Date
July 2, 2025, 11:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 30.776716] ==================================================================
[ 30.776770] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 30.776817] Read of size 1 at addr fff00000c8f6fc00 by task kunit_try_catch/197
[ 30.777140]
[ 30.777202] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT
[ 30.777299] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.777328] Hardware name: linux,dummy-virt (DT)
[ 30.777412] Call trace:
[ 30.777462] show_stack+0x20/0x38 (C)
[ 30.777514] dump_stack_lvl+0x8c/0xd0
[ 30.777609] print_report+0x118/0x608
[ 30.777689] kasan_report+0xdc/0x128
[ 30.777758] __asan_report_load1_noabort+0x20/0x30
[ 30.777807] krealloc_uaf+0x4c8/0x520
[ 30.778008] kunit_try_run_case+0x170/0x3f0
[ 30.778203] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.778335] kthread+0x328/0x630
[ 30.778403] ret_from_fork+0x10/0x20
[ 30.778460]
[ 30.778479] Allocated by task 197:
[ 30.778514] kasan_save_stack+0x3c/0x68
[ 30.778630] kasan_save_track+0x20/0x40
[ 30.778689] kasan_save_alloc_info+0x40/0x58
[ 30.778725] __kasan_kmalloc+0xd4/0xd8
[ 30.778761] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.779035] krealloc_uaf+0xc8/0x520
[ 30.779172] kunit_try_run_case+0x170/0x3f0
[ 30.779219] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.779263] kthread+0x328/0x630
[ 30.779352] ret_from_fork+0x10/0x20
[ 30.779409]
[ 30.779449] Freed by task 197:
[ 30.779487] kasan_save_stack+0x3c/0x68
[ 30.779607] kasan_save_track+0x20/0x40
[ 30.779676] kasan_save_free_info+0x4c/0x78
[ 30.779800] __kasan_slab_free+0x6c/0x98
[ 30.779849] kfree+0x214/0x3c8
[ 30.779881] krealloc_uaf+0x12c/0x520
[ 30.780090] kunit_try_run_case+0x170/0x3f0
[ 30.780148] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.780312] kthread+0x328/0x630
[ 30.780426] ret_from_fork+0x10/0x20
[ 30.780483]
[ 30.780528] The buggy address belongs to the object at fff00000c8f6fc00
[ 30.780528] which belongs to the cache kmalloc-256 of size 256
[ 30.780662] The buggy address is located 0 bytes inside of
[ 30.780662] freed 256-byte region [fff00000c8f6fc00, fff00000c8f6fd00)
[ 30.780739]
[ 30.780758] The buggy address belongs to the physical page:
[ 30.780788] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108f6e
[ 30.781251] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 30.781375] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 30.781466] page_type: f5(slab)
[ 30.781530] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 30.781649] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.781857] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 30.782082] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.782179] head: 0bfffe0000000001 ffffc1ffc323db81 00000000ffffffff 00000000ffffffff
[ 30.782310] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 30.782380] page dumped because: kasan: bad access detected
[ 30.782439]
[ 30.782536] Memory state around the buggy address:
[ 30.782607] fff00000c8f6fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.782666] fff00000c8f6fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.782960] >fff00000c8f6fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.783107] ^
[ 30.783201] fff00000c8f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.783277] fff00000c8f6fd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.783347] ==================================================================
[ 30.768662] ==================================================================
[ 30.768911] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 30.768996] Read of size 1 at addr fff00000c8f6fc00 by task kunit_try_catch/197
[ 30.769117]
[ 30.769153] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT
[ 30.769516] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.769630] Hardware name: linux,dummy-virt (DT)
[ 30.769680] Call trace:
[ 30.769719] show_stack+0x20/0x38 (C)
[ 30.769818] dump_stack_lvl+0x8c/0xd0
[ 30.769897] print_report+0x118/0x608
[ 30.769958] kasan_report+0xdc/0x128
[ 30.770006] __kasan_check_byte+0x54/0x70
[ 30.770289] krealloc_noprof+0x44/0x360
[ 30.770380] krealloc_uaf+0x180/0x520
[ 30.770595] kunit_try_run_case+0x170/0x3f0
[ 30.770666] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.770911] kthread+0x328/0x630
[ 30.770983] ret_from_fork+0x10/0x20
[ 30.771033]
[ 30.771265] Allocated by task 197:
[ 30.771341] kasan_save_stack+0x3c/0x68
[ 30.771396] kasan_save_track+0x20/0x40
[ 30.771553] kasan_save_alloc_info+0x40/0x58
[ 30.771644] __kasan_kmalloc+0xd4/0xd8
[ 30.771695] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.771820] krealloc_uaf+0xc8/0x520
[ 30.771869] kunit_try_run_case+0x170/0x3f0
[ 30.771989] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.772074] kthread+0x328/0x630
[ 30.772119] ret_from_fork+0x10/0x20
[ 30.772156]
[ 30.772194] Freed by task 197:
[ 30.772576] kasan_save_stack+0x3c/0x68
[ 30.772648] kasan_save_track+0x20/0x40
[ 30.772782] kasan_save_free_info+0x4c/0x78
[ 30.772849] __kasan_slab_free+0x6c/0x98
[ 30.772972] kfree+0x214/0x3c8
[ 30.773072] krealloc_uaf+0x12c/0x520
[ 30.773140] kunit_try_run_case+0x170/0x3f0
[ 30.773253] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.773299] kthread+0x328/0x630
[ 30.773628] ret_from_fork+0x10/0x20
[ 30.773794]
[ 30.773864] The buggy address belongs to the object at fff00000c8f6fc00
[ 30.773864] which belongs to the cache kmalloc-256 of size 256
[ 30.774064] The buggy address is located 0 bytes inside of
[ 30.774064] freed 256-byte region [fff00000c8f6fc00, fff00000c8f6fd00)
[ 30.774470]
[ 30.774500] The buggy address belongs to the physical page:
[ 30.774535] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108f6e
[ 30.774589] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 30.774682] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 30.774735] page_type: f5(slab)
[ 30.774787] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 30.774847] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.774895] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 30.774964] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.775029] head: 0bfffe0000000001 ffffc1ffc323db81 00000000ffffffff 00000000ffffffff
[ 30.775086] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 30.775127] page dumped because: kasan: bad access detected
[ 30.775166]
[ 30.775185] Memory state around the buggy address:
[ 30.775217] fff00000c8f6fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.775259] fff00000c8f6fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.775308] >fff00000c8f6fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.775354] ^
[ 30.775382] fff00000c8f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.775428] fff00000c8f6fd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.775466] ==================================================================
```
```
[ 32.558374] ==================================================================
[ 32.558421] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 32.558467] Read of size 1 at addr fff00000c893f600 by task kunit_try_catch/195
[ 32.558515]
[ 32.558542] CPU: 1 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT
[ 32.558625] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.558651] Hardware name: linux,dummy-virt (DT)
[ 32.558681] Call trace:
[ 32.558703] show_stack+0x20/0x38 (C)
[ 32.558750] dump_stack_lvl+0x8c/0xd0
[ 32.558799] print_report+0x118/0x608
[ 32.559269] kasan_report+0xdc/0x128
[ 32.559341] __asan_report_load1_noabort+0x20/0x30
[ 32.559503] krealloc_uaf+0x4c8/0x520
[ 32.559550] kunit_try_run_case+0x170/0x3f0
[ 32.559598] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.559650] kthread+0x328/0x630
[ 32.559713] ret_from_fork+0x10/0x20
[ 32.559760]
[ 32.559778] Allocated by task 195:
[ 32.559855] kasan_save_stack+0x3c/0x68
[ 32.559904] kasan_save_track+0x20/0x40
[ 32.559942] kasan_save_alloc_info+0x40/0x58
[ 32.560135] __kasan_kmalloc+0xd4/0xd8
[ 32.560304] __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.560350] krealloc_uaf+0xc8/0x520
[ 32.560385] kunit_try_run_case+0x170/0x3f0
[ 32.560422] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.560482] kthread+0x328/0x630
[ 32.560553] ret_from_fork+0x10/0x20
[ 32.560643]
[ 32.560662] Freed by task 195:
[ 32.560708] kasan_save_stack+0x3c/0x68
[ 32.560853] kasan_save_track+0x20/0x40
[ 32.560906] kasan_save_free_info+0x4c/0x78
[ 32.560981] __kasan_slab_free+0x6c/0x98
[ 32.561019] kfree+0x214/0x3c8
[ 32.561091] krealloc_uaf+0x12c/0x520
[ 32.561186] kunit_try_run_case+0x170/0x3f0
[ 32.561223] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.561265] kthread+0x328/0x630
[ 32.561296] ret_from_fork+0x10/0x20
[ 32.561330]
[ 32.561348] The buggy address belongs to the object at fff00000c893f600
[ 32.561348] which belongs to the cache kmalloc-256 of size 256
[ 32.561695] The buggy address is located 0 bytes inside of
[ 32.561695] freed 256-byte region [fff00000c893f600, fff00000c893f700)
[ 32.561758]
[ 32.561845] The buggy address belongs to the physical page:
[ 32.561919] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10893e
[ 32.562178] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.562224] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.562273] page_type: f5(slab)
[ 32.562318] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[ 32.562636] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.562689] head: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[ 32.562758] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.562806] head: 0bfffe0000000001 ffffc1ffc3224f81 00000000ffffffff 00000000ffffffff
[ 32.563035] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 32.563138] page dumped because: kasan: bad access detected
[ 32.563180]
[ 32.563197] Memory state around the buggy address:
[ 32.563227] fff00000c893f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.563275] fff00000c893f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.563315] >fff00000c893f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.563351] ^
[ 32.563378] fff00000c893f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.563791] fff00000c893f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.563849] ==================================================================
[ 32.552140] ==================================================================
[ 32.552229] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 32.552283] Read of size 1 at addr fff00000c893f600 by task kunit_try_catch/195
[ 32.552397]
[ 32.552481] CPU: 1 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT
[ 32.552569] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.552594] Hardware name: linux,dummy-virt (DT)
[ 32.552624] Call trace:
[ 32.552646] show_stack+0x20/0x38 (C)
[ 32.552996] dump_stack_lvl+0x8c/0xd0
[ 32.553068] print_report+0x118/0x608
[ 32.553116] kasan_report+0xdc/0x128
[ 32.553175] __kasan_check_byte+0x54/0x70
[ 32.553221] krealloc_noprof+0x44/0x360
[ 32.553269] krealloc_uaf+0x180/0x520
[ 32.553314] kunit_try_run_case+0x170/0x3f0
[ 32.553361] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.553412] kthread+0x328/0x630
[ 32.553454] ret_from_fork+0x10/0x20
[ 32.553506]
[ 32.553524] Allocated by task 195:
[ 32.553587] kasan_save_stack+0x3c/0x68
[ 32.553635] kasan_save_track+0x20/0x40
[ 32.553771] kasan_save_alloc_info+0x40/0x58
[ 32.553806] __kasan_kmalloc+0xd4/0xd8
[ 32.553848] __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.553931] krealloc_uaf+0xc8/0x520
[ 32.554063] kunit_try_run_case+0x170/0x3f0
[ 32.554101] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.554144] kthread+0x328/0x630
[ 32.554191] ret_from_fork+0x10/0x20
[ 32.554351]
[ 32.554446] Freed by task 195:
[ 32.554538] kasan_save_stack+0x3c/0x68
[ 32.554617] kasan_save_track+0x20/0x40
[ 32.554659] kasan_save_free_info+0x4c/0x78
[ 32.554783] __kasan_slab_free+0x6c/0x98
[ 32.554820] kfree+0x214/0x3c8
[ 32.554852] krealloc_uaf+0x12c/0x520
[ 32.554887] kunit_try_run_case+0x170/0x3f0
[ 32.554924] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.554971] kthread+0x328/0x630
[ 32.555091] ret_from_fork+0x10/0x20
[ 32.555126]
[ 32.555474] The buggy address belongs to the object at fff00000c893f600
[ 32.555474] which belongs to the cache kmalloc-256 of size 256
[ 32.556010] The buggy address is located 0 bytes inside of
[ 32.556010] freed 256-byte region [fff00000c893f600, fff00000c893f700)
[ 32.556240]
[ 32.556265] The buggy address belongs to the physical page:
[ 32.556298] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10893e
[ 32.556350] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.556396] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.556542] page_type: f5(slab)
[ 32.556584] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[ 32.556633] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.556681] head: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[ 32.556729] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.556777] head: 0bfffe0000000001 ffffc1ffc3224f81 00000000ffffffff 00000000ffffffff
[ 32.556824] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 32.556862] page dumped because: kasan: bad access detected
[ 32.556989]
[ 32.557066] Memory state around the buggy address:
[ 32.557378] fff00000c893f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.557512] fff00000c893f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.557620] >fff00000c893f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.557657] ^
[ 32.557685] fff00000c893f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.557726] fff00000c893f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.557762] ==================================================================
```
```
[ 22.998009] ==================================================================
[ 22.998503] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 22.998982] Read of size 1 at addr ffff888100a03a00 by task kunit_try_catch/212
[ 23.000030]
[ 23.000329] CPU: 1 UID: 0 PID: 212 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary)
[ 23.000382] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.000395] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.000415] Call Trace:
[ 23.000427] <TASK>
[ 23.000442] dump_stack_lvl+0x73/0xb0
[ 23.000471] print_report+0xd1/0x650
[ 23.000593] ? __virt_addr_valid+0x1db/0x2d0
[ 23.000622] ? krealloc_uaf+0x1b8/0x5e0
[ 23.000643] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.000668] ? krealloc_uaf+0x1b8/0x5e0
[ 23.000760] kasan_report+0x141/0x180
[ 23.000783] ? krealloc_uaf+0x1b8/0x5e0
[ 23.000806] ? krealloc_uaf+0x1b8/0x5e0
[ 23.000827] __kasan_check_byte+0x3d/0x50
[ 23.000848] krealloc_noprof+0x3f/0x340
[ 23.000875] krealloc_uaf+0x1b8/0x5e0
[ 23.000896] ? __pfx_krealloc_uaf+0x10/0x10
[ 23.000972] ? ktime_get_ts64+0x13a/0x230
[ 23.000997] ? ktime_get_ts64+0x86/0x230
[ 23.001020] kunit_try_run_case+0x1a5/0x480
[ 23.001044] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.001067] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.001088] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.001109] ? __kthread_parkme+0x82/0x180
[ 23.001129] ? preempt_count_sub+0x50/0x80
[ 23.001152] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.001176] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.001199] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.001222] kthread+0x337/0x6f0
[ 23.001241] ? trace_preempt_on+0x20/0xc0
[ 23.001263] ? __pfx_kthread+0x10/0x10
[ 23.001283] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.001317] ? calculate_sigpending+0x7b/0xa0
[ 23.001340] ? __pfx_kthread+0x10/0x10
[ 23.001361] ret_from_fork+0x116/0x1d0
[ 23.001380] ? __pfx_kthread+0x10/0x10
[ 23.001399] ret_from_fork_asm+0x1a/0x30
[ 23.001429] </TASK>
[ 23.001441]
[ 23.013442] Allocated by task 212:
[ 23.013813] kasan_save_stack+0x45/0x70
[ 23.014359] kasan_save_track+0x18/0x40
[ 23.014759] kasan_save_alloc_info+0x3b/0x50
[ 23.015059] __kasan_kmalloc+0xb7/0xc0
[ 23.015187] __kmalloc_cache_noprof+0x189/0x420
[ 23.015347] krealloc_uaf+0xbb/0x5e0
[ 23.015471] kunit_try_run_case+0x1a5/0x480
[ 23.015904] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.016375] kthread+0x337/0x6f0
[ 23.016725] ret_from_fork+0x116/0x1d0
[ 23.017059] ret_from_fork_asm+0x1a/0x30
[ 23.017419]
[ 23.017570] Freed by task 212:
[ 23.017887] kasan_save_stack+0x45/0x70
[ 23.018437] kasan_save_track+0x18/0x40
[ 23.018909] kasan_save_free_info+0x3f/0x60
[ 23.019244] __kasan_slab_free+0x56/0x70
[ 23.019390] kfree+0x222/0x3f0
[ 23.019515] krealloc_uaf+0x13d/0x5e0
[ 23.019830] kunit_try_run_case+0x1a5/0x480
[ 23.020339] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.020893] kthread+0x337/0x6f0
[ 23.021180] ret_from_fork+0x116/0x1d0
[ 23.021522] ret_from_fork_asm+0x1a/0x30
[ 23.021930]
[ 23.022006] The buggy address belongs to the object at ffff888100a03a00
[ 23.022006] which belongs to the cache kmalloc-256 of size 256
[ 23.022426] The buggy address is located 0 bytes inside of
[ 23.022426] freed 256-byte region [ffff888100a03a00, ffff888100a03b00)
[ 23.022926]
[ 23.023107] The buggy address belongs to the physical page:
[ 23.023331] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a02
[ 23.023863] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.024130] flags: 0x200000000000040(head|node=0|zone=2)
[ 23.024380] page_type: f5(slab)
[ 23.024498] raw: 0200000000000040 ffff888100041b40 ffffea0004028480 dead000000000002
[ 23.024804] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.025168] head: 0200000000000040 ffff888100041b40 ffffea0004028480 dead000000000002
[ 23.025431] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.025859] head: 0200000000000001 ffffea0004028081 00000000ffffffff 00000000ffffffff
[ 23.026212] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.026759] page dumped because: kasan: bad access detected
[ 23.027091]
[ 23.027174] Memory state around the buggy address:
[ 23.027390] ffff888100a03900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.027619] ffff888100a03980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.027929] >ffff888100a03a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.028314] ^
[ 23.028454] ffff888100a03a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.028704] ffff888100a03b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.029080] ==================================================================
[ 23.029798] ==================================================================
[ 23.030304] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 23.030642] Read of size 1 at addr ffff888100a03a00 by task kunit_try_catch/212
[ 23.031287]
[ 23.031416] CPU: 1 UID: 0 PID: 212 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary)
[ 23.031463] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.031476] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.031496] Call Trace:
[ 23.031509] <TASK>
[ 23.031525] dump_stack_lvl+0x73/0xb0
[ 23.031556] print_report+0xd1/0x650
[ 23.031578] ? __virt_addr_valid+0x1db/0x2d0
[ 23.031601] ? krealloc_uaf+0x53c/0x5e0
[ 23.031621] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.031647] ? krealloc_uaf+0x53c/0x5e0
[ 23.031667] kasan_report+0x141/0x180
[ 23.031688] ? krealloc_uaf+0x53c/0x5e0
[ 23.031713] __asan_report_load1_noabort+0x18/0x20
[ 23.031736] krealloc_uaf+0x53c/0x5e0
[ 23.031757] ? __pfx_krealloc_uaf+0x10/0x10
[ 23.031836] ? ktime_get_ts64+0x13a/0x230
[ 23.031859] ? ktime_get_ts64+0x86/0x230
[ 23.031882] kunit_try_run_case+0x1a5/0x480
[ 23.031908] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.031931] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.031953] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.031975] ? __kthread_parkme+0x82/0x180
[ 23.031995] ? preempt_count_sub+0x50/0x80
[ 23.032018] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.032042] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.032065] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.032089] kthread+0x337/0x6f0
[ 23.032107] ? trace_preempt_on+0x20/0xc0
[ 23.032130] ? __pfx_kthread+0x10/0x10
[ 23.032150] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.032173] ? calculate_sigpending+0x7b/0xa0
[ 23.032197] ? __pfx_kthread+0x10/0x10
[ 23.032218] ret_from_fork+0x116/0x1d0
[ 23.032237] ? __pfx_kthread+0x10/0x10
[ 23.032257] ret_from_fork_asm+0x1a/0x30
[ 23.032287] </TASK>
[ 23.032298]
[ 23.039214] Allocated by task 212:
[ 23.039477] kasan_save_stack+0x45/0x70
[ 23.039630] kasan_save_track+0x18/0x40
[ 23.039987] kasan_save_alloc_info+0x3b/0x50
[ 23.040180] __kasan_kmalloc+0xb7/0xc0
[ 23.040343] __kmalloc_cache_noprof+0x189/0x420
[ 23.040509] krealloc_uaf+0xbb/0x5e0
[ 23.040729] kunit_try_run_case+0x1a5/0x480
[ 23.040938] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.041163] kthread+0x337/0x6f0
[ 23.041323] ret_from_fork+0x116/0x1d0
[ 23.041475] ret_from_fork_asm+0x1a/0x30
[ 23.041666]
[ 23.041762] Freed by task 212:
[ 23.041899] kasan_save_stack+0x45/0x70
[ 23.042068] kasan_save_track+0x18/0x40
[ 23.042225] kasan_save_free_info+0x3f/0x60
[ 23.042382] __kasan_slab_free+0x56/0x70
[ 23.042923] kfree+0x222/0x3f0
[ 23.043123] krealloc_uaf+0x13d/0x5e0
[ 23.043264] kunit_try_run_case+0x1a5/0x480
[ 23.043463] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.043821] kthread+0x337/0x6f0
[ 23.043975] ret_from_fork+0x116/0x1d0
[ 23.044143] ret_from_fork_asm+0x1a/0x30
[ 23.044336]
[ 23.044429] The buggy address belongs to the object at ffff888100a03a00
[ 23.044429] which belongs to the cache kmalloc-256 of size 256
[ 23.045035] The buggy address is located 0 bytes inside of
[ 23.045035] freed 256-byte region [ffff888100a03a00, ffff888100a03b00)
[ 23.045432]
[ 23.045520] The buggy address belongs to the physical page:
[ 23.045813] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a02
[ 23.046171] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.046450] flags: 0x200000000000040(head|node=0|zone=2)
[ 23.046881] page_type: f5(slab)
[ 23.047015] raw: 0200000000000040 ffff888100041b40 ffffea0004028480 dead000000000002
[ 23.047239] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.047557] head: 0200000000000040 ffff888100041b40 ffffea0004028480 dead000000000002
[ 23.047886] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.048119] head: 0200000000000001 ffffea0004028081 00000000ffffffff 00000000ffffffff
[ 23.048699] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.048924] page dumped because: kasan: bad access detected
[ 23.049088]
[ 23.049151] Memory state around the buggy address:
[ 23.049360] ffff888100a03900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.049868] ffff888100a03980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.050248] >ffff888100a03a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.050795] ^
[ 23.050959] ffff888100a03a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.051203] ffff888100a03b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.051420] ==================================================================
```
```
[ 23.283314] ==================================================================
[ 23.283681] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 23.284533] Read of size 1 at addr ffff888105572a00 by task kunit_try_catch/213
[ 23.284858]
[ 23.285001] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary)
[ 23.285054] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.285081] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.285104] Call Trace:
[ 23.285128] <TASK>
[ 23.285148] dump_stack_lvl+0x73/0xb0
[ 23.285180] print_report+0xd1/0x650
[ 23.285326] ? __virt_addr_valid+0x1db/0x2d0
[ 23.285351] ? krealloc_uaf+0x53c/0x5e0
[ 23.285372] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.285411] ? krealloc_uaf+0x53c/0x5e0
[ 23.285433] kasan_report+0x141/0x180
[ 23.285454] ? krealloc_uaf+0x53c/0x5e0
[ 23.285493] __asan_report_load1_noabort+0x18/0x20
[ 23.285518] krealloc_uaf+0x53c/0x5e0
[ 23.285539] ? __pfx_krealloc_uaf+0x10/0x10
[ 23.285568] ? finish_task_switch.isra.0+0x153/0x700
[ 23.285592] ? __switch_to+0x47/0xf50
[ 23.285618] ? __schedule+0x10cc/0x2b60
[ 23.285651] ? __pfx_read_tsc+0x10/0x10
[ 23.285673] ? ktime_get_ts64+0x86/0x230
[ 23.285699] kunit_try_run_case+0x1a5/0x480
[ 23.285725] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.285748] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.285769] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.285791] ? __kthread_parkme+0x82/0x180
[ 23.285811] ? preempt_count_sub+0x50/0x80
[ 23.285838] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.285863] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.285887] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.285911] kthread+0x337/0x6f0
[ 23.285942] ? trace_preempt_on+0x20/0xc0
[ 23.285965] ? __pfx_kthread+0x10/0x10
[ 23.285986] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.286010] ? calculate_sigpending+0x7b/0xa0
[ 23.286034] ? __pfx_kthread+0x10/0x10
[ 23.286056] ret_from_fork+0x116/0x1d0
[ 23.286085] ? __pfx_kthread+0x10/0x10
[ 23.286106] ret_from_fork_asm+0x1a/0x30
[ 23.286137] </TASK>
[ 23.286149]
[ 23.294136] Allocated by task 213:
[ 23.294587] kasan_save_stack+0x45/0x70
[ 23.294742] kasan_save_track+0x18/0x40
[ 23.294952] kasan_save_alloc_info+0x3b/0x50
[ 23.295234] __kasan_kmalloc+0xb7/0xc0
[ 23.295427] __kmalloc_cache_noprof+0x189/0x420
[ 23.295616] krealloc_uaf+0xbb/0x5e0
[ 23.295786] kunit_try_run_case+0x1a5/0x480
[ 23.296004] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.296319] kthread+0x337/0x6f0
[ 23.296495] ret_from_fork+0x116/0x1d0
[ 23.296674] ret_from_fork_asm+0x1a/0x30
[ 23.296880]
[ 23.296995] Freed by task 213:
[ 23.297150] kasan_save_stack+0x45/0x70
[ 23.297342] kasan_save_track+0x18/0x40
[ 23.297474] kasan_save_free_info+0x3f/0x60
[ 23.297617] __kasan_slab_free+0x56/0x70
[ 23.297836] kfree+0x222/0x3f0
[ 23.298018] krealloc_uaf+0x13d/0x5e0
[ 23.298258] kunit_try_run_case+0x1a5/0x480
[ 23.298465] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.298676] kthread+0x337/0x6f0
[ 23.298790] ret_from_fork+0x116/0x1d0
[ 23.298981] ret_from_fork_asm+0x1a/0x30
[ 23.299467]
[ 23.299570] The buggy address belongs to the object at ffff888105572a00
[ 23.299570] which belongs to the cache kmalloc-256 of size 256
[ 23.300137] The buggy address is located 0 bytes inside of
[ 23.300137] freed 256-byte region [ffff888105572a00, ffff888105572b00)
[ 23.300699]
[ 23.300770] The buggy address belongs to the physical page:
[ 23.300955] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105572
[ 23.301358] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.301690] flags: 0x200000000000040(head|node=0|zone=2)
[ 23.301975] page_type: f5(slab)
[ 23.302152] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.302570] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.302834] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.303153] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.303599] head: 0200000000000001 ffffea0004155c81 00000000ffffffff 00000000ffffffff
[ 23.303984] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.304300] page dumped because: kasan: bad access detected
[ 23.304508]
[ 23.304955] Memory state around the buggy address:
[ 23.305136] ffff888105572900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.305496] ffff888105572980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.305808] >ffff888105572a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.306084] ^
[ 23.306313] ffff888105572a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.306655] ffff888105572b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.306973] ==================================================================
[ 23.254760] ==================================================================
[ 23.255241] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 23.255676] Read of size 1 at addr ffff888105572a00 by task kunit_try_catch/213
[ 23.256007]
[ 23.256151] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary)
[ 23.256207] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.256220] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.256243] Call Trace:
[ 23.256258] <TASK>
[ 23.256278] dump_stack_lvl+0x73/0xb0
[ 23.256311] print_report+0xd1/0x650
[ 23.256346] ? __virt_addr_valid+0x1db/0x2d0
[ 23.256383] ? krealloc_uaf+0x1b8/0x5e0
[ 23.256403] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.256429] ? krealloc_uaf+0x1b8/0x5e0
[ 23.256503] kasan_report+0x141/0x180
[ 23.256526] ? krealloc_uaf+0x1b8/0x5e0
[ 23.256550] ? krealloc_uaf+0x1b8/0x5e0
[ 23.256571] __kasan_check_byte+0x3d/0x50
[ 23.256592] krealloc_noprof+0x3f/0x340
[ 23.256631] krealloc_uaf+0x1b8/0x5e0
[ 23.256652] ? __pfx_krealloc_uaf+0x10/0x10
[ 23.256672] ? finish_task_switch.isra.0+0x153/0x700
[ 23.256706] ? __switch_to+0x47/0xf50
[ 23.256733] ? __schedule+0x10cc/0x2b60
[ 23.256755] ? __pfx_read_tsc+0x10/0x10
[ 23.256777] ? ktime_get_ts64+0x86/0x230
[ 23.256813] kunit_try_run_case+0x1a5/0x480
[ 23.256841] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.256874] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.256896] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.256917] ? __kthread_parkme+0x82/0x180
[ 23.256938] ? preempt_count_sub+0x50/0x80
[ 23.256971] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.256996] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.257019] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.257043] kthread+0x337/0x6f0
[ 23.257072] ? trace_preempt_on+0x20/0xc0
[ 23.257097] ? __pfx_kthread+0x10/0x10
[ 23.257117] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.257141] ? calculate_sigpending+0x7b/0xa0
[ 23.257165] ? __pfx_kthread+0x10/0x10
[ 23.257197] ret_from_fork+0x116/0x1d0
[ 23.257216] ? __pfx_kthread+0x10/0x10
[ 23.257236] ret_from_fork_asm+0x1a/0x30
[ 23.257268] </TASK>
[ 23.257281]
[ 23.268915] Allocated by task 213:
[ 23.269363] kasan_save_stack+0x45/0x70
[ 23.269602] kasan_save_track+0x18/0x40
[ 23.269735] kasan_save_alloc_info+0x3b/0x50
[ 23.269884] __kasan_kmalloc+0xb7/0xc0
[ 23.270039] __kmalloc_cache_noprof+0x189/0x420
[ 23.270265] krealloc_uaf+0xbb/0x5e0
[ 23.270463] kunit_try_run_case+0x1a5/0x480
[ 23.270606] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.271051] kthread+0x337/0x6f0
[ 23.271280] ret_from_fork+0x116/0x1d0
[ 23.271499] ret_from_fork_asm+0x1a/0x30
[ 23.271691]
[ 23.271789] Freed by task 213:
[ 23.271920] kasan_save_stack+0x45/0x70
[ 23.272220] kasan_save_track+0x18/0x40
[ 23.272433] kasan_save_free_info+0x3f/0x60
[ 23.272602] __kasan_slab_free+0x56/0x70
[ 23.272791] kfree+0x222/0x3f0
[ 23.272933] krealloc_uaf+0x13d/0x5e0
[ 23.273080] kunit_try_run_case+0x1a5/0x480
[ 23.273262] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.273519] kthread+0x337/0x6f0
[ 23.273743] ret_from_fork+0x116/0x1d0
[ 23.273912] ret_from_fork_asm+0x1a/0x30
[ 23.274105]
[ 23.274172] The buggy address belongs to the object at ffff888105572a00
[ 23.274172] which belongs to the cache kmalloc-256 of size 256
[ 23.274808] The buggy address is located 0 bytes inside of
[ 23.274808] freed 256-byte region [ffff888105572a00, ffff888105572b00)
[ 23.275549]
[ 23.275647] The buggy address belongs to the physical page:
[ 23.275889] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105572
[ 23.276396] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.276735] flags: 0x200000000000040(head|node=0|zone=2)
[ 23.277010] page_type: f5(slab)
[ 23.277246] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.277493] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.277973] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.278238] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.278621] head: 0200000000000001 ffffea0004155c81 00000000ffffffff 00000000ffffffff
[ 23.279011] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.279399] page dumped because: kasan: bad access detected
[ 23.279654]
[ 23.279744] Memory state around the buggy address:
[ 23.279983] ffff888105572900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.280369] ffff888105572980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.280596] >ffff888105572a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.280899] ^
[ 23.281093] ffff888105572a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.281406] ffff888105572b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.281675] ==================================================================
```