Date
July 25, 2025, 3:13 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.931011] ================================================================== [ 31.931129] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x2ec/0x320 [ 31.931190] Read of size 1 at addr fff00000c85ecd7f by task kunit_try_catch/170 [ 31.931701] [ 31.931737] CPU: 1 UID: 0 PID: 170 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 31.931991] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.932090] Hardware name: linux,dummy-virt (DT) [ 31.932123] Call trace: [ 31.932145] show_stack+0x20/0x38 (C) [ 31.932199] dump_stack_lvl+0x8c/0xd0 [ 31.932244] print_report+0x118/0x5e8 [ 31.932288] kasan_report+0xdc/0x128 [ 31.932378] __asan_report_load1_noabort+0x20/0x30 [ 31.932428] kmalloc_oob_left+0x2ec/0x320 [ 31.932474] kunit_try_run_case+0x170/0x3f0 [ 31.932817] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.932928] kthread+0x328/0x630 [ 31.933331] ret_from_fork+0x10/0x20 [ 31.933466] [ 31.933579] Allocated by task 104: [ 31.933611] kasan_save_stack+0x3c/0x68 [ 31.934009] kasan_save_track+0x20/0x40 [ 31.934198] kasan_save_alloc_info+0x40/0x58 [ 31.934245] __kasan_kmalloc+0xd4/0xd8 [ 31.934585] __kmalloc_node_track_caller_noprof+0x194/0x4b8 [ 31.934873] kvasprintf+0xe0/0x180 [ 31.935031] kasprintf+0xd0/0x110 [ 31.935064] miscdev_test_can_open+0xac/0x2c8 [ 31.935493] miscdev_test_collision_reverse+0x3b8/0x650 [ 31.935548] kunit_try_run_case+0x170/0x3f0 [ 31.935587] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.935800] kthread+0x328/0x630 [ 31.936273] ret_from_fork+0x10/0x20 [ 31.936359] [ 31.936595] Freed by task 3361656128: [ 31.937449] ------------[ cut here ]------------ [ 31.938139] pool index -1 out of bounds (219) for stack id fff00000 [ 31.942816] WARNING: lib/stackdepot.c:500 at depot_fetch_stack+0x68/0x88, CPU#1: kunit_try_catch/170 [ 32.010018] Modules linked in: [ 32.011514] CPU: 1 UID: 0 PID: 170 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 32.012929] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.013611] Hardware name: linux,dummy-virt (DT) [ 32.014432] pstate: 614000c9 (nZCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 32.015580] pc : depot_fetch_stack+0x68/0x88 [ 32.016338] lr : depot_fetch_stack+0x68/0x88 [ 32.016573] sp : ffff800080b57a50 [ 32.016776] x29: ffff800080b57a50 x28: ffff800080087b08 x27: 1ffff00010010f61 [ 32.017325] x26: 1ffff00010010f60 x25: ffff800080087b00 x24: ffff9501e9f78254 [ 32.018026] x23: ffffc1ffc3217b00 x22: ffff9501eeab1208 x21: ffff9501eeab4568 [ 32.019282] x20: fff00000c85ecd7f x19: ffff800080b57b60 x18: 00000000511e29a0 [ 32.020368] x17: 000000005ff4b93d x16: 00000000f1f1f1f1 x15: 0000000000000007 [ 32.021323] x14: 0000000000000000 x13: 0000000000000007 x12: ffff70001016aea7 [ 32.022346] x11: 1ffff0001016aea6 x10: ffff70001016aea6 x9 : ffff9501e98f123c [ 32.023493] x8 : ffff800080b57537 x7 : 0000000000000001 x6 : ffff70001016aea6 [ 32.024483] x5 : ffff800080b57530 x4 : 1ffe000019357a21 x3 : dfff800000000000 [ 32.025493] x2 : 0000000000000000 x1 : 0000000000000000 x0 : fff00000c9abd100 [ 32.026522] Call trace: [ 32.027024] depot_fetch_stack+0x68/0x88 (P) [ 32.027742] stack_depot_print+0x24/0x60 [ 32.028302] print_report+0x5e4/0x5e8 [ 32.028510] kasan_report+0xdc/0x128 [ 32.028716] __asan_report_load1_noabort+0x20/0x30 [ 32.028940] kmalloc_oob_left+0x2ec/0x320 [ 32.029136] kunit_try_run_case+0x170/0x3f0 [ 32.029336] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.029577] kthread+0x328/0x630 [ 32.029940] ret_from_fork+0x10/0x20 [ 32.030395] ---[ end trace 0000000000000000 ]--- [ 32.031574] ------------[ cut here ]------------ [ 32.031627] corrupt handle or use after stack_depot_put() [ 32.031739] WARNING: lib/stackdepot.c:772 at stack_depot_print+0x54/0x60, CPU#1: kunit_try_catch/170 [ 32.033520] Modules linked in: [ 32.033889] CPU: 1 UID: 0 PID: 170 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 32.034911] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 32.035604] Hardware name: linux,dummy-virt (DT) [ 32.036104] pstate: 614000c9 (nZCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 32.036783] pc : stack_depot_print+0x54/0x60 [ 32.037227] lr : stack_depot_print+0x54/0x60 [ 32.037430] sp : ffff800080b57a60 [ 32.037589] x29: ffff800080b57a60 x28: ffff800080087b08 x27: 1ffff00010010f61 [ 32.037948] x26: 1ffff00010010f60 x25: ffff800080087b00 x24: ffff9501e9f78254 [ 32.038290] x23: ffffc1ffc3217b00 x22: ffff9501eeab1208 x21: ffff9501eeab4568 [ 32.038628] x20: fff00000c85ecd7f x19: ffff800080b57b60 x18: 00000000511e29a0 [ 32.039518] x17: 000000005ff4b93d x16: 00000000f1f1f1f1 x15: 00000000f3f3f3f3 [ 32.040063] x14: ffff70001016af2c x13: 1ffe000019357a21 x12: ffff72a03e117255 [ 32.040406] x11: 1ffff2a03e117254 x10: ffff72a03e117254 x9 : ffff9501e98f123c [ 32.040764] x8 : ffff9501f08b92a3 x7 : 0000000000000001 x6 : ffff72a03e117254 [ 32.041203] x5 : ffff9501f08b92a0 x4 : 1ffe000019357a21 x3 : dfff800000000000 [ 32.041603] x2 : 0000000000000000 x1 : 0000000000000000 x0 : fff00000c9abd100 [ 32.042011] Call trace: [ 32.042180] stack_depot_print+0x54/0x60 (P) [ 32.042420] print_report+0x5e4/0x5e8 [ 32.042666] kasan_report+0xdc/0x128 [ 32.042903] __asan_report_load1_noabort+0x20/0x30 [ 32.043157] kmalloc_oob_left+0x2ec/0x320 [ 32.043411] kunit_try_run_case+0x170/0x3f0 [ 32.043678] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.043968] kthread+0x328/0x630 [ 32.044186] ret_from_fork+0x10/0x20 [ 32.044423] ---[ end trace 0000000000000000 ]--- [ 32.044693] [ 32.044723] The buggy address belongs to the object at fff00000c85ecd60 [ 32.044723] which belongs to the cache kmalloc-16 of size 16 [ 32.044780] The buggy address is located 15 bytes to the right of [ 32.044780] allocated 16-byte region [fff00000c85ecd60, fff00000c85ecd70) [ 32.044841] [ 32.044864] The buggy address belongs to the physical page: [ 32.044903] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1085ec [ 32.044956] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.045005] page_type: f5(slab) [ 32.045045] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122 [ 32.045093] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 32.045131] page dumped because: kasan: bad access detected [ 32.045161] [ 32.045178] Memory state around the buggy address: [ 32.045212] fff00000c85ecc00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 32.045255] fff00000c85ecc80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 32.045296] >fff00000c85ecd00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 32.045332] ^ [ 32.045372] fff00000c85ecd80: 00 07 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 32.045411] fff00000c85ece00: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc [ 32.045449] ==================================================================
[ 25.022494] ================================================================== [ 25.022926] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x361/0x3c0 [ 25.024059] Read of size 1 at addr ffff888105f9f15f by task kunit_try_catch/187 [ 25.025254] [ 25.025654] CPU: 1 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary) [ 25.025711] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.025724] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.025746] Call Trace: [ 25.025760] <TASK> [ 25.025778] dump_stack_lvl+0x73/0xb0 [ 25.025823] print_report+0xd1/0x640 [ 25.025847] ? __virt_addr_valid+0x1db/0x2d0 [ 25.025871] ? kmalloc_oob_left+0x361/0x3c0 [ 25.025892] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.025918] ? kmalloc_oob_left+0x361/0x3c0 [ 25.025940] kasan_report+0x141/0x180 [ 25.025975] ? kmalloc_oob_left+0x361/0x3c0 [ 25.026001] __asan_report_load1_noabort+0x18/0x20 [ 25.026026] kmalloc_oob_left+0x361/0x3c0 [ 25.026048] ? __pfx_kmalloc_oob_left+0x10/0x10 [ 25.026083] ? __schedule+0x10da/0x2b60 [ 25.026104] ? __pfx_read_tsc+0x10/0x10 [ 25.026126] ? ktime_get_ts64+0x86/0x230 [ 25.026152] kunit_try_run_case+0x1a5/0x480 [ 25.026178] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.026203] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.026225] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.026251] ? __kthread_parkme+0x82/0x180 [ 25.026273] ? preempt_count_sub+0x50/0x80 [ 25.026297] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.026322] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.026346] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.026370] kthread+0x337/0x6f0 [ 25.026390] ? trace_preempt_on+0x20/0xc0 [ 25.026414] ? __pfx_kthread+0x10/0x10 [ 25.026435] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.026459] ? calculate_sigpending+0x7b/0xa0 [ 25.026482] ? __pfx_kthread+0x10/0x10 [ 25.026504] ret_from_fork+0x116/0x1d0 [ 25.026523] ? __pfx_kthread+0x10/0x10 [ 25.026544] ret_from_fork_asm+0x1a/0x30 [ 25.026575] </TASK> [ 25.026587] [ 25.040180] Allocated by task 21: [ 25.040599] kasan_save_stack+0x45/0x70 [ 25.041102] kasan_save_track+0x18/0x40 [ 25.041552] kasan_save_alloc_info+0x3b/0x50 [ 25.042041] __kasan_kmalloc+0xb7/0xc0 [ 25.042466] __kmalloc_cache_node_noprof+0x188/0x420 [ 25.042956] build_sched_domains+0x38c/0x5d80 [ 25.043352] partition_sched_domains+0x471/0x9c0 [ 25.043723] rebuild_sched_domains_locked+0x97d/0xd50 [ 25.044386] cpuset_update_active_cpus+0x80f/0x1a90 [ 25.044967] sched_cpu_activate+0x2bf/0x330 [ 25.045309] cpuhp_invoke_callback+0x2a1/0xf00 [ 25.045734] cpuhp_thread_fun+0x2ce/0x5c0 [ 25.046167] smpboot_thread_fn+0x2bc/0x730 [ 25.046429] kthread+0x337/0x6f0 [ 25.046766] ret_from_fork+0x116/0x1d0 [ 25.047210] ret_from_fork_asm+0x1a/0x30 [ 25.047352] [ 25.047441] Freed by task 21: [ 25.047564] kasan_save_stack+0x45/0x70 [ 25.047698] kasan_save_track+0x18/0x40 [ 25.047827] kasan_save_free_info+0x3f/0x60 [ 25.047986] __kasan_slab_free+0x5e/0x80 [ 25.048475] kfree+0x222/0x3f0 [ 25.048741] build_sched_domains+0x2072/0x5d80 [ 25.049375] partition_sched_domains+0x471/0x9c0 [ 25.049919] rebuild_sched_domains_locked+0x97d/0xd50 [ 25.050458] cpuset_update_active_cpus+0x80f/0x1a90 [ 25.050642] sched_cpu_activate+0x2bf/0x330 [ 25.051046] cpuhp_invoke_callback+0x2a1/0xf00 [ 25.051765] cpuhp_thread_fun+0x2ce/0x5c0 [ 25.052373] smpboot_thread_fn+0x2bc/0x730 [ 25.052934] kthread+0x337/0x6f0 [ 25.053503] ret_from_fork+0x116/0x1d0 [ 25.054061] ret_from_fork_asm+0x1a/0x30 [ 25.054523] [ 25.054886] The buggy address belongs to the object at ffff888105f9f140 [ 25.054886] which belongs to the cache kmalloc-16 of size 16 [ 25.055745] The buggy address is located 15 bytes to the right of [ 25.055745] allocated 16-byte region [ffff888105f9f140, ffff888105f9f150) [ 25.057500] [ 25.057812] The buggy address belongs to the physical page: [ 25.058476] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105f9f [ 25.058738] flags: 0x200000000000000(node=0|zone=2) [ 25.059542] page_type: f5(slab) [ 25.060058] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122 [ 25.061088] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.061619] page dumped because: kasan: bad access detected [ 25.061977] [ 25.062340] Memory state around the buggy address: [ 25.063018] ffff888105f9f000: 00 06 fc fc 00 06 fc fc 00 06 fc fc fa fb fc fc [ 25.063874] ffff888105f9f080: fa fb fc fc 00 00 fc fc fa fb fc fc fa fb fc fc [ 25.064579] >ffff888105f9f100: fa fb fc fc fa fb fc fc fa fb fc fc 00 07 fc fc [ 25.065103] ^ [ 25.065818] ffff888105f9f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.066771] ffff888105f9f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.067303] ==================================================================