Hay
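Date: June 26, 2025, 9:10 a.m.

Environment: dragonboard-845c, qemu-arm64, qemu-x86_64

The three KASAN reports below appear to follow that order, judging by each report's "Hardware name" line. Each is raised in kmalloc_oob_left from the kunit_try_catch task with the [N]=TEST taint set, so the out-of-bounds read comes from a KUnit test case. The "Allocated by" / "Freed by" stacks describe the kmalloc-16 object the bad address was attributed to (the address lies to the right of that object), which is not necessarily the buffer the test itself allocated.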

[   30.675989] ==================================================================
[   30.687111] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x2ec/0x320
[   30.694083] Read of size 1 at addr ffff0000820e85ff by task kunit_try_catch/224
[   30.701493] 
[   30.703028] CPU: 0 UID: 0 PID: 224 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   30.703059] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.703067] Hardware name: Thundercomm Dragonboard 845c (DT)
[   30.703080] Call trace:
[   30.703086]  show_stack+0x20/0x38 (C)
[   30.703105]  dump_stack_lvl+0x8c/0xd0
[   30.703126]  print_report+0x118/0x608
[   30.703145]  kasan_report+0xdc/0x128
[   30.703164]  __asan_report_load1_noabort+0x20/0x30
[   30.703181]  kmalloc_oob_left+0x2ec/0x320
[   30.703199]  kunit_try_run_case+0x170/0x3f0
[   30.703217]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.703238]  kthread+0x328/0x630
[   30.703253]  ret_from_fork+0x10/0x20
[   30.703271] 
[   30.768790] Allocated by task 67:
[   30.772163]  kasan_save_stack+0x3c/0x68
[   30.776074]  kasan_save_track+0x20/0x40
[   30.779984]  kasan_save_alloc_info+0x40/0x58
[   30.784320]  __kasan_kmalloc+0xd4/0xd8
[   30.788142]  __kmalloc_node_track_caller_noprof+0x194/0x4b8
[   30.793802]  kvasprintf+0xe0/0x180
[   30.797269]  kasprintf+0xd0/0x110
[   30.800646]  of_icc_get_by_index+0x3cc/0x558
[   30.804991]  dev_pm_opp_of_find_icc_paths+0x1b8/0x460
[   30.810123]  qcom_cpufreq_hw_driver_probe+0x12c/0x4a8
[   30.815258]  platform_probe+0xcc/0x198
[   30.819072]  really_probe+0x188/0x7f0
[   30.822796]  __driver_probe_device+0x164/0x378
[   30.827316]  driver_probe_device+0x64/0x180
[   30.831569]  __device_attach_driver+0x174/0x280
[   30.836174]  bus_for_each_drv+0x118/0x1b0
[   30.840260]  __device_attach+0x174/0x378
[   30.844253]  device_initial_probe+0x1c/0x30
[   30.848505]  bus_probe_device+0x12c/0x170
[   30.852589]  deferred_probe_work_func+0x140/0x208
[   30.857371]  process_one_work+0x530/0xf98
[   30.861455]  worker_thread+0x618/0xf38
[   30.865275]  kthread+0x328/0x630
[   30.868565]  ret_from_fork+0x10/0x20
[   30.872202] 
[   30.873731] Freed by task 67:
[   30.876759]  kasan_save_stack+0x3c/0x68
[   30.880668]  kasan_save_track+0x20/0x40
[   30.884578]  kasan_save_free_info+0x4c/0x78
[   30.888829]  __kasan_slab_free+0x6c/0x98
[   30.892826]  kfree+0x214/0x3c8
[   30.895948]  icc_put+0x19c/0x340
[   30.899243]  dev_pm_opp_of_find_icc_paths+0x234/0x460
[   30.904379]  qcom_cpufreq_hw_driver_probe+0x12c/0x4a8
[   30.909511]  platform_probe+0xcc/0x198
[   30.913334]  really_probe+0x188/0x7f0
[   30.917066]  __driver_probe_device+0x164/0x378
[   30.921578]  driver_probe_device+0x64/0x180
[   30.925830]  __device_attach_driver+0x174/0x280
[   30.930429]  bus_for_each_drv+0x118/0x1b0
[   30.934509]  __device_attach+0x174/0x378
[   30.938502]  device_initial_probe+0x1c/0x30
[   30.942755]  bus_probe_device+0x12c/0x170
[   30.946839]  deferred_probe_work_func+0x140/0x208
[   30.951619]  process_one_work+0x530/0xf98
[   30.955699]  worker_thread+0x618/0xf38
[   30.959519]  kthread+0x328/0x630
[   30.962812]  ret_from_fork+0x10/0x20
[   30.966449] 
[   30.967985] The buggy address belongs to the object at ffff0000820e85e0
[   30.967985]  which belongs to the cache kmalloc-16 of size 16
[   30.980473] The buggy address is located 15 bytes to the right of
[   30.980473]  allocated 16-byte region [ffff0000820e85e0, ffff0000820e85f0)
[   30.993571] 
[   30.995101] The buggy address belongs to the physical page:
[   31.000745] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1020e8
[   31.008858] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.015475] page_type: f5(slab)
[   31.018682] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[   31.026527] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   31.034369] page dumped because: kasan: bad access detected
[   31.040013] 
[   31.041541] Memory state around the buggy address:
[   31.046403]  ffff0000820e8480: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[   31.053715]  ffff0000820e8500: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   31.061029] >ffff0000820e8580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   31.068350]                                                                 ^
[   31.075578]  ffff0000820e8600: 00 07 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.082894]  ffff0000820e8680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.090215] ==================================================================

[   26.550614] ==================================================================
[   26.550671] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x2ec/0x320
[   26.550720] Read of size 1 at addr fff00000c16b9bdf by task kunit_try_catch/150
[   26.550768] 
[   26.550797] CPU: 0 UID: 0 PID: 150 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   26.551045] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.551090] Hardware name: linux,dummy-virt (DT)
[   26.551255] Call trace:
[   26.551277]  show_stack+0x20/0x38 (C)
[   26.551332]  dump_stack_lvl+0x8c/0xd0
[   26.551396]  print_report+0x118/0x608
[   26.551441]  kasan_report+0xdc/0x128
[   26.551487]  __asan_report_load1_noabort+0x20/0x30
[   26.551535]  kmalloc_oob_left+0x2ec/0x320
[   26.551579]  kunit_try_run_case+0x170/0x3f0
[   26.551674]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.551884]  kthread+0x328/0x630
[   26.551990]  ret_from_fork+0x10/0x20
[   26.552038] 
[   26.552064] Allocated by task 12:
[   26.552113]  kasan_save_stack+0x3c/0x68
[   26.552154]  kasan_save_track+0x20/0x40
[   26.552190]  kasan_save_alloc_info+0x40/0x58
[   26.552224]  __kasan_kmalloc+0xd4/0xd8
[   26.552259]  __kmalloc_node_track_caller_noprof+0x194/0x4b8
[   26.552301]  kvasprintf+0xe0/0x180
[   26.552335]  __kthread_create_on_node+0x16c/0x350
[   26.552372]  kthread_create_on_node+0xe4/0x130
[   26.552407]  create_worker+0x380/0x6b8
[   26.552441]  worker_thread+0x808/0xf38
[   26.552475]  kthread+0x328/0x630
[   26.552505]  ret_from_fork+0x10/0x20
[   26.552538] 
[   26.552556] The buggy address belongs to the object at fff00000c16b9bc0
[   26.552556]  which belongs to the cache kmalloc-16 of size 16
[   26.552609] The buggy address is located 19 bytes to the right of
[   26.552609]  allocated 12-byte region [fff00000c16b9bc0, fff00000c16b9bcc)
[   26.552670] 
[   26.552688] The buggy address belongs to the physical page:
[   26.552717] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c16b9ba0 pfn:0x1016b9
[   26.552771] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   26.552817] page_type: f5(slab)
[   26.552852] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   26.552901] raw: fff00000c16b9ba0 000000008080007f 00000000f5000000 0000000000000000
[   26.552940] page dumped because: kasan: bad access detected
[   26.552968] 
[   26.552984] Memory state around the buggy address:
[   26.553013]  fff00000c16b9a80: 00 03 fc fc fa fb fc fc 00 02 fc fc fa fb fc fc
[   26.553062]  fff00000c16b9b00: 00 01 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   26.553145] >fff00000c16b9b80: fa fb fc fc fa fb fc fc 00 04 fc fc 00 07 fc fc
[   26.553214]                                                     ^
[   26.553310]  fff00000c16b9c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.553458]  fff00000c16b9c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.553494] ==================================================================

[   21.507498] ==================================================================
[   21.508683] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x361/0x3c0
[   21.509450] Read of size 1 at addr ffff888101126c1f by task kunit_try_catch/167
[   21.509683] 
[   21.510151] CPU: 0 UID: 0 PID: 167 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) 
[   21.510213] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.510242] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.510266] Call Trace:
[   21.510282]  <TASK>
[   21.510304]  dump_stack_lvl+0x73/0xb0
[   21.510339]  print_report+0xd1/0x650
[   21.510361]  ? __virt_addr_valid+0x1db/0x2d0
[   21.510386]  ? kmalloc_oob_left+0x361/0x3c0
[   21.510405]  ? kasan_complete_mode_report_info+0x64/0x200
[   21.510430]  ? kmalloc_oob_left+0x361/0x3c0
[   21.510450]  kasan_report+0x141/0x180
[   21.510471]  ? kmalloc_oob_left+0x361/0x3c0
[   21.510495]  __asan_report_load1_noabort+0x18/0x20
[   21.510517]  kmalloc_oob_left+0x361/0x3c0
[   21.510538]  ? __pfx_kmalloc_oob_left+0x10/0x10
[   21.510559]  ? __schedule+0x10cc/0x2b60
[   21.510585]  ? __pfx_read_tsc+0x10/0x10
[   21.510607]  ? ktime_get_ts64+0x86/0x230
[   21.510633]  kunit_try_run_case+0x1a5/0x480
[   21.510658]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.510680]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   21.510704]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.510728]  ? __kthread_parkme+0x82/0x180
[   21.510748]  ? preempt_count_sub+0x50/0x80
[   21.510827]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.510854]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.510877]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.510900]  kthread+0x337/0x6f0
[   21.510919]  ? trace_preempt_on+0x20/0xc0
[   21.510943]  ? __pfx_kthread+0x10/0x10
[   21.510962]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.510985]  ? calculate_sigpending+0x7b/0xa0
[   21.511031]  ? __pfx_kthread+0x10/0x10
[   21.511052]  ret_from_fork+0x116/0x1d0
[   21.511071]  ? __pfx_kthread+0x10/0x10
[   21.511090]  ret_from_fork_asm+0x1a/0x30
[   21.511122]  </TASK>
[   21.511134] 
[   21.524378] Allocated by task 26:
[   21.524845]  kasan_save_stack+0x45/0x70
[   21.525305]  kasan_save_track+0x18/0x40
[   21.525471]  kasan_save_alloc_info+0x3b/0x50
[   21.525966]  __kasan_kmalloc+0xb7/0xc0
[   21.526325]  __kmalloc_node_track_caller_noprof+0x1cb/0x500
[   21.526789]  kstrdup+0x3e/0xa0
[   21.526997]  devtmpfs_work_loop+0x96d/0xf30
[   21.527412]  devtmpfsd+0x3b/0x40
[   21.527532]  kthread+0x337/0x6f0
[   21.527645]  ret_from_fork+0x116/0x1d0
[   21.527769]  ret_from_fork_asm+0x1a/0x30
[   21.528205] 
[   21.528435] Freed by task 26:
[   21.528761]  kasan_save_stack+0x45/0x70
[   21.529230]  kasan_save_track+0x18/0x40
[   21.529659]  kasan_save_free_info+0x3f/0x60
[   21.530114]  __kasan_slab_free+0x56/0x70
[   21.530486]  kfree+0x222/0x3f0
[   21.530846]  devtmpfs_work_loop+0xacb/0xf30
[   21.531320]  devtmpfsd+0x3b/0x40
[   21.531686]  kthread+0x337/0x6f0
[   21.531852]  ret_from_fork+0x116/0x1d0
[   21.532290]  ret_from_fork_asm+0x1a/0x30
[   21.532668] 
[   21.532741] The buggy address belongs to the object at ffff888101126c00
[   21.532741]  which belongs to the cache kmalloc-16 of size 16
[   21.533505] The buggy address is located 15 bytes to the right of
[   21.533505]  allocated 16-byte region [ffff888101126c00, ffff888101126c10)
[   21.534487] 
[   21.534571] The buggy address belongs to the physical page:
[   21.534746] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101126
[   21.535682] flags: 0x200000000000000(node=0|zone=2)
[   21.536180] page_type: f5(slab)
[   21.536608] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   21.537299] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   21.537691] page dumped because: kasan: bad access detected
[   21.537969] 
[   21.538138] Memory state around the buggy address:
[   21.538553]  ffff888101126b00: 00 00 fc fc 00 04 fc fc 00 04 fc fc 00 00 fc fc
[   21.539246]  ffff888101126b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   21.539891] >ffff888101126c00: fa fb fc fc 00 07 fc fc fc fc fc fc fc fc fc fc
[   21.540474]                             ^
[   21.540610]  ffff888101126c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.540902]  ffff888101126d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.541539] ==================================================================