Date: July 23, 2025, 3:10 a.m.

Environment: qemu-arm64, qemu-x86_64

[   32.714577] ==================================================================
[   32.714647] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   32.714927] Free of addr fff00000c9bfc001 by task kunit_try_catch/276
[   32.715179] 
[   32.715228] CPU: 1 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc7-next-20250723 #1 PREEMPT 
[   32.715546] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   32.715693] Hardware name: linux,dummy-virt (DT)
[   32.715743] Call trace:
[   32.715772]  show_stack+0x20/0x38 (C)
[   32.715827]  dump_stack_lvl+0x8c/0xd0
[   32.715885]  print_report+0x118/0x5e8
[   32.715944]  kasan_report_invalid_free+0xc0/0xe8
[   32.715993]  __kasan_mempool_poison_object+0xfc/0x150
[   32.716053]  mempool_free+0x3f4/0x5f0
[   32.716100]  mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   32.716163]  mempool_kmalloc_large_invalid_free+0xc0/0x118
[   32.716501]  kunit_try_run_case+0x170/0x3f0
[   32.716630]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.716724]  kthread+0x328/0x630
[   32.716770]  ret_from_fork+0x10/0x20
[   32.716819] 
[   32.716841] The buggy address belongs to the physical page:
[   32.716990] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bfc
[   32.717081] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   32.717216] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   32.717323] page_type: f8(unknown)
[   32.717467] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.717596] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.717652] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.717861] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.718195] head: 0bfffe0000000002 ffffc1ffc326ff01 00000000ffffffff 00000000ffffffff
[   32.718303] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   32.718422] page dumped because: kasan: bad access detected
[   32.718456] 
[   32.718762] Memory state around the buggy address:
[   32.719009]  fff00000c9bfbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.719071]  fff00000c9bfbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.719254] >fff00000c9bfc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.719399]                    ^
[   32.719538]  fff00000c9bfc080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.719787]  fff00000c9bfc100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.720400] ==================================================================
[   32.701357] ==================================================================
[   32.701452] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   32.701546] Free of addr fff00000c9bd9e01 by task kunit_try_catch/274
[   32.701611] 
[   32.701661] CPU: 1 UID: 0 PID: 274 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc7-next-20250723 #1 PREEMPT 
[   32.701754] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   32.701787] Hardware name: linux,dummy-virt (DT)
[   32.701819] Call trace:
[   32.701845]  show_stack+0x20/0x38 (C)
[   32.701910]  dump_stack_lvl+0x8c/0xd0
[   32.701958]  print_report+0x118/0x5e8
[   32.702309]  kasan_report_invalid_free+0xc0/0xe8
[   32.702461]  check_slab_allocation+0xfc/0x108
[   32.702581]  __kasan_mempool_poison_object+0x78/0x150
[   32.702707]  mempool_free+0x3f4/0x5f0
[   32.702795]  mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[   32.702878]  mempool_kmalloc_invalid_free+0xc0/0x118
[   32.702999]  kunit_try_run_case+0x170/0x3f0
[   32.703047]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.703315]  kthread+0x328/0x630
[   32.703497]  ret_from_fork+0x10/0x20
[   32.703748] 
[   32.703857] Allocated by task 274:
[   32.703895]  kasan_save_stack+0x3c/0x68
[   32.703954]  kasan_save_track+0x20/0x40
[   32.704004]  kasan_save_alloc_info+0x40/0x58
[   32.704045]  __kasan_mempool_unpoison_object+0x11c/0x180
[   32.704087]  remove_element+0x130/0x1f8
[   32.704432]  mempool_alloc_preallocated+0x58/0xc0
[   32.704556]  mempool_kmalloc_invalid_free_helper+0x94/0x2a8
[   32.704708]  mempool_kmalloc_invalid_free+0xc0/0x118
[   32.704825]  kunit_try_run_case+0x170/0x3f0
[   32.704947]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.705016]  kthread+0x328/0x630
[   32.705103]  ret_from_fork+0x10/0x20
[   32.705234] 
[   32.705261] The buggy address belongs to the object at fff00000c9bd9e00
[   32.705261]  which belongs to the cache kmalloc-128 of size 128
[   32.705323] The buggy address is located 1 bytes inside of
[   32.705323]  128-byte region [fff00000c9bd9e00, fff00000c9bd9e80)
[   32.705384] 
[   32.705406] The buggy address belongs to the physical page:
[   32.705837] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bd9
[   32.705963] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.706058] page_type: f5(slab)
[   32.706150] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.706227] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.706364] page dumped because: kasan: bad access detected
[   32.706432] 
[   32.706491] Memory state around the buggy address:
[   32.706565]  fff00000c9bd9d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.706665]  fff00000c9bd9d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.706762] >fff00000c9bd9e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.707060]                    ^
[   32.707189]  fff00000c9bd9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.707253]  fff00000c9bd9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.707305] ==================================================================

[   27.019745] ==================================================================
[   27.020203] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   27.020711] Free of addr ffff888106228001 by task kunit_try_catch/292
[   27.021351] 
[   27.021601] CPU: 0 UID: 0 PID: 292 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary) 
[   27.021655] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.021668] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.021692] Call Trace:
[   27.021705]  <TASK>
[   27.021723]  dump_stack_lvl+0x73/0xb0
[   27.021756]  print_report+0xd1/0x640
[   27.021780]  ? __virt_addr_valid+0x1db/0x2d0
[   27.021808]  ? kasan_addr_to_slab+0x11/0xa0
[   27.021828]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   27.021854]  kasan_report_invalid_free+0x10a/0x130
[   27.021880]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   27.021907]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   27.021930]  __kasan_mempool_poison_object+0x102/0x1d0
[   27.021956]  mempool_free+0x490/0x640
[   27.021985]  mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   27.022010]  ? __pfx_mempool_kmalloc_invalid_free_helper+0x10/0x10
[   27.022035]  ? update_load_avg+0x1be/0x21b0
[   27.022073]  ? finish_task_switch.isra.0+0x153/0x700
[   27.022100]  mempool_kmalloc_large_invalid_free+0xed/0x140
[   27.022125]  ? __pfx_mempool_kmalloc_large_invalid_free+0x10/0x10
[   27.022167]  ? __pfx_mempool_kmalloc+0x10/0x10
[   27.022191]  ? __pfx_mempool_kfree+0x10/0x10
[   27.022216]  ? __pfx_read_tsc+0x10/0x10
[   27.022239]  ? ktime_get_ts64+0x86/0x230
[   27.022264]  kunit_try_run_case+0x1a5/0x480
[   27.022290]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.022313]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   27.022340]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.022366]  ? __kthread_parkme+0x82/0x180
[   27.022452]  ? preempt_count_sub+0x50/0x80
[   27.022476]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.022501]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.022526]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.022550]  kthread+0x337/0x6f0
[   27.022571]  ? trace_preempt_on+0x20/0xc0
[   27.022597]  ? __pfx_kthread+0x10/0x10
[   27.022618]  ? _raw_spin_unlock_irq+0x47/0x80
[   27.022642]  ? calculate_sigpending+0x7b/0xa0
[   27.022668]  ? __pfx_kthread+0x10/0x10
[   27.022691]  ret_from_fork+0x116/0x1d0
[   27.022711]  ? __pfx_kthread+0x10/0x10
[   27.022731]  ret_from_fork_asm+0x1a/0x30
[   27.022762]  </TASK>
[   27.022774] 
[   27.039717] The buggy address belongs to the physical page:
[   27.039917] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106228
[   27.040856] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   27.041635] flags: 0x200000000000040(head|node=0|zone=2)
[   27.041829] page_type: f8(unknown)
[   27.041959] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   27.042212] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   27.042778] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   27.043323] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   27.043916] head: 0200000000000002 ffffea0004188a01 00000000ffffffff 00000000ffffffff
[   27.044659] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   27.044910] page dumped because: kasan: bad access detected
[   27.045099] 
[   27.045176] Memory state around the buggy address:
[   27.045332]  ffff888106227f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.046162]  ffff888106227f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.046816] >ffff888106228000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.047659]                    ^
[   27.047994]  ffff888106228080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.048626]  ffff888106228100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.049205] ==================================================================
[   26.986257] ==================================================================
[   26.987220] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   26.987514] Free of addr ffff8881060ab201 by task kunit_try_catch/290
[   26.987719] 
[   26.987808] CPU: 1 UID: 0 PID: 290 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary) 
[   26.987861] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.987874] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.987897] Call Trace:
[   26.987910]  <TASK>
[   26.987929]  dump_stack_lvl+0x73/0xb0
[   26.987957]  print_report+0xd1/0x640
[   26.987980]  ? __virt_addr_valid+0x1db/0x2d0
[   26.988006]  ? kasan_complete_mode_report_info+0x2a/0x200
[   26.988032]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   26.988057]  kasan_report_invalid_free+0x10a/0x130
[   26.988082]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   26.988109]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   26.988133]  ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   26.988167]  check_slab_allocation+0x11f/0x130
[   26.988189]  __kasan_mempool_poison_object+0x91/0x1d0
[   26.988213]  mempool_free+0x490/0x640
[   26.988242]  mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[   26.988268]  ? __pfx_mempool_kmalloc_invalid_free_helper+0x10/0x10
[   26.988294]  ? dequeue_entities+0x23f/0x1630
[   26.988317]  ? __kasan_check_write+0x18/0x20
[   26.988341]  ? __pfx_sched_clock_cpu+0x10/0x10
[   26.988362]  ? finish_task_switch.isra.0+0x153/0x700
[   26.988387]  mempool_kmalloc_invalid_free+0xed/0x140
[   26.988542]  ? __pfx_mempool_kmalloc_invalid_free+0x10/0x10
[   26.988582]  ? __pfx_mempool_kmalloc+0x10/0x10
[   26.988606]  ? __pfx_mempool_kfree+0x10/0x10
[   26.988631]  ? __pfx_read_tsc+0x10/0x10
[   26.988654]  ? ktime_get_ts64+0x86/0x230
[   26.988678]  kunit_try_run_case+0x1a5/0x480
[   26.988705]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.988728]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.988754]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.989118]  ? __kthread_parkme+0x82/0x180
[   26.989141]  ? preempt_count_sub+0x50/0x80
[   26.989176]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.989201]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.989226]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.989249]  kthread+0x337/0x6f0
[   26.989269]  ? trace_preempt_on+0x20/0xc0
[   26.989296]  ? __pfx_kthread+0x10/0x10
[   26.989317]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.989341]  ? calculate_sigpending+0x7b/0xa0
[   26.989365]  ? __pfx_kthread+0x10/0x10
[   26.989461]  ret_from_fork+0x116/0x1d0
[   26.989483]  ? __pfx_kthread+0x10/0x10
[   26.989505]  ret_from_fork_asm+0x1a/0x30
[   26.989537]  </TASK>
[   26.989548] 
[   27.003852] Allocated by task 290:
[   27.004016]  kasan_save_stack+0x45/0x70
[   27.004783]  kasan_save_track+0x18/0x40
[   27.005052]  kasan_save_alloc_info+0x3b/0x50
[   27.005335]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   27.005732]  remove_element+0x11e/0x190
[   27.006041]  mempool_alloc_preallocated+0x4d/0x90
[   27.006346]  mempool_kmalloc_invalid_free_helper+0x83/0x2e0
[   27.006703]  mempool_kmalloc_invalid_free+0xed/0x140
[   27.006949]  kunit_try_run_case+0x1a5/0x480
[   27.007517]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.007901]  kthread+0x337/0x6f0
[   27.008080]  ret_from_fork+0x116/0x1d0
[   27.008493]  ret_from_fork_asm+0x1a/0x30
[   27.008793] 
[   27.008901] The buggy address belongs to the object at ffff8881060ab200
[   27.008901]  which belongs to the cache kmalloc-128 of size 128
[   27.009670] The buggy address is located 1 bytes inside of
[   27.009670]  128-byte region [ffff8881060ab200, ffff8881060ab280)
[   27.010604] 
[   27.010691] The buggy address belongs to the physical page:
[   27.011113] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060ab
[   27.011667] flags: 0x200000000000000(node=0|zone=2)
[   27.011895] page_type: f5(slab)
[   27.012170] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   27.012720] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   27.013214] page dumped because: kasan: bad access detected
[   27.013605] 
[   27.013807] Memory state around the buggy address:
[   27.014021]  ffff8881060ab100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.014750]  ffff8881060ab180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.015124] >ffff8881060ab200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.015585]                    ^
[   27.015725]  ffff8881060ab280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.016143]  ffff8881060ab300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.016414] ==================================================================