[BUG] ACPI: property: KASAN invalid-free when unloading configfs SSDT with hierarchical _DSD subnodes
From: Shuangpeng
Date: Thu Jun 04 2026 - 20:39:57 EST

Hi Kernel Maintainers,

I hit the following KASAN report while testing the current upstream kernel:

KASAN: invalid-free in acpi_destroy_nondev_subnodes

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/4e397435a9482205119b0044cfd0ce80

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[ 98.822019][ T806] ==================================================================
[ 98.847029][ T806] BUG: KASAN: invalid-free in acpi_destroy_nondev_subnodes (./include/acpi/platform/aclinuxex.h:64 drivers/acpi/property.c:667)
[ 98.847737][ T806] Free of addr ffff88810dbc0130 by task kworker/u8:1/806
[ 98.848339][ T806]
[ 98.848556][ T806] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 98.848564][ T806] Workqueue: kacpi_hotplug acpi_device_del_work_fn
[ 98.848569][ T806] Call Trace:
[ 98.848571][ T806] <TASK>
[ 98.848574][ T806] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 98.848577][ T806] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 98.848592][ T806] kasan_report_invalid_free (mm/kasan/report.c:557)
[ 98.848603][ T806] check_slab_allocation (mm/kasan/common.c:?)
[ 98.848607][ T806] kfree (./include/linux/kasan.h:199 mm/slub.c:2634 mm/slub.c:6251 mm/slub.c:6566)
[ 98.848614][ T806] acpi_destroy_nondev_subnodes (./include/acpi/platform/aclinuxex.h:64 drivers/acpi/property.c:667)
[ 98.848620][ T806] acpi_free_properties (drivers/acpi/property.c:676)
[ 98.848633][ T806] acpi_device_release (drivers/acpi/scan.c:521)
[ 98.848637][ T806] device_release (drivers/base/core.c:2562)
[ 98.848640][ T806] kobject_put (lib/kobject.c:689 lib/kobject.c:720 ./include/linux/kref.h:65 lib/kobject.c:737)
[ 98.848644][ T806] acpi_device_del_work_fn (./include/acpi/acpi_bus.h:980 drivers/acpi/scan.c:589)
[ 98.848647][ T806] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[ 98.848654][ T806] worker_thread (kernel/workqueue.c:3478)
[ 98.848661][ T806] kthread (kernel/kthread.c:436)
[ 98.848670][ T806] ret_from_fork (arch/x86/kernel/process.c:158)
[ 98.848682][ T806] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 98.848687][ T806] </TASK>
[ 98.848688][ T806]
[ 98.865113][ T806] Allocated by task 10 on cpu 0 at 95.708432s:
[ 98.865648][ T806] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 98.866058][ T806] __kasan_kmalloc (mm/kasan/common.c:398 mm/kasan/common.c:415)
[ 98.866459][ T806] __kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5296 mm/slub.c:5308)
[ 98.866875][ T806] acpi_ut_initialize_buffer (drivers/acpi/acpica/utalloc.c:?)
[ 98.867351][ T806] acpi_evaluate_object (drivers/acpi/acpica/nsxfeval.c:400)
[ 98.867792][ T806] acpi_evaluate_object_typed (drivers/acpi/acpica/nsxfeval.c:84)
[ 98.868283][ T806] acpi_init_properties (drivers/acpi/property.c:609)
[ 98.868728][ T806] acpi_init_device_object (drivers/acpi/scan.c:1820)
[ 98.869208][ T806] acpi_add_single_object (drivers/acpi/scan.c:1870)
[ 98.869675][ T806] acpi_bus_check_add (drivers/acpi/scan.c:2171)
[ 98.870113][ T806] acpi_ns_walk_namespace (drivers/acpi/acpica/nswalk.c:?)
[ 98.870576][ T806] acpi_walk_namespace (drivers/acpi/acpica/nsxfeval.c:606)
[ 98.871000][ T806] acpi_bus_scan (drivers/acpi/scan.c:2728)
[ 98.871393][ T806] acpi_table_events_fn (drivers/acpi/scan.c:2933)
[ 98.871824][ T806] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[ 98.872294][ T806] worker_thread (kernel/workqueue.c:3478)
[ 98.872689][ T806] kthread (kernel/kthread.c:436)
[ 98.873042][ T806] ret_from_fork (arch/x86/kernel/process.c:158)
[ 98.873441][ T806] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 98.873848][ T806]
[ 98.874057][ T806] The buggy address belongs to the object at ffff88810dbc0000
[ 98.874057][ T806] which belongs to the cache kmalloc-1k of size 1024
[ 98.875239][ T806] The buggy address is located 304 bytes inside of
[ 98.875239][ T806] 888-byte region [ffff88810dbc0000, ffff88810dbc0378)

Best,
Shuangpeng