Date
July 6, 2025, 11:09 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 21.268271] ================================================================== [ 21.268325] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x8c/0x250 [ 21.268379] Write of size 8 at addr fff00000c5709378 by task kunit_try_catch/281 [ 21.268528] [ 21.268768] CPU: 1 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 21.268871] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.269110] Hardware name: linux,dummy-virt (DT) [ 21.269189] Call trace: [ 21.269225] show_stack+0x20/0x38 (C) [ 21.269315] dump_stack_lvl+0x8c/0xd0 [ 21.269436] print_report+0x118/0x608 [ 21.269517] kasan_report+0xdc/0x128 [ 21.269596] kasan_check_range+0x100/0x1a8 [ 21.269657] __kasan_check_write+0x20/0x30 [ 21.269927] copy_to_kernel_nofault+0x8c/0x250 [ 21.270203] copy_to_kernel_nofault_oob+0x1bc/0x418 [ 21.270305] kunit_try_run_case+0x170/0x3f0 [ 21.270365] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.270434] kthread+0x328/0x630 [ 21.270501] ret_from_fork+0x10/0x20 [ 21.270568] [ 21.270603] Allocated by task 281: [ 21.270650] kasan_save_stack+0x3c/0x68 [ 21.270700] kasan_save_track+0x20/0x40 [ 21.270748] kasan_save_alloc_info+0x40/0x58 [ 21.270790] __kasan_kmalloc+0xd4/0xd8 [ 21.270837] __kmalloc_cache_noprof+0x16c/0x3c0 [ 21.270878] copy_to_kernel_nofault_oob+0xc8/0x418 [ 21.270926] kunit_try_run_case+0x170/0x3f0 [ 21.270989] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.271036] kthread+0x328/0x630 [ 21.271069] ret_from_fork+0x10/0x20 [ 21.271118] [ 21.271148] The buggy address belongs to the object at fff00000c5709300 [ 21.271148] which belongs to the cache kmalloc-128 of size 128 [ 21.271217] The buggy address is located 0 bytes to the right of [ 21.271217] allocated 120-byte region [fff00000c5709300, fff00000c5709378) [ 21.271281] [ 21.271356] The buggy address belongs to the physical page: [ 21.271753] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105709 [ 21.271871] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 21.272014] page_type: f5(slab) [ 21.272139] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 21.272330] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 21.272439] page dumped because: kasan: bad access detected [ 21.272492] [ 21.272512] Memory state around the buggy address: [ 21.272547] fff00000c5709200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.272827] fff00000c5709280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.272959] >fff00000c5709300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 21.273071] ^ [ 21.273317] fff00000c5709380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.273502] fff00000c5709400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.273548] ================================================================== [ 21.259947] ================================================================== [ 21.260092] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x204/0x250 [ 21.260259] Read of size 8 at addr fff00000c5709378 by task kunit_try_catch/281 [ 21.260313] [ 21.260348] CPU: 1 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 21.260433] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.260461] Hardware name: linux,dummy-virt (DT) [ 21.260495] Call trace: [ 21.260536] show_stack+0x20/0x38 (C) [ 21.260588] dump_stack_lvl+0x8c/0xd0 [ 21.260636] print_report+0x118/0x608 [ 21.260771] kasan_report+0xdc/0x128 [ 21.260820] __asan_report_load8_noabort+0x20/0x30 [ 21.260868] copy_to_kernel_nofault+0x204/0x250 [ 21.260920] copy_to_kernel_nofault_oob+0x158/0x418 [ 21.261109] kunit_try_run_case+0x170/0x3f0 [ 21.261263] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.261325] kthread+0x328/0x630 [ 21.261369] ret_from_fork+0x10/0x20 [ 21.261707] [ 21.261876] Allocated by task 281: [ 21.261994] kasan_save_stack+0x3c/0x68 [ 21.262058] kasan_save_track+0x20/0x40 [ 21.262100] kasan_save_alloc_info+0x40/0x58 [ 21.262141] __kasan_kmalloc+0xd4/0xd8 [ 21.262578] __kmalloc_cache_noprof+0x16c/0x3c0 [ 21.262692] copy_to_kernel_nofault_oob+0xc8/0x418 [ 21.263015] kunit_try_run_case+0x170/0x3f0 [ 21.263387] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.263457] kthread+0x328/0x630 [ 21.263515] ret_from_fork+0x10/0x20 [ 21.263780] [ 21.263956] The buggy address belongs to the object at fff00000c5709300 [ 21.263956] which belongs to the cache kmalloc-128 of size 128 [ 21.264394] The buggy address is located 0 bytes to the right of [ 21.264394] allocated 120-byte region [fff00000c5709300, fff00000c5709378) [ 21.264535] [ 21.264655] The buggy address belongs to the physical page: [ 21.264690] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105709 [ 21.264758] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 21.265326] page_type: f5(slab) [ 21.265487] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 21.265803] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 21.265973] page dumped because: kasan: bad access detected [ 21.266013] [ 21.266033] Memory state around the buggy address: [ 21.266097] fff00000c5709200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.266145] fff00000c5709280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.266511] >fff00000c5709300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 21.266626] ^ [ 21.266883] fff00000c5709380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.267056] fff00000c5709400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.267100] ==================================================================
[ 15.530556] ================================================================== [ 15.531581] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x225/0x260 [ 15.531846] Read of size 8 at addr ffff8881027aa278 by task kunit_try_catch/298 [ 15.533369] [ 15.533843] CPU: 1 UID: 0 PID: 298 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 15.533901] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.533916] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.533952] Call Trace: [ 15.533969] <TASK> [ 15.533990] dump_stack_lvl+0x73/0xb0 [ 15.534023] print_report+0xd1/0x650 [ 15.534051] ? __virt_addr_valid+0x1db/0x2d0 [ 15.534402] ? copy_to_kernel_nofault+0x225/0x260 [ 15.534431] ? kasan_complete_mode_report_info+0x2a/0x200 [ 15.534480] ? copy_to_kernel_nofault+0x225/0x260 [ 15.534506] kasan_report+0x141/0x180 [ 15.534531] ? copy_to_kernel_nofault+0x225/0x260 [ 15.534563] __asan_report_load8_noabort+0x18/0x20 [ 15.534589] copy_to_kernel_nofault+0x225/0x260 [ 15.534616] copy_to_kernel_nofault_oob+0x1ed/0x560 [ 15.534643] ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10 [ 15.534667] ? finish_task_switch.isra.0+0x153/0x700 [ 15.534692] ? __schedule+0x10cc/0x2b60 [ 15.534715] ? trace_hardirqs_on+0x37/0xe0 [ 15.534749] ? __pfx_read_tsc+0x10/0x10 [ 15.534772] ? ktime_get_ts64+0x86/0x230 [ 15.534798] kunit_try_run_case+0x1a5/0x480 [ 15.534826] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.534851] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.534876] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.534901] ? __kthread_parkme+0x82/0x180 [ 15.534923] ? preempt_count_sub+0x50/0x80 [ 15.534959] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.534985] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.535009] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.535033] kthread+0x337/0x6f0 [ 15.535072] ? trace_preempt_on+0x20/0xc0 [ 15.535099] ? __pfx_kthread+0x10/0x10 [ 15.535126] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.535150] ? calculate_sigpending+0x7b/0xa0 [ 15.535176] ? __pfx_kthread+0x10/0x10 [ 15.535199] ret_from_fork+0x116/0x1d0 [ 15.535221] ? __pfx_kthread+0x10/0x10 [ 15.535244] ret_from_fork_asm+0x1a/0x30 [ 15.535277] </TASK> [ 15.535305] [ 15.549025] Allocated by task 298: [ 15.549176] kasan_save_stack+0x45/0x70 [ 15.549331] kasan_save_track+0x18/0x40 [ 15.549470] kasan_save_alloc_info+0x3b/0x50 [ 15.549624] __kasan_kmalloc+0xb7/0xc0 [ 15.549758] __kmalloc_cache_noprof+0x189/0x420 [ 15.549920] copy_to_kernel_nofault_oob+0x12f/0x560 [ 15.550633] kunit_try_run_case+0x1a5/0x480 [ 15.551218] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.551693] kthread+0x337/0x6f0 [ 15.551980] ret_from_fork+0x116/0x1d0 [ 15.552117] ret_from_fork_asm+0x1a/0x30 [ 15.552482] [ 15.552643] The buggy address belongs to the object at ffff8881027aa200 [ 15.552643] which belongs to the cache kmalloc-128 of size 128 [ 15.553088] The buggy address is located 0 bytes to the right of [ 15.553088] allocated 120-byte region [ffff8881027aa200, ffff8881027aa278) [ 15.554845] [ 15.555043] The buggy address belongs to the physical page: [ 15.555594] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027aa [ 15.556370] flags: 0x200000000000000(node=0|zone=2) [ 15.556643] page_type: f5(slab) [ 15.556974] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 15.557709] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.558042] page dumped because: kasan: bad access detected [ 15.558592] [ 15.558830] Memory state around the buggy address: [ 15.559386] ffff8881027aa100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.560013] ffff8881027aa180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.560710] >ffff8881027aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 15.561350] ^ [ 15.561704] ffff8881027aa280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.561923] ffff8881027aa300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.562268] ================================================================== [ 15.563131] ================================================================== [ 15.563445] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x99/0x260 [ 15.563871] Write of size 8 at addr ffff8881027aa278 by task kunit_try_catch/298 [ 15.564279] [ 15.564492] CPU: 1 UID: 0 PID: 298 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 15.564537] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.564551] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.564574] Call Trace: [ 15.564589] <TASK> [ 15.564607] dump_stack_lvl+0x73/0xb0 [ 15.564635] print_report+0xd1/0x650 [ 15.564659] ? __virt_addr_valid+0x1db/0x2d0 [ 15.564683] ? copy_to_kernel_nofault+0x99/0x260 [ 15.564707] ? kasan_complete_mode_report_info+0x2a/0x200 [ 15.564753] ? copy_to_kernel_nofault+0x99/0x260 [ 15.564791] kasan_report+0x141/0x180 [ 15.564815] ? copy_to_kernel_nofault+0x99/0x260 [ 15.564861] kasan_check_range+0x10c/0x1c0 [ 15.564899] __kasan_check_write+0x18/0x20 [ 15.564921] copy_to_kernel_nofault+0x99/0x260 [ 15.564971] copy_to_kernel_nofault_oob+0x288/0x560 [ 15.564996] ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10 [ 15.565021] ? finish_task_switch.isra.0+0x153/0x700 [ 15.565045] ? __schedule+0x10cc/0x2b60 [ 15.565078] ? trace_hardirqs_on+0x37/0xe0 [ 15.565110] ? __pfx_read_tsc+0x10/0x10 [ 15.565132] ? ktime_get_ts64+0x86/0x230 [ 15.565157] kunit_try_run_case+0x1a5/0x480 [ 15.565183] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.565206] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.565231] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.565281] ? __kthread_parkme+0x82/0x180 [ 15.565303] ? preempt_count_sub+0x50/0x80 [ 15.565326] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.565353] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.565394] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.565420] kthread+0x337/0x6f0 [ 15.565454] ? trace_preempt_on+0x20/0xc0 [ 15.565488] ? __pfx_kthread+0x10/0x10 [ 15.565512] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.565535] ? calculate_sigpending+0x7b/0xa0 [ 15.565560] ? __pfx_kthread+0x10/0x10 [ 15.565583] ret_from_fork+0x116/0x1d0 [ 15.565603] ? __pfx_kthread+0x10/0x10 [ 15.565626] ret_from_fork_asm+0x1a/0x30 [ 15.565656] </TASK> [ 15.565671] [ 15.574974] Allocated by task 298: [ 15.575110] kasan_save_stack+0x45/0x70 [ 15.575259] kasan_save_track+0x18/0x40 [ 15.575392] kasan_save_alloc_info+0x3b/0x50 [ 15.575771] __kasan_kmalloc+0xb7/0xc0 [ 15.576104] __kmalloc_cache_noprof+0x189/0x420 [ 15.576335] copy_to_kernel_nofault_oob+0x12f/0x560 [ 15.576598] kunit_try_run_case+0x1a5/0x480 [ 15.576903] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.577195] kthread+0x337/0x6f0 [ 15.577319] ret_from_fork+0x116/0x1d0 [ 15.577450] ret_from_fork_asm+0x1a/0x30 [ 15.577711] [ 15.577809] The buggy address belongs to the object at ffff8881027aa200 [ 15.577809] which belongs to the cache kmalloc-128 of size 128 [ 15.578575] The buggy address is located 0 bytes to the right of [ 15.578575] allocated 120-byte region [ffff8881027aa200, ffff8881027aa278) [ 15.579044] [ 15.579123] The buggy address belongs to the physical page: [ 15.579365] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027aa [ 15.579836] flags: 0x200000000000000(node=0|zone=2) [ 15.580144] page_type: f5(slab) [ 15.580330] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 15.580761] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.581056] page dumped because: kasan: bad access detected [ 15.581308] [ 15.581425] Memory state around the buggy address: [ 15.581663] ffff8881027aa100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.582042] ffff8881027aa180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.582381] >ffff8881027aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 15.582751] ^ [ 15.583077] ffff8881027aa280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.583409] ffff8881027aa300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.583787] ==================================================================