Date
July 2, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-x86_64 |
[ 27.183955] ================================================================== [ 27.184363] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x3c/0x70 [ 27.184675] Read of size 121 at addr ffff88810255ef00 by task kunit_try_catch/334 [ 27.185035] [ 27.185162] CPU: 0 UID: 0 PID: 334 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 27.185220] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.185236] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.185262] Call Trace: [ 27.185287] <TASK> [ 27.185311] dump_stack_lvl+0x73/0xb0 [ 27.185345] print_report+0xd1/0x650 [ 27.185372] ? __virt_addr_valid+0x1db/0x2d0 [ 27.185401] ? _copy_to_user+0x3c/0x70 [ 27.185425] ? kasan_complete_mode_report_info+0x2a/0x200 [ 27.185455] ? _copy_to_user+0x3c/0x70 [ 27.185478] kasan_report+0x141/0x180 [ 27.185503] ? _copy_to_user+0x3c/0x70 [ 27.185531] kasan_check_range+0x10c/0x1c0 [ 27.185557] __kasan_check_read+0x15/0x20 [ 27.185582] _copy_to_user+0x3c/0x70 [ 27.185606] copy_user_test_oob+0x364/0x10f0 [ 27.185635] ? __pfx_copy_user_test_oob+0x10/0x10 [ 27.185660] ? finish_task_switch.isra.0+0x153/0x700 [ 27.185686] ? __switch_to+0x47/0xf50 [ 27.185716] ? __schedule+0x10cc/0x2b60 [ 27.185741] ? __pfx_read_tsc+0x10/0x10 [ 27.185765] ? ktime_get_ts64+0x86/0x230 [ 27.185795] kunit_try_run_case+0x1a5/0x480 [ 27.185829] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.185856] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 27.185881] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.185907] ? __kthread_parkme+0x82/0x180 [ 27.185954] ? preempt_count_sub+0x50/0x80 [ 27.185980] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.186008] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.186037] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.186074] kthread+0x337/0x6f0 [ 27.186097] ? trace_preempt_on+0x20/0xc0 [ 27.186124] ? __pfx_kthread+0x10/0x10 [ 27.186147] ? _raw_spin_unlock_irq+0x47/0x80 [ 27.186175] ? calculate_sigpending+0x7b/0xa0 [ 27.186203] ? __pfx_kthread+0x10/0x10 [ 27.186228] ret_from_fork+0x116/0x1d0 [ 27.186249] ? __pfx_kthread+0x10/0x10 [ 27.186273] ret_from_fork_asm+0x1a/0x30 [ 27.186308] </TASK> [ 27.186324] [ 27.193569] Allocated by task 334: [ 27.193717] kasan_save_stack+0x45/0x70 [ 27.193954] kasan_save_track+0x18/0x40 [ 27.194128] kasan_save_alloc_info+0x3b/0x50 [ 27.194330] __kasan_kmalloc+0xb7/0xc0 [ 27.194463] __kmalloc_noprof+0x1c9/0x500 [ 27.194608] kunit_kmalloc_array+0x25/0x60 [ 27.194754] copy_user_test_oob+0xab/0x10f0 [ 27.194991] kunit_try_run_case+0x1a5/0x480 [ 27.195216] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.195466] kthread+0x337/0x6f0 [ 27.195586] ret_from_fork+0x116/0x1d0 [ 27.195718] ret_from_fork_asm+0x1a/0x30 [ 27.195858] [ 27.195953] The buggy address belongs to the object at ffff88810255ef00 [ 27.195953] which belongs to the cache kmalloc-128 of size 128 [ 27.196514] The buggy address is located 0 bytes inside of [ 27.196514] allocated 120-byte region [ffff88810255ef00, ffff88810255ef78) [ 27.197091] [ 27.197166] The buggy address belongs to the physical page: [ 27.197344] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10255e [ 27.197592] flags: 0x200000000000000(node=0|zone=2) [ 27.197762] page_type: f5(slab) [ 27.197945] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 27.198300] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 27.198640] page dumped because: kasan: bad access detected [ 27.198893] [ 27.199011] Memory state around the buggy address: [ 27.199250] ffff88810255ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.199538] ffff88810255ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.199757] >ffff88810255ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 27.199999] ^ [ 27.200334] ffff88810255ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.200666] ffff88810255f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.201015] ==================================================================
[ 26.967577] ================================================================== [ 26.967951] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x3c/0x70 [ 26.968233] Read of size 121 at addr ffff888105898a00 by task kunit_try_catch/333 [ 26.968529] [ 26.968657] CPU: 0 UID: 0 PID: 333 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 26.968711] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.968725] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.968750] Call Trace: [ 26.968783] <TASK> [ 26.968802] dump_stack_lvl+0x73/0xb0 [ 26.968835] print_report+0xd1/0x650 [ 26.968858] ? __virt_addr_valid+0x1db/0x2d0 [ 26.968883] ? _copy_to_user+0x3c/0x70 [ 26.968905] ? kasan_complete_mode_report_info+0x2a/0x200 [ 26.968933] ? _copy_to_user+0x3c/0x70 [ 26.968954] kasan_report+0x141/0x180 [ 26.968976] ? _copy_to_user+0x3c/0x70 [ 26.969004] kasan_check_range+0x10c/0x1c0 [ 26.969028] __kasan_check_read+0x15/0x20 [ 26.969052] _copy_to_user+0x3c/0x70 [ 26.969073] copy_user_test_oob+0x364/0x10f0 [ 26.969099] ? __pfx_copy_user_test_oob+0x10/0x10 [ 26.969145] ? finish_task_switch.isra.0+0x153/0x700 [ 26.969171] ? __switch_to+0x47/0xf50 [ 26.969199] ? __schedule+0x10cc/0x2b60 [ 26.969222] ? __pfx_read_tsc+0x10/0x10 [ 26.969245] ? ktime_get_ts64+0x86/0x230 [ 26.969272] kunit_try_run_case+0x1a5/0x480 [ 26.969298] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.969334] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.969356] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.969379] ? __kthread_parkme+0x82/0x180 [ 26.969401] ? preempt_count_sub+0x50/0x80 [ 26.969424] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.969450] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.969476] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.969510] kthread+0x337/0x6f0 [ 26.969531] ? trace_preempt_on+0x20/0xc0 [ 26.969556] ? __pfx_kthread+0x10/0x10 [ 26.969577] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.969602] ? calculate_sigpending+0x7b/0xa0 [ 26.969628] ? __pfx_kthread+0x10/0x10 [ 26.969651] ret_from_fork+0x116/0x1d0 [ 26.969671] ? __pfx_kthread+0x10/0x10 [ 26.969692] ret_from_fork_asm+0x1a/0x30 [ 26.969726] </TASK> [ 26.969743] [ 26.976601] Allocated by task 333: [ 26.976724] kasan_save_stack+0x45/0x70 [ 26.977025] kasan_save_track+0x18/0x40 [ 26.977218] kasan_save_alloc_info+0x3b/0x50 [ 26.977461] __kasan_kmalloc+0xb7/0xc0 [ 26.977650] __kmalloc_noprof+0x1c9/0x500 [ 26.977978] kunit_kmalloc_array+0x25/0x60 [ 26.978138] copy_user_test_oob+0xab/0x10f0 [ 26.978278] kunit_try_run_case+0x1a5/0x480 [ 26.978428] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.978852] kthread+0x337/0x6f0 [ 26.979018] ret_from_fork+0x116/0x1d0 [ 26.979204] ret_from_fork_asm+0x1a/0x30 [ 26.979405] [ 26.979513] The buggy address belongs to the object at ffff888105898a00 [ 26.979513] which belongs to the cache kmalloc-128 of size 128 [ 26.979899] The buggy address is located 0 bytes inside of [ 26.979899] allocated 120-byte region [ffff888105898a00, ffff888105898a78) [ 26.980313] [ 26.980406] The buggy address belongs to the physical page: [ 26.980845] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105898 [ 26.981223] flags: 0x200000000000000(node=0|zone=2) [ 26.981462] page_type: f5(slab) [ 26.981641] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.981957] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.982179] page dumped because: kasan: bad access detected [ 26.982359] [ 26.982426] Memory state around the buggy address: [ 26.982659] ffff888105898900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.982972] ffff888105898980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.983233] >ffff888105898a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 26.983450] ^ [ 26.983672] ffff888105898a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.983988] ffff888105898b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.984304] ==================================================================