Date
July 13, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 15.838543] ================================================================== [ 15.838602] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 15.838650] Read of size 1 at addr fff00000c171e200 by task kunit_try_catch/165 [ 15.838697] [ 15.838726] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.838804] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.838830] Hardware name: linux,dummy-virt (DT) [ 15.838860] Call trace: [ 15.838901] show_stack+0x20/0x38 (C) [ 15.838951] dump_stack_lvl+0x8c/0xd0 [ 15.839004] print_report+0x118/0x5d0 [ 15.839050] kasan_report+0xdc/0x128 [ 15.839103] __asan_report_load1_noabort+0x20/0x30 [ 15.839153] krealloc_uaf+0x4c8/0x520 [ 15.839210] kunit_try_run_case+0x170/0x3f0 [ 15.839256] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.839528] kthread+0x328/0x630 [ 15.839894] ret_from_fork+0x10/0x20 [ 15.840275] [ 15.840309] Allocated by task 165: [ 15.840338] kasan_save_stack+0x3c/0x68 [ 15.840380] kasan_save_track+0x20/0x40 [ 15.840417] kasan_save_alloc_info+0x40/0x58 [ 15.840783] __kasan_kmalloc+0xd4/0xd8 [ 15.840877] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.840954] krealloc_uaf+0xc8/0x520 [ 15.841097] kunit_try_run_case+0x170/0x3f0 [ 15.841154] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.841244] kthread+0x328/0x630 [ 15.841339] ret_from_fork+0x10/0x20 [ 15.841375] [ 15.841624] Freed by task 165: [ 15.841691] kasan_save_stack+0x3c/0x68 [ 15.841843] kasan_save_track+0x20/0x40 [ 15.841911] kasan_save_free_info+0x4c/0x78 [ 15.841981] __kasan_slab_free+0x6c/0x98 [ 15.842141] kfree+0x214/0x3c8 [ 15.842224] krealloc_uaf+0x12c/0x520 [ 15.842533] kunit_try_run_case+0x170/0x3f0 [ 15.842603] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.842678] kthread+0x328/0x630 [ 15.842790] ret_from_fork+0x10/0x20 [ 15.842867] [ 15.842901] The buggy address belongs to the object at fff00000c171e200 [ 15.842901] which belongs to the cache kmalloc-256 of size 256 [ 15.842982] The buggy address is located 0 bytes inside of [ 15.842982] freed 256-byte region [fff00000c171e200, fff00000c171e300) [ 15.843336] [ 15.843394] The buggy address belongs to the physical page: [ 15.843503] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10171e [ 15.843577] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 15.843645] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 15.843788] page_type: f5(slab) [ 15.843857] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 15.843916] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.844350] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 15.844417] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.844551] head: 0bfffe0000000001 ffffc1ffc305c781 00000000ffffffff 00000000ffffffff [ 15.844636] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 15.844694] page dumped because: kasan: bad access detected [ 15.845297] [ 15.845352] Memory state around the buggy address: [ 15.845469] fff00000c171e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.845523] fff00000c171e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.845579] >fff00000c171e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.845635] ^ [ 15.845718] fff00000c171e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.845829] fff00000c171e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.845898] ================================================================== [ 15.829865] ================================================================== [ 15.829947] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 15.830325] Read of size 1 at addr fff00000c171e200 by task kunit_try_catch/165 [ 15.830484] [ 15.830553] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.830696] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.830724] Hardware name: linux,dummy-virt (DT) [ 15.830771] Call trace: [ 15.830799] show_stack+0x20/0x38 (C) [ 15.830877] dump_stack_lvl+0x8c/0xd0 [ 15.830924] print_report+0x118/0x5d0 [ 15.830968] kasan_report+0xdc/0x128 [ 15.831179] __kasan_check_byte+0x54/0x70 [ 15.831531] krealloc_noprof+0x44/0x360 [ 15.831603] krealloc_uaf+0x180/0x520 [ 15.831647] kunit_try_run_case+0x170/0x3f0 [ 15.831745] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.831800] kthread+0x328/0x630 [ 15.831841] ret_from_fork+0x10/0x20 [ 15.831903] [ 15.831921] Allocated by task 165: [ 15.831949] kasan_save_stack+0x3c/0x68 [ 15.831997] kasan_save_track+0x20/0x40 [ 15.832034] kasan_save_alloc_info+0x40/0x58 [ 15.832072] __kasan_kmalloc+0xd4/0xd8 [ 15.832116] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.832571] krealloc_uaf+0xc8/0x520 [ 15.832769] kunit_try_run_case+0x170/0x3f0 [ 15.832830] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.832974] kthread+0x328/0x630 [ 15.833044] ret_from_fork+0x10/0x20 [ 15.833102] [ 15.833212] Freed by task 165: [ 15.833262] kasan_save_stack+0x3c/0x68 [ 15.833343] kasan_save_track+0x20/0x40 [ 15.833457] kasan_save_free_info+0x4c/0x78 [ 15.833536] __kasan_slab_free+0x6c/0x98 [ 15.833599] kfree+0x214/0x3c8 [ 15.833632] krealloc_uaf+0x12c/0x520 [ 15.833921] kunit_try_run_case+0x170/0x3f0 [ 15.834013] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.834163] kthread+0x328/0x630 [ 15.834243] ret_from_fork+0x10/0x20 [ 15.834369] [ 15.834423] The buggy address belongs to the object at fff00000c171e200 [ 15.834423] which belongs to the cache kmalloc-256 of size 256 [ 15.834833] The buggy address is located 0 bytes inside of [ 15.834833] freed 256-byte region [fff00000c171e200, fff00000c171e300) [ 15.834933] [ 15.834964] The buggy address belongs to the physical page: [ 15.835101] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10171e [ 15.835217] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 15.835389] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 15.835488] page_type: f5(slab) [ 15.835542] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 15.835663] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.835727] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 15.835963] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.836168] head: 0bfffe0000000001 ffffc1ffc305c781 00000000ffffffff 00000000ffffffff [ 15.836321] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 15.836421] page dumped because: kasan: bad access detected [ 15.836460] [ 15.836477] Memory state around the buggy address: [ 15.836510] fff00000c171e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.836884] fff00000c171e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.836932] >fff00000c171e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.837282] ^ [ 15.837342] fff00000c171e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.837502] fff00000c171e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.837566] ==================================================================
[ 16.650084] ================================================================== [ 16.650132] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 16.650177] Read of size 1 at addr fff00000c4519000 by task kunit_try_catch/165 [ 16.650238] [ 16.650267] CPU: 1 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.650344] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.650370] Hardware name: linux,dummy-virt (DT) [ 16.650400] Call trace: [ 16.650440] show_stack+0x20/0x38 (C) [ 16.650487] dump_stack_lvl+0x8c/0xd0 [ 16.650532] print_report+0x118/0x5d0 [ 16.650581] kasan_report+0xdc/0x128 [ 16.650626] __asan_report_load1_noabort+0x20/0x30 [ 16.650675] krealloc_uaf+0x4c8/0x520 [ 16.650723] kunit_try_run_case+0x170/0x3f0 [ 16.650771] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.650822] kthread+0x328/0x630 [ 16.650862] ret_from_fork+0x10/0x20 [ 16.650908] [ 16.650925] Allocated by task 165: [ 16.650952] kasan_save_stack+0x3c/0x68 [ 16.650991] kasan_save_track+0x20/0x40 [ 16.651026] kasan_save_alloc_info+0x40/0x58 [ 16.651065] __kasan_kmalloc+0xd4/0xd8 [ 16.651110] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.651149] krealloc_uaf+0xc8/0x520 [ 16.651193] kunit_try_run_case+0x170/0x3f0 [ 16.651229] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.651270] kthread+0x328/0x630 [ 16.651301] ret_from_fork+0x10/0x20 [ 16.651334] [ 16.651351] Freed by task 165: [ 16.651496] kasan_save_stack+0x3c/0x68 [ 16.651708] kasan_save_track+0x20/0x40 [ 16.651750] kasan_save_free_info+0x4c/0x78 [ 16.651811] __kasan_slab_free+0x6c/0x98 [ 16.651865] kfree+0x214/0x3c8 [ 16.652003] krealloc_uaf+0x12c/0x520 [ 16.652102] kunit_try_run_case+0x170/0x3f0 [ 16.652216] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.652355] kthread+0x328/0x630 [ 16.652484] ret_from_fork+0x10/0x20 [ 16.652606] [ 16.652657] The buggy address belongs to the object at fff00000c4519000 [ 16.652657] which belongs to the cache kmalloc-256 of size 256 [ 16.652789] The buggy address is located 0 bytes inside of [ 16.652789] freed 256-byte region [fff00000c4519000, fff00000c4519100) [ 16.653088] [ 16.653111] The buggy address belongs to the physical page: [ 16.653232] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104518 [ 16.653288] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.653334] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.653492] page_type: f5(slab) [ 16.653589] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.653719] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.653814] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.653883] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.654016] head: 0bfffe0000000001 ffffc1ffc3114601 00000000ffffffff 00000000ffffffff [ 16.654107] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.654147] page dumped because: kasan: bad access detected [ 16.654195] [ 16.654212] Memory state around the buggy address: [ 16.654242] fff00000c4518f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.654439] fff00000c4518f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.654542] >fff00000c4519000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.654620] ^ [ 16.654648] fff00000c4519080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.654728] fff00000c4519100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.654801] ================================================================== [ 16.642715] ================================================================== [ 16.642793] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 16.642843] Read of size 1 at addr fff00000c4519000 by task kunit_try_catch/165 [ 16.642908] [ 16.642939] CPU: 1 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.643019] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.643045] Hardware name: linux,dummy-virt (DT) [ 16.643075] Call trace: [ 16.643095] show_stack+0x20/0x38 (C) [ 16.643141] dump_stack_lvl+0x8c/0xd0 [ 16.643209] print_report+0x118/0x5d0 [ 16.643255] kasan_report+0xdc/0x128 [ 16.643298] __kasan_check_byte+0x54/0x70 [ 16.643342] krealloc_noprof+0x44/0x360 [ 16.643417] krealloc_uaf+0x180/0x520 [ 16.643460] kunit_try_run_case+0x170/0x3f0 [ 16.643505] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.643555] kthread+0x328/0x630 [ 16.643595] ret_from_fork+0x10/0x20 [ 16.643640] [ 16.643993] Allocated by task 165: [ 16.644060] kasan_save_stack+0x3c/0x68 [ 16.644125] kasan_save_track+0x20/0x40 [ 16.644244] kasan_save_alloc_info+0x40/0x58 [ 16.644315] __kasan_kmalloc+0xd4/0xd8 [ 16.644383] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.644421] krealloc_uaf+0xc8/0x520 [ 16.644483] kunit_try_run_case+0x170/0x3f0 [ 16.644520] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.644563] kthread+0x328/0x630 [ 16.644784] ret_from_fork+0x10/0x20 [ 16.644852] [ 16.644947] Freed by task 165: [ 16.645013] kasan_save_stack+0x3c/0x68 [ 16.645124] kasan_save_track+0x20/0x40 [ 16.645171] kasan_save_free_info+0x4c/0x78 [ 16.645219] __kasan_slab_free+0x6c/0x98 [ 16.645257] kfree+0x214/0x3c8 [ 16.645477] krealloc_uaf+0x12c/0x520 [ 16.645635] kunit_try_run_case+0x170/0x3f0 [ 16.645722] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.645834] kthread+0x328/0x630 [ 16.645915] ret_from_fork+0x10/0x20 [ 16.646034] [ 16.646124] The buggy address belongs to the object at fff00000c4519000 [ 16.646124] which belongs to the cache kmalloc-256 of size 256 [ 16.646364] The buggy address is located 0 bytes inside of [ 16.646364] freed 256-byte region [fff00000c4519000, fff00000c4519100) [ 16.646620] [ 16.646691] The buggy address belongs to the physical page: [ 16.646734] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104518 [ 16.646971] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.647090] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.647218] page_type: f5(slab) [ 16.647363] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.647457] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.647521] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.647924] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.648087] head: 0bfffe0000000001 ffffc1ffc3114601 00000000ffffffff 00000000ffffffff [ 16.648271] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.648371] page dumped because: kasan: bad access detected [ 16.648460] [ 16.648521] Memory state around the buggy address: [ 16.648605] fff00000c4518f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.648746] fff00000c4518f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.648849] >fff00000c4519000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.648911] ^ [ 16.648938] fff00000c4519080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.649110] fff00000c4519100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.649286] ==================================================================
[ 12.531896] ================================================================== [ 12.532388] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 12.532765] Read of size 1 at addr ffff888100aab200 by task kunit_try_catch/181 [ 12.533175] [ 12.533351] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.533393] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.533405] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.533425] Call Trace: [ 12.533437] <TASK> [ 12.533462] dump_stack_lvl+0x73/0xb0 [ 12.533489] print_report+0xd1/0x610 [ 12.533512] ? __virt_addr_valid+0x1db/0x2d0 [ 12.533547] ? krealloc_uaf+0x53c/0x5e0 [ 12.533579] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.533603] ? krealloc_uaf+0x53c/0x5e0 [ 12.533624] kasan_report+0x141/0x180 [ 12.533652] ? krealloc_uaf+0x53c/0x5e0 [ 12.533678] __asan_report_load1_noabort+0x18/0x20 [ 12.533703] krealloc_uaf+0x53c/0x5e0 [ 12.533725] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.533746] ? finish_task_switch.isra.0+0x153/0x700 [ 12.533769] ? __switch_to+0x47/0xf50 [ 12.533794] ? __schedule+0x10cc/0x2b60 [ 12.533816] ? __pfx_read_tsc+0x10/0x10 [ 12.533845] ? ktime_get_ts64+0x86/0x230 [ 12.533871] kunit_try_run_case+0x1a5/0x480 [ 12.533897] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.533921] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.533945] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.533970] ? __kthread_parkme+0x82/0x180 [ 12.533990] ? preempt_count_sub+0x50/0x80 [ 12.534014] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.534039] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.534063] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.534089] kthread+0x337/0x6f0 [ 12.534108] ? trace_preempt_on+0x20/0xc0 [ 12.534131] ? __pfx_kthread+0x10/0x10 [ 12.534152] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.534173] ? calculate_sigpending+0x7b/0xa0 [ 12.534197] ? __pfx_kthread+0x10/0x10 [ 12.534219] ret_from_fork+0x116/0x1d0 [ 12.534237] ? __pfx_kthread+0x10/0x10 [ 12.534258] ret_from_fork_asm+0x1a/0x30 [ 12.534289] </TASK> [ 12.534298] [ 12.548787] Allocated by task 181: [ 12.549148] kasan_save_stack+0x45/0x70 [ 12.549307] kasan_save_track+0x18/0x40 [ 12.549760] kasan_save_alloc_info+0x3b/0x50 [ 12.550242] __kasan_kmalloc+0xb7/0xc0 [ 12.550416] __kmalloc_cache_noprof+0x189/0x420 [ 12.550653] krealloc_uaf+0xbb/0x5e0 [ 12.551068] kunit_try_run_case+0x1a5/0x480 [ 12.551470] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.552006] kthread+0x337/0x6f0 [ 12.552413] ret_from_fork+0x116/0x1d0 [ 12.552853] ret_from_fork_asm+0x1a/0x30 [ 12.553234] [ 12.553387] Freed by task 181: [ 12.553582] kasan_save_stack+0x45/0x70 [ 12.554023] kasan_save_track+0x18/0x40 [ 12.554238] kasan_save_free_info+0x3f/0x60 [ 12.555042] __kasan_slab_free+0x56/0x70 [ 12.555425] kfree+0x222/0x3f0 [ 12.555569] krealloc_uaf+0x13d/0x5e0 [ 12.555827] kunit_try_run_case+0x1a5/0x480 [ 12.556285] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.556884] kthread+0x337/0x6f0 [ 12.557276] ret_from_fork+0x116/0x1d0 [ 12.557418] ret_from_fork_asm+0x1a/0x30 [ 12.557709] [ 12.557868] The buggy address belongs to the object at ffff888100aab200 [ 12.557868] which belongs to the cache kmalloc-256 of size 256 [ 12.559011] The buggy address is located 0 bytes inside of [ 12.559011] freed 256-byte region [ffff888100aab200, ffff888100aab300) [ 12.559820] [ 12.559979] The buggy address belongs to the physical page: [ 12.560544] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aaa [ 12.560787] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.561013] flags: 0x200000000000040(head|node=0|zone=2) [ 12.561213] page_type: f5(slab) [ 12.561333] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.561935] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.562306] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.562770] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.563145] head: 0200000000000001 ffffea000402aa81 00000000ffffffff 00000000ffffffff [ 12.563444] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.563816] page dumped because: kasan: bad access detected [ 12.564088] [ 12.564198] Memory state around the buggy address: [ 12.564383] ffff888100aab100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.564801] ffff888100aab180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.565258] >ffff888100aab200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.565648] ^ [ 12.565978] ffff888100aab280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.566264] ffff888100aab300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.566652] ================================================================== [ 12.491250] ================================================================== [ 12.491884] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 12.492115] Read of size 1 at addr ffff888100aab200 by task kunit_try_catch/181 [ 12.492430] [ 12.492666] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.492722] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.492733] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.492754] Call Trace: [ 12.492766] <TASK> [ 12.492782] dump_stack_lvl+0x73/0xb0 [ 12.492812] print_report+0xd1/0x610 [ 12.492835] ? __virt_addr_valid+0x1db/0x2d0 [ 12.492859] ? krealloc_uaf+0x1b8/0x5e0 [ 12.492881] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.492905] ? krealloc_uaf+0x1b8/0x5e0 [ 12.492926] kasan_report+0x141/0x180 [ 12.492947] ? krealloc_uaf+0x1b8/0x5e0 [ 12.492971] ? krealloc_uaf+0x1b8/0x5e0 [ 12.493003] __kasan_check_byte+0x3d/0x50 [ 12.493024] krealloc_noprof+0x3f/0x340 [ 12.493048] krealloc_uaf+0x1b8/0x5e0 [ 12.493080] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.493101] ? finish_task_switch.isra.0+0x153/0x700 [ 12.493125] ? __switch_to+0x47/0xf50 [ 12.493161] ? __schedule+0x10cc/0x2b60 [ 12.493183] ? __pfx_read_tsc+0x10/0x10 [ 12.493204] ? ktime_get_ts64+0x86/0x230 [ 12.493229] kunit_try_run_case+0x1a5/0x480 [ 12.493255] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.493278] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.493301] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.493325] ? __kthread_parkme+0x82/0x180 [ 12.493346] ? preempt_count_sub+0x50/0x80 [ 12.493377] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.493402] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.493437] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.493472] kthread+0x337/0x6f0 [ 12.493511] ? trace_preempt_on+0x20/0xc0 [ 12.493534] ? __pfx_kthread+0x10/0x10 [ 12.493555] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.493587] ? calculate_sigpending+0x7b/0xa0 [ 12.493611] ? __pfx_kthread+0x10/0x10 [ 12.493632] ret_from_fork+0x116/0x1d0 [ 12.493651] ? __pfx_kthread+0x10/0x10 [ 12.493672] ret_from_fork_asm+0x1a/0x30 [ 12.493711] </TASK> [ 12.493721] [ 12.508800] Allocated by task 181: [ 12.509151] kasan_save_stack+0x45/0x70 [ 12.509585] kasan_save_track+0x18/0x40 [ 12.510024] kasan_save_alloc_info+0x3b/0x50 [ 12.510518] __kasan_kmalloc+0xb7/0xc0 [ 12.510921] __kmalloc_cache_noprof+0x189/0x420 [ 12.511122] krealloc_uaf+0xbb/0x5e0 [ 12.511253] kunit_try_run_case+0x1a5/0x480 [ 12.511398] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.511961] kthread+0x337/0x6f0 [ 12.512342] ret_from_fork+0x116/0x1d0 [ 12.512772] ret_from_fork_asm+0x1a/0x30 [ 12.513217] [ 12.513406] Freed by task 181: [ 12.513747] kasan_save_stack+0x45/0x70 [ 12.514102] kasan_save_track+0x18/0x40 [ 12.514550] kasan_save_free_info+0x3f/0x60 [ 12.515009] __kasan_slab_free+0x56/0x70 [ 12.515330] kfree+0x222/0x3f0 [ 12.515682] krealloc_uaf+0x13d/0x5e0 [ 12.515875] kunit_try_run_case+0x1a5/0x480 [ 12.516295] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.516798] kthread+0x337/0x6f0 [ 12.517146] ret_from_fork+0x116/0x1d0 [ 12.517318] ret_from_fork_asm+0x1a/0x30 [ 12.517624] [ 12.517836] The buggy address belongs to the object at ffff888100aab200 [ 12.517836] which belongs to the cache kmalloc-256 of size 256 [ 12.519143] The buggy address is located 0 bytes inside of [ 12.519143] freed 256-byte region [ffff888100aab200, ffff888100aab300) [ 12.520021] [ 12.520221] The buggy address belongs to the physical page: [ 12.520484] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aaa [ 12.521066] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.521869] flags: 0x200000000000040(head|node=0|zone=2) [ 12.522371] page_type: f5(slab) [ 12.522571] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.523260] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.523963] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.524622] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.525123] head: 0200000000000001 ffffea000402aa81 00000000ffffffff 00000000ffffffff [ 12.525381] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.526135] page dumped because: kasan: bad access detected [ 12.526696] [ 12.526886] Memory state around the buggy address: [ 12.527420] ffff888100aab100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.528177] ffff888100aab180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.529014] >ffff888100aab200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.529587] ^ [ 12.529918] ffff888100aab280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.530442] ffff888100aab300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.530894] ==================================================================
[ 12.811231] ================================================================== [ 12.812268] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 12.812612] Read of size 1 at addr ffff888100343a00 by task kunit_try_catch/182 [ 12.812939] [ 12.813118] CPU: 0 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.813162] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.813173] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.813192] Call Trace: [ 12.813204] <TASK> [ 12.813219] dump_stack_lvl+0x73/0xb0 [ 12.813298] print_report+0xd1/0x610 [ 12.813334] ? __virt_addr_valid+0x1db/0x2d0 [ 12.813370] ? krealloc_uaf+0x1b8/0x5e0 [ 12.813391] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.813414] ? krealloc_uaf+0x1b8/0x5e0 [ 12.813435] kasan_report+0x141/0x180 [ 12.813457] ? krealloc_uaf+0x1b8/0x5e0 [ 12.813525] ? krealloc_uaf+0x1b8/0x5e0 [ 12.813547] __kasan_check_byte+0x3d/0x50 [ 12.813569] krealloc_noprof+0x3f/0x340 [ 12.813630] krealloc_uaf+0x1b8/0x5e0 [ 12.813720] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.813743] ? finish_task_switch.isra.0+0x153/0x700 [ 12.813767] ? __switch_to+0x47/0xf50 [ 12.813792] ? __schedule+0x10cc/0x2b60 [ 12.813814] ? __pfx_read_tsc+0x10/0x10 [ 12.813836] ? ktime_get_ts64+0x86/0x230 [ 12.813862] kunit_try_run_case+0x1a5/0x480 [ 12.813888] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.813911] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.813935] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.813960] ? __kthread_parkme+0x82/0x180 [ 12.813983] ? preempt_count_sub+0x50/0x80 [ 12.814007] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.814033] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.814072] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.814099] kthread+0x337/0x6f0 [ 12.814128] ? trace_preempt_on+0x20/0xc0 [ 12.814152] ? __pfx_kthread+0x10/0x10 [ 12.814172] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.814194] ? calculate_sigpending+0x7b/0xa0 [ 12.814218] ? __pfx_kthread+0x10/0x10 [ 12.814239] ret_from_fork+0x116/0x1d0 [ 12.814258] ? __pfx_kthread+0x10/0x10 [ 12.814279] ret_from_fork_asm+0x1a/0x30 [ 12.814310] </TASK> [ 12.814320] [ 12.823326] Allocated by task 182: [ 12.823583] kasan_save_stack+0x45/0x70 [ 12.823955] kasan_save_track+0x18/0x40 [ 12.824292] kasan_save_alloc_info+0x3b/0x50 [ 12.824449] __kasan_kmalloc+0xb7/0xc0 [ 12.824580] __kmalloc_cache_noprof+0x189/0x420 [ 12.824769] krealloc_uaf+0xbb/0x5e0 [ 12.824954] kunit_try_run_case+0x1a5/0x480 [ 12.825430] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.825900] kthread+0x337/0x6f0 [ 12.826092] ret_from_fork+0x116/0x1d0 [ 12.826286] ret_from_fork_asm+0x1a/0x30 [ 12.826434] [ 12.826699] Freed by task 182: [ 12.826875] kasan_save_stack+0x45/0x70 [ 12.827082] kasan_save_track+0x18/0x40 [ 12.827392] kasan_save_free_info+0x3f/0x60 [ 12.827607] __kasan_slab_free+0x56/0x70 [ 12.827932] kfree+0x222/0x3f0 [ 12.828068] krealloc_uaf+0x13d/0x5e0 [ 12.828252] kunit_try_run_case+0x1a5/0x480 [ 12.828465] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.829346] kthread+0x337/0x6f0 [ 12.829520] ret_from_fork+0x116/0x1d0 [ 12.829690] ret_from_fork_asm+0x1a/0x30 [ 12.829832] [ 12.829904] The buggy address belongs to the object at ffff888100343a00 [ 12.829904] which belongs to the cache kmalloc-256 of size 256 [ 12.830328] The buggy address is located 0 bytes inside of [ 12.830328] freed 256-byte region [ffff888100343a00, ffff888100343b00) [ 12.830676] [ 12.830753] The buggy address belongs to the physical page: [ 12.830928] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100342 [ 12.831743] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.832099] flags: 0x200000000000040(head|node=0|zone=2) [ 12.832367] page_type: f5(slab) [ 12.832541] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.833909] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.835203] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.835440] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.835764] head: 0200000000000001 ffffea000400d081 00000000ffffffff 00000000ffffffff [ 12.835995] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.836284] page dumped because: kasan: bad access detected [ 12.837662] [ 12.837749] Memory state around the buggy address: [ 12.837942] ffff888100343900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.838259] ffff888100343980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.839001] >ffff888100343a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.839272] ^ [ 12.839393] ffff888100343a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.840217] ffff888100343b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.840551] ================================================================== [ 12.843381] ================================================================== [ 12.843920] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 12.844369] Read of size 1 at addr ffff888100343a00 by task kunit_try_catch/182 [ 12.845762] [ 12.845901] CPU: 0 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.845948] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.845960] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.845980] Call Trace: [ 12.845996] <TASK> [ 12.846012] dump_stack_lvl+0x73/0xb0 [ 12.846044] print_report+0xd1/0x610 [ 12.846082] ? __virt_addr_valid+0x1db/0x2d0 [ 12.846105] ? krealloc_uaf+0x53c/0x5e0 [ 12.846126] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.846149] ? krealloc_uaf+0x53c/0x5e0 [ 12.846321] kasan_report+0x141/0x180 [ 12.846344] ? krealloc_uaf+0x53c/0x5e0 [ 12.846371] __asan_report_load1_noabort+0x18/0x20 [ 12.846396] krealloc_uaf+0x53c/0x5e0 [ 12.846417] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.846439] ? finish_task_switch.isra.0+0x153/0x700 [ 12.846463] ? __switch_to+0x47/0xf50 [ 12.846488] ? __schedule+0x10cc/0x2b60 [ 12.846510] ? __pfx_read_tsc+0x10/0x10 [ 12.846531] ? ktime_get_ts64+0x86/0x230 [ 12.846555] kunit_try_run_case+0x1a5/0x480 [ 12.846579] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.846603] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.846627] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.846798] ? __kthread_parkme+0x82/0x180 [ 12.846824] ? preempt_count_sub+0x50/0x80 [ 12.846847] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.846872] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.846897] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.846924] kthread+0x337/0x6f0 [ 12.846943] ? trace_preempt_on+0x20/0xc0 [ 12.846967] ? __pfx_kthread+0x10/0x10 [ 12.846988] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.847009] ? calculate_sigpending+0x7b/0xa0 [ 12.847034] ? __pfx_kthread+0x10/0x10 [ 12.847074] ret_from_fork+0x116/0x1d0 [ 12.847093] ? __pfx_kthread+0x10/0x10 [ 12.847114] ret_from_fork_asm+0x1a/0x30 [ 12.847145] </TASK> [ 12.847155] [ 12.856356] Allocated by task 182: [ 12.856580] kasan_save_stack+0x45/0x70 [ 12.856728] kasan_save_track+0x18/0x40 [ 12.856863] kasan_save_alloc_info+0x3b/0x50 [ 12.857013] __kasan_kmalloc+0xb7/0xc0 [ 12.857255] __kmalloc_cache_noprof+0x189/0x420 [ 12.857536] krealloc_uaf+0xbb/0x5e0 [ 12.857727] kunit_try_run_case+0x1a5/0x480 [ 12.857943] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.858249] kthread+0x337/0x6f0 [ 12.858410] ret_from_fork+0x116/0x1d0 [ 12.858582] ret_from_fork_asm+0x1a/0x30 [ 12.858771] [ 12.858870] Freed by task 182: [ 12.859003] kasan_save_stack+0x45/0x70 [ 12.859471] kasan_save_track+0x18/0x40 [ 12.859758] kasan_save_free_info+0x3f/0x60 [ 12.859960] __kasan_slab_free+0x56/0x70 [ 12.860188] kfree+0x222/0x3f0 [ 12.860309] krealloc_uaf+0x13d/0x5e0 [ 12.860441] kunit_try_run_case+0x1a5/0x480 [ 12.860587] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.861209] kthread+0x337/0x6f0 [ 12.861537] ret_from_fork+0x116/0x1d0 [ 12.861797] ret_from_fork_asm+0x1a/0x30 [ 12.862111] [ 12.862227] The buggy address belongs to the object at ffff888100343a00 [ 12.862227] which belongs to the cache kmalloc-256 of size 256 [ 12.862993] The buggy address is located 0 bytes inside of [ 12.862993] freed 256-byte region [ffff888100343a00, ffff888100343b00) [ 12.863617] [ 12.863774] The buggy address belongs to the physical page: [ 12.863984] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100342 [ 12.864295] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.864840] flags: 0x200000000000040(head|node=0|zone=2) [ 12.865157] page_type: f5(slab) [ 12.865356] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.865656] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.866249] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.866591] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.867263] head: 0200000000000001 ffffea000400d081 00000000ffffffff 00000000ffffffff [ 12.867638] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.868046] page dumped because: kasan: bad access detected [ 12.868355] [ 12.868473] Memory state around the buggy address: [ 12.868648] ffff888100343900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.869095] ffff888100343980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.869358] >ffff888100343a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.869807] ^ [ 12.870011] ffff888100343a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.870431] ffff888100343b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.870775] ==================================================================