Date
May 30, 2025, 4:14 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
| x15 |
```text
[ 25.922366] ==================================================================
[ 25.932122] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 25.938717] Read of size 1 at addr ffff000803394a00 by task kunit_try_catch/208
[ 25.946007]
[ 25.947491] CPU: 5 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 25.947539] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.947553] Hardware name: WinLink E850-96 board (DT)
[ 25.947573] Call trace:
[ 25.947589]  show_stack+0x20/0x38 (C)
[ 25.947623]  dump_stack_lvl+0x8c/0xd0
[ 25.947658]  print_report+0x118/0x608
[ 25.947693]  kasan_report+0xdc/0x128
[ 25.947725]  __kasan_check_byte+0x54/0x70
[ 25.947757]  krealloc_noprof+0x44/0x360
[ 25.947793]  krealloc_uaf+0x180/0x520
[ 25.947821]  kunit_try_run_case+0x170/0x3f0
[ 25.947857]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.947898]  kthread+0x328/0x630
[ 25.947924]  ret_from_fork+0x10/0x20
[ 25.947959]
[ 26.013715] Allocated by task 208:
[ 26.017102]  kasan_save_stack+0x3c/0x68
[ 26.020921]  kasan_save_track+0x20/0x40
[ 26.024739]  kasan_save_alloc_info+0x40/0x58
[ 26.028992]  __kasan_kmalloc+0xd4/0xd8
[ 26.032725]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 26.037239]  krealloc_uaf+0xc8/0x520
[ 26.040797]  kunit_try_run_case+0x170/0x3f0
[ 26.044964]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.050433]  kthread+0x328/0x630
[ 26.053645]  ret_from_fork+0x10/0x20
[ 26.057204]
[ 26.058681] Freed by task 208:
[ 26.061717]  kasan_save_stack+0x3c/0x68
[ 26.065537]  kasan_save_track+0x20/0x40
[ 26.069356]  kasan_save_free_info+0x4c/0x78
[ 26.073523]  __kasan_slab_free+0x6c/0x98
[ 26.077429]  kfree+0x214/0x3c8
[ 26.080467]  krealloc_uaf+0x12c/0x520
[ 26.084114]  kunit_try_run_case+0x170/0x3f0
[ 26.088280]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.093748]  kthread+0x328/0x630
[ 26.096960]  ret_from_fork+0x10/0x20
[ 26.100519]
[ 26.101996] The buggy address belongs to the object at ffff000803394a00
[ 26.101996]  which belongs to the cache kmalloc-256 of size 256
[ 26.114496] The buggy address is located 0 bytes inside of
[ 26.114496]  freed 256-byte region [ffff000803394a00, ffff000803394b00)
[ 26.126560]
[ 26.128040] The buggy address belongs to the physical page:
[ 26.133596] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883394
[ 26.141580] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.149218] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 26.156162] page_type: f5(slab)
[ 26.159298] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[ 26.167017] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 26.174746] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[ 26.182555] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 26.190368] head: 0bfffe0000000002 fffffdffe00ce501 00000000ffffffff 00000000ffffffff
[ 26.198180] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 26.205986] page dumped because: kasan: bad access detected
[ 26.211543]
[ 26.213017] Memory state around the buggy address:
[ 26.217796]  ffff000803394900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.225000]  ffff000803394980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.232205] >ffff000803394a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.239406]                    ^
[ 26.242621]  ffff000803394a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.249826]  ffff000803394b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.257027] ==================================================================
[ 26.264413] ==================================================================
[ 26.271441] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 26.278034] Read of size 1 at addr ffff000803394a00 by task kunit_try_catch/208
[ 26.285325]
[ 26.286808] CPU: 5 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 26.286853] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.286867] Hardware name: WinLink E850-96 board (DT)
[ 26.286886] Call trace:
[ 26.286896]  show_stack+0x20/0x38 (C)
[ 26.286927]  dump_stack_lvl+0x8c/0xd0
[ 26.286962]  print_report+0x118/0x608
[ 26.286996]  kasan_report+0xdc/0x128
[ 26.287028]  __asan_report_load1_noabort+0x20/0x30
[ 26.287058]  krealloc_uaf+0x4c8/0x520
[ 26.287087]  kunit_try_run_case+0x170/0x3f0
[ 26.287120]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.287158]  kthread+0x328/0x630
[ 26.287183]  ret_from_fork+0x10/0x20
[ 26.287213]
[ 26.349994] Allocated by task 208:
[ 26.353381]  kasan_save_stack+0x3c/0x68
[ 26.357199]  kasan_save_track+0x20/0x40
[ 26.361019]  kasan_save_alloc_info+0x40/0x58
[ 26.365272]  __kasan_kmalloc+0xd4/0xd8
[ 26.369006]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 26.373518]  krealloc_uaf+0xc8/0x520
[ 26.377077]  kunit_try_run_case+0x170/0x3f0
[ 26.381244]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.386713]  kthread+0x328/0x630
[ 26.389925]  ret_from_fork+0x10/0x20
[ 26.393483]
[ 26.394959] Freed by task 208:
[ 26.397997]  kasan_save_stack+0x3c/0x68
[ 26.401816]  kasan_save_track+0x20/0x40
[ 26.405636]  kasan_save_free_info+0x4c/0x78
[ 26.409802]  __kasan_slab_free+0x6c/0x98
[ 26.413709]  kfree+0x214/0x3c8
[ 26.416747]  krealloc_uaf+0x12c/0x520
[ 26.420394]  kunit_try_run_case+0x170/0x3f0
[ 26.424559]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.430028]  kthread+0x328/0x630
[ 26.433240]  ret_from_fork+0x10/0x20
[ 26.436798]
[ 26.438275] The buggy address belongs to the object at ffff000803394a00
[ 26.438275]  which belongs to the cache kmalloc-256 of size 256
[ 26.450776] The buggy address is located 0 bytes inside of
[ 26.450776]  freed 256-byte region [ffff000803394a00, ffff000803394b00)
[ 26.462840]
[ 26.464317] The buggy address belongs to the physical page:
[ 26.469873] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883394
[ 26.477857] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.485497] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 26.492440] page_type: f5(slab)
[ 26.495574] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[ 26.503297] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 26.511024] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[ 26.518835] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 26.526648] head: 0bfffe0000000002 fffffdffe00ce501 00000000ffffffff 00000000ffffffff
[ 26.534460] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 26.542266] page dumped because: kasan: bad access detected
[ 26.547822]
[ 26.549297] Memory state around the buggy address:
[ 26.554075]  ffff000803394900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.561279]  ffff000803394980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.568484] >ffff000803394a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.575685]                    ^
[ 26.578901]  ffff000803394a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.586105]  ffff000803394b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.593307] ==================================================================
```
```text
[ 24.671288] ==================================================================
[ 24.671546] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 24.671673] Read of size 1 at addr fff00000c5fb2200 by task kunit_try_catch/165
[ 24.671804]
[ 24.671880] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 24.672195] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.672351] Hardware name: linux,dummy-virt (DT)
[ 24.672739] Call trace:
[ 24.672843]  show_stack+0x20/0x38 (C)
[ 24.672973]  dump_stack_lvl+0x8c/0xd0
[ 24.673096]  print_report+0x118/0x608
[ 24.673208]  kasan_report+0xdc/0x128
[ 24.673336]  __asan_report_load1_noabort+0x20/0x30
[ 24.673456]  krealloc_uaf+0x4c8/0x520
[ 24.673566]  kunit_try_run_case+0x170/0x3f0
[ 24.673704]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.673847]  kthread+0x328/0x630
[ 24.674163]  ret_from_fork+0x10/0x20
[ 24.674414]
[ 24.674459] Allocated by task 165:
[ 24.674620]  kasan_save_stack+0x3c/0x68
[ 24.674802]  kasan_save_track+0x20/0x40
[ 24.674912]  kasan_save_alloc_info+0x40/0x58
[ 24.675021]  __kasan_kmalloc+0xd4/0xd8
[ 24.675397]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 24.675828]  krealloc_uaf+0xc8/0x520
[ 24.676100]  kunit_try_run_case+0x170/0x3f0
[ 24.676459]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.676664]  kthread+0x328/0x630
[ 24.676773]  ret_from_fork+0x10/0x20
[ 24.676869]
[ 24.676917] Freed by task 165:
[ 24.677031]  kasan_save_stack+0x3c/0x68
[ 24.677180]  kasan_save_track+0x20/0x40
[ 24.677296]  kasan_save_free_info+0x4c/0x78
[ 24.677630]  __kasan_slab_free+0x6c/0x98
[ 24.677949]  kfree+0x214/0x3c8
[ 24.678072]  krealloc_uaf+0x12c/0x520
[ 24.678323]  kunit_try_run_case+0x170/0x3f0
[ 24.678452]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.678733]  kthread+0x328/0x630
[ 24.678825]  ret_from_fork+0x10/0x20
[ 24.678925]
[ 24.678975] The buggy address belongs to the object at fff00000c5fb2200
[ 24.678975]  which belongs to the cache kmalloc-256 of size 256
[ 24.679159] The buggy address is located 0 bytes inside of
[ 24.679159]  freed 256-byte region [fff00000c5fb2200, fff00000c5fb2300)
[ 24.679525]
[ 24.679643] The buggy address belongs to the physical page:
[ 24.679848] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105fb2
[ 24.680004] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 24.680142] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 24.680296] page_type: f5(slab)
[ 24.680467] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 24.680610] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.680795] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 24.681328] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.681558] head: 0bfffe0000000001 ffffc1ffc317ec81 00000000ffffffff 00000000ffffffff
[ 24.682067] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 24.682167] page dumped because: kasan: bad access detected
[ 24.682238]
[ 24.682401] Memory state around the buggy address:
[ 24.682505]  fff00000c5fb2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.682615]  fff00000c5fb2180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.682820] >fff00000c5fb2200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.683017]                    ^
[ 24.683160]  fff00000c5fb2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.683265]  fff00000c5fb2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.683998] ==================================================================
[ 24.649809] ==================================================================
[ 24.650275] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 24.650556] Read of size 1 at addr fff00000c5fb2200 by task kunit_try_catch/165
[ 24.650750]
[ 24.650838] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 24.651155] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.651231] Hardware name: linux,dummy-virt (DT)
[ 24.651313] Call trace:
[ 24.651376]  show_stack+0x20/0x38 (C)
[ 24.651646]  dump_stack_lvl+0x8c/0xd0
[ 24.652276]  print_report+0x118/0x608
[ 24.652399]  kasan_report+0xdc/0x128
[ 24.652650]  __kasan_check_byte+0x54/0x70
[ 24.652789]  krealloc_noprof+0x44/0x360
[ 24.652962]  krealloc_uaf+0x180/0x520
[ 24.653088]  kunit_try_run_case+0x170/0x3f0
[ 24.653440]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.653581]  kthread+0x328/0x630
[ 24.653759]  ret_from_fork+0x10/0x20
[ 24.654008]
[ 24.654110] Allocated by task 165:
[ 24.654243]  kasan_save_stack+0x3c/0x68
[ 24.654346]  kasan_save_track+0x20/0x40
[ 24.654443]  kasan_save_alloc_info+0x40/0x58
[ 24.654534]  __kasan_kmalloc+0xd4/0xd8
[ 24.654623]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 24.654943]  krealloc_uaf+0xc8/0x520
[ 24.655061]  kunit_try_run_case+0x170/0x3f0
[ 24.655174]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.655297]  kthread+0x328/0x630
[ 24.655403]  ret_from_fork+0x10/0x20
[ 24.655509]
[ 24.655585] Freed by task 165:
[ 24.655726]  kasan_save_stack+0x3c/0x68
[ 24.656027]  kasan_save_track+0x20/0x40
[ 24.656134]  kasan_save_free_info+0x4c/0x78
[ 24.656269]  __kasan_slab_free+0x6c/0x98
[ 24.656478]  kfree+0x214/0x3c8
[ 24.656600]  krealloc_uaf+0x12c/0x520
[ 24.656851]  kunit_try_run_case+0x170/0x3f0
[ 24.657013]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.657120]  kthread+0x328/0x630
[ 24.657209]  ret_from_fork+0x10/0x20
[ 24.657360]
[ 24.657544] The buggy address belongs to the object at fff00000c5fb2200
[ 24.657544]  which belongs to the cache kmalloc-256 of size 256
[ 24.657956] The buggy address is located 0 bytes inside of
[ 24.657956]  freed 256-byte region [fff00000c5fb2200, fff00000c5fb2300)
[ 24.658485]
[ 24.658547] The buggy address belongs to the physical page:
[ 24.658708] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105fb2
[ 24.658856] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 24.658962] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 24.659330] page_type: f5(slab)
[ 24.659742] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 24.660527] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.661404] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 24.661986] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.662152] head: 0bfffe0000000001 ffffc1ffc317ec81 00000000ffffffff 00000000ffffffff
[ 24.662425] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 24.662519] page dumped because: kasan: bad access detected
[ 24.663344]
[ 24.663969] Memory state around the buggy address:
[ 24.664212]  fff00000c5fb2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.664621]  fff00000c5fb2180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.664970] >fff00000c5fb2200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.665338]                    ^
[ 24.665413]  fff00000c5fb2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.666368]  fff00000c5fb2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.666517] ==================================================================
```
```text
[ 17.906663] ==================================================================
[ 17.908080] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 17.908974] Read of size 1 at addr ffff888100a24400 by task kunit_try_catch/181
[ 17.910476]
[ 17.910718] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 17.910843] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.910871] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 17.910902] Call Trace:
[ 17.910925]  <TASK>
[ 17.910972]  dump_stack_lvl+0x73/0xb0
[ 17.911024]  print_report+0xd1/0x650
[ 17.911086]  ? __virt_addr_valid+0x1db/0x2d0
[ 17.911120]  ? krealloc_uaf+0x1b8/0x5e0
[ 17.911150]  ? kasan_complete_mode_report_info+0x64/0x200
[ 17.911210]  ? krealloc_uaf+0x1b8/0x5e0
[ 17.911284]  kasan_report+0x141/0x180
[ 17.911357]  ? krealloc_uaf+0x1b8/0x5e0
[ 17.911396]  ? krealloc_uaf+0x1b8/0x5e0
[ 17.911427]  __kasan_check_byte+0x3d/0x50
[ 17.911457]  krealloc_noprof+0x3f/0x340
[ 17.911486]  ? stack_depot_save_flags+0x48b/0x840
[ 17.911524]  krealloc_uaf+0x1b8/0x5e0
[ 17.911555]  ? __pfx_krealloc_uaf+0x10/0x10
[ 17.911585]  ? finish_task_switch.isra.0+0x153/0x700
[ 17.911615]  ? __switch_to+0x47/0xf50
[ 17.911649]  ? __schedule+0x10cc/0x2b60
[ 17.911683]  ? __pfx_read_tsc+0x10/0x10
[ 17.911712]  ? ktime_get_ts64+0x86/0x230
[ 17.911747]  kunit_try_run_case+0x1a5/0x480
[ 17.911806]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.911834]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 17.911870]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 17.911904]  ? __kthread_parkme+0x82/0x180
[ 17.911931]  ? preempt_count_sub+0x50/0x80
[ 17.911962]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.911989]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.912023]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 17.912134]  kthread+0x337/0x6f0
[ 17.912220]  ? trace_preempt_on+0x20/0xc0
[ 17.912302]  ? __pfx_kthread+0x10/0x10
[ 17.912406]  ? _raw_spin_unlock_irq+0x47/0x80
[ 17.912469]  ? calculate_sigpending+0x7b/0xa0
[ 17.912507]  ? __pfx_kthread+0x10/0x10
[ 17.912537]  ret_from_fork+0x116/0x1d0
[ 17.912564]  ? __pfx_kthread+0x10/0x10
[ 17.912592]  ret_from_fork_asm+0x1a/0x30
[ 17.912633]  </TASK>
[ 17.912648]
[ 17.935863] Allocated by task 181:
[ 17.936887]  kasan_save_stack+0x45/0x70
[ 17.937253]  kasan_save_track+0x18/0x40
[ 17.937628]  kasan_save_alloc_info+0x3b/0x50
[ 17.938428]  __kasan_kmalloc+0xb7/0xc0
[ 17.938722]  __kmalloc_cache_noprof+0x189/0x420
[ 17.939703]  krealloc_uaf+0xbb/0x5e0
[ 17.940267]  kunit_try_run_case+0x1a5/0x480
[ 17.940895]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.941776]  kthread+0x337/0x6f0
[ 17.942210]  ret_from_fork+0x116/0x1d0
[ 17.943251]  ret_from_fork_asm+0x1a/0x30
[ 17.943616]
[ 17.943969] Freed by task 181:
[ 17.944488]  kasan_save_stack+0x45/0x70
[ 17.945284]  kasan_save_track+0x18/0x40
[ 17.945670]  kasan_save_free_info+0x3f/0x60
[ 17.946639]  __kasan_slab_free+0x56/0x70
[ 17.947781]  kfree+0x222/0x3f0
[ 17.948126]  krealloc_uaf+0x13d/0x5e0
[ 17.948825]  kunit_try_run_case+0x1a5/0x480
[ 17.949852]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.950368]  kthread+0x337/0x6f0
[ 17.950713]  ret_from_fork+0x116/0x1d0
[ 17.951100]  ret_from_fork_asm+0x1a/0x30
[ 17.951545]
[ 17.951759] The buggy address belongs to the object at ffff888100a24400
[ 17.951759]  which belongs to the cache kmalloc-256 of size 256
[ 17.953453] The buggy address is located 0 bytes inside of
[ 17.953453]  freed 256-byte region [ffff888100a24400, ffff888100a24500)
[ 17.955494]
[ 17.956142] The buggy address belongs to the physical page:
[ 17.956960] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a24
[ 17.958121] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 17.959021] flags: 0x200000000000040(head|node=0|zone=2)
[ 17.959564] page_type: f5(slab)
[ 17.959906] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 17.960527] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.961100] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 17.961951] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.962676] head: 0200000000000001 ffffea0004028901 00000000ffffffff 00000000ffffffff
[ 17.963368] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 17.964115] page dumped because: kasan: bad access detected
[ 17.964682]
[ 17.965092] Memory state around the buggy address:
[ 17.965686]  ffff888100a24300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.966517]  ffff888100a24380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.967147] >ffff888100a24400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.967937]                    ^
[ 17.968401]  ffff888100a24480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.969272]  ffff888100a24500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.970187] ==================================================================
[ 17.971492] ==================================================================
[ 17.972266] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 17.973004] Read of size 1 at addr ffff888100a24400 by task kunit_try_catch/181
[ 17.973725]
[ 17.974013] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 17.974160] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.974198] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 17.974252] Call Trace:
[ 17.974311]  <TASK>
[ 17.974359]  dump_stack_lvl+0x73/0xb0
[ 17.974440]  print_report+0xd1/0x650
[ 17.974517]  ? __virt_addr_valid+0x1db/0x2d0
[ 17.974599]  ? krealloc_uaf+0x53c/0x5e0
[ 17.974669]  ? kasan_complete_mode_report_info+0x64/0x200
[ 17.974759]  ? krealloc_uaf+0x53c/0x5e0
[ 17.974836]  kasan_report+0x141/0x180
[ 17.974914]  ? krealloc_uaf+0x53c/0x5e0
[ 17.975000]  __asan_report_load1_noabort+0x18/0x20
[ 17.975095]  krealloc_uaf+0x53c/0x5e0
[ 17.975173]  ? __pfx_krealloc_uaf+0x10/0x10
[ 17.975251]  ? finish_task_switch.isra.0+0x153/0x700
[ 17.975327]  ? __switch_to+0x47/0xf50
[ 17.975409]  ? __schedule+0x10cc/0x2b60
[ 17.975488]  ? __pfx_read_tsc+0x10/0x10
[ 17.975561]  ? ktime_get_ts64+0x86/0x230
[ 17.975644]  kunit_try_run_case+0x1a5/0x480
[ 17.975719]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.975786]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 17.975873]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 17.975952]  ? __kthread_parkme+0x82/0x180
[ 17.976022]  ? preempt_count_sub+0x50/0x80
[ 17.976246]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 17.976299]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.976339]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 17.976375]  kthread+0x337/0x6f0
[ 17.976402]  ? trace_preempt_on+0x20/0xc0
[ 17.976434]  ? __pfx_kthread+0x10/0x10
[ 17.976462]  ? _raw_spin_unlock_irq+0x47/0x80
[ 17.976494]  ? calculate_sigpending+0x7b/0xa0
[ 17.976527]  ? __pfx_kthread+0x10/0x10
[ 17.976556]  ret_from_fork+0x116/0x1d0
[ 17.976579]  ? __pfx_kthread+0x10/0x10
[ 17.976607]  ret_from_fork_asm+0x1a/0x30
[ 17.976647]  </TASK>
[ 17.976661]
[ 17.996496] Allocated by task 181:
[ 17.996886]  kasan_save_stack+0x45/0x70
[ 17.997724]  kasan_save_track+0x18/0x40
[ 17.998093]  kasan_save_alloc_info+0x3b/0x50
[ 17.998692]  __kasan_kmalloc+0xb7/0xc0
[ 17.999414]  __kmalloc_cache_noprof+0x189/0x420
[ 17.999824]  krealloc_uaf+0xbb/0x5e0
[ 18.000630]  kunit_try_run_case+0x1a5/0x480
[ 18.001075]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.001981]  kthread+0x337/0x6f0
[ 18.002858]  ret_from_fork+0x116/0x1d0
[ 18.003471]  ret_from_fork_asm+0x1a/0x30
[ 18.004099]
[ 18.004316] Freed by task 181:
[ 18.004637]  kasan_save_stack+0x45/0x70
[ 18.005237]  kasan_save_track+0x18/0x40
[ 18.005722]  kasan_save_free_info+0x3f/0x60
[ 18.006137]  __kasan_slab_free+0x56/0x70
[ 18.006635]  kfree+0x222/0x3f0
[ 18.007509]  krealloc_uaf+0x13d/0x5e0
[ 18.007796]  kunit_try_run_case+0x1a5/0x480
[ 18.008631]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.009463]  kthread+0x337/0x6f0
[ 18.010007]  ret_from_fork+0x116/0x1d0
[ 18.010470]  ret_from_fork_asm+0x1a/0x30
[ 18.011269]
[ 18.011425] The buggy address belongs to the object at ffff888100a24400
[ 18.011425]  which belongs to the cache kmalloc-256 of size 256
[ 18.012301] The buggy address is located 0 bytes inside of
[ 18.012301]  freed 256-byte region [ffff888100a24400, ffff888100a24500)
[ 18.013739]
[ 18.014007] The buggy address belongs to the physical page:
[ 18.015196] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a24
[ 18.015797] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 18.016569] flags: 0x200000000000040(head|node=0|zone=2)
[ 18.017428] page_type: f5(slab)
[ 18.017964] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 18.018783] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.019696] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 18.020820] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.021827] head: 0200000000000001 ffffea0004028901 00000000ffffffff 00000000ffffffff
[ 18.022693] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 18.023584] page dumped because: kasan: bad access detected
[ 18.024312]
[ 18.024524] Memory state around the buggy address:
[ 18.025248]  ffff888100a24300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.026378]  ffff888100a24380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.027051] >ffff888100a24400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.027902]                    ^
[ 18.028414]  ffff888100a24480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.029122]  ffff888100a24500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.030508] ==================================================================
```
```text
[ 52.864105] ==================================================================
[ 52.871368] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x580/0x5d4
[ 52.878051] Read of size 1 at addr cb2c8000 by task kunit_try_catch/216
[ 52.884704]
[ 52.886199] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 52.886230] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 52.886230] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 52.886260] Call trace:
[ 52.886260]  unwind_backtrace from show_stack+0x18/0x1c
[ 52.886291]  show_stack from dump_stack_lvl+0x70/0x90
[ 52.886322]  dump_stack_lvl from print_report+0x158/0x528
[ 52.886322]  print_report from kasan_report+0xdc/0x118
[ 52.886352]  kasan_report from krealloc_uaf+0x580/0x5d4
[ 52.886383]  krealloc_uaf from kunit_try_run_case+0x22c/0x5a8
[ 52.886413]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 52.886444]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 52.886444]  kthread from ret_from_fork+0x14/0x20
[ 52.886474] Exception stack(0xf2243fb0 to 0xf2243ff8)
[ 52.886474] 3fa0:                                     00000000 00000000 00000000 00000000
[ 52.886505] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 52.886505] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 52.886535]
[ 52.991394] Allocated by task 216:
[ 52.994812]  kasan_save_track+0x30/0x5c
[ 52.998687]  __kasan_kmalloc+0x8c/0x94
[ 53.002471]  krealloc_uaf+0xd8/0x5d4
[ 53.006072]  kunit_try_run_case+0x22c/0x5a8
[ 53.010284]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 53.015808]  kthread+0x464/0x810
[ 53.019073]  ret_from_fork+0x14/0x20
[ 53.022674]
[ 53.024169] Freed by task 216:
[ 53.027252]  kasan_save_track+0x30/0x5c
[ 53.031127]  kasan_save_free_info+0x3c/0x48
[ 53.035339]  __kasan_slab_free+0x40/0x50
[ 53.039276]  kfree+0xe8/0x384
[ 53.042297]  krealloc_uaf+0x180/0x5d4
[ 53.045989]  kunit_try_run_case+0x22c/0x5a8
[ 53.050201]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 53.055725]  kthread+0x464/0x810
[ 53.058990]  ret_from_fork+0x14/0x20
[ 53.062591]
[ 53.064086] The buggy address belongs to the object at cb2c8000
[ 53.064086]  which belongs to the cache kmalloc-256 of size 256
[ 53.075988] The buggy address is located 0 bytes inside of
[ 53.075988]  freed 256-byte region [cb2c8000, cb2c8100)
[ 53.086730]
[ 53.088256] The buggy address belongs to the physical page:
[ 53.093841] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8b2c8
[ 53.101135] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 53.108825] flags: 0x40(head|zone=0)
[ 53.112426] page_type: f5(slab)
[ 53.115600] raw: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[ 53.123748] raw: 00000000
[ 53.126373] head: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[ 53.134613] head: 00000000 00000001 eeb91421 ffffffff 00000000 ffffffff 00000000 ffffffff
[ 53.142852] head: 00000000 00000002
[ 53.146362] page dumped because: kasan: bad access detected
[ 53.151977]
[ 53.153472] Memory state around the buggy address:
[ 53.158294]  cb2c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.164855]  cb2c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.171417] >cb2c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.178009]            ^
[ 53.180541]  cb2c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.187133]  cb2c8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.193695] ==================================================================
[ 52.510711] ==================================================================
[ 52.522369] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x208/0x5d4
[ 52.529022] Read of size 1 at addr cb2c8000 by task kunit_try_catch/216
[ 52.535675]
[ 52.537200] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 52.537200] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 52.537231] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 52.537231] Call trace:
[ 52.537231]  unwind_backtrace from show_stack+0x18/0x1c
[ 52.537261]  show_stack from dump_stack_lvl+0x70/0x90
[ 52.537292]  dump_stack_lvl from print_report+0x158/0x528
[ 52.537322]  print_report from kasan_report+0xdc/0x118
[ 52.537322]  kasan_report from __kasan_check_byte+0x34/0x3c
[ 52.537353]  __kasan_check_byte from krealloc_noprof+0x30/0x2e4
[ 52.537384]  krealloc_noprof from krealloc_uaf+0x208/0x5d4
[ 52.537384]  krealloc_uaf from kunit_try_run_case+0x22c/0x5a8
[ 52.537414]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 52.537445]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 52.537475]  kthread from ret_from_fork+0x14/0x20
[ 52.537506] Exception stack(0xf2243fb0 to 0xf2243ff8)
[ 52.537506] 3fa0:                                     00000000 00000000 00000000 00000000
[ 52.537536] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 52.537536] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 52.537536]
[ 52.654205] Allocated by task 216:
[ 52.657653]  kasan_save_track+0x30/0x5c
[ 52.661499]  __kasan_kmalloc+0x8c/0x94
[ 52.665283]  krealloc_uaf+0xd8/0x5d4
[ 52.668884]  kunit_try_run_case+0x22c/0x5a8
[ 52.673126]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 52.678649]  kthread+0x464/0x810
[ 52.681884]  ret_from_fork+0x14/0x20
[ 52.685485]
[ 52.687011] Freed by task 216:
[ 52.690063]  kasan_save_track+0x30/0x5c
[ 52.693939]  kasan_save_free_info+0x3c/0x48
[ 52.698150]  __kasan_slab_free+0x40/0x50
[ 52.702117]  kfree+0xe8/0x384
[ 52.705108]  krealloc_uaf+0x180/0x5d4
[ 52.708801]  kunit_try_run_case+0x22c/0x5a8
[ 52.713012]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 52.718536]  kthread+0x464/0x810
[ 52.721801]  ret_from_fork+0x14/0x20
[ 52.725402]
[ 52.726898] The buggy address belongs to the object at cb2c8000
[ 52.726898]  which belongs to the cache kmalloc-256 of size 256
[ 52.738800] The buggy address is located 0 bytes inside of
[ 52.738800]  freed 256-byte region [cb2c8000, cb2c8100)
[ 52.749572]
[ 52.751068] The buggy address belongs to the physical page:
[ 52.756683] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8b2c8
[ 52.763946] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 52.771667] flags: 0x40(head|zone=0)
[ 52.775268] page_type: f5(slab)
[ 52.778442] raw: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[ 52.786560] raw: 00000000
[ 52.789215] head: 00000040 c7001500 00000122 00000000 00000000 80100010 f5000000 00000000
[ 52.797454] head: 00000000 00000001 eeb91421 ffffffff 00000000 ffffffff 00000000 ffffffff
[ 52.805694] head: 00000000 00000002
[ 52.809204] page dumped because: kasan: bad access detected
[ 52.814788]
[ 52.816314] Memory state around the buggy address:
[ 52.821136]  cb2c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.827697]  cb2c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.834259] >cb2c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.840850]            ^
[ 52.843383]  cb2c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.849945]  cb2c8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.856536] ==================================================================
```