Date
June 20, 2025, 12:38 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64

```
[ 31.819452] ==================================================================
[ 31.820586] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 31.821153] Read of size 1 at addr fff00000c4497000 by task kunit_try_catch/175
[ 31.821351]
[ 31.821644] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT
[ 31.822184] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.822257] Hardware name: linux,dummy-virt (DT)
[ 31.822747] Call trace:
[ 31.822913]  show_stack+0x20/0x38 (C)
[ 31.823240]  dump_stack_lvl+0x8c/0xd0
[ 31.823524]  print_report+0x118/0x608
[ 31.824877]  kasan_report+0xdc/0x128
[ 31.825191]  __kasan_check_byte+0x54/0x70
[ 31.825329]  krealloc_noprof+0x44/0x360
[ 31.825461]  krealloc_uaf+0x180/0x520
[ 31.825575]  kunit_try_run_case+0x170/0x3f0
[ 31.825676]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.825780]  kthread+0x328/0x630
[ 31.825875]  ret_from_fork+0x10/0x20
[ 31.826123]
[ 31.826257] Allocated by task 175:
[ 31.826345]  kasan_save_stack+0x3c/0x68
[ 31.826553]  kasan_save_track+0x20/0x40
[ 31.826881]  kasan_save_alloc_info+0x40/0x58
[ 31.827189]  __kasan_kmalloc+0xd4/0xd8
[ 31.827388]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.827766]  krealloc_uaf+0xc8/0x520
[ 31.827869]  kunit_try_run_case+0x170/0x3f0
[ 31.828404]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.828640]  kthread+0x328/0x630
[ 31.828784]  ret_from_fork+0x10/0x20
[ 31.828861]
[ 31.828964] Freed by task 175:
[ 31.829317]  kasan_save_stack+0x3c/0x68
[ 31.829547]  kasan_save_track+0x20/0x40
[ 31.829659]  kasan_save_free_info+0x4c/0x78
[ 31.829756]  __kasan_slab_free+0x6c/0x98
[ 31.829859]  kfree+0x214/0x3c8
[ 31.829944]  krealloc_uaf+0x12c/0x520
[ 31.830338]  kunit_try_run_case+0x170/0x3f0
[ 31.830560]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.830839]  kthread+0x328/0x630
[ 31.830965]  ret_from_fork+0x10/0x20
[ 31.831173]
[ 31.831460] The buggy address belongs to the object at fff00000c4497000
[ 31.831460]  which belongs to the cache kmalloc-256 of size 256
[ 31.831809] The buggy address is located 0 bytes inside of
[ 31.831809]  freed 256-byte region [fff00000c4497000, fff00000c4497100)
[ 31.832071]
[ 31.832220] The buggy address belongs to the physical page:
[ 31.832429] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104496
[ 31.832836] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.833012] anon flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 31.833214] page_type: f5(slab)
[ 31.833305] raw: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[ 31.833394] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.833483] head: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[ 31.833591] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.833727] head: 0bfffe0000000001 ffffc1ffc3112581 00000000ffffffff 00000000ffffffff
[ 31.833854] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 31.833959] page dumped because: kasan: bad access detected
[ 31.834041]
[ 31.834091] Memory state around the buggy address:
[ 31.834177]  fff00000c4496f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.834288]  fff00000c4496f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.834396] >fff00000c4497000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.834498]                    ^
[ 31.834576]  fff00000c4497080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.835432]  fff00000c4497100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.835551] ==================================================================
[ 31.840083] ==================================================================
[ 31.840404] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 31.840556] Read of size 1 at addr fff00000c4497000 by task kunit_try_catch/175
[ 31.841185]
[ 31.841468] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT
[ 31.841908] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.842054] Hardware name: linux,dummy-virt (DT)
[ 31.842216] Call trace:
[ 31.842357]  show_stack+0x20/0x38 (C)
[ 31.842735]  dump_stack_lvl+0x8c/0xd0
[ 31.842929]  print_report+0x118/0x608
[ 31.843307]  kasan_report+0xdc/0x128
[ 31.843549]  __asan_report_load1_noabort+0x20/0x30
[ 31.843846]  krealloc_uaf+0x4c8/0x520
[ 31.843967]  kunit_try_run_case+0x170/0x3f0
[ 31.844458]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.844583]  kthread+0x328/0x630
[ 31.844699]  ret_from_fork+0x10/0x20
[ 31.844794]
[ 31.844830] Allocated by task 175:
[ 31.844883]  kasan_save_stack+0x3c/0x68
[ 31.844973]  kasan_save_track+0x20/0x40
[ 31.845228]  kasan_save_alloc_info+0x40/0x58
[ 31.845462]  __kasan_kmalloc+0xd4/0xd8
[ 31.846099]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.846434]  krealloc_uaf+0xc8/0x520
[ 31.846546]  kunit_try_run_case+0x170/0x3f0
[ 31.846659]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.847114]  kthread+0x328/0x630
[ 31.847213]  ret_from_fork+0x10/0x20
[ 31.847386]
[ 31.847450] Freed by task 175:
[ 31.847518]  kasan_save_stack+0x3c/0x68
[ 31.847631]  kasan_save_track+0x20/0x40
[ 31.847932]  kasan_save_free_info+0x4c/0x78
[ 31.848222]  __kasan_slab_free+0x6c/0x98
[ 31.848604]  kfree+0x214/0x3c8
[ 31.848720]  krealloc_uaf+0x12c/0x520
[ 31.848800]  kunit_try_run_case+0x170/0x3f0
[ 31.848888]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.849190]  kthread+0x328/0x630
[ 31.849342]  ret_from_fork+0x10/0x20
[ 31.849447]
[ 31.849497] The buggy address belongs to the object at fff00000c4497000
[ 31.849497]  which belongs to the cache kmalloc-256 of size 256
[ 31.849998] The buggy address is located 0 bytes inside of
[ 31.849998]  freed 256-byte region [fff00000c4497000, fff00000c4497100)
[ 31.850417]
[ 31.850509] The buggy address belongs to the physical page:
[ 31.850665] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104496
[ 31.851072] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.851520] anon flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 31.851707] page_type: f5(slab)
[ 31.851814] raw: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[ 31.851944] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.852076] head: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[ 31.852206] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.852757] head: 0bfffe0000000001 ffffc1ffc3112581 00000000ffffffff 00000000ffffffff
[ 31.852964] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 31.853018] page dumped because: kasan: bad access detected
[ 31.853055]
[ 31.853076] Memory state around the buggy address:
[ 31.853116]  fff00000c4496f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.853165]  fff00000c4496f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.853212] >fff00000c4497000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.853258]                    ^
[ 31.853291]  fff00000c4497080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.853337]  fff00000c4497100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.853379] ==================================================================
```
qemu-x86_64

```
[ 25.496875] ==================================================================
[ 25.497483] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 25.497845] Read of size 1 at addr ffff888100a1be00 by task kunit_try_catch/193
[ 25.498817]
[ 25.499006] CPU: 1 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary)
[ 25.499098] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.499120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.499156] Call Trace:
[ 25.499194]  <TASK>
[ 25.499231]  dump_stack_lvl+0x73/0xb0
[ 25.499298]  print_report+0xd1/0x650
[ 25.499342]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.499388]  ? krealloc_uaf+0x53c/0x5e0
[ 25.499432]  ? kasan_complete_mode_report_info+0x64/0x200
[ 25.499496]  ? krealloc_uaf+0x53c/0x5e0
[ 25.499538]  kasan_report+0x141/0x180
[ 25.499580]  ? krealloc_uaf+0x53c/0x5e0
[ 25.499631]  __asan_report_load1_noabort+0x18/0x20
[ 25.499677]  krealloc_uaf+0x53c/0x5e0
[ 25.499720]  ? __pfx_krealloc_uaf+0x10/0x10
[ 25.499760]  ? finish_task_switch.isra.0+0x153/0x700
[ 25.499818]  ? __switch_to+0x47/0xf50
[ 25.499891]  ? __schedule+0x10cc/0x2b60
[ 25.499936]  ? __pfx_read_tsc+0x10/0x10
[ 25.499974]  ? ktime_get_ts64+0x86/0x230
[ 25.500017]  kunit_try_run_case+0x1a5/0x480
[ 25.500057]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.500091]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.500129]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.500168]  ? __kthread_parkme+0x82/0x180
[ 25.500199]  ? preempt_count_sub+0x50/0x80
[ 25.500233]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.500268]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.500305]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.500337]  kthread+0x337/0x6f0
[ 25.500367]  ? trace_preempt_on+0x20/0xc0
[ 25.500402]  ? __pfx_kthread+0x10/0x10
[ 25.500434]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.500481]  ? calculate_sigpending+0x7b/0xa0
[ 25.500519]  ? __pfx_kthread+0x10/0x10
[ 25.500555]  ret_from_fork+0x116/0x1d0
[ 25.500588]  ? __pfx_kthread+0x10/0x10
[ 25.500623]  ret_from_fork_asm+0x1a/0x30
[ 25.500677]  </TASK>
[ 25.500697]
[ 25.513371] Allocated by task 193:
[ 25.513614]  kasan_save_stack+0x45/0x70
[ 25.514020]  kasan_save_track+0x18/0x40
[ 25.514878]  kasan_save_alloc_info+0x3b/0x50
[ 25.515304]  __kasan_kmalloc+0xb7/0xc0
[ 25.515499]  __kmalloc_cache_noprof+0x189/0x420
[ 25.515701]  krealloc_uaf+0xbb/0x5e0
[ 25.515997]  kunit_try_run_case+0x1a5/0x480
[ 25.516602]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.517207]  kthread+0x337/0x6f0
[ 25.517538]  ret_from_fork+0x116/0x1d0
[ 25.518191]  ret_from_fork_asm+0x1a/0x30
[ 25.518526]
[ 25.518834] Freed by task 193:
[ 25.519124]  kasan_save_stack+0x45/0x70
[ 25.519319]  kasan_save_track+0x18/0x40
[ 25.519904]  kasan_save_free_info+0x3f/0x60
[ 25.520116]  __kasan_slab_free+0x56/0x70
[ 25.520593]  kfree+0x222/0x3f0
[ 25.521005]  krealloc_uaf+0x13d/0x5e0
[ 25.521460]  kunit_try_run_case+0x1a5/0x480
[ 25.521653]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.522089]  kthread+0x337/0x6f0
[ 25.522950]  ret_from_fork+0x116/0x1d0
[ 25.523326]  ret_from_fork_asm+0x1a/0x30
[ 25.524111]
[ 25.524307] The buggy address belongs to the object at ffff888100a1be00
[ 25.524307]  which belongs to the cache kmalloc-256 of size 256
[ 25.525173] The buggy address is located 0 bytes inside of
[ 25.525173]  freed 256-byte region [ffff888100a1be00, ffff888100a1bf00)
[ 25.525887]
[ 25.526080] The buggy address belongs to the physical page:
[ 25.527199] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1a
[ 25.528299] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 25.528708] flags: 0x200000000000040(head|node=0|zone=2)
[ 25.528935] page_type: f5(slab)
[ 25.529175] raw: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.529691] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.530112] head: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.530618] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.530831] head: 0200000000000001 ffffea0004028681 00000000ffffffff 00000000ffffffff
[ 25.531036] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 25.531472] page dumped because: kasan: bad access detected
[ 25.531899]
[ 25.532060] Memory state around the buggy address:
[ 25.532430]  ffff888100a1bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.532941]  ffff888100a1bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.533197] >ffff888100a1be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.533506]                    ^
[ 25.533915]  ffff888100a1be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.534509]  ffff888100a1bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.535136] ==================================================================
[ 25.456286] ==================================================================
[ 25.457312] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 25.458124] Read of size 1 at addr ffff888100a1be00 by task kunit_try_catch/193
[ 25.458694]
[ 25.459132] CPU: 1 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary)
[ 25.459257] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.459285] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.459328] Call Trace:
[ 25.459356]  <TASK>
[ 25.459397]  dump_stack_lvl+0x73/0xb0
[ 25.459486]  print_report+0xd1/0x650
[ 25.459535]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.459593]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.459631]  ? kasan_complete_mode_report_info+0x64/0x200
[ 25.459706]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.459850]  kasan_report+0x141/0x180
[ 25.459903]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.459957]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.460005]  __kasan_check_byte+0x3d/0x50
[ 25.460052]  krealloc_noprof+0x3f/0x340
[ 25.460093]  krealloc_uaf+0x1b8/0x5e0
[ 25.460129]  ? __pfx_krealloc_uaf+0x10/0x10
[ 25.460196]  ? finish_task_switch.isra.0+0x153/0x700
[ 25.460241]  ? __switch_to+0x47/0xf50
[ 25.460279]  ? __schedule+0x10cc/0x2b60
[ 25.460305]  ? __pfx_read_tsc+0x10/0x10
[ 25.460328]  ? ktime_get_ts64+0x86/0x230
[ 25.460357]  kunit_try_run_case+0x1a5/0x480
[ 25.460385]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.460408]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.460431]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.460481]  ? __kthread_parkme+0x82/0x180
[ 25.460505]  ? preempt_count_sub+0x50/0x80
[ 25.460529]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.460553]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.460590]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.460628]  kthread+0x337/0x6f0
[ 25.460666]  ? trace_preempt_on+0x20/0xc0
[ 25.460695]  ? __pfx_kthread+0x10/0x10
[ 25.460717]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.460739]  ? calculate_sigpending+0x7b/0xa0
[ 25.460765]  ? __pfx_kthread+0x10/0x10
[ 25.460788]  ret_from_fork+0x116/0x1d0
[ 25.460808]  ? __pfx_kthread+0x10/0x10
[ 25.460829]  ret_from_fork_asm+0x1a/0x30
[ 25.460861]  </TASK>
[ 25.460876]
[ 25.472766] Allocated by task 193:
[ 25.473012]  kasan_save_stack+0x45/0x70
[ 25.473380]  kasan_save_track+0x18/0x40
[ 25.473795]  kasan_save_alloc_info+0x3b/0x50
[ 25.474240]  __kasan_kmalloc+0xb7/0xc0
[ 25.474690]  __kmalloc_cache_noprof+0x189/0x420
[ 25.475258]  krealloc_uaf+0xbb/0x5e0
[ 25.475746]  kunit_try_run_case+0x1a5/0x480
[ 25.476087]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.476509]  kthread+0x337/0x6f0
[ 25.476900]  ret_from_fork+0x116/0x1d0
[ 25.477282]  ret_from_fork_asm+0x1a/0x30
[ 25.477485]
[ 25.477572] Freed by task 193:
[ 25.477723]  kasan_save_stack+0x45/0x70
[ 25.477904]  kasan_save_track+0x18/0x40
[ 25.478089]  kasan_save_free_info+0x3f/0x60
[ 25.478363]  __kasan_slab_free+0x56/0x70
[ 25.478787]  kfree+0x222/0x3f0
[ 25.479429]  krealloc_uaf+0x13d/0x5e0
[ 25.479735]  kunit_try_run_case+0x1a5/0x480
[ 25.479966]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.480317]  kthread+0x337/0x6f0
[ 25.480830]  ret_from_fork+0x116/0x1d0
[ 25.481012]  ret_from_fork_asm+0x1a/0x30
[ 25.481299]
[ 25.481494] The buggy address belongs to the object at ffff888100a1be00
[ 25.481494]  which belongs to the cache kmalloc-256 of size 256
[ 25.482616] The buggy address is located 0 bytes inside of
[ 25.482616]  freed 256-byte region [ffff888100a1be00, ffff888100a1bf00)
[ 25.483903]
[ 25.484085] The buggy address belongs to the physical page:
[ 25.484699] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1a
[ 25.485322] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 25.485820] flags: 0x200000000000040(head|node=0|zone=2)
[ 25.486358] page_type: f5(slab)
[ 25.486719] raw: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.487621] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.488221] head: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.488739] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.489035] head: 0200000000000001 ffffea0004028681 00000000ffffffff 00000000ffffffff
[ 25.489851] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 25.490616] page dumped because: kasan: bad access detected
[ 25.491485]
[ 25.491746] Memory state around the buggy address:
[ 25.492125]  ffff888100a1bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.492661]  ffff888100a1bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.493172] >ffff888100a1be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.494350]                    ^
[ 25.494572]  ffff888100a1be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.495111]  ffff888100a1bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.495967] ==================================================================
```