Date
July 4, 2025, 11:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 32.656489] ==================================================================
[ 32.656559] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x204/0x250
[ 32.656685] Read of size 8 at addr fff00000c5adb378 by task kunit_try_catch/314
[ 32.656746]
[ 32.656825] CPU: 1 UID: 0 PID: 314 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT
[ 32.657066] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.657202] Hardware name: linux,dummy-virt (DT)
[ 32.657520] Call trace:
[ 32.657628] show_stack+0x20/0x38 (C)
[ 32.657691] dump_stack_lvl+0x8c/0xd0
[ 32.657804] print_report+0x118/0x608
[ 32.658016] kasan_report+0xdc/0x128
[ 32.658176] __asan_report_load8_noabort+0x20/0x30
[ 32.658234] copy_to_kernel_nofault+0x204/0x250
[ 32.658286] copy_to_kernel_nofault_oob+0x158/0x418
[ 32.658613] kunit_try_run_case+0x170/0x3f0
[ 32.658710] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.658876] kthread+0x328/0x630
[ 32.659026] ret_from_fork+0x10/0x20
[ 32.659155]
[ 32.659278] Allocated by task 314:
[ 32.659315] kasan_save_stack+0x3c/0x68
[ 32.659390] kasan_save_track+0x20/0x40
[ 32.659748] kasan_save_alloc_info+0x40/0x58
[ 32.659964] __kasan_kmalloc+0xd4/0xd8
[ 32.660564] __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.660755] copy_to_kernel_nofault_oob+0xc8/0x418
[ 32.660886] kunit_try_run_case+0x170/0x3f0
[ 32.661051] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.661101] kthread+0x328/0x630
[ 32.661489] ret_from_fork+0x10/0x20
[ 32.661559]
[ 32.661596] The buggy address belongs to the object at fff00000c5adb300
[ 32.661596] which belongs to the cache kmalloc-128 of size 128
[ 32.661713] The buggy address is located 0 bytes to the right of
[ 32.661713] allocated 120-byte region [fff00000c5adb300, fff00000c5adb378)
[ 32.661950]
[ 32.661980] The buggy address belongs to the physical page:
[ 32.662151] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105adb
[ 32.662303] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.662398] page_type: f5(slab)
[ 32.662581] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.662751] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.663177] page dumped because: kasan: bad access detected
[ 32.663318]
[ 32.663449] Memory state around the buggy address:
[ 32.663601] fff00000c5adb200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.663659] fff00000c5adb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.663722] >fff00000c5adb300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 32.663763] ^
[ 32.663857] fff00000c5adb380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.663915] fff00000c5adb400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.663956] ==================================================================
[ 32.664416] ==================================================================
[ 32.664468] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x8c/0x250
[ 32.664522] Write of size 8 at addr fff00000c5adb378 by task kunit_try_catch/314
[ 32.664575]
[ 32.664607] CPU: 1 UID: 0 PID: 314 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT
[ 32.664691] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.664748] Hardware name: linux,dummy-virt (DT)
[ 32.664782] Call trace:
[ 32.664811] show_stack+0x20/0x38 (C)
[ 32.664861] dump_stack_lvl+0x8c/0xd0
[ 32.664927] print_report+0x118/0x608
[ 32.664979] kasan_report+0xdc/0x128
[ 32.665028] kasan_check_range+0x100/0x1a8
[ 32.665076] __kasan_check_write+0x20/0x30
[ 32.665125] copy_to_kernel_nofault+0x8c/0x250
[ 32.665174] copy_to_kernel_nofault_oob+0x1bc/0x418
[ 32.665226] kunit_try_run_case+0x170/0x3f0
[ 32.665279] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.665334] kthread+0x328/0x630
[ 32.665377] ret_from_fork+0x10/0x20
[ 32.665437]
[ 32.665458] Allocated by task 314:
[ 32.665493] kasan_save_stack+0x3c/0x68
[ 32.665539] kasan_save_track+0x20/0x40
[ 32.665578] kasan_save_alloc_info+0x40/0x58
[ 32.665626] __kasan_kmalloc+0xd4/0xd8
[ 32.665674] __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.666311] copy_to_kernel_nofault_oob+0xc8/0x418
[ 32.666369] kunit_try_run_case+0x170/0x3f0
[ 32.666413] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.666460] kthread+0x328/0x630
[ 32.666548] ret_from_fork+0x10/0x20
[ 32.667583]
[ 32.667627] The buggy address belongs to the object at fff00000c5adb300
[ 32.667627] which belongs to the cache kmalloc-128 of size 128
[ 32.667712] The buggy address is located 0 bytes to the right of
[ 32.667712] allocated 120-byte region [fff00000c5adb300, fff00000c5adb378)
[ 32.667815]
[ 32.667871] The buggy address belongs to the physical page:
[ 32.667930] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105adb
[ 32.668165] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.668584] page_type: f5(slab)
[ 32.668945] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.669094] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.669273] page dumped because: kasan: bad access detected
[ 32.669477]
[ 32.669535] Memory state around the buggy address:
[ 32.669684] fff00000c5adb200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.670130] fff00000c5adb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.670212] >fff00000c5adb300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 32.670287] ^
[ 32.670423] fff00000c5adb380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.670768] fff00000c5adb400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.670851] ==================================================================
```
```
[ 29.328485] ==================================================================
[ 29.329319] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x225/0x260
[ 29.329750] Read of size 8 at addr ffff888105aacd78 by task kunit_try_catch/330
[ 29.330241]
[ 29.330372] CPU: 0 UID: 0 PID: 330 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary)
[ 29.330493] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.330511] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.330540] Call Trace:
[ 29.330559] <TASK>
[ 29.330584] dump_stack_lvl+0x73/0xb0
[ 29.330659] print_report+0xd1/0x650
[ 29.330691] ? __virt_addr_valid+0x1db/0x2d0
[ 29.330721] ? copy_to_kernel_nofault+0x225/0x260
[ 29.330750] ? kasan_complete_mode_report_info+0x2a/0x200
[ 29.330782] ? copy_to_kernel_nofault+0x225/0x260
[ 29.330810] kasan_report+0x141/0x180
[ 29.330835] ? copy_to_kernel_nofault+0x225/0x260
[ 29.330868] __asan_report_load8_noabort+0x18/0x20
[ 29.330909] copy_to_kernel_nofault+0x225/0x260
[ 29.330938] copy_to_kernel_nofault_oob+0x1ed/0x560
[ 29.330966] ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[ 29.330993] ? finish_task_switch.isra.0+0x153/0x700
[ 29.331021] ? __schedule+0x10cc/0x2b60
[ 29.331050] ? trace_hardirqs_on+0x37/0xe0
[ 29.331087] ? __pfx_read_tsc+0x10/0x10
[ 29.331115] ? ktime_get_ts64+0x86/0x230
[ 29.331146] kunit_try_run_case+0x1a5/0x480
[ 29.331179] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.331432] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.331465] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.331495] ? __kthread_parkme+0x82/0x180
[ 29.331521] ? preempt_count_sub+0x50/0x80
[ 29.331549] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.331579] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.331610] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.331638] kthread+0x337/0x6f0
[ 29.331663] ? trace_preempt_on+0x20/0xc0
[ 29.331689] ? __pfx_kthread+0x10/0x10
[ 29.331714] ? _raw_spin_unlock_irq+0x47/0x80
[ 29.331740] ? calculate_sigpending+0x7b/0xa0
[ 29.331770] ? __pfx_kthread+0x10/0x10
[ 29.331795] ret_from_fork+0x116/0x1d0
[ 29.331819] ? __pfx_kthread+0x10/0x10
[ 29.331844] ret_from_fork_asm+0x1a/0x30
[ 29.331881] </TASK>
[ 29.331897]
[ 29.343918] Allocated by task 330:
[ 29.344124] kasan_save_stack+0x45/0x70
[ 29.344460] kasan_save_track+0x18/0x40
[ 29.345109] kasan_save_alloc_info+0x3b/0x50
[ 29.345522] __kasan_kmalloc+0xb7/0xc0
[ 29.345739] __kmalloc_cache_noprof+0x189/0x420
[ 29.346333] copy_to_kernel_nofault_oob+0x12f/0x560
[ 29.346601] kunit_try_run_case+0x1a5/0x480
[ 29.346810] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.347075] kthread+0x337/0x6f0
[ 29.347226] ret_from_fork+0x116/0x1d0
[ 29.347573] ret_from_fork_asm+0x1a/0x30
[ 29.348034]
[ 29.348128] The buggy address belongs to the object at ffff888105aacd00
[ 29.348128] which belongs to the cache kmalloc-128 of size 128
[ 29.348980] The buggy address is located 0 bytes to the right of
[ 29.348980] allocated 120-byte region [ffff888105aacd00, ffff888105aacd78)
[ 29.349796]
[ 29.349908] The buggy address belongs to the physical page:
[ 29.350112] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105aac
[ 29.350512] flags: 0x200000000000000(node=0|zone=2)
[ 29.350809] page_type: f5(slab)
[ 29.351039] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 29.351596] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.351879] page dumped because: kasan: bad access detected
[ 29.352260]
[ 29.352334] Memory state around the buggy address:
[ 29.352593] ffff888105aacc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.353253] ffff888105aacc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.353637] >ffff888105aacd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 29.354028] ^
[ 29.354459] ffff888105aacd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.354802] ffff888105aace00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.355154] ==================================================================
[ 29.355961] ==================================================================
[ 29.356622] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x99/0x260
[ 29.357028] Write of size 8 at addr ffff888105aacd78 by task kunit_try_catch/330
[ 29.357530]
[ 29.357659] CPU: 0 UID: 0 PID: 330 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary)
[ 29.357752] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.357769] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.357797] Call Trace:
[ 29.357819] <TASK>
[ 29.357841] dump_stack_lvl+0x73/0xb0
[ 29.357874] print_report+0xd1/0x650
[ 29.357900] ? __virt_addr_valid+0x1db/0x2d0
[ 29.357964] ? copy_to_kernel_nofault+0x99/0x260
[ 29.358019] ? kasan_complete_mode_report_info+0x2a/0x200
[ 29.358049] ? copy_to_kernel_nofault+0x99/0x260
[ 29.358078] kasan_report+0x141/0x180
[ 29.358104] ? copy_to_kernel_nofault+0x99/0x260
[ 29.358137] kasan_check_range+0x10c/0x1c0
[ 29.358220] __kasan_check_write+0x18/0x20
[ 29.358289] copy_to_kernel_nofault+0x99/0x260
[ 29.358320] copy_to_kernel_nofault_oob+0x288/0x560
[ 29.358347] ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[ 29.358376] ? finish_task_switch.isra.0+0x153/0x700
[ 29.358416] ? __schedule+0x10cc/0x2b60
[ 29.358475] ? trace_hardirqs_on+0x37/0xe0
[ 29.358512] ? __pfx_read_tsc+0x10/0x10
[ 29.358538] ? ktime_get_ts64+0x86/0x230
[ 29.358568] kunit_try_run_case+0x1a5/0x480
[ 29.358599] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.358626] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.358654] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.358682] ? __kthread_parkme+0x82/0x180
[ 29.358707] ? preempt_count_sub+0x50/0x80
[ 29.358734] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.358763] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.358791] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.358820] kthread+0x337/0x6f0
[ 29.358843] ? trace_preempt_on+0x20/0xc0
[ 29.358868] ? __pfx_kthread+0x10/0x10
[ 29.358893] ? _raw_spin_unlock_irq+0x47/0x80
[ 29.358919] ? calculate_sigpending+0x7b/0xa0
[ 29.358947] ? __pfx_kthread+0x10/0x10
[ 29.358972] ret_from_fork+0x116/0x1d0
[ 29.358995] ? __pfx_kthread+0x10/0x10
[ 29.359020] ret_from_fork_asm+0x1a/0x30
[ 29.359055] </TASK>
[ 29.359070]
[ 29.368846] Allocated by task 330:
[ 29.369047] kasan_save_stack+0x45/0x70
[ 29.369508] kasan_save_track+0x18/0x40
[ 29.369689] kasan_save_alloc_info+0x3b/0x50
[ 29.370015] __kasan_kmalloc+0xb7/0xc0
[ 29.370325] __kmalloc_cache_noprof+0x189/0x420
[ 29.370695] copy_to_kernel_nofault_oob+0x12f/0x560
[ 29.370994] kunit_try_run_case+0x1a5/0x480
[ 29.371358] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.371806] kthread+0x337/0x6f0
[ 29.372030] ret_from_fork+0x116/0x1d0
[ 29.372226] ret_from_fork_asm+0x1a/0x30
[ 29.372453]
[ 29.372556] The buggy address belongs to the object at ffff888105aacd00
[ 29.372556] which belongs to the cache kmalloc-128 of size 128
[ 29.373462] The buggy address is located 0 bytes to the right of
[ 29.373462] allocated 120-byte region [ffff888105aacd00, ffff888105aacd78)
[ 29.374153]
[ 29.374346] The buggy address belongs to the physical page:
[ 29.374587] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105aac
[ 29.375044] flags: 0x200000000000000(node=0|zone=2)
[ 29.375445] page_type: f5(slab)
[ 29.375653] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 29.376058] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.376577] page dumped because: kasan: bad access detected
[ 29.376864]
[ 29.376965] Memory state around the buggy address:
[ 29.377223] ffff888105aacc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.377651] ffff888105aacc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.378136] >ffff888105aacd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 29.378567] ^
[ 29.378826] ffff888105aacd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.379103] ffff888105aace00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.379539] ==================================================================
```