Date
June 26, 2025, 9:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
[ 39.829617] ==================================================================
[ 39.841175] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[ 39.848853] Read of size 18446744073709551614 at addr ffff000093903884 by task kunit_try_catch/266
[ 39.857932]
[ 39.859467] CPU: 0 UID: 0 PID: 266 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 39.859495] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 39.859504] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 39.859516] Call trace:
[ 39.859523] show_stack+0x20/0x38 (C)
[ 39.859542] dump_stack_lvl+0x8c/0xd0
[ 39.859562] print_report+0x118/0x608
[ 39.859582] kasan_report+0xdc/0x128
[ 39.859600] kasan_check_range+0x100/0x1a8
[ 39.859621] __asan_memmove+0x3c/0x98
[ 39.859636] kmalloc_memmove_negative_size+0x154/0x2e0
[ 39.859656] kunit_try_run_case+0x170/0x3f0
[ 39.859675] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 39.859697] kthread+0x328/0x630
[ 39.859711] ret_from_fork+0x10/0x20
[ 39.859730]
[ 39.929399] Allocated by task 266:
[ 39.932865] kasan_save_stack+0x3c/0x68
[ 39.936771] kasan_save_track+0x20/0x40
[ 39.940675] kasan_save_alloc_info+0x40/0x58
[ 39.945019] __kasan_kmalloc+0xd4/0xd8
[ 39.948837] __kmalloc_cache_noprof+0x16c/0x3c0
[ 39.953444] kmalloc_memmove_negative_size+0xb0/0x2e0
[ 39.958581] kunit_try_run_case+0x170/0x3f0
[ 39.962840] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 39.968408] kthread+0x328/0x630
[ 39.971693] ret_from_fork+0x10/0x20
[ 39.975338]
[ 39.976868] The buggy address belongs to the object at ffff000093903880
[ 39.976868] which belongs to the cache kmalloc-64 of size 64
[ 39.989356] The buggy address is located 4 bytes inside of
[ 39.989356] 64-byte region [ffff000093903880, ffff0000939038c0)
[ 40.000970]
[ 40.002500] The buggy address belongs to the physical page:
[ 40.008144] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113903
[ 40.016249] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 40.022873] page_type: f5(slab)
[ 40.026075] raw: 0bfffe0000000000 ffff0000800028c0 dead000000000122 0000000000000000
[ 40.033921] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 40.041763] page dumped because: kasan: bad access detected
[ 40.047408]
[ 40.048938] Memory state around the buggy address:
[ 40.053796] ffff000093903780: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[ 40.061110] ffff000093903800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.068426] >ffff000093903880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 40.075738] ^
[ 40.079022] ffff000093903900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.086337] ffff000093903980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.093649] ==================================================================
[ 26.909899] ==================================================================
[ 26.909977] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[ 26.910032] Read of size 18446744073709551614 at addr fff00000c5753204 by task kunit_try_catch/192
[ 26.910126]
[ 26.910162] CPU: 0 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 26.910262] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.910288] Hardware name: linux,dummy-virt (DT)
[ 26.910407] Call trace:
[ 26.910458] show_stack+0x20/0x38 (C)
[ 26.910621] dump_stack_lvl+0x8c/0xd0
[ 26.910670] print_report+0x118/0x608
[ 26.910717] kasan_report+0xdc/0x128
[ 26.910761] kasan_check_range+0x100/0x1a8
[ 26.910808] __asan_memmove+0x3c/0x98
[ 26.910851] kmalloc_memmove_negative_size+0x154/0x2e0
[ 26.910902] kunit_try_run_case+0x170/0x3f0
[ 26.910948] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.911001] kthread+0x328/0x630
[ 26.911042] ret_from_fork+0x10/0x20
[ 26.911098]
[ 26.911125] Allocated by task 192:
[ 26.911153] kasan_save_stack+0x3c/0x68
[ 26.911191] kasan_save_track+0x20/0x40
[ 26.911229] kasan_save_alloc_info+0x40/0x58
[ 26.911266] __kasan_kmalloc+0xd4/0xd8
[ 26.911302] __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.911341] kmalloc_memmove_negative_size+0xb0/0x2e0
[ 26.911418] kunit_try_run_case+0x170/0x3f0
[ 26.911530] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.911653] kthread+0x328/0x630
[ 26.911752] ret_from_fork+0x10/0x20
[ 26.911840]
[ 26.911859] The buggy address belongs to the object at fff00000c5753200
[ 26.911859] which belongs to the cache kmalloc-64 of size 64
[ 26.912185] The buggy address is located 4 bytes inside of
[ 26.912185] 64-byte region [fff00000c5753200, fff00000c5753240)
[ 26.912246]
[ 26.912272] The buggy address belongs to the physical page:
[ 26.912302] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105753
[ 26.912386] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.912479] page_type: f5(slab)
[ 26.912521] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 26.912606] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 26.912763] page dumped because: kasan: bad access detected
[ 26.912900]
[ 26.912918] Memory state around the buggy address:
[ 26.913011] fff00000c5753100: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[ 26.913134] fff00000c5753180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.913175] >fff00000c5753200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 26.913214] ^
[ 26.913245] fff00000c5753280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.913421] fff00000c5753300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.913458] ==================================================================
[ 22.301935] ==================================================================
[ 22.302438] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[ 22.302693] Read of size 18446744073709551614 at addr ffff8881024d1904 by task kunit_try_catch/209
[ 22.304138]
[ 22.304357] CPU: 0 UID: 0 PID: 209 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.304412] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.304425] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.304449] Call Trace:
[ 22.304464] <TASK>
[ 22.304483] dump_stack_lvl+0x73/0xb0
[ 22.304518] print_report+0xd1/0x650
[ 22.304541] ? __virt_addr_valid+0x1db/0x2d0
[ 22.304565] ? kmalloc_memmove_negative_size+0x171/0x330
[ 22.304589] ? kasan_complete_mode_report_info+0x2a/0x200
[ 22.304615] ? kmalloc_memmove_negative_size+0x171/0x330
[ 22.304663] kasan_report+0x141/0x180
[ 22.304685] ? kmalloc_memmove_negative_size+0x171/0x330
[ 22.304712] kasan_check_range+0x10c/0x1c0
[ 22.304734] __asan_memmove+0x27/0x70
[ 22.304756] kmalloc_memmove_negative_size+0x171/0x330
[ 22.304780] ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[ 22.304939] ? __schedule+0x10cc/0x2b60
[ 22.304968] ? __pfx_read_tsc+0x10/0x10
[ 22.305005] ? ktime_get_ts64+0x86/0x230
[ 22.305030] kunit_try_run_case+0x1a5/0x480
[ 22.305094] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.305117] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.305140] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.305164] ? __kthread_parkme+0x82/0x180
[ 22.305185] ? preempt_count_sub+0x50/0x80
[ 22.305208] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.305240] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.305263] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.305286] kthread+0x337/0x6f0
[ 22.305304] ? trace_preempt_on+0x20/0xc0
[ 22.305328] ? __pfx_kthread+0x10/0x10
[ 22.305347] ? _raw_spin_unlock_irq+0x47/0x80
[ 22.305370] ? calculate_sigpending+0x7b/0xa0
[ 22.305393] ? __pfx_kthread+0x10/0x10
[ 22.305413] ret_from_fork+0x116/0x1d0
[ 22.305431] ? __pfx_kthread+0x10/0x10
[ 22.305451] ret_from_fork_asm+0x1a/0x30
[ 22.305482] </TASK>
[ 22.305494]
[ 22.317449] Allocated by task 209:
[ 22.317725] kasan_save_stack+0x45/0x70
[ 22.318091] kasan_save_track+0x18/0x40
[ 22.318238] kasan_save_alloc_info+0x3b/0x50
[ 22.318417] __kasan_kmalloc+0xb7/0xc0
[ 22.318655] __kmalloc_cache_noprof+0x189/0x420
[ 22.319123] kmalloc_memmove_negative_size+0xac/0x330
[ 22.319504] kunit_try_run_case+0x1a5/0x480
[ 22.319755] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.319927] kthread+0x337/0x6f0
[ 22.320208] ret_from_fork+0x116/0x1d0
[ 22.320605] ret_from_fork_asm+0x1a/0x30
[ 22.320833]
[ 22.320953] The buggy address belongs to the object at ffff8881024d1900
[ 22.320953] which belongs to the cache kmalloc-64 of size 64
[ 22.321464] The buggy address is located 4 bytes inside of
[ 22.321464] 64-byte region [ffff8881024d1900, ffff8881024d1940)
[ 22.322021]
[ 22.322112] The buggy address belongs to the physical page:
[ 22.322485] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d1
[ 22.322820] flags: 0x200000000000000(node=0|zone=2)
[ 22.323252] page_type: f5(slab)
[ 22.323481] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 22.323810] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 22.324276] page dumped because: kasan: bad access detected
[ 22.324518]
[ 22.324629] Memory state around the buggy address:
[ 22.324898] ffff8881024d1800: 00 00 00 00 05 fc fc fc fc fc fc fc fc fc fc fc
[ 22.325413] ffff8881024d1880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 22.325758] >ffff8881024d1900: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 22.326198] ^
[ 22.326439] ffff8881024d1980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.326684] ffff8881024d1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.327266] ==================================================================