Date
July 8, 2025, 11:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (Hardware name: linux,dummy-virt):

```text
[   31.204136] ==================================================================
[   31.204369] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x154/0x2e0
[   31.204438] Read of size 18446744073709551614 at addr fff00000c9acb084 by task kunit_try_catch/211
[   31.204969]
[   31.205102] CPU: 0 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250708 #1 PREEMPT
[   31.205190] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.205235] Hardware name: linux,dummy-virt (DT)
[   31.205267] Call trace:
[   31.205311]  show_stack+0x20/0x38 (C)
[   31.205481]  dump_stack_lvl+0x8c/0xd0
[   31.205530]  print_report+0x118/0x5d0
[   31.205576]  kasan_report+0xdc/0x128
[   31.205623]  kasan_check_range+0x100/0x1a8
[   31.205669]  __asan_memmove+0x3c/0x98
[   31.205714]  kmalloc_memmove_negative_size+0x154/0x2e0
[   31.205769]  kunit_try_run_case+0x170/0x3f0
[   31.205973]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.206092]  kthread+0x328/0x630
[   31.206445]  ret_from_fork+0x10/0x20
[   31.206857]
[   31.206883] Allocated by task 211:
[   31.206963]  kasan_save_stack+0x3c/0x68
[   31.207304]  kasan_save_track+0x20/0x40
[   31.207404]  kasan_save_alloc_info+0x40/0x58
[   31.207443]  __kasan_kmalloc+0xd4/0xd8
[   31.207714]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.207819]  kmalloc_memmove_negative_size+0xb0/0x2e0
[   31.207862]  kunit_try_run_case+0x170/0x3f0
[   31.207902]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.207947]  kthread+0x328/0x630
[   31.208226]  ret_from_fork+0x10/0x20
[   31.208272]
[   31.208292] The buggy address belongs to the object at fff00000c9acb080
[   31.208292]  which belongs to the cache kmalloc-64 of size 64
[   31.208613] The buggy address is located 4 bytes inside of
[   31.208613]  64-byte region [fff00000c9acb080, fff00000c9acb0c0)
[   31.208815]
[   31.208837] The buggy address belongs to the physical page:
[   31.208932] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109acb
[   31.208988] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.209036] page_type: f5(slab)
[   31.209099] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   31.209201] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   31.209508] page dumped because: kasan: bad access detected
[   31.209650]
[   31.209726] Memory state around the buggy address:
[   31.209785]  fff00000c9acaf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.209835]  fff00000c9acb000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.209907] >fff00000c9acb080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   31.209945]                    ^
[   31.209972]  fff00000c9acb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.210014]  fff00000c9acb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.210076] ==================================================================
```
qemu-x86_64 (Hardware name: QEMU Standard PC):

```text
[   23.532676] ==================================================================
[   23.533593] BUG: KASAN: out-of-bounds in kmalloc_memmove_negative_size+0x171/0x330
[   23.534076] Read of size 18446744073709551614 at addr ffff888106335e84 by task kunit_try_catch/228
[   23.534476]
[   23.534573] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250708 #1 PREEMPT(voluntary)
[   23.534627] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.534640] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.534663] Call Trace:
[   23.534678]  <TASK>
[   23.534699]  dump_stack_lvl+0x73/0xb0
[   23.534734]  print_report+0xd1/0x610
[   23.534840]  ? __virt_addr_valid+0x1db/0x2d0
[   23.534871]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.534896]  ? kasan_complete_mode_report_info+0x2a/0x200
[   23.534925]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.534971]  kasan_report+0x141/0x180
[   23.534994]  ? kmalloc_memmove_negative_size+0x171/0x330
[   23.535025]  kasan_check_range+0x10c/0x1c0
[   23.535050]  __asan_memmove+0x27/0x70
[   23.535077]  kmalloc_memmove_negative_size+0x171/0x330
[   23.535103]  ? __pfx_kmalloc_memmove_negative_size+0x10/0x10
[   23.535129]  ? __schedule+0x10cc/0x2b60
[   23.535159]  ? __pfx_read_tsc+0x10/0x10
[   23.535184]  ? ktime_get_ts64+0x86/0x230
[   23.535213]  kunit_try_run_case+0x1a5/0x480
[   23.535251]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.535272]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.535293]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.535322]  ? __kthread_parkme+0x82/0x180
[   23.535344]  ? preempt_count_sub+0x50/0x80
[   23.535369]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.535390]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.535417]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.535444]  kthread+0x337/0x6f0
[   23.535465]  ? trace_preempt_on+0x20/0xc0
[   23.535491]  ? __pfx_kthread+0x10/0x10
[   23.535513]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.535540]  ? calculate_sigpending+0x7b/0xa0
[   23.535568]  ? __pfx_kthread+0x10/0x10
[   23.535591]  ret_from_fork+0x116/0x1d0
[   23.535611]  ? __pfx_kthread+0x10/0x10
[   23.535634]  ret_from_fork_asm+0x1a/0x30
[   23.535669]  </TASK>
[   23.535681]
[   23.545813] Allocated by task 228:
[   23.546108]  kasan_save_stack+0x45/0x70
[   23.546271]  kasan_save_track+0x18/0x40
[   23.546471]  kasan_save_alloc_info+0x3b/0x50
[   23.546681]  __kasan_kmalloc+0xb7/0xc0
[   23.546863]  __kmalloc_cache_noprof+0x189/0x420
[   23.547167]  kmalloc_memmove_negative_size+0xac/0x330
[   23.547399]  kunit_try_run_case+0x1a5/0x480
[   23.547534]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.547698]  kthread+0x337/0x6f0
[   23.547809]  ret_from_fork+0x116/0x1d0
[   23.548030]  ret_from_fork_asm+0x1a/0x30
[   23.548260]
[   23.548353] The buggy address belongs to the object at ffff888106335e80
[   23.548353]  which belongs to the cache kmalloc-64 of size 64
[   23.549140] The buggy address is located 4 bytes inside of
[   23.549140]  64-byte region [ffff888106335e80, ffff888106335ec0)
[   23.549623]
[   23.549693] The buggy address belongs to the physical page:
[   23.549862] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106335
[   23.550526] flags: 0x200000000000000(node=0|zone=2)
[   23.550939] page_type: f5(slab)
[   23.551070] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   23.551345] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   23.551678] page dumped because: kasan: bad access detected
[   23.552233]
[   23.552344] Memory state around the buggy address:
[   23.552646]  ffff888106335d80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.552955]  ffff888106335e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.553157] >ffff888106335e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   23.553637]                    ^
[   23.553804]  ffff888106335f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.554186]  ffff888106335f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.554680] ==================================================================
```