Date
July 20, 2025, 11:12 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 16.530095] ================================================================== [ 16.530279] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 16.530446] Read of size 1 at addr fff00000c653c600 by task kunit_try_catch/164 [ 16.530832] [ 16.530960] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.531056] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.531092] Hardware name: linux,dummy-virt (DT) [ 16.531125] Call trace: [ 16.531147] show_stack+0x20/0x38 (C) [ 16.531580] dump_stack_lvl+0x8c/0xd0 [ 16.531664] print_report+0x118/0x5d0 [ 16.531719] kasan_report+0xdc/0x128 [ 16.531878] __kasan_check_byte+0x54/0x70 [ 16.531938] krealloc_noprof+0x44/0x360 [ 16.532149] krealloc_uaf+0x180/0x520 [ 16.532318] kunit_try_run_case+0x170/0x3f0 [ 16.532366] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.532417] kthread+0x328/0x630 [ 16.532458] ret_from_fork+0x10/0x20 [ 16.532506] [ 16.532525] Allocated by task 164: [ 16.532553] kasan_save_stack+0x3c/0x68 [ 16.532595] kasan_save_track+0x20/0x40 [ 16.532632] kasan_save_alloc_info+0x40/0x58 [ 16.532684] __kasan_kmalloc+0xd4/0xd8 [ 16.532720] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.533085] krealloc_uaf+0xc8/0x520 [ 16.533329] kunit_try_run_case+0x170/0x3f0 [ 16.533418] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.533494] kthread+0x328/0x630 [ 16.533526] ret_from_fork+0x10/0x20 [ 16.533621] [ 16.533711] Freed by task 164: [ 16.533866] kasan_save_stack+0x3c/0x68 [ 16.533918] kasan_save_track+0x20/0x40 [ 16.533956] kasan_save_free_info+0x4c/0x78 [ 16.533995] __kasan_slab_free+0x6c/0x98 [ 16.534031] kfree+0x214/0x3c8 [ 16.534064] krealloc_uaf+0x12c/0x520 [ 16.534099] kunit_try_run_case+0x170/0x3f0 [ 16.534136] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.534550] kthread+0x328/0x630 [ 16.534646] ret_from_fork+0x10/0x20 [ 16.534739] [ 16.534763] The buggy address belongs to the object at fff00000c653c600 [ 16.534763] which belongs to the cache kmalloc-256 of size 256 [ 16.535249] The buggy address is located 0 bytes inside of [ 16.535249] freed 256-byte region [fff00000c653c600, fff00000c653c700) [ 16.535348] [ 16.535380] The buggy address belongs to the physical page: [ 16.535441] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10653c [ 16.535540] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.535585] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.535929] page_type: f5(slab) [ 16.536009] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.536059] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.536108] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.536156] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.536214] head: 0bfffe0000000001 ffffc1ffc3194f01 00000000ffffffff 00000000ffffffff [ 16.536261] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.536432] page dumped because: kasan: bad access detected [ 16.536467] [ 16.536485] Memory state around the buggy address: [ 16.536518] fff00000c653c500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.536967] fff00000c653c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.537029] >fff00000c653c600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.537067] ^ [ 16.537279] fff00000c653c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.537365] fff00000c653c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.537403] ================================================================== [ 16.539015] ================================================================== [ 16.539066] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 16.539114] Read of size 1 at addr fff00000c653c600 by task kunit_try_catch/164 [ 16.539164] [ 16.539195] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.539275] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.539314] Hardware name: linux,dummy-virt (DT) [ 16.539344] Call trace: [ 16.539365] show_stack+0x20/0x38 (C) [ 16.539717] dump_stack_lvl+0x8c/0xd0 [ 16.539802] print_report+0x118/0x5d0 [ 16.539908] kasan_report+0xdc/0x128 [ 16.539954] __asan_report_load1_noabort+0x20/0x30 [ 16.540351] krealloc_uaf+0x4c8/0x520 [ 16.540402] kunit_try_run_case+0x170/0x3f0 [ 16.540505] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.540557] kthread+0x328/0x630 [ 16.540854] ret_from_fork+0x10/0x20 [ 16.540995] [ 16.541013] Allocated by task 164: [ 16.541040] kasan_save_stack+0x3c/0x68 [ 16.541080] kasan_save_track+0x20/0x40 [ 16.541117] kasan_save_alloc_info+0x40/0x58 [ 16.541156] __kasan_kmalloc+0xd4/0xd8 [ 16.541192] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.541230] krealloc_uaf+0xc8/0x520 [ 16.541270] kunit_try_run_case+0x170/0x3f0 [ 16.541447] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.541576] kthread+0x328/0x630 [ 16.541643] ret_from_fork+0x10/0x20 [ 16.541684] [ 16.541730] Freed by task 164: [ 16.541756] kasan_save_stack+0x3c/0x68 [ 16.541855] kasan_save_track+0x20/0x40 [ 16.541891] kasan_save_free_info+0x4c/0x78 [ 16.541940] __kasan_slab_free+0x6c/0x98 [ 16.541976] kfree+0x214/0x3c8 [ 16.542008] krealloc_uaf+0x12c/0x520 [ 16.542043] kunit_try_run_case+0x170/0x3f0 [ 16.542410] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.542552] kthread+0x328/0x630 [ 16.542584] ret_from_fork+0x10/0x20 [ 16.542619] [ 16.542644] The buggy address belongs to the object at fff00000c653c600 [ 16.542644] which belongs to the cache kmalloc-256 of size 256 [ 16.542757] The buggy address is located 0 bytes inside of [ 16.542757] freed 256-byte region [fff00000c653c600, fff00000c653c700) [ 16.542817] [ 16.542837] The buggy address belongs to the physical page: [ 16.543143] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10653c [ 16.543254] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.543310] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.543499] page_type: f5(slab) [ 16.543629] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.543682] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.543730] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.543948] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.543998] head: 0bfffe0000000001 ffffc1ffc3194f01 00000000ffffffff 00000000ffffffff [ 16.544056] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.544149] page dumped because: kasan: bad access detected [ 16.544302] [ 16.544320] Memory state around the buggy address: [ 16.544369] fff00000c653c500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.544412] fff00000c653c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.544455] >fff00000c653c600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.544493] ^ [ 16.544521] fff00000c653c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.544563] fff00000c653c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.544601] ==================================================================
[ 16.511643] ================================================================== [ 16.511760] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 16.511846] Read of size 1 at addr fff00000c5b4fe00 by task kunit_try_catch/164 [ 16.512192] [ 16.512445] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.512544] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.512571] Hardware name: linux,dummy-virt (DT) [ 16.512605] Call trace: [ 16.512757] show_stack+0x20/0x38 (C) [ 16.512821] dump_stack_lvl+0x8c/0xd0 [ 16.512943] print_report+0x118/0x5d0 [ 16.513046] kasan_report+0xdc/0x128 [ 16.513167] __asan_report_load1_noabort+0x20/0x30 [ 16.513330] krealloc_uaf+0x4c8/0x520 [ 16.513425] kunit_try_run_case+0x170/0x3f0 [ 16.513482] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.513535] kthread+0x328/0x630 [ 16.513851] ret_from_fork+0x10/0x20 [ 16.514080] [ 16.514120] Allocated by task 164: [ 16.514407] kasan_save_stack+0x3c/0x68 [ 16.514481] kasan_save_track+0x20/0x40 [ 16.514695] kasan_save_alloc_info+0x40/0x58 [ 16.514762] __kasan_kmalloc+0xd4/0xd8 [ 16.514934] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.515143] krealloc_uaf+0xc8/0x520 [ 16.515212] kunit_try_run_case+0x170/0x3f0 [ 16.515409] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.515587] kthread+0x328/0x630 [ 16.515640] ret_from_fork+0x10/0x20 [ 16.515985] [ 16.516110] Freed by task 164: [ 16.516157] kasan_save_stack+0x3c/0x68 [ 16.516257] kasan_save_track+0x20/0x40 [ 16.516424] kasan_save_free_info+0x4c/0x78 [ 16.516641] __kasan_slab_free+0x6c/0x98 [ 16.516696] kfree+0x214/0x3c8 [ 16.516879] krealloc_uaf+0x12c/0x520 [ 16.517079] kunit_try_run_case+0x170/0x3f0 [ 16.517138] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.517196] kthread+0x328/0x630 [ 16.517229] ret_from_fork+0x10/0x20 [ 16.517417] [ 16.517557] The buggy address belongs to the object at fff00000c5b4fe00 [ 16.517557] which belongs to the cache kmalloc-256 of size 256 [ 16.517763] The buggy address is located 0 bytes inside of [ 16.517763] freed 256-byte region [fff00000c5b4fe00, fff00000c5b4ff00) [ 16.517847] [ 16.517970] The buggy address belongs to the physical page: [ 16.518002] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b4e [ 16.518094] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.518271] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.518373] page_type: f5(slab) [ 16.518553] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.518945] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.519035] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.519190] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.519248] head: 0bfffe0000000001 ffffc1ffc316d381 00000000ffffffff 00000000ffffffff [ 16.519592] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.519833] page dumped because: kasan: bad access detected [ 16.519901] [ 16.519994] Memory state around the buggy address: [ 16.520028] fff00000c5b4fd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.520234] fff00000c5b4fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.520457] >fff00000c5b4fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.520641] ^ [ 16.520841] fff00000c5b4fe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.520895] fff00000c5b4ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.520934] ================================================================== [ 16.500806] ================================================================== [ 16.501296] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 16.501433] Read of size 1 at addr fff00000c5b4fe00 by task kunit_try_catch/164 [ 16.501551] [ 16.501701] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.501792] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.501818] Hardware name: linux,dummy-virt (DT) [ 16.501850] Call trace: [ 16.501873] show_stack+0x20/0x38 (C) [ 16.501928] dump_stack_lvl+0x8c/0xd0 [ 16.501975] print_report+0x118/0x5d0 [ 16.502022] kasan_report+0xdc/0x128 [ 16.502067] __kasan_check_byte+0x54/0x70 [ 16.502113] krealloc_noprof+0x44/0x360 [ 16.502160] krealloc_uaf+0x180/0x520 [ 16.502689] kunit_try_run_case+0x170/0x3f0 [ 16.502773] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.503128] kthread+0x328/0x630 [ 16.503216] ret_from_fork+0x10/0x20 [ 16.503464] [ 16.503659] Allocated by task 164: [ 16.503768] kasan_save_stack+0x3c/0x68 [ 16.504159] kasan_save_track+0x20/0x40 [ 16.504316] kasan_save_alloc_info+0x40/0x58 [ 16.504510] __kasan_kmalloc+0xd4/0xd8 [ 16.504690] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.504737] krealloc_uaf+0xc8/0x520 [ 16.504821] kunit_try_run_case+0x170/0x3f0 [ 16.504867] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.504910] kthread+0x328/0x630 [ 16.505097] ret_from_fork+0x10/0x20 [ 16.505307] [ 16.505459] Freed by task 164: [ 16.505521] kasan_save_stack+0x3c/0x68 [ 16.505602] kasan_save_track+0x20/0x40 [ 16.505652] kasan_save_free_info+0x4c/0x78 [ 16.505934] __kasan_slab_free+0x6c/0x98 [ 16.506148] kfree+0x214/0x3c8 [ 16.506198] krealloc_uaf+0x12c/0x520 [ 16.506234] kunit_try_run_case+0x170/0x3f0 [ 16.506282] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.506327] kthread+0x328/0x630 [ 16.506361] ret_from_fork+0x10/0x20 [ 16.506397] [ 16.506431] The buggy address belongs to the object at fff00000c5b4fe00 [ 16.506431] which belongs to the cache kmalloc-256 of size 256 [ 16.506561] The buggy address is located 0 bytes inside of [ 16.506561] freed 256-byte region [fff00000c5b4fe00, fff00000c5b4ff00) [ 16.506640] [ 16.506672] The buggy address belongs to the physical page: [ 16.506705] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b4e [ 16.506767] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.506814] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 16.506865] page_type: f5(slab) [ 16.506920] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.506995] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.507045] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 16.507093] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.507141] head: 0bfffe0000000001 ffffc1ffc316d381 00000000ffffffff 00000000ffffffff [ 16.507198] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.507236] page dumped because: kasan: bad access detected [ 16.507267] [ 16.507285] Memory state around the buggy address: [ 16.507318] fff00000c5b4fd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.507360] fff00000c5b4fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.507401] >fff00000c5b4fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.507438] ^ [ 16.507466] fff00000c5b4fe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.507508] fff00000c5b4ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.507544] ==================================================================
[ 12.634268] ================================================================== [ 12.634605] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 12.634974] Read of size 1 at addr ffff888100ab0a00 by task kunit_try_catch/182 [ 12.635197] [ 12.635279] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 12.635320] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.635332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.635352] Call Trace: [ 12.635368] <TASK> [ 12.635383] dump_stack_lvl+0x73/0xb0 [ 12.635697] print_report+0xd1/0x610 [ 12.635722] ? __virt_addr_valid+0x1db/0x2d0 [ 12.635744] ? krealloc_uaf+0x53c/0x5e0 [ 12.635765] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.635787] ? krealloc_uaf+0x53c/0x5e0 [ 12.635808] kasan_report+0x141/0x180 [ 12.635830] ? krealloc_uaf+0x53c/0x5e0 [ 12.635857] __asan_report_load1_noabort+0x18/0x20 [ 12.635881] krealloc_uaf+0x53c/0x5e0 [ 12.635902] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.635923] ? finish_task_switch.isra.0+0x153/0x700 [ 12.635944] ? __switch_to+0x47/0xf50 [ 12.635970] ? __schedule+0x10c6/0x2b60 [ 12.635992] ? __pfx_read_tsc+0x10/0x10 [ 12.636012] ? ktime_get_ts64+0x86/0x230 [ 12.636101] kunit_try_run_case+0x1a5/0x480 [ 12.636128] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.636151] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.636175] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.636198] ? __kthread_parkme+0x82/0x180 [ 12.636218] ? preempt_count_sub+0x50/0x80 [ 12.636241] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.636264] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.636287] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.636310] kthread+0x337/0x6f0 [ 12.636329] ? trace_preempt_on+0x20/0xc0 [ 12.636352] ? __pfx_kthread+0x10/0x10 [ 12.636372] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.636393] ? calculate_sigpending+0x7b/0xa0 [ 12.636429] ? __pfx_kthread+0x10/0x10 [ 12.636451] ret_from_fork+0x116/0x1d0 [ 12.636469] ? __pfx_kthread+0x10/0x10 [ 12.636490] ret_from_fork_asm+0x1a/0x30 [ 12.636523] </TASK> [ 12.636533] [ 12.644685] Allocated by task 182: [ 12.644868] kasan_save_stack+0x45/0x70 [ 12.645152] kasan_save_track+0x18/0x40 [ 12.645352] kasan_save_alloc_info+0x3b/0x50 [ 12.645575] __kasan_kmalloc+0xb7/0xc0 [ 12.645723] __kmalloc_cache_noprof+0x189/0x420 [ 12.645882] krealloc_uaf+0xbb/0x5e0 [ 12.646015] kunit_try_run_case+0x1a5/0x480 [ 12.646270] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.646535] kthread+0x337/0x6f0 [ 12.646845] ret_from_fork+0x116/0x1d0 [ 12.647175] ret_from_fork_asm+0x1a/0x30 [ 12.647375] [ 12.647475] Freed by task 182: [ 12.647590] kasan_save_stack+0x45/0x70 [ 12.647792] kasan_save_track+0x18/0x40 [ 12.647984] kasan_save_free_info+0x3f/0x60 [ 12.648266] __kasan_slab_free+0x56/0x70 [ 12.648429] kfree+0x222/0x3f0 [ 12.648550] krealloc_uaf+0x13d/0x5e0 [ 12.648740] kunit_try_run_case+0x1a5/0x480 [ 12.648951] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.649349] kthread+0x337/0x6f0 [ 12.649520] ret_from_fork+0x116/0x1d0 [ 12.649806] ret_from_fork_asm+0x1a/0x30 [ 12.649985] [ 12.650141] The buggy address belongs to the object at ffff888100ab0a00 [ 12.650141] which belongs to the cache kmalloc-256 of size 256 [ 12.650646] The buggy address is located 0 bytes inside of [ 12.650646] freed 256-byte region [ffff888100ab0a00, ffff888100ab0b00) [ 12.651313] [ 12.651412] The buggy address belongs to the physical page: [ 12.651683] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100ab0 [ 12.651945] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.652177] flags: 0x200000000000040(head|node=0|zone=2) [ 12.652356] page_type: f5(slab) [ 12.652521] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.653193] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.653547] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.653883] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.654121] head: 0200000000000001 ffffea000402ac01 00000000ffffffff 00000000ffffffff [ 12.654355] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.654879] page dumped because: kasan: bad access detected [ 12.655140] [ 12.655235] Memory state around the buggy address: [ 12.655802] ffff888100ab0900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.656192] ffff888100ab0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.656447] >ffff888100ab0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.656863] ^ [ 12.657035] ffff888100ab0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.657252] ffff888100ab0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.657475] ================================================================== [ 12.609199] ================================================================== [ 12.610383] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 12.610855] Read of size 1 at addr ffff888100ab0a00 by task kunit_try_catch/182 [ 12.611495] [ 12.611612] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 12.611662] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.611676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.611699] Call Trace: [ 12.611712] <TASK> [ 12.611730] dump_stack_lvl+0x73/0xb0 [ 12.611765] print_report+0xd1/0x610 [ 12.611788] ? __virt_addr_valid+0x1db/0x2d0 [ 12.611812] ? krealloc_uaf+0x1b8/0x5e0 [ 12.611833] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.611856] ? krealloc_uaf+0x1b8/0x5e0 [ 12.611878] kasan_report+0x141/0x180 [ 12.611900] ? krealloc_uaf+0x1b8/0x5e0 [ 12.611926] ? krealloc_uaf+0x1b8/0x5e0 [ 12.611947] __kasan_check_byte+0x3d/0x50 [ 12.611969] krealloc_noprof+0x3f/0x340 [ 12.611993] krealloc_uaf+0x1b8/0x5e0 [ 12.612014] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.612049] ? finish_task_switch.isra.0+0x153/0x700 [ 12.612071] ? __switch_to+0x47/0xf50 [ 12.612098] ? __schedule+0x10c6/0x2b60 [ 12.612121] ? __pfx_read_tsc+0x10/0x10 [ 12.612141] ? ktime_get_ts64+0x86/0x230 [ 12.612168] kunit_try_run_case+0x1a5/0x480 [ 12.612194] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.612215] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.612239] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.612262] ? __kthread_parkme+0x82/0x180 [ 12.612282] ? preempt_count_sub+0x50/0x80 [ 12.612305] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.612329] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.612351] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.612375] kthread+0x337/0x6f0 [ 12.612394] ? trace_preempt_on+0x20/0xc0 [ 12.612428] ? __pfx_kthread+0x10/0x10 [ 12.612448] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.612469] ? calculate_sigpending+0x7b/0xa0 [ 12.612493] ? __pfx_kthread+0x10/0x10 [ 12.612515] ret_from_fork+0x116/0x1d0 [ 12.612533] ? __pfx_kthread+0x10/0x10 [ 12.612553] ret_from_fork_asm+0x1a/0x30 [ 12.612586] </TASK> [ 12.612597] [ 12.620855] Allocated by task 182: [ 12.620992] kasan_save_stack+0x45/0x70 [ 12.621148] kasan_save_track+0x18/0x40 [ 12.621345] kasan_save_alloc_info+0x3b/0x50 [ 12.621577] __kasan_kmalloc+0xb7/0xc0 [ 12.621771] __kmalloc_cache_noprof+0x189/0x420 [ 12.621997] krealloc_uaf+0xbb/0x5e0 [ 12.622242] kunit_try_run_case+0x1a5/0x480 [ 12.622439] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.622887] kthread+0x337/0x6f0 [ 12.623022] ret_from_fork+0x116/0x1d0 [ 12.623212] ret_from_fork_asm+0x1a/0x30 [ 12.623445] [ 12.623545] Freed by task 182: [ 12.623708] kasan_save_stack+0x45/0x70 [ 12.623933] kasan_save_track+0x18/0x40 [ 12.624245] kasan_save_free_info+0x3f/0x60 [ 12.624465] __kasan_slab_free+0x56/0x70 [ 12.624607] kfree+0x222/0x3f0 [ 12.624733] krealloc_uaf+0x13d/0x5e0 [ 12.624867] kunit_try_run_case+0x1a5/0x480 [ 12.625015] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.625222] kthread+0x337/0x6f0 [ 12.625388] ret_from_fork+0x116/0x1d0 [ 12.625701] ret_from_fork_asm+0x1a/0x30 [ 12.625902] [ 12.625998] The buggy address belongs to the object at ffff888100ab0a00 [ 12.625998] which belongs to the cache kmalloc-256 of size 256 [ 12.626989] The buggy address is located 0 bytes inside of [ 12.626989] freed 256-byte region [ffff888100ab0a00, ffff888100ab0b00) [ 12.627483] [ 12.627586] The buggy address belongs to the physical page: [ 12.627869] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100ab0 [ 12.628153] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.628411] flags: 0x200000000000040(head|node=0|zone=2) [ 12.628811] page_type: f5(slab) [ 12.628991] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.629366] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.629774] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.630272] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.630575] head: 0200000000000001 ffffea000402ac01 00000000ffffffff 00000000ffffffff [ 12.630910] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.631305] page dumped because: kasan: bad access detected [ 12.631556] [ 12.631653] Memory state around the buggy address: [ 12.631955] ffff888100ab0900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.632258] ffff888100ab0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.632522] >ffff888100ab0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.632846] ^ [ 12.633009] ffff888100ab0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.633267] ffff888100ab0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.633545] ==================================================================
[ 12.749737] ================================================================== [ 12.750074] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 12.750602] Read of size 1 at addr ffff888100a28200 by task kunit_try_catch/181 [ 12.751006] [ 12.751103] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 12.751158] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.751170] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.751191] Call Trace: [ 12.751209] <TASK> [ 12.751224] dump_stack_lvl+0x73/0xb0 [ 12.751263] print_report+0xd1/0x610 [ 12.751283] ? __virt_addr_valid+0x1db/0x2d0 [ 12.751305] ? krealloc_uaf+0x53c/0x5e0 [ 12.751336] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.751357] ? krealloc_uaf+0x53c/0x5e0 [ 12.751378] kasan_report+0x141/0x180 [ 12.751398] ? krealloc_uaf+0x53c/0x5e0 [ 12.751424] __asan_report_load1_noabort+0x18/0x20 [ 12.751447] krealloc_uaf+0x53c/0x5e0 [ 12.751468] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.751488] ? __schedule+0x2079/0x2b60 [ 12.751508] ? schedule+0x7c/0x2e0 [ 12.751527] ? trace_hardirqs_on+0x37/0xe0 [ 12.751549] ? __schedule+0x2079/0x2b60 [ 12.751570] ? __pfx_read_tsc+0x10/0x10 [ 12.751590] ? ktime_get_ts64+0x86/0x230 [ 12.751613] kunit_try_run_case+0x1a5/0x480 [ 12.751646] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.751676] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.751698] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.751733] ? __kthread_parkme+0x82/0x180 [ 12.751753] ? preempt_count_sub+0x50/0x80 [ 12.751776] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.751800] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.751822] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.751845] kthread+0x337/0x6f0 [ 12.751864] ? trace_preempt_on+0x20/0xc0 [ 12.751885] ? __pfx_kthread+0x10/0x10 [ 12.751904] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.751925] ? calculate_sigpending+0x7b/0xa0 [ 12.751948] ? __pfx_kthread+0x10/0x10 [ 12.751968] ret_from_fork+0x116/0x1d0 [ 12.751986] ? __pfx_kthread+0x10/0x10 [ 12.752005] ret_from_fork_asm+0x1a/0x30 [ 12.752034] </TASK> [ 12.752044] [ 12.760212] Allocated by task 181: [ 12.760412] kasan_save_stack+0x45/0x70 [ 12.760634] kasan_save_track+0x18/0x40 [ 12.760805] kasan_save_alloc_info+0x3b/0x50 [ 12.761063] __kasan_kmalloc+0xb7/0xc0 [ 12.761465] __kmalloc_cache_noprof+0x189/0x420 [ 12.761675] krealloc_uaf+0xbb/0x5e0 [ 12.761810] kunit_try_run_case+0x1a5/0x480 [ 12.761960] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.762247] kthread+0x337/0x6f0 [ 12.762417] ret_from_fork+0x116/0x1d0 [ 12.762601] ret_from_fork_asm+0x1a/0x30 [ 12.762795] [ 12.763020] Freed by task 181: [ 12.763198] kasan_save_stack+0x45/0x70 [ 12.763488] kasan_save_track+0x18/0x40 [ 12.763679] kasan_save_free_info+0x3f/0x60 [ 12.763988] __kasan_slab_free+0x56/0x70 [ 12.764207] kfree+0x222/0x3f0 [ 12.764401] krealloc_uaf+0x13d/0x5e0 [ 12.764574] kunit_try_run_case+0x1a5/0x480 [ 12.764806] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.765338] kthread+0x337/0x6f0 [ 12.765531] ret_from_fork+0x116/0x1d0 [ 12.765721] ret_from_fork_asm+0x1a/0x30 [ 12.765971] [ 12.766058] The buggy address belongs to the object at ffff888100a28200 [ 12.766058] which belongs to the cache kmalloc-256 of size 256 [ 12.766433] The buggy address is located 0 bytes inside of [ 12.766433] freed 256-byte region [ffff888100a28200, ffff888100a28300) [ 12.766789] [ 12.766868] The buggy address belongs to the physical page: [ 12.767196] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a28 [ 12.767834] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.768173] flags: 0x200000000000040(head|node=0|zone=2) [ 12.768664] page_type: f5(slab) [ 12.768798] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.769440] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.769820] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.770226] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.770563] head: 0200000000000001 ffffea0004028a01 00000000ffffffff 00000000ffffffff [ 12.770798] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.771202] page dumped because: kasan: bad access detected [ 12.771653] [ 12.771753] Memory state around the buggy address: [ 12.772244] ffff888100a28100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.772601] ffff888100a28180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.772973] >ffff888100a28200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.773426] ^ [ 12.773586] ffff888100a28280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.773855] ffff888100a28300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.774250] ================================================================== [ 12.722693] ================================================================== [ 12.723534] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 12.723924] Read of size 1 at addr ffff888100a28200 by task kunit_try_catch/181 [ 12.724256] [ 12.724413] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 12.724469] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.724481] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.724501] Call Trace: [ 12.724513] <TASK> [ 12.724541] dump_stack_lvl+0x73/0xb0 [ 12.724570] print_report+0xd1/0x610 [ 12.724592] ? __virt_addr_valid+0x1db/0x2d0 [ 12.724615] ? krealloc_uaf+0x1b8/0x5e0 [ 12.724635] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.724656] ? krealloc_uaf+0x1b8/0x5e0 [ 12.724676] kasan_report+0x141/0x180 [ 12.724697] ? krealloc_uaf+0x1b8/0x5e0 [ 12.724720] ? krealloc_uaf+0x1b8/0x5e0 [ 12.724740] __kasan_check_byte+0x3d/0x50 [ 12.724770] krealloc_noprof+0x3f/0x340 [ 12.724792] krealloc_uaf+0x1b8/0x5e0 [ 12.724812] ? __pfx_krealloc_uaf+0x10/0x10 [ 12.724842] ? __schedule+0x2079/0x2b60 [ 12.724862] ? schedule+0x7c/0x2e0 [ 12.724881] ? trace_hardirqs_on+0x37/0xe0 [ 12.724904] ? __schedule+0x2079/0x2b60 [ 12.724925] ? __pfx_read_tsc+0x10/0x10 [ 12.725005] ? ktime_get_ts64+0x86/0x230 [ 12.725030] kunit_try_run_case+0x1a5/0x480 [ 12.725054] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.725076] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.725098] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.725120] ? __kthread_parkme+0x82/0x180 [ 12.725140] ? preempt_count_sub+0x50/0x80 [ 12.725175] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.725198] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.725220] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.725242] kthread+0x337/0x6f0 [ 12.725261] ? trace_preempt_on+0x20/0xc0 [ 12.725282] ? __pfx_kthread+0x10/0x10 [ 12.725302] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.725330] ? calculate_sigpending+0x7b/0xa0 [ 12.725353] ? __pfx_kthread+0x10/0x10 [ 12.725374] ret_from_fork+0x116/0x1d0 [ 12.725392] ? __pfx_kthread+0x10/0x10 [ 12.725411] ret_from_fork_asm+0x1a/0x30 [ 12.725441] </TASK> [ 12.725451] [ 12.734469] Allocated by task 181: [ 12.734693] kasan_save_stack+0x45/0x70 [ 12.734996] kasan_save_track+0x18/0x40 [ 12.735162] kasan_save_alloc_info+0x3b/0x50 [ 12.735319] __kasan_kmalloc+0xb7/0xc0 [ 12.735483] __kmalloc_cache_noprof+0x189/0x420 [ 12.735743] krealloc_uaf+0xbb/0x5e0 [ 12.735954] kunit_try_run_case+0x1a5/0x480 [ 12.736336] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.736578] kthread+0x337/0x6f0 [ 12.736761] ret_from_fork+0x116/0x1d0 [ 12.736910] ret_from_fork_asm+0x1a/0x30 [ 12.737052] [ 12.737231] Freed by task 181: [ 12.737506] kasan_save_stack+0x45/0x70 [ 12.737740] kasan_save_track+0x18/0x40 [ 12.737915] kasan_save_free_info+0x3f/0x60 [ 12.738305] __kasan_slab_free+0x56/0x70 [ 12.738534] kfree+0x222/0x3f0 [ 12.738758] krealloc_uaf+0x13d/0x5e0 [ 12.738962] kunit_try_run_case+0x1a5/0x480 [ 12.739276] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.739537] kthread+0x337/0x6f0 [ 12.739731] ret_from_fork+0x116/0x1d0 [ 12.739926] ret_from_fork_asm+0x1a/0x30 [ 12.740088] [ 12.740178] The buggy address belongs to the object at ffff888100a28200 [ 12.740178] which belongs to the cache kmalloc-256 of size 256 [ 12.740580] The buggy address is located 0 bytes inside of [ 12.740580] freed 256-byte region [ffff888100a28200, ffff888100a28300) [ 12.741460] [ 12.741692] The buggy address belongs to the physical page: [ 12.742082] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a28 [ 12.742692] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 12.742955] flags: 0x200000000000040(head|node=0|zone=2) [ 12.743142] page_type: f5(slab) [ 12.743452] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.744119] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.744478] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 12.744880] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.745297] head: 0200000000000001 ffffea0004028a01 00000000ffffffff 00000000ffffffff [ 12.745634] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 12.746162] page dumped because: kasan: bad access detected [ 12.746449] [ 12.746557] Memory state around the buggy address: [ 12.746773] ffff888100a28100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.747168] ffff888100a28180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.747513] >ffff888100a28200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.747896] ^ [ 12.748016] ffff888100a28280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.748518] ffff888100a28300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.748837] ==================================================================