From: kernel test robot <oliver.sang@intel.com>
To: Christoph Hellwig <hch@lst.de>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
Vlastimil Babka <vbabka@suse.cz>, <linux-mm@kvack.org>,
<oliver.sang@intel.com>
Subject: [linux-next:master] [mempool] 022e94e2c3: BUG:KASAN:double-free_in_mempool_free
Date: Thu, 20 Nov 2025 13:57:20 +0800 [thread overview]
Message-ID: <202511201309.55538605-lkp@intel.com> (raw)
Hello,
kernel test robot noticed "BUG:KASAN:double-free_in_mempool_free" on:
commit: 022e94e2c304505973d00dedca4b1432c231fbf6 ("mempool: add mempool_{alloc,free}_bulk")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master 187dac290bfd0741b9d7d5490af825c33fd9baa4]
in testcase: kunit
version:
with following parameters:
group: group-03
config: x86_64-rhel-9.4-kunit
compiler: gcc-14
test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (Haswell) with 16G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202511201309.55538605-lkp@intel.com
kern :err : [ 152.903458] [ T4181] ==================================================================
kern :err : [ 152.916375] [ T4181] BUG: KASAN: double-free in mempool_free (mm/mempool.c:687 (discriminator 1))
kern :err : [ 152.922918] [ T4181] Free of addr ffff88812a92b800 by task kunit_try_catch/4181
kern :err : [ 152.932343] [ T4181] CPU: 2 UID: 0 PID: 4181 Comm: kunit_try_catch Tainted: G S B N 6.18.0-rc3-00007-g022e94e2c304 #1 PREEMPT(voluntary)
kern :err : [ 152.932348] [ T4181] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
kern :err : [ 152.932350] [ T4181] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
kern :err : [ 152.932351] [ T4181] Call Trace:
kern :err : [ 152.932353] [ T4181] <TASK>
kern :err : [ 152.932354] [ T4181] dump_stack_lvl (lib/dump_stack.c:122)
kern :err : [ 152.932358] [ T4181] print_address_description+0x88/0x320
kern :err : [ 152.932362] [ T4181] print_report (mm/kasan/report.c:483)
kern :err : [ 152.932365] [ T4181] ? mempool_free (mm/mempool.c:687 (discriminator 1))
kern :err : [ 152.932367] [ T4181] kasan_report_invalid_free (mm/kasan/report.c:563)
kern :err : [ 152.932371] [ T4181] ? mempool_free (mm/mempool.c:687 (discriminator 1))
kern :err : [ 152.932374] [ T4181] ? mempool_free (mm/mempool.c:687 (discriminator 1))
kern :err : [ 152.932376] [ T4181] ? mempool_free (mm/mempool.c:687 (discriminator 1))
kern :err : [ 152.932378] [ T4181] check_slab_allocation (mm/kasan/common.c:230)
kern :err : [ 152.932381] [ T4181] __kasan_mempool_poison_object (mm/kasan/common.c:542 (discriminator 1))
kern :err : [ 152.932384] [ T4181] mempool_free_bulk (mm/mempool.c:137 mm/mempool.c:160 mm/mempool.c:653)
kern :err : [ 152.932387] [ T4181] ? mempool_init_node (mm/mempool.c:140 mm/mempool.c:160 mm/mempool.c:245)
kern :err : [ 152.932389] [ T4181] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:111 (discriminator 4) kernel/locking/spinlock.c:162 (discriminator 4))
kern :err : [ 152.932393] [ T4181] mempool_free (mm/mempool.c:687 (discriminator 1))
kern :err : [ 152.932395] [ T4181] ? __pfx_mempool_free (mm/mempool.c:686)
kern :err : [ 152.932398] [ T4181] ? kasan_save_track (mm/kasan/common.c:69 (discriminator 1) mm/kasan/common.c:78 (discriminator 1))
kern :err : [ 152.932400] [ T4181] ? remove_element (mm/mempool.c:172)
kern :err : [ 152.932414] [ T4181] mempool_double_free_helper (mm/kasan/kasan_test_c.c:1444 (discriminator 17)) kasan_test
kern :err : [ 152.932423] [ T4181] ? __pfx_mempool_double_free_helper (mm/kasan/kasan_test_c.c:1436) kasan_test
kern :err : [ 152.932440] [ T4181] ? sched_clock (arch/x86/include/asm/preempt.h:95 arch/x86/kernel/tsc.c:289)
kern :err : [ 152.932442] [ T4181] ? __update_idle_core (kernel/sched/sched.h:1340 kernel/sched/fair.c:7584)
kern :err : [ 152.932445] [ T4181] mempool_kmalloc_double_free (mm/kasan/kasan_test_c.c:1457) kasan_test
kern :err : [ 152.932453] [ T4181] ? __pfx_mempool_kmalloc_double_free (mm/kasan/kasan_test_c.c:1448) kasan_test
kern :err : [ 152.932461] [ T4181] ? __switch_to (arch/x86/include/asm/cpufeature.h:101 arch/x86/kernel/process_64.c:378 arch/x86/kernel/process_64.c:666)
kern :err : [ 152.932463] [ T4181] ? __pfx_mempool_kmalloc (mm/mempool.c:715)
kern :err : [ 152.932466] [ T4181] ? __pfx_mempool_kfree (mm/mempool.c:722)
kern :err : [ 152.932468] [ T4181] ? __pfx_read_tsc (arch/x86/include/asm/tsc.h:57 arch/x86/kernel/tsc.c:1134)
kern :err : [ 152.932471] [ T4181] ? ktime_get_ts64 (kernel/time/timekeeping.c:387 kernel/time/timekeeping.c:404 kernel/time/timekeeping.c:967)
kern :err : [ 152.932474] [ T4181] ? __pfx___schedule (kernel/sched/core.c:6785)
kern :err : [ 152.932477] [ T4181] kunit_try_run_case (lib/kunit/test.c:450 lib/kunit/test.c:493)
kern :err : [ 152.932480] [ T4181] ? __pfx_kunit_try_run_case (lib/kunit/test.c:480)
kern :err : [ 152.932483] [ T4181] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:111 (discriminator 4) kernel/locking/spinlock.c:162 (discriminator 4))
kern :err : [ 152.932486] [ T4181] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
kern :err : [ 152.932489] [ T4181] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
kern :err : [ 152.932492] [ T4181] ? __pfx_kunit_try_run_case (lib/kunit/test.c:480)
kern :err : [ 152.932494] [ T4181] ? __pfx_kunit_generic_run_threadfn_adapter (lib/kunit/try-catch.c:26)
kern :err : [ 152.932498] [ T4181] kunit_generic_run_threadfn_adapter (lib/kunit/try-catch.c:31)
kern :err : [ 152.932501] [ T4181] kthread (kernel/kthread.c:463)
kern :err : [ 152.932503] [ T4181] ? __pfx_kthread (kernel/kthread.c:412)
kern :err : [ 152.932505] [ T4181] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169)
kern :err : [ 152.932509] [ T4181] ? __pfx_kthread (kernel/kthread.c:412)
kern :err : [ 152.932511] [ T4181] ? __pfx_kthread (kernel/kthread.c:412)
kern :err : [ 152.932513] [ T4181] ret_from_fork (arch/x86/kernel/process.c:164)
kern :err : [ 152.932516] [ T4181] ? __pfx_kthread (kernel/kthread.c:412)
kern :err : [ 152.932518] [ T4181] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
kern :err : [ 152.932522] [ T4181] </TASK>
kern :err : [ 153.201368] [ T4181] Allocated by task 4181:
kern :warn : [ 153.205558] [ T4181] kasan_save_stack (mm/kasan/common.c:57)
kern :warn : [ 153.210098] [ T4181] kasan_save_track (mm/kasan/common.c:69 (discriminator 1) mm/kasan/common.c:78 (discriminator 1))
kern :warn : [ 153.214637] [ T4181] remove_element (mm/mempool.c:172)
kern :warn : [ 153.219176] [ T4181] mempool_alloc_preallocated (include/linux/spinlock.h:406 mm/mempool.c:409 mm/mempool.c:585)
kern :warn : [ 153.224582] [ T4181] mempool_double_free_helper (mm/kasan/kasan_test_c.c:1439) kasan_test
kern :warn : [ 153.231213] [ T4181] mempool_kmalloc_double_free (mm/kasan/kasan_test_c.c:1457) kasan_test
kern :warn : [ 153.237839] [ T4181] kunit_try_run_case (lib/kunit/test.c:450 lib/kunit/test.c:493)
kern :warn : [ 153.242727] [ T4181] kunit_generic_run_threadfn_adapter (lib/kunit/try-catch.c:31)
kern :warn : [ 153.248830] [ T4181] kthread (kernel/kthread.c:463)
kern :warn : [ 153.252759] [ T4181] ret_from_fork (arch/x86/kernel/process.c:164)
kern :warn : [ 153.257211] [ T4181] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
kern :err : [ 153.264025] [ T4181] Freed by task 4181:
kern :warn : [ 153.267866] [ T4181] kasan_save_stack (mm/kasan/common.c:57)
kern :warn : [ 153.272416] [ T4181] kasan_save_track (mm/kasan/common.c:69 (discriminator 1) mm/kasan/common.c:78 (discriminator 1))
kern :warn : [ 153.276964] [ T4181] __kasan_save_free_info (mm/kasan/generic.c:590 (discriminator 1))
kern :warn : [ 153.282025] [ T4181] __kasan_mempool_poison_object (mm/kasan/common.c:534)
kern :warn : [ 153.287868] [ T4181] mempool_free_bulk (mm/mempool.c:137 mm/mempool.c:160 mm/mempool.c:653)
kern :warn : [ 153.292668] [ T4181] mempool_free (mm/mempool.c:687 (discriminator 1))
kern :warn : [ 153.296944] [ T4181] mempool_double_free_helper (mm/kasan/kasan_test_c.c:1444 (discriminator 5)) kasan_test
kern :warn : [ 153.303573] [ T4181] mempool_kmalloc_double_free (mm/kasan/kasan_test_c.c:1457) kasan_test
kern :warn : [ 153.310203] [ T4181] kunit_try_run_case (lib/kunit/test.c:450 lib/kunit/test.c:493)
kern :warn : [ 153.315091] [ T4181] kunit_generic_run_threadfn_adapter (lib/kunit/try-catch.c:31)
kern :warn : [ 153.321198] [ T4181] kthread (kernel/kthread.c:463)
kern :warn : [ 153.325127] [ T4181] ret_from_fork (arch/x86/kernel/process.c:164)
kern :warn : [ 153.329576] [ T4181] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
kern :err : [ 153.336387] [ T4181] The buggy address belongs to the object at ffff88812a92b800
which belongs to the cache kmalloc-128 of size 128
kern :err : [ 153.350320] [ T4181] The buggy address is located 0 bytes inside of
128-byte region [ffff88812a92b800, ffff88812a92b880)
kern :err : [ 153.365488] [ T4181] The buggy address belongs to the physical page:
kern :warn : [ 153.371765] [ T4181] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12a92a
kern :warn : [ 153.380478] [ T4181] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
kern :warn : [ 153.388842] [ T4181] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 153.396513] [ T4181] page_type: f5(slab)
kern :warn : [ 153.400355] [ T4181] raw: 0017ffffc0000040 ffff888100042a00 ffffea00040b9600 0000000000000004
kern :warn : [ 153.408806] [ T4181] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
kern :warn : [ 153.417258] [ T4181] head: 0017ffffc0000040 ffff888100042a00 ffffea00040b9600 0000000000000004
kern :warn : [ 153.425800] [ T4181] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
kern :warn : [ 153.434338] [ T4181] head: 0017ffffc0000001 ffffea0004aa4a81 00000000ffffffff 00000000ffffffff
kern :warn : [ 153.442876] [ T4181] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
kern :warn : [ 153.451422] [ T4181] page dumped because: kasan: bad access detected
kern :err : [ 153.459902] [ T4181] Memory state around the buggy address:
kern :err : [ 153.465395] [ T4181] ffff88812a92b700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern :err : [ 153.473335] [ T4181] ffff88812a92b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 153.481266] [ T4181] >ffff88812a92b800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern :err : [ 153.489195] [ T4181] ^
kern :err : [ 153.493121] [ T4181] ffff88812a92b880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 153.501051] [ T4181] ffff88812a92b900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern :err : [ 153.508980] [ T4181] ==================================================================
kern :info : [ 153.517054] [ T3993] ok 51 mempool_kmalloc_double_free
kern :err : [ 153.517141] [ T4183] ==================================================================
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251120/202511201309.55538605-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next reply other threads:[~2025-11-20 5:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-20 5:57 kernel test robot [this message]
2025-11-20 7:27 ` [linux-next:master] [mempool] 022e94e2c3: BUG:KASAN:double-free_in_mempool_free Christoph Hellwig
2025-11-20 11:17 ` Andrey Ryabinin
2025-11-20 12:58 ` Vlastimil Babka
2025-11-21 1:50 ` Oliver Sang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202511201309.55538605-lkp@intel.com \
--to=oliver.sang@intel.com \
--cc=hch@lst.de \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
--cc=oe-lkp@lists.linux.dev \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.