Date
July 17, 2025, 10:12 a.m.
Environment | Kernel | Hardware name (from the log)
---|---|---
qemu-arm64 | 6.16.0-rc6-next-20250717 #1 PREEMPT | linux,dummy-virt (DT)
qemu-x86_64 | 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary) | QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2
qemu-arm64:

[ 32.394638] ==================================================================
[ 32.394745] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x204/0x250
[ 32.394832] Read of size 8 at addr fff00000c98f2d78 by task kunit_try_catch/312
[ 32.394901]
[ 32.394977] CPU: 0 UID: 0 PID: 312 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT
[ 32.395078] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.395107] Hardware name: linux,dummy-virt (DT)
[ 32.395140] Call trace:
[ 32.395322]  show_stack+0x20/0x38 (C)
[ 32.395375]  dump_stack_lvl+0x8c/0xd0
[ 32.395427]  print_report+0x118/0x5d0
[ 32.395510]  kasan_report+0xdc/0x128
[ 32.395569]  __asan_report_load8_noabort+0x20/0x30
[ 32.395621]  copy_to_kernel_nofault+0x204/0x250
[ 32.395693]  copy_to_kernel_nofault_oob+0x158/0x418
[ 32.395746]  kunit_try_run_case+0x170/0x3f0
[ 32.395820]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.395901]  kthread+0x328/0x630
[ 32.395961]  ret_from_fork+0x10/0x20
[ 32.396010]
[ 32.396032] Allocated by task 312:
[ 32.396072]  kasan_save_stack+0x3c/0x68
[ 32.396235]  kasan_save_track+0x20/0x40
[ 32.396284]  kasan_save_alloc_info+0x40/0x58
[ 32.396335]  __kasan_kmalloc+0xd4/0xd8
[ 32.396392]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.396444]  copy_to_kernel_nofault_oob+0xc8/0x418
[ 32.396587]  kunit_try_run_case+0x170/0x3f0
[ 32.396671]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.396782]  kthread+0x328/0x630
[ 32.396893]  ret_from_fork+0x10/0x20
[ 32.397028]
[ 32.397122] The buggy address belongs to the object at fff00000c98f2d00
[ 32.397122]  which belongs to the cache kmalloc-128 of size 128
[ 32.397224] The buggy address is located 0 bytes to the right of
[ 32.397224]  allocated 120-byte region [fff00000c98f2d00, fff00000c98f2d78)
[ 32.397321]
[ 32.397344] The buggy address belongs to the physical page:
[ 32.397378] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1098f2
[ 32.397662] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.397712] page_type: f5(slab)
[ 32.397755] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.397884] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.397979] page dumped because: kasan: bad access detected
[ 32.398061]
[ 32.398089] Memory state around the buggy address:
[ 32.398135]  fff00000c98f2c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.398181]  fff00000c98f2c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.398233] >fff00000c98f2d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 32.398282]                                                                 ^
[ 32.398335]  fff00000c98f2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.398379]  fff00000c98f2e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.398420] ==================================================================
[ 32.398657] ==================================================================
[ 32.398856] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x8c/0x250
[ 32.399082] Write of size 8 at addr fff00000c98f2d78 by task kunit_try_catch/312
[ 32.399136]
[ 32.399184] CPU: 0 UID: 0 PID: 312 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT
[ 32.399287] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.399420] Hardware name: linux,dummy-virt (DT)
[ 32.399463] Call trace:
[ 32.399597]  show_stack+0x20/0x38 (C)
[ 32.399649]  dump_stack_lvl+0x8c/0xd0
[ 32.399714]  print_report+0x118/0x5d0
[ 32.399813]  kasan_report+0xdc/0x128
[ 32.399885]  kasan_check_range+0x100/0x1a8
[ 32.399936]  __kasan_check_write+0x20/0x30
[ 32.399989]  copy_to_kernel_nofault+0x8c/0x250
[ 32.400090]  copy_to_kernel_nofault_oob+0x1bc/0x418
[ 32.400163]  kunit_try_run_case+0x170/0x3f0
[ 32.400227]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.400297]  kthread+0x328/0x630
[ 32.400379]  ret_from_fork+0x10/0x20
[ 32.400586]
[ 32.400715] Allocated by task 312:
[ 32.400775]  kasan_save_stack+0x3c/0x68
[ 32.400851]  kasan_save_track+0x20/0x40
[ 32.400994]  kasan_save_alloc_info+0x40/0x58
[ 32.401429]  __kasan_kmalloc+0xd4/0xd8
[ 32.401476]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.401520]  copy_to_kernel_nofault_oob+0xc8/0x418
[ 32.401561]  kunit_try_run_case+0x170/0x3f0
[ 32.401600]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.401645]  kthread+0x328/0x630
[ 32.401678]  ret_from_fork+0x10/0x20
[ 32.401716]
[ 32.401739] The buggy address belongs to the object at fff00000c98f2d00
[ 32.401739]  which belongs to the cache kmalloc-128 of size 128
[ 32.401799] The buggy address is located 0 bytes to the right of
[ 32.401799]  allocated 120-byte region [fff00000c98f2d00, fff00000c98f2d78)
[ 32.401867]
[ 32.401888] The buggy address belongs to the physical page:
[ 32.401920] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1098f2
[ 32.401974] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.402022] page_type: f5(slab)
[ 32.402076] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.402129] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.402171] page dumped because: kasan: bad access detected
[ 32.402204]
[ 32.402269] Memory state around the buggy address:
[ 32.402318]  fff00000c98f2c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.402365]  fff00000c98f2c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.402422] >fff00000c98f2d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 32.402471]                                                                 ^
[ 32.402514]  fff00000c98f2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.402573]  fff00000c98f2e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.402630] ==================================================================
qemu-x86_64:

[ 29.493835] ==================================================================
[ 29.494643] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x225/0x260
[ 29.495435] Read of size 8 at addr ffff88810618b478 by task kunit_try_catch/330
[ 29.496376]
[ 29.496704] CPU: 0 UID: 0 PID: 330 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary)
[ 29.496764] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.496777] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.496800] Call Trace:
[ 29.496814]  <TASK>
[ 29.496835]  dump_stack_lvl+0x73/0xb0
[ 29.496870]  print_report+0xd1/0x610
[ 29.496895]  ? __virt_addr_valid+0x1db/0x2d0
[ 29.496920]  ? copy_to_kernel_nofault+0x225/0x260
[ 29.496944]  ? kasan_complete_mode_report_info+0x2a/0x200
[ 29.496971]  ? copy_to_kernel_nofault+0x225/0x260
[ 29.496995]  kasan_report+0x141/0x180
[ 29.497017]  ? copy_to_kernel_nofault+0x225/0x260
[ 29.497047]  __asan_report_load8_noabort+0x18/0x20
[ 29.497072]  copy_to_kernel_nofault+0x225/0x260
[ 29.497110]  copy_to_kernel_nofault_oob+0x1ed/0x560
[ 29.497264]  ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[ 29.497319]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 29.497348]  ? trace_hardirqs_on+0x37/0xe0
[ 29.497381]  ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[ 29.497409]  kunit_try_run_case+0x1a5/0x480
[ 29.497436]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.497459]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.497483]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.497508]  ? __kthread_parkme+0x82/0x180
[ 29.497533]  ? preempt_count_sub+0x50/0x80
[ 29.497557]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.497581]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.497605]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.497629]  kthread+0x337/0x6f0
[ 29.497649]  ? trace_preempt_on+0x20/0xc0
[ 29.497673]  ? __pfx_kthread+0x10/0x10
[ 29.497694]  ? _raw_spin_unlock_irq+0x47/0x80
[ 29.497717]  ? calculate_sigpending+0x7b/0xa0
[ 29.497741]  ? __pfx_kthread+0x10/0x10
[ 29.497763]  ret_from_fork+0x116/0x1d0
[ 29.497783]  ? __pfx_kthread+0x10/0x10
[ 29.497804]  ret_from_fork_asm+0x1a/0x30
[ 29.497836]  </TASK>
[ 29.497848]
[ 29.509765] Allocated by task 330:
[ 29.510155]  kasan_save_stack+0x45/0x70
[ 29.510618]  kasan_save_track+0x18/0x40
[ 29.511070]  kasan_save_alloc_info+0x3b/0x50
[ 29.511489]  __kasan_kmalloc+0xb7/0xc0
[ 29.511784]  __kmalloc_cache_noprof+0x189/0x420
[ 29.511934]  copy_to_kernel_nofault_oob+0x12f/0x560
[ 29.512095]  kunit_try_run_case+0x1a5/0x480
[ 29.512230]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.512847]  kthread+0x337/0x6f0
[ 29.513313]  ret_from_fork+0x116/0x1d0
[ 29.513766]  ret_from_fork_asm+0x1a/0x30
[ 29.514169]
[ 29.514329] The buggy address belongs to the object at ffff88810618b400
[ 29.514329]  which belongs to the cache kmalloc-128 of size 128
[ 29.515588] The buggy address is located 0 bytes to the right of
[ 29.515588]  allocated 120-byte region [ffff88810618b400, ffff88810618b478)
[ 29.516740]
[ 29.516878] The buggy address belongs to the physical page:
[ 29.517447] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10618b
[ 29.517772] flags: 0x200000000000000(node=0|zone=2)
[ 29.518310] page_type: f5(slab)
[ 29.518728] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 29.519209] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.519720] page dumped because: kasan: bad access detected
[ 29.520055]
[ 29.520131] Memory state around the buggy address:
[ 29.520306]  ffff88810618b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.520826]  ffff88810618b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.521306] >ffff88810618b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 29.521508]                                                                 ^
[ 29.521852]  ffff88810618b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.522698]  ffff88810618b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.523337] ==================================================================
[ 29.524380] ==================================================================
[ 29.525066] BUG: KASAN: slab-out-of-bounds in copy_to_kernel_nofault+0x99/0x260
[ 29.525721] Write of size 8 at addr ffff88810618b478 by task kunit_try_catch/330
[ 29.525955]
[ 29.526034] CPU: 0 UID: 0 PID: 330 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary)
[ 29.526096] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.526109] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.526131] Call Trace:
[ 29.526144]  <TASK>
[ 29.526160]  dump_stack_lvl+0x73/0xb0
[ 29.526190]  print_report+0xd1/0x610
[ 29.526213]  ? __virt_addr_valid+0x1db/0x2d0
[ 29.526236]  ? copy_to_kernel_nofault+0x99/0x260
[ 29.526292]  ? kasan_complete_mode_report_info+0x2a/0x200
[ 29.526319]  ? copy_to_kernel_nofault+0x99/0x260
[ 29.526343]  kasan_report+0x141/0x180
[ 29.526365]  ? copy_to_kernel_nofault+0x99/0x260
[ 29.526530]  kasan_check_range+0x10c/0x1c0
[ 29.526561]  __kasan_check_write+0x18/0x20
[ 29.526585]  copy_to_kernel_nofault+0x99/0x260
[ 29.526611]  copy_to_kernel_nofault_oob+0x288/0x560
[ 29.526636]  ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[ 29.526659]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 29.526685]  ? trace_hardirqs_on+0x37/0xe0
[ 29.526718]  ? __pfx_copy_to_kernel_nofault_oob+0x10/0x10
[ 29.526745]  kunit_try_run_case+0x1a5/0x480
[ 29.526771]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.526794]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.526817]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.526841]  ? __kthread_parkme+0x82/0x180
[ 29.526866]  ? preempt_count_sub+0x50/0x80
[ 29.526890]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.526913]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.526937]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.526960]  kthread+0x337/0x6f0
[ 29.526980]  ? trace_preempt_on+0x20/0xc0
[ 29.527002]  ? __pfx_kthread+0x10/0x10
[ 29.527023]  ? _raw_spin_unlock_irq+0x47/0x80
[ 29.527045]  ? calculate_sigpending+0x7b/0xa0
[ 29.527069]  ? __pfx_kthread+0x10/0x10
[ 29.527105]  ret_from_fork+0x116/0x1d0
[ 29.527124]  ? __pfx_kthread+0x10/0x10
[ 29.527145]  ret_from_fork_asm+0x1a/0x30
[ 29.527177]  </TASK>
[ 29.527188]
[ 29.540892] Allocated by task 330:
[ 29.541106]  kasan_save_stack+0x45/0x70
[ 29.541340]  kasan_save_track+0x18/0x40
[ 29.541577]  kasan_save_alloc_info+0x3b/0x50
[ 29.541726]  __kasan_kmalloc+0xb7/0xc0
[ 29.541930]  __kmalloc_cache_noprof+0x189/0x420
[ 29.542183]  copy_to_kernel_nofault_oob+0x12f/0x560
[ 29.542410]  kunit_try_run_case+0x1a5/0x480
[ 29.542666]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.542861]  kthread+0x337/0x6f0
[ 29.542983]  ret_from_fork+0x116/0x1d0
[ 29.543180]  ret_from_fork_asm+0x1a/0x30
[ 29.543390]
[ 29.543497] The buggy address belongs to the object at ffff88810618b400
[ 29.543497]  which belongs to the cache kmalloc-128 of size 128
[ 29.544052] The buggy address is located 0 bytes to the right of
[ 29.544052]  allocated 120-byte region [ffff88810618b400, ffff88810618b478)
[ 29.544610]
[ 29.544707] The buggy address belongs to the physical page:
[ 29.544901] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10618b
[ 29.545260] flags: 0x200000000000000(node=0|zone=2)
[ 29.545491] page_type: f5(slab)
[ 29.545662] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 29.545891] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.546124] page dumped because: kasan: bad access detected
[ 29.546376]
[ 29.546474] Memory state around the buggy address:
[ 29.546702]  ffff88810618b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.547045]  ffff88810618b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.547411] >ffff88810618b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 29.547800]                                                                 ^
[ 29.548095]  ffff88810618b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.548576]  ffff88810618b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.548883] ==================================================================
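Reading the "Memory state" rows above is the quickest way to confirm what the reports say: the 120-byte allocation in a kmalloc-128 slot gets fifteen 00 shadow bytes (fifteen fully usable 8-byte granules) followed by one fc byte for the unused tail, and the 8-byte read and write at offset 120 land exactly on that fc granule, "0 bytes to the right of" the region. The program below is an added example written for this page, not code from the kernel or from the KUnit case `copy_to_kernel_nofault_oob` that produced the trace; it re-derives the generic-mode KASAN shadow row for a given allocation and checks whether an access would be reported. The granule size (8), the partial-granule encoding (1..7 = number of usable leading bytes) and the 0xfc redzone value are the generic KASAN encoding as this editor understands it; the user-space types and the caret helper are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic KASAN: one shadow byte covers 8 bytes of memory. */
#define KASAN_GRANULE 8
#define SHADOW_ADDRESSABLE 0x00
#define SHADOW_SLAB_REDZONE 0xFC   /* "fc" in the report: unused slab tail/redzone */

/*
 * Build the shadow bytes for one slab object of `cache_size` bytes that
 * holds an allocation of `alloc_size` bytes. Fully usable granules are 00,
 * a partially usable granule stores how many of its leading bytes may be
 * touched (1..7), and everything past the allocation is redzone (fc).
 * Returns the number of shadow bytes written (at most `cap`).
 */
size_t kasan_shadow_for_object(size_t alloc_size, size_t cache_size,
                               uint8_t *shadow, size_t cap)
{
    size_t n = cache_size / KASAN_GRANULE;
    if (n > cap)
        n = cap;
    for (size_t g = 0; g < n; g++) {
        size_t start = g * KASAN_GRANULE;
        if (start + KASAN_GRANULE <= alloc_size)
            shadow[g] = SHADOW_ADDRESSABLE;
        else if (start < alloc_size)
            shadow[g] = (uint8_t)(alloc_size - start);  /* partial granule */
        else
            shadow[g] = SHADOW_SLAB_REDZONE;
    }
    return n;
}

/*
 * Would KASAN report the access [offset, offset + size) inside this object?
 * Per granule: shadow 0 means fully addressable; a value >= 8 (fc, fb, fa, ...)
 * is poison; a value 1..7 is poison only if the last byte touched in that
 * granule sits at or beyond that many bytes from the granule start.
 */
bool kasan_access_poisoned(const uint8_t *shadow, size_t nshadow,
                           size_t offset, size_t size)
{
    if (size == 0)
        return false;
    size_t first = offset / KASAN_GRANULE;
    size_t last = (offset + size - 1) / KASAN_GRANULE;
    for (size_t g = first; g <= last; g++) {
        if (g >= nshadow)
            return true;                       /* beyond the object entirely */
        uint8_t s = shadow[g];
        if (s == SHADOW_ADDRESSABLE)
            continue;
        if (s >= KASAN_GRANULE)
            return true;                       /* redzone / freed / other poison */
        size_t last_byte_in_granule = (g == last) ? (offset + size - 1) % KASAN_GRANULE
                                                  : KASAN_GRANULE - 1;
        if (last_byte_in_granule >= s)
            return true;
    }
    return false;
}

/* Which shadow byte of the object row the report's '^' points at. */
size_t kasan_caret_index(size_t offset)
{
    return offset / KASAN_GRANULE;
}

int main(void)
{
    /* The case from the report: 120 bytes allocated from kmalloc-128,
     * then an 8-byte read and write at offset 120 (the end of the region). */
    uint8_t shadow[16];
    size_t n = kasan_shadow_for_object(120, 128, shadow, sizeof shadow);

    printf("shadow row:");
    for (size_t i = 0; i < n; i++)
        printf(" %02x", shadow[i]);
    printf("\n");

    printf("access [120,128): %s (caret under shadow byte %zu)\n",
           kasan_access_poisoned(shadow, n, 120, 8) ? "poisoned" : "ok",
           kasan_caret_index(120));
    printf("access [112,120): %s\n",
           kasan_access_poisoned(shadow, n, 112, 8) ? "poisoned" : "ok");
    return 0;
}
```

Run stand-alone it prints the same fifteen `00` bytes and one `fc` as the kernel's row, reports the access at offset 120 as poisoned under shadow byte 15 (where the `^` sits in the report), and accepts the last in-bounds qword at offset 112. Changing the allocation to a size that is not a multiple of 8 (say 117) shows the partial-granule case, where the fifteenth shadow byte becomes `05` and a two-byte access at offset 116 is still caught.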