Date | July 25, 2025, 3:13 a.m. |
---|---|
Environment | qemu-arm64, qemu-x86_64 |
qemu-arm64:

```
[ 34.522055] ==================================================================
[ 34.522125] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[ 34.522285] Free of addr fff00000c9a8b401 by task kunit_try_catch/273
[ 34.522335]
[ 34.522597] CPU: 0 UID: 0 PID: 273 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT
[ 34.522924] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 34.523068] Hardware name: linux,dummy-virt (DT)
[ 34.523129] Call trace:
[ 34.523241] show_stack+0x20/0x38 (C)
[ 34.523312] dump_stack_lvl+0x8c/0xd0
[ 34.523369] print_report+0x118/0x5e8
[ 34.523777] kasan_report_invalid_free+0xc0/0xe8
[ 34.524006] check_slab_allocation+0xfc/0x108
[ 34.524156] __kasan_mempool_poison_object+0x78/0x150
[ 34.524244] mempool_free+0x3f4/0x5f0
[ 34.524412] mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[ 34.524523] mempool_kmalloc_invalid_free+0xc0/0x118
[ 34.524788] kunit_try_run_case+0x170/0x3f0
[ 34.524908] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.524985] kthread+0x328/0x630
[ 34.525029] ret_from_fork+0x10/0x20
[ 34.525078]
[ 34.525100] Allocated by task 273:
[ 34.525129] kasan_save_stack+0x3c/0x68
[ 34.525169] kasan_save_track+0x20/0x40
[ 34.525205] kasan_save_alloc_info+0x40/0x58
[ 34.525243] __kasan_mempool_unpoison_object+0x11c/0x180
[ 34.525287] remove_element+0x130/0x1f8
[ 34.525324] mempool_alloc_preallocated+0x58/0xc0
[ 34.525364] mempool_kmalloc_invalid_free_helper+0x94/0x2a8
[ 34.525409] mempool_kmalloc_invalid_free+0xc0/0x118
[ 34.525452] kunit_try_run_case+0x170/0x3f0
[ 34.525491] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.525534] kthread+0x328/0x630
[ 34.525567] ret_from_fork+0x10/0x20
[ 34.525603]
[ 34.525624] The buggy address belongs to the object at fff00000c9a8b400
[ 34.525624] which belongs to the cache kmalloc-128 of size 128
[ 34.525818] The buggy address is located 1 bytes inside of
[ 34.525818] 128-byte region [fff00000c9a8b400, fff00000c9a8b480)
[ 34.526170]
[ 34.526192] The buggy address belongs to the physical page:
[ 34.526232] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a8b
[ 34.526287] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 34.526338] page_type: f5(slab)
[ 34.526381] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 34.526469] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 34.526552] page dumped because: kasan: bad access detected
[ 34.526582]
[ 34.526602] Memory state around the buggy address:
[ 34.526684]  fff00000c9a8b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.526769]  fff00000c9a8b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.526813] >fff00000c9a8b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.526895]                    ^
[ 34.526982]  fff00000c9a8b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.527166]  fff00000c9a8b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.527224] ==================================================================
[ 34.532179] ==================================================================
[ 34.532551] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[ 34.532657] Free of addr fff00000c9bf0001 by task kunit_try_catch/275
[ 34.532739]
[ 34.532773] CPU: 0 UID: 0 PID: 275 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT
[ 34.532861] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 34.532929] Hardware name: linux,dummy-virt (DT)
[ 34.532988] Call trace:
[ 34.533057] show_stack+0x20/0x38 (C)
[ 34.533113] dump_stack_lvl+0x8c/0xd0
[ 34.533162] print_report+0x118/0x5e8
[ 34.533233] kasan_report_invalid_free+0xc0/0xe8
[ 34.533511] __kasan_mempool_poison_object+0xfc/0x150
[ 34.533598] mempool_free+0x3f4/0x5f0
[ 34.533676] mempool_kmalloc_invalid_free_helper+0x118/0x2a8
[ 34.533753] mempool_kmalloc_large_invalid_free+0xc0/0x118
[ 34.533806] kunit_try_run_case+0x170/0x3f0
[ 34.533852] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.533989] kthread+0x328/0x630
[ 34.534067] ret_from_fork+0x10/0x20
[ 34.534123]
[ 34.534144] The buggy address belongs to the physical page:
[ 34.534180] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf0
[ 34.534247] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 34.534296] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 34.534352] page_type: f8(unknown)
[ 34.534426] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 34.534748] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 34.535262] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 34.535313] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 34.535449] head: 0bfffe0000000002 ffffc1ffc326fc01 00000000ffffffff 00000000ffffffff
[ 34.535499] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 34.535539] page dumped because: kasan: bad access detected
[ 34.535570]
[ 34.535590] Memory state around the buggy address:
[ 34.535623]  fff00000c9beff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.535680]  fff00000c9beff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.535724] >fff00000c9bf0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.535762]                    ^
[ 34.535791]  fff00000c9bf0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.535833]  fff00000c9bf0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.535871] ==================================================================
```
qemu-x86_64:

```
[ 27.595661] ==================================================================
[ 27.596519] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.596844] Free of addr ffff888106370001 by task kunit_try_catch/292
[ 27.597237]
[ 27.597406] CPU: 0 UID: 0 PID: 292 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary)
[ 27.597457] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.597470] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.597491] Call Trace:
[ 27.597505] <TASK>
[ 27.597521] dump_stack_lvl+0x73/0xb0
[ 27.597551] print_report+0xd1/0x640
[ 27.597575] ? __virt_addr_valid+0x1db/0x2d0
[ 27.597601] ? kasan_addr_to_slab+0x11/0xa0
[ 27.597622] ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.597650] kasan_report_invalid_free+0x10a/0x130
[ 27.597676] ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.597707] ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.597733] __kasan_mempool_poison_object+0x102/0x1d0
[ 27.597760] mempool_free+0x490/0x640
[ 27.597787] mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.597870] ? __pfx_mempool_kmalloc_invalid_free_helper+0x10/0x10
[ 27.597897] ? update_load_avg+0x1be/0x21b0
[ 27.597925] ? finish_task_switch.isra.0+0x153/0x700
[ 27.597964] mempool_kmalloc_large_invalid_free+0xed/0x140
[ 27.597991] ? __pfx_mempool_kmalloc_large_invalid_free+0x10/0x10
[ 27.598020] ? __pfx_mempool_kmalloc+0x10/0x10
[ 27.598044] ? __pfx_mempool_kfree+0x10/0x10
[ 27.598071] ? __pfx_read_tsc+0x10/0x10
[ 27.598095] ? ktime_get_ts64+0x86/0x230
[ 27.598121] kunit_try_run_case+0x1a5/0x480
[ 27.598145] ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.598169] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.598193] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.598219] ? __kthread_parkme+0x82/0x180
[ 27.598241] ? preempt_count_sub+0x50/0x80
[ 27.598275] ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.598300] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.598324] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.598350] kthread+0x337/0x6f0
[ 27.598370] ? trace_preempt_on+0x20/0xc0
[ 27.598395] ? __pfx_kthread+0x10/0x10
[ 27.598416] ? _raw_spin_unlock_irq+0x47/0x80
[ 27.598441] ? calculate_sigpending+0x7b/0xa0
[ 27.598465] ? __pfx_kthread+0x10/0x10
[ 27.598488] ret_from_fork+0x116/0x1d0
[ 27.598508] ? __pfx_kthread+0x10/0x10
[ 27.598529] ret_from_fork_asm+0x1a/0x30
[ 27.598563] </TASK>
[ 27.598575]
[ 27.607852] The buggy address belongs to the physical page:
[ 27.608228] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106370
[ 27.608526] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 27.608840] flags: 0x200000000000040(head|node=0|zone=2)
[ 27.609261] page_type: f8(unknown)
[ 27.609407] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 27.609648] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 27.609887] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 27.610229] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 27.610580] head: 0200000000000002 ffffea000418dc01 00000000ffffffff 00000000ffffffff
[ 27.611097] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 27.611455] page dumped because: kasan: bad access detected
[ 27.611675]
[ 27.611741] Memory state around the buggy address:
[ 27.611901]  ffff88810636ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.612132]  ffff88810636ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.612460] >ffff888106370000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.613048]                    ^
[ 27.613235]  ffff888106370080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.613529]  ffff888106370100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.613796] ==================================================================
[ 27.570646] ==================================================================
[ 27.571447] BUG: KASAN: invalid-free in mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.571784] Free of addr ffff888105820001 by task kunit_try_catch/290
[ 27.572129]
[ 27.572225] CPU: 0 UID: 0 PID: 290 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary)
[ 27.572290] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.572303] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.572324] Call Trace:
[ 27.572338] <TASK>
[ 27.572356] dump_stack_lvl+0x73/0xb0
[ 27.572386] print_report+0xd1/0x640
[ 27.572410] ? __virt_addr_valid+0x1db/0x2d0
[ 27.572437] ? kasan_complete_mode_report_info+0x2a/0x200
[ 27.572464] ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.572491] kasan_report_invalid_free+0x10a/0x130
[ 27.572517] ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.572546] ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.572572] ? mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.572598] check_slab_allocation+0x11f/0x130
[ 27.572620] __kasan_mempool_poison_object+0x91/0x1d0
[ 27.572646] mempool_free+0x490/0x640
[ 27.572674] mempool_kmalloc_invalid_free_helper+0x132/0x2e0
[ 27.572700] ? __pfx_mempool_kmalloc_invalid_free_helper+0x10/0x10
[ 27.572731] ? finish_task_switch.isra.0+0x153/0x700
[ 27.572759] mempool_kmalloc_invalid_free+0xed/0x140
[ 27.572784] ? __pfx_mempool_kmalloc_invalid_free+0x10/0x10
[ 27.572813] ? __pfx_mempool_kmalloc+0x10/0x10
[ 27.572840] ? __pfx_mempool_kfree+0x10/0x10
[ 27.572866] ? __pfx_read_tsc+0x10/0x10
[ 27.572890] ? ktime_get_ts64+0x86/0x230
[ 27.572916] kunit_try_run_case+0x1a5/0x480
[ 27.572953] ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.572994] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.573024] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.573052] ? __kthread_parkme+0x82/0x180
[ 27.573083] ? preempt_count_sub+0x50/0x80
[ 27.573108] ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.573145] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.573171] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.573195] kthread+0x337/0x6f0
[ 27.573215] ? trace_preempt_on+0x20/0xc0
[ 27.573240] ? __pfx_kthread+0x10/0x10
[ 27.573262] ? _raw_spin_unlock_irq+0x47/0x80
[ 27.573287] ? calculate_sigpending+0x7b/0xa0
[ 27.573312] ? __pfx_kthread+0x10/0x10
[ 27.573335] ret_from_fork+0x116/0x1d0
[ 27.573355] ? __pfx_kthread+0x10/0x10
[ 27.573376] ret_from_fork_asm+0x1a/0x30
[ 27.573409] </TASK>
[ 27.573422]
[ 27.582601] Allocated by task 290:
[ 27.582799] kasan_save_stack+0x45/0x70
[ 27.583023] kasan_save_track+0x18/0x40
[ 27.583274] kasan_save_alloc_info+0x3b/0x50
[ 27.583466] __kasan_mempool_unpoison_object+0x1a9/0x200
[ 27.583648] remove_element+0x11e/0x190
[ 27.583966] mempool_alloc_preallocated+0x4d/0x90
[ 27.584177] mempool_kmalloc_invalid_free_helper+0x83/0x2e0
[ 27.584454] mempool_kmalloc_invalid_free+0xed/0x140
[ 27.584689] kunit_try_run_case+0x1a5/0x480
[ 27.584929] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.585206] kthread+0x337/0x6f0
[ 27.585360] ret_from_fork+0x116/0x1d0
[ 27.585529] ret_from_fork_asm+0x1a/0x30
[ 27.585711]
[ 27.585798] The buggy address belongs to the object at ffff888105820000
[ 27.585798] which belongs to the cache kmalloc-128 of size 128
[ 27.586396] The buggy address is located 1 bytes inside of
[ 27.586396] 128-byte region [ffff888105820000, ffff888105820080)
[ 27.587061]
[ 27.587165] The buggy address belongs to the physical page:
[ 27.587379] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105820
[ 27.587717] flags: 0x200000000000000(node=0|zone=2)
[ 27.588008] page_type: f5(slab)
[ 27.588189] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 27.588487] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 27.588815] page dumped because: kasan: bad access detected
[ 27.589046]
[ 27.589191] Memory state around the buggy address:
[ 27.589376]  ffff88810581ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.589676]  ffff88810581ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.590041] >ffff888105820000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.590291]                    ^
[ 27.590408]  ffff888105820080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.590627]  ffff888105820100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.590879] ==================================================================
```