Hay
Date
June 8, 2025, 11:09 p.m.

Environment
e850-96
qemu-arm64
qemu-x86_64
rk3399-rock-pi-4b

[   25.780418] ==================================================================
[   25.790430] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   25.797025] Read of size 1 at addr ffff0008032a0a00 by task kunit_try_catch/211
[   25.804316] 
[   25.805802] CPU: 5 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   25.805856] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.805870] Hardware name: WinLink E850-96 board (DT)
[   25.805891] Call trace:
[   25.805905]  show_stack+0x20/0x38 (C)
[   25.805940]  dump_stack_lvl+0x8c/0xd0
[   25.805979]  print_report+0x118/0x608
[   25.806013]  kasan_report+0xdc/0x128
[   25.806046]  __kasan_check_byte+0x54/0x70
[   25.806076]  krealloc_noprof+0x44/0x360
[   25.806110]  krealloc_uaf+0x180/0x520
[   25.806138]  kunit_try_run_case+0x170/0x3f0
[   25.806175]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.806213]  kthread+0x328/0x630
[   25.806241]  ret_from_fork+0x10/0x20
[   25.806274] 
[   25.871155] Allocated by task 211:
[   25.874544]  kasan_save_stack+0x3c/0x68
[   25.878361]  kasan_save_track+0x20/0x40
[   25.882179]  kasan_save_alloc_info+0x40/0x58
[   25.886433]  __kasan_kmalloc+0xd4/0xd8
[   25.890165]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.894679]  krealloc_uaf+0xc8/0x520
[   25.898238]  kunit_try_run_case+0x170/0x3f0
[   25.902404]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.907874]  kthread+0x328/0x630
[   25.911085]  ret_from_fork+0x10/0x20
[   25.914644] 
[   25.916121] Freed by task 211:
[   25.919158]  kasan_save_stack+0x3c/0x68
[   25.922977]  kasan_save_track+0x20/0x40
[   25.926798]  kasan_save_free_info+0x4c/0x78
[   25.930963]  __kasan_slab_free+0x6c/0x98
[   25.934869]  kfree+0x214/0x3c8
[   25.937907]  krealloc_uaf+0x12c/0x520
[   25.941553]  kunit_try_run_case+0x170/0x3f0
[   25.945719]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.951188]  kthread+0x328/0x630
[   25.954400]  ret_from_fork+0x10/0x20
[   25.957959] 
[   25.959436] The buggy address belongs to the object at ffff0008032a0a00
[   25.959436]  which belongs to the cache kmalloc-256 of size 256
[   25.971938] The buggy address is located 0 bytes inside of
[   25.971938]  freed 256-byte region [ffff0008032a0a00, ffff0008032a0b00)
[   25.984000] 
[   25.985478] The buggy address belongs to the physical page:
[   25.991035] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8832a0
[   25.999021] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   26.006658] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   26.013602] page_type: f5(slab)
[   26.016738] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.024458] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.032186] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.039996] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.047809] head: 0bfffe0000000002 fffffdffe00ca801 00000000ffffffff 00000000ffffffff
[   26.055621] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   26.063426] page dumped because: kasan: bad access detected
[   26.068982] 
[   26.070457] Memory state around the buggy address:
[   26.075240]  ffff0008032a0900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.082440]  ffff0008032a0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.089645] >ffff0008032a0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.096846]                    ^
[   26.100061]  ffff0008032a0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.107266]  ffff0008032a0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.114470] ==================================================================
[   26.121781] ==================================================================
[   26.128884] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   26.135476] Read of size 1 at addr ffff0008032a0a00 by task kunit_try_catch/211
[   26.142765] 
[   26.144250] CPU: 5 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   26.144300] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.144315] Hardware name: WinLink E850-96 board (DT)
[   26.144336] Call trace:
[   26.144351]  show_stack+0x20/0x38 (C)
[   26.144381]  dump_stack_lvl+0x8c/0xd0
[   26.144417]  print_report+0x118/0x608
[   26.144449]  kasan_report+0xdc/0x128
[   26.144482]  __asan_report_load1_noabort+0x20/0x30
[   26.144518]  krealloc_uaf+0x4c8/0x520
[   26.144546]  kunit_try_run_case+0x170/0x3f0
[   26.144581]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.144618]  kthread+0x328/0x630
[   26.144646]  ret_from_fork+0x10/0x20
[   26.144679] 
[   26.206568] Allocated by task 211:
[   26.209952]  kasan_save_stack+0x3c/0x68
[   26.213773]  kasan_save_track+0x20/0x40
[   26.217591]  kasan_save_alloc_info+0x40/0x58
[   26.221844]  __kasan_kmalloc+0xd4/0xd8
[   26.225577]  __kmalloc_cache_noprof+0x16c/0x3c0
[   26.230090]  krealloc_uaf+0xc8/0x520
[   26.233649]  kunit_try_run_case+0x170/0x3f0
[   26.237816]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.243285]  kthread+0x328/0x630
[   26.246496]  ret_from_fork+0x10/0x20
[   26.250055] 
[   26.251531] Freed by task 211:
[   26.254569]  kasan_save_stack+0x3c/0x68
[   26.258389]  kasan_save_track+0x20/0x40
[   26.262208]  kasan_save_free_info+0x4c/0x78
[   26.266374]  __kasan_slab_free+0x6c/0x98
[   26.270281]  kfree+0x214/0x3c8
[   26.273319]  krealloc_uaf+0x12c/0x520
[   26.276965]  kunit_try_run_case+0x170/0x3f0
[   26.281131]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.286600]  kthread+0x328/0x630
[   26.289812]  ret_from_fork+0x10/0x20
[   26.293371] 
[   26.294848] The buggy address belongs to the object at ffff0008032a0a00
[   26.294848]  which belongs to the cache kmalloc-256 of size 256
[   26.307346] The buggy address is located 0 bytes inside of
[   26.307346]  freed 256-byte region [ffff0008032a0a00, ffff0008032a0b00)
[   26.319412] 
[   26.320891] The buggy address belongs to the physical page:
[   26.326446] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8832a0
[   26.334431] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   26.342068] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   26.349012] page_type: f5(slab)
[   26.352147] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.359870] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.367596] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.375408] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.383221] head: 0bfffe0000000002 fffffdffe00ca801 00000000ffffffff 00000000ffffffff
[   26.391032] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   26.398838] page dumped because: kasan: bad access detected
[   26.404393] 
[   26.405869] Memory state around the buggy address:
[   26.410650]  ffff0008032a0900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.417851]  ffff0008032a0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.425056] >ffff0008032a0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.432258]                    ^
[   26.435473]  ffff0008032a0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.442678]  ffff0008032a0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.449879] ==================================================================

[   25.165772] ==================================================================
[   25.166900] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   25.167183] Read of size 1 at addr fff00000c178be00 by task kunit_try_catch/164
[   25.167317] 
[   25.167870] CPU: 0 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   25.168594] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.168997] Hardware name: linux,dummy-virt (DT)
[   25.169216] Call trace:
[   25.169428]  show_stack+0x20/0x38 (C)
[   25.169581]  dump_stack_lvl+0x8c/0xd0
[   25.170373]  print_report+0x118/0x608
[   25.170843]  kasan_report+0xdc/0x128
[   25.171010]  __asan_report_load1_noabort+0x20/0x30
[   25.171704]  krealloc_uaf+0x4c8/0x520
[   25.172233]  kunit_try_run_case+0x170/0x3f0
[   25.173040]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.173233]  kthread+0x328/0x630
[   25.173635]  ret_from_fork+0x10/0x20
[   25.173754] 
[   25.173799] Allocated by task 164:
[   25.173868]  kasan_save_stack+0x3c/0x68
[   25.175246]  kasan_save_track+0x20/0x40
[   25.175352]  kasan_save_alloc_info+0x40/0x58
[   25.175458]  __kasan_kmalloc+0xd4/0xd8
[   25.175583]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.175694]  krealloc_uaf+0xc8/0x520
[   25.175798]  kunit_try_run_case+0x170/0x3f0
[   25.177991]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.178123]  kthread+0x328/0x630
[   25.178225]  ret_from_fork+0x10/0x20
[   25.178393] 
[   25.178474] Freed by task 164:
[   25.178724]  kasan_save_stack+0x3c/0x68
[   25.179185]  kasan_save_track+0x20/0x40
[   25.179423]  kasan_save_free_info+0x4c/0x78
[   25.179530]  __kasan_slab_free+0x6c/0x98
[   25.179632]  kfree+0x214/0x3c8
[   25.179723]  krealloc_uaf+0x12c/0x520
[   25.180144]  kunit_try_run_case+0x170/0x3f0
[   25.180457]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.180589]  kthread+0x328/0x630
[   25.180678]  ret_from_fork+0x10/0x20
[   25.180765] 
[   25.180810] The buggy address belongs to the object at fff00000c178be00
[   25.180810]  which belongs to the cache kmalloc-256 of size 256
[   25.180962] The buggy address is located 0 bytes inside of
[   25.180962]  freed 256-byte region [fff00000c178be00, fff00000c178bf00)
[   25.181106] 
[   25.181167] The buggy address belongs to the physical page:
[   25.181323] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10178a
[   25.181505] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   25.181836] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   25.181978] page_type: f5(slab)
[   25.182073] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.182272] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.182448] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.182760] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.184122] head: 0bfffe0000000001 ffffc1ffc305e281 00000000ffffffff 00000000ffffffff
[   25.184653] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   25.184759] page dumped because: kasan: bad access detected
[   25.185101] 
[   25.185433] Memory state around the buggy address:
[   25.185549]  fff00000c178bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.185959]  fff00000c178bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.186695] >fff00000c178be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.186985]                    ^
[   25.187067]  fff00000c178be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.187245]  fff00000c178bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.187343] ==================================================================
[   25.137021] ==================================================================
[   25.137233] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   25.137438] Read of size 1 at addr fff00000c178be00 by task kunit_try_catch/164
[   25.137577] 
[   25.138288] CPU: 0 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   25.138533] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.138655] Hardware name: linux,dummy-virt (DT)
[   25.138882] Call trace:
[   25.138961]  show_stack+0x20/0x38 (C)
[   25.139110]  dump_stack_lvl+0x8c/0xd0
[   25.139258]  print_report+0x118/0x608
[   25.139813]  kasan_report+0xdc/0x128
[   25.139987]  __kasan_check_byte+0x54/0x70
[   25.140132]  krealloc_noprof+0x44/0x360
[   25.140950]  krealloc_uaf+0x180/0x520
[   25.141085]  kunit_try_run_case+0x170/0x3f0
[   25.141387]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.141530]  kthread+0x328/0x630
[   25.141664]  ret_from_fork+0x10/0x20
[   25.141803] 
[   25.141858] Allocated by task 164:
[   25.141959]  kasan_save_stack+0x3c/0x68
[   25.142067]  kasan_save_track+0x20/0x40
[   25.143258]  kasan_save_alloc_info+0x40/0x58
[   25.143420]  __kasan_kmalloc+0xd4/0xd8
[   25.143524]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.144463]  krealloc_uaf+0xc8/0x520
[   25.145921]  kunit_try_run_case+0x170/0x3f0
[   25.146093]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.146761]  kthread+0x328/0x630
[   25.146877]  ret_from_fork+0x10/0x20
[   25.147614] 
[   25.147739] Freed by task 164:
[   25.147982]  kasan_save_stack+0x3c/0x68
[   25.148329]  kasan_save_track+0x20/0x40
[   25.148723]  kasan_save_free_info+0x4c/0x78
[   25.148827]  __kasan_slab_free+0x6c/0x98
[   25.149171]  kfree+0x214/0x3c8
[   25.149371]  krealloc_uaf+0x12c/0x520
[   25.149567]  kunit_try_run_case+0x170/0x3f0
[   25.149995]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.150110]  kthread+0x328/0x630
[   25.150196]  ret_from_fork+0x10/0x20
[   25.150304] 
[   25.151505] The buggy address belongs to the object at fff00000c178be00
[   25.151505]  which belongs to the cache kmalloc-256 of size 256
[   25.151826] The buggy address is located 0 bytes inside of
[   25.151826]  freed 256-byte region [fff00000c178be00, fff00000c178bf00)
[   25.153194] 
[   25.153291] The buggy address belongs to the physical page:
[   25.153366] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10178a
[   25.153492] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   25.154693] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   25.155375] page_type: f5(slab)
[   25.155482] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.155612] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.155736] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.155853] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.159005] head: 0bfffe0000000001 ffffc1ffc305e281 00000000ffffffff 00000000ffffffff
[   25.159301] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   25.159559] page dumped because: kasan: bad access detected
[   25.160033] 
[   25.160419] Memory state around the buggy address:
[   25.160824]  fff00000c178bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.161493]  fff00000c178bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.161633] >fff00000c178be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.161992]                    ^
[   25.162183]  fff00000c178be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.162286]  fff00000c178bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.163075] ==================================================================

[   25.387598] ==================================================================
[   25.387696] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   25.387810] Read of size 1 at addr fff00000c17ed600 by task kunit_try_catch/164
[   25.391673] 
[   25.392034] CPU: 0 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   25.392574] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.392740] Hardware name: linux,dummy-virt (DT)
[   25.392861] Call trace:
[   25.392917]  show_stack+0x20/0x38 (C)
[   25.393171]  dump_stack_lvl+0x8c/0xd0
[   25.393538]  print_report+0x118/0x608
[   25.393880]  kasan_report+0xdc/0x128
[   25.394033]  __asan_report_load1_noabort+0x20/0x30
[   25.394278]  krealloc_uaf+0x4c8/0x520
[   25.394397]  kunit_try_run_case+0x170/0x3f0
[   25.394590]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.394727]  kthread+0x328/0x630
[   25.394928]  ret_from_fork+0x10/0x20
[   25.395072] 
[   25.395126] Allocated by task 164:
[   25.395203]  kasan_save_stack+0x3c/0x68
[   25.395318]  kasan_save_track+0x20/0x40
[   25.397068]  kasan_save_alloc_info+0x40/0x58
[   25.397215]  __kasan_kmalloc+0xd4/0xd8
[   25.397323]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.397429]  krealloc_uaf+0xc8/0x520
[   25.397563]  kunit_try_run_case+0x170/0x3f0
[   25.397723]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.397899]  kthread+0x328/0x630
[   25.398144]  ret_from_fork+0x10/0x20
[   25.398634] 
[   25.398719] Freed by task 164:
[   25.398787]  kasan_save_stack+0x3c/0x68
[   25.399046]  kasan_save_track+0x20/0x40
[   25.399143]  kasan_save_free_info+0x4c/0x78
[   25.399242]  __kasan_slab_free+0x6c/0x98
[   25.399331]  kfree+0x214/0x3c8
[   25.399460]  krealloc_uaf+0x12c/0x520
[   25.399623]  kunit_try_run_case+0x170/0x3f0
[   25.399723]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.399864]  kthread+0x328/0x630
[   25.400103]  ret_from_fork+0x10/0x20
[   25.400355] 
[   25.400647] The buggy address belongs to the object at fff00000c17ed600
[   25.400647]  which belongs to the cache kmalloc-256 of size 256
[   25.401148] The buggy address is located 0 bytes inside of
[   25.401148]  freed 256-byte region [fff00000c17ed600, fff00000c17ed700)
[   25.401381] 
[   25.401438] The buggy address belongs to the physical page:
[   25.401521] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1017ec
[   25.402476] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   25.402609] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   25.402740] page_type: f5(slab)
[   25.403621] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.403867] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.404879] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.405610] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.405777] head: 0bfffe0000000001 ffffc1ffc305fb01 00000000ffffffff 00000000ffffffff
[   25.405934] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   25.406035] page dumped because: kasan: bad access detected
[   25.406190] 
[   25.406237] Memory state around the buggy address:
[   25.406454]  fff00000c17ed500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.406627]  fff00000c17ed580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.406903] >fff00000c17ed600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.407008]                    ^
[   25.407920]  fff00000c17ed680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.408079]  fff00000c17ed700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.408180] ==================================================================
[   25.366894] ==================================================================
[   25.368717] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   25.369630] Read of size 1 at addr fff00000c17ed600 by task kunit_try_catch/164
[   25.370172] 
[   25.370272] CPU: 0 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   25.370723] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.370914] Hardware name: linux,dummy-virt (DT)
[   25.371039] Call trace:
[   25.371146]  show_stack+0x20/0x38 (C)
[   25.371416]  dump_stack_lvl+0x8c/0xd0
[   25.371593]  print_report+0x118/0x608
[   25.371788]  kasan_report+0xdc/0x128
[   25.371958]  __kasan_check_byte+0x54/0x70
[   25.372098]  krealloc_noprof+0x44/0x360
[   25.372512]  krealloc_uaf+0x180/0x520
[   25.372981]  kunit_try_run_case+0x170/0x3f0
[   25.373186]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.373487]  kthread+0x328/0x630
[   25.373612]  ret_from_fork+0x10/0x20
[   25.373887] 
[   25.373939] Allocated by task 164:
[   25.374026]  kasan_save_stack+0x3c/0x68
[   25.374130]  kasan_save_track+0x20/0x40
[   25.374297]  kasan_save_alloc_info+0x40/0x58
[   25.374408]  __kasan_kmalloc+0xd4/0xd8
[   25.374671]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.374869]  krealloc_uaf+0xc8/0x520
[   25.375083]  kunit_try_run_case+0x170/0x3f0
[   25.375207]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.375391]  kthread+0x328/0x630
[   25.375485]  ret_from_fork+0x10/0x20
[   25.375603] 
[   25.375718] Freed by task 164:
[   25.376017]  kasan_save_stack+0x3c/0x68
[   25.376137]  kasan_save_track+0x20/0x40
[   25.377317]  kasan_save_free_info+0x4c/0x78
[   25.377451]  __kasan_slab_free+0x6c/0x98
[   25.377560]  kfree+0x214/0x3c8
[   25.377776]  krealloc_uaf+0x12c/0x520
[   25.377958]  kunit_try_run_case+0x170/0x3f0
[   25.378214]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.378325]  kthread+0x328/0x630
[   25.378406]  ret_from_fork+0x10/0x20
[   25.378557] 
[   25.378620] The buggy address belongs to the object at fff00000c17ed600
[   25.378620]  which belongs to the cache kmalloc-256 of size 256
[   25.379073] The buggy address is located 0 bytes inside of
[   25.379073]  freed 256-byte region [fff00000c17ed600, fff00000c17ed700)
[   25.379253] 
[   25.379394] The buggy address belongs to the physical page:
[   25.379609] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1017ec
[   25.379877] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   25.380006] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   25.380209] page_type: f5(slab)
[   25.380356] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.380624] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.380941] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   25.381122] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.381361] head: 0bfffe0000000001 ffffc1ffc305fb01 00000000ffffffff 00000000ffffffff
[   25.381858] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   25.381959] page dumped because: kasan: bad access detected
[   25.382032] 
[   25.382075] Memory state around the buggy address:
[   25.382769]  fff00000c17ed500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.383334]  fff00000c17ed580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.383544] >fff00000c17ed600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.384142]                    ^
[   25.384218]  fff00000c17ed680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.384321]  fff00000c17ed700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.384591] ==================================================================

[   18.679050] ==================================================================
[   18.680190] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   18.680798] Read of size 1 at addr ffff888100aad200 by task kunit_try_catch/182
[   18.681763] 
[   18.682007] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   18.682130] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.682168] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   18.682226] Call Trace:
[   18.682281]  <TASK>
[   18.682325]  dump_stack_lvl+0x73/0xb0
[   18.682410]  print_report+0xd1/0x650
[   18.682475]  ? __virt_addr_valid+0x1db/0x2d0
[   18.682563]  ? krealloc_uaf+0x53c/0x5e0
[   18.682627]  ? kasan_complete_mode_report_info+0x64/0x200
[   18.682692]  ? krealloc_uaf+0x53c/0x5e0
[   18.682749]  kasan_report+0x141/0x180
[   18.682808]  ? krealloc_uaf+0x53c/0x5e0
[   18.682875]  __asan_report_load1_noabort+0x18/0x20
[   18.682948]  krealloc_uaf+0x53c/0x5e0
[   18.683011]  ? __pfx_krealloc_uaf+0x10/0x10
[   18.683607]  ? finish_task_switch.isra.0+0x153/0x700
[   18.683691]  ? __switch_to+0x47/0xf50
[   18.683778]  ? __schedule+0x10cc/0x2b60
[   18.683857]  ? __pfx_read_tsc+0x10/0x10
[   18.683982]  ? ktime_get_ts64+0x86/0x230
[   18.684158]  kunit_try_run_case+0x1a5/0x480
[   18.684239]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.684302]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   18.684343]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   18.684379]  ? __kthread_parkme+0x82/0x180
[   18.684409]  ? preempt_count_sub+0x50/0x80
[   18.684442]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.684481]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.684556]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   18.684641]  kthread+0x337/0x6f0
[   18.684706]  ? trace_preempt_on+0x20/0xc0
[   18.684744]  ? __pfx_kthread+0x10/0x10
[   18.684777]  ? _raw_spin_unlock_irq+0x47/0x80
[   18.684811]  ? calculate_sigpending+0x7b/0xa0
[   18.684848]  ? __pfx_kthread+0x10/0x10
[   18.684878]  ret_from_fork+0x116/0x1d0
[   18.684905]  ? __pfx_kthread+0x10/0x10
[   18.684934]  ret_from_fork_asm+0x1a/0x30
[   18.684981]  </TASK>
[   18.684997] 
[   18.711028] Allocated by task 182:
[   18.712113]  kasan_save_stack+0x45/0x70
[   18.713763]  kasan_save_track+0x18/0x40
[   18.714305]  kasan_save_alloc_info+0x3b/0x50
[   18.714969]  __kasan_kmalloc+0xb7/0xc0
[   18.715285]  __kmalloc_cache_noprof+0x189/0x420
[   18.716465]  krealloc_uaf+0xbb/0x5e0
[   18.717820]  kunit_try_run_case+0x1a5/0x480
[   18.718772]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.719521]  kthread+0x337/0x6f0
[   18.720077]  ret_from_fork+0x116/0x1d0
[   18.721701]  ret_from_fork_asm+0x1a/0x30
[   18.722380] 
[   18.723079] Freed by task 182:
[   18.723964]  kasan_save_stack+0x45/0x70
[   18.725703]  kasan_save_track+0x18/0x40
[   18.726273]  kasan_save_free_info+0x3f/0x60
[   18.726972]  __kasan_slab_free+0x56/0x70
[   18.727723]  kfree+0x222/0x3f0
[   18.728134]  krealloc_uaf+0x13d/0x5e0
[   18.728494]  kunit_try_run_case+0x1a5/0x480
[   18.729731]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.730399]  kthread+0x337/0x6f0
[   18.730785]  ret_from_fork+0x116/0x1d0
[   18.731481]  ret_from_fork_asm+0x1a/0x30
[   18.732209] 
[   18.732483] The buggy address belongs to the object at ffff888100aad200
[   18.732483]  which belongs to the cache kmalloc-256 of size 256
[   18.734139] The buggy address is located 0 bytes inside of
[   18.734139]  freed 256-byte region [ffff888100aad200, ffff888100aad300)
[   18.736100] 
[   18.736387] The buggy address belongs to the physical page:
[   18.737560] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aac
[   18.738551] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   18.740184] flags: 0x200000000000040(head|node=0|zone=2)
[   18.740828] page_type: f5(slab)
[   18.741139] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   18.742541] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.743375] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   18.743971] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.744685] head: 0200000000000001 ffffea000402ab01 00000000ffffffff 00000000ffffffff
[   18.745310] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   18.746426] page dumped because: kasan: bad access detected
[   18.746758] 
[   18.746903] Memory state around the buggy address:
[   18.747183]  ffff888100aad100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.747622]  ffff888100aad180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.749602] >ffff888100aad200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.750667]                    ^
[   18.751021]  ffff888100aad280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.751869]  ffff888100aad300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.752886] ==================================================================
[   18.617404] ==================================================================
[   18.618392] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   18.619110] Read of size 1 at addr ffff888100aad200 by task kunit_try_catch/182
[   18.619547] 
[   18.619738] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   18.619856] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.619895] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   18.619957] Call Trace:
[   18.619998]  <TASK>
[   18.620049]  dump_stack_lvl+0x73/0xb0
[   18.620137]  print_report+0xd1/0x650
[   18.620201]  ? __virt_addr_valid+0x1db/0x2d0
[   18.620277]  ? krealloc_uaf+0x1b8/0x5e0
[   18.621073]  ? kasan_complete_mode_report_info+0x64/0x200
[   18.621161]  ? krealloc_uaf+0x1b8/0x5e0
[   18.621250]  kasan_report+0x141/0x180
[   18.621328]  ? krealloc_uaf+0x1b8/0x5e0
[   18.621673]  ? krealloc_uaf+0x1b8/0x5e0
[   18.621894]  __kasan_check_byte+0x3d/0x50
[   18.621948]  krealloc_noprof+0x3f/0x340
[   18.621990]  krealloc_uaf+0x1b8/0x5e0
[   18.622022]  ? __pfx_krealloc_uaf+0x10/0x10
[   18.622052]  ? finish_task_switch.isra.0+0x153/0x700
[   18.622088]  ? __switch_to+0x47/0xf50
[   18.622126]  ? __schedule+0x10cc/0x2b60
[   18.622160]  ? __pfx_read_tsc+0x10/0x10
[   18.622212]  ? ktime_get_ts64+0x86/0x230
[   18.622279]  kunit_try_run_case+0x1a5/0x480
[   18.622338]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.622389]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   18.622444]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   18.622513]  ? __kthread_parkme+0x82/0x180
[   18.622564]  ? preempt_count_sub+0x50/0x80
[   18.622614]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.622667]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.622723]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   18.622780]  kthread+0x337/0x6f0
[   18.622827]  ? trace_preempt_on+0x20/0xc0
[   18.622880]  ? __pfx_kthread+0x10/0x10
[   18.622931]  ? _raw_spin_unlock_irq+0x47/0x80
[   18.622980]  ? calculate_sigpending+0x7b/0xa0
[   18.623034]  ? __pfx_kthread+0x10/0x10
[   18.623080]  ret_from_fork+0x116/0x1d0
[   18.623121]  ? __pfx_kthread+0x10/0x10
[   18.623165]  ret_from_fork_asm+0x1a/0x30
[   18.623231]  </TASK>
[   18.623255] 
[   18.642059] Allocated by task 182:
[   18.642390]  kasan_save_stack+0x45/0x70
[   18.642834]  kasan_save_track+0x18/0x40
[   18.643081]  kasan_save_alloc_info+0x3b/0x50
[   18.643380]  __kasan_kmalloc+0xb7/0xc0
[   18.643766]  __kmalloc_cache_noprof+0x189/0x420
[   18.644058]  krealloc_uaf+0xbb/0x5e0
[   18.644356]  kunit_try_run_case+0x1a5/0x480
[   18.644857]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.645245]  kthread+0x337/0x6f0
[   18.645639]  ret_from_fork+0x116/0x1d0
[   18.646218]  ret_from_fork_asm+0x1a/0x30
[   18.646956] 
[   18.647283] Freed by task 182:
[   18.648032]  kasan_save_stack+0x45/0x70
[   18.648442]  kasan_save_track+0x18/0x40
[   18.648908]  kasan_save_free_info+0x3f/0x60
[   18.649595]  __kasan_slab_free+0x56/0x70
[   18.652517]  kfree+0x222/0x3f0
[   18.653900]  krealloc_uaf+0x13d/0x5e0
[   18.654341]  kunit_try_run_case+0x1a5/0x480
[   18.654827]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.655606]  kthread+0x337/0x6f0
[   18.655841]  ret_from_fork+0x116/0x1d0
[   18.656075]  ret_from_fork_asm+0x1a/0x30
[   18.656326] 
[   18.656469] The buggy address belongs to the object at ffff888100aad200
[   18.656469]  which belongs to the cache kmalloc-256 of size 256
[   18.658100] The buggy address is located 0 bytes inside of
[   18.658100]  freed 256-byte region [ffff888100aad200, ffff888100aad300)
[   18.659003] 
[   18.659204] The buggy address belongs to the physical page:
[   18.659591] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aac
[   18.662292] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   18.663573] flags: 0x200000000000040(head|node=0|zone=2)
[   18.664340] page_type: f5(slab)
[   18.664774] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   18.665338] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.666585] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   18.667721] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.668272] head: 0200000000000001 ffffea000402ab01 00000000ffffffff 00000000ffffffff
[   18.669314] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   18.669707] page dumped because: kasan: bad access detected
[   18.670134] 
[   18.670412] Memory state around the buggy address:
[   18.671490]  ffff888100aad100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.672431]  ffff888100aad180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.673140] >ffff888100aad200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.673732]                    ^
[   18.674083]  ffff888100aad280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.675673]  ffff888100aad300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.676578] ==================================================================

[   17.753047] ==================================================================
[   17.754485] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   17.756301] Read of size 1 at addr ffff888100aa7000 by task kunit_try_catch/182
[   17.757923] 
[   17.758227] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   17.758352] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.758392] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.758446] Call Trace:
[   17.758479]  <TASK>
[   17.758537]  dump_stack_lvl+0x73/0xb0
[   17.758908]  print_report+0xd1/0x650
[   17.758948]  ? __virt_addr_valid+0x1db/0x2d0
[   17.758981]  ? krealloc_uaf+0x53c/0x5e0
[   17.759011]  ? kasan_complete_mode_report_info+0x64/0x200
[   17.759041]  ? krealloc_uaf+0x53c/0x5e0
[   17.759071]  kasan_report+0x141/0x180
[   17.759109]  ? krealloc_uaf+0x53c/0x5e0
[   17.759178]  __asan_report_load1_noabort+0x18/0x20
[   17.759217]  krealloc_uaf+0x53c/0x5e0
[   17.759248]  ? __pfx_krealloc_uaf+0x10/0x10
[   17.759277]  ? finish_task_switch.isra.0+0x153/0x700
[   17.759306]  ? __switch_to+0x47/0xf50
[   17.759340]  ? __schedule+0x10cc/0x2b60
[   17.759371]  ? __pfx_read_tsc+0x10/0x10
[   17.759399]  ? ktime_get_ts64+0x86/0x230
[   17.759430]  kunit_try_run_case+0x1a5/0x480
[   17.759463]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.759495]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   17.759579]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   17.759650]  ? __kthread_parkme+0x82/0x180
[   17.759681]  ? preempt_count_sub+0x50/0x80
[   17.759713]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.759748]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.759781]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   17.759815]  kthread+0x337/0x6f0
[   17.759842]  ? trace_preempt_on+0x20/0xc0
[   17.759873]  ? __pfx_kthread+0x10/0x10
[   17.759929]  ? _raw_spin_unlock_irq+0x47/0x80
[   17.759963]  ? calculate_sigpending+0x7b/0xa0
[   17.759998]  ? __pfx_kthread+0x10/0x10
[   17.760027]  ret_from_fork+0x116/0x1d0
[   17.760052]  ? __pfx_kthread+0x10/0x10
[   17.760081]  ret_from_fork_asm+0x1a/0x30
[   17.760154]  </TASK>
[   17.760172] 
[   17.777855] Allocated by task 182:
[   17.778353]  kasan_save_stack+0x45/0x70
[   17.778776]  kasan_save_track+0x18/0x40
[   17.779350]  kasan_save_alloc_info+0x3b/0x50
[   17.780249]  __kasan_kmalloc+0xb7/0xc0
[   17.780867]  __kmalloc_cache_noprof+0x189/0x420
[   17.781462]  krealloc_uaf+0xbb/0x5e0
[   17.781931]  kunit_try_run_case+0x1a5/0x480
[   17.782443]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.783154]  kthread+0x337/0x6f0
[   17.783460]  ret_from_fork+0x116/0x1d0
[   17.784055]  ret_from_fork_asm+0x1a/0x30
[   17.784863] 
[   17.785162] Freed by task 182:
[   17.785599]  kasan_save_stack+0x45/0x70
[   17.786016]  kasan_save_track+0x18/0x40
[   17.786418]  kasan_save_free_info+0x3f/0x60
[   17.787006]  __kasan_slab_free+0x56/0x70
[   17.787654]  kfree+0x222/0x3f0
[   17.787950]  krealloc_uaf+0x13d/0x5e0
[   17.788469]  kunit_try_run_case+0x1a5/0x480
[   17.789015]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.789727]  kthread+0x337/0x6f0
[   17.790145]  ret_from_fork+0x116/0x1d0
[   17.790949]  ret_from_fork_asm+0x1a/0x30
[   17.791449] 
[   17.791845] The buggy address belongs to the object at ffff888100aa7000
[   17.791845]  which belongs to the cache kmalloc-256 of size 256
[   17.793161] The buggy address is located 0 bytes inside of
[   17.793161]  freed 256-byte region [ffff888100aa7000, ffff888100aa7100)
[   17.794652] 
[   17.795099] The buggy address belongs to the physical page:
[   17.796198] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aa6
[   17.797183] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   17.798387] flags: 0x200000000000040(head|node=0|zone=2)
[   17.799073] page_type: f5(slab)
[   17.799441] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   17.800582] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.801283] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   17.802296] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.802810] head: 0200000000000001 ffffea000402a981 00000000ffffffff 00000000ffffffff
[   17.803770] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   17.804503] page dumped because: kasan: bad access detected
[   17.805489] 
[   17.805683] Memory state around the buggy address:
[   17.806154]  ffff888100aa6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.806729]  ffff888100aa6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.808046] >ffff888100aa7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.809083]                    ^
[   17.809536]  ffff888100aa7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.810743]  ffff888100aa7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.811507] ==================================================================

[   17.694540] ==================================================================
[   17.695654] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   17.696336] Read of size 1 at addr ffff888100aa7000 by task kunit_try_catch/182
[   17.697210] 
[   17.697518] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   17.697704] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.697744] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.697805] Call Trace:
[   17.697842]  <TASK>
[   17.697907]  dump_stack_lvl+0x73/0xb0
[   17.698313]  print_report+0xd1/0x650
[   17.698393]  ? __virt_addr_valid+0x1db/0x2d0
[   17.698732]  ? krealloc_uaf+0x1b8/0x5e0
[   17.698777]  ? kasan_complete_mode_report_info+0x64/0x200
[   17.698810]  ? krealloc_uaf+0x1b8/0x5e0
[   17.698841]  kasan_report+0x141/0x180
[   17.698872]  ? krealloc_uaf+0x1b8/0x5e0
[   17.698936]  ? krealloc_uaf+0x1b8/0x5e0
[   17.698969]  __kasan_check_byte+0x3d/0x50
[   17.699000]  krealloc_noprof+0x3f/0x340
[   17.699033]  krealloc_uaf+0x1b8/0x5e0
[   17.699064]  ? __pfx_krealloc_uaf+0x10/0x10
[   17.699093]  ? finish_task_switch.isra.0+0x153/0x700
[   17.699153]  ? __switch_to+0x47/0xf50
[   17.699193]  ? __schedule+0x10cc/0x2b60
[   17.699225]  ? __pfx_read_tsc+0x10/0x10
[   17.699254]  ? ktime_get_ts64+0x86/0x230
[   17.699287]  kunit_try_run_case+0x1a5/0x480
[   17.699324]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.699357]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   17.699390]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   17.699423]  ? __kthread_parkme+0x82/0x180
[   17.699450]  ? preempt_count_sub+0x50/0x80
[   17.699480]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.699526]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.699637]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   17.699706]  kthread+0x337/0x6f0
[   17.699739]  ? trace_preempt_on+0x20/0xc0
[   17.699775]  ? __pfx_kthread+0x10/0x10
[   17.699805]  ? _raw_spin_unlock_irq+0x47/0x80
[   17.699836]  ? calculate_sigpending+0x7b/0xa0
[   17.699871]  ? __pfx_kthread+0x10/0x10
[   17.699931]  ret_from_fork+0x116/0x1d0
[   17.699960]  ? __pfx_kthread+0x10/0x10
[   17.699989]  ret_from_fork_asm+0x1a/0x30
[   17.700032]  </TASK>
[   17.700047] 
[   17.719366] Allocated by task 182:
[   17.719907]  kasan_save_stack+0x45/0x70
[   17.720380]  kasan_save_track+0x18/0x40
[   17.721006]  kasan_save_alloc_info+0x3b/0x50
[   17.721732]  __kasan_kmalloc+0xb7/0xc0
[   17.722276]  __kmalloc_cache_noprof+0x189/0x420
[   17.723012]  krealloc_uaf+0xbb/0x5e0
[   17.723677]  kunit_try_run_case+0x1a5/0x480
[   17.724209]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.724927]  kthread+0x337/0x6f0
[   17.725346]  ret_from_fork+0x116/0x1d0
[   17.726001]  ret_from_fork_asm+0x1a/0x30
[   17.726592] 
[   17.727012] Freed by task 182:
[   17.727463]  kasan_save_stack+0x45/0x70
[   17.728055]  kasan_save_track+0x18/0x40
[   17.728452]  kasan_save_free_info+0x3f/0x60
[   17.728815]  __kasan_slab_free+0x56/0x70
[   17.729336]  kfree+0x222/0x3f0
[   17.729767]  krealloc_uaf+0x13d/0x5e0
[   17.730428]  kunit_try_run_case+0x1a5/0x480
[   17.731070]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.731868]  kthread+0x337/0x6f0
[   17.732378]  ret_from_fork+0x116/0x1d0
[   17.732783]  ret_from_fork_asm+0x1a/0x30
[   17.733302] 
[   17.733533] The buggy address belongs to the object at ffff888100aa7000
[   17.733533]  which belongs to the cache kmalloc-256 of size 256
[   17.734766] The buggy address is located 0 bytes inside of
[   17.734766]  freed 256-byte region [ffff888100aa7000, ffff888100aa7100)
[   17.736090] 
[   17.736425] The buggy address belongs to the physical page:
[   17.736991] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aa6
[   17.738041] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   17.738902] flags: 0x200000000000040(head|node=0|zone=2)
[   17.739472] page_type: f5(slab)
[   17.740047] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   17.740843] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.741594] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   17.742226] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.742797] head: 0200000000000001 ffffea000402a981 00000000ffffffff 00000000ffffffff
[   17.744132] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   17.744750] page dumped because: kasan: bad access detected
[   17.745162] 
[   17.745399] Memory state around the buggy address:
[   17.745778]  ffff888100aa6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.747086]  ffff888100aa6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.748080] >ffff888100aa7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.748961]                    ^
[   17.749323]  ffff888100aa7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.750095]  ffff888100aa7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.750923] ==================================================================

[   20.407968] ==================================================================
[   20.408642] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   20.409274] Read of size 1 at addr ffff00000b7bf200 by task kunit_try_catch/217
[   20.409943] 
[   20.410098] CPU: 3 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   20.410134] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.410144] Hardware name: Radxa ROCK Pi 4B (DT)
[   20.410157] Call trace:
[   20.410166]  show_stack+0x20/0x38 (C)
[   20.410191]  dump_stack_lvl+0x8c/0xd0
[   20.410217]  print_report+0x118/0x608
[   20.410241]  kasan_report+0xdc/0x128
[   20.410263]  __asan_report_load1_noabort+0x20/0x30
[   20.410289]  krealloc_uaf+0x4c8/0x520
[   20.410310]  kunit_try_run_case+0x170/0x3f0
[   20.410334]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.410361]  kthread+0x328/0x630
[   20.410380]  ret_from_fork+0x10/0x20
[   20.410403] 
[   20.415895] Allocated by task 217:
[   20.416211]  kasan_save_stack+0x3c/0x68
[   20.416575]  kasan_save_track+0x20/0x40
[   20.416937]  kasan_save_alloc_info+0x40/0x58
[   20.417339]  __kasan_kmalloc+0xd4/0xd8
[   20.417694]  __kmalloc_cache_noprof+0x16c/0x3c0
[   20.418117]  krealloc_uaf+0xc8/0x520
[   20.418455]  kunit_try_run_case+0x170/0x3f0
[   20.418848]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.419357]  kthread+0x328/0x630
[   20.419662]  ret_from_fork+0x10/0x20
[   20.420000] 
[   20.420146] Freed by task 217:
[   20.420431]  kasan_save_stack+0x3c/0x68
[   20.420795]  kasan_save_track+0x20/0x40
[   20.421158]  kasan_save_free_info+0x4c/0x78
[   20.421553]  __kasan_slab_free+0x6c/0x98
[   20.421923]  kfree+0x214/0x3c8
[   20.422215]  krealloc_uaf+0x12c/0x520
[   20.422561]  kunit_try_run_case+0x170/0x3f0
[   20.422954]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.423462]  kthread+0x328/0x630
[   20.423767]  ret_from_fork+0x10/0x20
[   20.424105] 
[   20.424252] The buggy address belongs to the object at ffff00000b7bf200
[   20.424252]  which belongs to the cache kmalloc-256 of size 256
[   20.425369] The buggy address is located 0 bytes inside of
[   20.425369]  freed 256-byte region [ffff00000b7bf200, ffff00000b7bf300)
[   20.426450] 
[   20.426598] The buggy address belongs to the physical page:
[   20.427103] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb7be
[   20.427812] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   20.428504] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[   20.429143] page_type: f5(slab)
[   20.429443] raw: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[   20.430146] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.430848] head: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[   20.431557] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.432267] head: 03fffe0000000001 fffffdffc02def81 00000000ffffffff 00000000ffffffff
[   20.432975] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   20.433678] page dumped because: kasan: bad access detected
[   20.434182] 
[   20.434329] Memory state around the buggy address:
[   20.434766]  ffff00000b7bf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.435419]  ffff00000b7bf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.436072] >ffff00000b7bf200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.436722]                    ^
[   20.437024]  ffff00000b7bf280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.437676]  ffff00000b7bf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.438327] ==================================================================

[   20.375372] ==================================================================
[   20.376476] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   20.377108] Read of size 1 at addr ffff00000b7bf200 by task kunit_try_catch/217
[   20.377784] 
[   20.377946] CPU: 3 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   20.377993] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.378007] Hardware name: Radxa ROCK Pi 4B (DT)
[   20.378023] Call trace:
[   20.378033]  show_stack+0x20/0x38 (C)
[   20.378065]  dump_stack_lvl+0x8c/0xd0
[   20.378099]  print_report+0x118/0x608
[   20.378132]  kasan_report+0xdc/0x128
[   20.378162]  __kasan_check_byte+0x54/0x70
[   20.378194]  krealloc_noprof+0x44/0x360
[   20.378226]  krealloc_uaf+0x180/0x520
[   20.378254]  kunit_try_run_case+0x170/0x3f0
[   20.378286]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.378323]  kthread+0x328/0x630
[   20.378348]  ret_from_fork+0x10/0x20
[   20.378379] 
[   20.384186] Allocated by task 217:
[   20.384510]  kasan_save_stack+0x3c/0x68
[   20.384888]  kasan_save_track+0x20/0x40
[   20.385261]  kasan_save_alloc_info+0x40/0x58
[   20.385676]  __kasan_kmalloc+0xd4/0xd8
[   20.386041]  __kmalloc_cache_noprof+0x16c/0x3c0
[   20.386477]  krealloc_uaf+0xc8/0x520
[   20.386826]  kunit_try_run_case+0x170/0x3f0
[   20.387231]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.387753]  kthread+0x328/0x630
[   20.388068]  ret_from_fork+0x10/0x20
[   20.388417] 
[   20.388570] Freed by task 217:
[   20.388863]  kasan_save_stack+0x3c/0x68
[   20.389238]  kasan_save_track+0x20/0x40
[   20.389611]  kasan_save_free_info+0x4c/0x78
[   20.390019]  __kasan_slab_free+0x6c/0x98
[   20.390401]  kfree+0x214/0x3c8
[   20.390704]  krealloc_uaf+0x12c/0x520
[   20.391061]  kunit_try_run_case+0x170/0x3f0
[   20.391465]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.391987]  kthread+0x328/0x630
[   20.392302]  ret_from_fork+0x10/0x20
[   20.392651] 
[   20.392804] The buggy address belongs to the object at ffff00000b7bf200
[   20.392804]  which belongs to the cache kmalloc-256 of size 256
[   20.393935] The buggy address is located 0 bytes inside of
[   20.393935]  freed 256-byte region [ffff00000b7bf200, ffff00000b7bf300)
[   20.395029] 
[   20.395183] The buggy address belongs to the physical page:
[   20.395697] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb7be
[   20.396420] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   20.397125] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[   20.397777] page_type: f5(slab)
[   20.398089] raw: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[   20.398804] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.399518] head: 03fffe0000000040 ffff000000402b40 dead000000000122 0000000000000000
[   20.400240] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.400962] head: 03fffe0000000001 fffffdffc02def81 00000000ffffffff 00000000ffffffff
[   20.401683] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   20.402397] page dumped because: kasan: bad access detected
[   20.402910] 
[   20.403062] Memory state around the buggy address:
[   20.403508]  ffff00000b7bf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.404173]  ffff00000b7bf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.404837] >ffff00000b7bf200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.405497]                    ^
[   20.405807]  ffff00000b7bf280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.406471]  ffff00000b7bf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.407132] ==================================================================