Hay
Date: April 20, 2025, 11:09 p.m.

Environment: x15, x86

[   52.783081] ==================================================================
[   52.794708] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x208/0x5d4
[   52.801391] Read of size 1 at addr cb2d1c00 by task kunit_try_catch/220
[   52.808044] 
[   52.809539] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   52.809570] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   52.809570] Hardware name: Generic DRA74X (Flattened Device Tree)
[   52.809600] Call trace: 
[   52.809600]  unwind_backtrace from show_stack+0x18/0x1c
[   52.809631]  show_stack from dump_stack_lvl+0x70/0x90
[   52.809661]  dump_stack_lvl from print_report+0x158/0x528
[   52.809661]  print_report from kasan_report+0xdc/0x118
[   52.809692]  kasan_report from __kasan_check_byte+0x34/0x3c
[   52.809722]  __kasan_check_byte from krealloc_noprof+0x30/0x2e4
[   52.809753]  krealloc_noprof from krealloc_uaf+0x208/0x5d4
[   52.809753]  krealloc_uaf from kunit_try_run_case+0x22c/0x5a8
[   52.809783]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   52.809814]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   52.809844]  kthread from ret_from_fork+0x14/0x20
[   52.809844] Exception stack(0xf23fbfb0 to 0xf23fbff8)
[   52.809875] bfa0:                                     00000000 00000000 00000000 00000000
[   52.809875] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   52.809906] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   52.809906] 
[   52.925720] Allocated by task 220:
[   52.929138]  kasan_save_track+0x30/0x5c
[   52.933013]  __kasan_kmalloc+0x8c/0x94
[   52.936798]  krealloc_uaf+0xd8/0x5d4
[   52.940399]  kunit_try_run_case+0x22c/0x5a8
[   52.944610]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   52.950134]  kthread+0x464/0x810
[   52.953399]  ret_from_fork+0x14/0x20
[   52.957000] 
[   52.958496] Freed by task 220:
[   52.961578]  kasan_save_track+0x30/0x5c
[   52.965454]  kasan_save_free_info+0x3c/0x48
[   52.969665]  __kasan_slab_free+0x40/0x50
[   52.973632]  kfree+0xe8/0x384
[   52.976623]  krealloc_uaf+0x180/0x5d4
[   52.980316]  kunit_try_run_case+0x22c/0x5a8
[   52.984527]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   52.990051]  kthread+0x464/0x810
[   52.993316]  ret_from_fork+0x14/0x20
[   52.996917] 
[   52.998413] The buggy address belongs to the object at cb2d1c00
[   52.998413]  which belongs to the cache kmalloc-256 of size 256
[   53.010314] The buggy address is located 0 bytes inside of
[   53.010314]  freed 256-byte region [cb2d1c00, cb2d1d00)
[   53.021057] 
[   53.022583] The buggy address belongs to the physical page:
[   53.028167] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8b2d0
[   53.035461] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   53.043151] flags: 0x40(head|zone=0)
[   53.046752] page_type: f5(slab)
[   53.049926] raw: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[   53.058074] raw: 00000000
[   53.060729] head: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[   53.068969] head: 00000000 00000001 eeb91541 ffffffff 00000000 ffffffff 00000000 ffffffff
[   53.077178] head: 00000000 00000002
[   53.080688] page dumped because: kasan: bad access detected
[   53.086303] 
[   53.087799] Memory state around the buggy address:
[   53.092620]  cb2d1b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.099212]  cb2d1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.105773] >cb2d1c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.112335]            ^
[   53.114898]  cb2d1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.121459]  cb2d1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.128051] ==================================================================
[   53.135650] ==================================================================
[   53.142944] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x580/0x5d4
[   53.149597] Read of size 1 at addr cb2d1c00 by task kunit_try_catch/220
[   53.156249] 
[   53.157745] CPU: 1 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   53.157775] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   53.157806] Hardware name: Generic DRA74X (Flattened Device Tree)
[   53.157806] Call trace: 
[   53.157806]  unwind_backtrace from show_stack+0x18/0x1c
[   53.157836]  show_stack from dump_stack_lvl+0x70/0x90
[   53.157867]  dump_stack_lvl from print_report+0x158/0x528
[   53.157897]  print_report from kasan_report+0xdc/0x118
[   53.157897]  kasan_report from krealloc_uaf+0x580/0x5d4
[   53.157928]  krealloc_uaf from kunit_try_run_case+0x22c/0x5a8
[   53.157958]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   53.157989]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   53.157989]  kthread from ret_from_fork+0x14/0x20
[   53.158020] Exception stack(0xf23fbfb0 to 0xf23fbff8)
[   53.158050] bfa0:                                     00000000 00000000 00000000 00000000
[   53.158050] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   53.158081] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   53.158081] 
[   53.262084] Allocated by task 220:
[   53.265502]  kasan_save_track+0x30/0x5c
[   53.269378]  __kasan_kmalloc+0x8c/0x94
[   53.273162]  krealloc_uaf+0xd8/0x5d4
[   53.276763]  kunit_try_run_case+0x22c/0x5a8
[   53.280975]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   53.286499]  kthread+0x464/0x810
[   53.289764]  ret_from_fork+0x14/0x20
[   53.293365] 
[   53.294860] Freed by task 220:
[   53.297943]  kasan_save_track+0x30/0x5c
[   53.301818]  kasan_save_free_info+0x3c/0x48
[   53.306030]  __kasan_slab_free+0x40/0x50
[   53.309967]  kfree+0xe8/0x384
[   53.312988]  krealloc_uaf+0x180/0x5d4
[   53.316680]  kunit_try_run_case+0x22c/0x5a8
[   53.320892]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   53.326416]  kthread+0x464/0x810
[   53.329681]  ret_from_fork+0x14/0x20
[   53.333282] 
[   53.334777] The buggy address belongs to the object at cb2d1c00
[   53.334777]  which belongs to the cache kmalloc-256 of size 256
[   53.346679] The buggy address is located 0 bytes inside of
[   53.346679]  freed 256-byte region [cb2d1c00, cb2d1d00)
[   53.357452] 
[   53.358947] The buggy address belongs to the physical page:
[   53.364562] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8b2d0
[   53.371826] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   53.379516] flags: 0x40(head|zone=0)
[   53.383117] page_type: f5(slab)
[   53.386291] raw: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[   53.394439] raw: 00000000
[   53.397094] head: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[   53.405334] head: 00000000 00000001 eeb91541 ffffffff 00000000 ffffffff 00000000 ffffffff
[   53.413543] head: 00000000 00000002
[   53.417053] page dumped because: kasan: bad access detected
[   53.422668] 
[   53.424163] Memory state around the buggy address:
[   53.428985]  cb2d1b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.435577]  cb2d1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.442138] >cb2d1c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.448699]            ^
[   53.451263]  cb2d1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.457824]  cb2d1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.464385] ==================================================================

[   22.744141] ==================================================================
[   22.755745] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   22.762363] Read of size 1 at addr ffff8881038cac00 by task kunit_try_catch/207
[   22.769687] 
[   22.771221] CPU: 3 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   22.771229] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.771231] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   22.771234] Call Trace:
[   22.771236]  <TASK>
[   22.771237]  dump_stack_lvl+0x73/0xb0
[   22.771241]  print_report+0xd1/0x650
[   22.771245]  ? __virt_addr_valid+0x1db/0x2d0
[   22.771249]  ? krealloc_uaf+0x1b8/0x5e0
[   22.771253]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.771257]  ? krealloc_uaf+0x1b8/0x5e0
[   22.771261]  kasan_report+0x141/0x180
[   22.771265]  ? krealloc_uaf+0x1b8/0x5e0
[   22.771269]  ? krealloc_uaf+0x1b8/0x5e0
[   22.771274]  __kasan_check_byte+0x3d/0x50
[   22.771278]  krealloc_noprof+0x3f/0x340
[   22.771282]  krealloc_uaf+0x1b8/0x5e0
[   22.771286]  ? __pfx_krealloc_uaf+0x10/0x10
[   22.771290]  ? finish_task_switch.isra.0+0x153/0x700
[   22.771294]  ? __switch_to+0x5d9/0xf60
[   22.771298]  ? dequeue_task_fair+0x166/0x4e0
[   22.771302]  ? __schedule+0x10cc/0x2b30
[   22.771306]  ? ktime_get_ts64+0x83/0x230
[   22.771311]  kunit_try_run_case+0x1a2/0x480
[   22.771315]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.771319]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.771324]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.771328]  ? __kthread_parkme+0x82/0x180
[   22.771332]  ? preempt_count_sub+0x50/0x80
[   22.771337]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.771341]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   22.771345]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.771349]  kthread+0x334/0x6f0
[   22.771353]  ? trace_preempt_on+0x20/0xc0
[   22.771357]  ? __pfx_kthread+0x10/0x10
[   22.771361]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.771365]  ? calculate_sigpending+0x7b/0xa0
[   22.771369]  ? __pfx_kthread+0x10/0x10
[   22.771373]  ret_from_fork+0x3e/0x80
[   22.771377]  ? __pfx_kthread+0x10/0x10
[   22.771381]  ret_from_fork_asm+0x1a/0x30
[   22.771387]  </TASK>
[   22.771388] 
[   22.951937] Allocated by task 207:
[   22.955343]  kasan_save_stack+0x45/0x70
[   22.959183]  kasan_save_track+0x18/0x40
[   22.963021]  kasan_save_alloc_info+0x3b/0x50
[   22.967294]  __kasan_kmalloc+0xb7/0xc0
[   22.971045]  __kmalloc_cache_noprof+0x189/0x420
[   22.975579]  krealloc_uaf+0xbb/0x5e0
[   22.979159]  kunit_try_run_case+0x1a2/0x480
[   22.983353]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   22.988758]  kthread+0x334/0x6f0
[   22.992019]  ret_from_fork+0x3e/0x80
[   22.995599]  ret_from_fork_asm+0x1a/0x30
[   22.999531] 
[   23.001031] Freed by task 207:
[   23.004093]  kasan_save_stack+0x45/0x70
[   23.007931]  kasan_save_track+0x18/0x40
[   23.011770]  kasan_save_free_info+0x3f/0x60
[   23.015956]  __kasan_slab_free+0x56/0x70
[   23.019879]  kfree+0x222/0x3f0
[   23.022940]  krealloc_uaf+0x13d/0x5e0
[   23.026605]  kunit_try_run_case+0x1a2/0x480
[   23.030792]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   23.036191]  kthread+0x334/0x6f0
[   23.039424]  ret_from_fork+0x3e/0x80
[   23.043004]  ret_from_fork_asm+0x1a/0x30
[   23.046938] 
[   23.048435] The buggy address belongs to the object at ffff8881038cac00
[   23.048435]  which belongs to the cache kmalloc-256 of size 256
[   23.060941] The buggy address is located 0 bytes inside of
[   23.060941]  freed 256-byte region [ffff8881038cac00, ffff8881038cad00)
[   23.073023] 
[   23.074521] The buggy address belongs to the physical page:
[   23.080094] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038ca
[   23.088103] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   23.095762] flags: 0x200000000000040(head|node=0|zone=2)
[   23.101074] page_type: f5(slab)
[   23.104221] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   23.111960] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.119702] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   23.127553] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.135385] head: 0200000000000001 ffffea00040e3281 00000000ffffffff 00000000ffffffff
[   23.143212] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   23.151046] page dumped because: kasan: bad access detected
[   23.156617] 
[   23.158116] Memory state around the buggy address:
[   23.162909]  ffff8881038cab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.170127]  ffff8881038cab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.177347] >ffff8881038cac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.184567]                    ^
[   23.187799]  ffff8881038cac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.195017]  ffff8881038cad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.202238] ==================================================================
[   23.209478] ==================================================================
[   23.216708] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   23.223346] Read of size 1 at addr ffff8881038cac00 by task kunit_try_catch/207
[   23.230652] 
[   23.232154] CPU: 3 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   23.232162] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.232164] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   23.232167] Call Trace:
[   23.232169]  <TASK>
[   23.232170]  dump_stack_lvl+0x73/0xb0
[   23.232174]  print_report+0xd1/0x650
[   23.232178]  ? __virt_addr_valid+0x1db/0x2d0
[   23.232181]  ? krealloc_uaf+0x53c/0x5e0
[   23.232185]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.232189]  ? krealloc_uaf+0x53c/0x5e0
[   23.232193]  kasan_report+0x141/0x180
[   23.232197]  ? krealloc_uaf+0x53c/0x5e0
[   23.232202]  __asan_report_load1_noabort+0x18/0x20
[   23.232206]  krealloc_uaf+0x53c/0x5e0
[   23.232210]  ? __pfx_krealloc_uaf+0x10/0x10
[   23.232214]  ? finish_task_switch.isra.0+0x153/0x700
[   23.232218]  ? __switch_to+0x5d9/0xf60
[   23.232222]  ? dequeue_task_fair+0x166/0x4e0
[   23.232226]  ? __schedule+0x10cc/0x2b30
[   23.232231]  ? ktime_get_ts64+0x83/0x230
[   23.232235]  kunit_try_run_case+0x1a2/0x480
[   23.232240]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.232244]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.232248]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.232252]  ? __kthread_parkme+0x82/0x180
[   23.232256]  ? preempt_count_sub+0x50/0x80
[   23.232261]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.232265]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   23.232269]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.232273]  kthread+0x334/0x6f0
[   23.232277]  ? trace_preempt_on+0x20/0xc0
[   23.232281]  ? __pfx_kthread+0x10/0x10
[   23.232285]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.232289]  ? calculate_sigpending+0x7b/0xa0
[   23.232293]  ? __pfx_kthread+0x10/0x10
[   23.232297]  ret_from_fork+0x3e/0x80
[   23.232301]  ? __pfx_kthread+0x10/0x10
[   23.232305]  ret_from_fork_asm+0x1a/0x30
[   23.232311]  </TASK>
[   23.232312] 
[   23.405930] Allocated by task 207:
[   23.409334]  kasan_save_stack+0x45/0x70
[   23.413174]  kasan_save_track+0x18/0x40
[   23.417013]  kasan_save_alloc_info+0x3b/0x50
[   23.421286]  __kasan_kmalloc+0xb7/0xc0
[   23.425037]  __kmalloc_cache_noprof+0x189/0x420
[   23.429571]  krealloc_uaf+0xbb/0x5e0
[   23.433148]  kunit_try_run_case+0x1a2/0x480
[   23.437334]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   23.442733]  kthread+0x334/0x6f0
[   23.445966]  ret_from_fork+0x3e/0x80
[   23.449547]  ret_from_fork_asm+0x1a/0x30
[   23.453481] 
[   23.454979] Freed by task 207:
[   23.458038]  kasan_save_stack+0x45/0x70
[   23.461879]  kasan_save_track+0x18/0x40
[   23.465741]  kasan_save_free_info+0x3f/0x60
[   23.469928]  __kasan_slab_free+0x56/0x70
[   23.473856]  kfree+0x222/0x3f0
[   23.476913]  krealloc_uaf+0x13d/0x5e0
[   23.480578]  kunit_try_run_case+0x1a2/0x480
[   23.484767]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   23.490174]  kthread+0x334/0x6f0
[   23.493405]  ret_from_fork+0x3e/0x80
[   23.496984]  ret_from_fork_asm+0x1a/0x30
[   23.500910] 
[   23.502410] The buggy address belongs to the object at ffff8881038cac00
[   23.502410]  which belongs to the cache kmalloc-256 of size 256
[   23.514923] The buggy address is located 0 bytes inside of
[   23.514923]  freed 256-byte region [ffff8881038cac00, ffff8881038cad00)
[   23.527004] 
[   23.528505] The buggy address belongs to the physical page:
[   23.534077] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1038ca
[   23.542083] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   23.549737] flags: 0x200000000000040(head|node=0|zone=2)
[   23.555048] page_type: f5(slab)
[   23.558197] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   23.565944] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.573743] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   23.581576] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.589404] head: 0200000000000001 ffffea00040e3281 00000000ffffffff 00000000ffffffff
[   23.597236] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   23.605063] page dumped because: kasan: bad access detected
[   23.610634] 
[   23.612132] Memory state around the buggy address:
[   23.616927]  ffff8881038cab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.624145]  ffff8881038cab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.631364] >ffff8881038cac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.638582]                    ^
[   23.641816]  ffff8881038cac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.649034]  ffff8881038cad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.656254] ==================================================================