Date
July 11, 2025, 10:11 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 55.119539] ================================================================== [ 55.129002] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 55.136118] Free of addr ffff000806dcc000 by task kunit_try_catch/321 [ 55.142541] [ 55.144027] CPU: 4 UID: 0 PID: 321 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT [ 55.144089] Tainted: [B]=BAD_PAGE, [N]=TEST [ 55.144106] Hardware name: WinLink E850-96 board (DT) [ 55.144128] Call trace: [ 55.144144] show_stack+0x20/0x38 (C) [ 55.144184] dump_stack_lvl+0x8c/0xd0 [ 55.144218] print_report+0x118/0x5d0 [ 55.144248] kasan_report_invalid_free+0xc0/0xe8 [ 55.144276] __kasan_mempool_poison_object+0x14c/0x150 [ 55.144318] mempool_free+0x28c/0x328 [ 55.144351] mempool_double_free_helper+0x150/0x2e8 [ 55.144390] mempool_kmalloc_large_double_free+0xc0/0x118 [ 55.144428] kunit_try_run_case+0x170/0x3f0 [ 55.144465] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 55.144498] kthread+0x328/0x630 [ 55.144526] ret_from_fork+0x10/0x20 [ 55.144560] [ 55.219191] The buggy address belongs to the physical page: [ 55.224748] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886dcc [ 55.232731] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 55.240370] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 55.247315] page_type: f8(unknown) [ 55.250710] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 55.258430] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 55.266156] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 55.273968] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 55.281781] head: 0bfffe0000000002 fffffdffe01b7301 00000000ffffffff 00000000ffffffff [ 55.289593] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 55.297399] page dumped because: kasan: bad access detected [ 55.302954] [ 55.304429] Memory state around the buggy address: [ 55.309208] ffff000806dcbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.316412] ffff000806dcbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.323619] >ffff000806dcc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.330818] ^ [ 55.334034] ffff000806dcc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.341239] ffff000806dcc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.348440] ================================================================== [ 55.357511] ================================================================== [ 55.368061] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 55.375176] Free of addr ffff000808748000 by task kunit_try_catch/323 [ 55.381600] [ 55.383085] CPU: 3 UID: 0 PID: 323 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT [ 55.383146] Tainted: [B]=BAD_PAGE, [N]=TEST [ 55.383160] Hardware name: WinLink E850-96 board (DT) [ 55.383183] Call trace: [ 55.383196] show_stack+0x20/0x38 (C) [ 55.383231] dump_stack_lvl+0x8c/0xd0 [ 55.383266] print_report+0x118/0x5d0 [ 55.383292] kasan_report_invalid_free+0xc0/0xe8 [ 55.383321] __kasan_mempool_poison_pages+0xe0/0xe8 [ 55.383366] mempool_free+0x24c/0x328 [ 55.383399] mempool_double_free_helper+0x150/0x2e8 [ 55.383433] mempool_page_alloc_double_free+0xbc/0x118 [ 55.383470] kunit_try_run_case+0x170/0x3f0 [ 55.383505] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 55.383539] kthread+0x328/0x630 [ 55.383569] ret_from_fork+0x10/0x20 [ 55.383607] [ 55.457729] The buggy address belongs to the physical page: [ 55.463285] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x888748 [ 55.471270] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 55.477789] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 55.485510] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 55.493229] page dumped because: kasan: bad access detected [ 55.498784] [ 55.500260] Memory state around the buggy address: [ 55.505040] ffff000808747f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.512243] ffff000808747f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.519450] >ffff000808748000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.526649] ^ [ 55.529864] ffff000808748080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.537068] ffff000808748100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.544270] ================================================================== [ 54.744006] ================================================================== [ 54.753748] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 54.760862] Free of addr ffff000803b8ae00 by task kunit_try_catch/319 [ 54.767287] [ 54.768772] CPU: 5 UID: 0 PID: 319 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT [ 54.768827] Tainted: [B]=BAD_PAGE, [N]=TEST [ 54.768843] Hardware name: WinLink E850-96 board (DT) [ 54.768866] Call trace: [ 54.768879] show_stack+0x20/0x38 (C) [ 54.768912] dump_stack_lvl+0x8c/0xd0 [ 54.768947] print_report+0x118/0x5d0 [ 54.768976] kasan_report_invalid_free+0xc0/0xe8 [ 54.769007] check_slab_allocation+0xd4/0x108 [ 54.769045] __kasan_mempool_poison_object+0x78/0x150 [ 54.769086] mempool_free+0x28c/0x328 [ 54.769119] mempool_double_free_helper+0x150/0x2e8 [ 54.769153] mempool_kmalloc_double_free+0xc0/0x118 [ 54.769186] kunit_try_run_case+0x170/0x3f0 [ 54.769227] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 54.769260] kthread+0x328/0x630 [ 54.769291] ret_from_fork+0x10/0x20 [ 54.769324] [ 54.847667] Allocated by task 319: [ 54.851055] kasan_save_stack+0x3c/0x68 [ 54.854871] kasan_save_track+0x20/0x40 [ 54.858690] kasan_save_alloc_info+0x40/0x58 [ 54.862944] __kasan_mempool_unpoison_object+0x11c/0x180 [ 54.868240] remove_element+0x130/0x1f8 [ 54.872058] mempool_alloc_preallocated+0x58/0xc0 [ 54.876745] mempool_double_free_helper+0x94/0x2e8 [ 54.881520] mempool_kmalloc_double_free+0xc0/0x118 [ 54.886381] kunit_try_run_case+0x170/0x3f0 [ 54.890547] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 54.896016] kthread+0x328/0x630 [ 54.899228] ret_from_fork+0x10/0x20 [ 54.902787] [ 54.904264] Freed by task 319: [ 54.907300] kasan_save_stack+0x3c/0x68 [ 54.911120] kasan_save_track+0x20/0x40 [ 54.914939] kasan_save_free_info+0x4c/0x78 [ 54.919106] __kasan_mempool_poison_object+0xc0/0x150 [ 54.924140] mempool_free+0x28c/0x328 [ 54.927786] mempool_double_free_helper+0x100/0x2e8 [ 54.932647] mempool_kmalloc_double_free+0xc0/0x118 [ 54.937508] kunit_try_run_case+0x170/0x3f0 [ 54.941675] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 54.947143] kthread+0x328/0x630 [ 54.950355] ret_from_fork+0x10/0x20 [ 54.953915] [ 54.955391] The buggy address belongs to the object at ffff000803b8ae00 [ 54.955391] which belongs to the cache kmalloc-128 of size 128 [ 54.967892] The buggy address is located 0 bytes inside of [ 54.967892] 128-byte region [ffff000803b8ae00, ffff000803b8ae80) [ 54.979435] [ 54.980914] The buggy address belongs to the physical page: [ 54.986470] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883b8a [ 54.994454] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 55.002093] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 55.009036] page_type: f5(slab) [ 55.012172] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 55.019892] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 55.027619] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 55.035430] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 55.043243] head: 0bfffe0000000001 fffffdffe00ee281 00000000ffffffff 00000000ffffffff [ 55.051055] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 55.058860] page dumped because: kasan: bad access detected [ 55.064416] [ 55.065891] Memory state around the buggy address: [ 55.070670] ffff000803b8ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.077875] ffff000803b8ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 55.085081] >ffff000803b8ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.092280] ^ [ 55.095496] ffff000803b8ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 55.102700] ffff000803b8af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 55.109903] ==================================================================
[ 32.506805] ================================================================== [ 32.507177] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 32.507285] Free of addr fff00000c9b68000 by task kunit_try_catch/268 [ 32.507345] [ 32.507403] CPU: 0 UID: 0 PID: 268 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT [ 32.507492] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.507518] Hardware name: linux,dummy-virt (DT) [ 32.507560] Call trace: [ 32.507586] show_stack+0x20/0x38 (C) [ 32.507657] dump_stack_lvl+0x8c/0xd0 [ 32.507705] print_report+0x118/0x5d0 [ 32.507750] kasan_report_invalid_free+0xc0/0xe8 [ 32.507993] __kasan_mempool_poison_object+0x14c/0x150 [ 32.508056] mempool_free+0x28c/0x328 [ 32.508109] mempool_double_free_helper+0x150/0x2e8 [ 32.508179] mempool_kmalloc_large_double_free+0xc0/0x118 [ 32.508232] kunit_try_run_case+0x170/0x3f0 [ 32.508297] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.508361] kthread+0x328/0x630 [ 32.508404] ret_from_fork+0x10/0x20 [ 32.508614] [ 32.508702] The buggy address belongs to the physical page: [ 32.508753] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b68 [ 32.508828] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.508879] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.508941] page_type: f8(unknown) [ 32.509018] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 32.509083] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 32.509164] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 32.509217] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 32.509266] head: 0bfffe0000000002 ffffc1ffc326da01 00000000ffffffff 00000000ffffffff [ 32.509673] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 32.509798] page dumped because: kasan: bad access detected [ 32.509843] [ 32.509861] Memory state around the buggy address: [ 32.509897] fff00000c9b67f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.509962] fff00000c9b67f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.510006] >fff00000c9b68000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.510385] ^ [ 32.510462] fff00000c9b68080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.510541] fff00000c9b68100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.510652] ================================================================== [ 32.492990] ================================================================== [ 32.493185] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 32.493255] Free of addr fff00000c99f0d00 by task kunit_try_catch/266 [ 32.493469] [ 32.493551] CPU: 0 UID: 0 PID: 266 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT [ 32.493675] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.493735] Hardware name: linux,dummy-virt (DT) [ 32.493822] Call trace: [ 32.493882] show_stack+0x20/0x38 (C) [ 32.494006] dump_stack_lvl+0x8c/0xd0 [ 32.494095] print_report+0x118/0x5d0 [ 32.494152] kasan_report_invalid_free+0xc0/0xe8 [ 32.494200] check_slab_allocation+0xd4/0x108 [ 32.494413] __kasan_mempool_poison_object+0x78/0x150 [ 32.494468] mempool_free+0x28c/0x328 [ 32.494581] mempool_double_free_helper+0x150/0x2e8 [ 32.494667] mempool_kmalloc_double_free+0xc0/0x118 [ 32.494770] kunit_try_run_case+0x170/0x3f0 [ 32.494844] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.494946] kthread+0x328/0x630 [ 32.495009] ret_from_fork+0x10/0x20 [ 32.495066] [ 32.495084] Allocated by task 266: [ 32.495267] kasan_save_stack+0x3c/0x68 [ 32.495337] kasan_save_track+0x20/0x40 [ 32.495398] kasan_save_alloc_info+0x40/0x58 [ 32.495504] __kasan_mempool_unpoison_object+0x11c/0x180 [ 32.495590] remove_element+0x130/0x1f8 [ 32.495637] mempool_alloc_preallocated+0x58/0xc0 [ 32.495676] mempool_double_free_helper+0x94/0x2e8 [ 32.495902] mempool_kmalloc_double_free+0xc0/0x118 [ 32.495990] kunit_try_run_case+0x170/0x3f0 [ 32.496032] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.496305] kthread+0x328/0x630 [ 32.496429] ret_from_fork+0x10/0x20 [ 32.496517] [ 32.496597] Freed by task 266: [ 32.496637] kasan_save_stack+0x3c/0x68 [ 32.496675] kasan_save_track+0x20/0x40 [ 32.496751] kasan_save_free_info+0x4c/0x78 [ 32.496966] __kasan_mempool_poison_object+0xc0/0x150 [ 32.497084] mempool_free+0x28c/0x328 [ 32.497192] mempool_double_free_helper+0x100/0x2e8 [ 32.497271] mempool_kmalloc_double_free+0xc0/0x118 [ 32.497342] kunit_try_run_case+0x170/0x3f0 [ 32.497531] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.497714] kthread+0x328/0x630 [ 32.497855] ret_from_fork+0x10/0x20 [ 32.497913] [ 32.497956] The buggy address belongs to the object at fff00000c99f0d00 [ 32.497956] which belongs to the cache kmalloc-128 of size 128 [ 32.498062] The buggy address is located 0 bytes inside of [ 32.498062] 128-byte region [fff00000c99f0d00, fff00000c99f0d80) [ 32.498125] [ 32.498146] The buggy address belongs to the physical page: [ 32.498186] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099f0 [ 32.498503] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.498625] page_type: f5(slab) [ 32.498683] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.498781] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.498858] page dumped because: kasan: bad access detected [ 32.498957] [ 32.499019] Memory state around the buggy address: [ 32.499062] fff00000c99f0c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.499125] fff00000c99f0c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.499381] >fff00000c99f0d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.499580] ^ [ 32.499658] fff00000c99f0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.499751] fff00000c99f0e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.499825] ================================================================== [ 32.520295] ================================================================== [ 32.520368] BUG: KASAN: double-free in mempool_double_free_helper+0x150/0x2e8 [ 32.520458] Free of addr fff00000c9b68000 by task kunit_try_catch/270 [ 32.520502] [ 32.520540] CPU: 0 UID: 0 PID: 270 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT [ 32.520772] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.520941] Hardware name: linux,dummy-virt (DT) [ 32.520987] Call trace: [ 32.521081] show_stack+0x20/0x38 (C) [ 32.521149] dump_stack_lvl+0x8c/0xd0 [ 32.521198] print_report+0x118/0x5d0 [ 32.521260] kasan_report_invalid_free+0xc0/0xe8 [ 32.521520] __kasan_mempool_poison_pages+0xe0/0xe8 [ 32.521638] mempool_free+0x24c/0x328 [ 32.521769] mempool_double_free_helper+0x150/0x2e8 [ 32.521860] mempool_page_alloc_double_free+0xbc/0x118 [ 32.521964] kunit_try_run_case+0x170/0x3f0 [ 32.522056] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.522132] kthread+0x328/0x630 [ 32.522195] ret_from_fork+0x10/0x20 [ 32.522295] [ 32.522378] The buggy address belongs to the physical page: [ 32.522423] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b68 [ 32.522479] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.522570] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 32.522621] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 32.522705] page dumped because: kasan: bad access detected [ 32.522738] [ 32.522975] Memory state around the buggy address: [ 32.523059] fff00000c9b67f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.523134] fff00000c9b67f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.523250] >fff00000c9b68000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.523363] ^ [ 32.523477] fff00000c9b68080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.523557] fff00000c9b68100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.523633] ==================================================================
[ 25.555438] ================================================================== [ 25.556208] BUG: KASAN: double-free in mempool_double_free_helper+0x184/0x370 [ 25.556642] Free of addr ffff888102bac000 by task kunit_try_catch/289 [ 25.557299] [ 25.557621] CPU: 1 UID: 0 PID: 289 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) [ 25.557899] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.557915] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.557940] Call Trace: [ 25.557954] <TASK> [ 25.557973] dump_stack_lvl+0x73/0xb0 [ 25.558010] print_report+0xd1/0x610 [ 25.558034] ? __virt_addr_valid+0x1db/0x2d0 [ 25.558061] ? kasan_addr_to_slab+0x11/0xa0 [ 25.558081] ? mempool_double_free_helper+0x184/0x370 [ 25.558107] kasan_report_invalid_free+0x10a/0x130 [ 25.558131] ? mempool_double_free_helper+0x184/0x370 [ 25.558158] ? mempool_double_free_helper+0x184/0x370 [ 25.558181] __kasan_mempool_poison_pages+0x115/0x130 [ 25.558205] mempool_free+0x290/0x380 [ 25.558234] mempool_double_free_helper+0x184/0x370 [ 25.558257] ? __pfx_mempool_double_free_helper+0x10/0x10 [ 25.558434] ? __pfx_sched_clock_cpu+0x10/0x10 [ 25.558460] ? finish_task_switch.isra.0+0x153/0x700 [ 25.558487] mempool_page_alloc_double_free+0xe8/0x140 [ 25.558513] ? __pfx_mempool_page_alloc_double_free+0x10/0x10 [ 25.558539] ? __kasan_check_write+0x18/0x20 [ 25.558564] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 25.558587] ? __pfx_mempool_free_pages+0x10/0x10 [ 25.558613] ? __pfx_read_tsc+0x10/0x10 [ 25.558636] ? ktime_get_ts64+0x86/0x230 [ 25.558658] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 25.558687] kunit_try_run_case+0x1a5/0x480 [ 25.558710] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.558758] ? queued_spin_lock_slowpath+0x116/0xb40 [ 25.558783] ? __kthread_parkme+0x82/0x180 [ 25.558804] ? preempt_count_sub+0x50/0x80 [ 25.558827] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.558850] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.558875] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.558900] kthread+0x337/0x6f0 [ 25.558920] ? trace_preempt_on+0x20/0xc0 [ 25.558944] ? __pfx_kthread+0x10/0x10 [ 25.558965] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.558987] ? calculate_sigpending+0x7b/0xa0 [ 25.559012] ? __pfx_kthread+0x10/0x10 [ 25.559035] ret_from_fork+0x116/0x1d0 [ 25.559053] ? __pfx_kthread+0x10/0x10 [ 25.559075] ret_from_fork_asm+0x1a/0x30 [ 25.559105] </TASK> [ 25.559118] [ 25.572213] The buggy address belongs to the physical page: [ 25.572675] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102bac [ 25.573183] flags: 0x200000000000000(node=0|zone=2) [ 25.573518] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 25.573855] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 25.574173] page dumped because: kasan: bad access detected [ 25.574848] [ 25.574937] Memory state around the buggy address: [ 25.575175] ffff888102babf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.575717] ffff888102babf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.576342] >ffff888102bac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.576889] ^ [ 25.577156] ffff888102bac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.577756] ffff888102bac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.578043] ================================================================== [ 25.521849] ================================================================== [ 25.522384] BUG: KASAN: double-free in mempool_double_free_helper+0x184/0x370 [ 25.523269] Free of addr ffff888102bac000 by task kunit_try_catch/287 [ 25.523634] [ 25.523929] CPU: 1 UID: 0 PID: 287 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) [ 25.524141] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.524158] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.524183] Call Trace: [ 25.524200] <TASK> [ 25.524221] dump_stack_lvl+0x73/0xb0 [ 25.524259] print_report+0xd1/0x610 [ 25.524375] ? __virt_addr_valid+0x1db/0x2d0 [ 25.524407] ? kasan_addr_to_slab+0x11/0xa0 [ 25.524438] ? mempool_double_free_helper+0x184/0x370 [ 25.524464] kasan_report_invalid_free+0x10a/0x130 [ 25.524490] ? mempool_double_free_helper+0x184/0x370 [ 25.524518] ? mempool_double_free_helper+0x184/0x370 [ 25.524541] __kasan_mempool_poison_object+0x1b3/0x1d0 [ 25.524566] mempool_free+0x2ec/0x380 [ 25.524595] mempool_double_free_helper+0x184/0x370 [ 25.524619] ? __pfx_mempool_double_free_helper+0x10/0x10 [ 25.524643] ? update_load_avg+0x1be/0x21b0 [ 25.524669] ? dequeue_entities+0x27e/0x1740 [ 25.524696] ? finish_task_switch.isra.0+0x153/0x700 [ 25.524724] mempool_kmalloc_large_double_free+0xed/0x140 [ 25.524764] ? __pfx_mempool_kmalloc_large_double_free+0x10/0x10 [ 25.524792] ? __pfx_mempool_kmalloc+0x10/0x10 [ 25.524814] ? __pfx_mempool_kfree+0x10/0x10 [ 25.524839] ? __pfx_read_tsc+0x10/0x10 [ 25.524862] ? ktime_get_ts64+0x86/0x230 [ 25.524888] kunit_try_run_case+0x1a5/0x480 [ 25.524913] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.524933] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.524958] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.524983] ? __kthread_parkme+0x82/0x180 [ 25.525005] ? preempt_count_sub+0x50/0x80 [ 25.525029] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.525050] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.525075] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.525101] kthread+0x337/0x6f0 [ 25.525122] ? trace_preempt_on+0x20/0xc0 [ 25.525147] ? __pfx_kthread+0x10/0x10 [ 25.525169] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.525191] ? calculate_sigpending+0x7b/0xa0 [ 25.525217] ? __pfx_kthread+0x10/0x10 [ 25.525239] ret_from_fork+0x116/0x1d0 [ 25.525259] ? __pfx_kthread+0x10/0x10 [ 25.525302] ret_from_fork_asm+0x1a/0x30 [ 25.525336] </TASK> [ 25.525348] [ 25.539057] The buggy address belongs to the physical page: [ 25.539306] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102bac [ 25.539951] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 25.540598] flags: 0x200000000000040(head|node=0|zone=2) [ 25.540882] page_type: f8(unknown) [ 25.541170] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 25.541724] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 25.542183] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 25.542771] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000 [ 25.543229] head: 0200000000000002 ffffea00040aeb01 00000000ffffffff 00000000ffffffff [ 25.543703] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 25.544021] page dumped because: kasan: bad access detected [ 25.544270] [ 25.544351] Memory state around the buggy address: [ 25.545057] ffff888102babf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.545519] ffff888102babf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.545960] >ffff888102bac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.546445] ^ [ 25.546719] ffff888102bac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.547144] ffff888102bac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.547593] ================================================================== [ 25.484118] ================================================================== [ 25.484654] BUG: KASAN: double-free in mempool_double_free_helper+0x184/0x370 [ 25.484988] Free of addr ffff888104cacb00 by task kunit_try_catch/285 [ 25.485255] [ 25.485364] CPU: 0 UID: 0 PID: 285 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) [ 25.485416] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.485429] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.485453] Call Trace: [ 25.485468] <TASK> [ 25.485487] dump_stack_lvl+0x73/0xb0 [ 25.485523] print_report+0xd1/0x610 [ 25.485545] ? __virt_addr_valid+0x1db/0x2d0 [ 25.485573] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.485600] ? mempool_double_free_helper+0x184/0x370 [ 25.485624] kasan_report_invalid_free+0x10a/0x130 [ 25.485648] ? mempool_double_free_helper+0x184/0x370 [ 25.485673] ? mempool_double_free_helper+0x184/0x370 [ 25.485694] ? mempool_double_free_helper+0x184/0x370 [ 25.485717] check_slab_allocation+0x101/0x130 [ 25.485779] __kasan_mempool_poison_object+0x91/0x1d0 [ 25.485804] mempool_free+0x2ec/0x380 [ 25.485833] mempool_double_free_helper+0x184/0x370 [ 25.485856] ? __pfx_mempool_double_free_helper+0x10/0x10 [ 25.485932] ? __pfx_sched_clock_cpu+0x10/0x10 [ 25.485976] ? finish_task_switch.isra.0+0x153/0x700 [ 25.486004] mempool_kmalloc_double_free+0xed/0x140 [ 25.486028] ? __pfx_mempool_kmalloc_double_free+0x10/0x10 [ 25.486054] ? __pfx_mempool_kmalloc+0x10/0x10 [ 25.486077] ? __pfx_mempool_kfree+0x10/0x10 [ 25.486102] ? __pfx_read_tsc+0x10/0x10 [ 25.486125] ? ktime_get_ts64+0x86/0x230 [ 25.486150] kunit_try_run_case+0x1a5/0x480 [ 25.486175] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.486195] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.486218] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.486243] ? __kthread_parkme+0x82/0x180 [ 25.486609] ? preempt_count_sub+0x50/0x80 [ 25.486636] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.486660] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.486686] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.486713] kthread+0x337/0x6f0 [ 25.486746] ? trace_preempt_on+0x20/0xc0 [ 25.486773] ? __pfx_kthread+0x10/0x10 [ 25.486795] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.486817] ? calculate_sigpending+0x7b/0xa0 [ 25.486843] ? __pfx_kthread+0x10/0x10 [ 25.486866] ret_from_fork+0x116/0x1d0 [ 25.486887] ? __pfx_kthread+0x10/0x10 [ 25.486911] ret_from_fork_asm+0x1a/0x30 [ 25.486943] </TASK> [ 25.486956] [ 25.500676] Allocated by task 285: [ 25.500879] kasan_save_stack+0x45/0x70 [ 25.501192] kasan_save_track+0x18/0x40 [ 25.501377] kasan_save_alloc_info+0x3b/0x50 [ 25.501581] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 25.501824] remove_element+0x11e/0x190 [ 25.502001] mempool_alloc_preallocated+0x4d/0x90 [ 25.502206] mempool_double_free_helper+0x8a/0x370 [ 25.502414] mempool_kmalloc_double_free+0xed/0x140 [ 25.502622] kunit_try_run_case+0x1a5/0x480 [ 25.503292] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.503550] kthread+0x337/0x6f0 [ 25.503780] ret_from_fork+0x116/0x1d0 [ 25.504223] ret_from_fork_asm+0x1a/0x30 [ 25.504669] [ 25.504770] Freed by task 285: [ 25.504916] kasan_save_stack+0x45/0x70 [ 25.505297] kasan_save_track+0x18/0x40 [ 25.505593] kasan_save_free_info+0x3f/0x60 [ 25.505878] __kasan_mempool_poison_object+0x131/0x1d0 [ 25.506210] mempool_free+0x2ec/0x380 [ 25.506614] mempool_double_free_helper+0x109/0x370 [ 25.506863] mempool_kmalloc_double_free+0xed/0x140 [ 25.507261] kunit_try_run_case+0x1a5/0x480 [ 25.507605] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.508002] kthread+0x337/0x6f0 [ 25.508234] ret_from_fork+0x116/0x1d0 [ 25.508497] ret_from_fork_asm+0x1a/0x30 [ 25.508879] [ 25.508957] The buggy address belongs to the object at ffff888104cacb00 [ 25.508957] which belongs to the cache kmalloc-128 of size 128 [ 25.509721] The buggy address is located 0 bytes inside of [ 25.509721] 128-byte region [ffff888104cacb00, ffff888104cacb80) [ 25.510263] [ 25.510362] The buggy address belongs to the physical page: [ 25.510609] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cac [ 25.510905] flags: 0x200000000000000(node=0|zone=2) [ 25.511133] page_type: f5(slab) [ 25.511288] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.511602] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.512533] page dumped because: kasan: bad access detected [ 25.512907] [ 25.512997] Memory state around the buggy address: [ 25.513337] ffff888104caca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.513883] ffff888104caca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.514193] >ffff888104cacb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.514678] ^ [ 25.514868] ffff888104cacb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.515161] ffff888104cacc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.515802] ==================================================================