Date: July 24, 2025, 4:41 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
[ 35.423974] ==================================================================
[ 35.424027] BUG: KASAN: slab-out-of-bounds in strncpy_from_user+0x3c/0x2a0
[ 35.424082] Write of size 121 at addr fff00000c9b92400 by task kunit_try_catch/316
[ 35.424134]
[ 35.424332] CPU: 1 UID: 0 PID: 316 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250724 #1 PREEMPT
[ 35.424549] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 35.424581] Hardware name: linux,dummy-virt (DT)
[ 35.424614] Call trace:
[ 35.424732] show_stack+0x20/0x38 (C)
[ 35.424804] dump_stack_lvl+0x8c/0xd0
[ 35.424880] print_report+0x118/0x5e8
[ 35.424928] kasan_report+0xdc/0x128
[ 35.424974] kasan_check_range+0x100/0x1a8
[ 35.425040] __kasan_check_write+0x20/0x30
[ 35.425088] strncpy_from_user+0x3c/0x2a0
[ 35.425142] copy_user_test_oob+0x5c0/0xec8
[ 35.425194] kunit_try_run_case+0x170/0x3f0
[ 35.425242] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.425301] kthread+0x328/0x630
[ 35.425344] ret_from_fork+0x10/0x20
[ 35.425403]
[ 35.425429] Allocated by task 316:
[ 35.425461] kasan_save_stack+0x3c/0x68
[ 35.425500] kasan_save_track+0x20/0x40
[ 35.425541] kasan_save_alloc_info+0x40/0x58
[ 35.425582] __kasan_kmalloc+0xd4/0xd8
[ 35.425619] __kmalloc_noprof+0x198/0x4c8
[ 35.425674] kunit_kmalloc_array+0x34/0x88
[ 35.425713] copy_user_test_oob+0xac/0xec8
[ 35.426032] kunit_try_run_case+0x170/0x3f0
[ 35.426091] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.426144] kthread+0x328/0x630
[ 35.426181] ret_from_fork+0x10/0x20
[ 35.426219]
[ 35.426241] The buggy address belongs to the object at fff00000c9b92400
[ 35.426241] which belongs to the cache kmalloc-128 of size 128
[ 35.426509] The buggy address is located 0 bytes inside of
[ 35.426509] allocated 120-byte region [fff00000c9b92400, fff00000c9b92478)
[ 35.426614]
[ 35.426639] The buggy address belongs to the physical page:
[ 35.426676] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b92
[ 35.426887] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 35.427017] page_type: f5(slab)
[ 35.427091] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 35.427192] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 35.427270] page dumped because: kasan: bad access detected
[ 35.427433]
[ 35.427456] Memory state around the buggy address:
[ 35.427591] fff00000c9b92300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.427647] fff00000c9b92380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.427722] >fff00000c9b92400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 35.427813] ^
[ 35.427946] fff00000c9b92480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.428036] fff00000c9b92500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.428408] ==================================================================

[ 35.428881] ==================================================================
[ 35.428952] BUG: KASAN: slab-out-of-bounds in strncpy_from_user+0x270/0x2a0
[ 35.429019] Write of size 1 at addr fff00000c9b92478 by task kunit_try_catch/316
[ 35.429091]
[ 35.429124] CPU: 1 UID: 0 PID: 316 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250724 #1 PREEMPT
[ 35.429418] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 35.429460] Hardware name: linux,dummy-virt (DT)
[ 35.429511] Call trace:
[ 35.429537] show_stack+0x20/0x38 (C)
[ 35.429590] dump_stack_lvl+0x8c/0xd0
[ 35.429637] print_report+0x118/0x5e8
[ 35.429682] kasan_report+0xdc/0x128
[ 35.429727] __asan_report_store1_noabort+0x20/0x30
[ 35.429820] strncpy_from_user+0x270/0x2a0
[ 35.429886] copy_user_test_oob+0x5c0/0xec8
[ 35.429947] kunit_try_run_case+0x170/0x3f0
[ 35.430014] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.430068] kthread+0x328/0x630
[ 35.430133] ret_from_fork+0x10/0x20
[ 35.430183]
[ 35.430206] Allocated by task 316:
[ 35.430235] kasan_save_stack+0x3c/0x68
[ 35.430277] kasan_save_track+0x20/0x40
[ 35.430313] kasan_save_alloc_info+0x40/0x58
[ 35.430352] __kasan_kmalloc+0xd4/0xd8
[ 35.430411] __kmalloc_noprof+0x198/0x4c8
[ 35.430590] kunit_kmalloc_array+0x34/0x88
[ 35.430664] copy_user_test_oob+0xac/0xec8
[ 35.430724] kunit_try_run_case+0x170/0x3f0
[ 35.430787] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.430851] kthread+0x328/0x630
[ 35.430886] ret_from_fork+0x10/0x20
[ 35.431066]
[ 35.431188] The buggy address belongs to the object at fff00000c9b92400
[ 35.431188] which belongs to the cache kmalloc-128 of size 128
[ 35.431254] The buggy address is located 0 bytes to the right of
[ 35.431254] allocated 120-byte region [fff00000c9b92400, fff00000c9b92478)
[ 35.431443]
[ 35.431469] The buggy address belongs to the physical page:
[ 35.431507] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b92
[ 35.431564] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 35.431666] page_type: f5(slab)
[ 35.431797] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 35.431882] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 35.431985] page dumped because: kasan: bad access detected
[ 35.432064]
[ 35.432257] Memory state around the buggy address:
[ 35.432307] fff00000c9b92300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.432490] fff00000c9b92380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.432641] >fff00000c9b92400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 35.432723] ^
[ 35.432779] fff00000c9b92480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.432822] fff00000c9b92500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.433075] ==================================================================
[ 31.235146] ==================================================================
[ 31.235477] BUG: KASAN: slab-out-of-bounds in strncpy_from_user+0x1a5/0x1d0
[ 31.235943] Write of size 1 at addr ffff888105635478 by task kunit_try_catch/333
[ 31.236242]
[ 31.236375] CPU: 0 UID: 0 PID: 333 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary)
[ 31.236425] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 31.236439] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.236462] Call Trace:
[ 31.236480] <TASK>
[ 31.236497] dump_stack_lvl+0x73/0xb0
[ 31.236525] print_report+0xd1/0x640
[ 31.236549] ? __virt_addr_valid+0x1db/0x2d0
[ 31.236584] ? strncpy_from_user+0x1a5/0x1d0
[ 31.236608] ? kasan_complete_mode_report_info+0x2a/0x200
[ 31.236635] ? strncpy_from_user+0x1a5/0x1d0
[ 31.236658] kasan_report+0x141/0x180
[ 31.236682] ? strncpy_from_user+0x1a5/0x1d0
[ 31.236710] __asan_report_store1_noabort+0x1b/0x30
[ 31.236736] strncpy_from_user+0x1a5/0x1d0
[ 31.236773] copy_user_test_oob+0x760/0x10f0
[ 31.236799] ? __pfx_copy_user_test_oob+0x10/0x10
[ 31.236822] ? finish_task_switch.isra.0+0x153/0x700
[ 31.236856] ? __switch_to+0x47/0xf80
[ 31.236882] ? __schedule+0x10da/0x2b60
[ 31.236909] ? __pfx_read_tsc+0x10/0x10
[ 31.236931] ? ktime_get_ts64+0x86/0x230
[ 31.236958] kunit_try_run_case+0x1a5/0x480
[ 31.236983] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.237006] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 31.237032] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 31.237059] ? __kthread_parkme+0x82/0x180
[ 31.237079] ? preempt_count_sub+0x50/0x80
[ 31.237103] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.237129] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.237153] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 31.237188] kthread+0x337/0x6f0
[ 31.237210] ? trace_preempt_on+0x20/0xc0
[ 31.237234] ? __pfx_kthread+0x10/0x10
[ 31.237256] ? _raw_spin_unlock_irq+0x47/0x80
[ 31.237280] ? calculate_sigpending+0x7b/0xa0
[ 31.237315] ? __pfx_kthread+0x10/0x10
[ 31.237337] ret_from_fork+0x116/0x1d0
[ 31.237356] ? __pfx_kthread+0x10/0x10
[ 31.237390] ret_from_fork_asm+0x1a/0x30
[ 31.237422] </TASK>
[ 31.237434]
[ 31.244560] Allocated by task 333:
[ 31.244788] kasan_save_stack+0x45/0x70
[ 31.245058] kasan_save_track+0x18/0x40
[ 31.245250] kasan_save_alloc_info+0x3b/0x50
[ 31.245455] __kasan_kmalloc+0xb7/0xc0
[ 31.245665] __kmalloc_noprof+0x1ca/0x510
[ 31.245862] kunit_kmalloc_array+0x25/0x60
[ 31.246111] copy_user_test_oob+0xab/0x10f0
[ 31.246305] kunit_try_run_case+0x1a5/0x480
[ 31.246500] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.246748] kthread+0x337/0x6f0
[ 31.246915] ret_from_fork+0x116/0x1d0
[ 31.247093] ret_from_fork_asm+0x1a/0x30
[ 31.247229]
[ 31.247302] The buggy address belongs to the object at ffff888105635400
[ 31.247302] which belongs to the cache kmalloc-128 of size 128
[ 31.247748] The buggy address is located 0 bytes to the right of
[ 31.247748] allocated 120-byte region [ffff888105635400, ffff888105635478)
[ 31.248696]
[ 31.248799] The buggy address belongs to the physical page:
[ 31.248972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105635
[ 31.249211] flags: 0x200000000000000(node=0|zone=2)
[ 31.249369] page_type: f5(slab)
[ 31.249485] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 31.249860] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.250236] page dumped because: kasan: bad access detected
[ 31.250480]
[ 31.250569] Memory state around the buggy address:
[ 31.250792] ffff888105635300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.251242] ffff888105635380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.251545] >ffff888105635400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 31.251762] ^
[ 31.252097] ffff888105635480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.252414] ffff888105635500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.252766] ==================================================================

[ 31.211764] ==================================================================
[ 31.212410] BUG: KASAN: slab-out-of-bounds in strncpy_from_user+0x2e/0x1d0
[ 31.212776] Write of size 121 at addr ffff888105635400 by task kunit_try_catch/333
[ 31.213098]
[ 31.213185] CPU: 0 UID: 0 PID: 333 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary)
[ 31.213237] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 31.213251] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.213275] Call Trace:
[ 31.213296] <TASK>
[ 31.213317] dump_stack_lvl+0x73/0xb0
[ 31.213345] print_report+0xd1/0x640
[ 31.213370] ? __virt_addr_valid+0x1db/0x2d0
[ 31.213395] ? strncpy_from_user+0x2e/0x1d0
[ 31.213419] ? kasan_complete_mode_report_info+0x2a/0x200
[ 31.213446] ? strncpy_from_user+0x2e/0x1d0
[ 31.213470] kasan_report+0x141/0x180
[ 31.213493] ? strncpy_from_user+0x2e/0x1d0
[ 31.213520] kasan_check_range+0x10c/0x1c0
[ 31.213545] __kasan_check_write+0x18/0x20
[ 31.213569] strncpy_from_user+0x2e/0x1d0
[ 31.213605] ? __kasan_check_read+0x15/0x20
[ 31.213642] copy_user_test_oob+0x760/0x10f0
[ 31.213669] ? __pfx_copy_user_test_oob+0x10/0x10
[ 31.213693] ? finish_task_switch.isra.0+0x153/0x700
[ 31.213726] ? __switch_to+0x47/0xf80
[ 31.213755] ? __schedule+0x10da/0x2b60
[ 31.213782] ? __pfx_read_tsc+0x10/0x10
[ 31.213804] ? ktime_get_ts64+0x86/0x230
[ 31.213830] kunit_try_run_case+0x1a5/0x480
[ 31.213858] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.213883] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 31.213911] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 31.213948] ? __kthread_parkme+0x82/0x180
[ 31.213970] ? preempt_count_sub+0x50/0x80
[ 31.213995] ? __pfx_kunit_try_run_case+0x10/0x10
[ 31.214019] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.214044] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 31.214068] kthread+0x337/0x6f0
[ 31.214089] ? trace_preempt_on+0x20/0xc0
[ 31.214115] ? __pfx_kthread+0x10/0x10
[ 31.214138] ? _raw_spin_unlock_irq+0x47/0x80
[ 31.214162] ? calculate_sigpending+0x7b/0xa0
[ 31.214189] ? __pfx_kthread+0x10/0x10
[ 31.214210] ret_from_fork+0x116/0x1d0
[ 31.214231] ? __pfx_kthread+0x10/0x10
[ 31.214252] ret_from_fork_asm+0x1a/0x30
[ 31.214284] </TASK>
[ 31.214296]
[ 31.222112] Allocated by task 333:
[ 31.222410] kasan_save_stack+0x45/0x70
[ 31.222753] kasan_save_track+0x18/0x40
[ 31.223200] kasan_save_alloc_info+0x3b/0x50
[ 31.223615] __kasan_kmalloc+0xb7/0xc0
[ 31.223990] __kmalloc_noprof+0x1ca/0x510
[ 31.224379] kunit_kmalloc_array+0x25/0x60
[ 31.224761] copy_user_test_oob+0xab/0x10f0
[ 31.225257] kunit_try_run_case+0x1a5/0x480
[ 31.225409] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 31.225587] kthread+0x337/0x6f0
[ 31.225904] ret_from_fork+0x116/0x1d0
[ 31.226235] ret_from_fork_asm+0x1a/0x30
[ 31.226600]
[ 31.226751] The buggy address belongs to the object at ffff888105635400
[ 31.226751] which belongs to the cache kmalloc-128 of size 128
[ 31.227768] The buggy address is located 0 bytes inside of
[ 31.227768] allocated 120-byte region [ffff888105635400, ffff888105635478)
[ 31.228601]
[ 31.228678] The buggy address belongs to the physical page:
[ 31.228850] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105635
[ 31.229473] flags: 0x200000000000000(node=0|zone=2)
[ 31.229930] page_type: f5(slab)
[ 31.230224] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 31.230874] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.231559] page dumped because: kasan: bad access detected
[ 31.232044]
[ 31.232144] Memory state around the buggy address:
[ 31.232295] ffff888105635300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.232968] ffff888105635380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.233588] >ffff888105635400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 31.233996] ^
[ 31.234204] ffff888105635480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.234412] ffff888105635500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.234633] ==================================================================