Hay
Date: July 2, 2025, 11:10 a.m.

Environment: qemu-arm64, qemu-x86_64

[   30.889853] ==================================================================
[   30.889948] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[   30.890013] Read of size 18446744073709551614 at addr fff00000c91ed504 by task kunit_try_catch/213
[   30.890098] 
[   30.890130] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   30.890217] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.890244] Hardware name: linux,dummy-virt (DT)
[   30.890275] Call trace:
[   30.890300]  show_stack+0x20/0x38 (C)
[   30.890354]  dump_stack_lvl+0x8c/0xd0
[   30.890404]  print_report+0x118/0x608
[   30.890461]  kasan_report+0xdc/0x128
[   30.890508]  kasan_check_range+0x100/0x1a8
[   30.890562]  __asan_memmove+0x3c/0x98
[   30.890610]  kmalloc_memmove_negative_size+0x154/0x2e0
[   30.890661]  kunit_try_run_case+0x170/0x3f0
[   30.890711]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.890765]  kthread+0x328/0x630
[   30.890821]  ret_from_fork+0x10/0x20
[   30.890870] 
[   30.890888] Allocated by task 213:
[   30.890916]  kasan_save_stack+0x3c/0x68
[   30.891329]  kasan_save_track+0x20/0x40
[   30.891884]  kasan_save_alloc_info+0x40/0x58
[   30.892039]  __kasan_kmalloc+0xd4/0xd8
[   30.892119]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.892194]  kmalloc_memmove_negative_size+0xb0/0x2e0
[   30.892323]  kunit_try_run_case+0x170/0x3f0
[   30.892378]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.892422]  kthread+0x328/0x630
[   30.892464]  ret_from_fork+0x10/0x20
[   30.892500] 
[   30.892883] The buggy address belongs to the object at fff00000c91ed500
[   30.892883]  which belongs to the cache kmalloc-64 of size 64
[   30.893013] The buggy address is located 4 bytes inside of
[   30.893013]  64-byte region [fff00000c91ed500, fff00000c91ed540)
[   30.893103] 
[   30.893211] The buggy address belongs to the physical page:
[   30.893272] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1091ed
[   30.893362] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.893617] page_type: f5(slab)
[   30.893839] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   30.894054] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   30.894216] page dumped because: kasan: bad access detected
[   30.894346] 
[   30.894401] Memory state around the buggy address:
[   30.894528]  fff00000c91ed400: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[   30.894608]  fff00000c91ed480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.894658] >fff00000c91ed500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   30.894720]                    ^
[   30.894815]  fff00000c91ed580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.894892]  fff00000c91ed600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.894948] ==================================================================

[   32.651301] ==================================================================
[   32.651370] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[   32.651425] Read of size 18446744073709551614 at addr fff00000c990b384 by task kunit_try_catch/211
[   32.651672] 
[   32.651715] CPU: 1 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   32.651831] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.651915] Hardware name: linux,dummy-virt (DT)
[   32.651984] Call trace:
[   32.652036]  show_stack+0x20/0x38 (C)
[   32.652137]  dump_stack_lvl+0x8c/0xd0
[   32.652243]  print_report+0x118/0x608
[   32.652299]  kasan_report+0xdc/0x128
[   32.652368]  kasan_check_range+0x100/0x1a8
[   32.652415]  __asan_memmove+0x3c/0x98
[   32.652458]  kmalloc_memmove_negative_size+0x154/0x2e0
[   32.652608]  kunit_try_run_case+0x170/0x3f0
[   32.652685]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.652802]  kthread+0x328/0x630
[   32.652869]  ret_from_fork+0x10/0x20
[   32.652943] 
[   32.653016] Allocated by task 211:
[   32.653066]  kasan_save_stack+0x3c/0x68
[   32.653148]  kasan_save_track+0x20/0x40
[   32.653255]  kasan_save_alloc_info+0x40/0x58
[   32.653313]  __kasan_kmalloc+0xd4/0xd8
[   32.653399]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.653473]  kmalloc_memmove_negative_size+0xb0/0x2e0
[   32.653545]  kunit_try_run_case+0x170/0x3f0
[   32.653618]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.653699]  kthread+0x328/0x630
[   32.653742]  ret_from_fork+0x10/0x20
[   32.653778] 
[   32.653797] The buggy address belongs to the object at fff00000c990b380
[   32.653797]  which belongs to the cache kmalloc-64 of size 64
[   32.653863] The buggy address is located 4 bytes inside of
[   32.653863]  64-byte region [fff00000c990b380, fff00000c990b3c0)
[   32.653931] 
[   32.653961] The buggy address belongs to the physical page:
[   32.653997] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10990b
[   32.654049] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.654113] page_type: f5(slab)
[   32.654151] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   32.654220] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   32.654270] page dumped because: kasan: bad access detected
[   32.654302] 
[   32.654319] Memory state around the buggy address:
[   32.654350]  fff00000c990b280: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[   32.654403]  fff00000c990b300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.654446] >fff00000c990b380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   32.654485]                    ^
[   32.654520]  fff00000c990b400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.654563]  fff00000c990b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.654601] ==================================================================

[   23.236901] ==================================================================
[   23.237389] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[   23.237737] Read of size 18446744073709551614 at addr ffff888105895684 by task kunit_try_catch/228
[   23.238175] 
[   23.238286] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   23.238350] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.238363] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.238383] Call Trace:
[   23.238395]  <TASK>
[   23.238410]  dump_stack_lvl+0x73/0xb0
[   23.238437]  print_report+0xd1/0x650
[   23.238459]  ? __virt_addr_valid+0x1db/0x2d0
[   23.238480]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.238503]  ? kasan_complete_mode_report_info+0x2a/0x200
[   23.238528]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.238552]  kasan_report+0x141/0x180
[   23.238573]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.238601]  kasan_check_range+0x10c/0x1c0
[   23.238623]  __asan_memmove+0x27/0x70
[   23.238646]  kmalloc_memmove_negative_size+0x171/0x330
[   23.238669]  ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[   23.238717]  ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[   23.238745]  kunit_try_run_case+0x1a5/0x480
[   23.238770]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.238792]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.238813]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.238834]  ? __kthread_parkme+0x82/0x180
[   23.238854]  ? preempt_count_sub+0x50/0x80
[   23.238876]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.238900]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.238924]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.238947]  kthread+0x337/0x6f0
[   23.238966]  ? trace_preempt_on+0x20/0xc0
[   23.239005]  ? __pfx_kthread+0x10/0x10
[   23.239026]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.239062]  ? calculate_sigpending+0x7b/0xa0
[   23.239085]  ? __pfx_kthread+0x10/0x10
[   23.239106]  ret_from_fork+0x116/0x1d0
[   23.239124]  ? __pfx_kthread+0x10/0x10
[   23.239144]  ret_from_fork_asm+0x1a/0x30
[   23.239174]  </TASK>
[   23.239185] 
[   23.246911] Allocated by task 228:
[   23.247036]  kasan_save_stack+0x45/0x70
[   23.247165]  kasan_save_track+0x18/0x40
[   23.247335]  kasan_save_alloc_info+0x3b/0x50
[   23.247611]  __kasan_kmalloc+0xb7/0xc0
[   23.248008]  __kmalloc_cache_noprof+0x189/0x420
[   23.248343]  kmalloc_memmove_negative_size+0xac/0x330
[   23.248739]  kunit_try_run_case+0x1a5/0x480
[   23.248958]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.249482]  kthread+0x337/0x6f0
[   23.249754]  ret_from_fork+0x116/0x1d0
[   23.249942]  ret_from_fork_asm+0x1a/0x30
[   23.250089] 
[   23.250154] The buggy address belongs to the object at ffff888105895680
[   23.250154]  which belongs to the cache kmalloc-64 of size 64
[   23.250676] The buggy address is located 4 bytes inside of
[   23.250676]  64-byte region [ffff888105895680, ffff8881058956c0)
[   23.251356] 
[   23.251481] The buggy address belongs to the physical page:
[   23.251856] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105895
[   23.252100] flags: 0x200000000000000(node=0|zone=2)
[   23.252253] page_type: f5(slab)
[   23.252376] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   23.253032] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   23.253407] page dumped because: kasan: bad access detected
[   23.253816] 
[   23.253913] Memory state around the buggy address:
[   23.254282]  ffff888105895580: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[   23.254670]  ffff888105895600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.254966] >ffff888105895680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   23.255302]                    ^
[   23.255504]  ffff888105895700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.255888]  ffff888105895780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.256179] ==================================================================

[   23.518513] ==================================================================
[   23.518944] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[   23.519490] Read of size 18446744073709551614 at addr ffff888105a09984 by task kunit_try_catch/229
[   23.520365] 
[   23.520547] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   23.520600] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.520613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.520636] Call Trace:
[   23.520650]  <TASK>
[   23.520670]  dump_stack_lvl+0x73/0xb0
[   23.520703]  print_report+0xd1/0x650
[   23.520726]  ? __virt_addr_valid+0x1db/0x2d0
[   23.520750]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.520775]  ? kasan_complete_mode_report_info+0x2a/0x200
[   23.520800]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.520846]  kasan_report+0x141/0x180
[   23.520867]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.520895]  kasan_check_range+0x10c/0x1c0
[   23.520918]  __asan_memmove+0x27/0x70
[   23.520942]  kmalloc_memmove_negative_size+0x171/0x330
[   23.520965]  ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[   23.520992]  ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[   23.521019]  kunit_try_run_case+0x1a5/0x480
[   23.521046]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.521084]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.521106]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.521128]  ? __kthread_parkme+0x82/0x180
[   23.521148]  ? preempt_count_sub+0x50/0x80
[   23.521172]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.521245]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.521269]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.521293]  kthread+0x337/0x6f0
[   23.521312]  ? trace_preempt_on+0x20/0xc0
[   23.521337]  ? __pfx_kthread+0x10/0x10
[   23.521357]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.521382]  ? calculate_sigpending+0x7b/0xa0
[   23.521405]  ? __pfx_kthread+0x10/0x10
[   23.521427]  ret_from_fork+0x116/0x1d0
[   23.521447]  ? __pfx_kthread+0x10/0x10
[   23.521467]  ret_from_fork_asm+0x1a/0x30
[   23.521498]  </TASK>
[   23.521511] 
[   23.532682] Allocated by task 229:
[   23.532886]  kasan_save_stack+0x45/0x70
[   23.533090]  kasan_save_track+0x18/0x40
[   23.533222]  kasan_save_alloc_info+0x3b/0x50
[   23.533613]  __kasan_kmalloc+0xb7/0xc0
[   23.533808]  __kmalloc_cache_noprof+0x189/0x420
[   23.534006]  kmalloc_memmove_negative_size+0xac/0x330
[   23.534212]  kunit_try_run_case+0x1a5/0x480
[   23.534457]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.534629]  kthread+0x337/0x6f0
[   23.534745]  ret_from_fork+0x116/0x1d0
[   23.534924]  ret_from_fork_asm+0x1a/0x30
[   23.535125] 
[   23.535217] The buggy address belongs to the object at ffff888105a09980
[   23.535217]  which belongs to the cache kmalloc-64 of size 64
[   23.536100] The buggy address is located 4 bytes inside of
[   23.536100]  64-byte region [ffff888105a09980, ffff888105a099c0)
[   23.536565] 
[   23.536648] The buggy address belongs to the physical page:
[   23.536897] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a09
[   23.537277] flags: 0x200000000000000(node=0|zone=2)
[   23.537564] page_type: f5(slab)
[   23.537713] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   23.538071] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   23.538357] page dumped because: kasan: bad access detected
[   23.538608] 
[   23.538697] Memory state around the buggy address:
[   23.538870]  ffff888105a09880: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
[   23.539090]  ffff888105a09900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.539352] >ffff888105a09980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   23.539698]                    ^
[   23.539858]  ffff888105a09a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.540269]  ffff888105a09a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.540512] ==================================================================