lkft/linux-mainline-master - v6.15-rc3-1-g9d7a0577c9db - log-parser-test/kasan-bug-kasan-out-of-bounds-in-kmalloc_memmove_negative_size

Date

April 20, 2025, 11:09 p.m.

Environment
x15
x86

[   55.518432] ==================================================================
[   55.529907] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x1b4/0x360
[   55.537536] Read of size 4294967294 at addr cc22ba84 by task kunit_try_catch/236
[   55.544982] 
[   55.546508] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   55.546508] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   55.546539] Hardware name: Generic DRA74X (Flattened Device Tree)
[   55.546539] Call trace: 
[   55.546539]  unwind_backtrace from show_stack+0x18/0x1c
[   55.546569]  show_stack from dump_stack_lvl+0x70/0x90
[   55.546600]  dump_stack_lvl from print_report+0x158/0x528
[   55.546630]  print_report from kasan_report+0xdc/0x118
[   55.546661]  kasan_report from kasan_check_range+0x14c/0x198
[   55.546661]  kasan_check_range from __asan_memmove+0x28/0x68
[   55.546691]  __asan_memmove from kmalloc_memmove_negative_size+0x1b4/0x360
[   55.546722]  kmalloc_memmove_negative_size from kunit_try_run_case+0x22c/0x5a8
[   55.546752]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   55.546783]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   55.546783]  kthread from ret_from_fork+0x14/0x20
[   55.546813] Exception stack(0xf247bfb0 to 0xf247bff8)
[   55.546844] bfa0:                                     00000000 00000000 00000000 00000000
[   55.546844] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   55.546874] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   55.546874] 
[   55.665374] Allocated by task 236:
[   55.668823]  kasan_save_track+0x30/0x5c
[   55.672668]  __kasan_kmalloc+0x8c/0x94
[   55.676452]  kmalloc_memmove_negative_size+0xd0/0x360
[   55.681549]  kunit_try_run_case+0x22c/0x5a8
[   55.685760]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   55.691314]  kthread+0x464/0x810
[   55.694549]  ret_from_fork+0x14/0x20
[   55.698150] 
[   55.699676] The buggy address belongs to the object at cc22ba80
[   55.699676]  which belongs to the cache kmalloc-64 of size 64
[   55.711395] The buggy address is located 4 bytes inside of
[   55.711395]  64-byte region [cc22ba80, cc22bac0)
[   55.721557] 
[   55.723052] The buggy address belongs to the physical page:
[   55.728637] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c22b
[   55.735931] flags: 0x0(zone=0)
[   55.739013] page_type: f5(slab)
[   55.742187] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[   55.750305] raw: 00000000
[   55.752960] page dumped because: kasan: bad access detected
[   55.758575] 
[   55.760070] Memory state around the buggy address:
[   55.764892]  cc22b980: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.771453]  cc22ba00: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.778045] >cc22ba80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   55.784606]            ^
[   55.787170]  cc22bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.793731]  cc22bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.800292] ==================================================================

Metadata Full log Test run details

[   26.287332] ==================================================================
[   26.298762] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[   26.306338] Read of size 18446744073709551614 at addr ffff888107f06084 by task kunit_try_catch/223
[   26.315299] 
[   26.316797] CPU: 1 UID: 0 PID: 223 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   26.316805] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.316807] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   26.316810] Call Trace:
[   26.316812]  <TASK>
[   26.316813]  dump_stack_lvl+0x73/0xb0
[   26.316817]  print_report+0xd1/0x650
[   26.316821]  ? __virt_addr_valid+0x1db/0x2d0
[   26.316824]  ? kmalloc_memmove_negative_size+0x171/0x330
[   26.316829]  ? kasan_complete_mode_report_info+0x2a/0x200
[   26.316833]  ? kmalloc_memmove_negative_size+0x171/0x330
[   26.316838]  kasan_report+0x141/0x180
[   26.316842]  ? kmalloc_memmove_negative_size+0x171/0x330
[   26.316848]  kasan_check_range+0x10c/0x1c0
[   26.316853]  __asan_memmove+0x27/0x70
[   26.316856]  kmalloc_memmove_negative_size+0x171/0x330
[   26.316861]  ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[   26.316866]  ? __schedule+0x10cc/0x2b30
[   26.316871]  ? ktime_get_ts64+0x83/0x230
[   26.316875]  kunit_try_run_case+0x1a2/0x480
[   26.316879]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.316883]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.316888]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.316892]  ? __kthread_parkme+0x82/0x180
[   26.316896]  ? preempt_count_sub+0x50/0x80
[   26.316901]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.316905]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   26.316909]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.316913]  kthread+0x334/0x6f0
[   26.316917]  ? trace_preempt_on+0x20/0xc0
[   26.316921]  ? __pfx_kthread+0x10/0x10
[   26.316926]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.316930]  ? calculate_sigpending+0x7b/0xa0
[   26.316933]  ? __pfx_kthread+0x10/0x10
[   26.316938]  ret_from_fork+0x3e/0x80
[   26.316941]  ? __pfx_kthread+0x10/0x10
[   26.316946]  ret_from_fork_asm+0x1a/0x30
[   26.316951]  </TASK>
[   26.316953] 
[   26.487896] Allocated by task 223:
[   26.491300]  kasan_save_stack+0x45/0x70
[   26.495141]  kasan_save_track+0x18/0x40
[   26.498979]  kasan_save_alloc_info+0x3b/0x50
[   26.503251]  __kasan_kmalloc+0xb7/0xc0
[   26.507005]  __kmalloc_cache_noprof+0x189/0x420
[   26.511536]  kmalloc_memmove_negative_size+0xac/0x330
[   26.516588]  kunit_try_run_case+0x1a2/0x480
[   26.520776]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   26.526184]  kthread+0x334/0x6f0
[   26.529416]  ret_from_fork+0x3e/0x80
[   26.532993]  ret_from_fork_asm+0x1a/0x30
[   26.536921] 
[   26.538419] The buggy address belongs to the object at ffff888107f06080
[   26.538419]  which belongs to the cache kmalloc-64 of size 64
[   26.550757] The buggy address is located 4 bytes inside of
[   26.550757]  64-byte region [ffff888107f06080, ffff888107f060c0)
[   26.562226] 
[   26.563756] The buggy address belongs to the physical page:
[   26.569334] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107f06
[   26.577341] flags: 0x200000000000000(node=0|zone=2)
[   26.582218] page_type: f5(slab)
[   26.585365] raw: 0200000000000000 ffff8881000428c0 dead000000000122 0000000000000000
[   26.593104] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.600842] page dumped because: kasan: bad access detected
[   26.606415] 
[   26.607915] Memory state around the buggy address:
[   26.612721]  ffff888107f05f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.619971]  ffff888107f06000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.627198] >ffff888107f06080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   26.634415]                    ^
[   26.637648]  ffff888107f06100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.644866]  ffff888107f06180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.652088] ==================================================================

Metadata Full log Test run details

Metadata

Failure - x15 - gcc-13-lkftconfig-kunit

Failure - x86 - gcc-13-lkftconfig-kunit