Date
June 26, 2025, 9:10 a.m.
Environment |
---|
dragonboard-845c |
qemu-arm64 |
qemu-x86_64 |
dragonboard-845c:

```
[ 37.323270] ==================================================================
[ 37.330595] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 37.337305] Read of size 1 at addr ffff00008036f000 by task kunit_try_catch/250
[ 37.344717]
[ 37.346250] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 37.346280] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 37.346289] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 37.346301] Call trace:
[ 37.346308]  show_stack+0x20/0x38 (C)
[ 37.346328]  dump_stack_lvl+0x8c/0xd0
[ 37.346346]  print_report+0x118/0x608
[ 37.346365]  kasan_report+0xdc/0x128
[ 37.346383]  __asan_report_load1_noabort+0x20/0x30
[ 37.346401]  krealloc_uaf+0x4c8/0x520
[ 37.346419]  kunit_try_run_case+0x170/0x3f0
[ 37.346439]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.346461]  kthread+0x328/0x630
[ 37.346475]  ret_from_fork+0x10/0x20
[ 37.346492]
[ 37.411693] Allocated by task 250:
[ 37.415153]  kasan_save_stack+0x3c/0x68
[ 37.419064]  kasan_save_track+0x20/0x40
[ 37.422971]  kasan_save_alloc_info+0x40/0x58
[ 37.427309]  __kasan_kmalloc+0xd4/0xd8
[ 37.431132]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 37.435739]  krealloc_uaf+0xc8/0x520
[ 37.439377]  kunit_try_run_case+0x170/0x3f0
[ 37.443630]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.449194]  kthread+0x328/0x630
[ 37.452485]  ret_from_fork+0x10/0x20
[ 37.456124]
[ 37.457650] Freed by task 250:
[ 37.460762]  kasan_save_stack+0x3c/0x68
[ 37.464672]  kasan_save_track+0x20/0x40
[ 37.468578]  kasan_save_free_info+0x4c/0x78
[ 37.472828]  __kasan_slab_free+0x6c/0x98
[ 37.476825]  kfree+0x214/0x3c8
[ 37.479945]  krealloc_uaf+0x12c/0x520
[ 37.483669]  kunit_try_run_case+0x170/0x3f0
[ 37.487920]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.493487]  kthread+0x328/0x630
[ 37.496777]  ret_from_fork+0x10/0x20
[ 37.500414]
[ 37.501944] The buggy address belongs to the object at ffff00008036f000
[ 37.501944]  which belongs to the cache kmalloc-256 of size 256
[ 37.514603] The buggy address is located 0 bytes inside of
[ 37.514603]  freed 256-byte region [ffff00008036f000, ffff00008036f100)
[ 37.526825]
[ 37.528360] The buggy address belongs to the physical page:
[ 37.534008] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10036c
[ 37.542120] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 37.549877] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 37.556929] page_type: f5(slab)
[ 37.560136] raw: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 37.567979] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 37.575825] head: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 37.583755] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 37.591685] head: 0bfffe0000000002 fffffdffc200db01 00000000ffffffff 00000000ffffffff
[ 37.599617] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 37.607542] page dumped because: kasan: bad access detected
[ 37.613195]
[ 37.614724] Memory state around the buggy address:
[ 37.619584]  ffff00008036ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.626907]  ffff00008036ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.634231] >ffff00008036f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.641551]                    ^
[ 37.644838]  ffff00008036f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.652160]  ffff00008036f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.659475] ==================================================================
[ 36.972115] ==================================================================
[ 36.983845] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 36.990558] Read of size 1 at addr ffff00008036f000 by task kunit_try_catch/250
[ 36.997967]
[ 36.999499] CPU: 0 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 36.999529] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 36.999536] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 36.999548] Call trace:
[ 36.999556]  show_stack+0x20/0x38 (C)
[ 36.999575]  dump_stack_lvl+0x8c/0xd0
[ 36.999593]  print_report+0x118/0x608
[ 36.999612]  kasan_report+0xdc/0x128
[ 36.999630]  __kasan_check_byte+0x54/0x70
[ 36.999648]  krealloc_noprof+0x44/0x360
[ 36.999667]  krealloc_uaf+0x180/0x520
[ 36.999684]  kunit_try_run_case+0x170/0x3f0
[ 36.999703]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 36.999723]  kthread+0x328/0x630
[ 36.999738]  ret_from_fork+0x10/0x20
[ 36.999755]
[ 37.068051] Allocated by task 250:
[ 37.071515]  kasan_save_stack+0x3c/0x68
[ 37.075425]  kasan_save_track+0x20/0x40
[ 37.079333]  kasan_save_alloc_info+0x40/0x58
[ 37.083669]  __kasan_kmalloc+0xd4/0xd8
[ 37.087491]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 37.092097]  krealloc_uaf+0xc8/0x520
[ 37.095736]  kunit_try_run_case+0x170/0x3f0
[ 37.099987]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.105555]  kthread+0x328/0x630
[ 37.108845]  ret_from_fork+0x10/0x20
[ 37.112491]
[ 37.114020] Freed by task 250:
[ 37.117132]  kasan_save_stack+0x3c/0x68
[ 37.121042]  kasan_save_track+0x20/0x40
[ 37.124948]  kasan_save_free_info+0x4c/0x78
[ 37.129199]  __kasan_slab_free+0x6c/0x98
[ 37.133195]  kfree+0x214/0x3c8
[ 37.136312]  krealloc_uaf+0x12c/0x520
[ 37.140036]  kunit_try_run_case+0x170/0x3f0
[ 37.144287]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.149859]  kthread+0x328/0x630
[ 37.153151]  ret_from_fork+0x10/0x20
[ 37.156788]
[ 37.158317] The buggy address belongs to the object at ffff00008036f000
[ 37.158317]  which belongs to the cache kmalloc-256 of size 256
[ 37.170979] The buggy address is located 0 bytes inside of
[ 37.170979]  freed 256-byte region [ffff00008036f000, ffff00008036f100)
[ 37.183199]
[ 37.184732] The buggy address belongs to the physical page:
[ 37.190383] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10036c
[ 37.198493] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 37.206249] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 37.213304] page_type: f5(slab)
[ 37.216508] raw: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 37.224351] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 37.232197] head: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 37.240127] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 37.248056] head: 0bfffe0000000002 fffffdffc200db01 00000000ffffffff 00000000ffffffff
[ 37.255987] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 37.263911] page dumped because: kasan: bad access detected
[ 37.269556]
[ 37.271085] Memory state around the buggy address:
[ 37.275945]  ffff00008036ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.283259]  ffff00008036ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.290582] >ffff00008036f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.297901]                    ^
[ 37.301189]  ffff00008036f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.308512]  ffff00008036f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.315827] ==================================================================
```
qemu-arm64:

```
[ 26.791479] ==================================================================
[ 26.791533] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 26.791782] Read of size 1 at addr fff00000c1c40e00 by task kunit_try_catch/176
[ 26.791907]
[ 26.792147] CPU: 0 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 26.792357] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.792383] Hardware name: linux,dummy-virt (DT)
[ 26.792630] Call trace:
[ 26.792799]  show_stack+0x20/0x38 (C)
[ 26.792924]  dump_stack_lvl+0x8c/0xd0
[ 26.793124]  print_report+0x118/0x608
[ 26.793243]  kasan_report+0xdc/0x128
[ 26.793300]  __asan_report_load1_noabort+0x20/0x30
[ 26.793575]  krealloc_uaf+0x4c8/0x520
[ 26.793916]  kunit_try_run_case+0x170/0x3f0
[ 26.794087]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.794207]  kthread+0x328/0x630
[ 26.794267]  ret_from_fork+0x10/0x20
[ 26.794601]
[ 26.794821] Allocated by task 176:
[ 26.794910]  kasan_save_stack+0x3c/0x68
[ 26.794988]  kasan_save_track+0x20/0x40
[ 26.795199]  kasan_save_alloc_info+0x40/0x58
[ 26.795266]  __kasan_kmalloc+0xd4/0xd8
[ 26.795437]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.795692]  krealloc_uaf+0xc8/0x520
[ 26.795759]  kunit_try_run_case+0x170/0x3f0
[ 26.795940]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.796039]  kthread+0x328/0x630
[ 26.796217]  ret_from_fork+0x10/0x20
[ 26.796255]
[ 26.796273] Freed by task 176:
[ 26.796320]  kasan_save_stack+0x3c/0x68
[ 26.796523]  kasan_save_track+0x20/0x40
[ 26.796671]  kasan_save_free_info+0x4c/0x78
[ 26.796856]  __kasan_slab_free+0x6c/0x98
[ 26.796992]  kfree+0x214/0x3c8
[ 26.797155]  krealloc_uaf+0x12c/0x520
[ 26.797236]  kunit_try_run_case+0x170/0x3f0
[ 26.797300]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.797471]  kthread+0x328/0x630
[ 26.797707]  ret_from_fork+0x10/0x20
[ 26.797818]
[ 26.797910] The buggy address belongs to the object at fff00000c1c40e00
[ 26.797910]  which belongs to the cache kmalloc-256 of size 256
[ 26.797996] The buggy address is located 0 bytes inside of
[ 26.797996]  freed 256-byte region [fff00000c1c40e00, fff00000c1c40f00)
[ 26.798140]
[ 26.798244] The buggy address belongs to the physical page:
[ 26.798275] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c40
[ 26.798499] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.798674] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 26.798907] page_type: f5(slab)
[ 26.798951] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 26.799073] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.799568] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 26.799642] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.799804] head: 0bfffe0000000001 ffffc1ffc3071001 00000000ffffffff 00000000ffffffff
[ 26.800012] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 26.800125] page dumped because: kasan: bad access detected
[ 26.800263]
[ 26.800313] Memory state around the buggy address:
[ 26.800376]  fff00000c1c40d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.800521]  fff00000c1c40d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.800604] >fff00000c1c40e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.800775]                    ^
[ 26.800832]  fff00000c1c40e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.801043]  fff00000c1c40f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.801115] ==================================================================
[ 26.783507] ==================================================================
[ 26.783596] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 26.783861] Read of size 1 at addr fff00000c1c40e00 by task kunit_try_catch/176
[ 26.783937]
[ 26.784012] CPU: 0 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 26.784147] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.784173] Hardware name: linux,dummy-virt (DT)
[ 26.784223] Call trace:
[ 26.784246]  show_stack+0x20/0x38 (C)
[ 26.784296]  dump_stack_lvl+0x8c/0xd0
[ 26.784496]  print_report+0x118/0x608
[ 26.784629]  kasan_report+0xdc/0x128
[ 26.784768]  __kasan_check_byte+0x54/0x70
[ 26.784836]  krealloc_noprof+0x44/0x360
[ 26.785138]  krealloc_uaf+0x180/0x520
[ 26.785240]  kunit_try_run_case+0x170/0x3f0
[ 26.785365]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.785489]  kthread+0x328/0x630
[ 26.785532]  ret_from_fork+0x10/0x20
[ 26.785625]
[ 26.785850] Allocated by task 176:
[ 26.785886]  kasan_save_stack+0x3c/0x68
[ 26.786237]  kasan_save_track+0x20/0x40
[ 26.786390]  kasan_save_alloc_info+0x40/0x58
[ 26.786538]  __kasan_kmalloc+0xd4/0xd8
[ 26.786691]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.786780]  krealloc_uaf+0xc8/0x520
[ 26.786923]  kunit_try_run_case+0x170/0x3f0
[ 26.787028]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.787278]  kthread+0x328/0x630
[ 26.787420]  ret_from_fork+0x10/0x20
[ 26.787539]
[ 26.787621] Freed by task 176:
[ 26.787756]  kasan_save_stack+0x3c/0x68
[ 26.787836]  kasan_save_track+0x20/0x40
[ 26.787873]  kasan_save_free_info+0x4c/0x78
[ 26.787922]  __kasan_slab_free+0x6c/0x98
[ 26.788262]  kfree+0x214/0x3c8
[ 26.788330]  krealloc_uaf+0x12c/0x520
[ 26.788368]  kunit_try_run_case+0x170/0x3f0
[ 26.788404]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.788447]  kthread+0x328/0x630
[ 26.788496]  ret_from_fork+0x10/0x20
[ 26.788579]
[ 26.788606] The buggy address belongs to the object at fff00000c1c40e00
[ 26.788606]  which belongs to the cache kmalloc-256 of size 256
[ 26.788772] The buggy address is located 0 bytes inside of
[ 26.788772]  freed 256-byte region [fff00000c1c40e00, fff00000c1c40f00)
[ 26.788856]
[ 26.788892] The buggy address belongs to the physical page:
[ 26.788925] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c40
[ 26.788975] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.789026] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 26.789090] page_type: f5(slab)
[ 26.789127] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 26.789175] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.789232] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 26.789288] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 26.789336] head: 0bfffe0000000001 ffffc1ffc3071001 00000000ffffffff 00000000ffffffff
[ 26.789391] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 26.789430] page dumped because: kasan: bad access detected
[ 26.789459]
[ 26.789477] Memory state around the buggy address:
[ 26.789507]  fff00000c1c40d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.789548]  fff00000c1c40d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.789594] >fff00000c1c40e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.789636]                    ^
[ 26.789662]  fff00000c1c40e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.789717]  fff00000c1c40f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.789763] ==================================================================
```
qemu-x86_64:

```
[ 22.079732] ==================================================================
[ 22.080180] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 22.080747] Read of size 1 at addr ffff888103aaaa00 by task kunit_try_catch/193
[ 22.081133]
[ 22.081273] CPU: 1 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.081326] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.081338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.081361] Call Trace:
[ 22.081376]  <TASK>
[ 22.081396]  dump_stack_lvl+0x73/0xb0
[ 22.081427]  print_report+0xd1/0x650
[ 22.081451]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.081476]  ? krealloc_uaf+0x1b8/0x5e0
[ 22.081508]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.081534]  ? krealloc_uaf+0x1b8/0x5e0
[ 22.081554]  kasan_report+0x141/0x180
[ 22.081586]  ? krealloc_uaf+0x1b8/0x5e0
[ 22.081609]  ? krealloc_uaf+0x1b8/0x5e0
[ 22.081629]  __kasan_check_byte+0x3d/0x50
[ 22.081812]  krealloc_noprof+0x3f/0x340
[ 22.081839]  krealloc_uaf+0x1b8/0x5e0
[ 22.081860]  ? __pfx_krealloc_uaf+0x10/0x10
[ 22.081879]  ? finish_task_switch.isra.0+0x153/0x700
[ 22.081902]  ? __switch_to+0x47/0xf50
[ 22.081929]  ? __schedule+0x10cc/0x2b60
[ 22.081953]  ? __pfx_read_tsc+0x10/0x10
[ 22.081976]  ? ktime_get_ts64+0x86/0x230
[ 22.082002]  kunit_try_run_case+0x1a5/0x480
[ 22.082028]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.082050]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.082074]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.082108]  ? __kthread_parkme+0x82/0x180
[ 22.082129]  ? preempt_count_sub+0x50/0x80
[ 22.082151]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.082185]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.082208]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.082240]  kthread+0x337/0x6f0
[ 22.082260]  ? trace_preempt_on+0x20/0xc0
[ 22.082284]  ? __pfx_kthread+0x10/0x10
[ 22.082303]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.082326]  ? calculate_sigpending+0x7b/0xa0
[ 22.082350]  ? __pfx_kthread+0x10/0x10
[ 22.082370]  ret_from_fork+0x116/0x1d0
[ 22.082389]  ? __pfx_kthread+0x10/0x10
[ 22.082418]  ret_from_fork_asm+0x1a/0x30
[ 22.082451]  </TASK>
[ 22.082463]
[ 22.092380] Allocated by task 193:
[ 22.092555]  kasan_save_stack+0x45/0x70
[ 22.092746]  kasan_save_track+0x18/0x40
[ 22.092962]  kasan_save_alloc_info+0x3b/0x50
[ 22.093783]  __kasan_kmalloc+0xb7/0xc0
[ 22.093947]  __kmalloc_cache_noprof+0x189/0x420
[ 22.094181]  krealloc_uaf+0xbb/0x5e0
[ 22.094428]  kunit_try_run_case+0x1a5/0x480
[ 22.094635]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.094893]  kthread+0x337/0x6f0
[ 22.095014]  ret_from_fork+0x116/0x1d0
[ 22.095433]  ret_from_fork_asm+0x1a/0x30
[ 22.095639]
[ 22.095754] Freed by task 193:
[ 22.095967]  kasan_save_stack+0x45/0x70
[ 22.096104]  kasan_save_track+0x18/0x40
[ 22.096297]  kasan_save_free_info+0x3f/0x60
[ 22.096527]  __kasan_slab_free+0x56/0x70
[ 22.096719]  kfree+0x222/0x3f0
[ 22.096895]  krealloc_uaf+0x13d/0x5e0
[ 22.097158]  kunit_try_run_case+0x1a5/0x480
[ 22.097372]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.097615]  kthread+0x337/0x6f0
[ 22.097750]  ret_from_fork+0x116/0x1d0
[ 22.097932]  ret_from_fork_asm+0x1a/0x30
[ 22.098355]
[ 22.098587] The buggy address belongs to the object at ffff888103aaaa00
[ 22.098587]  which belongs to the cache kmalloc-256 of size 256
[ 22.100058] The buggy address is located 0 bytes inside of
[ 22.100058]  freed 256-byte region [ffff888103aaaa00, ffff888103aaab00)
[ 22.100695]
[ 22.100781] The buggy address belongs to the physical page:
[ 22.101316] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103aaa
[ 22.101727] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 22.102432] flags: 0x200000000000040(head|node=0|zone=2)
[ 22.102777] page_type: f5(slab)
[ 22.103126] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.103534] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.103908] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.104425] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.104889] head: 0200000000000001 ffffea00040eaa81 00000000ffffffff 00000000ffffffff
[ 22.105404] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 22.105695] page dumped because: kasan: bad access detected
[ 22.106145]
[ 22.106252] Memory state around the buggy address:
[ 22.106470]  ffff888103aaa900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.106888]  ffff888103aaa980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.107499] >ffff888103aaaa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.107891]                    ^
[ 22.108016]  ffff888103aaaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.108414]  ffff888103aaab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.109085] ==================================================================
[ 22.109771] ==================================================================
[ 22.110062] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 22.110402] Read of size 1 at addr ffff888103aaaa00 by task kunit_try_catch/193
[ 22.110684]
[ 22.110792] CPU: 1 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.110842] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.110854] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.110876] Call Trace:
[ 22.110897]  <TASK>
[ 22.110917]  dump_stack_lvl+0x73/0xb0
[ 22.110943]  print_report+0xd1/0x650
[ 22.110964]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.110988]  ? krealloc_uaf+0x53c/0x5e0
[ 22.111007]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.111098]  ? krealloc_uaf+0x53c/0x5e0
[ 22.111119]  kasan_report+0x141/0x180
[ 22.111140]  ? krealloc_uaf+0x53c/0x5e0
[ 22.111165]  __asan_report_load1_noabort+0x18/0x20
[ 22.111189]  krealloc_uaf+0x53c/0x5e0
[ 22.111210]  ? __pfx_krealloc_uaf+0x10/0x10
[ 22.111241]  ? finish_task_switch.isra.0+0x153/0x700
[ 22.111265]  ? __switch_to+0x47/0xf50
[ 22.111292]  ? __schedule+0x10cc/0x2b60
[ 22.111319]  ? __pfx_read_tsc+0x10/0x10
[ 22.111341]  ? ktime_get_ts64+0x86/0x230
[ 22.111365]  kunit_try_run_case+0x1a5/0x480
[ 22.111389]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.111412]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.111437]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.111461]  ? __kthread_parkme+0x82/0x180
[ 22.111481]  ? preempt_count_sub+0x50/0x80
[ 22.111502]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.111526]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.111549]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.111572]  kthread+0x337/0x6f0
[ 22.111591]  ? trace_preempt_on+0x20/0xc0
[ 22.111614]  ? __pfx_kthread+0x10/0x10
[ 22.111634]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.111656]  ? calculate_sigpending+0x7b/0xa0
[ 22.111680]  ? __pfx_kthread+0x10/0x10
[ 22.111700]  ret_from_fork+0x116/0x1d0
[ 22.111720]  ? __pfx_kthread+0x10/0x10
[ 22.111739]  ret_from_fork_asm+0x1a/0x30
[ 22.111769]  </TASK>
[ 22.111781]
[ 22.119404] Allocated by task 193:
[ 22.119560]  kasan_save_stack+0x45/0x70
[ 22.119759]  kasan_save_track+0x18/0x40
[ 22.119913]  kasan_save_alloc_info+0x3b/0x50
[ 22.120238]  __kasan_kmalloc+0xb7/0xc0
[ 22.120398]  __kmalloc_cache_noprof+0x189/0x420
[ 22.120644]  krealloc_uaf+0xbb/0x5e0
[ 22.120768]  kunit_try_run_case+0x1a5/0x480
[ 22.120971]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.121211]  kthread+0x337/0x6f0
[ 22.121336]  ret_from_fork+0x116/0x1d0
[ 22.121577]  ret_from_fork_asm+0x1a/0x30
[ 22.121778]
[ 22.121891] Freed by task 193:
[ 22.122056]  kasan_save_stack+0x45/0x70
[ 22.122191]  kasan_save_track+0x18/0x40
[ 22.122390]  kasan_save_free_info+0x3f/0x60
[ 22.122583]  __kasan_slab_free+0x56/0x70
[ 22.122761]  kfree+0x222/0x3f0
[ 22.122904]  krealloc_uaf+0x13d/0x5e0
[ 22.123204]  kunit_try_run_case+0x1a5/0x480
[ 22.123429]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.123642]  kthread+0x337/0x6f0
[ 22.123795]  ret_from_fork+0x116/0x1d0
[ 22.123922]  ret_from_fork_asm+0x1a/0x30
[ 22.124055]
[ 22.124120] The buggy address belongs to the object at ffff888103aaaa00
[ 22.124120]  which belongs to the cache kmalloc-256 of size 256
[ 22.124480] The buggy address is located 0 bytes inside of
[ 22.124480]  freed 256-byte region [ffff888103aaaa00, ffff888103aaab00)
[ 22.125069]
[ 22.125159] The buggy address belongs to the physical page:
[ 22.126081] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103aaa
[ 22.126426] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 22.126648] flags: 0x200000000000040(head|node=0|zone=2)
[ 22.126928] page_type: f5(slab)
[ 22.127170] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.127522] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.127864] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.128301] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.128556] head: 0200000000000001 ffffea00040eaa81 00000000ffffffff 00000000ffffffff
[ 22.128840] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 22.129208] page dumped because: kasan: bad access detected
[ 22.129472]
[ 22.129566] Memory state around the buggy address:
[ 22.129817]  ffff888103aaa900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.130129]  ffff888103aaa980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.130379] >ffff888103aaaa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.130600]                    ^
[ 22.130765]  ffff888103aaaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.131411]  ffff888103aaab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.131727] ==================================================================
```
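How to read these reports: each environment shows the two KASAN hits that KUnit's `krealloc_uaf` test case provokes on purpose, which is why the task is `kunit_try_catch` and the taint line carries `[N]=TEST` (the `[B]=BAD_PAGE` taint is added by the KASAN reporter itself). The report whose trace passes through `krealloc_noprof` and `__kasan_check_byte` is `krealloc()` rejecting the already-freed pointer it was handed; the one reported through `__asan_report_load1_noabort` is the test's own one-byte read of the freed object. Both land at offset 0 of the same freed kmalloc-256 object, whose marked shadow row starts with `fa` (first granule of a freed object, free stack stored) followed by `fb` (freed) and is bracketed by `fc` (slab redzone). The timestamps show the `krealloc()` check always fires first; on the two arm64 environments the page prints the later report before the earlier one. The helper below is an added example, not code from this page, from KUnit or from the kernel: it pulls those facts out of a generic-KASAN slab report and checks that the prose lines, the address arithmetic and the shadow dump agree. The shadow byte values are generic KASAN's (`mm/kasan/kasan.h`); the phrase matching is an assumption about the report format, and the sample lines are constructed from the dragonboard-845c report.

```c
/* kasan_triage.c: pull the triage facts out of a generic-KASAN slab report and
 * cross-check them against the shadow dump.  Added example, not code from this
 * page, KUnit or the kernel; the phrase matching assumes the report format above. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KASAN_GRANULE_SIZE   8    /* generic KASAN (mm/kasan/kasan.h): one shadow byte per 8 bytes */
#define KASAN_SLAB_FREETRACK 0xFA /* first granule of a freed object (free stack stored) */
#define KASAN_SLAB_FREE      0xFB /* freed slab object */

struct kasan_fact {
    char bug[48], func[64], access[8], cache[32];
    unsigned size;                       /* bytes accessed */
    uint64_t addr, region_lo, region_hi; /* fault address; object region [lo, hi) */
    uint64_t stated_off;                 /* "located N bytes ..." as printed */
    int inside, shadow;                  /* "... inside of"?; shadow byte at addr or -1 */
};
/* Constructed sample: the essential lines of the dragonboard-845c report above. */
static const char *const sample[] = {
    "[ 37.330595] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520",
    "[ 37.337305] Read of size 1 at addr ffff00008036f000 by task kunit_try_catch/250",
    "[ 37.501944]  which belongs to the cache kmalloc-256 of size 256",
    "[ 37.514603] The buggy address is located 0 bytes inside of",
    "[ 37.514603]  freed 256-byte region [ffff00008036f000, ffff00008036f100)",
    "[ 37.634231] >ffff00008036f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
};
#define SAMPLE_LINES (sizeof sample / sizeof sample[0])

/* Decode the ">base: b0 .. b15" row and return the shadow byte covering addr. */
static int shadow_for(const char *row, uint64_t addr)
{
    const char *p = strchr(row, '>');
    unsigned long long base;
    if (!p || sscanf(p + 1, "%llx:", &base) != 1 ||
        addr < base || addr >= base + 16 * KASAN_GRANULE_SIZE)
        return -1;                       /* not a shadow row, or addr not on it */
    p = strchr(p, ':') + 1;
    for (uint64_t i = 0;; i++) {
        char *end;
        unsigned long b = strtoul(p, &end, 16);
        if (end == p)
            return -1;                   /* row shorter than 16 bytes */
        if (i == (addr - base) / KASAN_GRANULE_SIZE)
            return (int)b;
        p = end;
    }
}

/* Scan lines in any order ("[ ts]" prefixes are skipped by phrase search); 0 once bug, addr, region found. */
static int kasan_parse(const char *const *lines, size_t n, struct kasan_fact *f)
{
    const char *row = NULL, *p;
    unsigned long long a, b;
    memset(f, 0, sizeof *f);
    f->shadow = -1;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if ((p = strstr(l, "BUG: KASAN: ")))
            (void)sscanf(p + 12, "%47s in %63s", f->bug, f->func);
        else if ((p = strstr(l, "Read of size ")) || (p = strstr(l, "Write of size "))) {
            if (sscanf(p, "%7s of size %u at addr %llx", f->access, &f->size, &a) == 3)
                f->addr = a;
        } else if ((p = strstr(l, "belongs to the cache ")))
            (void)sscanf(p + 21, "%31s", f->cache);
        else if ((p = strstr(l, "region ["))) {
            if (sscanf(p + 8, "%llx, %llx)", &a, &b) == 2)
                f->region_lo = a, f->region_hi = b;
        } else if ((p = strstr(l, "located "))) {
            if (sscanf(p + 8, "%llu bytes", &a) == 1)
                f->stated_off = a, f->inside = strstr(p, "inside of") != NULL;
        } else if ((p = strchr(l, '>')) && isxdigit((unsigned char)p[1]))
            row = l;                     /* the marked row of the shadow dump */
    }
    if (row)
        f->shadow = shadow_for(row, f->addr);
    return f->bug[0] && f->addr && f->region_hi ? 0 : -1;
}

/* Do prose, address arithmetic and shadow agree?  A UAF must land on freed shadow; anything else on poison. */
static int kasan_consistent(const struct kasan_fact *f)
{
    int in_region = f->addr >= f->region_lo && f->addr + f->size <= f->region_hi;
    int off_ok = !f->inside || (in_region && f->addr - f->region_lo == f->stated_off);
    int freed = f->shadow == KASAN_SLAB_FREETRACK || f->shadow == KASAN_SLAB_FREE;
    if (strcmp(f->bug, "slab-use-after-free") == 0)
        return off_ok && freed;
    return f->shadow > 0;
}

int main(void)
{
    struct kasan_fact f;
    int ok = kasan_parse(sample, SAMPLE_LINES, &f) == 0;
    printf("%s in %s: %s of %u at 0x%llx, %s, shadow 0x%02x, %s\n", f.bug, f.func, f.access,
           f.size, (unsigned long long)f.addr, f.cache, f.shadow,
           ok && kasan_consistent(&f) ? "consistent" : "INCONSISTENT");
    return ok ? 0 : 1;
}
```

Build with `cc -std=c11 -Wall kasan_triage.c` and run it; to triage a live report, replace `sample` with the lines from `dmesg`. The consistency check is the useful part when a report has been copied around or trimmed: a use-after-free whose marked shadow byte is not `fa`/`fb`, or whose "located N bytes" line does not match the region arithmetic, was either garbled in transit or is not the report it appears to be.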