Date: April 22, 2025, 11:09 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| rk3399-rock-pi-4b |
qemu-arm64 (linux,dummy-virt) log:

```text
[ 17.657461] ==================================================================
[ 17.657594] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 17.657705] Read of size 1 at addr fff00000c4714800 by task kunit_try_catch/166
[ 17.657813]
[ 17.657883] CPU: 1 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 17.658060] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.658121] Hardware name: linux,dummy-virt (DT)
[ 17.658191] Call trace:
[ 17.658239] show_stack+0x20/0x38 (C)
[ 17.658344] dump_stack_lvl+0x8c/0xd0
[ 17.658445] print_report+0x118/0x608
[ 17.658559] kasan_report+0xdc/0x128
[ 17.658644] __asan_report_load1_noabort+0x20/0x30
[ 17.658774] krealloc_uaf+0x4c8/0x520
[ 17.658881] kunit_try_run_case+0x170/0x3f0
[ 17.658974] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.659080] kthread+0x328/0x630
[ 17.659174] ret_from_fork+0x10/0x20
[ 17.659302]
[ 17.659344] Allocated by task 166:
[ 17.659407] kasan_save_stack+0x3c/0x68
[ 17.659491] kasan_save_track+0x20/0x40
[ 17.659640] kasan_save_alloc_info+0x40/0x58
[ 17.659869] __kasan_kmalloc+0xd4/0xd8
[ 17.659940] __kmalloc_cache_noprof+0x15c/0x3c0
[ 17.660630] krealloc_uaf+0xc8/0x520
[ 17.660807] kunit_try_run_case+0x170/0x3f0
[ 17.660906] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.661113] kthread+0x328/0x630
[ 17.662748] ret_from_fork+0x10/0x20
[ 17.663052]
[ 17.663115] Freed by task 166:
[ 17.663186] kasan_save_stack+0x3c/0x68
[ 17.663325] kasan_save_track+0x20/0x40
[ 17.663401] kasan_save_free_info+0x4c/0x78
[ 17.663478] __kasan_slab_free+0x6c/0x98
[ 17.663528] kfree+0x214/0x3c8
[ 17.663608] krealloc_uaf+0x12c/0x520
[ 17.663652] kunit_try_run_case+0x170/0x3f0
[ 17.663690] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.663732] kthread+0x328/0x630
[ 17.663779] ret_from_fork+0x10/0x20
[ 17.663846]
[ 17.663885] The buggy address belongs to the object at fff00000c4714800
[ 17.663885] which belongs to the cache kmalloc-256 of size 256
[ 17.664016] The buggy address is located 0 bytes inside of
[ 17.664016] freed 256-byte region [fff00000c4714800, fff00000c4714900)
[ 17.664208]
[ 17.664255] The buggy address belongs to the physical page:
[ 17.664327] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104714
[ 17.664469] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 17.664620] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 17.664780] page_type: f5(slab)
[ 17.664883] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 17.664976] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.665066] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 17.665165] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.665313] head: 0bfffe0000000001 ffffc1ffc311c501 00000000ffffffff 00000000ffffffff
[ 17.665423] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 17.665527] page dumped because: kasan: bad access detected
[ 17.665613]
[ 17.665655] Memory state around the buggy address:
[ 17.665752] fff00000c4714700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.665882] fff00000c4714780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.665989] >fff00000c4714800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.666082] ^
[ 17.666174] fff00000c4714880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.666308] fff00000c4714900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.666398] ==================================================================
[ 17.648430] ==================================================================
[ 17.648607] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 17.648744] Read of size 1 at addr fff00000c4714800 by task kunit_try_catch/166
[ 17.648883]
[ 17.648972] CPU: 1 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 17.649192] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.649262] Hardware name: linux,dummy-virt (DT)
[ 17.649325] Call trace:
[ 17.649371] show_stack+0x20/0x38 (C)
[ 17.649475] dump_stack_lvl+0x8c/0xd0
[ 17.649578] print_report+0x118/0x608
[ 17.649660] kasan_report+0xdc/0x128
[ 17.649746] __kasan_check_byte+0x54/0x70
[ 17.649841] krealloc_noprof+0x44/0x360
[ 17.649980] krealloc_uaf+0x180/0x520
[ 17.650116] kunit_try_run_case+0x170/0x3f0
[ 17.650269] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.650387] kthread+0x328/0x630
[ 17.650487] ret_from_fork+0x10/0x20
[ 17.650592]
[ 17.650630] Allocated by task 166:
[ 17.650682] kasan_save_stack+0x3c/0x68
[ 17.650756] kasan_save_track+0x20/0x40
[ 17.650831] kasan_save_alloc_info+0x40/0x58
[ 17.650910] __kasan_kmalloc+0xd4/0xd8
[ 17.650985] __kmalloc_cache_noprof+0x15c/0x3c0
[ 17.651074] krealloc_uaf+0xc8/0x520
[ 17.651152] kunit_try_run_case+0x170/0x3f0
[ 17.651251] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.651337] kthread+0x328/0x630
[ 17.651409] ret_from_fork+0x10/0x20
[ 17.651489]
[ 17.651574] Freed by task 166:
[ 17.651629] kasan_save_stack+0x3c/0x68
[ 17.651707] kasan_save_track+0x20/0x40
[ 17.651794] kasan_save_free_info+0x4c/0x78
[ 17.651870] __kasan_slab_free+0x6c/0x98
[ 17.651965] kfree+0x214/0x3c8
[ 17.652056] krealloc_uaf+0x12c/0x520
[ 17.652161] kunit_try_run_case+0x170/0x3f0
[ 17.652244] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.652340] kthread+0x328/0x630
[ 17.652417] ret_from_fork+0x10/0x20
[ 17.652491]
[ 17.652539] The buggy address belongs to the object at fff00000c4714800
[ 17.652539] which belongs to the cache kmalloc-256 of size 256
[ 17.652720] The buggy address is located 0 bytes inside of
[ 17.652720] freed 256-byte region [fff00000c4714800, fff00000c4714900)
[ 17.652849]
[ 17.652886] The buggy address belongs to the physical page:
[ 17.652947] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104714
[ 17.653056] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 17.653162] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 17.653281] page_type: f5(slab)
[ 17.653401] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 17.653561] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.653702] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 17.653815] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.653921] head: 0bfffe0000000001 ffffc1ffc311c501 00000000ffffffff 00000000ffffffff
[ 17.654039] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 17.654165] page dumped because: kasan: bad access detected
[ 17.654233]
[ 17.654280] Memory state around the buggy address:
[ 17.654367] fff00000c4714700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.654460] fff00000c4714780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.654554] >fff00000c4714800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.654634] ^
[ 17.654738] fff00000c4714880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.654870] fff00000c4714900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.654993] ==================================================================
```
qemu-x86_64 (QEMU Standard PC) log:

```text
[ 17.849087] ==================================================================
[ 17.850560] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 17.851076] Read of size 1 at addr ffff888100341600 by task kunit_try_catch/184
[ 17.851340]
[ 17.851489] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 17.851610] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.851626] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 17.851656] Call Trace:
[ 17.851672] <TASK>
[ 17.851693] dump_stack_lvl+0x73/0xb0
[ 17.851732] print_report+0xd1/0x650
[ 17.851763] ? __virt_addr_valid+0x1db/0x2d0
[ 17.851794] ? krealloc_uaf+0x1b8/0x5e0
[ 17.851825] ? kasan_complete_mode_report_info+0x64/0x200
[ 17.851857] ? krealloc_uaf+0x1b8/0x5e0
[ 17.851889] kasan_report+0x141/0x180
[ 17.851920] ? krealloc_uaf+0x1b8/0x5e0
[ 17.851955] ? krealloc_uaf+0x1b8/0x5e0
[ 17.851987] __kasan_check_byte+0x3d/0x50
[ 17.852018] krealloc_noprof+0x3f/0x340
[ 17.852051] krealloc_uaf+0x1b8/0x5e0
[ 17.852082] ? __pfx_krealloc_uaf+0x10/0x10
[ 17.852175] ? ktime_get_ts64+0xb8/0x230
[ 17.852216] ? __pfx_read_tsc+0x10/0x10
[ 17.852245] ? ktime_get_ts64+0x86/0x230
[ 17.852279] kunit_try_run_case+0x1a5/0x480
[ 17.852315] ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.852346] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 17.852381] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 17.852413] ? __kthread_parkme+0x82/0x180
[ 17.852444] ? preempt_count_sub+0x50/0x80
[ 17.852478] ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.852664] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.853029] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 17.853142] kthread+0x337/0x6f0
[ 17.853218] ? trace_preempt_on+0x20/0xc0
[ 17.853298] ? __pfx_kthread+0x10/0x10
[ 17.853358] ? _raw_spin_unlock_irq+0x47/0x80
[ 17.853405] ? calculate_sigpending+0x7b/0xa0
[ 17.853676] ? __pfx_kthread+0x10/0x10
[ 17.853782] ret_from_fork+0x41/0x80
[ 17.853910] ? __pfx_kthread+0x10/0x10
[ 17.854014] ret_from_fork_asm+0x1a/0x30
[ 17.854105] </TASK>
[ 17.854122]
[ 17.875886] Allocated by task 184:
[ 17.876206] kasan_save_stack+0x45/0x70
[ 17.877011] kasan_save_track+0x18/0x40
[ 17.877793] kasan_save_alloc_info+0x3b/0x50
[ 17.877973] __kasan_kmalloc+0xb7/0xc0
[ 17.878126] __kmalloc_cache_noprof+0x189/0x420
[ 17.878296] krealloc_uaf+0xbb/0x5e0
[ 17.878489] kunit_try_run_case+0x1a5/0x480
[ 17.879262] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.880265] kthread+0x337/0x6f0
[ 17.880917] ret_from_fork+0x41/0x80
[ 17.881301] ret_from_fork_asm+0x1a/0x30
[ 17.881771]
[ 17.882037] Freed by task 184:
[ 17.882365] kasan_save_stack+0x45/0x70
[ 17.882963] kasan_save_track+0x18/0x40
[ 17.883292] kasan_save_free_info+0x3f/0x60
[ 17.883963] __kasan_slab_free+0x56/0x70
[ 17.884584] kfree+0x222/0x3f0
[ 17.884874] krealloc_uaf+0x13d/0x5e0
[ 17.885267] kunit_try_run_case+0x1a5/0x480
[ 17.885893] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.886829] kthread+0x337/0x6f0
[ 17.887361] ret_from_fork+0x41/0x80
[ 17.887871] ret_from_fork_asm+0x1a/0x30
[ 17.888447]
[ 17.888930] The buggy address belongs to the object at ffff888100341600
[ 17.888930] which belongs to the cache kmalloc-256 of size 256
[ 17.890890] The buggy address is located 0 bytes inside of
[ 17.890890] freed 256-byte region [ffff888100341600, ffff888100341700)
[ 17.892359]
[ 17.892610] The buggy address belongs to the physical page:
[ 17.893049] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100340
[ 17.893885] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 17.894414] flags: 0x200000000000040(head|node=0|zone=2)
[ 17.895102] page_type: f5(slab)
[ 17.895671] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 17.896347] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.897173] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 17.897939] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.898654] head: 0200000000000001 ffffea000400d001 00000000ffffffff 00000000ffffffff
[ 17.899386] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 17.900139] page dumped because: kasan: bad access detected
[ 17.900765]
[ 17.900972] Memory state around the buggy address:
[ 17.901445] ffff888100341500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.902344] ffff888100341580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.903050] >ffff888100341600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.903807] ^
[ 17.904152] ffff888100341680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.904976] ffff888100341700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.905707] ==================================================================
[ 17.907561] ==================================================================
[ 17.908345] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 17.909218] Read of size 1 at addr ffff888100341600 by task kunit_try_catch/184
[ 17.910076]
[ 17.910347] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 17.911225] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.911246] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 17.911275] Call Trace:
[ 17.911292] <TASK>
[ 17.911313] dump_stack_lvl+0x73/0xb0
[ 17.911352] print_report+0xd1/0x650
[ 17.911385] ? __virt_addr_valid+0x1db/0x2d0
[ 17.911417] ? krealloc_uaf+0x53c/0x5e0
[ 17.911544] ? kasan_complete_mode_report_info+0x64/0x200
[ 17.911619] ? krealloc_uaf+0x53c/0x5e0
[ 17.911655] kasan_report+0x141/0x180
[ 17.911687] ? krealloc_uaf+0x53c/0x5e0
[ 17.911726] __asan_report_load1_noabort+0x18/0x20
[ 17.911754] krealloc_uaf+0x53c/0x5e0
[ 17.911788] ? __pfx_krealloc_uaf+0x10/0x10
[ 17.911827] ? ktime_get_ts64+0xb8/0x230
[ 17.911862] ? __pfx_read_tsc+0x10/0x10
[ 17.911891] ? ktime_get_ts64+0x86/0x230
[ 17.911925] kunit_try_run_case+0x1a5/0x480
[ 17.911959] ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.911991] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 17.912024] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 17.912058] ? __kthread_parkme+0x82/0x180
[ 17.912088] ? preempt_count_sub+0x50/0x80
[ 17.912122] ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.912153] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.912184] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 17.912216] kthread+0x337/0x6f0
[ 17.912247] ? trace_preempt_on+0x20/0xc0
[ 17.912280] ? __pfx_kthread+0x10/0x10
[ 17.912311] ? _raw_spin_unlock_irq+0x47/0x80
[ 17.912342] ? calculate_sigpending+0x7b/0xa0
[ 17.912371] ? __pfx_kthread+0x10/0x10
[ 17.912402] ret_from_fork+0x41/0x80
[ 17.912439] ? __pfx_kthread+0x10/0x10
[ 17.912547] ret_from_fork_asm+0x1a/0x30
[ 17.912637] </TASK>
[ 17.912654]
[ 17.929673] Allocated by task 184:
[ 17.930522] kasan_save_stack+0x45/0x70
[ 17.931037] kasan_save_track+0x18/0x40
[ 17.931624] kasan_save_alloc_info+0x3b/0x50
[ 17.932051] __kasan_kmalloc+0xb7/0xc0
[ 17.932350] __kmalloc_cache_noprof+0x189/0x420
[ 17.932706] krealloc_uaf+0xbb/0x5e0
[ 17.933011] kunit_try_run_case+0x1a5/0x480
[ 17.933639] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.934143] kthread+0x337/0x6f0
[ 17.934533] ret_from_fork+0x41/0x80
[ 17.934930] ret_from_fork_asm+0x1a/0x30
[ 17.935703]
[ 17.935938] Freed by task 184:
[ 17.936250] kasan_save_stack+0x45/0x70
[ 17.936708] kasan_save_track+0x18/0x40
[ 17.937139] kasan_save_free_info+0x3f/0x60
[ 17.937884] __kasan_slab_free+0x56/0x70
[ 17.939639] kfree+0x222/0x3f0
[ 17.939963] krealloc_uaf+0x13d/0x5e0
[ 17.940329] kunit_try_run_case+0x1a5/0x480
[ 17.941113] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.941561] kthread+0x337/0x6f0
[ 17.942029] ret_from_fork+0x41/0x80
[ 17.942923] ret_from_fork_asm+0x1a/0x30
[ 17.943360]
[ 17.943891] The buggy address belongs to the object at ffff888100341600
[ 17.943891] which belongs to the cache kmalloc-256 of size 256
[ 17.945752] The buggy address is located 0 bytes inside of
[ 17.945752] freed 256-byte region [ffff888100341600, ffff888100341700)
[ 17.946567]
[ 17.947016] The buggy address belongs to the physical page:
[ 17.947436] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100340
[ 17.948478] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 17.949144] flags: 0x200000000000040(head|node=0|zone=2)
[ 17.949954] page_type: f5(slab)
[ 17.950351] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 17.951431] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.952413] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 17.953338] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.954202] head: 0200000000000001 ffffea000400d001 00000000ffffffff 00000000ffffffff
[ 17.955361] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 17.956034] page dumped because: kasan: bad access detected
[ 17.956880]
[ 17.957035] Memory state around the buggy address:
[ 17.957483] ffff888100341500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.958823] ffff888100341580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.959923] >ffff888100341600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.960495] ^
[ 17.961444] ffff888100341680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.962596] ffff888100341700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.963197] ==================================================================
```
rk3399-rock-pi-4b (Radxa ROCK Pi 4B) log:

```text
[ 19.656324] ==================================================================
[ 19.657027] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 19.657690] Read of size 1 at addr ffff00000219ce00 by task kunit_try_catch/222
[ 19.658396]
[ 19.658579] CPU: 2 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 19.658657] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.658680] Hardware name: Radxa ROCK Pi 4B (DT)
[ 19.658707] Call trace:
[ 19.658725] show_stack+0x20/0x38 (C)
[ 19.658776] dump_stack_lvl+0x8c/0xd0
[ 19.658826] print_report+0x118/0x608
[ 19.658874] kasan_report+0xdc/0x128
[ 19.658920] __asan_report_load1_noabort+0x20/0x30
[ 19.658975] krealloc_uaf+0x4c8/0x520
[ 19.659030] kunit_try_run_case+0x170/0x3f0
[ 19.659086] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.659149] kthread+0x328/0x630
[ 19.659203] ret_from_fork+0x10/0x20
[ 19.659255]
[ 19.664897] Allocated by task 222:
[ 19.665241] kasan_save_stack+0x3c/0x68
[ 19.665639] kasan_save_track+0x20/0x40
[ 19.666036] kasan_save_alloc_info+0x40/0x58
[ 19.666477] __kasan_kmalloc+0xd4/0xd8
[ 19.666867] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.667338] krealloc_uaf+0xc8/0x520
[ 19.667722] kunit_try_run_case+0x170/0x3f0
[ 19.668157] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.668714] kthread+0x328/0x630
[ 19.669066] ret_from_fork+0x10/0x20
[ 19.669442]
[ 19.669610] Freed by task 222:
[ 19.669925] kasan_save_stack+0x3c/0x68
[ 19.670324] kasan_save_track+0x20/0x40
[ 19.670721] kasan_save_free_info+0x4c/0x78
[ 19.671154] __kasan_slab_free+0x6c/0x98
[ 19.671558] kfree+0x214/0x3c8
[ 19.671892] krealloc_uaf+0x12c/0x520
[ 19.672283] kunit_try_run_case+0x170/0x3f0
[ 19.672719] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.673275] kthread+0x328/0x630
[ 19.673626] ret_from_fork+0x10/0x20
[ 19.674003]
[ 19.674172] The buggy address belongs to the object at ffff00000219ce00
[ 19.674172] which belongs to the cache kmalloc-256 of size 256
[ 19.675337] The buggy address is located 0 bytes inside of
[ 19.675337] freed 256-byte region [ffff00000219ce00, ffff00000219cf00)
[ 19.676467]
[ 19.676637] The buggy address belongs to the physical page:
[ 19.677172] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x219c
[ 19.677925] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.678657] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[ 19.679339] page_type: f5(slab)
[ 19.679675] raw: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 19.680421] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.681168] head: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 19.681922] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.682677] head: 03fffe0000000001 fffffdffc0086701 00000000ffffffff 00000000ffffffff
[ 19.683430] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 19.684168] page dumped because: kasan: bad access detected
[ 19.684704]
[ 19.684871] Memory state around the buggy address:
[ 19.685340] ffff00000219cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.686034] ffff00000219cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.686726] >ffff00000219ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.687411] ^
[ 19.687742] ffff00000219ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.688435] ffff00000219cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.689120] ==================================================================
[ 19.621634] ==================================================================
[ 19.622774] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 19.623446] Read of size 1 at addr ffff00000219ce00 by task kunit_try_catch/222
[ 19.624152]
[ 19.624336] CPU: 2 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 19.624415] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.624438] Hardware name: Radxa ROCK Pi 4B (DT)
[ 19.624465] Call trace:
[ 19.624483] show_stack+0x20/0x38 (C)
[ 19.624535] dump_stack_lvl+0x8c/0xd0
[ 19.624585] print_report+0x118/0x608
[ 19.624633] kasan_report+0xdc/0x128
[ 19.624680] __kasan_check_byte+0x54/0x70
[ 19.624728] krealloc_noprof+0x44/0x360
[ 19.624776] krealloc_uaf+0x180/0x520
[ 19.624831] kunit_try_run_case+0x170/0x3f0
[ 19.624888] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.624952] kthread+0x328/0x630
[ 19.625007] ret_from_fork+0x10/0x20
[ 19.625060]
[ 19.630985] Allocated by task 222:
[ 19.631332] kasan_save_stack+0x3c/0x68
[ 19.631733] kasan_save_track+0x20/0x40
[ 19.632130] kasan_save_alloc_info+0x40/0x58
[ 19.632571] __kasan_kmalloc+0xd4/0xd8
[ 19.632960] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.633432] krealloc_uaf+0xc8/0x520
[ 19.633816] kunit_try_run_case+0x170/0x3f0
[ 19.634254] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.634811] kthread+0x328/0x630
[ 19.635162] ret_from_fork+0x10/0x20
[ 19.635540]
[ 19.635708] Freed by task 222:
[ 19.636021] kasan_save_stack+0x3c/0x68
[ 19.636418] kasan_save_track+0x20/0x40
[ 19.636813] kasan_save_free_info+0x4c/0x78
[ 19.637247] __kasan_slab_free+0x6c/0x98
[ 19.637652] kfree+0x214/0x3c8
[ 19.637989] krealloc_uaf+0x12c/0x520
[ 19.638379] kunit_try_run_case+0x170/0x3f0
[ 19.638815] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.639372] kthread+0x328/0x630
[ 19.639723] ret_from_fork+0x10/0x20
[ 19.640100]
[ 19.640268] The buggy address belongs to the object at ffff00000219ce00
[ 19.640268] which belongs to the cache kmalloc-256 of size 256
[ 19.641433] The buggy address is located 0 bytes inside of
[ 19.641433] freed 256-byte region [ffff00000219ce00, ffff00000219cf00)
[ 19.642564]
[ 19.642734] The buggy address belongs to the physical page:
[ 19.643271] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x219c
[ 19.644025] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.644758] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[ 19.645441] page_type: f5(slab)
[ 19.645781] raw: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 19.646527] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.647275] head: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[ 19.648028] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.648783] head: 03fffe0000000001 fffffdffc0086701 00000000ffffffff 00000000ffffffff
[ 19.649536] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 19.650276] page dumped because: kasan: bad access detected
[ 19.650811]
[ 19.650979] Memory state around the buggy address:
[ 19.651449] ffff00000219cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.652142] ffff00000219cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.652835] >ffff00000219ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.653520] ^
[ 19.653852] ffff00000219ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.654545] ffff00000219cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.655231] ==================================================================
```