Date
July 25, 2025, 3:13 a.m.
| Environment |
|---|
| qemu-x86_64 |
```
[ 25.671770] ==================================================================
[ 25.672497] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 25.672828] Read of size 1 at addr ffff8881049ae200 by task kunit_try_catch/213
[ 25.673271]
[ 25.673397] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary)
[ 25.673448] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.673461] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.673483] Call Trace:
[ 25.673496]  <TASK>
[ 25.673513]  dump_stack_lvl+0x73/0xb0
[ 25.673543]  print_report+0xd1/0x640
[ 25.673566]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.673591]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.673611]  ? kasan_complete_mode_report_info+0x64/0x200
[ 25.673651]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.673673]  kasan_report+0x141/0x180
[ 25.673704]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.673728]  ? krealloc_uaf+0x1b8/0x5e0
[ 25.673750]  __kasan_check_byte+0x3d/0x50
[ 25.673772]  krealloc_noprof+0x3f/0x340
[ 25.673812]  krealloc_uaf+0x1b8/0x5e0
[ 25.673834]  ? __pfx_krealloc_uaf+0x10/0x10
[ 25.673854]  ? finish_task_switch.isra.0+0x153/0x700
[ 25.673877]  ? __switch_to+0x47/0xf80
[ 25.673904]  ? __schedule+0x10da/0x2b60
[ 25.673926]  ? __pfx_read_tsc+0x10/0x10
[ 25.673957]  ? ktime_get_ts64+0x86/0x230
[ 25.673984]  kunit_try_run_case+0x1a5/0x480
[ 25.674010]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.674033]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.674055]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.674082]  ? __kthread_parkme+0x82/0x180
[ 25.674103]  ? preempt_count_sub+0x50/0x80
[ 25.674126]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.674150]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.674174]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.674198]  kthread+0x337/0x6f0
[ 25.674218]  ? trace_preempt_on+0x20/0xc0
[ 25.674242]  ? __pfx_kthread+0x10/0x10
[ 25.674263]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.674287]  ? calculate_sigpending+0x7b/0xa0
[ 25.674311]  ? __pfx_kthread+0x10/0x10
[ 25.674333]  ret_from_fork+0x116/0x1d0
[ 25.674352]  ? __pfx_kthread+0x10/0x10
[ 25.674372]  ret_from_fork_asm+0x1a/0x30
[ 25.674404]  </TASK>
[ 25.674415]
[ 25.684686] Allocated by task 213:
[ 25.684905]  kasan_save_stack+0x45/0x70
[ 25.685187]  kasan_save_track+0x18/0x40
[ 25.685369]  kasan_save_alloc_info+0x3b/0x50
[ 25.685573]  __kasan_kmalloc+0xb7/0xc0
[ 25.685745]  __kmalloc_cache_noprof+0x189/0x420
[ 25.686027]  krealloc_uaf+0xbb/0x5e0
[ 25.686213]  kunit_try_run_case+0x1a5/0x480
[ 25.686375]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.686552]  kthread+0x337/0x6f0
[ 25.686671]  ret_from_fork+0x116/0x1d0
[ 25.686803]  ret_from_fork_asm+0x1a/0x30
[ 25.686964]
[ 25.687057] Freed by task 213:
[ 25.687231]  kasan_save_stack+0x45/0x70
[ 25.687420]  kasan_save_track+0x18/0x40
[ 25.687607]  kasan_save_free_info+0x3f/0x60
[ 25.687814]  __kasan_slab_free+0x5e/0x80
[ 25.688011]  kfree+0x222/0x3f0
[ 25.688313]  krealloc_uaf+0x13d/0x5e0
[ 25.688548]  kunit_try_run_case+0x1a5/0x480
[ 25.688702]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.689016]  kthread+0x337/0x6f0
[ 25.689188]  ret_from_fork+0x116/0x1d0
[ 25.689544]  ret_from_fork_asm+0x1a/0x30
[ 25.689725]
[ 25.689869] The buggy address belongs to the object at ffff8881049ae200
[ 25.689869]  which belongs to the cache kmalloc-256 of size 256
[ 25.690448] The buggy address is located 0 bytes inside of
[ 25.690448]  freed 256-byte region [ffff8881049ae200, ffff8881049ae300)
[ 25.690959]
[ 25.691057] The buggy address belongs to the physical page:
[ 25.691339] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1049ae
[ 25.691620] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 25.691853] flags: 0x200000000000040(head|node=0|zone=2)
[ 25.692042] page_type: f5(slab)
[ 25.692166] raw: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.692511] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.692857] head: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.693328] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.693569] head: 0200000000000001 ffffea0004126b81 00000000ffffffff 00000000ffffffff
[ 25.693805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 25.694378] page dumped because: kasan: bad access detected
[ 25.694633]
[ 25.694721] Memory state around the buggy address:
[ 25.695173]  ffff8881049ae100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.695495]  ffff8881049ae180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.695775] >ffff8881049ae200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.696126]                    ^
[ 25.696259]  ffff8881049ae280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.696565]  ffff8881049ae300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.696836] ==================================================================
[ 25.697618] ==================================================================
[ 25.697864] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 25.698164] Read of size 1 at addr ffff8881049ae200 by task kunit_try_catch/213
[ 25.698660]
[ 25.698751] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary)
[ 25.698835] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.698849] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.698869] Call Trace:
[ 25.698882]  <TASK>
[ 25.698896]  dump_stack_lvl+0x73/0xb0
[ 25.698924]  print_report+0xd1/0x640
[ 25.698958]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.698981]  ? krealloc_uaf+0x53c/0x5e0
[ 25.699002]  ? kasan_complete_mode_report_info+0x64/0x200
[ 25.699028]  ? krealloc_uaf+0x53c/0x5e0
[ 25.699050]  kasan_report+0x141/0x180
[ 25.699080]  ? krealloc_uaf+0x53c/0x5e0
[ 25.699106]  __asan_report_load1_noabort+0x18/0x20
[ 25.699131]  krealloc_uaf+0x53c/0x5e0
[ 25.699152]  ? __pfx_krealloc_uaf+0x10/0x10
[ 25.699174]  ? finish_task_switch.isra.0+0x153/0x700
[ 25.699197]  ? __switch_to+0x47/0xf80
[ 25.699223]  ? __schedule+0x10da/0x2b60
[ 25.699245]  ? __pfx_read_tsc+0x10/0x10
[ 25.699266]  ? ktime_get_ts64+0x86/0x230
[ 25.699292]  kunit_try_run_case+0x1a5/0x480
[ 25.699316]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.699338]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.699360]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.699387]  ? __kthread_parkme+0x82/0x180
[ 25.699408]  ? preempt_count_sub+0x50/0x80
[ 25.699431]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.699455]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.699478]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.699502]  kthread+0x337/0x6f0
[ 25.699522]  ? trace_preempt_on+0x20/0xc0
[ 25.699545]  ? __pfx_kthread+0x10/0x10
[ 25.699566]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.699590]  ? calculate_sigpending+0x7b/0xa0
[ 25.699614]  ? __pfx_kthread+0x10/0x10
[ 25.699635]  ret_from_fork+0x116/0x1d0
[ 25.699654]  ? __pfx_kthread+0x10/0x10
[ 25.699675]  ret_from_fork_asm+0x1a/0x30
[ 25.699706]  </TASK>
[ 25.699717]
[ 25.707284] Allocated by task 213:
[ 25.707467]  kasan_save_stack+0x45/0x70
[ 25.707628]  kasan_save_track+0x18/0x40
[ 25.707761]  kasan_save_alloc_info+0x3b/0x50
[ 25.707917]  __kasan_kmalloc+0xb7/0xc0
[ 25.708069]  __kmalloc_cache_noprof+0x189/0x420
[ 25.708293]  krealloc_uaf+0xbb/0x5e0
[ 25.708475]  kunit_try_run_case+0x1a5/0x480
[ 25.708662]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.708862]  kthread+0x337/0x6f0
[ 25.709080]  ret_from_fork+0x116/0x1d0
[ 25.709228]  ret_from_fork_asm+0x1a/0x30
[ 25.709367]
[ 25.709432] Freed by task 213:
[ 25.709542]  kasan_save_stack+0x45/0x70
[ 25.709676]  kasan_save_track+0x18/0x40
[ 25.709868]  kasan_save_free_info+0x3f/0x60
[ 25.710099]  __kasan_slab_free+0x5e/0x80
[ 25.710294]  kfree+0x222/0x3f0
[ 25.710455]  krealloc_uaf+0x13d/0x5e0
[ 25.710639]  kunit_try_run_case+0x1a5/0x480
[ 25.710907]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.711201]  kthread+0x337/0x6f0
[ 25.711370]  ret_from_fork+0x116/0x1d0
[ 25.711556]  ret_from_fork_asm+0x1a/0x30
[ 25.711747]
[ 25.712025] The buggy address belongs to the object at ffff8881049ae200
[ 25.712025]  which belongs to the cache kmalloc-256 of size 256
[ 25.712611] The buggy address is located 0 bytes inside of
[ 25.712611]  freed 256-byte region [ffff8881049ae200, ffff8881049ae300)
[ 25.713152]
[ 25.713225] The buggy address belongs to the physical page:
[ 25.713447] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1049ae
[ 25.713871] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 25.714252] flags: 0x200000000000040(head|node=0|zone=2)
[ 25.714509] page_type: f5(slab)
[ 25.714653] raw: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.715039] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.715378] head: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
[ 25.715703] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.716107] head: 0200000000000001 ffffea0004126b81 00000000ffffffff 00000000ffffffff
[ 25.716421] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 25.716729] page dumped because: kasan: bad access detected
[ 25.717130]
[ 25.717246] Memory state around the buggy address:
[ 25.717464]  ffff8881049ae100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.717733]  ffff8881049ae180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.718091] >ffff8881049ae200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.718411]                    ^
[ 25.718578]  ffff8881049ae280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.718887]  ffff8881049ae300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.719243] ==================================================================
```