Date
June 3, 2025, 7:38 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
x86 |
```text
[ 18.309173] ==================================================================
[ 18.309476] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 18.309558] Read of size 1 at addr fff00000c1828a00 by task kunit_try_catch/164
[ 18.309645]
[ 18.309694] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT
[ 18.309778] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.309840] Hardware name: linux,dummy-virt (DT)
[ 18.309888] Call trace:
[ 18.309910]  show_stack+0x20/0x38 (C)
[ 18.309964]  dump_stack_lvl+0x8c/0xd0
[ 18.310031]  print_report+0x118/0x608
[ 18.310103]  kasan_report+0xdc/0x128
[ 18.310167]  __asan_report_load1_noabort+0x20/0x30
[ 18.310234]  krealloc_uaf+0x4c8/0x520
[ 18.310280]  kunit_try_run_case+0x170/0x3f0
[ 18.310355]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.310409]  kthread+0x328/0x630
[ 18.310465]  ret_from_fork+0x10/0x20
[ 18.310530]
[ 18.310736] Allocated by task 164:
[ 18.310771]  kasan_save_stack+0x3c/0x68
[ 18.310813]  kasan_save_track+0x20/0x40
[ 18.310849]  kasan_save_alloc_info+0x40/0x58
[ 18.310885]  __kasan_kmalloc+0xd4/0xd8
[ 18.310937]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.310977]  krealloc_uaf+0xc8/0x520
[ 18.311027]  kunit_try_run_case+0x170/0x3f0
[ 18.311095]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.311139]  kthread+0x328/0x630
[ 18.311199]  ret_from_fork+0x10/0x20
[ 18.311254]
[ 18.311272] Freed by task 164:
[ 18.311298]  kasan_save_stack+0x3c/0x68
[ 18.311334]  kasan_save_track+0x20/0x40
[ 18.311501]  kasan_save_free_info+0x4c/0x78
[ 18.311560]  __kasan_slab_free+0x6c/0x98
[ 18.311597]  kfree+0x214/0x3c8
[ 18.311629]  krealloc_uaf+0x12c/0x520
[ 18.311683]  kunit_try_run_case+0x170/0x3f0
[ 18.311720]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.311762]  kthread+0x328/0x630
[ 18.311794]  ret_from_fork+0x10/0x20
[ 18.311828]
[ 18.311847] The buggy address belongs to the object at fff00000c1828a00
[ 18.311847]  which belongs to the cache kmalloc-256 of size 256
[ 18.311995] The buggy address is located 0 bytes inside of
[ 18.311995]  freed 256-byte region [fff00000c1828a00, fff00000c1828b00)
[ 18.312114]
[ 18.312183] The buggy address belongs to the physical page:
[ 18.312248] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101828
[ 18.312346] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 18.312494] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 18.312592] page_type: f5(slab)
[ 18.312666] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 18.312749] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.312855] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 18.312941] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.313011] head: 0bfffe0000000001 ffffc1ffc3060a01 00000000ffffffff 00000000ffffffff
[ 18.313071] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 18.313376] page dumped because: kasan: bad access detected
[ 18.313482]
[ 18.313598] Memory state around the buggy address:
[ 18.313667]  fff00000c1828900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.313740]  fff00000c1828980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.313862] >fff00000c1828a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.313970]                    ^
[ 18.314066]  fff00000c1828a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.314123]  fff00000c1828b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.314231] ==================================================================
[ 18.302606] ==================================================================
[ 18.302683] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 18.302747] Read of size 1 at addr fff00000c1828a00 by task kunit_try_catch/164
[ 18.302798]
[ 18.302839] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT
[ 18.303017] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.303060] Hardware name: linux,dummy-virt (DT)
[ 18.303090] Call trace:
[ 18.303112]  show_stack+0x20/0x38 (C)
[ 18.303177]  dump_stack_lvl+0x8c/0xd0
[ 18.303225]  print_report+0x118/0x608
[ 18.303271]  kasan_report+0xdc/0x128
[ 18.303328]  __kasan_check_byte+0x54/0x70
[ 18.303436]  krealloc_noprof+0x44/0x360
[ 18.303485]  krealloc_uaf+0x180/0x520
[ 18.303728]  kunit_try_run_case+0x170/0x3f0
[ 18.303794]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.303869]  kthread+0x328/0x630
[ 18.303916]  ret_from_fork+0x10/0x20
[ 18.303965]
[ 18.303984] Allocated by task 164:
[ 18.304012]  kasan_save_stack+0x3c/0x68
[ 18.304053]  kasan_save_track+0x20/0x40
[ 18.304090]  kasan_save_alloc_info+0x40/0x58
[ 18.304126]  __kasan_kmalloc+0xd4/0xd8
[ 18.304268]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.304340]  krealloc_uaf+0xc8/0x520
[ 18.304389]  kunit_try_run_case+0x170/0x3f0
[ 18.304496]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.304575]  kthread+0x328/0x630
[ 18.304694]  ret_from_fork+0x10/0x20
[ 18.304786]
[ 18.304860] Freed by task 164:
[ 18.304943]  kasan_save_stack+0x3c/0x68
[ 18.305000]  kasan_save_track+0x20/0x40
[ 18.305037]  kasan_save_free_info+0x4c/0x78
[ 18.305299]  __kasan_slab_free+0x6c/0x98
[ 18.305376]  kfree+0x214/0x3c8
[ 18.305456]  krealloc_uaf+0x12c/0x520
[ 18.305568]  kunit_try_run_case+0x170/0x3f0
[ 18.305651]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.305765]  kthread+0x328/0x630
[ 18.305810]  ret_from_fork+0x10/0x20
[ 18.305845]
[ 18.305877] The buggy address belongs to the object at fff00000c1828a00
[ 18.305877]  which belongs to the cache kmalloc-256 of size 256
[ 18.306266] The buggy address is located 0 bytes inside of
[ 18.306266]  freed 256-byte region [fff00000c1828a00, fff00000c1828b00)
[ 18.306365]
[ 18.306405] The buggy address belongs to the physical page:
[ 18.306450] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101828
[ 18.306511] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 18.306555] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 18.306624] page_type: f5(slab)
[ 18.306663] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 18.306712] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.306761] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 18.306808] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.306863] head: 0bfffe0000000001 ffffc1ffc3060a01 00000000ffffffff 00000000ffffffff
[ 18.306911] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 18.306949] page dumped because: kasan: bad access detected
[ 18.306980]
[ 18.306997] Memory state around the buggy address:
[ 18.307045]  fff00000c1828900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.307087]  fff00000c1828980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.307128] >fff00000c1828a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.307165]                    ^
[ 18.307201]  fff00000c1828a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.307244]  fff00000c1828b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.307291] ==================================================================
```
```text
[ 14.392279] ==================================================================
[ 14.393492] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 14.393828] Read of size 1 at addr ffff888100342000 by task kunit_try_catch/181
[ 14.394106]
[ 14.394263] CPU: 0 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT(voluntary)
[ 14.394417] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.394447] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.394513] Call Trace:
[ 14.394558]  <TASK>
[ 14.394599]  dump_stack_lvl+0x73/0xb0
[ 14.394666]  print_report+0xd1/0x650
[ 14.394787]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.394859]  ? krealloc_uaf+0x53c/0x5e0
[ 14.394902]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.394941]  ? krealloc_uaf+0x53c/0x5e0
[ 14.394979]  kasan_report+0x141/0x180
[ 14.395021]  ? krealloc_uaf+0x53c/0x5e0
[ 14.395076]  __asan_report_load1_noabort+0x18/0x20
[ 14.395151]  krealloc_uaf+0x53c/0x5e0
[ 14.395231]  ? __pfx_krealloc_uaf+0x10/0x10
[ 14.395281]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.395332]  ? __switch_to+0x47/0xf50
[ 14.395429]  ? __schedule+0x10cc/0x2b60
[ 14.395502]  ? __pfx_read_tsc+0x10/0x10
[ 14.395548]  ? ktime_get_ts64+0x86/0x230
[ 14.395583]  kunit_try_run_case+0x1a5/0x480
[ 14.395610]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.395632]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.395659]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.395705]  ? __kthread_parkme+0x82/0x180
[ 14.395772]  ? preempt_count_sub+0x50/0x80
[ 14.395811]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.395849]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.395893]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.395938]  kthread+0x337/0x6f0
[ 14.395980]  ? trace_preempt_on+0x20/0xc0
[ 14.396025]  ? __pfx_kthread+0x10/0x10
[ 14.396070]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.396118]  ? calculate_sigpending+0x7b/0xa0
[ 14.396167]  ? __pfx_kthread+0x10/0x10
[ 14.396228]  ret_from_fork+0x116/0x1d0
[ 14.396269]  ? __pfx_kthread+0x10/0x10
[ 14.396324]  ret_from_fork_asm+0x1a/0x30
[ 14.396395]  </TASK>
[ 14.396420]
[ 14.410151] Allocated by task 181:
[ 14.410436]  kasan_save_stack+0x45/0x70
[ 14.411284]  kasan_save_track+0x18/0x40
[ 14.411551]  kasan_save_alloc_info+0x3b/0x50
[ 14.412274]  __kasan_kmalloc+0xb7/0xc0
[ 14.412595]  __kmalloc_cache_noprof+0x189/0x420
[ 14.413168]  krealloc_uaf+0xbb/0x5e0
[ 14.413467]  kunit_try_run_case+0x1a5/0x480
[ 14.414066]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.414567]  kthread+0x337/0x6f0
[ 14.414847]  ret_from_fork+0x116/0x1d0
[ 14.415106]  ret_from_fork_asm+0x1a/0x30
[ 14.415801]
[ 14.416101] Freed by task 181:
[ 14.416522]  kasan_save_stack+0x45/0x70
[ 14.417204]  kasan_save_track+0x18/0x40
[ 14.417542]  kasan_save_free_info+0x3f/0x60
[ 14.418199]  __kasan_slab_free+0x56/0x70
[ 14.418579]  kfree+0x222/0x3f0
[ 14.419102]  krealloc_uaf+0x13d/0x5e0
[ 14.419835]  kunit_try_run_case+0x1a5/0x480
[ 14.420333]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.420564]  kthread+0x337/0x6f0
[ 14.420811]  ret_from_fork+0x116/0x1d0
[ 14.421577]  ret_from_fork_asm+0x1a/0x30
[ 14.422271]
[ 14.422407] The buggy address belongs to the object at ffff888100342000
[ 14.422407]  which belongs to the cache kmalloc-256 of size 256
[ 14.423555] The buggy address is located 0 bytes inside of
[ 14.423555]  freed 256-byte region [ffff888100342000, ffff888100342100)
[ 14.424028]
[ 14.424159] The buggy address belongs to the physical page:
[ 14.424383] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100342
[ 14.425120] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 14.425613] flags: 0x200000000000040(head|node=0|zone=2)
[ 14.426074] page_type: f5(slab)
[ 14.426475] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 14.426876] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.427780] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 14.428569] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.429512] head: 0200000000000001 ffffea000400d081 00000000ffffffff 00000000ffffffff
[ 14.430261] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 14.430845] page dumped because: kasan: bad access detected
[ 14.431482]
[ 14.431638] Memory state around the buggy address:
[ 14.432024]  ffff888100341f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.432669]  ffff888100341f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.432889] >ffff888100342000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.433343]                    ^
[ 14.433696]  ffff888100342080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.434565]  ffff888100342100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.435383] ==================================================================
[ 14.341532] ==================================================================
[ 14.342795] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 14.343418] Read of size 1 at addr ffff888100342000 by task kunit_try_catch/181
[ 14.344652]
[ 14.345015] CPU: 0 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT(voluntary)
[ 14.345132] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.345161] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.345206] Call Trace:
[ 14.345237]  <TASK>
[ 14.345281]  dump_stack_lvl+0x73/0xb0
[ 14.345355]  print_report+0xd1/0x650
[ 14.345405]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.345467]  ? krealloc_uaf+0x1b8/0x5e0
[ 14.345522]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.345580]  ? krealloc_uaf+0x1b8/0x5e0
[ 14.345624]  kasan_report+0x141/0x180
[ 14.345671]  ? krealloc_uaf+0x1b8/0x5e0
[ 14.345720]  ? krealloc_uaf+0x1b8/0x5e0
[ 14.345824]  __kasan_check_byte+0x3d/0x50
[ 14.345863]  krealloc_noprof+0x3f/0x340
[ 14.345900]  krealloc_uaf+0x1b8/0x5e0
[ 14.345931]  ? __pfx_krealloc_uaf+0x10/0x10
[ 14.345960]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.345993]  ? __switch_to+0x47/0xf50
[ 14.346029]  ? __schedule+0x10cc/0x2b60
[ 14.346063]  ? __pfx_read_tsc+0x10/0x10
[ 14.346094]  ? ktime_get_ts64+0x86/0x230
[ 14.346133]  kunit_try_run_case+0x1a5/0x480
[ 14.346172]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.346200]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.346239]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.346278]  ? __kthread_parkme+0x82/0x180
[ 14.346310]  ? preempt_count_sub+0x50/0x80
[ 14.346345]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.346375]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.346412]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.346492]  kthread+0x337/0x6f0
[ 14.346518]  ? trace_preempt_on+0x20/0xc0
[ 14.346545]  ? __pfx_kthread+0x10/0x10
[ 14.346567]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.346592]  ? calculate_sigpending+0x7b/0xa0
[ 14.346618]  ? __pfx_kthread+0x10/0x10
[ 14.346641]  ret_from_fork+0x116/0x1d0
[ 14.346661]  ? __pfx_kthread+0x10/0x10
[ 14.346687]  ret_from_fork_asm+0x1a/0x30
[ 14.346778]  </TASK>
[ 14.346802]
[ 14.363373] Allocated by task 181:
[ 14.363672]  kasan_save_stack+0x45/0x70
[ 14.364254]  kasan_save_track+0x18/0x40
[ 14.365043]  kasan_save_alloc_info+0x3b/0x50
[ 14.365422]  __kasan_kmalloc+0xb7/0xc0
[ 14.366070]  __kmalloc_cache_noprof+0x189/0x420
[ 14.366416]  krealloc_uaf+0xbb/0x5e0
[ 14.366960]  kunit_try_run_case+0x1a5/0x480
[ 14.367171]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.368140]  kthread+0x337/0x6f0
[ 14.368392]  ret_from_fork+0x116/0x1d0
[ 14.368564]  ret_from_fork_asm+0x1a/0x30
[ 14.368905]
[ 14.369402] Freed by task 181:
[ 14.369705]  kasan_save_stack+0x45/0x70
[ 14.370609]  kasan_save_track+0x18/0x40
[ 14.371070]  kasan_save_free_info+0x3f/0x60
[ 14.371869]  __kasan_slab_free+0x56/0x70
[ 14.372172]  kfree+0x222/0x3f0
[ 14.372357]  krealloc_uaf+0x13d/0x5e0
[ 14.372744]  kunit_try_run_case+0x1a5/0x480
[ 14.373351]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.374168]  kthread+0x337/0x6f0
[ 14.374382]  ret_from_fork+0x116/0x1d0
[ 14.375033]  ret_from_fork_asm+0x1a/0x30
[ 14.375611]
[ 14.375796] The buggy address belongs to the object at ffff888100342000
[ 14.375796]  which belongs to the cache kmalloc-256 of size 256
[ 14.377236] The buggy address is located 0 bytes inside of
[ 14.377236]  freed 256-byte region [ffff888100342000, ffff888100342100)
[ 14.378341]
[ 14.378765] The buggy address belongs to the physical page:
[ 14.379083] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100342
[ 14.379647] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 14.380439] flags: 0x200000000000040(head|node=0|zone=2)
[ 14.380876] page_type: f5(slab)
[ 14.381319] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 14.381657] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.382216] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 14.382974] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.383660] head: 0200000000000001 ffffea000400d081 00000000ffffffff 00000000ffffffff
[ 14.384767] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 14.385086] page dumped because: kasan: bad access detected
[ 14.385262]
[ 14.385395] Memory state around the buggy address:
[ 14.386446]  ffff888100341f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.387353]  ffff888100341f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.388171] >ffff888100342000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.388878]                    ^
[ 14.389202]  ffff888100342080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.390370]  ffff888100342100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.390878] ==================================================================
```
```text
[ 26.108866] ==================================================================
[ 26.120448] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 26.127061] Read of size 1 at addr ffff888104476600 by task kunit_try_catch/204
[ 26.134383]
[ 26.135904] CPU: 2 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G S B N 6.15.0-next-20250603 #1 PREEMPT(voluntary)
[ 26.135913] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[ 26.135915] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 26.135919] Call Trace:
[ 26.135920]  <TASK>
[ 26.135922]  dump_stack_lvl+0x73/0xb0
[ 26.135926]  print_report+0xd1/0x650
[ 26.135930]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.135934]  ? krealloc_uaf+0x1b8/0x5e0
[ 26.135938]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.135942]  ? krealloc_uaf+0x1b8/0x5e0
[ 26.135946]  kasan_report+0x141/0x180
[ 26.135950]  ? krealloc_uaf+0x1b8/0x5e0
[ 26.135955]  ? krealloc_uaf+0x1b8/0x5e0
[ 26.135959]  __kasan_check_byte+0x3d/0x50
[ 26.135963]  krealloc_noprof+0x3f/0x340
[ 26.135967]  krealloc_uaf+0x1b8/0x5e0
[ 26.135971]  ? __pfx_krealloc_uaf+0x10/0x10
[ 26.135975]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.135979]  ? __switch_to+0x544/0xf50
[ 26.135984]  ? __schedule+0x10cc/0x2b60
[ 26.135988]  ? ktime_get_ts64+0x83/0x230
[ 26.135992]  kunit_try_run_case+0x1a2/0x480
[ 26.135996]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.135999]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.136004]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.136009]  ? __kthread_parkme+0x82/0x180
[ 26.136012]  ? preempt_count_sub+0x50/0x80
[ 26.136016]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.136020]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 26.136024]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.136029]  kthread+0x334/0x6f0
[ 26.136032]  ? trace_preempt_on+0x20/0xc0
[ 26.136036]  ? __pfx_kthread+0x10/0x10
[ 26.136040]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.136044]  ? calculate_sigpending+0x7b/0xa0
[ 26.136048]  ? __pfx_kthread+0x10/0x10
[ 26.136052]  ret_from_fork+0x113/0x1d0
[ 26.136055]  ? __pfx_kthread+0x10/0x10
[ 26.136059]  ret_from_fork_asm+0x1a/0x30
[ 26.136065]  </TASK>
[ 26.136066]
[ 26.315116] Allocated by task 204:
[ 26.318524]  kasan_save_stack+0x45/0x70
[ 26.322382]  kasan_save_track+0x18/0x40
[ 26.326243]  kasan_save_alloc_info+0x3b/0x50
[ 26.330517]  __kasan_kmalloc+0xb7/0xc0
[ 26.334269]  __kmalloc_cache_noprof+0x189/0x420
[ 26.338803]  krealloc_uaf+0xbb/0x5e0
[ 26.342383]  kunit_try_run_case+0x1a2/0x480
[ 26.346592]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 26.351993]  kthread+0x334/0x6f0
[ 26.355227]  ret_from_fork+0x113/0x1d0
[ 26.358977]  ret_from_fork_asm+0x1a/0x30
[ 26.362904]
[ 26.364413] Freed by task 204:
[ 26.367471]  kasan_save_stack+0x45/0x70
[ 26.371310]  kasan_save_track+0x18/0x40
[ 26.375151]  kasan_save_free_info+0x3f/0x60
[ 26.379334]  __kasan_slab_free+0x56/0x70
[ 26.383261]  kfree+0x222/0x3f0
[ 26.386320]  krealloc_uaf+0x13d/0x5e0
[ 26.389987]  kunit_try_run_case+0x1a2/0x480
[ 26.394174]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 26.399581]  kthread+0x334/0x6f0
[ 26.402813]  ret_from_fork+0x113/0x1d0
[ 26.406566]  ret_from_fork_asm+0x1a/0x30
[ 26.410493]
[ 26.411992] The buggy address belongs to the object at ffff888104476600
[ 26.411992]  which belongs to the cache kmalloc-256 of size 256
[ 26.424506] The buggy address is located 0 bytes inside of
[ 26.424506]  freed 256-byte region [ffff888104476600, ffff888104476700)
[ 26.436585]
[ 26.438085] The buggy address belongs to the physical page:
[ 26.443659] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104476
[ 26.451667] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.459326] flags: 0x200000000000040(head|node=0|zone=2)
[ 26.464640] page_type: f5(slab)
[ 26.467789] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[ 26.475535] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.483275] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[ 26.491108] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.498935] head: 0200000000000001 ffffea0004111d81 00000000ffffffff 00000000ffffffff
[ 26.506769] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 26.514595] page dumped because: kasan: bad access detected
[ 26.520167]
[ 26.521666] Memory state around the buggy address:
[ 26.526458]  ffff888104476500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.533678]  ffff888104476580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.540898] >ffff888104476600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.548116]                    ^
[ 26.551350]  ffff888104476680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.558593]  ffff888104476700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.565813] ==================================================================
[ 26.573064] ==================================================================
[ 26.580296] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 26.586915] Read of size 1 at addr ffff888104476600 by task kunit_try_catch/204
[ 26.594222]
[ 26.595723] CPU: 2 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G S B N 6.15.0-next-20250603 #1 PREEMPT(voluntary)
[ 26.595732] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[ 26.595734] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 26.595738] Call Trace:
[ 26.595739]  <TASK>
[ 26.595741]  dump_stack_lvl+0x73/0xb0
[ 26.595745]  print_report+0xd1/0x650
[ 26.595749]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.595752]  ? krealloc_uaf+0x53c/0x5e0
[ 26.595756]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.595760]  ? krealloc_uaf+0x53c/0x5e0
[ 26.595764]  kasan_report+0x141/0x180
[ 26.595768]  ? krealloc_uaf+0x53c/0x5e0
[ 26.595773]  __asan_report_load1_noabort+0x18/0x20
[ 26.595777]  krealloc_uaf+0x53c/0x5e0
[ 26.595781]  ? __pfx_krealloc_uaf+0x10/0x10
[ 26.595785]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.595789]  ? __switch_to+0x544/0xf50
[ 26.595793]  ? __schedule+0x10cc/0x2b60
[ 26.595798]  ? ktime_get_ts64+0x83/0x230
[ 26.595802]  kunit_try_run_case+0x1a2/0x480
[ 26.595806]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.595809]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.595814]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.595818]  ? __kthread_parkme+0x82/0x180
[ 26.595821]  ? preempt_count_sub+0x50/0x80
[ 26.595826]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.595829]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 26.595834]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.595838]  kthread+0x334/0x6f0
[ 26.595842]  ? trace_preempt_on+0x20/0xc0
[ 26.595846]  ? __pfx_kthread+0x10/0x10
[ 26.595849]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.595853]  ? calculate_sigpending+0x7b/0xa0
[ 26.595858]  ? __pfx_kthread+0x10/0x10
[ 26.595862]  ret_from_fork+0x113/0x1d0
[ 26.595865]  ? __pfx_kthread+0x10/0x10
[ 26.595868]  ret_from_fork_asm+0x1a/0x30
[ 26.595874]  </TASK>
[ 26.595876]
[ 26.768088] Allocated by task 204:
[ 26.771496]  kasan_save_stack+0x45/0x70
[ 26.775333]  kasan_save_track+0x18/0x40
[ 26.779173]  kasan_save_alloc_info+0x3b/0x50
[ 26.783446]  __kasan_kmalloc+0xb7/0xc0
[ 26.787199]  __kmalloc_cache_noprof+0x189/0x420
[ 26.791732]  krealloc_uaf+0xbb/0x5e0
[ 26.795311]  kunit_try_run_case+0x1a2/0x480
[ 26.799498]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 26.804898]  kthread+0x334/0x6f0
[ 26.808128]  ret_from_fork+0x113/0x1d0
[ 26.811882]  ret_from_fork_asm+0x1a/0x30
[ 26.815808]
[ 26.817306] Freed by task 204:
[ 26.820383]  kasan_save_stack+0x45/0x70
[ 26.824250]  kasan_save_track+0x18/0x40
[ 26.828089]  kasan_save_free_info+0x3f/0x60
[ 26.832273]  __kasan_slab_free+0x56/0x70
[ 26.836200]  kfree+0x222/0x3f0
[ 26.839260]  krealloc_uaf+0x13d/0x5e0
[ 26.842932]  kunit_try_run_case+0x1a2/0x480
[ 26.847120]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 26.852519]  kthread+0x334/0x6f0
[ 26.855751]  ret_from_fork+0x113/0x1d0
[ 26.859504]  ret_from_fork_asm+0x1a/0x30
[ 26.863429]
[ 26.864929] The buggy address belongs to the object at ffff888104476600
[ 26.864929]  which belongs to the cache kmalloc-256 of size 256
[ 26.877436] The buggy address is located 0 bytes inside of
[ 26.877436]  freed 256-byte region [ffff888104476600, ffff888104476700)
[ 26.889516]
[ 26.891017] The buggy address belongs to the physical page:
[ 26.896589] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104476
[ 26.904596] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.912258] flags: 0x200000000000040(head|node=0|zone=2)
[ 26.917569] page_type: f5(slab)
[ 26.920717] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[ 26.928456] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.936195] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[ 26.944030] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.951863] head: 0200000000000001 ffffea0004111d81 00000000ffffffff 00000000ffffffff
[ 26.959691] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 26.967524] page dumped because: kasan: bad access detected
[ 26.973095]
[ 26.974596] Memory state around the buggy address:
[ 26.979401]  ffff888104476500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.986634]  ffff888104476580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.993853] >ffff888104476600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.001072]                    ^
[ 27.004306]  ffff888104476680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.011525]  ffff888104476700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.018741] ==================================================================
```