Date
July 14, 2025, 10:38 a.m.
Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |
e850-96

```text
[   41.586779] ==================================================================
[   41.596682] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   41.603275] Read of size 1 at addr ffff0008042d2400 by task kunit_try_catch/248
[   41.610567]
[   41.612051] CPU: 2 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[   41.612100] Tainted: [B]=BAD_PAGE, [N]=TEST
[   41.612116] Hardware name: WinLink E850-96 board (DT)
[   41.612135] Call trace:
[   41.612148]  show_stack+0x20/0x38 (C)
[   41.612184]  dump_stack_lvl+0x8c/0xd0
[   41.612217]  print_report+0x118/0x5d0
[   41.612242]  kasan_report+0xdc/0x128
[   41.612271]  __kasan_check_byte+0x54/0x70
[   41.612297]  krealloc_noprof+0x44/0x360
[   41.612335]  krealloc_uaf+0x180/0x520
[   41.612365]  kunit_try_run_case+0x170/0x3f0
[   41.612401]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.612434]  kthread+0x328/0x630
[   41.612464]  ret_from_fork+0x10/0x20
[   41.612497]
[   41.678623] Allocated by task 248:
[   41.682009]  kasan_save_stack+0x3c/0x68
[   41.685826]  kasan_save_track+0x20/0x40
[   41.689646]  kasan_save_alloc_info+0x40/0x58
[   41.693899]  __kasan_kmalloc+0xd4/0xd8
[   41.697631]  __kmalloc_cache_noprof+0x16c/0x3c0
[   41.702145]  krealloc_uaf+0xc8/0x520
[   41.705704]  kunit_try_run_case+0x170/0x3f0
[   41.709871]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.715339]  kthread+0x328/0x630
[   41.718552]  ret_from_fork+0x10/0x20
[   41.722110]
[   41.723587] Freed by task 248:
[   41.726624]  kasan_save_stack+0x3c/0x68
[   41.730443]  kasan_save_track+0x20/0x40
[   41.734263]  kasan_save_free_info+0x4c/0x78
[   41.738430]  __kasan_slab_free+0x6c/0x98
[   41.742337]  kfree+0x214/0x3c8
[   41.745374]  krealloc_uaf+0x12c/0x520
[   41.749020]  kunit_try_run_case+0x170/0x3f0
[   41.753186]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.758655]  kthread+0x328/0x630
[   41.761867]  ret_from_fork+0x10/0x20
[   41.765426]
[   41.766903] The buggy address belongs to the object at ffff0008042d2400
[   41.766903]  which belongs to the cache kmalloc-256 of size 256
[   41.779404] The buggy address is located 0 bytes inside of
[   41.779404]  freed 256-byte region [ffff0008042d2400, ffff0008042d2500)
[   41.791467]
[   41.792945] The buggy address belongs to the physical page:
[   41.798503] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8842d0
[   41.806486] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   41.814126] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   41.821070] page_type: f5(slab)
[   41.824205] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   41.831924] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   41.839651] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   41.847462] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   41.855275] head: 0bfffe0000000002 fffffdffe010b401 00000000ffffffff 00000000ffffffff
[   41.863087] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   41.870893] page dumped because: kasan: bad access detected
[   41.876448]
[   41.877925] Memory state around the buggy address:
[   41.882705]  ffff0008042d2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.889907]  ffff0008042d2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.897111] >ffff0008042d2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.904313]                    ^
[   41.907528]  ffff0008042d2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.914732]  ffff0008042d2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.921935] ==================================================================
[   41.929346] ==================================================================
[   41.936348] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   41.942941] Read of size 1 at addr ffff0008042d2400 by task kunit_try_catch/248
[   41.950232]
[   41.951717] CPU: 2 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[   41.951768] Tainted: [B]=BAD_PAGE, [N]=TEST
[   41.951782] Hardware name: WinLink E850-96 board (DT)
[   41.951801] Call trace:
[   41.951814]  show_stack+0x20/0x38 (C)
[   41.951849]  dump_stack_lvl+0x8c/0xd0
[   41.951881]  print_report+0x118/0x5d0
[   41.951908]  kasan_report+0xdc/0x128
[   41.951933]  __asan_report_load1_noabort+0x20/0x30
[   41.951968]  krealloc_uaf+0x4c8/0x520
[   41.951998]  kunit_try_run_case+0x170/0x3f0
[   41.952034]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.952065]  kthread+0x328/0x630
[   41.952093]  ret_from_fork+0x10/0x20
[   41.952125]
[   42.015248] Allocated by task 248:
[   42.018634]  kasan_save_stack+0x3c/0x68
[   42.022453]  kasan_save_track+0x20/0x40
[   42.026273]  kasan_save_alloc_info+0x40/0x58
[   42.030526]  __kasan_kmalloc+0xd4/0xd8
[   42.034258]  __kmalloc_cache_noprof+0x16c/0x3c0
[   42.038772]  krealloc_uaf+0xc8/0x520
[   42.042331]  kunit_try_run_case+0x170/0x3f0
[   42.046498]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   42.051966]  kthread+0x328/0x630
[   42.055178]  ret_from_fork+0x10/0x20
[   42.058737]
[   42.060213] Freed by task 248:
[   42.063251]  kasan_save_stack+0x3c/0x68
[   42.067070]  kasan_save_track+0x20/0x40
[   42.070890]  kasan_save_free_info+0x4c/0x78
[   42.075056]  __kasan_slab_free+0x6c/0x98
[   42.078963]  kfree+0x214/0x3c8
[   42.082001]  krealloc_uaf+0x12c/0x520
[   42.085647]  kunit_try_run_case+0x170/0x3f0
[   42.089813]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   42.095282]  kthread+0x328/0x630
[   42.098494]  ret_from_fork+0x10/0x20
[   42.102053]
[   42.103529] The buggy address belongs to the object at ffff0008042d2400
[   42.103529]  which belongs to the cache kmalloc-256 of size 256
[   42.116031] The buggy address is located 0 bytes inside of
[   42.116031]  freed 256-byte region [ffff0008042d2400, ffff0008042d2500)
[   42.128094]
[   42.129572] The buggy address belongs to the physical page:
[   42.135127] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8842d0
[   42.143113] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   42.150753] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   42.157695] page_type: f5(slab)
[   42.160830] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   42.168551] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   42.176278] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   42.184089] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   42.191902] head: 0bfffe0000000002 fffffdffe010b401 00000000ffffffff 00000000ffffffff
[   42.199714] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   42.207519] page dumped because: kasan: bad access detected
[   42.213075]
[   42.214551] Memory state around the buggy address:
[   42.219330]  ffff0008042d2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.226533]  ffff0008042d2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.233738] >ffff0008042d2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.240939]                    ^
[   42.244155]  ffff0008042d2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.251359]  ffff0008042d2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.258561] ==================================================================
```
qemu-arm64

```text
[   29.531496] ==================================================================
[   29.531561] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   29.531704] Read of size 1 at addr fff00000c9688400 by task kunit_try_catch/195
[   29.531769]
[   29.531802] CPU: 0 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[   29.531884] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.531909] Hardware name: linux,dummy-virt (DT)
[   29.531939] Call trace:
[   29.531961]  show_stack+0x20/0x38 (C)
[   29.532009]  dump_stack_lvl+0x8c/0xd0
[   29.532065]  print_report+0x118/0x5d0
[   29.532120]  kasan_report+0xdc/0x128
[   29.532256]  __kasan_check_byte+0x54/0x70
[   29.532348]  krealloc_noprof+0x44/0x360
[   29.532419]  krealloc_uaf+0x180/0x520
[   29.532482]  kunit_try_run_case+0x170/0x3f0
[   29.532528]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.532576]  kthread+0x328/0x630
[   29.532616]  ret_from_fork+0x10/0x20
[   29.532663]
[   29.532681] Allocated by task 195:
[   29.532709]  kasan_save_stack+0x3c/0x68
[   29.532750]  kasan_save_track+0x20/0x40
[   29.532787]  kasan_save_alloc_info+0x40/0x58
[   29.532843]  __kasan_kmalloc+0xd4/0xd8
[   29.532880]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.532918]  krealloc_uaf+0xc8/0x520
[   29.533008]  kunit_try_run_case+0x170/0x3f0
[   29.533058]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.533098]  kthread+0x328/0x630
[   29.533131]  ret_from_fork+0x10/0x20
[   29.533166]
[   29.533199] Freed by task 195:
[   29.533247]  kasan_save_stack+0x3c/0x68
[   29.533285]  kasan_save_track+0x20/0x40
[   29.533321]  kasan_save_free_info+0x4c/0x78
[   29.533357]  __kasan_slab_free+0x6c/0x98
[   29.533394]  kfree+0x214/0x3c8
[   29.533428]  krealloc_uaf+0x12c/0x520
[   29.533472]  kunit_try_run_case+0x170/0x3f0
[   29.533670]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.533712]  kthread+0x328/0x630
[   29.533744]  ret_from_fork+0x10/0x20
[   29.533796]
[   29.533918] The buggy address belongs to the object at fff00000c9688400
[   29.533918]  which belongs to the cache kmalloc-256 of size 256
[   29.534084] The buggy address is located 0 bytes inside of
[   29.534084]  freed 256-byte region [fff00000c9688400, fff00000c9688500)
[   29.534145]
[   29.534166] The buggy address belongs to the physical page:
[   29.534197] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109688
[   29.534248] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   29.534294] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   29.534422] page_type: f5(slab)
[   29.534540] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.534710] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.534758] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.534805] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.534853] head: 0bfffe0000000001 ffffc1ffc325a201 00000000ffffffff 00000000ffffffff
[   29.534901] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   29.534940] page dumped because: kasan: bad access detected
[   29.534971]
[   29.534989] Memory state around the buggy address:
[   29.535021]  fff00000c9688300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.535081]  fff00000c9688380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.535121] >fff00000c9688400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.535157]                    ^
[   29.535183]  fff00000c9688480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.535223]  fff00000c9688500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.535260] ==================================================================
[   29.536698] ==================================================================
[   29.536748] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   29.536795] Read of size 1 at addr fff00000c9688400 by task kunit_try_catch/195
[   29.536931]
[   29.536965] CPU: 0 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[   29.537044] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.537081] Hardware name: linux,dummy-virt (DT)
[   29.537110] Call trace:
[   29.537131]  show_stack+0x20/0x38 (C)
[   29.537187]  dump_stack_lvl+0x8c/0xd0
[   29.537233]  print_report+0x118/0x5d0
[   29.537275]  kasan_report+0xdc/0x128
[   29.537316]  __asan_report_load1_noabort+0x20/0x30
[   29.537362]  krealloc_uaf+0x4c8/0x520
[   29.537407]  kunit_try_run_case+0x170/0x3f0
[   29.537453]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.537571]  kthread+0x328/0x630
[   29.537694]  ret_from_fork+0x10/0x20
[   29.537742]
[   29.537759] Allocated by task 195:
[   29.537791]  kasan_save_stack+0x3c/0x68
[   29.537864]  kasan_save_track+0x20/0x40
[   29.537901]  kasan_save_alloc_info+0x40/0x58
[   29.537936]  __kasan_kmalloc+0xd4/0xd8
[   29.537972]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.538011]  krealloc_uaf+0xc8/0x520
[   29.538045]  kunit_try_run_case+0x170/0x3f0
[   29.538091]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.538129]  kthread+0x328/0x630
[   29.538160]  ret_from_fork+0x10/0x20
[   29.538263]
[   29.538349] Freed by task 195:
[   29.538470]  kasan_save_stack+0x3c/0x68
[   29.538552]  kasan_save_track+0x20/0x40
[   29.538589]  kasan_save_free_info+0x4c/0x78
[   29.538624]  __kasan_slab_free+0x6c/0x98
[   29.538660]  kfree+0x214/0x3c8
[   29.538692]  krealloc_uaf+0x12c/0x520
[   29.538726]  kunit_try_run_case+0x170/0x3f0
[   29.538763]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.538808]  kthread+0x328/0x630
[   29.538957]  ret_from_fork+0x10/0x20
[   29.539080]
[   29.539097] The buggy address belongs to the object at fff00000c9688400
[   29.539097]  which belongs to the cache kmalloc-256 of size 256
[   29.539153] The buggy address is located 0 bytes inside of
[   29.539153]  freed 256-byte region [fff00000c9688400, fff00000c9688500)
[   29.539210]
[   29.539229] The buggy address belongs to the physical page:
[   29.539259] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109688
[   29.539309] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   29.539354] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   29.539439] page_type: f5(slab)
[   29.539670] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.539720] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.539769] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   29.539816] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.539863] head: 0bfffe0000000001 ffffc1ffc325a201 00000000ffffffff 00000000ffffffff
[   29.539910] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   29.539948] page dumped because: kasan: bad access detected
[   29.539986]
[   29.540004] Memory state around the buggy address:
[   29.540034]  fff00000c9688300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.540084]  fff00000c9688380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.540125] >fff00000c9688400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.540183]                    ^
[   29.540210]  fff00000c9688480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.540250]  fff00000c9688500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.540302] ==================================================================
```
qemu-x86_64

```text
[   24.200597] ==================================================================
[   24.201087] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   24.201350] Read of size 1 at addr ffff888103d99800 by task kunit_try_catch/213
[   24.201668]
[   24.201789] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary)
[   24.201840] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   24.201853] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.201876] Call Trace:
[   24.201888]  <TASK>
[   24.201906]  dump_stack_lvl+0x73/0xb0
[   24.201938]  print_report+0xd1/0x610
[   24.202004]  ? __virt_addr_valid+0x1db/0x2d0
[   24.202027]  ? krealloc_uaf+0x53c/0x5e0
[   24.202054]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.202078]  ? krealloc_uaf+0x53c/0x5e0
[   24.202099]  kasan_report+0x141/0x180
[   24.202120]  ? krealloc_uaf+0x53c/0x5e0
[   24.202144]  __asan_report_load1_noabort+0x18/0x20
[   24.202167]  krealloc_uaf+0x53c/0x5e0
[   24.202188]  ? __pfx_krealloc_uaf+0x10/0x10
[   24.202208]  ? finish_task_switch.isra.0+0x153/0x700
[   24.202230]  ? __switch_to+0x47/0xf80
[   24.202256]  ? __schedule+0x10cc/0x2b60
[   24.202279]  ? __pfx_read_tsc+0x10/0x10
[   24.202301]  ? ktime_get_ts64+0x86/0x230
[   24.202325]  kunit_try_run_case+0x1a5/0x480
[   24.202348]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.202367]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.202390]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.202596]  ? __kthread_parkme+0x82/0x180
[   24.202624]  ? preempt_count_sub+0x50/0x80
[   24.202646]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.202683]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.202708]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.202732]  kthread+0x337/0x6f0
[   24.202761]  ? trace_preempt_on+0x20/0xc0
[   24.202785]  ? __pfx_kthread+0x10/0x10
[   24.202805]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.202826]  ? calculate_sigpending+0x7b/0xa0
[   24.202849]  ? __pfx_kthread+0x10/0x10
[   24.202870]  ret_from_fork+0x116/0x1d0
[   24.202888]  ? __pfx_kthread+0x10/0x10
[   24.202908]  ret_from_fork_asm+0x1a/0x30
[   24.202938]  </TASK>
[   24.202998]
[   24.213679] Allocated by task 213:
[   24.214305]  kasan_save_stack+0x45/0x70
[   24.214501]  kasan_save_track+0x18/0x40
[   24.214848]  kasan_save_alloc_info+0x3b/0x50
[   24.215227]  __kasan_kmalloc+0xb7/0xc0
[   24.215613]  __kmalloc_cache_noprof+0x189/0x420
[   24.216075]  krealloc_uaf+0xbb/0x5e0
[   24.216274]  kunit_try_run_case+0x1a5/0x480
[   24.216481]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.216738]  kthread+0x337/0x6f0
[   24.216909]  ret_from_fork+0x116/0x1d0
[   24.217175]  ret_from_fork_asm+0x1a/0x30
[   24.217382]
[   24.217464] Freed by task 213:
[   24.217601]  kasan_save_stack+0x45/0x70
[   24.218236]  kasan_save_track+0x18/0x40
[   24.218416]  kasan_save_free_info+0x3f/0x60
[   24.218744]  __kasan_slab_free+0x56/0x70
[   24.218915]  kfree+0x222/0x3f0
[   24.219195]  krealloc_uaf+0x13d/0x5e0
[   24.219332]  kunit_try_run_case+0x1a5/0x480
[   24.219619]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.220214]  kthread+0x337/0x6f0
[   24.220370]  ret_from_fork+0x116/0x1d0
[   24.220803]  ret_from_fork_asm+0x1a/0x30
[   24.220984]
[   24.221174] The buggy address belongs to the object at ffff888103d99800
[   24.221174]  which belongs to the cache kmalloc-256 of size 256
[   24.221668] The buggy address is located 0 bytes inside of
[   24.221668]  freed 256-byte region [ffff888103d99800, ffff888103d99900)
[   24.222469]
[   24.222667] The buggy address belongs to the physical page:
[   24.223192] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103d98
[   24.223487] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.224130] flags: 0x200000000000040(head|node=0|zone=2)
[   24.224524] page_type: f5(slab)
[   24.224708] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   24.225177] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.225601] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   24.226140] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.226594] head: 0200000000000001 ffffea00040f6601 00000000ffffffff 00000000ffffffff
[   24.226963] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   24.227203] page dumped because: kasan: bad access detected
[   24.227453]
[   24.227547] Memory state around the buggy address:
[   24.227747]  ffff888103d99700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.228413]  ffff888103d99780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.228958] >ffff888103d99800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.229425]                    ^
[   24.229578]  ffff888103d99880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.229937]  ffff888103d99900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.230478] ==================================================================
[   24.165175] ==================================================================
[   24.166330] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   24.167382] Read of size 1 at addr ffff888103d99800 by task kunit_try_catch/213
[   24.167633]
[   24.167962] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary)
[   24.168197] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   24.168211] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.168236] Call Trace:
[   24.168250]  <TASK>
[   24.168272]  dump_stack_lvl+0x73/0xb0
[   24.168314]  print_report+0xd1/0x610
[   24.168338]  ? __virt_addr_valid+0x1db/0x2d0
[   24.168363]  ? krealloc_uaf+0x1b8/0x5e0
[   24.168383]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.168408]  ? krealloc_uaf+0x1b8/0x5e0
[   24.168429]  kasan_report+0x141/0x180
[   24.168449]  ? krealloc_uaf+0x1b8/0x5e0
[   24.168472]  ? krealloc_uaf+0x1b8/0x5e0
[   24.168492]  __kasan_check_byte+0x3d/0x50
[   24.168513]  krealloc_noprof+0x3f/0x340
[   24.168540]  krealloc_uaf+0x1b8/0x5e0
[   24.168560]  ? __pfx_krealloc_uaf+0x10/0x10
[   24.168580]  ? finish_task_switch.isra.0+0x153/0x700
[   24.168602]  ? __switch_to+0x47/0xf80
[   24.168628]  ? __schedule+0x10cc/0x2b60
[   24.168651]  ? __pfx_read_tsc+0x10/0x10
[   24.168686]  ? ktime_get_ts64+0x86/0x230
[   24.168711]  kunit_try_run_case+0x1a5/0x480
[   24.168742]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.168762]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.168784]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.168807]  ? __kthread_parkme+0x82/0x180
[   24.168827]  ? preempt_count_sub+0x50/0x80
[   24.168849]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.168870]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.168894]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.168918]  kthread+0x337/0x6f0
[   24.168937]  ? trace_preempt_on+0x20/0xc0
[   24.168961]  ? __pfx_kthread+0x10/0x10
[   24.168981]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.169002]  ? calculate_sigpending+0x7b/0xa0
[   24.169026]  ? __pfx_kthread+0x10/0x10
[   24.169047]  ret_from_fork+0x116/0x1d0
[   24.169065]  ? __pfx_kthread+0x10/0x10
[   24.169085]  ret_from_fork_asm+0x1a/0x30
[   24.169116]  </TASK>
[   24.169127]
[   24.181617] Allocated by task 213:
[   24.182409]  kasan_save_stack+0x45/0x70
[   24.182601]  kasan_save_track+0x18/0x40
[   24.182925]  kasan_save_alloc_info+0x3b/0x50
[   24.183267]  __kasan_kmalloc+0xb7/0xc0
[   24.183438]  __kmalloc_cache_noprof+0x189/0x420
[   24.183645]  krealloc_uaf+0xbb/0x5e0
[   24.184183]  kunit_try_run_case+0x1a5/0x480
[   24.184367]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.184767]  kthread+0x337/0x6f0
[   24.185111]  ret_from_fork+0x116/0x1d0
[   24.185447]  ret_from_fork_asm+0x1a/0x30
[   24.185646]
[   24.185932] Freed by task 213:
[   24.186297]  kasan_save_stack+0x45/0x70
[   24.186487]  kasan_save_track+0x18/0x40
[   24.186679]  kasan_save_free_info+0x3f/0x60
[   24.187115]  __kasan_slab_free+0x56/0x70
[   24.187284]  kfree+0x222/0x3f0
[   24.187409]  krealloc_uaf+0x13d/0x5e0
[   24.187861]  kunit_try_run_case+0x1a5/0x480
[   24.188249]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.188441]  kthread+0x337/0x6f0
[   24.188612]  ret_from_fork+0x116/0x1d0
[   24.188793]  ret_from_fork_asm+0x1a/0x30
[   24.189271]
[   24.189345] The buggy address belongs to the object at ffff888103d99800
[   24.189345]  which belongs to the cache kmalloc-256 of size 256
[   24.190547] The buggy address is located 0 bytes inside of
[   24.190547]  freed 256-byte region [ffff888103d99800, ffff888103d99900)
[   24.191295]
[   24.191376] The buggy address belongs to the physical page:
[   24.191764] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103d98
[   24.192271] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.192617] flags: 0x200000000000040(head|node=0|zone=2)
[   24.193130] page_type: f5(slab)
[   24.193279] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   24.193631] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.194349] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   24.194753] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.195222] head: 0200000000000001 ffffea00040f6601 00000000ffffffff 00000000ffffffff
[   24.195558] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   24.196096] page dumped because: kasan: bad access detected
[   24.196409]
[   24.196503] Memory state around the buggy address:
[   24.196860]  ffff888103d99700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.197363]  ffff888103d99780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.197708] >ffff888103d99800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.198397]                    ^
[   24.198573]  ffff888103d99880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.199166]  ffff888103d99900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.199525] ==================================================================
```