Date
July 15, 2025, 2:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 105.509978] ================================================================== [ 105.510575] BUG: KASAN: use-after-free in krealloc_uaf+0x10c/0x2f0 [ 105.511197] Read of size 1 at addr ffff0000c6260800 by task kunit_try_catch/217 [ 105.513397] [ 105.513642] CPU: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 105.514385] Hardware name: linux,dummy-virt (DT) [ 105.514807] Call trace: [ 105.515099] dump_backtrace+0xe0/0x134 [ 105.515531] show_stack+0x20/0x2c [ 105.515943] dump_stack_lvl+0x88/0xb4 [ 105.516384] print_report+0x158/0x44c [ 105.516808] kasan_report+0xc8/0x180 [ 105.517256] __asan_load1+0x68/0x74 [ 105.517674] krealloc_uaf+0x10c/0x2f0 [ 105.518994] kunit_try_run_case+0x8c/0x124 [ 105.519489] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.520048] kthread+0x15c/0x170 [ 105.520851] ret_from_fork+0x10/0x20 [ 105.521293] [ 105.521518] Allocated by task 217: [ 105.521853] kasan_save_stack+0x3c/0x70 [ 105.522346] kasan_set_track+0x2c/0x40 [ 105.522790] kasan_save_alloc_info+0x24/0x34 [ 105.523259] __kasan_kmalloc+0xd4/0xe0 [ 105.523704] kmalloc_trace+0x8c/0x150 [ 105.524181] krealloc_uaf+0xb0/0x2f0 [ 105.525457] kunit_try_run_case+0x8c/0x124 [ 105.525943] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.526494] kthread+0x15c/0x170 [ 105.526884] ret_from_fork+0x10/0x20 [ 105.527336] [ 105.527526] Freed by task 217: [ 105.527867] kasan_save_stack+0x3c/0x70 [ 105.528332] kasan_set_track+0x2c/0x40 [ 105.528943] kasan_save_free_info+0x38/0x5c [ 105.529416] __kasan_slab_free+0x100/0x170 [ 105.529894] slab_free_freelist_hook+0xd8/0x1c0 [ 105.530366] __kmem_cache_free+0x15c/0x2a0 [ 105.530985] kfree+0x88/0x150 [ 105.531357] krealloc_uaf+0xd0/0x2f0 [ 105.531834] kunit_try_run_case+0x8c/0x124 [ 105.532316] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.533683] kthread+0x15c/0x170 [ 105.534113] ret_from_fork+0x10/0x20 [ 105.534497] [ 105.534720] The buggy address belongs to the object at ffff0000c6260800 [ 105.534720] which belongs to the cache kmalloc-256 of size 256 [ 105.535686] The buggy address is located 0 bytes inside of [ 105.535686] 256-byte region [ffff0000c6260800, ffff0000c6260900) [ 105.536959] [ 105.537160] The buggy address belongs to the physical page: [ 105.537638] page:0000000090416edb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106260 [ 105.538422] head:0000000090416edb order:1 compound_mapcount:0 compound_pincount:0 [ 105.539023] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 105.539722] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 105.540406] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 105.541041] page dumped because: kasan: bad access detected [ 105.541512] [ 105.541699] Memory state around the buggy address: [ 105.542166] ffff0000c6260700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 105.543602] ffff0000c6260780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 105.544222] >ffff0000c6260800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.545132] ^ [ 105.545489] ffff0000c6260880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.546123] ffff0000c6260900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 105.546727] ================================================================== [ 105.470438] ================================================================== [ 105.471397] BUG: KASAN: use-after-free in krealloc_uaf+0xe8/0x2f0 [ 105.472197] Read of size 1 at addr ffff0000c6260800 by task kunit_try_catch/217 [ 105.473920] [ 105.474220] CPU: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 105.475236] Hardware name: linux,dummy-virt (DT) [ 105.475834] Call trace: [ 105.476209] dump_backtrace+0xe0/0x134 [ 105.477016] show_stack+0x20/0x2c [ 105.477368] dump_stack_lvl+0x88/0xb4 [ 105.477787] print_report+0x158/0x44c [ 105.478171] kasan_report+0xc8/0x180 [ 105.478644] __kasan_check_byte+0x54/0x70 [ 105.479137] krealloc+0xec/0x1c0 [ 105.479512] krealloc_uaf+0xe8/0x2f0 [ 105.479963] kunit_try_run_case+0x8c/0x124 [ 105.480420] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.480989] kthread+0x15c/0x170 [ 105.481388] ret_from_fork+0x10/0x20 [ 105.481826] [ 105.482015] Allocated by task 217: [ 105.482336] kasan_save_stack+0x3c/0x70 [ 105.483649] kasan_set_track+0x2c/0x40 [ 105.484104] kasan_save_alloc_info+0x24/0x34 [ 105.485000] __kasan_kmalloc+0xd4/0xe0 [ 105.485428] kmalloc_trace+0x8c/0x150 [ 105.485872] krealloc_uaf+0xb0/0x2f0 [ 105.486297] kunit_try_run_case+0x8c/0x124 [ 105.486785] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.487321] kthread+0x15c/0x170 [ 105.487753] ret_from_fork+0x10/0x20 [ 105.488194] [ 105.488416] Freed by task 217: [ 105.489587] kasan_save_stack+0x3c/0x70 [ 105.490046] kasan_set_track+0x2c/0x40 [ 105.490506] kasan_save_free_info+0x38/0x5c [ 105.491012] __kasan_slab_free+0x100/0x170 [ 105.491469] slab_free_freelist_hook+0xd8/0x1c0 [ 105.491964] __kmem_cache_free+0x15c/0x2a0 [ 105.492420] kfree+0x88/0x150 [ 105.492816] krealloc_uaf+0xd0/0x2f0 [ 105.493298] kunit_try_run_case+0x8c/0x124 [ 105.494125] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.494695] kthread+0x15c/0x170 [ 105.495123] ret_from_fork+0x10/0x20 [ 105.495530] [ 105.495760] The buggy address belongs to the object at ffff0000c6260800 [ 105.495760] which belongs to the cache kmalloc-256 of size 256 [ 105.497486] The buggy address is located 0 bytes inside of [ 105.497486] 256-byte region [ffff0000c6260800, ffff0000c6260900) [ 105.498377] [ 105.498614] The buggy address belongs to the physical page: [ 105.499101] page:0000000090416edb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106260 [ 105.499892] head:0000000090416edb order:1 compound_mapcount:0 compound_pincount:0 [ 105.500672] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 105.501397] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 105.502087] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 105.502694] page dumped because: kasan: bad access detected [ 105.503348] [ 105.503553] Memory state around the buggy address: [ 105.504021] ffff0000c6260700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 105.505503] ffff0000c6260780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 105.506126] >ffff0000c6260800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.506720] ^ [ 105.507082] ffff0000c6260880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.507699] ffff0000c6260900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 105.508304] ==================================================================
[ 75.268508] ================================================================== [ 75.269367] BUG: KASAN: use-after-free in krealloc_uaf+0xd0/0x21c [ 75.270019] Read of size 1 at addr ffff0000c56f1800 by task kunit_try_catch/133 [ 75.270646] [ 75.270870] CPU: 0 PID: 133 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 75.271574] Hardware name: linux,dummy-virt (DT) [ 75.272027] Call trace: [ 75.272302] dump_backtrace+0xf8/0x118 [ 75.273431] show_stack+0x18/0x24 [ 75.273909] __dump_stack+0x28/0x38 [ 75.274358] dump_stack_lvl+0x54/0x6c [ 75.274790] print_address_description+0x7c/0x1ec [ 75.275319] print_report+0x50/0x68 [ 75.275763] kasan_report+0xac/0x100 [ 75.276211] __asan_load1+0x6c/0x70 [ 75.276933] krealloc_uaf+0xd0/0x21c [ 75.277376] kunit_try_run_case+0x80/0x184 [ 75.277893] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.278457] kthread+0x16c/0x21c [ 75.278874] ret_from_fork+0x10/0x20 [ 75.279305] [ 75.279498] Allocated by task 133: [ 75.279860] kasan_set_track+0x4c/0x80 [ 75.280329] kasan_save_alloc_info+0x28/0x34 [ 75.281356] __kasan_kmalloc+0x88/0xa0 [ 75.281851] kmalloc_trace+0x54/0x68 [ 75.282286] krealloc_uaf+0x48/0x21c [ 75.282682] kunit_try_run_case+0x80/0x184 [ 75.283148] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.283708] kthread+0x16c/0x21c [ 75.284144] ret_from_fork+0x10/0x20 [ 75.284558] [ 75.285009] Freed by task 133: [ 75.285325] kasan_set_track+0x4c/0x80 [ 75.285799] kasan_save_free_info+0x3c/0x60 [ 75.286313] ____kasan_slab_free+0xe8/0x140 [ 75.286885] __kasan_slab_free+0x18/0x28 [ 75.287388] __kmem_cache_free+0xdc/0x284 [ 75.287842] kfree+0x60/0x74 [ 75.288235] krealloc_uaf+0x90/0x21c [ 75.288929] kunit_try_run_case+0x80/0x184 [ 75.289415] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.290045] kthread+0x16c/0x21c [ 75.290453] ret_from_fork+0x10/0x20 [ 75.291160] [ 75.291352] The buggy address belongs to the object at ffff0000c56f1800 [ 75.291352] which belongs to the cache kmalloc-256 of size 256 [ 75.292324] The buggy address is located 0 bytes inside of [ 75.292324] 256-byte region [ffff0000c56f1800, ffff0000c56f1900) [ 75.293456] [ 75.293690] The buggy address belongs to the physical page: [ 75.294166] page:00000000b1c7ebef refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056f0 [ 75.294961] head:00000000b1c7ebef order:1 compound_mapcount:0 compound_pincount:0 [ 75.295596] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 75.296320] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 75.297459] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 75.298090] page dumped because: kasan: bad access detected [ 75.298563] [ 75.298767] Memory state around the buggy address: [ 75.299199] ffff0000c56f1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.299834] ffff0000c56f1780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.300463] >ffff0000c56f1800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.301299] ^ [ 75.301658] ffff0000c56f1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.302284] ffff0000c56f1900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.302894] ================================================================== [ 75.232336] ================================================================== [ 75.233840] BUG: KASAN: use-after-free in krealloc_uaf+0xac/0x21c [ 75.234437] Read of size 1 at addr ffff0000c56f1800 by task kunit_try_catch/133 [ 75.235077] [ 75.235302] CPU: 0 PID: 133 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 75.236034] Hardware name: linux,dummy-virt (DT) [ 75.236495] Call trace: [ 75.236774] dump_backtrace+0xf8/0x118 [ 75.237291] show_stack+0x18/0x24 [ 75.237723] __dump_stack+0x28/0x38 [ 75.238149] dump_stack_lvl+0x54/0x6c [ 75.238565] print_address_description+0x7c/0x1ec [ 75.239406] print_report+0x50/0x68 [ 75.239889] kasan_report+0xac/0x100 [ 75.240332] __kasan_check_byte+0x3c/0x54 [ 75.241327] krealloc+0x54/0x270 [ 75.241773] krealloc_uaf+0xac/0x21c [ 75.242217] kunit_try_run_case+0x80/0x184 [ 75.242671] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.243242] kthread+0x16c/0x21c [ 75.243686] ret_from_fork+0x10/0x20 [ 75.244114] [ 75.244329] Allocated by task 133: [ 75.244654] kasan_set_track+0x4c/0x80 [ 75.245177] kasan_save_alloc_info+0x28/0x34 [ 75.245620] __kasan_kmalloc+0x88/0xa0 [ 75.246078] kmalloc_trace+0x54/0x68 [ 75.246518] krealloc_uaf+0x48/0x21c [ 75.247206] kunit_try_run_case+0x80/0x184 [ 75.247666] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.248243] kthread+0x16c/0x21c [ 75.249126] ret_from_fork+0x10/0x20 [ 75.249547] [ 75.249786] Freed by task 133: [ 75.250125] kasan_set_track+0x4c/0x80 [ 75.250558] kasan_save_free_info+0x3c/0x60 [ 75.251053] ____kasan_slab_free+0xe8/0x140 [ 75.251536] __kasan_slab_free+0x18/0x28 [ 75.252048] __kmem_cache_free+0xdc/0x284 [ 75.252539] kfree+0x60/0x74 [ 75.252947] krealloc_uaf+0x90/0x21c [ 75.253399] kunit_try_run_case+0x80/0x184 [ 75.253872] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.254427] kthread+0x16c/0x21c [ 75.255110] ret_from_fork+0x10/0x20 [ 75.255568] [ 75.255780] The buggy address belongs to the object at ffff0000c56f1800 [ 75.255780] which belongs to the cache kmalloc-256 of size 256 [ 75.256720] The buggy address is located 0 bytes inside of [ 75.256720] 256-byte region [ffff0000c56f1800, ffff0000c56f1900) [ 75.258083] [ 75.258280] The buggy address belongs to the physical page: [ 75.258708] page:00000000b1c7ebef refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056f0 [ 75.259551] head:00000000b1c7ebef order:1 compound_mapcount:0 compound_pincount:0 [ 75.260239] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 75.261147] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 75.261844] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 75.262432] page dumped because: kasan: bad access detected [ 75.262917] [ 75.263104] Memory state around the buggy address: [ 75.263538] ffff0000c56f1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.264190] ffff0000c56f1780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.264890] >ffff0000c56f1800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.265483] ^ [ 75.265837] ffff0000c56f1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.266472] ffff0000c56f1900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.267497] ==================================================================
[ 74.282637] ================================================================== [ 74.283184] BUG: KASAN: use-after-free in krealloc_uaf+0xd0/0x21c [ 74.283865] Read of size 1 at addr ffff0000c4b2bc00 by task kunit_try_catch/133 [ 74.284517] [ 74.284723] CPU: 1 PID: 133 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 74.285450] Hardware name: linux,dummy-virt (DT) [ 74.286402] Call trace: [ 74.286688] dump_backtrace+0xf4/0x114 [ 74.287227] show_stack+0x18/0x24 [ 74.287655] __dump_stack+0x28/0x38 [ 74.288071] dump_stack_lvl+0x50/0x68 [ 74.288518] print_address_description+0x7c/0x1ec [ 74.289054] print_report+0x50/0x68 [ 74.289537] kasan_report+0xac/0xfc [ 74.289984] __asan_load1+0x6c/0x70 [ 74.290417] krealloc_uaf+0xd0/0x21c [ 74.290863] kunit_try_run_case+0x80/0x184 [ 74.291360] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.292483] kthread+0x16c/0x21c [ 74.292924] ret_from_fork+0x10/0x20 [ 74.293380] [ 74.293575] Allocated by task 133: [ 74.293953] kasan_set_track+0x4c/0x80 [ 74.294472] kasan_save_alloc_info+0x28/0x34 [ 74.294946] __kasan_kmalloc+0x88/0xa0 [ 74.295399] kmalloc_trace+0x54/0x68 [ 74.295851] krealloc_uaf+0x48/0x21c [ 74.296298] kunit_try_run_case+0x80/0x184 [ 74.296813] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.297393] kthread+0x16c/0x21c [ 74.297830] ret_from_fork+0x10/0x20 [ 74.298267] [ 74.298469] Freed by task 133: [ 74.298782] kasan_set_track+0x4c/0x80 [ 74.299273] kasan_save_free_info+0x3c/0x60 [ 74.300283] ____kasan_slab_free+0xe8/0x140 [ 74.300803] __kasan_slab_free+0x18/0x28 [ 74.301273] __kmem_cache_free+0xdc/0x27c [ 74.301725] kfree+0x60/0x74 [ 74.302129] krealloc_uaf+0x90/0x21c [ 74.302565] kunit_try_run_case+0x80/0x184 [ 74.303049] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.303603] kthread+0x16c/0x21c [ 74.304063] ret_from_fork+0x10/0x20 [ 74.304535] [ 74.304718] The buggy address belongs to the object at ffff0000c4b2bc00 [ 74.304718] which belongs to the cache kmalloc-256 of size 256 [ 74.305673] The buggy address is located 0 bytes inside of [ 74.305673] 256-byte region [ffff0000c4b2bc00, ffff0000c4b2bd00) [ 74.306566] [ 74.306783] The buggy address belongs to the physical page: [ 74.307230] page:00000000c9970dfc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104b2a [ 74.308564] head:00000000c9970dfc order:1 compound_mapcount:0 compound_pincount:0 [ 74.309223] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 74.309928] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 74.310585] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 74.311206] page dumped because: kasan: bad access detected [ 74.311673] [ 74.311908] Memory state around the buggy address: [ 74.312369] ffff0000c4b2bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.312998] ffff0000c4b2bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.313604] >ffff0000c4b2bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.314186] ^ [ 74.314542] ffff0000c4b2bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.315150] ffff0000c4b2bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.316297] ================================================================== [ 74.247602] ================================================================== [ 74.248472] BUG: KASAN: use-after-free in krealloc_uaf+0xac/0x21c [ 74.249022] Read of size 1 at addr ffff0000c4b2bc00 by task kunit_try_catch/133 [ 74.249698] [ 74.250066] CPU: 1 PID: 133 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 74.250838] Hardware name: linux,dummy-virt (DT) [ 74.251295] Call trace: [ 74.251531] dump_backtrace+0xf4/0x114 [ 74.251986] show_stack+0x18/0x24 [ 74.252506] __dump_stack+0x28/0x38 [ 74.253003] dump_stack_lvl+0x50/0x68 [ 74.253556] print_address_description+0x7c/0x1ec [ 74.254122] print_report+0x50/0x68 [ 74.254586] kasan_report+0xac/0xfc [ 74.255146] __kasan_check_byte+0x3c/0x54 [ 74.255635] krealloc+0x54/0x26c [ 74.256146] krealloc_uaf+0xac/0x21c [ 74.256630] kunit_try_run_case+0x80/0x184 [ 74.257123] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.257704] kthread+0x16c/0x21c [ 74.258240] ret_from_fork+0x10/0x20 [ 74.258682] [ 74.258918] Allocated by task 133: [ 74.259302] kasan_set_track+0x4c/0x80 [ 74.260103] kasan_save_alloc_info+0x28/0x34 [ 74.260553] __kasan_kmalloc+0x88/0xa0 [ 74.261014] kmalloc_trace+0x54/0x68 [ 74.261460] krealloc_uaf+0x48/0x21c [ 74.261886] kunit_try_run_case+0x80/0x184 [ 74.262341] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.262942] kthread+0x16c/0x21c [ 74.263377] ret_from_fork+0x10/0x20 [ 74.263965] [ 74.264168] Freed by task 133: [ 74.264508] kasan_set_track+0x4c/0x80 [ 74.264963] kasan_save_free_info+0x3c/0x60 [ 74.265443] ____kasan_slab_free+0xe8/0x140 [ 74.265952] __kasan_slab_free+0x18/0x28 [ 74.266420] __kmem_cache_free+0xdc/0x27c [ 74.266889] kfree+0x60/0x74 [ 74.267252] krealloc_uaf+0x90/0x21c [ 74.268327] kunit_try_run_case+0x80/0x184 [ 74.268826] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.269395] kthread+0x16c/0x21c [ 74.269809] ret_from_fork+0x10/0x20 [ 74.270245] [ 74.270449] The buggy address belongs to the object at ffff0000c4b2bc00 [ 74.270449] which belongs to the cache kmalloc-256 of size 256 [ 74.271373] The buggy address is located 0 bytes inside of [ 74.271373] 256-byte region [ffff0000c4b2bc00, ffff0000c4b2bd00) [ 74.272294] [ 74.272508] The buggy address belongs to the physical page: [ 74.272972] page:00000000c9970dfc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104b2a [ 74.273778] head:00000000c9970dfc order:1 compound_mapcount:0 compound_pincount:0 [ 74.274400] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 74.275138] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 74.276407] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 74.277034] page dumped because: kasan: bad access detected [ 74.277504] [ 74.277697] Memory state around the buggy address: [ 74.278152] ffff0000c4b2bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.278803] ffff0000c4b2bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.279419] >ffff0000c4b2bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.280023] ^ [ 74.280375] ffff0000c4b2bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.281013] ffff0000c4b2bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.281628] ==================================================================
[ 72.896921] ================================================================== [ 72.897455] BUG: KASAN: use-after-free in krealloc_uaf+0x104/0x2f0 [ 72.898165] Read of size 1 at addr ffff0000c55e6400 by task kunit_try_catch/133 [ 72.898789] [ 72.899129] CPU: 1 PID: 133 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 72.899920] Hardware name: linux,dummy-virt (DT) [ 72.900305] Call trace: [ 72.901161] dump_backtrace.part.0+0xdc/0xf0 [ 72.901691] show_stack+0x18/0x30 [ 72.902554] dump_stack_lvl+0x64/0x80 [ 72.902978] print_report+0x158/0x438 [ 72.903425] kasan_report+0xb4/0xf4 [ 72.903853] __asan_load1+0x68/0x74 [ 72.904261] krealloc_uaf+0x104/0x2f0 [ 72.904705] kunit_try_run_case+0x84/0x120 [ 72.905162] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 72.905696] kthread+0x180/0x190 [ 72.906229] ret_from_fork+0x10/0x20 [ 72.906658] [ 72.906868] Allocated by task 133: [ 72.907217] kasan_save_stack+0x3c/0x70 [ 72.907649] kasan_set_track+0x2c/0x40 [ 72.908056] kasan_save_alloc_info+0x24/0x34 [ 72.908547] __kasan_kmalloc+0xb8/0xc0 [ 72.908985] kmalloc_trace+0x58/0x6c [ 72.909405] krealloc_uaf+0xa8/0x2f0 [ 72.909987] kunit_try_run_case+0x84/0x120 [ 72.910438] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 72.910963] kthread+0x180/0x190 [ 72.911342] ret_from_fork+0x10/0x20 [ 72.911758] [ 72.911944] Freed by task 133: [ 72.912267] kasan_save_stack+0x3c/0x70 [ 72.912679] kasan_set_track+0x2c/0x40 [ 72.913063] kasan_save_free_info+0x38/0x5c [ 72.913528] __kasan_slab_free+0xe4/0x150 [ 72.914598] __kmem_cache_free+0x130/0x2a4 [ 72.915066] kfree+0x58/0x80 [ 72.915448] krealloc_uaf+0xc8/0x2f0 [ 72.915881] kunit_try_run_case+0x84/0x120 [ 72.916339] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 72.916871] kthread+0x180/0x190 [ 72.917256] ret_from_fork+0x10/0x20 [ 72.917682] [ 72.917897] The buggy address belongs to the object at ffff0000c55e6400 [ 72.917897] which belongs to the cache kmalloc-256 of size 256 [ 72.918820] The buggy address is located 0 bytes inside of [ 72.918820] 256-byte region [ffff0000c55e6400, ffff0000c55e6500) [ 72.919695] [ 72.919901] The buggy address belongs to the physical page: [ 72.920351] page:0000000087736949 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1055e6 [ 72.921298] head:0000000087736949 order:1 compound_mapcount:0 compound_pincount:0 [ 72.922044] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 72.922762] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 72.923432] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 72.924084] page dumped because: kasan: bad access detected [ 72.924533] [ 72.924729] Memory state around the buggy address: [ 72.925139] ffff0000c55e6300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.925733] ffff0000c55e6380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.926333] >ffff0000c55e6400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.927079] ^ [ 72.927435] ffff0000c55e6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.928028] ffff0000c55e6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.928611] ================================================================== [ 72.860314] ================================================================== [ 72.861222] BUG: KASAN: use-after-free in krealloc_uaf+0xe0/0x2f0 [ 72.861845] Read of size 1 at addr ffff0000c55e6400 by task kunit_try_catch/133 [ 72.862376] [ 72.862621] CPU: 1 PID: 133 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 72.863275] Hardware name: linux,dummy-virt (DT) [ 72.863911] Call trace: [ 72.864180] dump_backtrace.part.0+0xdc/0xf0 [ 72.864712] show_stack+0x18/0x30 [ 72.865117] dump_stack_lvl+0x64/0x80 [ 72.865611] print_report+0x158/0x438 [ 72.866205] kasan_report+0xb4/0xf4 [ 72.866635] __kasan_check_byte+0x54/0x70 [ 72.867062] krealloc+0xe0/0x1a0 [ 72.867457] krealloc_uaf+0xe0/0x2f0 [ 72.867898] kunit_try_run_case+0x84/0x120 [ 72.868362] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 72.868948] kthread+0x180/0x190 [ 72.869344] ret_from_fork+0x10/0x20 [ 72.869816] [ 72.870034] Allocated by task 133: [ 72.870345] kasan_save_stack+0x3c/0x70 [ 72.870760] kasan_set_track+0x2c/0x40 [ 72.871175] kasan_save_alloc_info+0x24/0x34 [ 72.871786] __kasan_kmalloc+0xb8/0xc0 [ 72.872203] kmalloc_trace+0x58/0x6c [ 72.872642] krealloc_uaf+0xa8/0x2f0 [ 72.873078] kunit_try_run_case+0x84/0x120 [ 72.873557] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 72.874255] kthread+0x180/0x190 [ 72.874662] ret_from_fork+0x10/0x20 [ 72.875072] [ 72.875301] Freed by task 133: [ 72.875636] kasan_save_stack+0x3c/0x70 [ 72.876061] kasan_set_track+0x2c/0x40 [ 72.876480] kasan_save_free_info+0x38/0x5c [ 72.876922] __kasan_slab_free+0xe4/0x150 [ 72.877349] __kmem_cache_free+0x130/0x2a4 [ 72.877883] kfree+0x58/0x80 [ 72.878248] krealloc_uaf+0xc8/0x2f0 [ 72.878677] kunit_try_run_case+0x84/0x120 [ 72.879124] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 72.879959] kthread+0x180/0x190 [ 72.880363] ret_from_fork+0x10/0x20 [ 72.880799] [ 72.880976] The buggy address belongs to the object at ffff0000c55e6400 [ 72.880976] which belongs to the cache kmalloc-256 of size 256 [ 72.882242] The buggy address is located 0 bytes inside of [ 72.882242] 256-byte region [ffff0000c55e6400, ffff0000c55e6500) [ 72.883101] [ 72.883294] The buggy address belongs to the physical page: [ 72.883766] page:0000000087736949 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1055e6 [ 72.884732] head:0000000087736949 order:1 compound_mapcount:0 compound_pincount:0 [ 72.885412] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 72.886307] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 72.887097] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 72.887828] page dumped because: kasan: bad access detected [ 72.888344] [ 72.888642] Memory state around the buggy address: [ 72.889176] ffff0000c55e6300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.889923] ffff0000c55e6380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.890764] >ffff0000c55e6400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.891332] ^ [ 72.891692] ffff0000c55e6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.892271] ffff0000c55e6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.892827] ==================================================================
[ 64.469020] ================================================================== [ 64.469934] BUG: KASAN: use-after-free in krealloc_uaf+0xec/0x2c8 [ 64.470639] Read of size 1 at addr ffff0000c17a6800 by task kunit_try_catch/131 [ 64.471191] [ 64.471397] CPU: 0 PID: 131 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 64.472022] Hardware name: linux,dummy-virt (DT) [ 64.472379] Call trace: [ 64.472639] dump_backtrace+0x110/0x120 [ 64.473053] show_stack+0x18/0x28 [ 64.473479] dump_stack_lvl+0x68/0x84 [ 64.473919] print_report+0x158/0x484 [ 64.474282] kasan_report+0x98/0xe0 [ 64.474645] __kasan_check_byte+0x58/0x70 [ 64.475075] krealloc+0x48/0x178 [ 64.475465] krealloc_uaf+0xec/0x2c8 [ 64.475847] kunit_try_run_case+0x7c/0x120 [ 64.476270] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.476787] kthread+0x1a4/0x1b8 [ 64.477117] ret_from_fork+0x10/0x20 [ 64.477575] [ 64.477780] Allocated by task 131: [ 64.478115] kasan_save_stack+0x2c/0x58 [ 64.478508] kasan_set_track+0x2c/0x40 [ 64.478866] kasan_save_alloc_info+0x24/0x38 [ 64.479316] __kasan_kmalloc+0xa0/0xb8 [ 64.479702] kmalloc_trace+0x50/0x68 [ 64.480081] krealloc_uaf+0xb0/0x2c8 [ 64.480496] kunit_try_run_case+0x7c/0x120 [ 64.480905] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.481441] kthread+0x1a4/0x1b8 [ 64.481848] ret_from_fork+0x10/0x20 [ 64.482255] [ 64.482419] Freed by task 131: [ 64.482711] kasan_save_stack+0x2c/0x58 [ 64.483097] kasan_set_track+0x2c/0x40 [ 64.483469] kasan_save_free_info+0x38/0x60 [ 64.483836] __kasan_slab_free+0xe8/0x158 [ 64.484265] __kmem_cache_free+0x138/0x2b0 [ 64.484722] kfree+0x5c/0x70 [ 64.485036] krealloc_uaf+0xd0/0x2c8 [ 64.485439] kunit_try_run_case+0x7c/0x120 [ 64.485862] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.486455] kthread+0x1a4/0x1b8 [ 64.486807] ret_from_fork+0x10/0x20 [ 64.487219] [ 64.487422] The buggy address belongs to the object at ffff0000c17a6800 [ 64.487422] which belongs to the cache kmalloc-256 of size 256 [ 64.488239] The buggy address is located 0 bytes inside of [ 64.488239] 256-byte region [ffff0000c17a6800, ffff0000c17a6900) [ 64.488988] [ 64.489201] The buggy address belongs to the physical page: [ 64.489664] page:00000000d35011b9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1017a6 [ 64.490573] head:00000000d35011b9 order:1 compound_mapcount:0 compound_pincount:0 [ 64.491140] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 64.491838] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 64.492468] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 64.493072] page dumped because: kasan: bad access detected [ 64.493558] [ 64.493909] Memory state around the buggy address: [ 64.494489] ffff0000c17a6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.495036] ffff0000c17a6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.495573] >ffff0000c17a6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.496372] ^ [ 64.496770] ffff0000c17a6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.497462] ffff0000c17a6900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.498053] ================================================================== [ 64.499346] ================================================================== [ 64.500186] BUG: KASAN: use-after-free in krealloc_uaf+0x118/0x2c8 [ 64.500881] Read of size 1 at addr ffff0000c17a6800 by task kunit_try_catch/131 [ 64.501649] [ 64.501855] CPU: 0 PID: 131 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 64.502491] Hardware name: linux,dummy-virt (DT) [ 64.502850] Call trace: [ 64.503076] dump_backtrace+0x110/0x120 [ 64.503514] show_stack+0x18/0x28 [ 64.503889] dump_stack_lvl+0x68/0x84 [ 64.504285] print_report+0x158/0x484 [ 64.504667] kasan_report+0x98/0xe0 [ 64.505021] __asan_load1+0x68/0x78 [ 64.505380] krealloc_uaf+0x118/0x2c8 [ 64.505901] kunit_try_run_case+0x7c/0x120 [ 64.506312] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.506800] kthread+0x1a4/0x1b8 [ 64.507168] ret_from_fork+0x10/0x20 [ 64.507550] [ 64.507844] Allocated by task 131: [ 64.508155] kasan_save_stack+0x2c/0x58 [ 64.508587] kasan_set_track+0x2c/0x40 [ 64.508910] kasan_save_alloc_info+0x24/0x38 [ 64.509365] __kasan_kmalloc+0xa0/0xb8 [ 64.509755] kmalloc_trace+0x50/0x68 [ 64.510123] krealloc_uaf+0xb0/0x2c8 [ 64.510543] kunit_try_run_case+0x7c/0x120 [ 64.510966] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.511471] kthread+0x1a4/0x1b8 [ 64.511821] ret_from_fork+0x10/0x20 [ 64.512181] [ 64.512374] Freed by task 131: [ 64.512631] kasan_save_stack+0x2c/0x58 [ 64.513008] kasan_set_track+0x2c/0x40 [ 64.513397] kasan_save_free_info+0x38/0x60 [ 64.513853] __kasan_slab_free+0xe8/0x158 [ 64.514219] __kmem_cache_free+0x138/0x2b0 [ 64.514661] kfree+0x5c/0x70 [ 64.515001] krealloc_uaf+0xd0/0x2c8 [ 64.515410] kunit_try_run_case+0x7c/0x120 [ 64.515815] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.516386] kthread+0x1a4/0x1b8 [ 64.516737] ret_from_fork+0x10/0x20 [ 64.517085] [ 64.517252] The buggy address belongs to the object at ffff0000c17a6800 [ 64.517252] which belongs to the cache kmalloc-256 of size 256 [ 64.518051] The buggy address is located 0 bytes inside of [ 64.518051] 256-byte region [ffff0000c17a6800, ffff0000c17a6900) [ 64.518853] [ 64.519034] The buggy address belongs to the physical page: [ 64.519479] page:00000000d35011b9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1017a6 [ 64.520120] head:00000000d35011b9 order:1 compound_mapcount:0 compound_pincount:0 [ 64.520695] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 64.521347] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000c0002480 [ 64.522032] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 64.522575] page dumped because: kasan: bad access detected [ 64.522972] [ 64.523154] Memory state around the buggy address: [ 64.523681] ffff0000c17a6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.524257] ffff0000c17a6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.524820] >ffff0000c17a6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.525376] ^ [ 64.525671] ffff0000c17a6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.526201] ffff0000c17a6900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.526711] ==================================================================
[ 30.755338] ================================================================== [ 30.756519] BUG: KASAN: use-after-free in krealloc_uaf+0xed/0x2e0 [ 30.757020] Read of size 1 at addr ffff88810090ca00 by task kunit_try_catch/237 [ 30.757539] [ 30.757674] CPU: 1 PID: 237 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 30.758056] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 30.758818] Call Trace: [ 30.759084] <TASK> [ 30.759367] dump_stack_lvl+0x49/0x62 [ 30.759721] print_report+0x189/0x492 [ 30.760101] ? kasan_complete_mode_report_info+0x7c/0x200 [ 30.760543] ? krealloc_uaf+0xed/0x2e0 [ 30.760735] kasan_report+0x10c/0x190 [ 30.760924] ? krealloc_uaf+0xed/0x2e0 [ 30.761111] ? krealloc_uaf+0xed/0x2e0 [ 30.761358] __kasan_check_byte+0x39/0x50 [ 30.761706] krealloc+0x35/0x140 [ 30.762274] krealloc_uaf+0xed/0x2e0 [ 30.762625] ? kmalloc_memmove_negative_size+0x1e0/0x1e0 [ 30.763049] ? preempt_count_sub+0x4c/0x70 [ 30.763429] ? _raw_spin_unlock_irqrestore+0x2d/0x60 [ 30.763822] ? __kunit_add_resource+0xd1/0x100 [ 30.764246] kunit_try_run_case+0x8f/0xd0 [ 30.764659] ? kunit_catch_run_case+0x80/0x80 [ 30.764914] ? kunit_try_catch_throw+0x40/0x40 [ 30.765157] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 30.765662] kthread+0x17b/0x1b0 [ 30.765990] ? kthread_complete_and_exit+0x30/0x30 [ 30.766432] ret_from_fork+0x22/0x30 [ 30.766813] </TASK> [ 30.767066] [ 30.767329] Allocated by task 237: [ 30.767639] kasan_save_stack+0x41/0x70 [ 30.767993] kasan_set_track+0x25/0x40 [ 30.768218] kasan_save_alloc_info+0x1e/0x30 [ 30.768681] __kasan_kmalloc+0xb6/0xc0 [ 30.769037] kmalloc_trace+0x48/0xb0 [ 30.769397] krealloc_uaf+0xac/0x2e0 [ 30.769732] kunit_try_run_case+0x8f/0xd0 [ 30.770082] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 30.770482] kthread+0x17b/0x1b0 [ 30.770683] ret_from_fork+0x22/0x30 [ 30.770883] [ 30.770979] Freed by task 237: [ 30.771143] kasan_save_stack+0x41/0x70 [ 30.771710] kasan_set_track+0x25/0x40 [ 30.772031] kasan_save_free_info+0x2e/0x50 [ 30.772478] ____kasan_slab_free+0x175/0x1d0 [ 30.772807] __kasan_slab_free+0x12/0x20 [ 30.773144] __kmem_cache_free+0x188/0x2f0 [ 30.773671] kfree+0x78/0x120 [ 30.773880] krealloc_uaf+0xcc/0x2e0 [ 30.774268] kunit_try_run_case+0x8f/0xd0 [ 30.774505] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 30.774882] kthread+0x17b/0x1b0 [ 30.775202] ret_from_fork+0x22/0x30 [ 30.775547] [ 30.775767] The buggy address belongs to the object at ffff88810090ca00 [ 30.775767] which belongs to the cache kmalloc-256 of size 256 [ 30.776601] The buggy address is located 0 bytes inside of [ 30.776601] 256-byte region [ffff88810090ca00, ffff88810090cb00) [ 30.777393] [ 30.777528] The buggy address belongs to the physical page: [ 30.777920] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10090c [ 30.778528] head:(____ptrval____) order:1 compound_mapcount:0 compound_pincount:0 [ 30.778979] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 30.779477] raw: 0200000000010200 0000000000000000 dead000000000122 ffff888100041b40 [ 30.779966] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 30.780494] page dumped because: kasan: bad access detected [ 30.780831] [ 30.780926] Memory state around the buggy address: [ 30.781491] ffff88810090c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.781812] ffff88810090c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.782170] >ffff88810090ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.782656] ^ [ 30.782951] ffff88810090ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.783475] ffff88810090cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.783914] ================================================================== [ 30.784963] ================================================================== [ 30.785310] BUG: KASAN: use-after-free in krealloc_uaf+0x126/0x2e0 [ 30.785702] Read of size 1 at addr ffff88810090ca00 by task kunit_try_catch/237 [ 30.786730] [ 30.786863] CPU: 1 PID: 237 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 30.787241] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 30.787624] Call Trace: [ 30.787780] <TASK> [ 30.787923] dump_stack_lvl+0x49/0x62 [ 30.788157] print_report+0x189/0x492 [ 30.788429] ? kasan_complete_mode_report_info+0x7c/0x200 [ 30.789268] ? krealloc_uaf+0x126/0x2e0 [ 30.789510] kasan_report+0x10c/0x190 [ 30.789742] ? krealloc_uaf+0x126/0x2e0 [ 30.789964] __asan_load1+0x62/0x70 [ 30.790176] krealloc_uaf+0x126/0x2e0 [ 30.790738] ? kmalloc_memmove_negative_size+0x1e0/0x1e0 [ 30.791116] ? preempt_count_sub+0x4c/0x70 [ 30.791518] ? _raw_spin_unlock_irqrestore+0x2d/0x60 [ 30.791911] ? __kunit_add_resource+0xd1/0x100 [ 30.792294] kunit_try_run_case+0x8f/0xd0 [ 30.792647] ? kunit_catch_run_case+0x80/0x80 [ 30.793012] ? kunit_try_catch_throw+0x40/0x40 [ 30.793422] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 30.793817] kthread+0x17b/0x1b0 [ 30.794020] ? kthread_complete_and_exit+0x30/0x30 [ 30.794507] ret_from_fork+0x22/0x30 [ 30.794759] </TASK> [ 30.795059] [ 30.795305] Allocated by task 237: [ 30.795492] kasan_save_stack+0x41/0x70 [ 30.795862] kasan_set_track+0x25/0x40 [ 30.796103] kasan_save_alloc_info+0x1e/0x30 [ 30.796580] __kasan_kmalloc+0xb6/0xc0 [ 30.796824] kmalloc_trace+0x48/0xb0 [ 30.797208] krealloc_uaf+0xac/0x2e0 [ 30.797538] kunit_try_run_case+0x8f/0xd0 [ 30.797883] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 30.798193] kthread+0x17b/0x1b0 [ 30.798552] ret_from_fork+0x22/0x30 [ 30.798871] [ 30.799006] Freed by task 237: [ 30.799347] kasan_save_stack+0x41/0x70 [ 30.799592] kasan_set_track+0x25/0x40 [ 30.800002] kasan_save_free_info+0x2e/0x50 [ 30.800394] ____kasan_slab_free+0x175/0x1d0 [ 30.800651] __kasan_slab_free+0x12/0x20 [ 30.800868] __kmem_cache_free+0x188/0x2f0 [ 30.801105] kfree+0x78/0x120 [ 30.801619] krealloc_uaf+0xcc/0x2e0 [ 30.801849] kunit_try_run_case+0x8f/0xd0 [ 30.802173] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 30.802566] kthread+0x17b/0x1b0 [ 30.802875] ret_from_fork+0x22/0x30 [ 30.803102] [ 30.803392] The buggy address belongs to the object at ffff88810090ca00 [ 30.803392] which belongs to the cache kmalloc-256 of size 256 [ 30.804042] The buggy address is located 0 bytes inside of [ 30.804042] 256-byte region [ffff88810090ca00, ffff88810090cb00) [ 30.804787] [ 30.804940] The buggy address belongs to the physical page: [ 30.805358] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10090c [ 30.805919] head:(____ptrval____) order:1 compound_mapcount:0 compound_pincount:0 [ 30.806280] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 30.806742] raw: 0200000000010200 0000000000000000 dead000000000122 ffff888100041b40 [ 30.807227] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 30.807675] page dumped because: kasan: bad access detected [ 30.808033] [ 30.808173] Memory state around the buggy address: [ 30.808507] ffff88810090c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.808992] ffff88810090c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.809533] >ffff88810090ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.809872] ^ [ 30.810145] ffff88810090ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.810589] ffff88810090cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.810925] ==================================================================