Hay
Date: June 25, 2025, 8:08 a.m.

Environment: qemu-arm64, qemu-x86_64

[   29.677657] ==================================================================
[   29.677727] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x204/0x250
[   29.677801] Read of size 8 at addr fff00000c786ac78 by task kunit_try_catch/293
[   29.677853] 
[   29.677893] CPU: 0 UID: 0 PID: 293 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250625 #1 PREEMPT 
[   29.677983] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.678013] Hardware name: linux,dummy-virt (DT)
[   29.678049] Call trace:
[   29.678074]  show_stack+0x20/0x38 (C)
[   29.678128]  dump_stack_lvl+0x8c/0xd0
[   29.678176]  print_report+0x118/0x608
[   29.678226]  kasan_report+0xdc/0x128
[   29.678271]  __asan_report_load8_noabort+0x20/0x30
[   29.678321]  copy_to_kernel_nofault+0x204/0x250
[   29.678371]  copy_to_kernel_nofault_oob+0x158/0x418
[   29.678469]  kunit_try_run_case+0x170/0x3f0
[   29.678520]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.678594]  kthread+0x328/0x630
[   29.678658]  ret_from_fork+0x10/0x20
[   29.678737] 
[   29.678759] Allocated by task 293:
[   29.678791]  kasan_save_stack+0x3c/0x68
[   29.678888]  kasan_save_track+0x20/0x40
[   29.678987]  kasan_save_alloc_info+0x40/0x58
[   29.679055]  __kasan_kmalloc+0xd4/0xd8
[   29.679158]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.679235]  copy_to_kernel_nofault_oob+0xc8/0x418
[   29.679680]  kunit_try_run_case+0x170/0x3f0
[   29.679820]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.679972]  kthread+0x328/0x630
[   29.680012]  ret_from_fork+0x10/0x20
[   29.680070] 
[   29.680104] The buggy address belongs to the object at fff00000c786ac00
[   29.680104]  which belongs to the cache kmalloc-128 of size 128
[   29.680167] The buggy address is located 0 bytes to the right of
[   29.680167]  allocated 120-byte region [fff00000c786ac00, fff00000c786ac78)
[   29.680437] 
[   29.680527] The buggy address belongs to the physical page:
[   29.680687] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786a
[   29.680785] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.681000] page_type: f5(slab)
[   29.681165] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.681288] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.681330] page dumped because: kasan: bad access detected
[   29.681578] 
[   29.681606] Memory state around the buggy address:
[   29.681742]  fff00000c786ab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.681871]  fff00000c786ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.682045] >fff00000c786ac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[   29.682118]                                                                 ^
[   29.682253]  fff00000c786ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.682301]  fff00000c786ad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.682608] ==================================================================
[   29.683795] ==================================================================
[   29.683856] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x8c/0x250
[   29.684100] Write of size 8 at addr fff00000c786ac78 by task kunit_try_catch/293
[   29.684312] 
[   29.684444] CPU: 0 UID: 0 PID: 293 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250625 #1 PREEMPT 
[   29.684642] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.684723] Hardware name: linux,dummy-virt (DT)
[   29.684811] Call trace:
[   29.684900]  show_stack+0x20/0x38 (C)
[   29.685055]  dump_stack_lvl+0x8c/0xd0
[   29.685271]  print_report+0x118/0x608
[   29.685360]  kasan_report+0xdc/0x128
[   29.685425]  kasan_check_range+0x100/0x1a8
[   29.685606]  __kasan_check_write+0x20/0x30
[   29.685775]  copy_to_kernel_nofault+0x8c/0x250
[   29.685936]  copy_to_kernel_nofault_oob+0x1bc/0x418
[   29.686059]  kunit_try_run_case+0x170/0x3f0
[   29.686134]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.686453]  kthread+0x328/0x630
[   29.686655]  ret_from_fork+0x10/0x20
[   29.686745] 
[   29.686775] Allocated by task 293:
[   29.686869]  kasan_save_stack+0x3c/0x68
[   29.687011]  kasan_save_track+0x20/0x40
[   29.687170]  kasan_save_alloc_info+0x40/0x58
[   29.687261]  __kasan_kmalloc+0xd4/0xd8
[   29.687352]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.687478]  copy_to_kernel_nofault_oob+0xc8/0x418
[   29.687524]  kunit_try_run_case+0x170/0x3f0
[   29.687965]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.688079]  kthread+0x328/0x630
[   29.688340]  ret_from_fork+0x10/0x20
[   29.688533] 
[   29.688614] The buggy address belongs to the object at fff00000c786ac00
[   29.688614]  which belongs to the cache kmalloc-128 of size 128
[   29.688827] The buggy address is located 0 bytes to the right of
[   29.688827]  allocated 120-byte region [fff00000c786ac00, fff00000c786ac78)
[   29.688959] 
[   29.689118] The buggy address belongs to the physical page:
[   29.689160] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786a
[   29.689352] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.689532] page_type: f5(slab)
[   29.689775] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.689985] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.690127] page dumped because: kasan: bad access detected
[   29.690166] 
[   29.690186] Memory state around the buggy address:
[   29.690433]  fff00000c786ab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.690487]  fff00000c786ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.690592] >fff00000c786ac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[   29.690739]                                                                 ^
[   29.690902]  fff00000c786ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.691101]  fff00000c786ad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.691148] ==================================================================

[   25.654336] ==================================================================
[   25.654833] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x225/0x260
[   25.655796] Read of size 8 at addr ffff888102597b78 by task kunit_try_catch/310
[   25.656612] 
[   25.656855] CPU: 0 UID: 0 PID: 310 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250625 #1 PREEMPT(voluntary) 
[   25.656914] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.656929] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.656965] Call Trace:
[   25.656981]  <TASK>
[   25.657001]  dump_stack_lvl+0x73/0xb0
[   25.657032]  print_report+0xd1/0x650
[   25.657057]  ? __virt_addr_valid+0x1db/0x2d0
[   25.657134]  ? copy_to_kernel_nofault+0x225/0x260
[   25.657160]  ? kasan_complete_mode_report_info+0x2a/0x200
[   25.657185]  ? copy_to_kernel_nofault+0x225/0x260
[   25.657208]  kasan_report+0x141/0x180
[   25.657230]  ? copy_to_kernel_nofault+0x225/0x260
[   25.657257]  __asan_report_load8_noabort+0x18/0x20
[   25.657281]  copy_to_kernel_nofault+0x225/0x260
[   25.657305]  copy_to_kernel_nofault_oob+0x1ed/0x560
[   25.657329]  ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[   25.657352]  ? finish_task_switch.isra.0+0x153/0x700
[   25.657375]  ? __schedule+0x10cc/0x2b60
[   25.657400]  ? trace_hardirqs_on+0x37/0xe0
[   25.657431]  ? __pfx_read_tsc+0x10/0x10
[   25.657454]  ? ktime_get_ts64+0x86/0x230
[   25.657479]  kunit_try_run_case+0x1a5/0x480
[   25.657507]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.657529]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.657551]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.657576]  ? __kthread_parkme+0x82/0x180
[   25.657597]  ? preempt_count_sub+0x50/0x80
[   25.657619]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.657644]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.657668]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.657692]  kthread+0x337/0x6f0
[   25.657712]  ? trace_preempt_on+0x20/0xc0
[   25.657733]  ? __pfx_kthread+0x10/0x10
[   25.657754]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.657777]  ? calculate_sigpending+0x7b/0xa0
[   25.657818]  ? __pfx_kthread+0x10/0x10
[   25.657840]  ret_from_fork+0x116/0x1d0
[   25.657859]  ? __pfx_kthread+0x10/0x10
[   25.657880]  ret_from_fork_asm+0x1a/0x30
[   25.657911]  </TASK>
[   25.657923] 
[   25.671002] Allocated by task 310:
[   25.671354]  kasan_save_stack+0x45/0x70
[   25.671771]  kasan_save_track+0x18/0x40
[   25.672189]  kasan_save_alloc_info+0x3b/0x50
[   25.672666]  __kasan_kmalloc+0xb7/0xc0
[   25.673086]  __kmalloc_cache_noprof+0x189/0x420
[   25.673606]  copy_to_kernel_nofault_oob+0x12f/0x560
[   25.674140]  kunit_try_run_case+0x1a5/0x480
[   25.674625]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.675190]  kthread+0x337/0x6f0
[   25.675548]  ret_from_fork+0x116/0x1d0
[   25.675966]  ret_from_fork_asm+0x1a/0x30
[   25.676380] 
[   25.676579] The buggy address belongs to the object at ffff888102597b00
[   25.676579]  which belongs to the cache kmalloc-128 of size 128
[   25.677785] The buggy address is located 0 bytes to the right of
[   25.677785]  allocated 120-byte region [ffff888102597b00, ffff888102597b78)
[   25.678926] 
[   25.679142] The buggy address belongs to the physical page:
[   25.679683] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102597
[   25.680445] flags: 0x200000000000000(node=0|zone=2)
[   25.680976] page_type: f5(slab)
[   25.681303] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   25.681669] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.682114] page dumped because: kasan: bad access detected
[   25.682449] 
[   25.682534] Memory state around the buggy address:
[   25.682686]  ffff888102597a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.682977]  ffff888102597a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.683203] >ffff888102597b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[   25.683781]                                                                 ^
[   25.684475]  ffff888102597b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.685251]  ffff888102597c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.685516] ==================================================================
[   25.686395] ==================================================================
[   25.686667] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x99/0x260
[   25.687301] Write of size 8 at addr ffff888102597b78 by task kunit_try_catch/310
[   25.687954] 
[   25.688126] CPU: 0 UID: 0 PID: 310 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250625 #1 PREEMPT(voluntary) 
[   25.688179] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.688193] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.688216] Call Trace:
[   25.688230]  <TASK>
[   25.688251]  dump_stack_lvl+0x73/0xb0
[   25.688279]  print_report+0xd1/0x650
[   25.688303]  ? __virt_addr_valid+0x1db/0x2d0
[   25.688327]  ? copy_to_kernel_nofault+0x99/0x260
[   25.688354]  ? kasan_complete_mode_report_info+0x2a/0x200
[   25.688381]  ? copy_to_kernel_nofault+0x99/0x260
[   25.688403]  kasan_report+0x141/0x180
[   25.688424]  ? copy_to_kernel_nofault+0x99/0x260
[   25.688451]  kasan_check_range+0x10c/0x1c0
[   25.688475]  __kasan_check_write+0x18/0x20
[   25.688497]  copy_to_kernel_nofault+0x99/0x260
[   25.688521]  copy_to_kernel_nofault_oob+0x288/0x560
[   25.688544]  ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[   25.688567]  ? finish_task_switch.isra.0+0x153/0x700
[   25.688604]  ? __schedule+0x10cc/0x2b60
[   25.688645]  ? trace_hardirqs_on+0x37/0xe0
[   25.688675]  ? __pfx_read_tsc+0x10/0x10
[   25.688698]  ? ktime_get_ts64+0x86/0x230
[   25.688723]  kunit_try_run_case+0x1a5/0x480
[   25.688750]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.688773]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.688795]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.688820]  ? __kthread_parkme+0x82/0x180
[   25.688841]  ? preempt_count_sub+0x50/0x80
[   25.688864]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.688888]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.688929]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.688963]  kthread+0x337/0x6f0
[   25.688983]  ? trace_preempt_on+0x20/0xc0
[   25.689005]  ? __pfx_kthread+0x10/0x10
[   25.689025]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.689048]  ? calculate_sigpending+0x7b/0xa0
[   25.689072]  ? __pfx_kthread+0x10/0x10
[   25.689093]  ret_from_fork+0x116/0x1d0
[   25.689112]  ? __pfx_kthread+0x10/0x10
[   25.689139]  ret_from_fork_asm+0x1a/0x30
[   25.689170]  </TASK>
[   25.689183] 
[   25.696650] Allocated by task 310:
[   25.696831]  kasan_save_stack+0x45/0x70
[   25.697077]  kasan_save_track+0x18/0x40
[   25.697282]  kasan_save_alloc_info+0x3b/0x50
[   25.697448]  __kasan_kmalloc+0xb7/0xc0
[   25.697584]  __kmalloc_cache_noprof+0x189/0x420
[   25.697731]  copy_to_kernel_nofault_oob+0x12f/0x560
[   25.697928]  kunit_try_run_case+0x1a5/0x480
[   25.698138]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.698436]  kthread+0x337/0x6f0
[   25.698559]  ret_from_fork+0x116/0x1d0
[   25.698791]  ret_from_fork_asm+0x1a/0x30
[   25.698924] 
[   25.698999] The buggy address belongs to the object at ffff888102597b00
[   25.698999]  which belongs to the cache kmalloc-128 of size 128
[   25.699596] The buggy address is located 0 bytes to the right of
[   25.699596]  allocated 120-byte region [ffff888102597b00, ffff888102597b78)
[   25.700189] 
[   25.700265] The buggy address belongs to the physical page:
[   25.700473] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102597
[   25.701019] flags: 0x200000000000000(node=0|zone=2)
[   25.701228] page_type: f5(slab)
[   25.701377] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   25.701627] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.702049] page dumped because: kasan: bad access detected
[   25.702279] 
[   25.702359] Memory state around the buggy address:
[   25.702547]  ffff888102597a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.703088]  ffff888102597a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.703400] >ffff888102597b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[   25.703621]                                                                 ^
[   25.703827]  ffff888102597b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.704043]  ffff888102597c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.704251] ==================================================================