lkft/linux-mainline-master - v6.16-rc6-121-g6832a9317eee - log-parser-boot/kasan-bug-kasan-out-of-bounds-in-kmalloc_memmove_negative_size

Date

July 17, 2025, 11:11 p.m.

Environment
qemu-arm64
qemu-x86_64

[   16.725836] ==================================================================
[   16.726089] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[   16.726211] Read of size 18446744073709551614 at addr fff00000c7848804 by task kunit_try_catch/180
[   16.726364] 
[   16.726466] CPU: 1 UID: 0 PID: 180 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.726552] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.726901] Hardware name: linux,dummy-virt (DT)
[   16.726954] Call trace:
[   16.726980]  show_stack+0x20/0x38 (C)
[   16.727034]  dump_stack_lvl+0x8c/0xd0
[   16.727152]  print_report+0x118/0x5d0
[   16.727272]  kasan_report+0xdc/0x128
[   16.727545]  kasan_check_range+0x100/0x1a8
[   16.727599]  __asan_memmove+0x3c/0x98
[   16.727809]  kmalloc_memmove_negative_size+0x154/0x2e0
[   16.728253]  kunit_try_run_case+0x170/0x3f0
[   16.728322]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.728373]  kthread+0x328/0x630
[   16.729244]  ret_from_fork+0x10/0x20
[   16.729537] 
[   16.729650] Allocated by task 180:
[   16.729822]  kasan_save_stack+0x3c/0x68
[   16.730233]  kasan_save_track+0x20/0x40
[   16.730433]  kasan_save_alloc_info+0x40/0x58
[   16.730653]  __kasan_kmalloc+0xd4/0xd8
[   16.730750]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.731162]  kmalloc_memmove_negative_size+0xb0/0x2e0
[   16.731497]  kunit_try_run_case+0x170/0x3f0
[   16.731610]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.731729]  kthread+0x328/0x630
[   16.731836]  ret_from_fork+0x10/0x20
[   16.732505] 
[   16.732581] The buggy address belongs to the object at fff00000c7848800
[   16.732581]  which belongs to the cache kmalloc-64 of size 64
[   16.732691] The buggy address is located 4 bytes inside of
[   16.732691]  64-byte region [fff00000c7848800, fff00000c7848840)
[   16.732933] 
[   16.733074] The buggy address belongs to the physical page:
[   16.733343] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107848
[   16.733451] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.733661] page_type: f5(slab)
[   16.733915] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.734033] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.734144] page dumped because: kasan: bad access detected
[   16.734229] 
[   16.734357] Memory state around the buggy address:
[   16.734414]  fff00000c7848700: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[   16.734810]  fff00000c7848780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.734900] >fff00000c7848800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   16.735017]                    ^
[   16.735106]  fff00000c7848880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.735183]  fff00000c7848900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.735330] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

301T1hhn39ydHFy5rptQHsDW0S9

job_id

TEST:linaro@lkft#301T6gpYLeLGmQWpD00AWQfumjV

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/301T6gpYLeLGmQWpD00AWQfumjV

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/301T39wHoz6bxp2ayFJ1MYtxW4T/Image.gz
sha256sum	1e8a96425b394266b80f5a87f3e4c17a0920d75b386a58c4ea821fbec08b62cd

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/301T39wHoz6bxp2ayFJ1MYtxW4T/modules.tar.xz
sha256sum	2d1b6550fa3f9a7bcd72ff05007bba0c70779bc2a8f1888e75b7d4efc5d9e554

durations

tests

boot	0
kunit	176.79

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   12.450006] ==================================================================
[   12.450502] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[   12.451077] Read of size 18446744073709551614 at addr ffff888102f3bf84 by task kunit_try_catch/197
[   12.451523] 
[   12.451655] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.451706] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.451717] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.451741] Call Trace:
[   12.451755]  <TASK>
[   12.451776]  dump_stack_lvl+0x73/0xb0
[   12.451810]  print_report+0xd1/0x610
[   12.451833]  ? __virt_addr_valid+0x1db/0x2d0
[   12.452096]  ? kmalloc_memmove_negative_size+0x171/0x330
[   12.452127]  ? kasan_complete_mode_report_info+0x2a/0x200
[   12.452150]  ? kmalloc_memmove_negative_size+0x171/0x330
[   12.452196]  kasan_report+0x141/0x180
[   12.452218]  ? kmalloc_memmove_negative_size+0x171/0x330
[   12.452248]  kasan_check_range+0x10c/0x1c0
[   12.452271]  __asan_memmove+0x27/0x70
[   12.452290]  kmalloc_memmove_negative_size+0x171/0x330
[   12.452312]  ? __kasan_check_write+0x18/0x20
[   12.452331]  ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[   12.452355]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   12.452381]  ? trace_hardirqs_on+0x37/0xe0
[   12.452405]  ? __pfx_read_tsc+0x10/0x10
[   12.452426]  ? ktime_get_ts64+0x86/0x230
[   12.452451]  kunit_try_run_case+0x1a5/0x480
[   12.452479]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.452502]  ? queued_spin_lock_slowpath+0x116/0xb40
[   12.452527]  ? __kthread_parkme+0x82/0x180
[   12.452547]  ? preempt_count_sub+0x50/0x80
[   12.452572]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.452607]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.452630]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.452652]  kthread+0x337/0x6f0
[   12.452671]  ? trace_preempt_on+0x20/0xc0
[   12.452692]  ? __pfx_kthread+0x10/0x10
[   12.452711]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.452732]  ? calculate_sigpending+0x7b/0xa0
[   12.452756]  ? __pfx_kthread+0x10/0x10
[   12.452776]  ret_from_fork+0x116/0x1d0
[   12.452794]  ? __pfx_kthread+0x10/0x10
[   12.452831]  ret_from_fork_asm+0x1a/0x30
[   12.452864]  </TASK>
[   12.452875] 
[   12.464104] Allocated by task 197:
[   12.464305]  kasan_save_stack+0x45/0x70
[   12.464491]  kasan_save_track+0x18/0x40
[   12.464718]  kasan_save_alloc_info+0x3b/0x50
[   12.465341]  __kasan_kmalloc+0xb7/0xc0
[   12.465615]  __kmalloc_cache_noprof+0x189/0x420
[   12.465792]  kmalloc_memmove_negative_size+0xac/0x330
[   12.466208]  kunit_try_run_case+0x1a5/0x480
[   12.466418]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.466860]  kthread+0x337/0x6f0
[   12.467001]  ret_from_fork+0x116/0x1d0
[   12.467212]  ret_from_fork_asm+0x1a/0x30
[   12.467388] 
[   12.467482] The buggy address belongs to the object at ffff888102f3bf80
[   12.467482]  which belongs to the cache kmalloc-64 of size 64
[   12.468398] The buggy address is located 4 bytes inside of
[   12.468398]  64-byte region [ffff888102f3bf80, ffff888102f3bfc0)
[   12.469244] 
[   12.469330] The buggy address belongs to the physical page:
[   12.469674] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f3b
[   12.470035] flags: 0x200000000000000(node=0|zone=2)
[   12.470302] page_type: f5(slab)
[   12.470443] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   12.470751] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   12.471140] page dumped because: kasan: bad access detected
[   12.471593] 
[   12.471683] Memory state around the buggy address:
[   12.471856]  ffff888102f3be80: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[   12.472265]  ffff888102f3bf00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.472741] >ffff888102f3bf80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   12.472971]                    ^
[   12.473298]  ffff888102f3c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.473596]  ffff888102f3c080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.473878] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

301T1hhn39ydHFy5rptQHsDW0S9

job_id

TEST:linaro@lkft#301T7xoEYOckNLikE6jjEAHHRA9

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/301T7xoEYOckNLikE6jjEAHHRA9

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/301T4likwvozYziJtzNCf8nqDOS/bzImage
sha256sum	d878b5e59deae208baa4e6d482e984445ae0ec4af3b5020650447f9d4a2c4b26

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/301T4likwvozYziJtzNCf8nqDOS/modules.tar.xz
sha256sum	291fe06cceb324f9770dcb63da3c986fce8e7a389aa66d36243b066e98ed6839

durations

tests

boot	0
kunit	276.12

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit