Date
June 2, 2025, 2:11 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 23.707591] ================================================================== [ 23.717393] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 23.723988] Read of size 1 at addr ffff000801c37c00 by task kunit_try_catch/211 [ 23.731279] [ 23.732765] CPU: 4 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT [ 23.732815] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.732828] Hardware name: WinLink E850-96 board (DT) [ 23.732849] Call trace: [ 23.732862] show_stack+0x20/0x38 (C) [ 23.732893] dump_stack_lvl+0x8c/0xd0 [ 23.732926] print_report+0x118/0x608 [ 23.732956] kasan_report+0xdc/0x128 [ 23.732984] __kasan_check_byte+0x54/0x70 [ 23.733013] krealloc_noprof+0x44/0x360 [ 23.733040] krealloc_uaf+0x180/0x520 [ 23.733070] kunit_try_run_case+0x170/0x3f0 [ 23.733103] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.733141] kthread+0x328/0x630 [ 23.733174] ret_from_fork+0x10/0x20 [ 23.733208] [ 23.798120] Allocated by task 211: [ 23.801508] kasan_save_stack+0x3c/0x68 [ 23.805323] kasan_save_track+0x20/0x40 [ 23.809143] kasan_save_alloc_info+0x40/0x58 [ 23.813396] __kasan_kmalloc+0xd4/0xd8 [ 23.817128] __kmalloc_cache_noprof+0x16c/0x3c0 [ 23.821642] krealloc_uaf+0xc8/0x520 [ 23.825201] kunit_try_run_case+0x170/0x3f0 [ 23.829368] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.834836] kthread+0x328/0x630 [ 23.838048] ret_from_fork+0x10/0x20 [ 23.841607] [ 23.843084] Freed by task 211: [ 23.846121] kasan_save_stack+0x3c/0x68 [ 23.849940] kasan_save_track+0x20/0x40 [ 23.853760] kasan_save_free_info+0x4c/0x78 [ 23.857927] __kasan_slab_free+0x6c/0x98 [ 23.861833] kfree+0x214/0x3c8 [ 23.864871] krealloc_uaf+0x12c/0x520 [ 23.868516] kunit_try_run_case+0x170/0x3f0 [ 23.872683] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.878152] kthread+0x328/0x630 [ 23.881364] ret_from_fork+0x10/0x20 [ 23.884923] [ 23.886401] The buggy address belongs to the object at ffff000801c37c00 [ 23.886401] which belongs to the cache kmalloc-256 of size 256 [ 23.898900] The buggy address is located 0 bytes inside of [ 23.898900] freed 256-byte region [ffff000801c37c00, ffff000801c37d00) [ 23.910964] [ 23.912443] The buggy address belongs to the physical page: [ 23.917999] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881c34 [ 23.925985] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 23.933623] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 23.940566] page_type: f5(slab) [ 23.943702] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000 [ 23.951421] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 23.959148] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000 [ 23.966959] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 23.974772] head: 0bfffe0000000002 fffffdffe0070d01 00000000ffffffff 00000000ffffffff [ 23.982584] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 23.990390] page dumped because: kasan: bad access detected [ 23.995945] [ 23.997421] Memory state around the buggy address: [ 24.002202] ffff000801c37b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.009403] ffff000801c37b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.016608] >ffff000801c37c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.023809] ^ [ 24.027024] ffff000801c37c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.034229] ffff000801c37d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.041432] ================================================================== [ 24.048984] ================================================================== [ 24.055848] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 24.062438] Read of size 1 at addr ffff000801c37c00 by task kunit_try_catch/211 [ 24.069729] [ 24.071215] CPU: 2 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT [ 24.071267] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.071283] Hardware name: WinLink E850-96 board (DT) [ 24.071307] Call trace: [ 24.071318] show_stack+0x20/0x38 (C) [ 24.071352] dump_stack_lvl+0x8c/0xd0 [ 24.071383] print_report+0x118/0x608 [ 24.071410] kasan_report+0xdc/0x128 [ 24.071436] __asan_report_load1_noabort+0x20/0x30 [ 24.071467] krealloc_uaf+0x4c8/0x520 [ 24.071497] kunit_try_run_case+0x170/0x3f0 [ 24.071535] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.071574] kthread+0x328/0x630 [ 24.071609] ret_from_fork+0x10/0x20 [ 24.071643] [ 24.133530] Allocated by task 211: [ 24.136916] kasan_save_stack+0x3c/0x68 [ 24.140735] kasan_save_track+0x20/0x40 [ 24.144554] kasan_save_alloc_info+0x40/0x58 [ 24.148808] __kasan_kmalloc+0xd4/0xd8 [ 24.152540] __kmalloc_cache_noprof+0x16c/0x3c0 [ 24.157054] krealloc_uaf+0xc8/0x520 [ 24.160613] kunit_try_run_case+0x170/0x3f0 [ 24.164779] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.170248] kthread+0x328/0x630 [ 24.173460] ret_from_fork+0x10/0x20 [ 24.177019] [ 24.178494] Freed by task 211: [ 24.181533] kasan_save_stack+0x3c/0x68 [ 24.185352] kasan_save_track+0x20/0x40 [ 24.189171] kasan_save_free_info+0x4c/0x78 [ 24.193338] __kasan_slab_free+0x6c/0x98 [ 24.197244] kfree+0x214/0x3c8 [ 24.200282] krealloc_uaf+0x12c/0x520 [ 24.203928] kunit_try_run_case+0x170/0x3f0 [ 24.208095] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.213564] kthread+0x328/0x630 [ 24.216775] ret_from_fork+0x10/0x20 [ 24.220334] [ 24.221812] The buggy address belongs to the object at ffff000801c37c00 [ 24.221812] which belongs to the cache kmalloc-256 of size 256 [ 24.234310] The buggy address is located 0 bytes inside of [ 24.234310] freed 256-byte region [ffff000801c37c00, ffff000801c37d00) [ 24.246375] [ 24.247853] The buggy address belongs to the physical page: [ 24.253411] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881c34 [ 24.261394] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 24.269035] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 24.275978] page_type: f5(slab) [ 24.279111] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000 [ 24.286833] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 24.294559] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000 [ 24.302370] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 24.310184] head: 0bfffe0000000002 fffffdffe0070d01 00000000ffffffff 00000000ffffffff [ 24.317996] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 24.325801] page dumped because: kasan: bad access detected [ 24.331357] [ 24.332832] Memory state around the buggy address: [ 24.337613] ffff000801c37b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.344815] ffff000801c37b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.352020] >ffff000801c37c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.359221] ^ [ 24.362436] ffff000801c37c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.369641] ffff000801c37d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.376842] ==================================================================
[ 17.731672] ================================================================== [ 17.732466] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520 [ 17.732570] Read of size 1 at addr fff00000c5adea00 by task kunit_try_catch/167 [ 17.732623] [ 17.733486] CPU: 1 UID: 0 PID: 167 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT [ 17.734392] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.734423] Hardware name: linux,dummy-virt (DT) [ 17.734456] Call trace: [ 17.734501] show_stack+0x20/0x38 (C) [ 17.734565] dump_stack_lvl+0x8c/0xd0 [ 17.734614] print_report+0x118/0x608 [ 17.737370] kasan_report+0xdc/0x128 [ 17.737436] __kasan_check_byte+0x54/0x70 [ 17.737507] krealloc_noprof+0x44/0x360 [ 17.737553] krealloc_uaf+0x180/0x520 [ 17.738411] kunit_try_run_case+0x170/0x3f0 [ 17.738478] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.738538] kthread+0x328/0x630 [ 17.738585] ret_from_fork+0x10/0x20 [ 17.738639] [ 17.738657] Allocated by task 167: [ 17.738687] kasan_save_stack+0x3c/0x68 [ 17.739503] kasan_save_track+0x20/0x40 [ 17.740635] kasan_save_alloc_info+0x40/0x58 [ 17.742355] __kasan_kmalloc+0xd4/0xd8 [ 17.742513] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.742561] krealloc_uaf+0xc8/0x520 [ 17.742599] kunit_try_run_case+0x170/0x3f0 [ 17.742640] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.744751] kthread+0x328/0x630 [ 17.744801] ret_from_fork+0x10/0x20 [ 17.744860] [ 17.744950] Freed by task 167: [ 17.744992] kasan_save_stack+0x3c/0x68 [ 17.745264] kasan_save_track+0x20/0x40 [ 17.745652] kasan_save_free_info+0x4c/0x78 [ 17.745703] __kasan_slab_free+0x6c/0x98 [ 17.748100] kfree+0x214/0x3c8 [ 17.748238] krealloc_uaf+0x12c/0x520 [ 17.750776] kunit_try_run_case+0x170/0x3f0 [ 17.750841] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.750888] kthread+0x328/0x630 [ 17.750927] ret_from_fork+0x10/0x20 [ 17.750985] [ 17.751496] The buggy address belongs to the object at fff00000c5adea00 [ 17.751496] which belongs to the cache kmalloc-256 of size 256 [ 17.754650] The buggy address is located 0 bytes inside of [ 17.754650] freed 256-byte region [fff00000c5adea00, fff00000c5adeb00) [ 17.754987] [ 17.755024] The buggy address belongs to the physical page: [ 17.755059] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ade [ 17.755145] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 17.755197] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 17.755255] page_type: f5(slab) [ 17.755300] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 17.755360] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.755409] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 17.755456] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.755503] head: 0bfffe0000000001 ffffc1ffc316b781 00000000ffffffff 00000000ffffffff [ 17.755550] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 17.755587] page dumped because: kasan: bad access detected [ 17.755618] [ 17.757495] Memory state around the buggy address: [ 17.758457] fff00000c5ade900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.758522] fff00000c5ade980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.758565] >fff00000c5adea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.758627] ^ [ 17.758671] fff00000c5adea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.758712] fff00000c5adeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.758749] ================================================================== [ 17.764093] ================================================================== [ 17.764158] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 17.764224] Read of size 1 at addr fff00000c5adea00 by task kunit_try_catch/167 [ 17.764273] [ 17.764312] CPU: 1 UID: 0 PID: 167 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT [ 17.770692] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.770732] Hardware name: linux,dummy-virt (DT) [ 17.770766] Call trace: [ 17.770791] show_stack+0x20/0x38 (C) [ 17.770856] dump_stack_lvl+0x8c/0xd0 [ 17.770959] print_report+0x118/0x608 [ 17.771017] kasan_report+0xdc/0x128 [ 17.771062] __asan_report_load1_noabort+0x20/0x30 [ 17.771430] krealloc_uaf+0x4c8/0x520 [ 17.771491] kunit_try_run_case+0x170/0x3f0 [ 17.771543] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.771599] kthread+0x328/0x630 [ 17.771647] ret_from_fork+0x10/0x20 [ 17.772720] [ 17.772975] Allocated by task 167: [ 17.773011] kasan_save_stack+0x3c/0x68 [ 17.773072] kasan_save_track+0x20/0x40 [ 17.773116] kasan_save_alloc_info+0x40/0x58 [ 17.773155] __kasan_kmalloc+0xd4/0xd8 [ 17.773192] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.773252] krealloc_uaf+0xc8/0x520 [ 17.773301] kunit_try_run_case+0x170/0x3f0 [ 17.773341] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.773599] kthread+0x328/0x630 [ 17.773637] ret_from_fork+0x10/0x20 [ 17.773673] [ 17.773692] Freed by task 167: [ 17.773719] kasan_save_stack+0x3c/0x68 [ 17.773755] kasan_save_track+0x20/0x40 [ 17.773790] kasan_save_free_info+0x4c/0x78 [ 17.773828] __kasan_slab_free+0x6c/0x98 [ 17.773864] kfree+0x214/0x3c8 [ 17.773901] krealloc_uaf+0x12c/0x520 [ 17.773939] kunit_try_run_case+0x170/0x3f0 [ 17.773977] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.774157] kthread+0x328/0x630 [ 17.774193] ret_from_fork+0x10/0x20 [ 17.774229] [ 17.774249] The buggy address belongs to the object at fff00000c5adea00 [ 17.774249] which belongs to the cache kmalloc-256 of size 256 [ 17.774306] The buggy address is located 0 bytes inside of [ 17.774306] freed 256-byte region [fff00000c5adea00, fff00000c5adeb00) [ 17.774395] [ 17.774416] The buggy address belongs to the physical page: [ 17.774449] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ade [ 17.774504] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 17.774788] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 17.774851] page_type: f5(slab) [ 17.774896] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 17.774946] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.774997] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000 [ 17.775051] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.775098] head: 0bfffe0000000001 ffffc1ffc316b781 00000000ffffffff 00000000ffffffff [ 17.775145] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 17.775182] page dumped because: kasan: bad access detected [ 17.775212] [ 17.775231] Memory state around the buggy address: [ 17.775268] fff00000c5ade900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.775311] fff00000c5ade980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.775371] >fff00000c5adea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.775407] ^ [ 17.775435] fff00000c5adea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.775475] fff00000c5adeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.775511] ==================================================================
[ 16.397708] ================================================================== [ 16.398764] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0 [ 16.399460] Read of size 1 at addr ffff88810099d600 by task kunit_try_catch/185 [ 16.400105] [ 16.400901] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary) [ 16.401035] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.401066] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 16.401113] Call Trace: [ 16.401143] <TASK> [ 16.401187] dump_stack_lvl+0x73/0xb0 [ 16.401263] print_report+0xd1/0x650 [ 16.401305] ? __virt_addr_valid+0x1db/0x2d0 [ 16.401341] ? krealloc_uaf+0x1b8/0x5e0 [ 16.401364] ? kasan_complete_mode_report_info+0x64/0x200 [ 16.401389] ? krealloc_uaf+0x1b8/0x5e0 [ 16.401412] kasan_report+0x141/0x180 [ 16.401436] ? krealloc_uaf+0x1b8/0x5e0 [ 16.401461] ? krealloc_uaf+0x1b8/0x5e0 [ 16.401484] __kasan_check_byte+0x3d/0x50 [ 16.401508] krealloc_noprof+0x3f/0x340 [ 16.401533] krealloc_uaf+0x1b8/0x5e0 [ 16.401556] ? __pfx_krealloc_uaf+0x10/0x10 [ 16.401579] ? finish_task_switch.isra.0+0x153/0x700 [ 16.401606] ? __switch_to+0x5d9/0xf60 [ 16.401628] ? dequeue_task_fair+0x166/0x4e0 [ 16.401654] ? __schedule+0x10cc/0x2b30 [ 16.401678] ? __pfx_read_tsc+0x10/0x10 [ 16.401702] ? ktime_get_ts64+0x86/0x230 [ 16.401725] ? irqentry_exit+0x2a/0x60 [ 16.401777] kunit_try_run_case+0x1a5/0x480 [ 16.401809] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.401833] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 16.401858] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 16.401882] ? __kthread_parkme+0x82/0x180 [ 16.401906] ? preempt_count_sub+0x50/0x80 [ 16.401932] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.401956] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.401980] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 16.402004] kthread+0x337/0x6f0 [ 16.402023] ? trace_preempt_on+0x20/0xc0 [ 16.402050] ? __pfx_kthread+0x10/0x10 [ 16.402069] ? _raw_spin_unlock_irq+0x47/0x80 [ 16.402092] ? calculate_sigpending+0x7b/0xa0 [ 16.402149] ? __pfx_kthread+0x10/0x10 [ 16.402173] ret_from_fork+0x41/0x80 [ 16.402208] ? __pfx_kthread+0x10/0x10 [ 16.402242] ret_from_fork_asm+0x1a/0x30 [ 16.402292] </TASK> [ 16.402308] [ 16.415369] Allocated by task 185: [ 16.415663] kasan_save_stack+0x45/0x70 [ 16.416041] kasan_save_track+0x18/0x40 [ 16.416349] kasan_save_alloc_info+0x3b/0x50 [ 16.416722] __kasan_kmalloc+0xb7/0xc0 [ 16.418306] __kmalloc_cache_noprof+0x189/0x420 [ 16.418733] krealloc_uaf+0xbb/0x5e0 [ 16.419079] kunit_try_run_case+0x1a5/0x480 [ 16.419367] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.419653] kthread+0x337/0x6f0 [ 16.419968] ret_from_fork+0x41/0x80 [ 16.420324] ret_from_fork_asm+0x1a/0x30 [ 16.420584] [ 16.420895] Freed by task 185: [ 16.421285] kasan_save_stack+0x45/0x70 [ 16.421503] kasan_save_track+0x18/0x40 [ 16.421817] kasan_save_free_info+0x3f/0x60 [ 16.422185] __kasan_slab_free+0x56/0x70 [ 16.422429] kfree+0x222/0x3f0 [ 16.422630] krealloc_uaf+0x13d/0x5e0 [ 16.423046] kunit_try_run_case+0x1a5/0x480 [ 16.423412] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.423654] kthread+0x337/0x6f0 [ 16.423985] ret_from_fork+0x41/0x80 [ 16.424881] ret_from_fork_asm+0x1a/0x30 [ 16.425368] [ 16.425484] The buggy address belongs to the object at ffff88810099d600 [ 16.425484] which belongs to the cache kmalloc-256 of size 256 [ 16.425979] The buggy address is located 0 bytes inside of [ 16.425979] freed 256-byte region [ffff88810099d600, ffff88810099d700) [ 16.426829] [ 16.427009] The buggy address belongs to the physical page: [ 16.427192] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10099c [ 16.427436] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.429051] flags: 0x200000000000040(head|node=0|zone=2) [ 16.429636] page_type: f5(slab) [ 16.429858] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 16.430352] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.430805] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 16.431254] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.432027] head: 0200000000000001 ffffea0004026701 00000000ffffffff 00000000ffffffff [ 16.432518] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.433420] page dumped because: kasan: bad access detected [ 16.433884] [ 16.433961] Memory state around the buggy address: [ 16.434083] ffff88810099d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.435036] ffff88810099d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.435743] >ffff88810099d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.436243] ^ [ 16.436413] ffff88810099d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.437313] ffff88810099d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.438282] ================================================================== [ 16.439550] ================================================================== [ 16.440177] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0 [ 16.441044] Read of size 1 at addr ffff88810099d600 by task kunit_try_catch/185 [ 16.441699] [ 16.441937] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary) [ 16.442055] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.442083] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 16.442140] Call Trace: [ 16.442172] <TASK> [ 16.442260] dump_stack_lvl+0x73/0xb0 [ 16.442342] print_report+0xd1/0x650 [ 16.442393] ? __virt_addr_valid+0x1db/0x2d0 [ 16.442444] ? krealloc_uaf+0x53c/0x5e0 [ 16.442514] ? kasan_complete_mode_report_info+0x64/0x200 [ 16.442564] ? krealloc_uaf+0x53c/0x5e0 [ 16.442610] kasan_report+0x141/0x180 [ 16.442660] ? krealloc_uaf+0x53c/0x5e0 [ 16.442723] __asan_report_load1_noabort+0x18/0x20 [ 16.442774] krealloc_uaf+0x53c/0x5e0 [ 16.442818] ? __pfx_krealloc_uaf+0x10/0x10 [ 16.442861] ? finish_task_switch.isra.0+0x153/0x700 [ 16.442910] ? __switch_to+0x5d9/0xf60 [ 16.442954] ? dequeue_task_fair+0x166/0x4e0 [ 16.443006] ? __schedule+0x10cc/0x2b30 [ 16.443056] ? __pfx_read_tsc+0x10/0x10 [ 16.443133] ? ktime_get_ts64+0x86/0x230 [ 16.443180] ? irqentry_exit+0x2a/0x60 [ 16.443234] kunit_try_run_case+0x1a5/0x480 [ 16.443290] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.443338] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 16.443386] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 16.443454] ? __kthread_parkme+0x82/0x180 [ 16.443500] ? preempt_count_sub+0x50/0x80 [ 16.443549] ? __pfx_kunit_try_run_case+0x10/0x10 [ 16.443600] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.443661] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 16.443713] kthread+0x337/0x6f0 [ 16.443767] ? trace_preempt_on+0x20/0xc0 [ 16.443823] ? __pfx_kthread+0x10/0x10 [ 16.443862] ? _raw_spin_unlock_irq+0x47/0x80 [ 16.443908] ? calculate_sigpending+0x7b/0xa0 [ 16.443957] ? __pfx_kthread+0x10/0x10 [ 16.444001] ret_from_fork+0x41/0x80 [ 16.444048] ? __pfx_kthread+0x10/0x10 [ 16.444091] ret_from_fork_asm+0x1a/0x30 [ 16.444161] </TASK> [ 16.444179] [ 16.455889] Allocated by task 185: [ 16.456240] kasan_save_stack+0x45/0x70 [ 16.456669] kasan_save_track+0x18/0x40 [ 16.457014] kasan_save_alloc_info+0x3b/0x50 [ 16.457430] __kasan_kmalloc+0xb7/0xc0 [ 16.457791] __kmalloc_cache_noprof+0x189/0x420 [ 16.458235] krealloc_uaf+0xbb/0x5e0 [ 16.458595] kunit_try_run_case+0x1a5/0x480 [ 16.458935] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.459224] kthread+0x337/0x6f0 [ 16.459413] ret_from_fork+0x41/0x80 [ 16.459663] ret_from_fork_asm+0x1a/0x30 [ 16.460059] [ 16.460280] Freed by task 185: [ 16.460608] kasan_save_stack+0x45/0x70 [ 16.460971] kasan_save_track+0x18/0x40 [ 16.461363] kasan_save_free_info+0x3f/0x60 [ 16.461765] __kasan_slab_free+0x56/0x70 [ 16.462155] kfree+0x222/0x3f0 [ 16.462487] krealloc_uaf+0x13d/0x5e0 [ 16.462745] kunit_try_run_case+0x1a5/0x480 [ 16.463038] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 16.463444] kthread+0x337/0x6f0 [ 16.463651] ret_from_fork+0x41/0x80 [ 16.463865] ret_from_fork_asm+0x1a/0x30 [ 16.464214] [ 16.464392] The buggy address belongs to the object at ffff88810099d600 [ 16.464392] which belongs to the cache kmalloc-256 of size 256 [ 16.465366] The buggy address is located 0 bytes inside of [ 16.465366] freed 256-byte region [ffff88810099d600, ffff88810099d700) [ 16.466329] [ 16.466481] The buggy address belongs to the physical page: [ 16.466823] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10099c [ 16.467363] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 16.467735] flags: 0x200000000000040(head|node=0|zone=2) [ 16.468033] page_type: f5(slab) [ 16.468314] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 16.468930] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.469536] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000 [ 16.470185] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.470815] head: 0200000000000001 ffffea0004026701 00000000ffffffff 00000000ffffffff [ 16.471353] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 16.471948] page dumped because: kasan: bad access detected [ 16.472438] [ 16.472587] Memory state around the buggy address: [ 16.472996] ffff88810099d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.473482] ffff88810099d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.473995] >ffff88810099d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.474465] ^ [ 16.474766] ffff88810099d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.475267] ffff88810099d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.475724] ==================================================================