Date
Nov. 26, 2024, 6:09 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.022671] ================================================================== [ 31.024216] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 31.025042] Read of size 1 at addr fff00000c43ac000 by task kunit_try_catch/153 [ 31.026139] [ 31.026547] CPU: 1 UID: 0 PID: 153 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 31.027589] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.028203] Hardware name: linux,dummy-virt (DT) [ 31.028724] Call trace: [ 31.029212] show_stack+0x20/0x38 (C) [ 31.029887] dump_stack_lvl+0x8c/0xd0 [ 31.030491] print_report+0x118/0x5e0 [ 31.031174] kasan_report+0xc8/0x118 [ 31.031800] __kasan_check_byte+0x54/0x70 [ 31.032510] krealloc_noprof+0x44/0x360 [ 31.033105] krealloc_uaf+0x180/0x520 [ 31.033763] kunit_try_run_case+0x14c/0x3d0 [ 31.034390] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.035246] kthread+0x24c/0x2d0 [ 31.035774] ret_from_fork+0x10/0x20 [ 31.036471] [ 31.036870] Allocated by task 153: [ 31.037352] kasan_save_stack+0x3c/0x68 [ 31.038038] kasan_save_track+0x20/0x40 [ 31.038698] kasan_save_alloc_info+0x40/0x58 [ 31.039392] __kasan_kmalloc+0xd4/0xd8 [ 31.040048] __kmalloc_cache_noprof+0x15c/0x3c8 [ 31.040658] krealloc_uaf+0xc8/0x520 [ 31.041278] kunit_try_run_case+0x14c/0x3d0 [ 31.041937] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.042691] kthread+0x24c/0x2d0 [ 31.043263] ret_from_fork+0x10/0x20 [ 31.043882] [ 31.044234] Freed by task 153: [ 31.044749] kasan_save_stack+0x3c/0x68 [ 31.045372] kasan_save_track+0x20/0x40 [ 31.046049] kasan_save_free_info+0x4c/0x78 [ 31.046711] __kasan_slab_free+0x6c/0x98 [ 31.047360] kfree+0x114/0x3d0 [ 31.048012] krealloc_uaf+0x12c/0x520 [ 31.048515] kunit_try_run_case+0x14c/0x3d0 [ 31.049118] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.049821] kthread+0x24c/0x2d0 [ 31.050394] ret_from_fork+0x10/0x20 [ 31.050974] [ 31.051416] The buggy address belongs to the object at fff00000c43ac000 [ 31.051416] which belongs to the cache kmalloc-256 of size 256 [ 31.052960] The buggy address is located 0 bytes inside of [ 31.052960] freed 256-byte region [fff00000c43ac000, fff00000c43ac100) [ 31.054258] [ 31.054638] The buggy address belongs to the physical page: [ 31.055440] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1043ac [ 31.056460] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.057380] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.058333] page_type: f5(slab) [ 31.058923] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.059873] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.060895] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.061863] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.062852] head: 0bfffe0000000001 ffffc1ffc310eb01 ffffffffffffffff 0000000000000000 [ 31.063850] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 31.064754] page dumped because: kasan: bad access detected [ 31.065434] [ 31.065866] Memory state around the buggy address: [ 31.066555] fff00000c43abf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.067432] fff00000c43abf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.068307] >fff00000c43ac000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.069265] ^ [ 31.069807] fff00000c43ac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.070669] fff00000c43ac100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.071558] ================================================================== [ 31.074211] ================================================================== [ 31.075364] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 31.076778] Read of size 1 at addr fff00000c43ac000 by task kunit_try_catch/153 [ 31.077819] [ 31.078220] CPU: 1 UID: 0 PID: 153 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 31.079453] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.080094] Hardware name: linux,dummy-virt (DT) [ 31.080640] Call trace: [ 31.081100] show_stack+0x20/0x38 (C) [ 31.081696] dump_stack_lvl+0x8c/0xd0 [ 31.082292] print_report+0x118/0x5e0 [ 31.082840] kasan_report+0xc8/0x118 [ 31.083472] __asan_report_load1_noabort+0x20/0x30 [ 31.084100] krealloc_uaf+0x4c8/0x520 [ 31.084710] kunit_try_run_case+0x14c/0x3d0 [ 31.085369] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.086166] kthread+0x24c/0x2d0 [ 31.086741] ret_from_fork+0x10/0x20 [ 31.087380] [ 31.087729] Allocated by task 153: [ 31.088253] kasan_save_stack+0x3c/0x68 [ 31.088870] kasan_save_track+0x20/0x40 [ 31.089416] kasan_save_alloc_info+0x40/0x58 [ 31.090086] __kasan_kmalloc+0xd4/0xd8 [ 31.090584] __kmalloc_cache_noprof+0x15c/0x3c8 [ 31.091276] krealloc_uaf+0xc8/0x520 [ 31.091739] kunit_try_run_case+0x14c/0x3d0 [ 31.092401] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.093058] kthread+0x24c/0x2d0 [ 31.093613] ret_from_fork+0x10/0x20 [ 31.094150] [ 31.094518] Freed by task 153: [ 31.095042] kasan_save_stack+0x3c/0x68 [ 31.095643] kasan_save_track+0x20/0x40 [ 31.096158] kasan_save_free_info+0x4c/0x78 [ 31.096811] __kasan_slab_free+0x6c/0x98 [ 31.097364] kfree+0x114/0x3d0 [ 31.097918] krealloc_uaf+0x12c/0x520 [ 31.098425] kunit_try_run_case+0x14c/0x3d0 [ 31.099111] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.099823] kthread+0x24c/0x2d0 [ 31.100327] ret_from_fork+0x10/0x20 [ 31.100926] [ 31.101224] The buggy address belongs to the object at fff00000c43ac000 [ 31.101224] which belongs to the cache kmalloc-256 of size 256 [ 31.102381] The buggy address is located 0 bytes inside of [ 31.102381] freed 256-byte region [fff00000c43ac000, fff00000c43ac100) [ 31.103724] [ 31.104044] The buggy address belongs to the physical page: [ 31.104775] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1043ac [ 31.105635] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.106536] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.107339] page_type: f5(slab) [ 31.107823] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.108779] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.109514] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.110505] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.111512] head: 0bfffe0000000001 ffffc1ffc310eb01 ffffffffffffffff 0000000000000000 [ 31.112480] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 31.113174] page dumped because: kasan: bad access detected [ 31.113889] [ 31.114269] Memory state around the buggy address: [ 31.114871] fff00000c43abf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.115776] fff00000c43abf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.116524] >fff00000c43ac000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.117418] ^ [ 31.117892] fff00000c43ac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.118742] fff00000c43ac100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.119372] ==================================================================
[ 31.050377] ================================================================== [ 31.051063] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 31.051940] Read of size 1 at addr fff00000c47dfe00 by task kunit_try_catch/153 [ 31.052718] [ 31.053149] CPU: 0 UID: 0 PID: 153 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 31.054218] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.054894] Hardware name: linux,dummy-virt (DT) [ 31.055561] Call trace: [ 31.056067] show_stack+0x20/0x38 (C) [ 31.056711] dump_stack_lvl+0x8c/0xd0 [ 31.057374] print_report+0x118/0x5e0 [ 31.057901] kasan_report+0xc8/0x118 [ 31.058517] __asan_report_load1_noabort+0x20/0x30 [ 31.059251] krealloc_uaf+0x4c8/0x520 [ 31.059932] kunit_try_run_case+0x14c/0x3d0 [ 31.060795] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.061567] kthread+0x24c/0x2d0 [ 31.062182] ret_from_fork+0x10/0x20 [ 31.062900] [ 31.063320] Allocated by task 153: [ 31.063934] kasan_save_stack+0x3c/0x68 [ 31.064549] kasan_save_track+0x20/0x40 [ 31.065211] kasan_save_alloc_info+0x40/0x58 [ 31.065836] __kasan_kmalloc+0xd4/0xd8 [ 31.066385] __kmalloc_cache_noprof+0x15c/0x3c8 [ 31.067122] krealloc_uaf+0xc8/0x520 [ 31.067807] kunit_try_run_case+0x14c/0x3d0 [ 31.068437] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.069182] kthread+0x24c/0x2d0 [ 31.069799] ret_from_fork+0x10/0x20 [ 31.070390] [ 31.070795] Freed by task 153: [ 31.071382] kasan_save_stack+0x3c/0x68 [ 31.072031] kasan_save_track+0x20/0x40 [ 31.072693] kasan_save_free_info+0x4c/0x78 [ 31.073390] __kasan_slab_free+0x6c/0x98 [ 31.073909] kfree+0x114/0x3d0 [ 31.074502] krealloc_uaf+0x12c/0x520 [ 31.075106] kunit_try_run_case+0x14c/0x3d0 [ 31.075783] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.076592] kthread+0x24c/0x2d0 [ 31.077084] ret_from_fork+0x10/0x20 [ 31.077787] [ 31.078136] The buggy address belongs to the object at fff00000c47dfe00 [ 31.078136] which belongs to the cache kmalloc-256 of size 256 [ 31.079450] The buggy address is located 0 bytes inside of [ 31.079450] freed 256-byte region [fff00000c47dfe00, fff00000c47dff00) [ 31.080839] [ 31.081236] The buggy address belongs to the physical page: [ 31.081930] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1047de [ 31.082876] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.083839] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.084663] page_type: f5(slab) [ 31.085511] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.086413] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.087282] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.088462] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.089343] head: 0bfffe0000000001 ffffc1ffc311f781 ffffffffffffffff 0000000000000000 [ 31.090580] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 31.091558] page dumped because: kasan: bad access detected [ 31.092319] [ 31.092928] Memory state around the buggy address: [ 31.093437] fff00000c47dfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.094481] fff00000c47dfd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.095558] >fff00000c47dfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.096615] ^ [ 31.097139] fff00000c47dfe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.098148] fff00000c47dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.099167] ================================================================== [ 30.993512] ================================================================== [ 30.994895] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 30.995581] Read of size 1 at addr fff00000c47dfe00 by task kunit_try_catch/153 [ 30.996663] [ 30.997085] CPU: 1 UID: 0 PID: 153 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 30.998221] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.998861] Hardware name: linux,dummy-virt (DT) [ 30.999513] Call trace: [ 30.999889] show_stack+0x20/0x38 (C) [ 31.001002] dump_stack_lvl+0x8c/0xd0 [ 31.001745] print_report+0x118/0x5e0 [ 31.002705] kasan_report+0xc8/0x118 [ 31.003518] __kasan_check_byte+0x54/0x70 [ 31.004352] krealloc_noprof+0x44/0x360 [ 31.005025] krealloc_uaf+0x180/0x520 [ 31.005759] kunit_try_run_case+0x14c/0x3d0 [ 31.006684] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.007607] kthread+0x24c/0x2d0 [ 31.008299] ret_from_fork+0x10/0x20 [ 31.008987] [ 31.009416] Allocated by task 153: [ 31.010306] kasan_save_stack+0x3c/0x68 [ 31.011019] kasan_save_track+0x20/0x40 [ 31.011586] kasan_save_alloc_info+0x40/0x58 [ 31.012330] __kasan_kmalloc+0xd4/0xd8 [ 31.012955] __kmalloc_cache_noprof+0x15c/0x3c8 [ 31.014595] krealloc_uaf+0xc8/0x520 [ 31.015180] kunit_try_run_case+0x14c/0x3d0 [ 31.015936] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.016697] kthread+0x24c/0x2d0 [ 31.016952] ret_from_fork+0x10/0x20 [ 31.017193] [ 31.017348] Freed by task 153: [ 31.018346] kasan_save_stack+0x3c/0x68 [ 31.018926] kasan_save_track+0x20/0x40 [ 31.019402] kasan_save_free_info+0x4c/0x78 [ 31.020085] __kasan_slab_free+0x6c/0x98 [ 31.020710] kfree+0x114/0x3d0 [ 31.021257] krealloc_uaf+0x12c/0x520 [ 31.021828] kunit_try_run_case+0x14c/0x3d0 [ 31.022699] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.023394] kthread+0x24c/0x2d0 [ 31.023985] ret_from_fork+0x10/0x20 [ 31.024748] [ 31.025135] The buggy address belongs to the object at fff00000c47dfe00 [ 31.025135] which belongs to the cache kmalloc-256 of size 256 [ 31.026931] The buggy address is located 0 bytes inside of [ 31.026931] freed 256-byte region [fff00000c47dfe00, fff00000c47dff00) [ 31.028196] [ 31.028631] The buggy address belongs to the physical page: [ 31.029235] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1047de [ 31.030685] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.031574] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.032501] page_type: f5(slab) [ 31.032965] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.034236] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.035019] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 31.035932] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 31.037364] head: 0bfffe0000000001 ffffc1ffc311f781 ffffffffffffffff 0000000000000000 [ 31.038487] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 31.039702] page dumped because: kasan: bad access detected [ 31.040281] [ 31.040700] Memory state around the buggy address: [ 31.041418] fff00000c47dfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.042226] fff00000c47dfd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.043107] >fff00000c47dfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.044194] ^ [ 31.044852] fff00000c47dfe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.046000] fff00000c47dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.047092] ==================================================================
[ 25.209566] ================================================================== [ 25.210262] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53e/0x5e0 [ 25.210262] Read of size 1 at addr ffff888100aa9c00 by task kunit_try_catch/173 [ 25.210262] [ 25.210262] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 25.210262] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.210262] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.210262] Call Trace: [ 25.210262] <TASK> [ 25.210262] dump_stack_lvl+0x73/0xb0 [ 25.210262] print_report+0xd1/0x640 [ 25.210262] ? __virt_addr_valid+0x1db/0x2d0 [ 25.210262] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.210262] kasan_report+0x102/0x140 [ 25.210262] ? krealloc_uaf+0x53e/0x5e0 [ 25.210262] ? krealloc_uaf+0x53e/0x5e0 [ 25.210262] __asan_report_load1_noabort+0x18/0x20 [ 25.210262] krealloc_uaf+0x53e/0x5e0 [ 25.210262] ? __pfx_read_hpet+0x10/0x10 [ 25.210262] ? __pfx_krealloc_uaf+0x10/0x10 [ 25.210262] ? __switch_to+0x5d9/0xf60 [ 25.210262] ? __schedule+0xc3e/0x2790 [ 25.210262] ? ktime_get_ts64+0x84/0x230 [ 25.210262] kunit_try_run_case+0x1b3/0x490 [ 25.210262] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.210262] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.210262] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.210262] ? __kthread_parkme+0x82/0x160 [ 25.210262] ? preempt_count_sub+0x50/0x80 [ 25.210262] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.210262] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.210262] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.210262] kthread+0x257/0x310 [ 25.210262] ? __pfx_kthread+0x10/0x10 [ 25.210262] ret_from_fork+0x41/0x80 [ 25.210262] ? __pfx_kthread+0x10/0x10 [ 25.210262] ret_from_fork_asm+0x1a/0x30 [ 25.210262] </TASK> [ 25.210262] [ 25.210262] Allocated by task 173: [ 25.210262] kasan_save_stack+0x3d/0x60 [ 25.210262] kasan_save_track+0x18/0x40 [ 25.210262] kasan_save_alloc_info+0x3b/0x50 [ 25.210262] __kasan_kmalloc+0xb7/0xc0 [ 25.210262] __kmalloc_cache_noprof+0x184/0x410 [ 25.210262] krealloc_uaf+0xbc/0x5e0 [ 25.210262] kunit_try_run_case+0x1b3/0x490 [ 25.210262] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.210262] kthread+0x257/0x310 [ 25.210262] ret_from_fork+0x41/0x80 [ 25.210262] ret_from_fork_asm+0x1a/0x30 [ 25.210262] [ 25.210262] Freed by task 173: [ 25.210262] kasan_save_stack+0x3d/0x60 [ 25.210262] kasan_save_track+0x18/0x40 [ 25.210262] kasan_save_free_info+0x3f/0x60 [ 25.210262] __kasan_slab_free+0x56/0x70 [ 25.210262] kfree+0x123/0x3f0 [ 25.210262] krealloc_uaf+0x13e/0x5e0 [ 25.210262] kunit_try_run_case+0x1b3/0x490 [ 25.210262] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.210262] kthread+0x257/0x310 [ 25.210262] ret_from_fork+0x41/0x80 [ 25.210262] ret_from_fork_asm+0x1a/0x30 [ 25.210262] [ 25.210262] The buggy address belongs to the object at ffff888100aa9c00 [ 25.210262] which belongs to the cache kmalloc-256 of size 256 [ 25.210262] The buggy address is located 0 bytes inside of [ 25.210262] freed 256-byte region [ffff888100aa9c00, ffff888100aa9d00) [ 25.210262] [ 25.210262] The buggy address belongs to the physical page: [ 25.210262] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aa8 [ 25.210262] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 25.210262] flags: 0x200000000000040(head|node=0|zone=2) [ 25.210262] page_type: f5(slab) [ 25.210262] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 25.210262] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.210262] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 25.210262] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.210262] head: 0200000000000001 ffffea000402aa01 ffffffffffffffff 0000000000000000 [ 25.210262] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 25.210262] page dumped because: kasan: bad access detected [ 25.210262] [ 25.210262] Memory state around the buggy address: [ 25.210262] ffff888100aa9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.210262] ffff888100aa9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.210262] >ffff888100aa9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.210262] ^ [ 25.210262] ffff888100aa9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.210262] ffff888100aa9d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.210262] ================================================================== [ 25.156429] ================================================================== [ 25.157007] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b9/0x5e0 [ 25.157007] Read of size 1 at addr ffff888100aa9c00 by task kunit_try_catch/173 [ 25.157007] [ 25.157007] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 25.157007] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.157007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.157007] Call Trace: [ 25.157007] <TASK> [ 25.157007] dump_stack_lvl+0x73/0xb0 [ 25.157007] print_report+0xd1/0x640 [ 25.157007] ? __virt_addr_valid+0x1db/0x2d0 [ 25.157007] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.157007] kasan_report+0x102/0x140 [ 25.157007] ? krealloc_uaf+0x1b9/0x5e0 [ 25.157007] ? krealloc_uaf+0x1b9/0x5e0 [ 25.157007] ? krealloc_uaf+0x1b9/0x5e0 [ 25.157007] __kasan_check_byte+0x3d/0x50 [ 25.157007] krealloc_noprof+0x3f/0x340 [ 25.157007] krealloc_uaf+0x1b9/0x5e0 [ 25.157007] ? __pfx_read_hpet+0x10/0x10 [ 25.157007] ? __pfx_krealloc_uaf+0x10/0x10 [ 25.157007] ? __switch_to+0x5d9/0xf60 [ 25.157007] ? __schedule+0xc3e/0x2790 [ 25.157007] ? ktime_get_ts64+0x84/0x230 [ 25.157007] kunit_try_run_case+0x1b3/0x490 [ 25.157007] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.157007] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.157007] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.157007] ? __kthread_parkme+0x82/0x160 [ 25.157007] ? preempt_count_sub+0x50/0x80 [ 25.157007] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.157007] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.157007] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.157007] kthread+0x257/0x310 [ 25.157007] ? __pfx_kthread+0x10/0x10 [ 25.157007] ret_from_fork+0x41/0x80 [ 25.157007] ? __pfx_kthread+0x10/0x10 [ 25.157007] ret_from_fork_asm+0x1a/0x30 [ 25.157007] </TASK> [ 25.157007] [ 25.157007] Allocated by task 173: [ 25.157007] kasan_save_stack+0x3d/0x60 [ 25.157007] kasan_save_track+0x18/0x40 [ 25.157007] kasan_save_alloc_info+0x3b/0x50 [ 25.157007] __kasan_kmalloc+0xb7/0xc0 [ 25.157007] __kmalloc_cache_noprof+0x184/0x410 [ 25.157007] krealloc_uaf+0xbc/0x5e0 [ 25.157007] kunit_try_run_case+0x1b3/0x490 [ 25.157007] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.157007] kthread+0x257/0x310 [ 25.157007] ret_from_fork+0x41/0x80 [ 25.157007] ret_from_fork_asm+0x1a/0x30 [ 25.157007] [ 25.157007] Freed by task 173: [ 25.157007] kasan_save_stack+0x3d/0x60 [ 25.157007] kasan_save_track+0x18/0x40 [ 25.157007] kasan_save_free_info+0x3f/0x60 [ 25.157007] __kasan_slab_free+0x56/0x70 [ 25.157007] kfree+0x123/0x3f0 [ 25.157007] krealloc_uaf+0x13e/0x5e0 [ 25.157007] kunit_try_run_case+0x1b3/0x490 [ 25.157007] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.157007] kthread+0x257/0x310 [ 25.157007] ret_from_fork+0x41/0x80 [ 25.157007] ret_from_fork_asm+0x1a/0x30 [ 25.157007] [ 25.157007] The buggy address belongs to the object at ffff888100aa9c00 [ 25.157007] which belongs to the cache kmalloc-256 of size 256 [ 25.157007] The buggy address is located 0 bytes inside of [ 25.157007] freed 256-byte region [ffff888100aa9c00, ffff888100aa9d00) [ 25.157007] [ 25.157007] The buggy address belongs to the physical page: [ 25.157007] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aa8 [ 25.157007] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 25.157007] flags: 0x200000000000040(head|node=0|zone=2) [ 25.157007] page_type: f5(slab) [ 25.157007] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 25.157007] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.157007] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 25.157007] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.157007] head: 0200000000000001 ffffea000402aa01 ffffffffffffffff 0000000000000000 [ 25.157007] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 25.157007] page dumped because: kasan: bad access detected [ 25.157007] [ 25.157007] Memory state around the buggy address: [ 25.157007] ffff888100aa9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.157007] ffff888100aa9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.157007] >ffff888100aa9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.157007] ^ [ 25.157007] ffff888100aa9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.157007] ffff888100aa9d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.157007] ==================================================================
[ 20.169948] ================================================================== [ 20.170971] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b9/0x5e0 [ 20.171623] Read of size 1 at addr ffff888100a23000 by task kunit_try_catch/171 [ 20.172568] [ 20.172819] CPU: 1 UID: 0 PID: 171 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 20.173866] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.174386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.175477] Call Trace: [ 20.175866] <TASK> [ 20.176575] dump_stack_lvl+0x73/0xb0 [ 20.177438] print_report+0xd1/0x640 [ 20.178385] ? __virt_addr_valid+0x1db/0x2d0 [ 20.179054] ? kasan_complete_mode_report_info+0x64/0x200 [ 20.179858] kasan_report+0x102/0x140 [ 20.180462] ? krealloc_uaf+0x1b9/0x5e0 [ 20.181445] ? krealloc_uaf+0x1b9/0x5e0 [ 20.181842] ? krealloc_uaf+0x1b9/0x5e0 [ 20.182379] __kasan_check_byte+0x3d/0x50 [ 20.182868] krealloc_noprof+0x3f/0x340 [ 20.183519] krealloc_uaf+0x1b9/0x5e0 [ 20.183930] ? __pfx_krealloc_uaf+0x10/0x10 [ 20.184549] ? finish_task_switch.isra.0+0x153/0x700 [ 20.185237] ? __switch_to+0x5d9/0xf60 [ 20.185562] ? __schedule+0xc3e/0x2790 [ 20.186544] ? __pfx_read_tsc+0x10/0x10 [ 20.186925] ? ktime_get_ts64+0x84/0x230 [ 20.187329] kunit_try_run_case+0x1b3/0x490 [ 20.187754] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.188245] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 20.188878] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.189544] ? __kthread_parkme+0x82/0x160 [ 20.190109] ? preempt_count_sub+0x50/0x80 [ 20.190670] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.191309] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.192464] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.192966] kthread+0x257/0x310 [ 20.193573] ? __pfx_kthread+0x10/0x10 [ 20.194194] ret_from_fork+0x41/0x80 [ 20.194579] ? __pfx_kthread+0x10/0x10 [ 20.194958] ret_from_fork_asm+0x1a/0x30 [ 20.195664] </TASK> [ 20.196098] [ 20.196334] Allocated by task 171: [ 20.196627] kasan_save_stack+0x3d/0x60 [ 20.197609] kasan_save_track+0x18/0x40 [ 20.198241] kasan_save_alloc_info+0x3b/0x50 [ 20.198715] __kasan_kmalloc+0xb7/0xc0 [ 20.199305] __kmalloc_cache_noprof+0x184/0x410 [ 20.199710] krealloc_uaf+0xbc/0x5e0 [ 20.200314] kunit_try_run_case+0x1b3/0x490 [ 20.200863] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.201517] kthread+0x257/0x310 [ 20.201903] ret_from_fork+0x41/0x80 [ 20.202956] ret_from_fork_asm+0x1a/0x30 [ 20.203316] [ 20.203608] Freed by task 171: [ 20.203905] kasan_save_stack+0x3d/0x60 [ 20.204525] kasan_save_track+0x18/0x40 [ 20.204841] kasan_save_free_info+0x3f/0x60 [ 20.205427] __kasan_slab_free+0x56/0x70 [ 20.205930] kfree+0x123/0x3f0 [ 20.206503] krealloc_uaf+0x13e/0x5e0 [ 20.207083] kunit_try_run_case+0x1b3/0x490 [ 20.207469] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.208628] kthread+0x257/0x310 [ 20.208908] ret_from_fork+0x41/0x80 [ 20.209554] ret_from_fork_asm+0x1a/0x30 [ 20.209972] [ 20.210214] The buggy address belongs to the object at ffff888100a23000 [ 20.210214] which belongs to the cache kmalloc-256 of size 256 [ 20.211459] The buggy address is located 0 bytes inside of [ 20.211459] freed 256-byte region [ffff888100a23000, ffff888100a23100) [ 20.212532] [ 20.212840] The buggy address belongs to the physical page: [ 20.213934] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a22 [ 20.214724] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 20.215533] flags: 0x200000000000040(head|node=0|zone=2) [ 20.215936] page_type: f5(slab) [ 20.216291] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 20.217367] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 20.218131] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 20.219113] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 20.219683] head: 0200000000000001 ffffea0004028881 ffffffffffffffff 0000000000000000 [ 20.220434] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 20.221252] page dumped because: kasan: bad access detected [ 20.221738] [ 20.222120] Memory state around the buggy address: [ 20.222669] ffff888100a22f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.223804] ffff888100a22f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.224416] >ffff888100a23000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.225305] ^ [ 20.225728] ffff888100a23080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.226504] ffff888100a23100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.227262] ================================================================== [ 20.230297] ================================================================== [ 20.231045] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53e/0x5e0 [ 20.232141] Read of size 1 at addr ffff888100a23000 by task kunit_try_catch/171 [ 20.232773] [ 20.233033] CPU: 1 UID: 0 PID: 171 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 20.234184] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.234649] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.235570] Call Trace: [ 20.235867] <TASK> [ 20.236803] dump_stack_lvl+0x73/0xb0 [ 20.237200] print_report+0xd1/0x640 [ 20.237605] ? __virt_addr_valid+0x1db/0x2d0 [ 20.237924] ? kasan_complete_mode_report_info+0x64/0x200 [ 20.238348] kasan_report+0x102/0x140 [ 20.239320] ? krealloc_uaf+0x53e/0x5e0 [ 20.239860] ? krealloc_uaf+0x53e/0x5e0 [ 20.240541] __asan_report_load1_noabort+0x18/0x20 [ 20.241382] krealloc_uaf+0x53e/0x5e0 [ 20.241797] ? __pfx_krealloc_uaf+0x10/0x10 [ 20.242983] ? finish_task_switch.isra.0+0x153/0x700 [ 20.243742] ? __switch_to+0x5d9/0xf60 [ 20.244422] ? __schedule+0xc3e/0x2790 [ 20.244919] ? __pfx_read_tsc+0x10/0x10 [ 20.245533] ? ktime_get_ts64+0x84/0x230 [ 20.246013] kunit_try_run_case+0x1b3/0x490 [ 20.246826] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.247819] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 20.248501] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.249282] ? __kthread_parkme+0x82/0x160 [ 20.249463] ? preempt_count_sub+0x50/0x80 [ 20.249777] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.250774] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.251437] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.251843] kthread+0x257/0x310 [ 20.252232] ? __pfx_kthread+0x10/0x10 [ 20.252880] ret_from_fork+0x41/0x80 [ 20.253752] ? __pfx_kthread+0x10/0x10 [ 20.254583] ret_from_fork_asm+0x1a/0x30 [ 20.255176] </TASK> [ 20.255447] [ 20.256024] Allocated by task 171: [ 20.256575] kasan_save_stack+0x3d/0x60 [ 20.257028] kasan_save_track+0x18/0x40 [ 20.257424] kasan_save_alloc_info+0x3b/0x50 [ 20.258614] __kasan_kmalloc+0xb7/0xc0 [ 20.259233] __kmalloc_cache_noprof+0x184/0x410 [ 20.259781] krealloc_uaf+0xbc/0x5e0 [ 20.260098] kunit_try_run_case+0x1b3/0x490 [ 20.261214] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.261796] kthread+0x257/0x310 [ 20.262575] ret_from_fork+0x41/0x80 [ 20.262997] ret_from_fork_asm+0x1a/0x30 [ 20.263885] [ 20.264073] Freed by task 171: [ 20.264443] kasan_save_stack+0x3d/0x60 [ 20.265329] kasan_save_track+0x18/0x40 [ 20.265750] kasan_save_free_info+0x3f/0x60 [ 20.266414] __kasan_slab_free+0x56/0x70 [ 20.266942] kfree+0x123/0x3f0 [ 20.267543] krealloc_uaf+0x13e/0x5e0 [ 20.268402] kunit_try_run_case+0x1b3/0x490 [ 20.269008] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.269700] kthread+0x257/0x310 [ 20.270229] ret_from_fork+0x41/0x80 [ 20.270691] ret_from_fork_asm+0x1a/0x30 [ 20.271308] [ 20.271551] The buggy address belongs to the object at ffff888100a23000 [ 20.271551] which belongs to the cache kmalloc-256 of size 256 [ 20.272544] The buggy address is located 0 bytes inside of [ 20.272544] freed 256-byte region [ffff888100a23000, ffff888100a23100) [ 20.273417] [ 20.274619] The buggy address belongs to the physical page: [ 20.275204] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a22 [ 20.275824] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 20.276256] flags: 0x200000000000040(head|node=0|zone=2) [ 20.277201] page_type: f5(slab) [ 20.277480] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 20.278415] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 20.279354] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 20.280569] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 20.281293] head: 0200000000000001 ffffea0004028881 ffffffffffffffff 0000000000000000 [ 20.281720] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 20.282393] page dumped because: kasan: bad access detected [ 20.283340] [ 20.283546] Memory state around the buggy address: [ 20.284224] ffff888100a22f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.285117] ffff888100a22f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.285671] >ffff888100a23000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.286826] ^ [ 20.287353] ffff888100a23080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.288041] ffff888100a23100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.288533] ==================================================================