Hay
Date
June 20, 2025, 12:38 p.m.

Environment
qemu-arm64
qemu-x86_64

[   31.819452] ==================================================================
[   31.820586] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   31.821153] Read of size 1 at addr fff00000c4497000 by task kunit_try_catch/175
[   31.821351] 
[   31.821644] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT 
[   31.822184] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.822257] Hardware name: linux,dummy-virt (DT)
[   31.822747] Call trace:
[   31.822913]  show_stack+0x20/0x38 (C)
[   31.823240]  dump_stack_lvl+0x8c/0xd0
[   31.823524]  print_report+0x118/0x608
[   31.824877]  kasan_report+0xdc/0x128
[   31.825191]  __kasan_check_byte+0x54/0x70
[   31.825329]  krealloc_noprof+0x44/0x360
[   31.825461]  krealloc_uaf+0x180/0x520
[   31.825575]  kunit_try_run_case+0x170/0x3f0
[   31.825676]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.825780]  kthread+0x328/0x630
[   31.825875]  ret_from_fork+0x10/0x20
[   31.826123] 
[   31.826257] Allocated by task 175:
[   31.826345]  kasan_save_stack+0x3c/0x68
[   31.826553]  kasan_save_track+0x20/0x40
[   31.826881]  kasan_save_alloc_info+0x40/0x58
[   31.827189]  __kasan_kmalloc+0xd4/0xd8
[   31.827388]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.827766]  krealloc_uaf+0xc8/0x520
[   31.827869]  kunit_try_run_case+0x170/0x3f0
[   31.828404]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.828640]  kthread+0x328/0x630
[   31.828784]  ret_from_fork+0x10/0x20
[   31.828861] 
[   31.828964] Freed by task 175:
[   31.829317]  kasan_save_stack+0x3c/0x68
[   31.829547]  kasan_save_track+0x20/0x40
[   31.829659]  kasan_save_free_info+0x4c/0x78
[   31.829756]  __kasan_slab_free+0x6c/0x98
[   31.829859]  kfree+0x214/0x3c8
[   31.829944]  krealloc_uaf+0x12c/0x520
[   31.830338]  kunit_try_run_case+0x170/0x3f0
[   31.830560]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.830839]  kthread+0x328/0x630
[   31.830965]  ret_from_fork+0x10/0x20
[   31.831173] 
[   31.831460] The buggy address belongs to the object at fff00000c4497000
[   31.831460]  which belongs to the cache kmalloc-256 of size 256
[   31.831809] The buggy address is located 0 bytes inside of
[   31.831809]  freed 256-byte region [fff00000c4497000, fff00000c4497100)
[   31.832071] 
[   31.832220] The buggy address belongs to the physical page:
[   31.832429] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104496
[   31.832836] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   31.833012] anon flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   31.833214] page_type: f5(slab)
[   31.833305] raw: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[   31.833394] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.833483] head: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[   31.833591] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.833727] head: 0bfffe0000000001 ffffc1ffc3112581 00000000ffffffff 00000000ffffffff
[   31.833854] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   31.833959] page dumped because: kasan: bad access detected
[   31.834041] 
[   31.834091] Memory state around the buggy address:
[   31.834177]  fff00000c4496f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.834288]  fff00000c4496f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.834396] >fff00000c4497000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.834498]                    ^
[   31.834576]  fff00000c4497080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.835432]  fff00000c4497100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.835551] ==================================================================
[   31.840083] ==================================================================
[   31.840404] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   31.840556] Read of size 1 at addr fff00000c4497000 by task kunit_try_catch/175
[   31.841185] 
[   31.841468] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT 
[   31.841908] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.842054] Hardware name: linux,dummy-virt (DT)
[   31.842216] Call trace:
[   31.842357]  show_stack+0x20/0x38 (C)
[   31.842735]  dump_stack_lvl+0x8c/0xd0
[   31.842929]  print_report+0x118/0x608
[   31.843307]  kasan_report+0xdc/0x128
[   31.843549]  __asan_report_load1_noabort+0x20/0x30
[   31.843846]  krealloc_uaf+0x4c8/0x520
[   31.843967]  kunit_try_run_case+0x170/0x3f0
[   31.844458]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.844583]  kthread+0x328/0x630
[   31.844699]  ret_from_fork+0x10/0x20
[   31.844794] 
[   31.844830] Allocated by task 175:
[   31.844883]  kasan_save_stack+0x3c/0x68
[   31.844973]  kasan_save_track+0x20/0x40
[   31.845228]  kasan_save_alloc_info+0x40/0x58
[   31.845462]  __kasan_kmalloc+0xd4/0xd8
[   31.846099]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.846434]  krealloc_uaf+0xc8/0x520
[   31.846546]  kunit_try_run_case+0x170/0x3f0
[   31.846659]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.847114]  kthread+0x328/0x630
[   31.847213]  ret_from_fork+0x10/0x20
[   31.847386] 
[   31.847450] Freed by task 175:
[   31.847518]  kasan_save_stack+0x3c/0x68
[   31.847631]  kasan_save_track+0x20/0x40
[   31.847932]  kasan_save_free_info+0x4c/0x78
[   31.848222]  __kasan_slab_free+0x6c/0x98
[   31.848604]  kfree+0x214/0x3c8
[   31.848720]  krealloc_uaf+0x12c/0x520
[   31.848800]  kunit_try_run_case+0x170/0x3f0
[   31.848888]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.849190]  kthread+0x328/0x630
[   31.849342]  ret_from_fork+0x10/0x20
[   31.849447] 
[   31.849497] The buggy address belongs to the object at fff00000c4497000
[   31.849497]  which belongs to the cache kmalloc-256 of size 256
[   31.849998] The buggy address is located 0 bytes inside of
[   31.849998]  freed 256-byte region [fff00000c4497000, fff00000c4497100)
[   31.850417] 
[   31.850509] The buggy address belongs to the physical page:
[   31.850665] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104496
[   31.851072] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   31.851520] anon flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   31.851707] page_type: f5(slab)
[   31.851814] raw: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[   31.851944] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.852076] head: 0bfffe0000000040 fff00000c0001b40 0000000000000000 dead000000000001
[   31.852206] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.852757] head: 0bfffe0000000001 ffffc1ffc3112581 00000000ffffffff 00000000ffffffff
[   31.852964] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   31.853018] page dumped because: kasan: bad access detected
[   31.853055] 
[   31.853076] Memory state around the buggy address:
[   31.853116]  fff00000c4496f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.853165]  fff00000c4496f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.853212] >fff00000c4497000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.853258]                    ^
[   31.853291]  fff00000c4497080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.853337]  fff00000c4497100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.853379] ==================================================================

[   25.496875] ==================================================================
[   25.497483] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   25.497845] Read of size 1 at addr ffff888100a1be00 by task kunit_try_catch/193
[   25.498817] 
[   25.499006] CPU: 1 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary) 
[   25.499098] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.499120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.499156] Call Trace:
[   25.499194]  <TASK>
[   25.499231]  dump_stack_lvl+0x73/0xb0
[   25.499298]  print_report+0xd1/0x650
[   25.499342]  ? __virt_addr_valid+0x1db/0x2d0
[   25.499388]  ? krealloc_uaf+0x53c/0x5e0
[   25.499432]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.499496]  ? krealloc_uaf+0x53c/0x5e0
[   25.499538]  kasan_report+0x141/0x180
[   25.499580]  ? krealloc_uaf+0x53c/0x5e0
[   25.499631]  __asan_report_load1_noabort+0x18/0x20
[   25.499677]  krealloc_uaf+0x53c/0x5e0
[   25.499720]  ? __pfx_krealloc_uaf+0x10/0x10
[   25.499760]  ? finish_task_switch.isra.0+0x153/0x700
[   25.499818]  ? __switch_to+0x47/0xf50
[   25.499891]  ? __schedule+0x10cc/0x2b60
[   25.499936]  ? __pfx_read_tsc+0x10/0x10
[   25.499974]  ? ktime_get_ts64+0x86/0x230
[   25.500017]  kunit_try_run_case+0x1a5/0x480
[   25.500057]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.500091]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.500129]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.500168]  ? __kthread_parkme+0x82/0x180
[   25.500199]  ? preempt_count_sub+0x50/0x80
[   25.500233]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.500268]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.500305]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.500337]  kthread+0x337/0x6f0
[   25.500367]  ? trace_preempt_on+0x20/0xc0
[   25.500402]  ? __pfx_kthread+0x10/0x10
[   25.500434]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.500481]  ? calculate_sigpending+0x7b/0xa0
[   25.500519]  ? __pfx_kthread+0x10/0x10
[   25.500555]  ret_from_fork+0x116/0x1d0
[   25.500588]  ? __pfx_kthread+0x10/0x10
[   25.500623]  ret_from_fork_asm+0x1a/0x30
[   25.500677]  </TASK>
[   25.500697] 
[   25.513371] Allocated by task 193:
[   25.513614]  kasan_save_stack+0x45/0x70
[   25.514020]  kasan_save_track+0x18/0x40
[   25.514878]  kasan_save_alloc_info+0x3b/0x50
[   25.515304]  __kasan_kmalloc+0xb7/0xc0
[   25.515499]  __kmalloc_cache_noprof+0x189/0x420
[   25.515701]  krealloc_uaf+0xbb/0x5e0
[   25.515997]  kunit_try_run_case+0x1a5/0x480
[   25.516602]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.517207]  kthread+0x337/0x6f0
[   25.517538]  ret_from_fork+0x116/0x1d0
[   25.518191]  ret_from_fork_asm+0x1a/0x30
[   25.518526] 
[   25.518834] Freed by task 193:
[   25.519124]  kasan_save_stack+0x45/0x70
[   25.519319]  kasan_save_track+0x18/0x40
[   25.519904]  kasan_save_free_info+0x3f/0x60
[   25.520116]  __kasan_slab_free+0x56/0x70
[   25.520593]  kfree+0x222/0x3f0
[   25.521005]  krealloc_uaf+0x13d/0x5e0
[   25.521460]  kunit_try_run_case+0x1a5/0x480
[   25.521653]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.522089]  kthread+0x337/0x6f0
[   25.522950]  ret_from_fork+0x116/0x1d0
[   25.523326]  ret_from_fork_asm+0x1a/0x30
[   25.524111] 
[   25.524307] The buggy address belongs to the object at ffff888100a1be00
[   25.524307]  which belongs to the cache kmalloc-256 of size 256
[   25.525173] The buggy address is located 0 bytes inside of
[   25.525173]  freed 256-byte region [ffff888100a1be00, ffff888100a1bf00)
[   25.525887] 
[   25.526080] The buggy address belongs to the physical page:
[   25.527199] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1a
[   25.528299] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   25.528708] flags: 0x200000000000040(head|node=0|zone=2)
[   25.528935] page_type: f5(slab)
[   25.529175] raw: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[   25.529691] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.530112] head: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[   25.530618] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.530831] head: 0200000000000001 ffffea0004028681 00000000ffffffff 00000000ffffffff
[   25.531036] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   25.531472] page dumped because: kasan: bad access detected
[   25.531899] 
[   25.532060] Memory state around the buggy address:
[   25.532430]  ffff888100a1bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.532941]  ffff888100a1bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.533197] >ffff888100a1be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.533506]                    ^
[   25.533915]  ffff888100a1be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.534509]  ffff888100a1bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.535136] ==================================================================
[   25.456286] ==================================================================
[   25.457312] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   25.458124] Read of size 1 at addr ffff888100a1be00 by task kunit_try_catch/193
[   25.458694] 
[   25.459132] CPU: 1 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary) 
[   25.459257] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.459285] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.459328] Call Trace:
[   25.459356]  <TASK>
[   25.459397]  dump_stack_lvl+0x73/0xb0
[   25.459486]  print_report+0xd1/0x650
[   25.459535]  ? __virt_addr_valid+0x1db/0x2d0
[   25.459593]  ? krealloc_uaf+0x1b8/0x5e0
[   25.459631]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.459706]  ? krealloc_uaf+0x1b8/0x5e0
[   25.459850]  kasan_report+0x141/0x180
[   25.459903]  ? krealloc_uaf+0x1b8/0x5e0
[   25.459957]  ? krealloc_uaf+0x1b8/0x5e0
[   25.460005]  __kasan_check_byte+0x3d/0x50
[   25.460052]  krealloc_noprof+0x3f/0x340
[   25.460093]  krealloc_uaf+0x1b8/0x5e0
[   25.460129]  ? __pfx_krealloc_uaf+0x10/0x10
[   25.460196]  ? finish_task_switch.isra.0+0x153/0x700
[   25.460241]  ? __switch_to+0x47/0xf50
[   25.460279]  ? __schedule+0x10cc/0x2b60
[   25.460305]  ? __pfx_read_tsc+0x10/0x10
[   25.460328]  ? ktime_get_ts64+0x86/0x230
[   25.460357]  kunit_try_run_case+0x1a5/0x480
[   25.460385]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.460408]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.460431]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.460481]  ? __kthread_parkme+0x82/0x180
[   25.460505]  ? preempt_count_sub+0x50/0x80
[   25.460529]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.460553]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.460590]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.460628]  kthread+0x337/0x6f0
[   25.460666]  ? trace_preempt_on+0x20/0xc0
[   25.460695]  ? __pfx_kthread+0x10/0x10
[   25.460717]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.460739]  ? calculate_sigpending+0x7b/0xa0
[   25.460765]  ? __pfx_kthread+0x10/0x10
[   25.460788]  ret_from_fork+0x116/0x1d0
[   25.460808]  ? __pfx_kthread+0x10/0x10
[   25.460829]  ret_from_fork_asm+0x1a/0x30
[   25.460861]  </TASK>
[   25.460876] 
[   25.472766] Allocated by task 193:
[   25.473012]  kasan_save_stack+0x45/0x70
[   25.473380]  kasan_save_track+0x18/0x40
[   25.473795]  kasan_save_alloc_info+0x3b/0x50
[   25.474240]  __kasan_kmalloc+0xb7/0xc0
[   25.474690]  __kmalloc_cache_noprof+0x189/0x420
[   25.475258]  krealloc_uaf+0xbb/0x5e0
[   25.475746]  kunit_try_run_case+0x1a5/0x480
[   25.476087]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.476509]  kthread+0x337/0x6f0
[   25.476900]  ret_from_fork+0x116/0x1d0
[   25.477282]  ret_from_fork_asm+0x1a/0x30
[   25.477485] 
[   25.477572] Freed by task 193:
[   25.477723]  kasan_save_stack+0x45/0x70
[   25.477904]  kasan_save_track+0x18/0x40
[   25.478089]  kasan_save_free_info+0x3f/0x60
[   25.478363]  __kasan_slab_free+0x56/0x70
[   25.478787]  kfree+0x222/0x3f0
[   25.479429]  krealloc_uaf+0x13d/0x5e0
[   25.479735]  kunit_try_run_case+0x1a5/0x480
[   25.479966]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.480317]  kthread+0x337/0x6f0
[   25.480830]  ret_from_fork+0x116/0x1d0
[   25.481012]  ret_from_fork_asm+0x1a/0x30
[   25.481299] 
[   25.481494] The buggy address belongs to the object at ffff888100a1be00
[   25.481494]  which belongs to the cache kmalloc-256 of size 256
[   25.482616] The buggy address is located 0 bytes inside of
[   25.482616]  freed 256-byte region [ffff888100a1be00, ffff888100a1bf00)
[   25.483903] 
[   25.484085] The buggy address belongs to the physical page:
[   25.484699] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1a
[   25.485322] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   25.485820] flags: 0x200000000000040(head|node=0|zone=2)
[   25.486358] page_type: f5(slab)
[   25.486719] raw: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[   25.487621] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.488221] head: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[   25.488739] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.489035] head: 0200000000000001 ffffea0004028681 00000000ffffffff 00000000ffffffff
[   25.489851] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   25.490616] page dumped because: kasan: bad access detected
[   25.491485] 
[   25.491746] Memory state around the buggy address:
[   25.492125]  ffff888100a1bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.492661]  ffff888100a1bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.493172] >ffff888100a1be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.494350]                    ^
[   25.494572]  ffff888100a1be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.495111]  ffff888100a1bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.495967] ==================================================================