Date
July 10, 2025, 9:07 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[   29.439652] ==================================================================
[   29.439702] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   29.439760] Read of size 1 at addr fff00000c83c9c00 by task kunit_try_catch/195
[   29.439857]
[   29.439914] CPU: 0 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT
[   29.440039] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.440079] Hardware name: linux,dummy-virt (DT)
[   29.440109] Call trace:
[   29.440151]  show_stack+0x20/0x38 (C)
[   29.440228]  dump_stack_lvl+0x8c/0xd0
[   29.440383]  print_report+0x118/0x5d0
[   29.440506]  kasan_report+0xdc/0x128
[   29.440548]  __asan_report_load1_noabort+0x20/0x30
[   29.440596]  krealloc_uaf+0x4c8/0x520
[   29.440642]  kunit_try_run_case+0x170/0x3f0
[   29.440689]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.440742]  kthread+0x328/0x630
[   29.440791]  ret_from_fork+0x10/0x20
[   29.440838]
[   29.440855] Allocated by task 195:
[   29.440882]  kasan_save_stack+0x3c/0x68
[   29.441077]  kasan_save_track+0x20/0x40
[   29.441116]  kasan_save_alloc_info+0x40/0x58
[   29.441162]  __kasan_kmalloc+0xd4/0xd8
[   29.441198]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.441236]  krealloc_uaf+0xc8/0x520
[   29.441271]  kunit_try_run_case+0x170/0x3f0
[   29.441318]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.441362]  kthread+0x328/0x630
[   29.441412]  ret_from_fork+0x10/0x20
[   29.441446]
[   29.441464] Freed by task 195:
[   29.441489]  kasan_save_stack+0x3c/0x68
[   29.441614]  kasan_save_track+0x20/0x40
[   29.441783]  kasan_save_free_info+0x4c/0x78
[   29.441964]  __kasan_slab_free+0x6c/0x98
[   29.442068]  kfree+0x214/0x3c8
[   29.442100]  krealloc_uaf+0x12c/0x520
[   29.442144]  kunit_try_run_case+0x170/0x3f0
[   29.442184]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.442227]  kthread+0x328/0x630
[   29.442423]  ret_from_fork+0x10/0x20
[   29.442605]
[   29.442624] The buggy address belongs to the object at fff00000c83c9c00
[   29.442624]  which belongs to the cache kmalloc-256 of size 256
[   29.442683] The buggy address is located 0 bytes inside of
[   29.442683]  freed 256-byte region [fff00000c83c9c00, fff00000c83c9d00)
[   29.442744]
[   29.442762] The buggy address belongs to the physical page:
[   29.442793] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1083c8
[   29.442854] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   29.442901] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   29.442972] page_type: f5(slab)
[   29.443010] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.443068] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.443123] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.443184] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.443261] head: 0bfffe0000000001 ffffc1ffc320f201 00000000ffffffff 00000000ffffffff
[   29.443370] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   29.443478] page dumped because: kasan: bad access detected
[   29.443582]
[   29.443599] Memory state around the buggy address:
[   29.443630]  fff00000c83c9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.443672]  fff00000c83c9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.443713] >fff00000c83c9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.443917]                    ^
[   29.443947]  fff00000c83c9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.444085]  fff00000c83c9d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.444135] ==================================================================
[   29.434557] ==================================================================
[   29.434619] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   29.434674] Read of size 1 at addr fff00000c83c9c00 by task kunit_try_catch/195
[   29.434756]
[   29.434788] CPU: 0 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT
[   29.434899] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.434925] Hardware name: linux,dummy-virt (DT)
[   29.434968] Call trace:
[   29.435021]  show_stack+0x20/0x38 (C)
[   29.435071]  dump_stack_lvl+0x8c/0xd0
[   29.435126]  print_report+0x118/0x5d0
[   29.435179]  kasan_report+0xdc/0x128
[   29.435220]  __kasan_check_byte+0x54/0x70
[   29.435266]  krealloc_noprof+0x44/0x360
[   29.435313]  krealloc_uaf+0x180/0x520
[   29.435357]  kunit_try_run_case+0x170/0x3f0
[   29.435424]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.435476]  kthread+0x328/0x630
[   29.435603]  ret_from_fork+0x10/0x20
[   29.435682]
[   29.435707] Allocated by task 195:
[   29.435734]  kasan_save_stack+0x3c/0x68
[   29.435776]  kasan_save_track+0x20/0x40
[   29.435823]  kasan_save_alloc_info+0x40/0x58
[   29.435860]  __kasan_kmalloc+0xd4/0xd8
[   29.435926]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.435968]  krealloc_uaf+0xc8/0x520
[   29.436014]  kunit_try_run_case+0x170/0x3f0
[   29.436158]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.436228]  kthread+0x328/0x630
[   29.436259]  ret_from_fork+0x10/0x20
[   29.436294]
[   29.436328] Freed by task 195:
[   29.436401]  kasan_save_stack+0x3c/0x68
[   29.436453]  kasan_save_track+0x20/0x40
[   29.436584]  kasan_save_free_info+0x4c/0x78
[   29.436730]  __kasan_slab_free+0x6c/0x98
[   29.436845]  kfree+0x214/0x3c8
[   29.436879]  krealloc_uaf+0x12c/0x520
[   29.436977]  kunit_try_run_case+0x170/0x3f0
[   29.437016]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.437061]  kthread+0x328/0x630
[   29.437099]  ret_from_fork+0x10/0x20
[   29.437211]
[   29.437278] The buggy address belongs to the object at fff00000c83c9c00
[   29.437278]  which belongs to the cache kmalloc-256 of size 256
[   29.437601] The buggy address is located 0 bytes inside of
[   29.437601]  freed 256-byte region [fff00000c83c9c00, fff00000c83c9d00)
[   29.437813]
[   29.437840] The buggy address belongs to the physical page:
[   29.437960] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1083c8
[   29.438013] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   29.438104] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   29.438184] page_type: f5(slab)
[   29.438222] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.438308] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.438395] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.438444] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.438504] head: 0bfffe0000000001 ffffc1ffc320f201 00000000ffffffff 00000000ffffffff
[   29.438552] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   29.438592] page dumped because: kasan: bad access detected
[   29.438623]
[   29.438642] Memory state around the buggy address:
[   29.438672]  fff00000c83c9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.438742]  fff00000c83c9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.438784] >fff00000c83c9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.438822]                    ^
[   29.438849]  fff00000c83c9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.438890]  fff00000c83c9d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.438928] ==================================================================
```
qemu-x86_64:

```text
[   24.959730] ==================================================================
[   24.960210] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   24.960521] Read of size 1 at addr ffff888100a1c200 by task kunit_try_catch/212
[   24.961079]
[   24.961198] CPU: 1 UID: 0 PID: 212 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary)
[   24.961249] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.961261] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.961283] Call Trace:
[   24.961296]  <TASK>
[   24.961314]  dump_stack_lvl+0x73/0xb0
[   24.961347]  print_report+0xd1/0x610
[   24.961370]  ? __virt_addr_valid+0x1db/0x2d0
[   24.961395]  ? krealloc_uaf+0x1b8/0x5e0
[   24.961416]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.961441]  ? krealloc_uaf+0x1b8/0x5e0
[   24.961462]  kasan_report+0x141/0x180
[   24.961513]  ? krealloc_uaf+0x1b8/0x5e0
[   24.961537]  ? krealloc_uaf+0x1b8/0x5e0
[   24.961558]  __kasan_check_byte+0x3d/0x50
[   24.961579]  krealloc_noprof+0x3f/0x340
[   24.961606]  krealloc_uaf+0x1b8/0x5e0
[   24.961627]  ? __pfx_krealloc_uaf+0x10/0x10
[   24.961647]  ? finish_task_switch.isra.0+0x153/0x700
[   24.961670]  ? __switch_to+0x47/0xf80
[   24.961696]  ? __schedule+0x10cc/0x2b60
[   24.961730]  ? __pfx_read_tsc+0x10/0x10
[   24.961752]  ? ktime_get_ts64+0x86/0x230
[   24.961807]  kunit_try_run_case+0x1a5/0x480
[   24.961830]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.961850]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.961872]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.961895]  ? __kthread_parkme+0x82/0x180
[   24.961915]  ? preempt_count_sub+0x50/0x80
[   24.961937]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.961958]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.961983]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.962008]  kthread+0x337/0x6f0
[   24.962028]  ? trace_preempt_on+0x20/0xc0
[   24.962051]  ? __pfx_kthread+0x10/0x10
[   24.962072]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.962093]  ? calculate_sigpending+0x7b/0xa0
[   24.962116]  ? __pfx_kthread+0x10/0x10
[   24.962137]  ret_from_fork+0x116/0x1d0
[   24.962156]  ? __pfx_kthread+0x10/0x10
[   24.962177]  ret_from_fork_asm+0x1a/0x30
[   24.962208]  </TASK>
[   24.962220]
[   24.970026] Allocated by task 212:
[   24.970163]  kasan_save_stack+0x45/0x70
[   24.970307]  kasan_save_track+0x18/0x40
[   24.970508]  kasan_save_alloc_info+0x3b/0x50
[   24.970729]  __kasan_kmalloc+0xb7/0xc0
[   24.970911]  __kmalloc_cache_noprof+0x189/0x420
[   24.971123]  krealloc_uaf+0xbb/0x5e0
[   24.971278]  kunit_try_run_case+0x1a5/0x480
[   24.971468]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.971671]  kthread+0x337/0x6f0
[   24.972101]  ret_from_fork+0x116/0x1d0
[   24.972294]  ret_from_fork_asm+0x1a/0x30
[   24.972450]
[   24.972549] Freed by task 212:
[   24.972670]  kasan_save_stack+0x45/0x70
[   24.972966]  kasan_save_track+0x18/0x40
[   24.973155]  kasan_save_free_info+0x3f/0x60
[   24.973330]  __kasan_slab_free+0x56/0x70
[   24.973519]  kfree+0x222/0x3f0
[   24.973661]  krealloc_uaf+0x13d/0x5e0
[   24.973912]  kunit_try_run_case+0x1a5/0x480
[   24.974066]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.974240]  kthread+0x337/0x6f0
[   24.974355]  ret_from_fork+0x116/0x1d0
[   24.974481]  ret_from_fork_asm+0x1a/0x30
[   24.974707]
[   24.974873] The buggy address belongs to the object at ffff888100a1c200
[   24.974873]  which belongs to the cache kmalloc-256 of size 256
[   24.975463] The buggy address is located 0 bytes inside of
[   24.975463]  freed 256-byte region [ffff888100a1c200, ffff888100a1c300)
[   24.976158]
[   24.976264] The buggy address belongs to the physical page:
[   24.976552] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1c
[   24.976927] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.977247] anon flags: 0x200000000000040(head|node=0|zone=2)
[   24.977443] page_type: f5(slab)
[   24.977563] raw: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   24.978938] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.979299] head: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   24.981315] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.981587] head: 0200000000000001 ffffea0004028701 00000000ffffffff 00000000ffffffff
[   24.982778] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   24.983409] page dumped because: kasan: bad access detected
[   24.983591]
[   24.983661] Memory state around the buggy address:
[   24.984543]  ffff888100a1c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.984989]  ffff888100a1c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.985321] >ffff888100a1c200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.985633]                    ^
[   24.986004]  ffff888100a1c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.986241]  ffff888100a1c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.986515] ==================================================================
[   24.987150] ==================================================================
[   24.987450] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   24.988725] Read of size 1 at addr ffff888100a1c200 by task kunit_try_catch/212
[   24.989108]
[   24.989213] CPU: 1 UID: 0 PID: 212 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary)
[   24.989263] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.989275] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.989296] Call Trace:
[   24.989315]  <TASK>
[   24.989332]  dump_stack_lvl+0x73/0xb0
[   24.989361]  print_report+0xd1/0x610
[   24.989385]  ? __virt_addr_valid+0x1db/0x2d0
[   24.989410]  ? krealloc_uaf+0x53c/0x5e0
[   24.989430]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.989455]  ? krealloc_uaf+0x53c/0x5e0
[   24.989476]  kasan_report+0x141/0x180
[   24.989497]  ? krealloc_uaf+0x53c/0x5e0
[   24.989543]  __asan_report_load1_noabort+0x18/0x20
[   24.989567]  krealloc_uaf+0x53c/0x5e0
[   24.989588]  ? __pfx_krealloc_uaf+0x10/0x10
[   24.989608]  ? finish_task_switch.isra.0+0x153/0x700
[   24.989629]  ? __switch_to+0x47/0xf80
[   24.989655]  ? __schedule+0x10cc/0x2b60
[   24.989677]  ? __pfx_read_tsc+0x10/0x10
[   24.989712]  ? ktime_get_ts64+0x86/0x230
[   24.989736]  kunit_try_run_case+0x1a5/0x480
[   24.989758]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.989967]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.989993]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.990016]  ? __kthread_parkme+0x82/0x180
[   24.990037]  ? preempt_count_sub+0x50/0x80
[   24.990060]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.990082]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.990108]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.990133]  kthread+0x337/0x6f0
[   24.990152]  ? trace_preempt_on+0x20/0xc0
[   24.990175]  ? __pfx_kthread+0x10/0x10
[   24.990195]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.990216]  ? calculate_sigpending+0x7b/0xa0
[   24.990239]  ? __pfx_kthread+0x10/0x10
[   24.990260]  ret_from_fork+0x116/0x1d0
[   24.990280]  ? __pfx_kthread+0x10/0x10
[   24.990300]  ret_from_fork_asm+0x1a/0x30
[   24.990331]  </TASK>
[   24.990343]
[   24.997610] Allocated by task 212:
[   24.997746]  kasan_save_stack+0x45/0x70
[   24.998109]  kasan_save_track+0x18/0x40
[   24.998300]  kasan_save_alloc_info+0x3b/0x50
[   24.998505]  __kasan_kmalloc+0xb7/0xc0
[   24.998723]  __kmalloc_cache_noprof+0x189/0x420
[   24.999293]  krealloc_uaf+0xbb/0x5e0
[   24.999488]  kunit_try_run_case+0x1a5/0x480
[   24.999720]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.000030]  kthread+0x337/0x6f0
[   25.000200]  ret_from_fork+0x116/0x1d0
[   25.000356]  ret_from_fork_asm+0x1a/0x30
[   25.000576]
[   25.000653] Freed by task 212:
[   25.000877]  kasan_save_stack+0x45/0x70
[   25.001037]  kasan_save_track+0x18/0x40
[   25.001222]  kasan_save_free_info+0x3f/0x60
[   25.001396]  __kasan_slab_free+0x56/0x70
[   25.001608]  kfree+0x222/0x3f0
[   25.001757]  krealloc_uaf+0x13d/0x5e0
[   25.002140]  kunit_try_run_case+0x1a5/0x480
[   25.002316]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.002528]  kthread+0x337/0x6f0
[   25.002713]  ret_from_fork+0x116/0x1d0
[   25.002888]  ret_from_fork_asm+0x1a/0x30
[   25.003063]
[   25.003156] The buggy address belongs to the object at ffff888100a1c200
[   25.003156]  which belongs to the cache kmalloc-256 of size 256
[   25.003638] The buggy address is located 0 bytes inside of
[   25.003638]  freed 256-byte region [ffff888100a1c200, ffff888100a1c300)
[   25.004090]
[   25.004183] The buggy address belongs to the physical page:
[   25.004411] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1c
[   25.004869] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   25.005219] anon flags: 0x200000000000040(head|node=0|zone=2)
[   25.005519] page_type: f5(slab)
[   25.005670] raw: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   25.006161] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.006407] head: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   25.006668] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.007101] head: 0200000000000001 ffffea0004028701 00000000ffffffff 00000000ffffffff
[   25.007443] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   25.007880] page dumped because: kasan: bad access detected
[   25.008131]
[   25.008218] Memory state around the buggy address:
[   25.008381]  ffff888100a1c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.008620]  ffff888100a1c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.009015] >ffff888100a1c200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.009332]                    ^
[   25.009475]  ffff888100a1c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.009748]  ffff888100a1c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.010189] ==================================================================
```