Date
July 3, 2025, 10:10 a.m.
Environment |
---|
dragonboard-845c |
qemu-arm64 |
qemu-x86_64 |
[ 50.527886] ================================================================== [ 50.539970] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 50.547202] Free of addr ffff000096d10000 by task kunit_try_catch/346 [ 50.553732] [ 50.555273] CPU: 5 UID: 0 PID: 346 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 50.555304] Tainted: [B]=BAD_PAGE, [N]=TEST [ 50.555313] Hardware name: Thundercomm Dragonboard 845c (DT) [ 50.555325] Call trace: [ 50.555332] show_stack+0x20/0x38 (C) [ 50.555350] dump_stack_lvl+0x8c/0xd0 [ 50.555370] print_report+0x118/0x608 [ 50.555391] kasan_report_invalid_free+0xc0/0xe8 [ 50.555412] __kasan_mempool_poison_object+0x14c/0x150 [ 50.555433] mempool_free+0x28c/0x328 [ 50.555450] mempool_double_free_helper+0x150/0x2e8 [ 50.555470] mempool_kmalloc_large_double_free+0xc0/0x118 [ 50.555489] kunit_try_run_case+0x170/0x3f0 [ 50.555508] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.555529] kthread+0x328/0x630 [ 50.555544] ret_from_fork+0x10/0x20 [ 50.555562] [ 50.632486] The buggy address belongs to the physical page: [ 50.638132] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116d10 [ 50.646237] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 50.653991] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 50.661043] page_type: f8(unknown) [ 50.664504] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 50.672348] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 50.680194] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 50.688120] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 50.696049] head: 0bfffe0000000002 fffffdffc25b4401 00000000ffffffff 00000000ffffffff [ 50.703981] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 50.711908] page dumped because: kasan: bad access detected [ 50.717551] [ 50.719084] Memory 
state around the buggy address: [ 50.723936] ffff000096d0ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.731246] ffff000096d0ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.738557] >ffff000096d10000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.745864] ^ [ 50.749146] ffff000096d10080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.756455] ffff000096d10100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.763772] ================================================================== [ 50.775160] ================================================================== [ 50.787784] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 50.795020] Free of addr ffff00008553c000 by task kunit_try_catch/348 [ 50.801544] [ 50.803078] CPU: 3 UID: 0 PID: 348 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 50.803110] Tainted: [B]=BAD_PAGE, [N]=TEST [ 50.803120] Hardware name: Thundercomm Dragonboard 845c (DT) [ 50.803134] Call trace: [ 50.803142] show_stack+0x20/0x38 (C) [ 50.803161] dump_stack_lvl+0x8c/0xd0 [ 50.803184] print_report+0x118/0x608 [ 50.803205] kasan_report_invalid_free+0xc0/0xe8 [ 50.803226] __kasan_mempool_poison_pages+0xe0/0xe8 [ 50.803252] mempool_free+0x24c/0x328 [ 50.803271] mempool_double_free_helper+0x150/0x2e8 [ 50.803291] mempool_page_alloc_double_free+0xbc/0x118 [ 50.803314] kunit_try_run_case+0x170/0x3f0 [ 50.803335] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.803358] kthread+0x328/0x630 [ 50.803375] ret_from_fork+0x10/0x20 [ 50.803393] [ 50.879848] The buggy address belongs to the physical page: [ 50.885504] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10553c [ 50.893611] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 50.900236] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 50.908086] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 50.915931] page dumped because: kasan: bad access 
detected [ 50.921583] [ 50.923111] Memory state around the buggy address: [ 50.927974] ffff00008553bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.935294] ffff00008553bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.942614] >ffff00008553c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.949929] ^ [ 50.953219] ffff00008553c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.960536] ffff00008553c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.967851] ================================================================== [ 50.139739] ================================================================== [ 50.151398] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 50.158641] Free of addr ffff000082240900 by task kunit_try_catch/344 [ 50.165169] [ 50.166709] CPU: 3 UID: 0 PID: 344 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 50.166742] Tainted: [B]=BAD_PAGE, [N]=TEST [ 50.166753] Hardware name: Thundercomm Dragonboard 845c (DT) [ 50.166769] Call trace: [ 50.166777] show_stack+0x20/0x38 (C) [ 50.166797] dump_stack_lvl+0x8c/0xd0 [ 50.166821] print_report+0x118/0x608 [ 50.166843] kasan_report_invalid_free+0xc0/0xe8 [ 50.166866] check_slab_allocation+0xd4/0x108 [ 50.166891] __kasan_mempool_poison_object+0x78/0x150 [ 50.166913] mempool_free+0x28c/0x328 [ 50.166934] mempool_double_free_helper+0x150/0x2e8 [ 50.166954] mempool_kmalloc_double_free+0xc0/0x118 [ 50.166974] kunit_try_run_case+0x170/0x3f0 [ 50.166995] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.167019] kthread+0x328/0x630 [ 50.167037] ret_from_fork+0x10/0x20 [ 50.167058] [ 50.247832] Allocated by task 344: [ 50.251300] kasan_save_stack+0x3c/0x68 [ 50.255213] kasan_save_track+0x20/0x40 [ 50.259125] kasan_save_alloc_info+0x40/0x58 [ 50.263464] __kasan_mempool_unpoison_object+0x11c/0x180 [ 50.268865] remove_element+0x130/0x1f8 [ 50.272775] mempool_alloc_preallocated+0x58/0xc0 [ 50.277560] mempool_double_free_helper+0x94/0x2e8 
[ 50.282432] mempool_kmalloc_double_free+0xc0/0x118 [ 50.287393] kunit_try_run_case+0x170/0x3f0 [ 50.291646] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.297219] kthread+0x328/0x630 [ 50.300513] ret_from_fork+0x10/0x20 [ 50.304154] [ 50.305685] Freed by task 344: [ 50.308801] kasan_save_stack+0x3c/0x68 [ 50.312713] kasan_save_track+0x20/0x40 [ 50.316625] kasan_save_free_info+0x4c/0x78 [ 50.320877] __kasan_mempool_poison_object+0xc0/0x150 [ 50.326012] mempool_free+0x28c/0x328 [ 50.329738] mempool_double_free_helper+0x100/0x2e8 [ 50.334695] mempool_kmalloc_double_free+0xc0/0x118 [ 50.339652] kunit_try_run_case+0x170/0x3f0 [ 50.343905] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 50.349481] kthread+0x328/0x630 [ 50.352773] ret_from_fork+0x10/0x20 [ 50.356413] [ 50.357948] The buggy address belongs to the object at ffff000082240900 [ 50.357948] which belongs to the cache kmalloc-128 of size 128 [ 50.370609] The buggy address is located 0 bytes inside of [ 50.370609] 128-byte region [ffff000082240900, ffff000082240980) [ 50.382310] [ 50.383849] The buggy address belongs to the physical page: [ 50.389501] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102240 [ 50.397611] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 50.405371] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 50.412436] page_type: f5(slab) [ 50.415647] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000 [ 50.423497] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 50.431347] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000 [ 50.439281] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 50.447218] head: 0bfffe0000000001 fffffdffc2089001 00000000ffffffff 00000000ffffffff [ 50.455155] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 50.463085] page dumped because: kasan: bad access detected [ 50.468733] [ 
50.470264] Memory state around the buggy address: [ 50.475131] ffff000082240800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.482448] ffff000082240880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.489767] >ffff000082240900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.497082] ^ [ 50.500372] ffff000082240980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.507691] ffff000082240a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 50.515008] ==================================================================
[ 33.148998] ================================================================== [ 33.149058] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 33.149118] Free of addr fff00000c9c7c000 by task kunit_try_catch/269 [ 33.149163] [ 33.149196] CPU: 0 UID: 0 PID: 269 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 33.149282] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.149309] Hardware name: linux,dummy-virt (DT) [ 33.149343] Call trace: [ 33.149366] show_stack+0x20/0x38 (C) [ 33.149413] dump_stack_lvl+0x8c/0xd0 [ 33.149463] print_report+0x118/0x608 [ 33.149511] kasan_report_invalid_free+0xc0/0xe8 [ 33.149561] __kasan_mempool_poison_object+0x14c/0x150 [ 33.149615] mempool_free+0x28c/0x328 [ 33.149661] mempool_double_free_helper+0x150/0x2e8 [ 33.149712] mempool_kmalloc_large_double_free+0xc0/0x118 [ 33.149765] kunit_try_run_case+0x170/0x3f0 [ 33.149814] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.149965] kthread+0x328/0x630 [ 33.150061] ret_from_fork+0x10/0x20 [ 33.150110] [ 33.150131] The buggy address belongs to the physical page: [ 33.150227] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c7c [ 33.150500] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 33.150599] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 33.150702] page_type: f8(unknown) [ 33.150831] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 33.150892] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 33.150944] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 33.151034] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 33.151084] head: 0bfffe0000000002 ffffc1ffc3271f01 00000000ffffffff 00000000ffffffff [ 33.151141] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 33.151304] page dumped because: kasan: bad access detected [ 33.151363] [ 33.151382] Memory state around 
the buggy address: [ 33.151415] fff00000c9c7bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.151491] fff00000c9c7bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.151535] >fff00000c9c7c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.151574] ^ [ 33.151601] fff00000c9c7c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.151680] fff00000c9c7c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.151854] ================================================================== [ 33.160004] ================================================================== [ 33.160145] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 33.160310] Free of addr fff00000c9c7c000 by task kunit_try_catch/271 [ 33.160511] [ 33.160632] CPU: 0 UID: 0 PID: 271 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 33.160726] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.160753] Hardware name: linux,dummy-virt (DT) [ 33.160785] Call trace: [ 33.160813] show_stack+0x20/0x38 (C) [ 33.161067] dump_stack_lvl+0x8c/0xd0 [ 33.161232] print_report+0x118/0x608 [ 33.161291] kasan_report_invalid_free+0xc0/0xe8 [ 33.161341] __kasan_mempool_poison_pages+0xe0/0xe8 [ 33.161401] mempool_free+0x24c/0x328 [ 33.161617] mempool_double_free_helper+0x150/0x2e8 [ 33.161805] mempool_page_alloc_double_free+0xbc/0x118 [ 33.162130] kunit_try_run_case+0x170/0x3f0 [ 33.162548] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.162745] kthread+0x328/0x630 [ 33.162888] ret_from_fork+0x10/0x20 [ 33.162938] [ 33.162960] The buggy address belongs to the physical page: [ 33.162990] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c7c [ 33.163070] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.163138] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 33.163192] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 33.163658] page dumped because: kasan: bad access detected [ 33.163742] [ 
33.163862] Memory state around the buggy address: [ 33.163898] fff00000c9c7bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.163944] fff00000c9c7bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.163987] >fff00000c9c7c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.164026] ^ [ 33.164053] fff00000c9c7c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.164128] fff00000c9c7c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.164201] ================================================================== [ 33.134258] ================================================================== [ 33.134332] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 33.134398] Free of addr fff00000c9ae3c00 by task kunit_try_catch/267 [ 33.134442] [ 33.134480] CPU: 0 UID: 0 PID: 267 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 33.134567] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.134595] Hardware name: linux,dummy-virt (DT) [ 33.134627] Call trace: [ 33.134652] show_stack+0x20/0x38 (C) [ 33.134701] dump_stack_lvl+0x8c/0xd0 [ 33.134754] print_report+0x118/0x608 [ 33.134801] kasan_report_invalid_free+0xc0/0xe8 [ 33.136003] check_slab_allocation+0xd4/0x108 [ 33.136086] __kasan_mempool_poison_object+0x78/0x150 [ 33.136545] mempool_free+0x28c/0x328 [ 33.136695] mempool_double_free_helper+0x150/0x2e8 [ 33.136748] mempool_kmalloc_double_free+0xc0/0x118 [ 33.136802] kunit_try_run_case+0x170/0x3f0 [ 33.136868] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.136925] kthread+0x328/0x630 [ 33.136996] ret_from_fork+0x10/0x20 [ 33.137369] [ 33.137419] Allocated by task 267: [ 33.137494] kasan_save_stack+0x3c/0x68 [ 33.137542] kasan_save_track+0x20/0x40 [ 33.137582] kasan_save_alloc_info+0x40/0x58 [ 33.137630] __kasan_mempool_unpoison_object+0x11c/0x180 [ 33.137676] remove_element+0x130/0x1f8 [ 33.137714] mempool_alloc_preallocated+0x58/0xc0 [ 33.138041] mempool_double_free_helper+0x94/0x2e8 [ 33.138123] 
mempool_kmalloc_double_free+0xc0/0x118 [ 33.138168] kunit_try_run_case+0x170/0x3f0 [ 33.138207] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.138253] kthread+0x328/0x630 [ 33.138285] ret_from_fork+0x10/0x20 [ 33.138323] [ 33.138342] Freed by task 267: [ 33.138371] kasan_save_stack+0x3c/0x68 [ 33.138410] kasan_save_track+0x20/0x40 [ 33.138447] kasan_save_free_info+0x4c/0x78 [ 33.138485] __kasan_mempool_poison_object+0xc0/0x150 [ 33.138528] mempool_free+0x28c/0x328 [ 33.138575] mempool_double_free_helper+0x100/0x2e8 [ 33.138615] mempool_kmalloc_double_free+0xc0/0x118 [ 33.138657] kunit_try_run_case+0x170/0x3f0 [ 33.138695] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.139066] kthread+0x328/0x630 [ 33.139102] ret_from_fork+0x10/0x20 [ 33.139141] [ 33.139160] The buggy address belongs to the object at fff00000c9ae3c00 [ 33.139160] which belongs to the cache kmalloc-128 of size 128 [ 33.139226] The buggy address is located 0 bytes inside of [ 33.139226] 128-byte region [fff00000c9ae3c00, fff00000c9ae3c80) [ 33.139296] [ 33.139319] The buggy address belongs to the physical page: [ 33.139350] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ae3 [ 33.139642] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.139703] page_type: f5(slab) [ 33.139749] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 33.139811] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 33.139863] page dumped because: kasan: bad access detected [ 33.140054] [ 33.140074] Memory state around the buggy address: [ 33.140110] fff00000c9ae3b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.140516] fff00000c9ae3b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.140606] >fff00000c9ae3c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.140646] ^ [ 33.140675] fff00000c9ae3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.140733] fff00000c9ae3d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 [ 33.140773] ==================================================================
[ 24.863935] ================================================================== [ 24.864341] BUG: KASAN: double-free in mempool_double_free_helper+0x184/0x370 [ 24.864642] Free of addr ffff888106164000 by task kunit_try_catch/288 [ 24.865738] [ 24.866045] CPU: 0 UID: 0 PID: 288 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) [ 24.866101] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.866218] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.866248] Call Trace: [ 24.866262] <TASK> [ 24.866279] dump_stack_lvl+0x73/0xb0 [ 24.866312] print_report+0xd1/0x650 [ 24.866335] ? __virt_addr_valid+0x1db/0x2d0 [ 24.866361] ? kasan_addr_to_slab+0x11/0xa0 [ 24.866386] ? mempool_double_free_helper+0x184/0x370 [ 24.866431] kasan_report_invalid_free+0x10a/0x130 [ 24.866482] ? mempool_double_free_helper+0x184/0x370 [ 24.866509] ? mempool_double_free_helper+0x184/0x370 [ 24.866532] __kasan_mempool_poison_pages+0x115/0x130 [ 24.866557] mempool_free+0x290/0x380 [ 24.866584] mempool_double_free_helper+0x184/0x370 [ 24.866609] ? __pfx_mempool_double_free_helper+0x10/0x10 [ 24.866633] ? __kasan_check_write+0x18/0x20 [ 24.866656] ? __pfx_sched_clock_cpu+0x10/0x10 [ 24.866679] ? finish_task_switch.isra.0+0x153/0x700 [ 24.866705] mempool_page_alloc_double_free+0xe8/0x140 [ 24.866731] ? __pfx_mempool_page_alloc_double_free+0x10/0x10 [ 24.866758] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 24.866781] ? __pfx_mempool_free_pages+0x10/0x10 [ 24.866806] ? __pfx_read_tsc+0x10/0x10 [ 24.866828] ? ktime_get_ts64+0x86/0x230 [ 24.866852] kunit_try_run_case+0x1a5/0x480 [ 24.866879] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.866903] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.866926] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.866952] ? __kthread_parkme+0x82/0x180 [ 24.866973] ? preempt_count_sub+0x50/0x80 [ 24.866996] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.867021] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.867045] ? 
__pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.867069] kthread+0x337/0x6f0 [ 24.867089] ? trace_preempt_on+0x20/0xc0 [ 24.867112] ? __pfx_kthread+0x10/0x10 [ 24.867152] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.867191] ? calculate_sigpending+0x7b/0xa0 [ 24.867216] ? __pfx_kthread+0x10/0x10 [ 24.867239] ret_from_fork+0x116/0x1d0 [ 24.867258] ? __pfx_kthread+0x10/0x10 [ 24.867279] ret_from_fork_asm+0x1a/0x30 [ 24.867310] </TASK> [ 24.867322] [ 24.878961] The buggy address belongs to the physical page: [ 24.879422] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106164 [ 24.879846] flags: 0x200000000000000(node=0|zone=2) [ 24.880074] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 24.880685] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 24.880977] page dumped because: kasan: bad access detected [ 24.881206] [ 24.881391] Memory state around the buggy address: [ 24.881609] ffff888106163f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.881915] ffff888106163f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.882193] >ffff888106164000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.882893] ^ [ 24.883054] ffff888106164080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.883476] ffff888106164100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.883766] ================================================================== [ 24.793079] ================================================================== [ 24.793664] BUG: KASAN: double-free in mempool_double_free_helper+0x184/0x370 [ 24.793901] Free of addr ffff888105540800 by task kunit_try_catch/284 [ 24.794096] [ 24.794182] CPU: 1 UID: 0 PID: 284 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) [ 24.794233] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.794246] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.794269] Call Trace: [ 24.794281] <TASK> [ 
24.794298] dump_stack_lvl+0x73/0xb0 [ 24.794324] print_report+0xd1/0x650 [ 24.794347] ? __virt_addr_valid+0x1db/0x2d0 [ 24.794370] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.794395] ? mempool_double_free_helper+0x184/0x370 [ 24.794419] kasan_report_invalid_free+0x10a/0x130 [ 24.794442] ? mempool_double_free_helper+0x184/0x370 [ 24.794477] ? mempool_double_free_helper+0x184/0x370 [ 24.794500] ? mempool_double_free_helper+0x184/0x370 [ 24.794522] check_slab_allocation+0x101/0x130 [ 24.794548] __kasan_mempool_poison_object+0x91/0x1d0 [ 24.794572] mempool_free+0x2ec/0x380 [ 24.794597] mempool_double_free_helper+0x184/0x370 [ 24.794621] ? __pfx_mempool_double_free_helper+0x10/0x10 [ 24.794648] ? finish_task_switch.isra.0+0x153/0x700 [ 24.794673] mempool_kmalloc_double_free+0xed/0x140 [ 24.794695] ? __pfx_mempool_kmalloc_double_free+0x10/0x10 [ 24.794721] ? __pfx_mempool_kmalloc+0x10/0x10 [ 24.794743] ? __pfx_mempool_kfree+0x10/0x10 [ 24.794767] ? __pfx_read_tsc+0x10/0x10 [ 24.794789] ? ktime_get_ts64+0x86/0x230 [ 24.794812] kunit_try_run_case+0x1a5/0x480 [ 24.794839] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.794862] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.794884] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.794909] ? __kthread_parkme+0x82/0x180 [ 24.794929] ? preempt_count_sub+0x50/0x80 [ 24.794951] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.794975] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.794999] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.795023] kthread+0x337/0x6f0 [ 24.795042] ? trace_preempt_on+0x20/0xc0 [ 24.795064] ? __pfx_kthread+0x10/0x10 [ 24.795084] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.795108] ? calculate_sigpending+0x7b/0xa0 [ 24.795130] ? __pfx_kthread+0x10/0x10 [ 24.795152] ret_from_fork+0x116/0x1d0 [ 24.795170] ? 
__pfx_kthread+0x10/0x10 [ 24.795190] ret_from_fork_asm+0x1a/0x30 [ 24.795221] </TASK> [ 24.795232] [ 24.813423] Allocated by task 284: [ 24.813967] kasan_save_stack+0x45/0x70 [ 24.814208] kasan_save_track+0x18/0x40 [ 24.814340] kasan_save_alloc_info+0x3b/0x50 [ 24.814493] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 24.814934] remove_element+0x11e/0x190 [ 24.815089] mempool_alloc_preallocated+0x4d/0x90 [ 24.815833] mempool_double_free_helper+0x8a/0x370 [ 24.816388] mempool_kmalloc_double_free+0xed/0x140 [ 24.816817] kunit_try_run_case+0x1a5/0x480 [ 24.817327] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.817684] kthread+0x337/0x6f0 [ 24.818005] ret_from_fork+0x116/0x1d0 [ 24.818550] ret_from_fork_asm+0x1a/0x30 [ 24.818921] [ 24.819082] Freed by task 284: [ 24.819465] kasan_save_stack+0x45/0x70 [ 24.819623] kasan_save_track+0x18/0x40 [ 24.819752] kasan_save_free_info+0x3f/0x60 [ 24.819891] __kasan_mempool_poison_object+0x131/0x1d0 [ 24.820052] mempool_free+0x2ec/0x380 [ 24.820228] mempool_double_free_helper+0x109/0x370 [ 24.821009] mempool_kmalloc_double_free+0xed/0x140 [ 24.821369] kunit_try_run_case+0x1a5/0x480 [ 24.821559] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.822248] kthread+0x337/0x6f0 [ 24.822836] ret_from_fork+0x116/0x1d0 [ 24.823368] ret_from_fork_asm+0x1a/0x30 [ 24.823626] [ 24.823695] The buggy address belongs to the object at ffff888105540800 [ 24.823695] which belongs to the cache kmalloc-128 of size 128 [ 24.824049] The buggy address is located 0 bytes inside of [ 24.824049] 128-byte region [ffff888105540800, ffff888105540880) [ 24.825480] [ 24.825854] The buggy address belongs to the physical page: [ 24.826786] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105540 [ 24.827522] flags: 0x200000000000000(node=0|zone=2) [ 24.827889] page_type: f5(slab) [ 24.828018] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.828361] raw: 0000000000000000 0000000080100010 00000000f5000000 
0000000000000000 [ 24.829300] page dumped because: kasan: bad access detected [ 24.830030] [ 24.830305] Memory state around the buggy address: [ 24.830886] ffff888105540700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.831110] ffff888105540780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.831942] >ffff888105540800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.832696] ^ [ 24.832824] ffff888105540880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.833039] ffff888105540900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.833271] ================================================================== [ 24.837542] ================================================================== [ 24.838046] BUG: KASAN: double-free in mempool_double_free_helper+0x184/0x370 [ 24.838338] Free of addr ffff88810607c000 by task kunit_try_catch/286 [ 24.838856] [ 24.838975] CPU: 1 UID: 0 PID: 286 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) [ 24.839028] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.839042] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.839065] Call Trace: [ 24.839077] <TASK> [ 24.839094] dump_stack_lvl+0x73/0xb0 [ 24.839124] print_report+0xd1/0x650 [ 24.839147] ? __virt_addr_valid+0x1db/0x2d0 [ 24.839290] ? kasan_addr_to_slab+0x11/0xa0 [ 24.839315] ? mempool_double_free_helper+0x184/0x370 [ 24.839339] kasan_report_invalid_free+0x10a/0x130 [ 24.839363] ? mempool_double_free_helper+0x184/0x370 [ 24.839389] ? mempool_double_free_helper+0x184/0x370 [ 24.839412] __kasan_mempool_poison_object+0x1b3/0x1d0 [ 24.839436] mempool_free+0x2ec/0x380 [ 24.839509] mempool_double_free_helper+0x184/0x370 [ 24.839559] ? __pfx_mempool_double_free_helper+0x10/0x10 [ 24.839581] ? update_load_avg+0x1be/0x21b0 [ 24.839605] ? dequeue_entities+0x27e/0x1740 [ 24.839630] ? finish_task_switch.isra.0+0x153/0x700 [ 24.839656] mempool_kmalloc_large_double_free+0xed/0x140 [ 24.839681] ? 
__pfx_mempool_kmalloc_large_double_free+0x10/0x10 [ 24.839708] ? __pfx_mempool_kmalloc+0x10/0x10 [ 24.839729] ? __pfx_mempool_kfree+0x10/0x10 [ 24.839753] ? __pfx_read_tsc+0x10/0x10 [ 24.839776] ? ktime_get_ts64+0x86/0x230 [ 24.839801] kunit_try_run_case+0x1a5/0x480 [ 24.839827] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.839849] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.839871] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.839897] ? __kthread_parkme+0x82/0x180 [ 24.839918] ? preempt_count_sub+0x50/0x80 [ 24.839941] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.839965] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.839988] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.840012] kthread+0x337/0x6f0 [ 24.840032] ? trace_preempt_on+0x20/0xc0 [ 24.840055] ? __pfx_kthread+0x10/0x10 [ 24.840076] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.840099] ? calculate_sigpending+0x7b/0xa0 [ 24.840123] ? __pfx_kthread+0x10/0x10 [ 24.840145] ret_from_fork+0x116/0x1d0 [ 24.840163] ? __pfx_kthread+0x10/0x10 [ 24.840238] ret_from_fork_asm+0x1a/0x30 [ 24.840270] </TASK> [ 24.840280] [ 24.851780] The buggy address belongs to the physical page: [ 24.852142] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10607c [ 24.852862] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 24.853482] flags: 0x200000000000040(head|node=0|zone=2) [ 24.853853] page_type: f8(unknown) [ 24.854030] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 24.854653] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 24.855145] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 24.855783] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 24.856322] head: 0200000000000002 ffffea0004181f01 00000000ffffffff 00000000ffffffff [ 24.856640] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 24.856944] page dumped because: kasan: bad access detected [ 24.857392] 
[ 24.857515] Memory state around the buggy address: [ 24.857901] ffff88810607bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.858566] ffff88810607bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.858983] >ffff88810607c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.859512] ^ [ 24.859804] ffff88810607c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.860496] ffff88810607c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.860942] ==================================================================