Date: July 13, 2025, 11:09 p.m.

Environment |
---|
qemu-arm64 |
qemu-x86_64 |

```
[ 15.963413] ==================================================================
[ 15.963496] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[ 15.963846] Read of size 18446744073709551614 at addr fff00000c654e204 by task kunit_try_catch/181
[ 15.963960]
[ 15.964081] CPU: 0 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.964168] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.964326] Hardware name: linux,dummy-virt (DT)
[ 15.964361] Call trace:
[ 15.964567] show_stack+0x20/0x38 (C)
[ 15.964682] dump_stack_lvl+0x8c/0xd0
[ 15.964781] print_report+0x118/0x5d0
[ 15.965235] kasan_report+0xdc/0x128
[ 15.965329] kasan_check_range+0x100/0x1a8
[ 15.965701] __asan_memmove+0x3c/0x98
[ 15.965769] kmalloc_memmove_negative_size+0x154/0x2e0
[ 15.965972] kunit_try_run_case+0x170/0x3f0
[ 15.966306] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.966405] kthread+0x328/0x630
[ 15.966634] ret_from_fork+0x10/0x20
[ 15.966873]
[ 15.966897] Allocated by task 181:
[ 15.966949] kasan_save_stack+0x3c/0x68
[ 15.967274] kasan_save_track+0x20/0x40
[ 15.967459] kasan_save_alloc_info+0x40/0x58
[ 15.967515] __kasan_kmalloc+0xd4/0xd8
[ 15.967690] __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.967740] kmalloc_memmove_negative_size+0xb0/0x2e0
[ 15.967801] kunit_try_run_case+0x170/0x3f0
[ 15.967839] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.967881] kthread+0x328/0x630
[ 15.967912] ret_from_fork+0x10/0x20
[ 15.967953]
[ 15.967981] The buggy address belongs to the object at fff00000c654e200
[ 15.967981] which belongs to the cache kmalloc-64 of size 64
[ 15.968055] The buggy address is located 4 bytes inside of
[ 15.968055] 64-byte region [fff00000c654e200, fff00000c654e240)
[ 15.968112]
[ 15.968491] The buggy address belongs to the physical page:
[ 15.968575] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10654e
[ 15.968679] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.968758] page_type: f5(slab)
[ 15.968796] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 15.968845] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 15.969789] page dumped because: kasan: bad access detected
[ 15.969940]
[ 15.969988] Memory state around the buggy address:
[ 15.970041] fff00000c654e100: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[ 15.970411] fff00000c654e180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 15.970506] >fff00000c654e200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 15.970599] ^
[ 15.970646] fff00000c654e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.970697] fff00000c654e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.971003] ==================================================================
```

```
[ 16.734775] ==================================================================
[ 16.734934] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[ 16.734988] Read of size 18446744073709551614 at addr fff00000c5ab4a84 by task kunit_try_catch/181
[ 16.735368]
[ 16.735436] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.735618] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.735703] Hardware name: linux,dummy-virt (DT)
[ 16.735734] Call trace:
[ 16.735784] show_stack+0x20/0x38 (C)
[ 16.735834] dump_stack_lvl+0x8c/0xd0
[ 16.735888] print_report+0x118/0x5d0
[ 16.735937] kasan_report+0xdc/0x128
[ 16.735980] kasan_check_range+0x100/0x1a8
[ 16.736026] __asan_memmove+0x3c/0x98
[ 16.736198] kmalloc_memmove_negative_size+0x154/0x2e0
[ 16.736295] kunit_try_run_case+0x170/0x3f0
[ 16.736446] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.736567] kthread+0x328/0x630
[ 16.736683] ret_from_fork+0x10/0x20
[ 16.736839]
[ 16.736938] Allocated by task 181:
[ 16.737014] kasan_save_stack+0x3c/0x68
[ 16.737071] kasan_save_track+0x20/0x40
[ 16.737108] kasan_save_alloc_info+0x40/0x58
[ 16.737431] __kasan_kmalloc+0xd4/0xd8
[ 16.737497] __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.737754] kmalloc_memmove_negative_size+0xb0/0x2e0
[ 16.737860] kunit_try_run_case+0x170/0x3f0
[ 16.737942] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.738043] kthread+0x328/0x630
[ 16.738142] ret_from_fork+0x10/0x20
[ 16.738300]
[ 16.738369] The buggy address belongs to the object at fff00000c5ab4a80
[ 16.738369] which belongs to the cache kmalloc-64 of size 64
[ 16.738466] The buggy address is located 4 bytes inside of
[ 16.738466] 64-byte region [fff00000c5ab4a80, fff00000c5ab4ac0)
[ 16.738549]
[ 16.738657] The buggy address belongs to the physical page:
[ 16.738706] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ab4
[ 16.738778] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.738890] page_type: f5(slab)
[ 16.738952] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 16.739251] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 16.739321] page dumped because: kasan: bad access detected
[ 16.739368]
[ 16.739405] Memory state around the buggy address:
[ 16.739472] fff00000c5ab4980: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[ 16.739556] fff00000c5ab4a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 16.739631] >fff00000c5ab4a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 16.739671] ^
[ 16.739697] fff00000c5ab4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.739748] fff00000c5ab4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.739785] ==================================================================
```

```
[ 12.812784] ==================================================================
[ 12.813266] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[ 12.813588] Read of size 18446744073709551614 at addr ffff8881026bf704 by task kunit_try_catch/197
[ 12.814109]
[ 12.814203] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.814246] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.814258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.814278] Call Trace:
[ 12.814290] <TASK>
[ 12.814304] dump_stack_lvl+0x73/0xb0
[ 12.814333] print_report+0xd1/0x610
[ 12.814355] ? __virt_addr_valid+0x1db/0x2d0
[ 12.814380] ? kmalloc_memmove_negative_size+0x171/0x330
[ 12.814406] ? kasan_complete_mode_report_info+0x2a/0x200
[ 12.814461] ? kmalloc_memmove_negative_size+0x171/0x330
[ 12.814505] kasan_report+0x141/0x180
[ 12.814527] ? kmalloc_memmove_negative_size+0x171/0x330
[ 12.814557] kasan_check_range+0x10c/0x1c0
[ 12.814767] __asan_memmove+0x27/0x70
[ 12.814788] kmalloc_memmove_negative_size+0x171/0x330
[ 12.814815] ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[ 12.814843] ? __schedule+0x10cc/0x2b60
[ 12.814865] ? __pfx_read_tsc+0x10/0x10
[ 12.814886] ? ktime_get_ts64+0x86/0x230
[ 12.814911] kunit_try_run_case+0x1a5/0x480
[ 12.814935] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.814958] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.814982] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.815006] ? __kthread_parkme+0x82/0x180
[ 12.815027] ? preempt_count_sub+0x50/0x80
[ 12.815051] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.815076] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.815100] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.815125] kthread+0x337/0x6f0
[ 12.815144] ? trace_preempt_on+0x20/0xc0
[ 12.815167] ? __pfx_kthread+0x10/0x10
[ 12.815187] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.815208] ? calculate_sigpending+0x7b/0xa0
[ 12.815233] ? __pfx_kthread+0x10/0x10
[ 12.815254] ret_from_fork+0x116/0x1d0
[ 12.815272] ? __pfx_kthread+0x10/0x10
[ 12.815292] ret_from_fork_asm+0x1a/0x30
[ 12.815323] </TASK>
[ 12.815332]
[ 12.825808] Allocated by task 197:
[ 12.826184] kasan_save_stack+0x45/0x70
[ 12.826391] kasan_save_track+0x18/0x40
[ 12.826825] kasan_save_alloc_info+0x3b/0x50
[ 12.827000] __kasan_kmalloc+0xb7/0xc0
[ 12.827200] __kmalloc_cache_noprof+0x189/0x420
[ 12.827411] kmalloc_memmove_negative_size+0xac/0x330
[ 12.827916] kunit_try_run_case+0x1a5/0x480
[ 12.828120] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.828541] kthread+0x337/0x6f0
[ 12.828773] ret_from_fork+0x116/0x1d0
[ 12.828929] ret_from_fork_asm+0x1a/0x30
[ 12.829134]
[ 12.829233] The buggy address belongs to the object at ffff8881026bf700
[ 12.829233] which belongs to the cache kmalloc-64 of size 64
[ 12.830384] The buggy address is located 4 bytes inside of
[ 12.830384] 64-byte region [ffff8881026bf700, ffff8881026bf740)
[ 12.831947]
[ 12.832060] The buggy address belongs to the physical page:
[ 12.832282] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026bf
[ 12.833079] flags: 0x200000000000000(node=0|zone=2)
[ 12.833978] page_type: f5(slab)
[ 12.834687] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 12.835005] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 12.835328] page dumped because: kasan: bad access detected
[ 12.836192]
[ 12.836312] Memory state around the buggy address:
[ 12.836511] ffff8881026bf600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 12.837350] ffff8881026bf680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 12.837970] >ffff8881026bf700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 12.838319] ^
[ 12.838824] ffff8881026bf780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.839369] ffff8881026bf800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.839982] ==================================================================
```

```
[ 13.047897] ==================================================================
[ 13.048396] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[ 13.048935] Read of size 18446744073709551614 at addr ffff888102b39b04 by task kunit_try_catch/198
[ 13.049318]
[ 13.049465] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.049508] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.049520] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.049540] Call Trace:
[ 13.049551] <TASK>
[ 13.049565] dump_stack_lvl+0x73/0xb0
[ 13.049595] print_report+0xd1/0x610
[ 13.049618] ? __virt_addr_valid+0x1db/0x2d0
[ 13.049684] ? kmalloc_memmove_negative_size+0x171/0x330
[ 13.049712] ? kasan_complete_mode_report_info+0x2a/0x200
[ 13.049736] ? kmalloc_memmove_negative_size+0x171/0x330
[ 13.049781] kasan_report+0x141/0x180
[ 13.049803] ? kmalloc_memmove_negative_size+0x171/0x330
[ 13.049834] kasan_check_range+0x10c/0x1c0
[ 13.049858] __asan_memmove+0x27/0x70
[ 13.049877] kmalloc_memmove_negative_size+0x171/0x330
[ 13.049902] ? __kasan_check_write+0x18/0x20
[ 13.049922] ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[ 13.049948] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 13.049975] ? trace_hardirqs_on+0x37/0xe0
[ 13.049998] ? __pfx_read_tsc+0x10/0x10
[ 13.050019] ? ktime_get_ts64+0x86/0x230
[ 13.050043] kunit_try_run_case+0x1a5/0x480
[ 13.050082] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.050108] ? queued_spin_lock_slowpath+0x116/0xb40
[ 13.050368] ? __kthread_parkme+0x82/0x180
[ 13.050393] ? preempt_count_sub+0x50/0x80
[ 13.050417] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.050442] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.050467] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.050493] kthread+0x337/0x6f0
[ 13.050512] ? trace_preempt_on+0x20/0xc0
[ 13.050535] ? __pfx_kthread+0x10/0x10
[ 13.050555] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.050577] ? calculate_sigpending+0x7b/0xa0
[ 13.050601] ? __pfx_kthread+0x10/0x10
[ 13.050623] ret_from_fork+0x116/0x1d0
[ 13.050690] ? __pfx_kthread+0x10/0x10
[ 13.050719] ret_from_fork_asm+0x1a/0x30
[ 13.050749] </TASK>
[ 13.050759]
[ 13.059348] Allocated by task 198:
[ 13.059477] kasan_save_stack+0x45/0x70
[ 13.059676] kasan_save_track+0x18/0x40
[ 13.059892] kasan_save_alloc_info+0x3b/0x50
[ 13.060263] __kasan_kmalloc+0xb7/0xc0
[ 13.060395] __kmalloc_cache_noprof+0x189/0x420
[ 13.060554] kmalloc_memmove_negative_size+0xac/0x330
[ 13.061066] kunit_try_run_case+0x1a5/0x480
[ 13.061349] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.061602] kthread+0x337/0x6f0
[ 13.061889] ret_from_fork+0x116/0x1d0
[ 13.062045] ret_from_fork_asm+0x1a/0x30
[ 13.062200]
[ 13.062296] The buggy address belongs to the object at ffff888102b39b00
[ 13.062296] which belongs to the cache kmalloc-64 of size 64
[ 13.062835] The buggy address is located 4 bytes inside of
[ 13.062835] 64-byte region [ffff888102b39b00, ffff888102b39b40)
[ 13.063357]
[ 13.063458] The buggy address belongs to the physical page:
[ 13.063760] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b39
[ 13.064167] flags: 0x200000000000000(node=0|zone=2)
[ 13.064394] page_type: f5(slab)
[ 13.064542] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 13.064774] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 13.065120] page dumped because: kasan: bad access detected
[ 13.065369]
[ 13.065518] Memory state around the buggy address:
[ 13.065738] ffff888102b39a00: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[ 13.065954] ffff888102b39a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.066729] >ffff888102b39b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 13.067068] ^
[ 13.067194] ffff888102b39b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.067504] ffff888102b39c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.067825] ==================================================================
```