Hay
Date
June 24, 2025, 11:37 a.m.

Environment (targets on which the KASAN KUnit case `krealloc_uaf` reported a slab-use-after-free; each target shows two reports for the same freed 256-byte kmalloc-256 object — one raised via `krealloc_noprof` → `__kasan_check_byte`, one via a direct 1-byte load in `krealloc_uaf` — all from task `kunit_try_catch` with taint `[N]=TEST`, and the allocation, free and offending access are all within `krealloc_uaf` itself)
dragonboard-845c
qemu-arm64
qemu-x86_64

[   35.956371] ==================================================================
[   35.963690] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   35.970396] Read of size 1 at addr ffff000086408c00 by task kunit_try_catch/262
[   35.977811] 
[   35.979342] CPU: 3 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   35.979372] Tainted: [B]=BAD_PAGE, [N]=TEST
[   35.979381] Hardware name: Thundercomm Dragonboard 845c (DT)
[   35.979394] Call trace:
[   35.979400]  show_stack+0x20/0x38 (C)
[   35.979418]  dump_stack_lvl+0x8c/0xd0
[   35.979437]  print_report+0x118/0x608
[   35.979457]  kasan_report+0xdc/0x128
[   35.979477]  __asan_report_load1_noabort+0x20/0x30
[   35.979495]  krealloc_uaf+0x4c8/0x520
[   35.979511]  kunit_try_run_case+0x170/0x3f0
[   35.979531]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.979552]  kthread+0x328/0x630
[   35.979567]  ret_from_fork+0x10/0x20
[   35.979585] 
[   36.044749] Allocated by task 262:
[   36.048209]  kasan_save_stack+0x3c/0x68
[   36.052119]  kasan_save_track+0x20/0x40
[   36.056030]  kasan_save_alloc_info+0x40/0x58
[   36.060369]  __kasan_kmalloc+0xd4/0xd8
[   36.064192]  __kmalloc_cache_noprof+0x16c/0x3c0
[   36.068805]  krealloc_uaf+0xc8/0x520
[   36.072444]  kunit_try_run_case+0x170/0x3f0
[   36.076698]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.082274]  kthread+0x328/0x630
[   36.085564]  ret_from_fork+0x10/0x20
[   36.089205] 
[   36.090735] Freed by task 262:
[   36.093846]  kasan_save_stack+0x3c/0x68
[   36.097758]  kasan_save_track+0x20/0x40
[   36.101667]  kasan_save_free_info+0x4c/0x78
[   36.105920]  __kasan_slab_free+0x6c/0x98
[   36.109917]  kfree+0x214/0x3c8
[   36.113037]  krealloc_uaf+0x12c/0x520
[   36.116771]  kunit_try_run_case+0x170/0x3f0
[   36.121027]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.126598]  kthread+0x328/0x630
[   36.129891]  ret_from_fork+0x10/0x20
[   36.133528] 
[   36.135056] The buggy address belongs to the object at ffff000086408c00
[   36.135056]  which belongs to the cache kmalloc-256 of size 256
[   36.147717] The buggy address is located 0 bytes inside of
[   36.147717]  freed 256-byte region [ffff000086408c00, ffff000086408d00)
[   36.159942] 
[   36.161473] The buggy address belongs to the physical page:
[   36.167121] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106408
[   36.175225] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   36.182985] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   36.190042] page_type: f5(slab)
[   36.193248] raw: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[   36.201095] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   36.208943] head: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[   36.216875] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   36.224808] head: 0bfffe0000000002 fffffdffc2190201 00000000ffffffff 00000000ffffffff
[   36.232739] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   36.240668] page dumped because: kasan: bad access detected
[   36.246318] 
[   36.247853] Memory state around the buggy address:
[   36.252716]  ffff000086408b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.260041]  ffff000086408b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.267358] >ffff000086408c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.274674]                    ^
[   36.277961]  ffff000086408c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.285277]  ffff000086408d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.292588] ==================================================================
[   35.605223] ==================================================================
[   35.616954] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   35.623666] Read of size 1 at addr ffff000086408c00 by task kunit_try_catch/262
[   35.631070] 
[   35.632608] CPU: 3 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   35.632636] Tainted: [B]=BAD_PAGE, [N]=TEST
[   35.632644] Hardware name: Thundercomm Dragonboard 845c (DT)
[   35.632655] Call trace:
[   35.632662]  show_stack+0x20/0x38 (C)
[   35.632681]  dump_stack_lvl+0x8c/0xd0
[   35.632700]  print_report+0x118/0x608
[   35.632719]  kasan_report+0xdc/0x128
[   35.632737]  __kasan_check_byte+0x54/0x70
[   35.632757]  krealloc_noprof+0x44/0x360
[   35.632779]  krealloc_uaf+0x180/0x520
[   35.632796]  kunit_try_run_case+0x170/0x3f0
[   35.632815]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.632838]  kthread+0x328/0x630
[   35.632854]  ret_from_fork+0x10/0x20
[   35.632871] 
[   35.701135] Allocated by task 262:
[   35.704596]  kasan_save_stack+0x3c/0x68
[   35.708505]  kasan_save_track+0x20/0x40
[   35.712415]  kasan_save_alloc_info+0x40/0x58
[   35.716755]  __kasan_kmalloc+0xd4/0xd8
[   35.720577]  __kmalloc_cache_noprof+0x16c/0x3c0
[   35.725188]  krealloc_uaf+0xc8/0x520
[   35.728827]  kunit_try_run_case+0x170/0x3f0
[   35.733080]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.738653]  kthread+0x328/0x630
[   35.741943]  ret_from_fork+0x10/0x20
[   35.745582] 
[   35.747109] Freed by task 262:
[   35.750222]  kasan_save_stack+0x3c/0x68
[   35.754133]  kasan_save_track+0x20/0x40
[   35.758042]  kasan_save_free_info+0x4c/0x78
[   35.762295]  __kasan_slab_free+0x6c/0x98
[   35.766290]  kfree+0x214/0x3c8
[   35.769411]  krealloc_uaf+0x12c/0x520
[   35.773145]  kunit_try_run_case+0x170/0x3f0
[   35.777400]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   35.782971]  kthread+0x328/0x630
[   35.786263]  ret_from_fork+0x10/0x20
[   35.789900] 
[   35.791426] The buggy address belongs to the object at ffff000086408c00
[   35.791426]  which belongs to the cache kmalloc-256 of size 256
[   35.804087] The buggy address is located 0 bytes inside of
[   35.804087]  freed 256-byte region [ffff000086408c00, ffff000086408d00)
[   35.816309] 
[   35.817839] The buggy address belongs to the physical page:
[   35.823487] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106408
[   35.831588] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   35.839344] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   35.846405] page_type: f5(slab)
[   35.849613] raw: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[   35.857458] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   35.865305] head: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[   35.873237] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   35.881169] head: 0bfffe0000000002 fffffdffc2190201 00000000ffffffff 00000000ffffffff
[   35.889102] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   35.897029] page dumped because: kasan: bad access detected
[   35.902680] 
[   35.904215] Memory state around the buggy address:
[   35.909077]  ffff000086408b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.916401]  ffff000086408b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.923717] >ffff000086408c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.931032]                    ^
[   35.934321]  ffff000086408c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.941635]  ffff000086408d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.948948] ==================================================================

[   32.868501] ==================================================================
[   32.868564] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   32.868625] Read of size 1 at addr fff00000c4633a00 by task kunit_try_catch/175
[   32.868683] 
[   32.868724] CPU: 0 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   32.868822] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.868853] Hardware name: linux,dummy-virt (DT)
[   32.868913] Call trace:
[   32.868988]  show_stack+0x20/0x38 (C)
[   32.869106]  dump_stack_lvl+0x8c/0xd0
[   32.869219]  print_report+0x118/0x608
[   32.869334]  kasan_report+0xdc/0x128
[   32.869458]  __asan_report_load1_noabort+0x20/0x30
[   32.869576]  krealloc_uaf+0x4c8/0x520
[   32.869683]  kunit_try_run_case+0x170/0x3f0
[   32.869795]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.869937]  kthread+0x328/0x630
[   32.870043]  ret_from_fork+0x10/0x20
[   32.870155] 
[   32.870197] Allocated by task 175:
[   32.870261]  kasan_save_stack+0x3c/0x68
[   32.870371]  kasan_save_track+0x20/0x40
[   32.870477]  kasan_save_alloc_info+0x40/0x58
[   32.870667]  __kasan_kmalloc+0xd4/0xd8
[   32.870950]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.871143]  krealloc_uaf+0xc8/0x520
[   32.871282]  kunit_try_run_case+0x170/0x3f0
[   32.871382]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.871503]  kthread+0x328/0x630
[   32.871597]  ret_from_fork+0x10/0x20
[   32.871815] 
[   32.871865] Freed by task 175:
[   32.871983]  kasan_save_stack+0x3c/0x68
[   32.872134]  kasan_save_track+0x20/0x40
[   32.872328]  kasan_save_free_info+0x4c/0x78
[   32.872430]  __kasan_slab_free+0x6c/0x98
[   32.872656]  kfree+0x214/0x3c8
[   32.872899]  krealloc_uaf+0x12c/0x520
[   32.873079]  kunit_try_run_case+0x170/0x3f0
[   32.873218]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.873336]  kthread+0x328/0x630
[   32.873477]  ret_from_fork+0x10/0x20
[   32.873576] 
[   32.873629] The buggy address belongs to the object at fff00000c4633a00
[   32.873629]  which belongs to the cache kmalloc-256 of size 256
[   32.873771] The buggy address is located 0 bytes inside of
[   32.873771]  freed 256-byte region [fff00000c4633a00, fff00000c4633b00)
[   32.873972] 
[   32.874025] The buggy address belongs to the physical page:
[   32.874134] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104632
[   32.874328] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   32.874461] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   32.874777] page_type: f5(slab)
[   32.874976] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   32.875244] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.875370] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   32.875537] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.875667] head: 0bfffe0000000001 ffffc1ffc3118c81 00000000ffffffff 00000000ffffffff
[   32.875797] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   32.875944] page dumped because: kasan: bad access detected
[   32.876088] 
[   32.876136] Memory state around the buggy address:
[   32.876223]  fff00000c4633900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.876328]  fff00000c4633980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.876430] >fff00000c4633a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.877483]                    ^
[   32.878162]  fff00000c4633a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.878465]  fff00000c4633b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.878590] ==================================================================
[   32.850203] ==================================================================
[   32.850390] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   32.850505] Read of size 1 at addr fff00000c4633a00 by task kunit_try_catch/175
[   32.850615] 
[   32.850683] CPU: 0 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   32.850876] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.850957] Hardware name: linux,dummy-virt (DT)
[   32.851043] Call trace:
[   32.851110]  show_stack+0x20/0x38 (C)
[   32.851285]  dump_stack_lvl+0x8c/0xd0
[   32.851511]  print_report+0x118/0x608
[   32.851644]  kasan_report+0xdc/0x128
[   32.851792]  __kasan_check_byte+0x54/0x70
[   32.852069]  krealloc_noprof+0x44/0x360
[   32.852191]  krealloc_uaf+0x180/0x520
[   32.852317]  kunit_try_run_case+0x170/0x3f0
[   32.852540]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.852793]  kthread+0x328/0x630
[   32.852929]  ret_from_fork+0x10/0x20
[   32.853242] 
[   32.853293] Allocated by task 175:
[   32.853417]  kasan_save_stack+0x3c/0x68
[   32.853561]  kasan_save_track+0x20/0x40
[   32.853861]  kasan_save_alloc_info+0x40/0x58
[   32.854009]  __kasan_kmalloc+0xd4/0xd8
[   32.854107]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.854226]  krealloc_uaf+0xc8/0x520
[   32.854476]  kunit_try_run_case+0x170/0x3f0
[   32.854643]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.855014]  kthread+0x328/0x630
[   32.855151]  ret_from_fork+0x10/0x20
[   32.855308] 
[   32.855512] Freed by task 175:
[   32.855623]  kasan_save_stack+0x3c/0x68
[   32.855841]  kasan_save_track+0x20/0x40
[   32.856159]  kasan_save_free_info+0x4c/0x78
[   32.856273]  __kasan_slab_free+0x6c/0x98
[   32.856871]  kfree+0x214/0x3c8
[   32.857047]  krealloc_uaf+0x12c/0x520
[   32.857172]  kunit_try_run_case+0x170/0x3f0
[   32.857426]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.857691]  kthread+0x328/0x630
[   32.857877]  ret_from_fork+0x10/0x20
[   32.858045] 
[   32.858165] The buggy address belongs to the object at fff00000c4633a00
[   32.858165]  which belongs to the cache kmalloc-256 of size 256
[   32.858691] The buggy address is located 0 bytes inside of
[   32.858691]  freed 256-byte region [fff00000c4633a00, fff00000c4633b00)
[   32.859179] 
[   32.859876] The buggy address belongs to the physical page:
[   32.860023] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104632
[   32.860560] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   32.861466] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   32.861856] page_type: f5(slab)
[   32.861995] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   32.862384] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.862618] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   32.862852] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.862994] head: 0bfffe0000000001 ffffc1ffc3118c81 00000000ffffffff 00000000ffffffff
[   32.863578] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   32.863981] page dumped because: kasan: bad access detected
[   32.864097] 
[   32.864174] Memory state around the buggy address:
[   32.864348]  fff00000c4633900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.864510]  fff00000c4633980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.864797] >fff00000c4633a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.865097]                    ^
[   32.865263]  fff00000c4633a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.866044]  fff00000c4633b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.867059] ==================================================================

[   28.884210] ==================================================================
[   28.884749] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   28.885262] Read of size 1 at addr ffff888100386000 by task kunit_try_catch/194
[   28.886114] 
[   28.886681] CPU: 0 UID: 0 PID: 194 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary) 
[   28.886796] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.886827] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   28.886891] Call Trace:
[   28.886928]  <TASK>
[   28.886964]  dump_stack_lvl+0x73/0xb0
[   28.887037]  print_report+0xd1/0x650
[   28.887109]  ? __virt_addr_valid+0x1db/0x2d0
[   28.887171]  ? krealloc_uaf+0x53c/0x5e0
[   28.887220]  ? kasan_complete_mode_report_info+0x64/0x200
[   28.887285]  ? krealloc_uaf+0x53c/0x5e0
[   28.887340]  kasan_report+0x141/0x180
[   28.887401]  ? krealloc_uaf+0x53c/0x5e0
[   28.887469]  __asan_report_load1_noabort+0x18/0x20
[   28.887535]  krealloc_uaf+0x53c/0x5e0
[   28.887613]  ? __pfx_krealloc_uaf+0x10/0x10
[   28.887660]  ? finish_task_switch.isra.0+0x153/0x700
[   28.887712]  ? __switch_to+0x47/0xf50
[   28.887777]  ? __schedule+0x10cc/0x2b60
[   28.887855]  ? __pfx_read_tsc+0x10/0x10
[   28.887915]  ? ktime_get_ts64+0x86/0x230
[   28.887980]  kunit_try_run_case+0x1a5/0x480
[   28.888048]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.888118]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   28.888193]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   28.888230]  ? __kthread_parkme+0x82/0x180
[   28.888259]  ? preempt_count_sub+0x50/0x80
[   28.888290]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.888322]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.888354]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   28.888385]  kthread+0x337/0x6f0
[   28.888410]  ? trace_preempt_on+0x20/0xc0
[   28.888441]  ? __pfx_kthread+0x10/0x10
[   28.888468]  ? _raw_spin_unlock_irq+0x47/0x80
[   28.888497]  ? calculate_sigpending+0x7b/0xa0
[   28.888527]  ? __pfx_kthread+0x10/0x10
[   28.888575]  ret_from_fork+0x116/0x1d0
[   28.888601]  ? __pfx_kthread+0x10/0x10
[   28.888628]  ret_from_fork_asm+0x1a/0x30
[   28.888682]  </TASK>
[   28.888697] 
[   28.904664] Allocated by task 194:
[   28.905036]  kasan_save_stack+0x45/0x70
[   28.905473]  kasan_save_track+0x18/0x40
[   28.906032]  kasan_save_alloc_info+0x3b/0x50
[   28.906569]  __kasan_kmalloc+0xb7/0xc0
[   28.906868]  __kmalloc_cache_noprof+0x189/0x420
[   28.907203]  krealloc_uaf+0xbb/0x5e0
[   28.908020]  kunit_try_run_case+0x1a5/0x480
[   28.908619]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.909059]  kthread+0x337/0x6f0
[   28.909364]  ret_from_fork+0x116/0x1d0
[   28.909624]  ret_from_fork_asm+0x1a/0x30
[   28.909871] 
[   28.909996] Freed by task 194:
[   28.910181]  kasan_save_stack+0x45/0x70
[   28.910608]  kasan_save_track+0x18/0x40
[   28.910973]  kasan_save_free_info+0x3f/0x60
[   28.911425]  __kasan_slab_free+0x56/0x70
[   28.912352]  kfree+0x222/0x3f0
[   28.912737]  krealloc_uaf+0x13d/0x5e0
[   28.913117]  kunit_try_run_case+0x1a5/0x480
[   28.913529]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.913936]  kthread+0x337/0x6f0
[   28.914305]  ret_from_fork+0x116/0x1d0
[   28.914683]  ret_from_fork_asm+0x1a/0x30
[   28.914979] 
[   28.915168] The buggy address belongs to the object at ffff888100386000
[   28.915168]  which belongs to the cache kmalloc-256 of size 256
[   28.915866] The buggy address is located 0 bytes inside of
[   28.915866]  freed 256-byte region [ffff888100386000, ffff888100386100)
[   28.916624] 
[   28.916769] The buggy address belongs to the physical page:
[   28.917044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100386
[   28.918183] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   28.918919] flags: 0x200000000000040(head|node=0|zone=2)
[   28.919399] page_type: f5(slab)
[   28.919791] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   28.920450] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.920984] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   28.921358] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.921735] head: 0200000000000001 ffffea000400e181 00000000ffffffff 00000000ffffffff
[   28.922362] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   28.923584] page dumped because: kasan: bad access detected
[   28.924504] 
[   28.924745] Memory state around the buggy address:
[   28.925330]  ffff888100385f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.925958]  ffff888100385f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.926832] >ffff888100386000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.927402]                    ^
[   28.927636]  ffff888100386080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.928363]  ffff888100386100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.929312] ==================================================================
[   28.834374] ==================================================================
[   28.835247] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   28.836405] Read of size 1 at addr ffff888100386000 by task kunit_try_catch/194
[   28.836887] 
[   28.837076] CPU: 0 UID: 0 PID: 194 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary) 
[   28.837185] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.837217] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   28.837267] Call Trace:
[   28.837300]  <TASK>
[   28.837343]  dump_stack_lvl+0x73/0xb0
[   28.837420]  print_report+0xd1/0x650
[   28.837474]  ? __virt_addr_valid+0x1db/0x2d0
[   28.837530]  ? krealloc_uaf+0x1b8/0x5e0
[   28.837601]  ? kasan_complete_mode_report_info+0x64/0x200
[   28.837662]  ? krealloc_uaf+0x1b8/0x5e0
[   28.837715]  kasan_report+0x141/0x180
[   28.837771]  ? krealloc_uaf+0x1b8/0x5e0
[   28.837831]  ? krealloc_uaf+0x1b8/0x5e0
[   28.837886]  __kasan_check_byte+0x3d/0x50
[   28.837938]  krealloc_noprof+0x3f/0x340
[   28.837997]  ? stack_depot_save_flags+0x48b/0x840
[   28.838062]  krealloc_uaf+0x1b8/0x5e0
[   28.838154]  ? __pfx_krealloc_uaf+0x10/0x10
[   28.838200]  ? finish_task_switch.isra.0+0x153/0x700
[   28.838257]  ? __switch_to+0x47/0xf50
[   28.838314]  ? __schedule+0x10cc/0x2b60
[   28.838372]  ? __pfx_read_tsc+0x10/0x10
[   28.838432]  ? ktime_get_ts64+0x86/0x230
[   28.838499]  kunit_try_run_case+0x1a5/0x480
[   28.838563]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.838596]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   28.838631]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   28.838678]  ? __kthread_parkme+0x82/0x180
[   28.838706]  ? preempt_count_sub+0x50/0x80
[   28.838737]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.838768]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.838799]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   28.838829]  kthread+0x337/0x6f0
[   28.838855]  ? trace_preempt_on+0x20/0xc0
[   28.838886]  ? __pfx_kthread+0x10/0x10
[   28.838914]  ? _raw_spin_unlock_irq+0x47/0x80
[   28.838943]  ? calculate_sigpending+0x7b/0xa0
[   28.838974]  ? __pfx_kthread+0x10/0x10
[   28.839002]  ret_from_fork+0x116/0x1d0
[   28.839027]  ? __pfx_kthread+0x10/0x10
[   28.839059]  ret_from_fork_asm+0x1a/0x30
[   28.839126]  </TASK>
[   28.839152] 
[   28.857097] Allocated by task 194:
[   28.857466]  kasan_save_stack+0x45/0x70
[   28.857917]  kasan_save_track+0x18/0x40
[   28.858388]  kasan_save_alloc_info+0x3b/0x50
[   28.858873]  __kasan_kmalloc+0xb7/0xc0
[   28.859285]  __kmalloc_cache_noprof+0x189/0x420
[   28.859811]  krealloc_uaf+0xbb/0x5e0
[   28.860337]  kunit_try_run_case+0x1a5/0x480
[   28.860669]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.861181]  kthread+0x337/0x6f0
[   28.861538]  ret_from_fork+0x116/0x1d0
[   28.861813]  ret_from_fork_asm+0x1a/0x30
[   28.862212] 
[   28.862414] Freed by task 194:
[   28.863179]  kasan_save_stack+0x45/0x70
[   28.863608]  kasan_save_track+0x18/0x40
[   28.863957]  kasan_save_free_info+0x3f/0x60
[   28.864570]  __kasan_slab_free+0x56/0x70
[   28.864876]  kfree+0x222/0x3f0
[   28.865333]  krealloc_uaf+0x13d/0x5e0
[   28.865728]  kunit_try_run_case+0x1a5/0x480
[   28.866474]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.867009]  kthread+0x337/0x6f0
[   28.867430]  ret_from_fork+0x116/0x1d0
[   28.867811]  ret_from_fork_asm+0x1a/0x30
[   28.868078] 
[   28.868280] The buggy address belongs to the object at ffff888100386000
[   28.868280]  which belongs to the cache kmalloc-256 of size 256
[   28.869358] The buggy address is located 0 bytes inside of
[   28.869358]  freed 256-byte region [ffff888100386000, ffff888100386100)
[   28.870617] 
[   28.870844] The buggy address belongs to the physical page:
[   28.871339] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100386
[   28.872003] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   28.872782] flags: 0x200000000000040(head|node=0|zone=2)
[   28.873467] page_type: f5(slab)
[   28.873872] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   28.874783] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.875480] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   28.876183] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.876746] head: 0200000000000001 ffffea000400e181 00000000ffffffff 00000000ffffffff
[   28.877574] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   28.878203] page dumped because: kasan: bad access detected
[   28.878960] 
[   28.879167] Memory state around the buggy address:
[   28.879425]  ffff888100385f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.880062]  ffff888100385f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.880499] >ffff888100386000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.881360]                    ^
[   28.881932]  ffff888100386080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.882523]  ffff888100386100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.882891] ==================================================================