Date
July 3, 2025, 10:10 a.m.
| Environment | |
|---|---|
| dragonboard-845c | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 40.657013] ================================================================== [ 40.668578] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0 [ 40.676258] Read of size 18446744073709551614 at addr ffff000097bcd984 by task kunit_try_catch/289 [ 40.685339] [ 40.686875] CPU: 2 UID: 0 PID: 289 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 40.686905] Tainted: [B]=BAD_PAGE, [N]=TEST [ 40.686915] Hardware name: Thundercomm Dragonboard 845c (DT) [ 40.686927] Call trace: [ 40.686935] show_stack+0x20/0x38 (C) [ 40.686953] dump_stack_lvl+0x8c/0xd0 [ 40.686975] print_report+0x118/0x608 [ 40.686995] kasan_report+0xdc/0x128 [ 40.687014] kasan_check_range+0x100/0x1a8 [ 40.687035] __asan_memmove+0x3c/0x98 [ 40.687052] kmalloc_memmove_negative_size+0x154/0x2e0 [ 40.687072] kunit_try_run_case+0x170/0x3f0 [ 40.687090] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 40.687114] kthread+0x328/0x630 [ 40.687130] ret_from_fork+0x10/0x20 [ 40.687149] [ 40.756827] Allocated by task 289: [ 40.760294] kasan_save_stack+0x3c/0x68 [ 40.764201] kasan_save_track+0x20/0x40 [ 40.768106] kasan_save_alloc_info+0x40/0x58 [ 40.772452] __kasan_kmalloc+0xd4/0xd8 [ 40.776269] __kmalloc_cache_noprof+0x16c/0x3c0 [ 40.780877] kmalloc_memmove_negative_size+0xb0/0x2e0 [ 40.786013] kunit_try_run_case+0x170/0x3f0 [ 40.790274] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 40.795845] kthread+0x328/0x630 [ 40.799132] ret_from_fork+0x10/0x20 [ 40.802776] [ 40.804307] The buggy address belongs to the object at ffff000097bcd980 [ 40.804307] which belongs to the cache kmalloc-64 of size 64 [ 40.816798] The buggy address is located 4 bytes inside of [ 40.816798] 64-byte region [ffff000097bcd980, ffff000097bcd9c0) [ 40.828415] [ 40.829948] The buggy address belongs to the physical page: [ 40.835594] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117bcd [ 40.843699] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 40.850324] page_type: f5(slab) [ 40.853526] raw: 0bfffe0000000000 ffff0000800028c0 dead000000000122 0000000000000000 [ 40.861372] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 40.869216] page dumped because: kasan: bad access detected [ 40.874862] [ 40.876392] Memory state around the buggy address: [ 40.881250] ffff000097bcd880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 40.888564] ffff000097bcd900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 40.895881] >ffff000097bcd980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 40.903195] ^ [ 40.906479] ffff000097bcda00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 40.913794] ffff000097bcda80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 40.921106] ==================================================================
[ 31.158097] ================================================================== [ 31.158169] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0 [ 31.158230] Read of size 18446744073709551614 at addr fff00000c5a6ac84 by task kunit_try_catch/212 [ 31.158311] [ 31.158346] CPU: 0 UID: 0 PID: 212 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 31.158801] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.158947] Hardware name: linux,dummy-virt (DT) [ 31.158989] Call trace: [ 31.159032] show_stack+0x20/0x38 (C) [ 31.159084] dump_stack_lvl+0x8c/0xd0 [ 31.159145] print_report+0x118/0x608 [ 31.159191] kasan_report+0xdc/0x128 [ 31.159236] kasan_check_range+0x100/0x1a8 [ 31.159600] __asan_memmove+0x3c/0x98 [ 31.159670] kmalloc_memmove_negative_size+0x154/0x2e0 [ 31.159723] kunit_try_run_case+0x170/0x3f0 [ 31.159785] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.159851] kthread+0x328/0x630 [ 31.159891] ret_from_fork+0x10/0x20 [ 31.160330] [ 31.160413] Allocated by task 212: [ 31.160473] kasan_save_stack+0x3c/0x68 [ 31.160608] kasan_save_track+0x20/0x40 [ 31.160652] kasan_save_alloc_info+0x40/0x58 [ 31.160696] __kasan_kmalloc+0xd4/0xd8 [ 31.161003] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.161209] kmalloc_memmove_negative_size+0xb0/0x2e0 [ 31.161549] kunit_try_run_case+0x170/0x3f0 [ 31.161622] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.161823] kthread+0x328/0x630 [ 31.162142] ret_from_fork+0x10/0x20 [ 31.162289] [ 31.162474] The buggy address belongs to the object at fff00000c5a6ac80 [ 31.162474] which belongs to the cache kmalloc-64 of size 64 [ 31.162669] The buggy address is located 4 bytes inside of [ 31.162669] 64-byte region [fff00000c5a6ac80, fff00000c5a6acc0) [ 31.162901] [ 31.163100] The buggy address belongs to the physical page: [ 31.163182] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a6a [ 31.163431] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.163657] page_type: f5(slab) [ 31.163728] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 31.163866] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.164054] page dumped because: kasan: bad access detected [ 31.164114] [ 31.164218] Memory state around the buggy address: [ 31.164252] fff00000c5a6ab80: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc [ 31.164440] fff00000c5a6ac00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.164683] >fff00000c5a6ac80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 31.164830] ^ [ 31.164997] fff00000c5a6ad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.165052] fff00000c5a6ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.165233] ==================================================================
[ 23.331528] ================================================================== [ 23.331991] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330 [ 23.332359] Read of size 18446744073709551614 at addr ffff888104bb9784 by task kunit_try_catch/229 [ 23.332761] [ 23.332857] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) [ 23.332902] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.332915] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.332936] Call Trace: [ 23.332948] <TASK> [ 23.332963] dump_stack_lvl+0x73/0xb0 [ 23.332992] print_report+0xd1/0x650 [ 23.333013] ? __virt_addr_valid+0x1db/0x2d0 [ 23.333038] ? kmalloc_memmove_negative_size+0x171/0x330 [ 23.333061] ? kasan_complete_mode_report_info+0x2a/0x200 [ 23.333085] ? kmalloc_memmove_negative_size+0x171/0x330 [ 23.333125] kasan_report+0x141/0x180 [ 23.333146] ? kmalloc_memmove_negative_size+0x171/0x330 [ 23.333174] kasan_check_range+0x10c/0x1c0 [ 23.333197] __asan_memmove+0x27/0x70 [ 23.333231] kmalloc_memmove_negative_size+0x171/0x330 [ 23.333254] ? __pfx_kmalloc_memmove_negative_size+0x10/0x10 [ 23.333278] ? __schedule+0x10cc/0x2b60 [ 23.333303] ? __pfx_read_tsc+0x10/0x10 [ 23.333324] ? ktime_get_ts64+0x86/0x230 [ 23.333349] kunit_try_run_case+0x1a5/0x480 [ 23.333374] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.333397] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.333418] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.333443] ? __kthread_parkme+0x82/0x180 [ 23.333477] ? preempt_count_sub+0x50/0x80 [ 23.333501] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.333525] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.333548] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.333571] kthread+0x337/0x6f0 [ 23.333591] ? trace_preempt_on+0x20/0xc0 [ 23.333615] ? __pfx_kthread+0x10/0x10 [ 23.333635] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.333658] ? calculate_sigpending+0x7b/0xa0 [ 23.333681] ? __pfx_kthread+0x10/0x10 [ 23.333703] ret_from_fork+0x116/0x1d0 [ 23.333721] ? __pfx_kthread+0x10/0x10 [ 23.333741] ret_from_fork_asm+0x1a/0x30 [ 23.333772] </TASK> [ 23.333784] [ 23.340741] Allocated by task 229: [ 23.340898] kasan_save_stack+0x45/0x70 [ 23.341080] kasan_save_track+0x18/0x40 [ 23.341290] kasan_save_alloc_info+0x3b/0x50 [ 23.341474] __kasan_kmalloc+0xb7/0xc0 [ 23.341638] __kmalloc_cache_noprof+0x189/0x420 [ 23.341795] kmalloc_memmove_negative_size+0xac/0x330 [ 23.342016] kunit_try_run_case+0x1a5/0x480 [ 23.342223] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.342470] kthread+0x337/0x6f0 [ 23.342610] ret_from_fork+0x116/0x1d0 [ 23.342760] ret_from_fork_asm+0x1a/0x30 [ 23.342913] [ 23.343001] The buggy address belongs to the object at ffff888104bb9780 [ 23.343001] which belongs to the cache kmalloc-64 of size 64 [ 23.343541] The buggy address is located 4 bytes inside of [ 23.343541] 64-byte region [ffff888104bb9780, ffff888104bb97c0) [ 23.343968] [ 23.344054] The buggy address belongs to the physical page: [ 23.344223] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104bb9 [ 23.344462] flags: 0x200000000000000(node=0|zone=2) [ 23.344619] page_type: f5(slab) [ 23.344734] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 [ 23.344991] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 23.345311] page dumped because: kasan: bad access detected [ 23.345577] [ 23.345669] Memory state around the buggy address: [ 23.345909] ffff888104bb9680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.346378] ffff888104bb9700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.346593] >ffff888104bb9780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 23.346794] ^ [ 23.346901] ffff888104bb9800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.347104] ffff888104bb9880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.348098] ==================================================================