Date: July 3, 2025, 10:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

```text
[ 37.788324] ==================================================================
[ 37.800061] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 37.806768] Read of size 1 at addr ffff000086189800 by task kunit_try_catch/273
[ 37.814179]
[ 37.815721] CPU: 3 UID: 0 PID: 273 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 37.815750] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 37.815758] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 37.815768] Call trace:
[ 37.815775]  show_stack+0x20/0x38 (C)
[ 37.815793]  dump_stack_lvl+0x8c/0xd0
[ 37.815812]  print_report+0x118/0x608
[ 37.815830]  kasan_report+0xdc/0x128
[ 37.815850]  __kasan_check_byte+0x54/0x70
[ 37.815868]  krealloc_noprof+0x44/0x360
[ 37.815886]  krealloc_uaf+0x180/0x520
[ 37.815904]  kunit_try_run_case+0x170/0x3f0
[ 37.815923]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.815944]  kthread+0x328/0x630
[ 37.815959]  ret_from_fork+0x10/0x20
[ 37.815976]
[ 37.884249] Allocated by task 273:
[ 37.887711]  kasan_save_stack+0x3c/0x68
[ 37.891614]  kasan_save_track+0x20/0x40
[ 37.895516]  kasan_save_alloc_info+0x40/0x58
[ 37.899854]  __kasan_kmalloc+0xd4/0xd8
[ 37.903666]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 37.908278]  krealloc_uaf+0xc8/0x520
[ 37.911917]  kunit_try_run_case+0x170/0x3f0
[ 37.916173]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.921750]  kthread+0x328/0x630
[ 37.925042]  ret_from_fork+0x10/0x20
[ 37.928680]
[ 37.930210] Freed by task 273:
[ 37.933325]  kasan_save_stack+0x3c/0x68
[ 37.937237]  kasan_save_track+0x20/0x40
[ 37.941148]  kasan_save_free_info+0x4c/0x78
[ 37.945402]  __kasan_slab_free+0x6c/0x98
[ 37.949401]  kfree+0x214/0x3c8
[ 37.952521]  krealloc_uaf+0x12c/0x520
[ 37.956246]  kunit_try_run_case+0x170/0x3f0
[ 37.960501]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.966076]  kthread+0x328/0x630
[ 37.969369]  ret_from_fork+0x10/0x20
[ 37.973007]
[ 37.974537] The buggy address belongs to the object at ffff000086189800
[ 37.974537]  which belongs to the cache kmalloc-256 of size 256
[ 37.987202] The buggy address is located 0 bytes inside of
[ 37.987202]  freed 256-byte region [ffff000086189800, ffff000086189900)
[ 37.999430]
[ 38.000958] The buggy address belongs to the physical page:
[ 38.006610] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106188
[ 38.014714] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 38.022473] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 38.029531] page_type: f5(slab)
[ 38.032737] raw: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 38.040585] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 38.048434] head: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 38.056368] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 38.064300] head: 0bfffe0000000002 fffffdffc2186201 00000000ffffffff 00000000ffffffff
[ 38.072233] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 38.080164] page dumped because: kasan: bad access detected
[ 38.085815]
[ 38.087343] Memory state around the buggy address:
[ 38.092204]  ffff000086189700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.099523]  ffff000086189780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.106840] >ffff000086189800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.114154]                    ^
[ 38.117443]  ffff000086189880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.124759]  ffff000086189900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.132073] ==================================================================
[ 38.139451] ==================================================================
[ 38.146771] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 38.153485] Read of size 1 at addr ffff000086189800 by task kunit_try_catch/273
[ 38.160898]
[ 38.162432] CPU: 3 UID: 0 PID: 273 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 38.162462] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 38.162472] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 38.162483] Call trace:
[ 38.162489]  show_stack+0x20/0x38 (C)
[ 38.162509]  dump_stack_lvl+0x8c/0xd0
[ 38.162530]  print_report+0x118/0x608
[ 38.162549]  kasan_report+0xdc/0x128
[ 38.162568]  __asan_report_load1_noabort+0x20/0x30
[ 38.162586]  krealloc_uaf+0x4c8/0x520
[ 38.162604]  kunit_try_run_case+0x170/0x3f0
[ 38.162622]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.162644]  kthread+0x328/0x630
[ 38.162659]  ret_from_fork+0x10/0x20
[ 38.162677]
[ 38.227864] Allocated by task 273:
[ 38.231328]  kasan_save_stack+0x3c/0x68
[ 38.235239]  kasan_save_track+0x20/0x40
[ 38.239152]  kasan_save_alloc_info+0x40/0x58
[ 38.243491]  __kasan_kmalloc+0xd4/0xd8
[ 38.247305]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 38.251916]  krealloc_uaf+0xc8/0x520
[ 38.255558]  kunit_try_run_case+0x170/0x3f0
[ 38.259810]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.265386]  kthread+0x328/0x630
[ 38.268678]  ret_from_fork+0x10/0x20
[ 38.272318]
[ 38.273848] Freed by task 273:
[ 38.276962]  kasan_save_stack+0x3c/0x68
[ 38.280874]  kasan_save_track+0x20/0x40
[ 38.284785]  kasan_save_free_info+0x4c/0x78
[ 38.289037]  __kasan_slab_free+0x6c/0x98
[ 38.293034]  kfree+0x214/0x3c8
[ 38.296155]  krealloc_uaf+0x12c/0x520
[ 38.299882]  kunit_try_run_case+0x170/0x3f0
[ 38.304137]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.309711]  kthread+0x328/0x630
[ 38.313006]  ret_from_fork+0x10/0x20
[ 38.316645]
[ 38.318176] The buggy address belongs to the object at ffff000086189800
[ 38.318176]  which belongs to the cache kmalloc-256 of size 256
[ 38.330835] The buggy address is located 0 bytes inside of
[ 38.330835]  freed 256-byte region [ffff000086189800, ffff000086189900)
[ 38.343058]
[ 38.344587] The buggy address belongs to the physical page:
[ 38.350237] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106188
[ 38.358342] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 38.366102] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 38.373160] page_type: f5(slab)
[ 38.376365] raw: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 38.384213] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 38.392060] head: 0bfffe0000000040 ffff000080002b40 dead000000000122 0000000000000000
[ 38.399994] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 38.407927] head: 0bfffe0000000002 fffffdffc2186201 00000000ffffffff 00000000ffffffff
[ 38.415859] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 38.423789] page dumped because: kasan: bad access detected
[ 38.429439]
[ 38.430968] Memory state around the buggy address:
[ 38.435828]  ffff000086189700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.443145]  ffff000086189780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.450464] >ffff000086189800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.457777]                    ^
[ 38.461066]  ffff000086189880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.468383]  ffff000086189900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.475698] ==================================================================
```
qemu-arm64:

```text
[ 31.001399] ==================================================================
[ 31.001463] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 31.001520] Read of size 1 at addr fff00000c872c800 by task kunit_try_catch/196
[ 31.001869]
[ 31.001981] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 31.002328] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.002445] Hardware name: linux,dummy-virt (DT)
[ 31.002489] Call trace:
[ 31.002553]  show_stack+0x20/0x38 (C)
[ 31.002655]  dump_stack_lvl+0x8c/0xd0
[ 31.002708]  print_report+0x118/0x608
[ 31.002755]  kasan_report+0xdc/0x128
[ 31.002898]  __asan_report_load1_noabort+0x20/0x30
[ 31.002955]  krealloc_uaf+0x4c8/0x520
[ 31.003135]  kunit_try_run_case+0x170/0x3f0
[ 31.003201]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.003405]  kthread+0x328/0x630
[ 31.003499]  ret_from_fork+0x10/0x20
[ 31.003565]
[ 31.003584] Allocated by task 196:
[ 31.003611]  kasan_save_stack+0x3c/0x68
[ 31.003827]  kasan_save_track+0x20/0x40
[ 31.004076]  kasan_save_alloc_info+0x40/0x58
[ 31.004170]  __kasan_kmalloc+0xd4/0xd8
[ 31.004531]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.004720]  krealloc_uaf+0xc8/0x520
[ 31.004919]  kunit_try_run_case+0x170/0x3f0
[ 31.005016]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.005132]  kthread+0x328/0x630
[ 31.005189]  ret_from_fork+0x10/0x20
[ 31.005250]
[ 31.005269] Freed by task 196:
[ 31.005295]  kasan_save_stack+0x3c/0x68
[ 31.005333]  kasan_save_track+0x20/0x40
[ 31.005370]  kasan_save_free_info+0x4c/0x78
[ 31.005666]  __kasan_slab_free+0x6c/0x98
[ 31.005811]  kfree+0x214/0x3c8
[ 31.005940]  krealloc_uaf+0x12c/0x520
[ 31.006082]  kunit_try_run_case+0x170/0x3f0
[ 31.006268]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.006366]  kthread+0x328/0x630
[ 31.006405]  ret_from_fork+0x10/0x20
[ 31.006764]
[ 31.006814] The buggy address belongs to the object at fff00000c872c800
[ 31.006814]  which belongs to the cache kmalloc-256 of size 256
[ 31.007060] The buggy address is located 0 bytes inside of
[ 31.007060]  freed 256-byte region [fff00000c872c800, fff00000c872c900)
[ 31.007408]
[ 31.007463] The buggy address belongs to the physical page:
[ 31.007675] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10872c
[ 31.007859] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.008032] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 31.008151] page_type: f5(slab)
[ 31.008525] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 31.008585] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.008680] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 31.008731] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.008898] head: 0bfffe0000000001 ffffc1ffc321cb01 00000000ffffffff 00000000ffffffff
[ 31.009136] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 31.009272] page dumped because: kasan: bad access detected
[ 31.009430]
[ 31.009502] Memory state around the buggy address:
[ 31.009654]  fff00000c872c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.009728]  fff00000c872c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.009769] >fff00000c872c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.009847]                    ^
[ 31.010183]  fff00000c872c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.010349]  fff00000c872c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.010513] ==================================================================
[ 30.987935] ==================================================================
[ 30.988119] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 30.988179] Read of size 1 at addr fff00000c872c800 by task kunit_try_catch/196
[ 30.988612]
[ 30.988681] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 30.988902] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.989036] Hardware name: linux,dummy-virt (DT)
[ 30.989119] Call trace:
[ 30.989142]  show_stack+0x20/0x38 (C)
[ 30.989201]  dump_stack_lvl+0x8c/0xd0
[ 30.989397]  print_report+0x118/0x608
[ 30.989635]  kasan_report+0xdc/0x128
[ 30.989790]  __kasan_check_byte+0x54/0x70
[ 30.990078]  krealloc_noprof+0x44/0x360
[ 30.990688]  krealloc_uaf+0x180/0x520
[ 30.990987]  kunit_try_run_case+0x170/0x3f0
[ 30.991249]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.991582]  kthread+0x328/0x630
[ 30.991752]  ret_from_fork+0x10/0x20
[ 30.991889]
[ 30.991910] Allocated by task 196:
[ 30.992112]  kasan_save_stack+0x3c/0x68
[ 30.992295]  kasan_save_track+0x20/0x40
[ 30.992380]  kasan_save_alloc_info+0x40/0x58
[ 30.992555]  __kasan_kmalloc+0xd4/0xd8
[ 30.992868]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.992996]  krealloc_uaf+0xc8/0x520
[ 30.993142]  kunit_try_run_case+0x170/0x3f0
[ 30.993281]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.993436]  kthread+0x328/0x630
[ 30.993517]  ret_from_fork+0x10/0x20
[ 30.993555]
[ 30.993598] Freed by task 196:
[ 30.993638]  kasan_save_stack+0x3c/0x68
[ 30.993829]  kasan_save_track+0x20/0x40
[ 30.994155]  kasan_save_free_info+0x4c/0x78
[ 30.994238]  __kasan_slab_free+0x6c/0x98
[ 30.994443]  kfree+0x214/0x3c8
[ 30.994729]  krealloc_uaf+0x12c/0x520
[ 30.994852]  kunit_try_run_case+0x170/0x3f0
[ 30.994896]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.995419]  kthread+0x328/0x630
[ 30.995545]  ret_from_fork+0x10/0x20
[ 30.995777]
[ 30.996023] The buggy address belongs to the object at fff00000c872c800
[ 30.996023]  which belongs to the cache kmalloc-256 of size 256
[ 30.996562] The buggy address is located 0 bytes inside of
[ 30.996562]  freed 256-byte region [fff00000c872c800, fff00000c872c900)
[ 30.996757]
[ 30.996824] The buggy address belongs to the physical page:
[ 30.996988] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10872c
[ 30.997194] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 30.997320] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 30.997427] page_type: f5(slab)
[ 30.997636] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 30.998005] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.998080] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 30.998243] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.998305] head: 0bfffe0000000001 ffffc1ffc321cb01 00000000ffffffff 00000000ffffffff
[ 30.998545] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 30.998604] page dumped because: kasan: bad access detected
[ 30.998635]
[ 30.998918] Memory state around the buggy address:
[ 30.999097]  fff00000c872c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.999169]  fff00000c872c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.999317] >fff00000c872c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.999507]                    ^
[ 30.999576]  fff00000c872c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.999772]  fff00000c872c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.000219] ==================================================================
```
qemu-x86_64:

```text
[ 23.081385] ==================================================================
[ 23.081862] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 23.082140] Read of size 1 at addr ffff8881055a1000 by task kunit_try_catch/213
[ 23.082683]
[ 23.082781] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.082868] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.082882] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.082903] Call Trace:
[ 23.082915]  <TASK>
[ 23.082931]  dump_stack_lvl+0x73/0xb0
[ 23.082961]  print_report+0xd1/0x650
[ 23.083016]  ? __virt_addr_valid+0x1db/0x2d0
[ 23.083041]  ? krealloc_uaf+0x1b8/0x5e0
[ 23.083061]  ? kasan_complete_mode_report_info+0x64/0x200
[ 23.083087]  ? krealloc_uaf+0x1b8/0x5e0
[ 23.083108]  kasan_report+0x141/0x180
[ 23.083129]  ? krealloc_uaf+0x1b8/0x5e0
[ 23.083153]  ? krealloc_uaf+0x1b8/0x5e0
[ 23.083207]  __kasan_check_byte+0x3d/0x50
[ 23.083230]  krealloc_noprof+0x3f/0x340
[ 23.083258]  krealloc_uaf+0x1b8/0x5e0
[ 23.083289]  ? __pfx_krealloc_uaf+0x10/0x10
[ 23.083469]  ? finish_task_switch.isra.0+0x153/0x700
[ 23.083493]  ? __switch_to+0x47/0xf50
[ 23.083527]  ? __schedule+0x10cc/0x2b60
[ 23.083553]  ? __pfx_read_tsc+0x10/0x10
[ 23.083580]  ? ktime_get_ts64+0x86/0x230
[ 23.083607]  kunit_try_run_case+0x1a5/0x480
[ 23.083634]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.083657]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.083678]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.083703]  ? __kthread_parkme+0x82/0x180
[ 23.083723]  ? preempt_count_sub+0x50/0x80
[ 23.083747]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.083771]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.083794]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.083818]  kthread+0x337/0x6f0
[ 23.083837]  ? trace_preempt_on+0x20/0xc0
[ 23.083860]  ? __pfx_kthread+0x10/0x10
[ 23.083880]  ? _raw_spin_unlock_irq+0x47/0x80
[ 23.083904]  ? calculate_sigpending+0x7b/0xa0
[ 23.083928]  ? __pfx_kthread+0x10/0x10
[ 23.083949]  ret_from_fork+0x116/0x1d0
[ 23.083969]  ? __pfx_kthread+0x10/0x10
[ 23.083989]  ret_from_fork_asm+0x1a/0x30
[ 23.084023]  </TASK>
[ 23.084035]
[ 23.092710] Allocated by task 213:
[ 23.092832]  kasan_save_stack+0x45/0x70
[ 23.092970]  kasan_save_track+0x18/0x40
[ 23.093095]  kasan_save_alloc_info+0x3b/0x50
[ 23.093402]  __kasan_kmalloc+0xb7/0xc0
[ 23.093732]  __kmalloc_cache_noprof+0x189/0x420
[ 23.094335]  krealloc_uaf+0xbb/0x5e0
[ 23.094600]  kunit_try_run_case+0x1a5/0x480
[ 23.094818]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.095093]  kthread+0x337/0x6f0
[ 23.095367]  ret_from_fork+0x116/0x1d0
[ 23.095578]  ret_from_fork_asm+0x1a/0x30
[ 23.095730]
[ 23.095795] Freed by task 213:
[ 23.095897]  kasan_save_stack+0x45/0x70
[ 23.096077]  kasan_save_track+0x18/0x40
[ 23.096253]  kasan_save_free_info+0x3f/0x60
[ 23.096444]  __kasan_slab_free+0x56/0x70
[ 23.096777]  kfree+0x222/0x3f0
[ 23.096896]  krealloc_uaf+0x13d/0x5e0
[ 23.097219]  kunit_try_run_case+0x1a5/0x480
[ 23.097417]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.097661]  kthread+0x337/0x6f0
[ 23.097922]  ret_from_fork+0x116/0x1d0
[ 23.098050]  ret_from_fork_asm+0x1a/0x30
[ 23.098554]
[ 23.098659] The buggy address belongs to the object at ffff8881055a1000
[ 23.098659]  which belongs to the cache kmalloc-256 of size 256
[ 23.099330] The buggy address is located 0 bytes inside of
[ 23.099330]  freed 256-byte region [ffff8881055a1000, ffff8881055a1100)
[ 23.099856]
[ 23.099984] The buggy address belongs to the physical page:
[ 23.100347] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1055a0
[ 23.100594] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.100807] flags: 0x200000000000040(head|node=0|zone=2)
[ 23.101053] page_type: f5(slab)
[ 23.101244] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.101725] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.102152] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.102751] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.102989] head: 0200000000000001 ffffea0004156801 00000000ffffffff 00000000ffffffff
[ 23.103634] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.103979] page dumped because: kasan: bad access detected
[ 23.104217]
[ 23.104279] Memory state around the buggy address:
[ 23.104679]  ffff8881055a0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.104992]  ffff8881055a0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.105365] >ffff8881055a1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.105710]                    ^
[ 23.105871]  ffff8881055a1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.106200]  ffff8881055a1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.106589] ==================================================================
[ 23.107581] ==================================================================
[ 23.107961] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 23.108288] Read of size 1 at addr ffff8881055a1000 by task kunit_try_catch/213
[ 23.108725]
[ 23.108830] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.108877] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.108888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.108910] Call Trace:
[ 23.108923]  <TASK>
[ 23.108938]  dump_stack_lvl+0x73/0xb0
[ 23.108966]  print_report+0xd1/0x650
[ 23.108989]  ? __virt_addr_valid+0x1db/0x2d0
[ 23.109012]  ? krealloc_uaf+0x53c/0x5e0
[ 23.109033]  ? kasan_complete_mode_report_info+0x64/0x200
[ 23.109058]  ? krealloc_uaf+0x53c/0x5e0
[ 23.109079]  kasan_report+0x141/0x180
[ 23.109100]  ? krealloc_uaf+0x53c/0x5e0
[ 23.109127]  __asan_report_load1_noabort+0x18/0x20
[ 23.109150]  krealloc_uaf+0x53c/0x5e0
[ 23.109171]  ? __pfx_krealloc_uaf+0x10/0x10
[ 23.109191]  ? finish_task_switch.isra.0+0x153/0x700
[ 23.109212]  ? __switch_to+0x47/0xf50
[ 23.109245]  ? __schedule+0x10cc/0x2b60
[ 23.109270]  ? __pfx_read_tsc+0x10/0x10
[ 23.109296]  ? ktime_get_ts64+0x86/0x230
[ 23.109322]  kunit_try_run_case+0x1a5/0x480
[ 23.109347]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.109369]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.109390]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.109415]  ? __kthread_parkme+0x82/0x180
[ 23.109435]  ? preempt_count_sub+0x50/0x80
[ 23.109469]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.109494]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.109517]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.109581]  kthread+0x337/0x6f0
[ 23.109602]  ? trace_preempt_on+0x20/0xc0
[ 23.109625]  ? __pfx_kthread+0x10/0x10
[ 23.109646]  ? _raw_spin_unlock_irq+0x47/0x80
[ 23.109669]  ? calculate_sigpending+0x7b/0xa0
[ 23.109693]  ? __pfx_kthread+0x10/0x10
[ 23.109715]  ret_from_fork+0x116/0x1d0
[ 23.109734]  ? __pfx_kthread+0x10/0x10
[ 23.109755]  ret_from_fork_asm+0x1a/0x30
[ 23.109788]  </TASK>
[ 23.109799]
[ 23.121764] Allocated by task 213:
[ 23.122383]  kasan_save_stack+0x45/0x70
[ 23.122986]  kasan_save_track+0x18/0x40
[ 23.123658]  kasan_save_alloc_info+0x3b/0x50
[ 23.123898]  __kasan_kmalloc+0xb7/0xc0
[ 23.124033]  __kmalloc_cache_noprof+0x189/0x420
[ 23.124597]  krealloc_uaf+0xbb/0x5e0
[ 23.125098]  kunit_try_run_case+0x1a5/0x480
[ 23.125753]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.126416]  kthread+0x337/0x6f0
[ 23.126568]  ret_from_fork+0x116/0x1d0
[ 23.126701]  ret_from_fork_asm+0x1a/0x30
[ 23.126834]
[ 23.126900] Freed by task 213:
[ 23.127005]  kasan_save_stack+0x45/0x70
[ 23.127229]  kasan_save_track+0x18/0x40
[ 23.127578]  kasan_save_free_info+0x3f/0x60
[ 23.128369]  __kasan_slab_free+0x56/0x70
[ 23.128933]  kfree+0x222/0x3f0
[ 23.129323]  krealloc_uaf+0x13d/0x5e0
[ 23.129676]  kunit_try_run_case+0x1a5/0x480
[ 23.130052]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.130598]  kthread+0x337/0x6f0
[ 23.130890]  ret_from_fork+0x116/0x1d0
[ 23.131434]  ret_from_fork_asm+0x1a/0x30
[ 23.131595]
[ 23.131662] The buggy address belongs to the object at ffff8881055a1000
[ 23.131662]  which belongs to the cache kmalloc-256 of size 256
[ 23.132013] The buggy address is located 0 bytes inside of
[ 23.132013]  freed 256-byte region [ffff8881055a1000, ffff8881055a1100)
[ 23.132946]
[ 23.133112] The buggy address belongs to the physical page:
[ 23.133695] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1055a0
[ 23.134494] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 23.135109] flags: 0x200000000000040(head|node=0|zone=2)
[ 23.135692] page_type: f5(slab)
[ 23.135979] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.136277] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.137110] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 23.137695] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.137932] head: 0200000000000001 ffffea0004156801 00000000ffffffff 00000000ffffffff
[ 23.138355] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 23.138637] page dumped because: kasan: bad access detected
[ 23.138804]
[ 23.138869] Memory state around the buggy address:
[ 23.139016]  ffff8881055a0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.139817]  ffff8881055a0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.140649] >ffff8881055a1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.141435]                    ^
[ 23.141765]  ffff8881055a1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.142615]  ffff8881055a1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.143335] ==================================================================
```