Date
July 6, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 | |
| x86 |
[ 16.838379] ================================================================== [ 16.838571] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 16.838781] Read of size 1 at addr fff00000c45a8c00 by task kunit_try_catch/165 [ 16.838830] [ 16.838861] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.839448] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.839639] Hardware name: linux,dummy-virt (DT) [ 16.839720] Call trace: [ 16.839950] show_stack+0x20/0x38 (C) [ 16.840039] dump_stack_lvl+0x8c/0xd0 [ 16.840173] print_report+0x118/0x608 [ 16.840218] kasan_report+0xdc/0x128 [ 16.840261] __asan_report_load1_noabort+0x20/0x30 [ 16.840609] krealloc_uaf+0x4c8/0x520 [ 16.840653] kunit_try_run_case+0x170/0x3f0 [ 16.840734] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.840906] kthread+0x328/0x630 [ 16.840964] ret_from_fork+0x10/0x20 [ 16.841021] [ 16.841038] Allocated by task 165: [ 16.841111] kasan_save_stack+0x3c/0x68 [ 16.841289] kasan_save_track+0x20/0x40 [ 16.841374] kasan_save_alloc_info+0x40/0x58 [ 16.841474] __kasan_kmalloc+0xd4/0xd8 [ 16.841585] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.841676] krealloc_uaf+0xc8/0x520 [ 16.841764] kunit_try_run_case+0x170/0x3f0 [ 16.841800] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.841842] kthread+0x328/0x630 [ 16.841872] ret_from_fork+0x10/0x20 [ 16.841952] [ 16.841995] Freed by task 165: [ 16.842019] kasan_save_stack+0x3c/0x68 [ 16.842055] kasan_save_track+0x20/0x40 [ 16.842090] kasan_save_free_info+0x4c/0x78 [ 16.842127] __kasan_slab_free+0x6c/0x98 [ 16.842162] kfree+0x214/0x3c8 [ 16.842194] krealloc_uaf+0x12c/0x520 [ 16.842371] kunit_try_run_case+0x170/0x3f0 [ 16.842638] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.842963] kthread+0x328/0x630 [ 16.843276] ret_from_fork+0x10/0x20 [ 16.843357] [ 16.843660] The buggy address belongs to the object at fff00000c45a8c00 [ 16.843660] which belongs to the cache kmalloc-256 of size 256 [ 16.843722] The buggy address is located 0 bytes inside of [ 16.843722] freed 256-byte region [fff00000c45a8c00, fff00000c45a8d00) [ 16.843780] [ 16.843800] The buggy address belongs to the physical page: [ 16.843841] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1045a8 [ 16.843940] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.844395] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.844489] page_type: f5(slab) [ 16.844713] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.844838] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.844927] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.845113] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.845278] head: 0bfffe0000000001 ffffc1ffc3116a01 00000000ffffffff 00000000ffffffff [ 16.845325] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.845363] page dumped because: kasan: bad access detected [ 16.845824] [ 16.845861] Memory state around the buggy address: [ 16.845895] fff00000c45a8b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.845937] fff00000c45a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.845991] >fff00000c45a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.846027] ^ [ 16.846054] fff00000c45a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.846104] fff00000c45a8d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.846140] ================================================================== [ 16.826549] ================================================================== [ 16.826653] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 16.826705] Read of size 1 at addr fff00000c45a8c00 by task kunit_try_catch/165 [ 16.826752] [ 16.826784] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.826862] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.826887] Hardware name: linux,dummy-virt (DT) [ 16.826916] Call trace: [ 16.826936] show_stack+0x20/0x38 (C) [ 16.826996] dump_stack_lvl+0x8c/0xd0 [ 16.827201] print_report+0x118/0x608 [ 16.827353] kasan_report+0xdc/0x128 [ 16.827738] __kasan_check_byte+0x54/0x70 [ 16.827789] krealloc_noprof+0x44/0x360 [ 16.827834] krealloc_uaf+0x180/0x520 [ 16.828105] kunit_try_run_case+0x170/0x3f0 [ 16.828264] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.828899] kthread+0x328/0x630 [ 16.828947] ret_from_fork+0x10/0x20 [ 16.829640] [ 16.829660] Allocated by task 165: [ 16.830269] kasan_save_stack+0x3c/0x68 [ 16.830333] kasan_save_track+0x20/0x40 [ 16.830370] kasan_save_alloc_info+0x40/0x58 [ 16.830409] __kasan_kmalloc+0xd4/0xd8 [ 16.830935] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.831370] krealloc_uaf+0xc8/0x520 [ 16.831587] kunit_try_run_case+0x170/0x3f0 [ 16.831717] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.831760] kthread+0x328/0x630 [ 16.831792] ret_from_fork+0x10/0x20 [ 16.831837] [ 16.831991] Freed by task 165: [ 16.832120] kasan_save_stack+0x3c/0x68 [ 16.832160] kasan_save_track+0x20/0x40 [ 16.832254] kasan_save_free_info+0x4c/0x78 [ 16.832312] __kasan_slab_free+0x6c/0x98 [ 16.832426] kfree+0x214/0x3c8 [ 16.832459] krealloc_uaf+0x12c/0x520 [ 16.832494] kunit_try_run_case+0x170/0x3f0 [ 16.832530] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.832611] kthread+0x328/0x630 [ 16.832767] ret_from_fork+0x10/0x20 [ 16.832950] [ 16.832973] The buggy address belongs to the object at fff00000c45a8c00 [ 16.832973] which belongs to the cache kmalloc-256 of size 256 [ 16.833198] The buggy address is located 0 bytes inside of [ 16.833198] freed 256-byte region [fff00000c45a8c00, fff00000c45a8d00) [ 16.833311] [ 16.833332] The buggy address belongs to the physical page: [ 16.833866] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1045a8 [ 16.834236] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.834407] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.834503] page_type: f5(slab) [ 16.834540] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.834766] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.834964] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.835025] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.835260] head: 0bfffe0000000001 ffffc1ffc3116a01 00000000ffffffff 00000000ffffffff [ 16.835411] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.835692] page dumped because: kasan: bad access detected [ 16.835815] [ 16.835909] Memory state around the buggy address: [ 16.835944] fff00000c45a8b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.835997] fff00000c45a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.836038] >fff00000c45a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.836074] ^ [ 16.836101] fff00000c45a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.836154] fff00000c45a8d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.836189] ==================================================================
[ 16.788251] ================================================================== [ 16.788341] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 16.788399] Read of size 1 at addr fff00000c172e200 by task kunit_try_catch/165 [ 16.788578] [ 16.788609] CPU: 1 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.788892] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.788926] Hardware name: linux,dummy-virt (DT) [ 16.788955] Call trace: [ 16.788975] show_stack+0x20/0x38 (C) [ 16.789509] dump_stack_lvl+0x8c/0xd0 [ 16.789672] print_report+0x118/0x608 [ 16.789716] kasan_report+0xdc/0x128 [ 16.790122] __kasan_check_byte+0x54/0x70 [ 16.790189] krealloc_noprof+0x44/0x360 [ 16.790274] krealloc_uaf+0x180/0x520 [ 16.790334] kunit_try_run_case+0x170/0x3f0 [ 16.790381] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.790438] kthread+0x328/0x630 [ 16.790477] ret_from_fork+0x10/0x20 [ 16.790522] [ 16.790540] Allocated by task 165: [ 16.790695] kasan_save_stack+0x3c/0x68 [ 16.790863] kasan_save_track+0x20/0x40 [ 16.790978] kasan_save_alloc_info+0x40/0x58 [ 16.791019] __kasan_kmalloc+0xd4/0xd8 [ 16.791095] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.791141] krealloc_uaf+0xc8/0x520 [ 16.791338] kunit_try_run_case+0x170/0x3f0 [ 16.791599] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.791641] kthread+0x328/0x630 [ 16.792044] ret_from_fork+0x10/0x20 [ 16.792294] [ 16.792332] Freed by task 165: [ 16.792415] kasan_save_stack+0x3c/0x68 [ 16.792538] kasan_save_track+0x20/0x40 [ 16.792596] kasan_save_free_info+0x4c/0x78 [ 16.792635] __kasan_slab_free+0x6c/0x98 [ 16.792672] kfree+0x214/0x3c8 [ 16.792704] krealloc_uaf+0x12c/0x520 [ 16.792739] kunit_try_run_case+0x170/0x3f0 [ 16.792775] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.792816] kthread+0x328/0x630 [ 16.792847] ret_from_fork+0x10/0x20 [ 16.792898] [ 16.792932] The buggy address belongs to the object at fff00000c172e200 [ 16.792932] which belongs to the cache kmalloc-256 of size 256 [ 16.793416] The buggy address is located 0 bytes inside of [ 16.793416] freed 256-byte region [fff00000c172e200, fff00000c172e300) [ 16.793541] [ 16.793562] The buggy address belongs to the physical page: [ 16.793592] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10172e [ 16.793644] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.794167] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.794314] page_type: f5(slab) [ 16.794351] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.794522] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.794599] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.794765] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.794886] head: 0bfffe0000000001 ffffc1ffc305cb81 00000000ffffffff 00000000ffffffff [ 16.795051] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.795092] page dumped because: kasan: bad access detected [ 16.795175] [ 16.795201] Memory state around the buggy address: [ 16.795232] fff00000c172e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.795326] fff00000c172e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.795378] >fff00000c172e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.795414] ^ [ 16.795496] fff00000c172e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.795680] fff00000c172e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.795728] ================================================================== [ 16.796940] ================================================================== [ 16.796988] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 16.797331] Read of size 1 at addr fff00000c172e200 by task kunit_try_catch/165 [ 16.797466] [ 16.797578] CPU: 1 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.797663] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.797688] Hardware name: linux,dummy-virt (DT) [ 16.797716] Call trace: [ 16.797736] show_stack+0x20/0x38 (C) [ 16.797783] dump_stack_lvl+0x8c/0xd0 [ 16.797838] print_report+0x118/0x608 [ 16.797883] kasan_report+0xdc/0x128 [ 16.798271] __asan_report_load1_noabort+0x20/0x30 [ 16.798343] krealloc_uaf+0x4c8/0x520 [ 16.798398] kunit_try_run_case+0x170/0x3f0 [ 16.798446] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.798595] kthread+0x328/0x630 [ 16.798894] ret_from_fork+0x10/0x20 [ 16.799228] [ 16.799269] Allocated by task 165: [ 16.799297] kasan_save_stack+0x3c/0x68 [ 16.799342] kasan_save_track+0x20/0x40 [ 16.799508] kasan_save_alloc_info+0x40/0x58 [ 16.799590] __kasan_kmalloc+0xd4/0xd8 [ 16.799665] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.799783] krealloc_uaf+0xc8/0x520 [ 16.799856] kunit_try_run_case+0x170/0x3f0 [ 16.800091] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.800390] kthread+0x328/0x630 [ 16.800529] ret_from_fork+0x10/0x20 [ 16.800701] [ 16.800803] Freed by task 165: [ 16.800864] kasan_save_stack+0x3c/0x68 [ 16.800950] kasan_save_track+0x20/0x40 [ 16.800987] kasan_save_free_info+0x4c/0x78 [ 16.801025] __kasan_slab_free+0x6c/0x98 [ 16.801065] kfree+0x214/0x3c8 [ 16.801098] krealloc_uaf+0x12c/0x520 [ 16.801142] kunit_try_run_case+0x170/0x3f0 [ 16.801178] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.801456] kthread+0x328/0x630 [ 16.801647] ret_from_fork+0x10/0x20 [ 16.801683] [ 16.801702] The buggy address belongs to the object at fff00000c172e200 [ 16.801702] which belongs to the cache kmalloc-256 of size 256 [ 16.802158] The buggy address is located 0 bytes inside of [ 16.802158] freed 256-byte region [fff00000c172e200, fff00000c172e300) [ 16.802336] [ 16.802357] The buggy address belongs to the physical page: [ 16.802385] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10172e [ 16.802466] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.802592] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.802640] page_type: f5(slab) [ 16.802675] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.802723] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.802770] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.803056] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.803232] head: 0bfffe0000000001 ffffc1ffc305cb81 00000000ffffffff 00000000ffffffff [ 16.803332] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.803410] page dumped because: kasan: bad access detected [ 16.803439] [ 16.803456] Memory state around the buggy address: [ 16.803493] fff00000c172e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.803658] fff00000c172e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.803699] >fff00000c172e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.803774] ^ [ 16.803902] fff00000c172e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.804046] fff00000c172e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.804087] ==================================================================
[ 13.273994] ================================================================== [ 13.274309] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 13.274921] Read of size 1 at addr ffff88810034ce00 by task kunit_try_catch/182 [ 13.275745] [ 13.275871] CPU: 0 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.275983] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.276007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.276126] Call Trace: [ 13.276159] <TASK> [ 13.276189] dump_stack_lvl+0x73/0xb0 [ 13.276259] print_report+0xd1/0x650 [ 13.276301] ? __virt_addr_valid+0x1db/0x2d0 [ 13.276333] ? krealloc_uaf+0x53c/0x5e0 [ 13.276354] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.276377] ? krealloc_uaf+0x53c/0x5e0 [ 13.276397] kasan_report+0x141/0x180 [ 13.276417] ? krealloc_uaf+0x53c/0x5e0 [ 13.276441] __asan_report_load1_noabort+0x18/0x20 [ 13.276463] krealloc_uaf+0x53c/0x5e0 [ 13.276482] ? __pfx_krealloc_uaf+0x10/0x10 [ 13.276528] ? finish_task_switch.isra.0+0x153/0x700 [ 13.276568] ? __switch_to+0x47/0xf50 [ 13.276607] ? __schedule+0x10cc/0x2b60 [ 13.276651] ? __pfx_read_tsc+0x10/0x10 [ 13.276671] ? ktime_get_ts64+0x86/0x230 [ 13.276695] kunit_try_run_case+0x1a5/0x480 [ 13.276717] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.276737] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.276759] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.276780] ? __kthread_parkme+0x82/0x180 [ 13.276798] ? preempt_count_sub+0x50/0x80 [ 13.276818] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.276839] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.276860] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.276880] kthread+0x337/0x6f0 [ 13.276898] ? trace_preempt_on+0x20/0xc0 [ 13.276919] ? __pfx_kthread+0x10/0x10 [ 13.276937] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.276957] ? calculate_sigpending+0x7b/0xa0 [ 13.276978] ? __pfx_kthread+0x10/0x10 [ 13.276998] ret_from_fork+0x116/0x1d0 [ 13.277014] ? __pfx_kthread+0x10/0x10 [ 13.277033] ret_from_fork_asm+0x1a/0x30 [ 13.277061] </TASK> [ 13.277073] [ 13.289793] Allocated by task 182: [ 13.290071] kasan_save_stack+0x45/0x70 [ 13.290720] kasan_save_track+0x18/0x40 [ 13.290973] kasan_save_alloc_info+0x3b/0x50 [ 13.291234] __kasan_kmalloc+0xb7/0xc0 [ 13.291423] __kmalloc_cache_noprof+0x189/0x420 [ 13.291791] krealloc_uaf+0xbb/0x5e0 [ 13.292050] kunit_try_run_case+0x1a5/0x480 [ 13.292221] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.292535] kthread+0x337/0x6f0 [ 13.292944] ret_from_fork+0x116/0x1d0 [ 13.293291] ret_from_fork_asm+0x1a/0x30 [ 13.293756] [ 13.293947] Freed by task 182: [ 13.294133] kasan_save_stack+0x45/0x70 [ 13.294448] kasan_save_track+0x18/0x40 [ 13.295220] kasan_save_free_info+0x3f/0x60 [ 13.295674] __kasan_slab_free+0x56/0x70 [ 13.295946] kfree+0x222/0x3f0 [ 13.296196] krealloc_uaf+0x13d/0x5e0 [ 13.296654] kunit_try_run_case+0x1a5/0x480 [ 13.296880] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.297313] kthread+0x337/0x6f0 [ 13.297651] ret_from_fork+0x116/0x1d0 [ 13.297923] ret_from_fork_asm+0x1a/0x30 [ 13.298219] [ 13.298379] The buggy address belongs to the object at ffff88810034ce00 [ 13.298379] which belongs to the cache kmalloc-256 of size 256 [ 13.299071] The buggy address is located 0 bytes inside of [ 13.299071] freed 256-byte region [ffff88810034ce00, ffff88810034cf00) [ 13.300165] [ 13.300282] The buggy address belongs to the physical page: [ 13.300809] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10034c [ 13.301262] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.301748] flags: 0x200000000000040(head|node=0|zone=2) [ 13.301968] page_type: f5(slab) [ 13.302252] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.302496] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.303130] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.303461] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.304138] head: 0200000000000001 ffffea000400d301 00000000ffffffff 00000000ffffffff [ 13.304953] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 13.305285] page dumped because: kasan: bad access detected [ 13.305792] [ 13.305939] Memory state around the buggy address: [ 13.306220] ffff88810034cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.307137] ffff88810034cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.307463] >ffff88810034ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.308061] ^ [ 13.308293] ffff88810034ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.309028] ffff88810034cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.309704] ================================================================== [ 13.236155] ================================================================== [ 13.236613] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 13.238030] Read of size 1 at addr ffff88810034ce00 by task kunit_try_catch/182 [ 13.238371] [ 13.238495] CPU: 0 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.238558] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.238576] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.238602] Call Trace: [ 13.238629] <TASK> [ 13.238653] dump_stack_lvl+0x73/0xb0 [ 13.238704] print_report+0xd1/0x650 [ 13.238741] ? __virt_addr_valid+0x1db/0x2d0 [ 13.238776] ? krealloc_uaf+0x1b8/0x5e0 [ 13.238807] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.238848] ? krealloc_uaf+0x1b8/0x5e0 [ 13.238887] kasan_report+0x141/0x180 [ 13.238921] ? krealloc_uaf+0x1b8/0x5e0 [ 13.238957] ? krealloc_uaf+0x1b8/0x5e0 [ 13.238986] __kasan_check_byte+0x3d/0x50 [ 13.239021] krealloc_noprof+0x3f/0x340 [ 13.239060] krealloc_uaf+0x1b8/0x5e0 [ 13.239096] ? __pfx_krealloc_uaf+0x10/0x10 [ 13.239130] ? finish_task_switch.isra.0+0x153/0x700 [ 13.239170] ? __switch_to+0x47/0xf50 [ 13.239215] ? __schedule+0x10cc/0x2b60 [ 13.239249] ? __pfx_read_tsc+0x10/0x10 [ 13.239276] ? ktime_get_ts64+0x86/0x230 [ 13.239307] kunit_try_run_case+0x1a5/0x480 [ 13.239336] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.239356] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.239377] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.239398] ? __kthread_parkme+0x82/0x180 [ 13.239418] ? preempt_count_sub+0x50/0x80 [ 13.239438] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.239459] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.239479] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.239501] kthread+0x337/0x6f0 [ 13.239527] ? trace_preempt_on+0x20/0xc0 [ 13.239557] ? __pfx_kthread+0x10/0x10 [ 13.239584] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.239613] ? calculate_sigpending+0x7b/0xa0 [ 13.239654] ? __pfx_kthread+0x10/0x10 [ 13.239673] ret_from_fork+0x116/0x1d0 [ 13.239690] ? __pfx_kthread+0x10/0x10 [ 13.239708] ret_from_fork_asm+0x1a/0x30 [ 13.239737] </TASK> [ 13.239748] [ 13.252507] Allocated by task 182: [ 13.252884] kasan_save_stack+0x45/0x70 [ 13.253182] kasan_save_track+0x18/0x40 [ 13.253392] kasan_save_alloc_info+0x3b/0x50 [ 13.253836] __kasan_kmalloc+0xb7/0xc0 [ 13.254296] __kmalloc_cache_noprof+0x189/0x420 [ 13.254814] krealloc_uaf+0xbb/0x5e0 [ 13.255332] kunit_try_run_case+0x1a5/0x480 [ 13.255811] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.256288] kthread+0x337/0x6f0 [ 13.256443] ret_from_fork+0x116/0x1d0 [ 13.256611] ret_from_fork_asm+0x1a/0x30 [ 13.256903] [ 13.257096] Freed by task 182: [ 13.257765] kasan_save_stack+0x45/0x70 [ 13.257957] kasan_save_track+0x18/0x40 [ 13.258705] kasan_save_free_info+0x3f/0x60 [ 13.259154] __kasan_slab_free+0x56/0x70 [ 13.259578] kfree+0x222/0x3f0 [ 13.259745] krealloc_uaf+0x13d/0x5e0 [ 13.259861] kunit_try_run_case+0x1a5/0x480 [ 13.259975] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.260093] kthread+0x337/0x6f0 [ 13.260382] ret_from_fork+0x116/0x1d0 [ 13.260780] ret_from_fork_asm+0x1a/0x30 [ 13.261361] [ 13.261607] The buggy address belongs to the object at ffff88810034ce00 [ 13.261607] which belongs to the cache kmalloc-256 of size 256 [ 13.262669] The buggy address is located 0 bytes inside of [ 13.262669] freed 256-byte region [ffff88810034ce00, ffff88810034cf00) [ 13.263450] [ 13.263843] The buggy address belongs to the physical page: [ 13.264062] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10034c [ 13.264810] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.265030] flags: 0x200000000000040(head|node=0|zone=2) [ 13.265909] page_type: f5(slab) [ 13.266204] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.266417] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.267310] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.267628] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.267992] head: 0200000000000001 ffffea000400d301 00000000ffffffff 00000000ffffffff [ 13.268503] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 13.268946] page dumped because: kasan: bad access detected [ 13.269172] [ 13.269571] Memory state around the buggy address: [ 13.269869] ffff88810034cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.270777] ffff88810034cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.270995] >ffff88810034ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.271486] ^ [ 13.271802] ffff88810034ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.272467] ffff88810034cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.272874] ==================================================================
[ 13.458169] ================================================================== [ 13.458485] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 13.459032] Read of size 1 at addr ffff888100a30400 by task kunit_try_catch/181 [ 13.459771] [ 13.460070] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.460245] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.460259] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.460279] Call Trace: [ 13.460291] <TASK> [ 13.460308] dump_stack_lvl+0x73/0xb0 [ 13.460339] print_report+0xd1/0x650 [ 13.460361] ? __virt_addr_valid+0x1db/0x2d0 [ 13.460383] ? krealloc_uaf+0x53c/0x5e0 [ 13.460403] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.460428] ? krealloc_uaf+0x53c/0x5e0 [ 13.460449] kasan_report+0x141/0x180 [ 13.460471] ? krealloc_uaf+0x53c/0x5e0 [ 13.460498] __asan_report_load1_noabort+0x18/0x20 [ 13.460521] krealloc_uaf+0x53c/0x5e0 [ 13.460542] ? __pfx_krealloc_uaf+0x10/0x10 [ 13.460562] ? finish_task_switch.isra.0+0x153/0x700 [ 13.460584] ? __switch_to+0x47/0xf50 [ 13.460610] ? __schedule+0x10cc/0x2b60 [ 13.460632] ? __pfx_read_tsc+0x10/0x10 [ 13.460652] ? ktime_get_ts64+0x86/0x230 [ 13.460677] kunit_try_run_case+0x1a5/0x480 [ 13.460701] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.460771] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.460797] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.460819] ? __kthread_parkme+0x82/0x180 [ 13.460838] ? preempt_count_sub+0x50/0x80 [ 13.460861] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.460884] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.460906] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.460928] kthread+0x337/0x6f0 [ 13.460947] ? trace_preempt_on+0x20/0xc0 [ 13.460971] ? __pfx_kthread+0x10/0x10 [ 13.460991] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.461012] ? calculate_sigpending+0x7b/0xa0 [ 13.461036] ? __pfx_kthread+0x10/0x10 [ 13.461069] ret_from_fork+0x116/0x1d0 [ 13.461086] ? __pfx_kthread+0x10/0x10 [ 13.461106] ret_from_fork_asm+0x1a/0x30 [ 13.461138] </TASK> [ 13.461149] [ 13.473563] Allocated by task 181: [ 13.474099] kasan_save_stack+0x45/0x70 [ 13.474326] kasan_save_track+0x18/0x40 [ 13.474482] kasan_save_alloc_info+0x3b/0x50 [ 13.474638] __kasan_kmalloc+0xb7/0xc0 [ 13.474781] __kmalloc_cache_noprof+0x189/0x420 [ 13.474944] krealloc_uaf+0xbb/0x5e0 [ 13.475097] kunit_try_run_case+0x1a5/0x480 [ 13.475312] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.475645] kthread+0x337/0x6f0 [ 13.476091] ret_from_fork+0x116/0x1d0 [ 13.476444] ret_from_fork_asm+0x1a/0x30 [ 13.476814] [ 13.476892] Freed by task 181: [ 13.477040] kasan_save_stack+0x45/0x70 [ 13.477440] kasan_save_track+0x18/0x40 [ 13.477831] kasan_save_free_info+0x3f/0x60 [ 13.478350] __kasan_slab_free+0x56/0x70 [ 13.478790] kfree+0x222/0x3f0 [ 13.479014] krealloc_uaf+0x13d/0x5e0 [ 13.479365] kunit_try_run_case+0x1a5/0x480 [ 13.479553] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.479745] kthread+0x337/0x6f0 [ 13.479873] ret_from_fork+0x116/0x1d0 [ 13.480012] ret_from_fork_asm+0x1a/0x30 [ 13.480175] [ 13.480278] The buggy address belongs to the object at ffff888100a30400 [ 13.480278] which belongs to the cache kmalloc-256 of size 256 [ 13.480786] The buggy address is located 0 bytes inside of [ 13.480786] freed 256-byte region [ffff888100a30400, ffff888100a30500) [ 13.481333] [ 13.481413] The buggy address belongs to the physical page: [ 13.481645] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a30 [ 13.482031] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.482299] flags: 0x200000000000040(head|node=0|zone=2) [ 13.482567] page_type: f5(slab) [ 13.482750] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.483116] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.483434] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.483780] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.484236] head: 0200000000000001 ffffea0004028c01 00000000ffffffff 00000000ffffffff [ 13.484487] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 13.484875] page dumped because: kasan: bad access detected [ 13.485166] [ 13.485246] Memory state around the buggy address: [ 13.485496] ffff888100a30300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.485988] ffff888100a30380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.486313] >ffff888100a30400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.486591] ^ [ 13.486740] ffff888100a30480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.487095] ffff888100a30500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.487367] ================================================================== [ 13.417269] ================================================================== [ 13.417823] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 13.418127] Read of size 1 at addr ffff888100a30400 by task kunit_try_catch/181 [ 13.418413] [ 13.418532] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.418577] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.418588] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.418608] Call Trace: [ 13.418621] <TASK> [ 13.418636] dump_stack_lvl+0x73/0xb0 [ 13.418666] print_report+0xd1/0x650 [ 13.418687] ? __virt_addr_valid+0x1db/0x2d0 [ 13.418711] ? krealloc_uaf+0x1b8/0x5e0 [ 13.418732] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.418757] ? krealloc_uaf+0x1b8/0x5e0 [ 13.418777] kasan_report+0x141/0x180 [ 13.418799] ? krealloc_uaf+0x1b8/0x5e0 [ 13.418823] ? krealloc_uaf+0x1b8/0x5e0 [ 13.418843] __kasan_check_byte+0x3d/0x50 [ 13.418865] krealloc_noprof+0x3f/0x340 [ 13.418889] krealloc_uaf+0x1b8/0x5e0 [ 13.418910] ? __pfx_krealloc_uaf+0x10/0x10 [ 13.418930] ? finish_task_switch.isra.0+0x153/0x700 [ 13.418952] ? __switch_to+0x47/0xf50 [ 13.418979] ? __schedule+0x10cc/0x2b60 [ 13.419002] ? __pfx_read_tsc+0x10/0x10 [ 13.419022] ? ktime_get_ts64+0x86/0x230 [ 13.419084] kunit_try_run_case+0x1a5/0x480 [ 13.419111] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.419132] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.419155] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.419177] ? __kthread_parkme+0x82/0x180 [ 13.419197] ? preempt_count_sub+0x50/0x80 [ 13.419219] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.419242] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.419263] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.419297] kthread+0x337/0x6f0 [ 13.419317] ? trace_preempt_on+0x20/0xc0 [ 13.419357] ? __pfx_kthread+0x10/0x10 [ 13.419377] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.419397] ? calculate_sigpending+0x7b/0xa0 [ 13.419422] ? __pfx_kthread+0x10/0x10 [ 13.419443] ret_from_fork+0x116/0x1d0 [ 13.419461] ? __pfx_kthread+0x10/0x10 [ 13.419481] ret_from_fork_asm+0x1a/0x30 [ 13.419513] </TASK> [ 13.419524] [ 13.432765] Allocated by task 181: [ 13.432907] kasan_save_stack+0x45/0x70 [ 13.433364] kasan_save_track+0x18/0x40 [ 13.435278] kasan_save_alloc_info+0x3b/0x50 [ 13.435556] __kasan_kmalloc+0xb7/0xc0 [ 13.436143] __kmalloc_cache_noprof+0x189/0x420 [ 13.436368] krealloc_uaf+0xbb/0x5e0 [ 13.437026] kunit_try_run_case+0x1a5/0x480 [ 13.437240] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.437661] kthread+0x337/0x6f0 [ 13.438206] ret_from_fork+0x116/0x1d0 [ 13.438428] ret_from_fork_asm+0x1a/0x30 [ 13.438783] [ 13.438949] Freed by task 181: [ 13.439403] kasan_save_stack+0x45/0x70 [ 13.439714] kasan_save_track+0x18/0x40 [ 13.440118] kasan_save_free_info+0x3f/0x60 [ 13.440595] __kasan_slab_free+0x56/0x70 [ 13.440972] kfree+0x222/0x3f0 [ 13.441195] krealloc_uaf+0x13d/0x5e0 [ 13.441693] kunit_try_run_case+0x1a5/0x480 [ 13.442129] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.442564] kthread+0x337/0x6f0 [ 13.442706] ret_from_fork+0x116/0x1d0 [ 13.443402] ret_from_fork_asm+0x1a/0x30 [ 13.444030] [ 13.444425] The buggy address belongs to the object at ffff888100a30400 [ 13.444425] which belongs to the cache kmalloc-256 of size 256 [ 13.445757] The buggy address is located 0 bytes inside of [ 13.445757] freed 256-byte region [ffff888100a30400, ffff888100a30500) [ 13.446829] [ 13.447219] The buggy address belongs to the physical page: [ 13.448092] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a30 [ 13.449042] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 13.449400] flags: 0x200000000000040(head|node=0|zone=2) [ 13.449891] page_type: f5(slab) [ 13.450301] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.450684] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.451259] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 13.451791] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.452416] head: 0200000000000001 ffffea0004028c01 00000000ffffffff 00000000ffffffff [ 13.452737] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 13.453351] page dumped because: kasan: bad access detected [ 13.453843] [ 13.453962] Memory state around the buggy address: [ 13.454210] ffff888100a30300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.454744] ffff888100a30380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.455270] >ffff888100a30400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.455832] ^ [ 13.455991] ffff888100a30480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.456310] ffff888100a30500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.456634] ==================================================================
[ 23.442665] ================================================================== [ 23.449896] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 23.456516] Read of size 1 at addr ffff88810033ec00 by task kunit_try_catch/205 [ 23.463830] [ 23.465348] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 23.465356] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST [ 23.465359] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 23.465362] Call Trace: [ 23.465363] <TASK> [ 23.465365] dump_stack_lvl+0x73/0xb0 [ 23.465369] print_report+0xd1/0x650 [ 23.465386] ? __virt_addr_valid+0x1db/0x2d0 [ 23.465390] ? krealloc_uaf+0x53c/0x5e0 [ 23.465393] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.465398] ? krealloc_uaf+0x53c/0x5e0 [ 23.465402] kasan_report+0x141/0x180 [ 23.465406] ? krealloc_uaf+0x53c/0x5e0 [ 23.465411] __asan_report_load1_noabort+0x18/0x20 [ 23.465416] krealloc_uaf+0x53c/0x5e0 [ 23.465419] ? __pfx_krealloc_uaf+0x10/0x10 [ 23.465423] ? finish_task_switch.isra.0+0x153/0x700 [ 23.465427] ? __switch_to+0x544/0xf50 [ 23.465432] ? __schedule+0x10cc/0x2b60 [ 23.465436] ? ktime_get_ts64+0x83/0x230 [ 23.465440] kunit_try_run_case+0x1a2/0x480 [ 23.465444] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.465449] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.465453] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.465457] ? __kthread_parkme+0x82/0x180 [ 23.465460] ? preempt_count_sub+0x50/0x80 [ 23.465464] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.465469] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 23.465473] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.465477] kthread+0x334/0x6f0 [ 23.465480] ? trace_preempt_on+0x20/0xc0 [ 23.465484] ? __pfx_kthread+0x10/0x10 [ 23.465488] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.465492] ? calculate_sigpending+0x7b/0xa0 [ 23.465496] ? __pfx_kthread+0x10/0x10 [ 23.465500] ret_from_fork+0x113/0x1d0 [ 23.465503] ? __pfx_kthread+0x10/0x10 [ 23.465507] ret_from_fork_asm+0x1a/0x30 [ 23.465513] </TASK> [ 23.465514] [ 23.636904] Allocated by task 205: [ 23.640307] kasan_save_stack+0x45/0x70 [ 23.644148] kasan_save_track+0x18/0x40 [ 23.647986] kasan_save_alloc_info+0x3b/0x50 [ 23.652259] __kasan_kmalloc+0xb7/0xc0 [ 23.656013] __kmalloc_cache_noprof+0x189/0x420 [ 23.660553] krealloc_uaf+0xbb/0x5e0 [ 23.664133] kunit_try_run_case+0x1a2/0x480 [ 23.668320] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 23.673753] kthread+0x334/0x6f0 [ 23.676986] ret_from_fork+0x113/0x1d0 [ 23.680739] ret_from_fork_asm+0x1a/0x30 [ 23.684665] [ 23.686163] Freed by task 205: [ 23.689222] kasan_save_stack+0x45/0x70 [ 23.693061] kasan_save_track+0x18/0x40 [ 23.696902] kasan_save_free_info+0x3f/0x60 [ 23.701087] __kasan_slab_free+0x56/0x70 [ 23.705015] kfree+0x222/0x3f0 [ 23.708073] krealloc_uaf+0x13d/0x5e0 [ 23.711740] kunit_try_run_case+0x1a2/0x480 [ 23.715925] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 23.721326] kthread+0x334/0x6f0 [ 23.724583] ret_from_fork+0x113/0x1d0 [ 23.728363] ret_from_fork_asm+0x1a/0x30 [ 23.732313] [ 23.733814] The buggy address belongs to the object at ffff88810033ec00 [ 23.733814] which belongs to the cache kmalloc-256 of size 256 [ 23.746328] The buggy address is located 0 bytes inside of [ 23.746328] freed 256-byte region [ffff88810033ec00, ffff88810033ed00) [ 23.758426] [ 23.759926] The buggy address belongs to the physical page: [ 23.765497] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10033e [ 23.773498] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 23.781149] flags: 0x200000000000040(head|node=0|zone=2) [ 23.786463] page_type: f5(slab) [ 23.789611] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000 [ 23.797362] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.805131] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000 [ 23.812957] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.820782] head: 0200000000000001 ffffea000400cf81 00000000ffffffff 00000000ffffffff [ 23.828611] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 23.836444] page dumped because: kasan: bad access detected [ 23.842016] [ 23.843514] Memory state around the buggy address: [ 23.848308] ffff88810033eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.855526] ffff88810033eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.862746] >ffff88810033ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.869964] ^ [ 23.873198] ffff88810033ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.880418] ffff88810033ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.887636] ================================================================== [ 22.979323] ================================================================== [ 22.990929] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 22.997548] Read of size 1 at addr ffff88810033ec00 by task kunit_try_catch/205 [ 23.004862] [ 23.006365] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 23.006373] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST [ 23.006388] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 23.006391] Call Trace: [ 23.006393] <TASK> [ 23.006394] dump_stack_lvl+0x73/0xb0 [ 23.006399] print_report+0xd1/0x650 [ 23.006403] ? __virt_addr_valid+0x1db/0x2d0 [ 23.006407] ? krealloc_uaf+0x1b8/0x5e0 [ 23.006410] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.006415] ? krealloc_uaf+0x1b8/0x5e0 [ 23.006419] kasan_report+0x141/0x180 [ 23.006423] ? krealloc_uaf+0x1b8/0x5e0 [ 23.006427] ? krealloc_uaf+0x1b8/0x5e0 [ 23.006431] __kasan_check_byte+0x3d/0x50 [ 23.006435] krealloc_noprof+0x3f/0x340 [ 23.006439] krealloc_uaf+0x1b8/0x5e0 [ 23.006443] ? __pfx_krealloc_uaf+0x10/0x10 [ 23.006447] ? finish_task_switch.isra.0+0x153/0x700 [ 23.006451] ? __switch_to+0x544/0xf50 [ 23.006455] ? __schedule+0x10cc/0x2b60 [ 23.006459] ? ktime_get_ts64+0x83/0x230 [ 23.006463] kunit_try_run_case+0x1a2/0x480 [ 23.006468] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.006472] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.006476] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.006480] ? __kthread_parkme+0x82/0x180 [ 23.006483] ? preempt_count_sub+0x50/0x80 [ 23.006487] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.006492] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 23.006496] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.006500] kthread+0x334/0x6f0 [ 23.006503] ? trace_preempt_on+0x20/0xc0 [ 23.006507] ? __pfx_kthread+0x10/0x10 [ 23.006511] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.006515] ? calculate_sigpending+0x7b/0xa0 [ 23.006519] ? __pfx_kthread+0x10/0x10 [ 23.006523] ret_from_fork+0x113/0x1d0 [ 23.006526] ? __pfx_kthread+0x10/0x10 [ 23.006530] ret_from_fork_asm+0x1a/0x30 [ 23.006535] </TASK> [ 23.006537] [ 23.184740] Allocated by task 205: [ 23.188145] kasan_save_stack+0x45/0x70 [ 23.191985] kasan_save_track+0x18/0x40 [ 23.195824] kasan_save_alloc_info+0x3b/0x50 [ 23.200097] __kasan_kmalloc+0xb7/0xc0 [ 23.203850] __kmalloc_cache_noprof+0x189/0x420 [ 23.208405] krealloc_uaf+0xbb/0x5e0 [ 23.211986] kunit_try_run_case+0x1a2/0x480 [ 23.216173] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 23.221573] kthread+0x334/0x6f0 [ 23.224804] ret_from_fork+0x113/0x1d0 [ 23.228556] ret_from_fork_asm+0x1a/0x30 [ 23.232483] [ 23.233982] Freed by task 205: [ 23.237041] kasan_save_stack+0x45/0x70 [ 23.240881] kasan_save_track+0x18/0x40 [ 23.244722] kasan_save_free_info+0x3f/0x60 [ 23.248914] __kasan_slab_free+0x56/0x70 [ 23.252841] kfree+0x222/0x3f0 [ 23.255901] krealloc_uaf+0x13d/0x5e0 [ 23.259565] kunit_try_run_case+0x1a2/0x480 [ 23.263753] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 23.269153] kthread+0x334/0x6f0 [ 23.272405] ret_from_fork+0x113/0x1d0 [ 23.276163] ret_from_fork_asm+0x1a/0x30 [ 23.280090] [ 23.281589] The buggy address belongs to the object at ffff88810033ec00 [ 23.281589] which belongs to the cache kmalloc-256 of size 256 [ 23.294103] The buggy address is located 0 bytes inside of [ 23.294103] freed 256-byte region [ffff88810033ec00, ffff88810033ed00) [ 23.306185] [ 23.307684] The buggy address belongs to the physical page: [ 23.313256] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10033e [ 23.321263] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 23.328915] flags: 0x200000000000040(head|node=0|zone=2) [ 23.334228] page_type: f5(slab) [ 23.337376] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000 [ 23.345141] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.352881] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000 [ 23.360706] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.368532] head: 0200000000000001 ffffea000400cf81 00000000ffffffff 00000000ffffffff [ 23.376365] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 23.384220] page dumped because: kasan: bad access detected [ 23.389792] [ 23.391291] Memory state around the buggy address: [ 23.396082] ffff88810033eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.403303] ffff88810033eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.410524] >ffff88810033ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.417749] ^ [ 23.420984] ffff88810033ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.428201] ffff88810033ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.435421] ==================================================================