xd0
[   32.659501]  print_report+0x118/0x608
[   32.659519]  kasan_report_invalid_free+0xc0/0xe8
[   32.659541]  __kasan_kfree_large+0x5c/0xa8
[   32.659559]  free_large_kmalloc+0x68/0x150
[   32.659577]  kfree+0x270/0x3c8
[   32.659593]  kmalloc_large_invalid_free+0x108/0x270
[   32.659611]  kunit_try_run_case+0x170/0x3f0
[   32.659630]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.659651]  kthread+0x328/0x630
[   32.659665]  ret_from_fork+0x10/0x20
[   32.659684] 
[   32.733667] The buggy address belongs to the physical page:
[   32.739310] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1166fc
[   32.747414] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   32.755170] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   32.762227] page_type: f8(unknown)
[   32.765698] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.773544] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.781391] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.789324] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.797256] head: 0bfffe0000000002 fffffdffc259bf01 00000000ffffffff 00000000ffffffff
[   32.805187] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   32.813114] page dumped because: kasan: bad access detected
[   32.818757] 
[   32.820286] Memory state around the buggy address:
[   32.825142]  ffff0000966fbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.832456]  ffff0000966fbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.839770] >ffff0000966fc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.847082]                    ^
[   32.850364]  ffff0000966fc080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.857678]  ffff0000966fc100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.864990] ==================================================================

[ 1523.212283] ==================================================================
[ 1523.212310] BUG: KASAN: invalid-free in kfree+0x270/0x3c8
[ 1523.212343] Free of addr ffff0008261f4001 by task kunit_try_catch/221
[ 1523.212370] 
[ 1523.212384] CPU: 4 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[ 1523.212443] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 1523.212460] Hardware name: ARM Juno development board (r2) (DT)
[ 1523.212481] Call trace:
[ 1523.212492]  show_stack+0x20/0x38 (C)
[ 1523.212528]  dump_stack_lvl+0x8c/0xd0
[ 1523.212565]  print_report+0x118/0x608
[ 1523.212604]  kasan_report_invalid_free+0xc0/0xe8
[ 1523.212646]  __kasan_kfree_large+0x5c/0xa8
[ 1523.212686]  free_large_kmalloc+0x68/0x150
[ 1523.212722]  kfree+0x270/0x3c8
[ 1523.212754]  kmalloc_large_invalid_free+0x108/0x270
[ 1523.212792]  kunit_try_run_case+0x170/0x3f0
[ 1523.212830]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 1523.213123] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 1523.217944] BUG: KASAN: slab-out-of-bounds in krealloc_more_oob_helper+0x60c/0x678
[ 1523.217980] Write of size 1 at addr ffff000800d20eeb by task kunit_try_catch/227
[ 1523.218013] 
[ 1523.218027] CPU: 5 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[ 1523.218085] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 1523.218103] Hardware name: ARM Juno development board (r2) (DT)
[ 1523.218124] Call trace:
[ 1523.218135]  show_stack+0x20/0x38 (C)
[ 1523.218170]  dump_stack_lvl+0x8c/0xd0
[ 1523.218208]  print_report+0x118/0x608
[ 1523.218247]  kasan_report+0xdc/0x128
[ 1523.218285]  __asan_report_store1_noabort+0x20/0x30
[ 1523.218321]  krealloc_more_oob_helper+0x60c/0x678
[ 1523.218361]  krealloc_more_oob+0x20/0x38
[ 1523.218397]  kunit_try_run_case+0x170/0x3f0
[ 1523.218435]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 1523.218479]  kthread+0x328/0x630
[ 1523.218509]  ret_from_fork+0x10/0x20
[ 1523.218545] 
[ 1523.218554] Allocated by task 227:
[ 1523.218571]  kasan_save_stack+0x3c/0x68
[ 1523.218603]  kasan_save_track+0x20/0x40
[ 1523.218635]  kasan_save_alloc_info+0x40/0x58
[ 1523.218662]  __kasan_krealloc+0x118/0x178
[ 1523.218694]  krealloc_noprof+0x128/0x360
[ 1523.218726]  krealloc_more_oob_helper+0x168/0x678
[ 1523.218758]  krealloc_more_oob+0x20/0x38
[ 1523.218788]  kunit_try_run_case+0x170/0x3f0
[ 1523.218819]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 1523.218856]  kthread+0x328/0x630
[ 1523.218879]  ret_from_fork+0x10/0x20
[ 1523.218908] 
[ 1523.218917] The buggy address belongs to the object at ffff000800d20e00
[ 1523.218917]  which belongs to the cache kmalloc-256 of size 256
[ 1523.218954] The buggy address is located 0 bytes to the right of
[ 1523.218954]  allocated 235-byte region [ffff000800d20e00, ffff000800d20eeb)
[ 1523.218997] 
[ 1523.219007] The buggy address belongs to the physical page:
[ 1523.219025] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880d20
[ 1523.219058] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1523.219088] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 1523.219121] page_type: f5(slab)
[ 1523.219147] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[ 1523.219181] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 1523.219217] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[ 1523.219251] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 1523.219286] head: 0bfffe0000000001 fffffdffe0034801 00000000ffffffff 00000000ffffffff
[ 1523.219320] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 1523.219346] page dumped because: kasan: bad access detected
[ 1523.219364] 
[ 1523.219373] Memory state around the buggy address:
[ 1523.219392]  ffff000800d20d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1523.219421]  ffff000800d20e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1523.219450] >ffff000800d20e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 03 fc fc
[ 1523.219473]                                                           ^
[ 1523.219498]  ffff000800d20f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1523.219526]  ffff000800d20f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1523.219550] ==================================================================

[   26.602576] ==================================================================
[   26.602779] BUG: KASAN: invalid-free in kfree+0x270/0x3c8
[   26.602930] Free of addr fff00000c6498001 by task kunit_try_catch/162
[   26.603038] 
[   26.603179] CPU: 0 UID: 0 PID: 162 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   26.603289] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.603320] Hardware name: linux,dummy-virt (DT)
[   26.603355] Call trace:
[   26.603375]  show_stack+0x20/0x38 (C)
[   26.603424]  dump_stack_lvl+0x8c/0xd0
[   26.603471]  print_report+0x118/0x608
[   26.603519]  kasan_report_invalid_free+0xc0/0xe8
[   26.603568]  __kasan_kfree_large+0x5c/0xa8
[   26.603614]  free_large_kmalloc+0x68/0x150
[   26.603670]  kfree+0x270/0x3c8
[   26.603842]  kmalloc_large_invalid_free+0x108/0x270
[   26.603912]  kunit_try_run_case+0x170/0x3f0
[   26.603958]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.604075]  kthread+0x328/0x630
[   26.604138]  ret_from_fork+0x10/0x20
[   26.604235] 
[   26.604319] The buggy address belongs to the physical page:
[   26.604372] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106498
[   26.604423] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   26.604468] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   26.604518] page_type: f8(unknown)
[   26.604554] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   26.604602] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   26.604649] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   26.604695] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   26.604741] head: 0bfffe0000000002 ffffc1ffc3192601 00000000ffffffff 00000000ffffffff
[   26.604808] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   26.604846] page dumped because: kasan: bad access detected
[   26.604875] 
[   26.604892] Memory state around the buggy address:
[   26.604935]  fff00000c6497f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.605044]  fff00000c6497f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.605138] >fff00000c6498000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.605173]                    ^
[   26.605300]  fff00000c6498080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.605347]  fff00000c6498100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.605564] ==================================================================

[   21.724507] ==================================================================
[   21.725556] BUG: KASAN: invalid-free in kfree+0x274/0x3f0
[   21.725980] Free of addr ffff888102bb8001 by task kunit_try_catch/179
[   21.726342] 
[   21.726451] CPU: 0 UID: 0 PID: 179 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) 
[   21.726516] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.726529] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.726564] Call Trace:
[   21.726580]  <TASK>
[   21.726601]  dump_stack_lvl+0x73/0xb0
[   21.726633]  print_report+0xd1/0x650
[   21.726656]  ? __virt_addr_valid+0x1db/0x2d0
[   21.726692]  ? kasan_addr_to_slab+0x11/0xa0
[   21.726711]  ? kfree+0x274/0x3f0
[   21.726733]  kasan_report_invalid_free+0x10a/0x130
[   21.726768]  ? kfree+0x274/0x3f0
[   21.726851]  ? kfree+0x274/0x3f0
[   21.726876]  __kasan_kfree_large+0x86/0xd0
[   21.726897]  free_large_kmalloc+0x52/0x110
[   21.726931]  kfree+0x274/0x3f0
[   21.726955]  kmalloc_large_invalid_free+0x120/0x2b0
[   21.726977]  ? __pfx_kmalloc_large_invalid_free+0x10/0x10
[   21.727010]  ? __schedule+0x10cc/0x2b60
[   21.727054]  ? __pfx_read_tsc+0x10/0x10
[   21.727077]  ? ktime_get_ts64+0x86/0x230
[   21.727101]  kunit_try_run_case+0x1a5/0x480
[   21.727127]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.727149]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   21.727173]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.727204]  ? __kthread_parkme+0x82/0x180
[   21.727242]  ? preempt_count_sub+0x50/0x80
[   21.727265]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.727288]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.727311]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.727333]  kthread+0x337/0x6f0
[   21.727352]  ? trace_preempt_on+0x20/0xc0
[   21.727375]  ? __pfx_kthread+0x10/0x10
[   21.727395]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.727417]  ? calculate_sigpending+0x7b/0xa0
[   21.727440]  ? __pfx_kthread+0x10/0x10
[   21.727461]  ret_from_fork+0x116/0x1d0
[   21.727479]  ? __pfx_kthread+0x10/0x10
[   21.727498]  ret_from_fork_asm+0x1a/0x30
[   21.727530]  </TASK>
[   21.727543] 
[   21.738188] The buggy address belongs to the physical page:
[   21.738450] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102bb8
[   21.738785] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   21.739103] flags: 0x200000000000040(head|node=0|zone=2)
[   21.739335] page_type: f8(unknown)
[   21.739489] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   21.739761] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   21.740463] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   21.740721] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   21.741018] head: 0200000000000002 ffffea00040aee01 00000000ffffffff 00000000ffffffff
[   21.741519] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   21.741972] page dumped because: kasan: bad access detected
[   21.742218] 
[   21.742296] Memory state around the buggy address:
[   21.742450]  ffff888102bb7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.742770]  ffff888102bb7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.743090] >ffff888102bb8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.743356]                    ^
[   21.743611]  ffff888102bb8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.743849]  ffff888102bb8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.744318] ==================================================================