Date
April 20, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| rk3399-rock-pi-4b |
qemu-arm64:

```text
[ 23.117608] ==================================================================
[ 23.117777] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 23.117885] Read of size 1 at addr fff00000c6739400 by task kunit_try_catch/166
[ 23.118067]
[ 23.118155] CPU: 0 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 23.118359] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.118433] Hardware name: linux,dummy-virt (DT)
[ 23.118526] Call trace:
[ 23.118579]  show_stack+0x20/0x38 (C)
[ 23.118698]  dump_stack_lvl+0x8c/0xd0
[ 23.118804]  print_report+0x118/0x608
[ 23.118908]  kasan_report+0xdc/0x128
[ 23.119034]  __kasan_check_byte+0x54/0x70
[ 23.119142]  krealloc_noprof+0x44/0x360
[ 23.119250]  krealloc_uaf+0x180/0x520
[ 23.119361]  kunit_try_run_case+0x170/0x3f0
[ 23.119475]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.119613]  kthread+0x328/0x630
[ 23.119751]  ret_from_fork+0x10/0x20
[ 23.119885]
[ 23.119954] Allocated by task 166:
[ 23.120021]  kasan_save_stack+0x3c/0x68
[ 23.120130]  kasan_save_track+0x20/0x40
[ 23.120324]  kasan_save_alloc_info+0x40/0x58
[ 23.120504]  __kasan_kmalloc+0xd4/0xd8
[ 23.120631]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 23.120737]  krealloc_uaf+0xc8/0x520
[ 23.120827]  kunit_try_run_case+0x170/0x3f0
[ 23.120953]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.121153]  kthread+0x328/0x630
[ 23.121337]  ret_from_fork+0x10/0x20
[ 23.121433]
[ 23.121508] Freed by task 166:
[ 23.121610]  kasan_save_stack+0x3c/0x68
[ 23.121724]  kasan_save_track+0x20/0x40
[ 23.121823]  kasan_save_free_info+0x4c/0x78
[ 23.121926]  __kasan_slab_free+0x6c/0x98
[ 23.122048]  kfree+0x214/0x3c8
[ 23.122140]  krealloc_uaf+0x12c/0x520
[ 23.122236]  kunit_try_run_case+0x170/0x3f0
[ 23.122395]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.122508]  kthread+0x328/0x630
[ 23.122631]  ret_from_fork+0x10/0x20
[ 23.122912]
[ 23.123041] The buggy address belongs to the object at fff00000c6739400
[ 23.123041]  which belongs to the cache kmalloc-256 of size 256
[ 23.123245] The buggy address is located 0 bytes inside of
[ 23.123245]  freed 256-byte region [fff00000c6739400, fff00000c6739500)
[ 23.124191]
[ 23.124251] The buggy address belongs to the physical page:
[ 23.124333] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106738
[ 23.124493] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.124593] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 23.124903] page_type: f5(slab)
[ 23.125344] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 23.125553] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.126363] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 23.126489] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.126603] head: 0bfffe0000000001 ffffc1ffc319ce01 00000000ffffffff 00000000ffffffff
[ 23.126721] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.126882] page dumped because: kasan: bad access detected
[ 23.127077]
[ 23.127125] Memory state around the buggy address:
[ 23.127198]  fff00000c6739300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.127299]  fff00000c6739380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.127465] >fff00000c6739400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.127599]                    ^
[ 23.127714]  fff00000c6739480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.128073]  fff00000c6739500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.128414] ==================================================================
[ 23.133306] ==================================================================
[ 23.133405] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 23.133510] Read of size 1 at addr fff00000c6739400 by task kunit_try_catch/166
[ 23.134210]
[ 23.134298] CPU: 0 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 23.135104] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.135273] Hardware name: linux,dummy-virt (DT)
[ 23.135362] Call trace:
[ 23.135490]  show_stack+0x20/0x38 (C)
[ 23.135739]  dump_stack_lvl+0x8c/0xd0
[ 23.136048]  print_report+0x118/0x608
[ 23.136163]  kasan_report+0xdc/0x128
[ 23.136325]  __asan_report_load1_noabort+0x20/0x30
[ 23.136493]  krealloc_uaf+0x4c8/0x520
[ 23.136681]  kunit_try_run_case+0x170/0x3f0
[ 23.137039]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.137207]  kthread+0x328/0x630
[ 23.137375]  ret_from_fork+0x10/0x20
[ 23.137660]
[ 23.137789] Allocated by task 166:
[ 23.138204]  kasan_save_stack+0x3c/0x68
[ 23.138314]  kasan_save_track+0x20/0x40
[ 23.138412]  kasan_save_alloc_info+0x40/0x58
[ 23.138515]  __kasan_kmalloc+0xd4/0xd8
[ 23.138617]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 23.138731]  krealloc_uaf+0xc8/0x520
[ 23.138839]  kunit_try_run_case+0x170/0x3f0
[ 23.138966]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.139090]  kthread+0x328/0x630
[ 23.139192]  ret_from_fork+0x10/0x20
[ 23.139292]
[ 23.139342] Freed by task 166:
[ 23.139413]  kasan_save_stack+0x3c/0x68
[ 23.139515]  kasan_save_track+0x20/0x40
[ 23.139635]  kasan_save_free_info+0x4c/0x78
[ 23.139824]  __kasan_slab_free+0x6c/0x98
[ 23.139915]  kfree+0x214/0x3c8
[ 23.140027]  krealloc_uaf+0x12c/0x520
[ 23.140247]  kunit_try_run_case+0x170/0x3f0
[ 23.140381]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.140523]  kthread+0x328/0x630
[ 23.140637]  ret_from_fork+0x10/0x20
[ 23.140874]
[ 23.140986] The buggy address belongs to the object at fff00000c6739400
[ 23.140986]  which belongs to the cache kmalloc-256 of size 256
[ 23.141149] The buggy address is located 0 bytes inside of
[ 23.141149]  freed 256-byte region [fff00000c6739400, fff00000c6739500)
[ 23.141539]
[ 23.141657] The buggy address belongs to the physical page:
[ 23.141747] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106738
[ 23.141944] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.142069] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 23.142202] page_type: f5(slab)
[ 23.142305] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 23.142437] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.142572] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 23.142703] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.142837] head: 0bfffe0000000001 ffffc1ffc319ce01 00000000ffffffff 00000000ffffffff
[ 23.142989] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.143094] page dumped because: kasan: bad access detected
[ 23.143244]
[ 23.143397] Memory state around the buggy address:
[ 23.143633]  fff00000c6739300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.143765]  fff00000c6739380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.143979] >fff00000c6739400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.144205]                    ^
[ 23.144283]  fff00000c6739480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.144384]  fff00000c6739500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.144522] ==================================================================
```
qemu-x86_64:

```text
[ 11.486636] ==================================================================
[ 11.486973] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 11.487311] Read of size 1 at addr ffff888100351200 by task kunit_try_catch/184
[ 11.487630]
[ 11.487742] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 11.487785] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.487797] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.487816] Call Trace:
[ 11.487832]  <TASK>
[ 11.487849]  dump_stack_lvl+0x73/0xb0
[ 11.487874]  print_report+0xd1/0x650
[ 11.487896]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.487918]  ? krealloc_uaf+0x53c/0x5e0
[ 11.487939]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.487961]  ? krealloc_uaf+0x53c/0x5e0
[ 11.487982]  kasan_report+0x141/0x180
[ 11.488004]  ? krealloc_uaf+0x53c/0x5e0
[ 11.488031]  __asan_report_load1_noabort+0x18/0x20
[ 11.488051]  krealloc_uaf+0x53c/0x5e0
[ 11.488073]  ? __pfx_krealloc_uaf+0x10/0x10
[ 11.488093]  ? finish_task_switch.isra.0+0x153/0x700
[ 11.488116]  ? __switch_to+0x5d9/0xf60
[ 11.488135]  ? dequeue_task_fair+0x166/0x4e0
[ 11.488160]  ? __schedule+0x10cc/0x2b30
[ 11.488202]  ? __pfx_read_tsc+0x10/0x10
[ 11.488220]  ? ktime_get_ts64+0x86/0x230
[ 11.488245]  kunit_try_run_case+0x1a5/0x480
[ 11.488268]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.488289]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.488312]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.488346]  ? __kthread_parkme+0x82/0x180
[ 11.488366]  ? preempt_count_sub+0x50/0x80
[ 11.488390]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.488413]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.488435]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.488457]  kthread+0x337/0x6f0
[ 11.488477]  ? trace_preempt_on+0x20/0xc0
[ 11.488499]  ? __pfx_kthread+0x10/0x10
[ 11.488520]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.488542]  ? calculate_sigpending+0x7b/0xa0
[ 11.488563]  ? __pfx_kthread+0x10/0x10
[ 11.488585]  ret_from_fork+0x41/0x80
[ 11.488605]  ? __pfx_kthread+0x10/0x10
[ 11.488626]  ret_from_fork_asm+0x1a/0x30
[ 11.488657]  </TASK>
[ 11.488667]
[ 11.496124] Allocated by task 184:
[ 11.496311]  kasan_save_stack+0x45/0x70
[ 11.496770]  kasan_save_track+0x18/0x40
[ 11.496976]  kasan_save_alloc_info+0x3b/0x50
[ 11.497133]  __kasan_kmalloc+0xb7/0xc0
[ 11.497447]  __kmalloc_cache_noprof+0x189/0x420
[ 11.497651]  krealloc_uaf+0xbb/0x5e0
[ 11.497827]  kunit_try_run_case+0x1a5/0x480
[ 11.498013]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.498284]  kthread+0x337/0x6f0
[ 11.498435]  ret_from_fork+0x41/0x80
[ 11.498624]  ret_from_fork_asm+0x1a/0x30
[ 11.498790]
[ 11.498885] Freed by task 184:
[ 11.499040]  kasan_save_stack+0x45/0x70
[ 11.499200]  kasan_save_track+0x18/0x40
[ 11.499404]  kasan_save_free_info+0x3f/0x60
[ 11.499615]  __kasan_slab_free+0x56/0x70
[ 11.499810]  kfree+0x222/0x3f0
[ 11.499966]  krealloc_uaf+0x13d/0x5e0
[ 11.500121]  kunit_try_run_case+0x1a5/0x480
[ 11.500418]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.500709]  kthread+0x337/0x6f0
[ 11.500855]  ret_from_fork+0x41/0x80
[ 11.500986]  ret_from_fork_asm+0x1a/0x30
[ 11.501124]
[ 11.501194] The buggy address belongs to the object at ffff888100351200
[ 11.501194]  which belongs to the cache kmalloc-256 of size 256
[ 11.501557] The buggy address is located 0 bytes inside of
[ 11.501557]  freed 256-byte region [ffff888100351200, ffff888100351300)
[ 11.502079]
[ 11.502228] The buggy address belongs to the physical page:
[ 11.502494] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100350
[ 11.502840] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 11.503152] flags: 0x200000000000040(head|node=0|zone=2)
[ 11.503333] page_type: f5(slab)
[ 11.503453] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.503682] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.504032] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.504884] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.505273] head: 0200000000000001 ffffea000400d401 00000000ffffffff 00000000ffffffff
[ 11.505641] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 11.506187] page dumped because: kasan: bad access detected
[ 11.506472]
[ 11.506553] Memory state around the buggy address:
[ 11.506745]  ffff888100351100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.507048]  ffff888100351180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.507395] >ffff888100351200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.507602]                    ^
[ 11.507787]  ffff888100351280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.508100]  ffff888100351300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.508387] ==================================================================
[ 11.456246] ==================================================================
[ 11.456886] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 11.457186] Read of size 1 at addr ffff888100351200 by task kunit_try_catch/184
[ 11.457584]
[ 11.457693] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 11.457735] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.457747] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.457767] Call Trace:
[ 11.457784]  <TASK>
[ 11.457799]  dump_stack_lvl+0x73/0xb0
[ 11.457825]  print_report+0xd1/0x650
[ 11.457848]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.457870]  ? krealloc_uaf+0x1b8/0x5e0
[ 11.457890]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.457913]  ? krealloc_uaf+0x1b8/0x5e0
[ 11.457935]  kasan_report+0x141/0x180
[ 11.457957]  ? krealloc_uaf+0x1b8/0x5e0
[ 11.457981]  ? krealloc_uaf+0x1b8/0x5e0
[ 11.458003]  __kasan_check_byte+0x3d/0x50
[ 11.458025]  krealloc_noprof+0x3f/0x340
[ 11.458049]  krealloc_uaf+0x1b8/0x5e0
[ 11.458071]  ? __pfx_krealloc_uaf+0x10/0x10
[ 11.458091]  ? finish_task_switch.isra.0+0x153/0x700
[ 11.458114]  ? __switch_to+0x5d9/0xf60
[ 11.458134]  ? dequeue_task_fair+0x166/0x4e0
[ 11.458159]  ? __schedule+0x10cc/0x2b30
[ 11.458182]  ? __pfx_read_tsc+0x10/0x10
[ 11.458202]  ? ktime_get_ts64+0x86/0x230
[ 11.458252]  kunit_try_run_case+0x1a5/0x480
[ 11.458277]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.458298]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.458332]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.458355]  ? __kthread_parkme+0x82/0x180
[ 11.458377]  ? preempt_count_sub+0x50/0x80
[ 11.458418]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.458441]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.458463]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.458485]  kthread+0x337/0x6f0
[ 11.458506]  ? trace_preempt_on+0x20/0xc0
[ 11.458529]  ? __pfx_kthread+0x10/0x10
[ 11.458551]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.458572]  ? calculate_sigpending+0x7b/0xa0
[ 11.458593]  ? __pfx_kthread+0x10/0x10
[ 11.458615]  ret_from_fork+0x41/0x80
[ 11.458635]  ? __pfx_kthread+0x10/0x10
[ 11.458657]  ret_from_fork_asm+0x1a/0x30
[ 11.458689]  </TASK>
[ 11.458699]
[ 11.469187] Allocated by task 184:
[ 11.469432]  kasan_save_stack+0x45/0x70
[ 11.469610]  kasan_save_track+0x18/0x40
[ 11.469767]  kasan_save_alloc_info+0x3b/0x50
[ 11.469977]  __kasan_kmalloc+0xb7/0xc0
[ 11.470155]  __kmalloc_cache_noprof+0x189/0x420
[ 11.470443]  krealloc_uaf+0xbb/0x5e0
[ 11.470578]  kunit_try_run_case+0x1a5/0x480
[ 11.470771]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.471024]  kthread+0x337/0x6f0
[ 11.471194]  ret_from_fork+0x41/0x80
[ 11.471349]  ret_from_fork_asm+0x1a/0x30
[ 11.471543]
[ 11.471633] Freed by task 184:
[ 11.471778]  kasan_save_stack+0x45/0x70
[ 11.471950]  kasan_save_track+0x18/0x40
[ 11.472446]  kasan_save_free_info+0x3f/0x60
[ 11.472613]  __kasan_slab_free+0x56/0x70
[ 11.472797]  kfree+0x222/0x3f0
[ 11.472943]  krealloc_uaf+0x13d/0x5e0
[ 11.473112]  kunit_try_run_case+0x1a5/0x480
[ 11.473301]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.473487]  kthread+0x337/0x6f0
[ 11.473608]  ret_from_fork+0x41/0x80
[ 11.473738]  ret_from_fork_asm+0x1a/0x30
[ 11.474191]
[ 11.474619] The buggy address belongs to the object at ffff888100351200
[ 11.474619]  which belongs to the cache kmalloc-256 of size 256
[ 11.475515] The buggy address is located 0 bytes inside of
[ 11.475515]  freed 256-byte region [ffff888100351200, ffff888100351300)
[ 11.476091]
[ 11.476511] The buggy address belongs to the physical page:
[ 11.476834] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100350
[ 11.477308] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 11.477929] flags: 0x200000000000040(head|node=0|zone=2)
[ 11.478402] page_type: f5(slab)
[ 11.478828] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.479345] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.480018] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.480362] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.480879] head: 0200000000000001 ffffea000400d401 00000000ffffffff 00000000ffffffff
[ 11.481354] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 11.481907] page dumped because: kasan: bad access detected
[ 11.482353]
[ 11.482625] Memory state around the buggy address:
[ 11.482838]  ffff888100351100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.483381]  ffff888100351180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.484023] >ffff888100351200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.484562]                    ^
[ 11.484727]  ffff888100351280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.485014]  ffff888100351300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.485702] ==================================================================
```
rk3399-rock-pi-4b:

```text
[ 21.348823] ==================================================================
[ 21.349488] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 21.350105] Read of size 1 at addr ffff00000eea2400 by task kunit_try_catch/218
[ 21.350769]
[ 21.350926] CPU: 3 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 21.350960] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.350971] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.350983] Call trace:
[ 21.350992]  show_stack+0x20/0x38 (C)
[ 21.351016]  dump_stack_lvl+0x8c/0xd0
[ 21.351039]  print_report+0x118/0x608
[ 21.351060]  kasan_report+0xdc/0x128
[ 21.351080]  __asan_report_load1_noabort+0x20/0x30
[ 21.351104]  krealloc_uaf+0x4c8/0x520
[ 21.351127]  kunit_try_run_case+0x170/0x3f0
[ 21.351153]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.351181]  kthread+0x328/0x630
[ 21.351204]  ret_from_fork+0x10/0x20
[ 21.351227]
[ 21.356723] Allocated by task 218:
[ 21.357041]  kasan_save_stack+0x3c/0x68
[ 21.357402]  kasan_save_track+0x20/0x40
[ 21.357763]  kasan_save_alloc_info+0x40/0x58
[ 21.358162]  __kasan_kmalloc+0xd4/0xd8
[ 21.358515]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 21.358943]  krealloc_uaf+0xc8/0x520
[ 21.359284]  kunit_try_run_case+0x170/0x3f0
[ 21.359677]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.360188]  kthread+0x328/0x630
[ 21.360498]  ret_from_fork+0x10/0x20
[ 21.360836]
[ 21.360982] Freed by task 218:
[ 21.361266]  kasan_save_stack+0x3c/0x68
[ 21.361626]  kasan_save_track+0x20/0x40
[ 21.361986]  kasan_save_free_info+0x4c/0x78
[ 21.362378]  __kasan_slab_free+0x6c/0x98
[ 21.362745]  kfree+0x214/0x3c8
[ 21.363041]  krealloc_uaf+0x12c/0x520
[ 21.363389]  kunit_try_run_case+0x170/0x3f0
[ 21.363784]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.364294]  kthread+0x328/0x630
[ 21.364605]  ret_from_fork+0x10/0x20
[ 21.364943]
[ 21.365091] The buggy address belongs to the object at ffff00000eea2400
[ 21.365091]  which belongs to the cache kmalloc-256 of size 256
[ 21.366210] The buggy address is located 0 bytes inside of
[ 21.366210]  freed 256-byte region [ffff00000eea2400, ffff00000eea2500)
[ 21.367290]
[ 21.367438] The buggy address belongs to the physical page:
[ 21.367945] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xeea2
[ 21.368654] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 21.369347] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[ 21.369985] page_type: f5(slab)
[ 21.370285] raw: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 21.370989] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.371691] head: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 21.372400] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.373111] head: 03fffe0000000001 fffffdffc03ba881 00000000ffffffff 00000000ffffffff
[ 21.373820] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 21.374524] page dumped because: kasan: bad access detected
[ 21.375028]
[ 21.375174] Memory state around the buggy address:
[ 21.375613]  ffff00000eea2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.376267]  ffff00000eea2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.376920] >ffff00000eea2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.377571]                    ^
[ 21.377874]  ffff00000eea2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.378528]  ffff00000eea2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.379178] ==================================================================
[ 21.316303] ==================================================================
[ 21.317404] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 21.318040] Read of size 1 at addr ffff00000eea2400 by task kunit_try_catch/218
[ 21.318718]
[ 21.318883] CPU: 3 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 21.318932] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.318946] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.318963] Call trace:
[ 21.318975]  show_stack+0x20/0x38 (C)
[ 21.319008]  dump_stack_lvl+0x8c/0xd0
[ 21.319039]  print_report+0x118/0x608
[ 21.319069]  kasan_report+0xdc/0x128
[ 21.319097]  __kasan_check_byte+0x54/0x70
[ 21.319125]  krealloc_noprof+0x44/0x360
[ 21.319154]  krealloc_uaf+0x180/0x520
[ 21.319187]  kunit_try_run_case+0x170/0x3f0
[ 21.319222]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.319261]  kthread+0x328/0x630
[ 21.319294]  ret_from_fork+0x10/0x20
[ 21.319327]
[ 21.325139] Allocated by task 218:
[ 21.325465]  kasan_save_stack+0x3c/0x68
[ 21.325839]  kasan_save_track+0x20/0x40
[ 21.326210]  kasan_save_alloc_info+0x40/0x58
[ 21.326623]  __kasan_kmalloc+0xd4/0xd8
[ 21.326986]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 21.327427]  krealloc_uaf+0xc8/0x520
[ 21.327780]  kunit_try_run_case+0x170/0x3f0
[ 21.328186]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.328710]  kthread+0x328/0x630
[ 21.329033]  ret_from_fork+0x10/0x20
[ 21.329382]
[ 21.329535] Freed by task 218:
[ 21.329829]  kasan_save_stack+0x3c/0x68
[ 21.330201]  kasan_save_track+0x20/0x40
[ 21.330571]  kasan_save_free_info+0x4c/0x78
[ 21.330975]  __kasan_slab_free+0x6c/0x98
[ 21.331353]  kfree+0x214/0x3c8
[ 21.331661]  krealloc_uaf+0x12c/0x520
[ 21.332022]  kunit_try_run_case+0x170/0x3f0
[ 21.332428]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.332952]  kthread+0x328/0x630
[ 21.333274]  ret_from_fork+0x10/0x20
[ 21.333624]
[ 21.333777] The buggy address belongs to the object at ffff00000eea2400
[ 21.333777]  which belongs to the cache kmalloc-256 of size 256
[ 21.334910] The buggy address is located 0 bytes inside of
[ 21.334910]  freed 256-byte region [ffff00000eea2400, ffff00000eea2500)
[ 21.336006]
[ 21.336160] The buggy address belongs to the physical page:
[ 21.336676] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xeea2
[ 21.337400] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 21.338106] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[ 21.338762] page_type: f5(slab)
[ 21.339077] raw: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 21.339782] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.340485] head: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 21.341195] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.341905] head: 03fffe0000000001 fffffdffc03ba881 00000000ffffffff 00000000ffffffff
[ 21.342613] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 21.343317] page dumped because: kasan: bad access detected
[ 21.343822]
[ 21.343968] Memory state around the buggy address:
[ 21.344407]  ffff00000eea2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.345062]  ffff00000eea2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.345716] >ffff00000eea2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.346366]                    ^
[ 21.346669]  ffff00000eea2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.347323]  ffff00000eea2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.347975] ==================================================================
```