Hay
Sign in
Date
June 26, 2025, 11:12 a.m.

Environment
e850-96
qemu-arm64
qemu-x86_64 

[   26.170075] ==================================================================
[   26.177020] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   26.183613] Read of size 1 at addr ffff000802fae600 by task kunit_try_catch/213
[   26.190906] 
[   26.192390] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   26.192438] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.192454] Hardware name: WinLink E850-96 board (DT)
[   26.192472] Call trace:
[   26.192484]  show_stack+0x20/0x38 (C)
[   26.192516]  dump_stack_lvl+0x8c/0xd0
[   26.192553]  print_report+0x118/0x608
[   26.192582]  kasan_report+0xdc/0x128
[   26.192610]  __asan_report_load1_noabort+0x20/0x30
[   26.192645]  krealloc_uaf+0x4c8/0x520
[   26.192671]  kunit_try_run_case+0x170/0x3f0
[   26.192708]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.192747]  kthread+0x328/0x630
[   26.192779]  ret_from_fork+0x10/0x20
[   26.192812] 
[   26.254705] Allocated by task 213:
[   26.258093]  kasan_save_stack+0x3c/0x68
[   26.261910]  kasan_save_track+0x20/0x40
[   26.265730]  kasan_save_alloc_info+0x40/0x58
[   26.269983]  __kasan_kmalloc+0xd4/0xd8
[   26.273716]  __kmalloc_cache_noprof+0x16c/0x3c0
[   26.278230]  krealloc_uaf+0xc8/0x520
[   26.281789]  kunit_try_run_case+0x170/0x3f0
[   26.285955]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.291425]  kthread+0x328/0x630
[   26.294636]  ret_from_fork+0x10/0x20
[   26.298195] 
[   26.299670] Freed by task 213:
[   26.302708]  kasan_save_stack+0x3c/0x68
[   26.306528]  kasan_save_track+0x20/0x40
[   26.310348]  kasan_save_free_info+0x4c/0x78
[   26.314514]  __kasan_slab_free+0x6c/0x98
[   26.318420]  kfree+0x214/0x3c8
[   26.321458]  krealloc_uaf+0x12c/0x520
[   26.325104]  kunit_try_run_case+0x170/0x3f0
[   26.329270]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.334739]  kthread+0x328/0x630
[   26.337951]  ret_from_fork+0x10/0x20
[   26.341510] 
[   26.342987] The buggy address belongs to the object at ffff000802fae600
[   26.342987]  which belongs to the cache kmalloc-256 of size 256
[   26.355487] The buggy address is located 0 bytes inside of
[   26.355487]  freed 256-byte region [ffff000802fae600, ffff000802fae700)
[   26.367551] 
[   26.369030] The buggy address belongs to the physical page:
[   26.374586] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882fac
[   26.382568] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   26.390209] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   26.397151] page_type: f5(slab)
[   26.400288] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.408009] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.415737] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.423547] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.431359] head: 0bfffe0000000002 fffffdffe00beb01 00000000ffffffff 00000000ffffffff
[   26.439172] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   26.446977] page dumped because: kasan: bad access detected
[   26.452532] 
[   26.454008] Memory state around the buggy address:
[   26.458789]  ffff000802fae500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.465991]  ffff000802fae580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.473196] >ffff000802fae600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.480396]                    ^
[   26.483612]  ffff000802fae680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.490817]  ffff000802fae700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.498018] ==================================================================
[   25.828773] ==================================================================
[   25.838571] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   25.845166] Read of size 1 at addr ffff000802fae600 by task kunit_try_catch/213
[   25.852455] 
[   25.853942] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   25.854000] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.854016] Hardware name: WinLink E850-96 board (DT)
[   25.854038] Call trace:
[   25.854054]  show_stack+0x20/0x38 (C)
[   25.854089]  dump_stack_lvl+0x8c/0xd0
[   25.854126]  print_report+0x118/0x608
[   25.854159]  kasan_report+0xdc/0x128
[   25.854191]  __kasan_check_byte+0x54/0x70
[   25.854220]  krealloc_noprof+0x44/0x360
[   25.854252]  krealloc_uaf+0x180/0x520
[   25.854277]  kunit_try_run_case+0x170/0x3f0
[   25.854315]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.854353]  kthread+0x328/0x630
[   25.854388]  ret_from_fork+0x10/0x20
[   25.854426] 
[   25.919296] Allocated by task 213:
[   25.922684]  kasan_save_stack+0x3c/0x68
[   25.926498]  kasan_save_track+0x20/0x40
[   25.930318]  kasan_save_alloc_info+0x40/0x58
[   25.934572]  __kasan_kmalloc+0xd4/0xd8
[   25.938304]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.942818]  krealloc_uaf+0xc8/0x520
[   25.946377]  kunit_try_run_case+0x170/0x3f0
[   25.950544]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.956012]  kthread+0x328/0x630
[   25.959224]  ret_from_fork+0x10/0x20
[   25.962783] 
[   25.964260] Freed by task 213:
[   25.967296]  kasan_save_stack+0x3c/0x68
[   25.971116]  kasan_save_track+0x20/0x40
[   25.974937]  kasan_save_free_info+0x4c/0x78
[   25.979102]  __kasan_slab_free+0x6c/0x98
[   25.983008]  kfree+0x214/0x3c8
[   25.986046]  krealloc_uaf+0x12c/0x520
[   25.989692]  kunit_try_run_case+0x170/0x3f0
[   25.993859]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.999327]  kthread+0x328/0x630
[   26.002539]  ret_from_fork+0x10/0x20
[   26.006098] 
[   26.007575] The buggy address belongs to the object at ffff000802fae600
[   26.007575]  which belongs to the cache kmalloc-256 of size 256
[   26.020077] The buggy address is located 0 bytes inside of
[   26.020077]  freed 256-byte region [ffff000802fae600, ffff000802fae700)
[   26.032139] 
[   26.033620] The buggy address belongs to the physical page:
[   26.039176] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882fac
[   26.047160] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   26.054798] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   26.061741] page_type: f5(slab)
[   26.064880] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.072597] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.080323] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   26.088135] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.095948] head: 0bfffe0000000002 fffffdffe00beb01 00000000ffffffff 00000000ffffffff
[   26.103760] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   26.111565] page dumped because: kasan: bad access detected
[   26.117122] 
[   26.118598] Memory state around the buggy address:
[   26.123377]  ffff000802fae500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.130581]  ffff000802fae580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.137786] >ffff000802fae600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.144985]                    ^
[   26.148201]  ffff000802fae680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.155405]  ffff000802fae700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.162606] ==================================================================
Metadata Full log Test run details 

[   17.882848] ==================================================================
[   17.882977] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   17.883072] Read of size 1 at addr fff00000c4776000 by task kunit_try_catch/166
[   17.883125] 
[   17.883161] CPU: 0 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   17.883380] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.883441] Hardware name: linux,dummy-virt (DT)
[   17.883490] Call trace:
[   17.883512]  show_stack+0x20/0x38 (C)
[   17.883562]  dump_stack_lvl+0x8c/0xd0
[   17.883772]  print_report+0x118/0x608
[   17.883917]  kasan_report+0xdc/0x128
[   17.884011]  __kasan_check_byte+0x54/0x70
[   17.884243]  krealloc_noprof+0x44/0x360
[   17.884467]  krealloc_uaf+0x180/0x520
[   17.884617]  kunit_try_run_case+0x170/0x3f0
[   17.884670]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.884969]  kthread+0x328/0x630
[   17.885140]  ret_from_fork+0x10/0x20
[   17.885300] 
[   17.885369] Allocated by task 166:
[   17.885485]  kasan_save_stack+0x3c/0x68
[   17.885618]  kasan_save_track+0x20/0x40
[   17.885707]  kasan_save_alloc_info+0x40/0x58
[   17.885945]  __kasan_kmalloc+0xd4/0xd8
[   17.886165]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.886235]  krealloc_uaf+0xc8/0x520
[   17.886271]  kunit_try_run_case+0x170/0x3f0
[   17.886368]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.886421]  kthread+0x328/0x630
[   17.886456]  ret_from_fork+0x10/0x20
[   17.886492] 
[   17.886528] Freed by task 166:
[   17.886566]  kasan_save_stack+0x3c/0x68
[   17.886613]  kasan_save_track+0x20/0x40
[   17.886656]  kasan_save_free_info+0x4c/0x78
[   17.886704]  __kasan_slab_free+0x6c/0x98
[   17.886739]  kfree+0x214/0x3c8
[   17.886771]  krealloc_uaf+0x12c/0x520
[   17.886803]  kunit_try_run_case+0x170/0x3f0
[   17.886864]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.886910]  kthread+0x328/0x630
[   17.886945]  ret_from_fork+0x10/0x20
[   17.887007] 
[   17.887032] The buggy address belongs to the object at fff00000c4776000
[   17.887032]  which belongs to the cache kmalloc-256 of size 256
[   17.887159] The buggy address is located 0 bytes inside of
[   17.887159]  freed 256-byte region [fff00000c4776000, fff00000c4776100)
[   17.887223] 
[   17.887248] The buggy address belongs to the physical page:
[   17.887279] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104776
[   17.887339] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   17.887384] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   17.887444] page_type: f5(slab)
[   17.887489] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   17.887550] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.887601] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   17.887652] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.887701] head: 0bfffe0000000001 ffffc1ffc311dd81 00000000ffffffff 00000000ffffffff
[   17.887751] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   17.887791] page dumped because: kasan: bad access detected
[   17.887841] 
[   17.887931] Memory state around the buggy address:
[   17.888202]  fff00000c4775f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.888291]  fff00000c4775f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.888337] >fff00000c4776000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.888385]                    ^
[   17.888416]  fff00000c4776080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.888459]  fff00000c4776100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.888499] ==================================================================
[   17.889574] ==================================================================
[   17.889744] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   17.889827] Read of size 1 at addr fff00000c4776000 by task kunit_try_catch/166
[   17.889957] 
[   17.890006] CPU: 0 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   17.890293] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.890419] Hardware name: linux,dummy-virt (DT)
[   17.890472] Call trace:
[   17.890563]  show_stack+0x20/0x38 (C)
[   17.890617]  dump_stack_lvl+0x8c/0xd0
[   17.890664]  print_report+0x118/0x608
[   17.890708]  kasan_report+0xdc/0x128
[   17.890803]  __asan_report_load1_noabort+0x20/0x30
[   17.890866]  krealloc_uaf+0x4c8/0x520
[   17.890909]  kunit_try_run_case+0x170/0x3f0
[   17.890962]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.891015]  kthread+0x328/0x630
[   17.891099]  ret_from_fork+0x10/0x20
[   17.891191] 
[   17.891210] Allocated by task 166:
[   17.891237]  kasan_save_stack+0x3c/0x68
[   17.891481]  kasan_save_track+0x20/0x40
[   17.891526]  kasan_save_alloc_info+0x40/0x58
[   17.891575]  __kasan_kmalloc+0xd4/0xd8
[   17.891611]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.891713]  krealloc_uaf+0xc8/0x520
[   17.891821]  kunit_try_run_case+0x170/0x3f0
[   17.891875]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.892181]  kthread+0x328/0x630
[   17.892270]  ret_from_fork+0x10/0x20
[   17.892436] 
[   17.892462] Freed by task 166:
[   17.892581]  kasan_save_stack+0x3c/0x68
[   17.892651]  kasan_save_track+0x20/0x40
[   17.892687]  kasan_save_free_info+0x4c/0x78
[   17.892732]  __kasan_slab_free+0x6c/0x98
[   17.892870]  kfree+0x214/0x3c8
[   17.892970]  krealloc_uaf+0x12c/0x520
[   17.893134]  kunit_try_run_case+0x170/0x3f0
[   17.893304]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.893352]  kthread+0x328/0x630
[   17.893615]  ret_from_fork+0x10/0x20
[   17.893909] 
[   17.894080] The buggy address belongs to the object at fff00000c4776000
[   17.894080]  which belongs to the cache kmalloc-256 of size 256
[   17.894205] The buggy address is located 0 bytes inside of
[   17.894205]  freed 256-byte region [fff00000c4776000, fff00000c4776100)
[   17.894350] 
[   17.894370] The buggy address belongs to the physical page:
[   17.894400] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104776
[   17.894693] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   17.894800] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   17.894956] page_type: f5(slab)
[   17.895105] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   17.895210] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.895318] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   17.895606] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.895682] head: 0bfffe0000000001 ffffc1ffc311dd81 00000000ffffffff 00000000ffffffff
[   17.895846] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   17.896057] page dumped because: kasan: bad access detected
[   17.896147] 
[   17.896282] Memory state around the buggy address:
[   17.896421]  fff00000c4775f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.896470]  fff00000c4775f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.896534] >fff00000c4776000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.896582]                    ^
[   17.896747]  fff00000c4776080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.897036]  fff00000c4776100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.897181] ==================================================================
Metadata Full log Test run details 

[   10.838343] ==================================================================
[   10.839018] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   10.839669] Read of size 1 at addr ffff8881009a2e00 by task kunit_try_catch/183
[   10.840293] 
[   10.840438] CPU: 1 UID: 0 PID: 183 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT(voluntary) 
[   10.840485] Tainted: [B]=BAD_PAGE, [N]=TEST
[   10.840496] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   10.840531] Call Trace:
[   10.840543]  <TASK>
[   10.840561]  dump_stack_lvl+0x73/0xb0
[   10.840589]  print_report+0xd1/0x650
[   10.840654]  ? __virt_addr_valid+0x1db/0x2d0
[   10.840678]  ? krealloc_uaf+0x53c/0x5e0
[   10.840695]  ? kasan_complete_mode_report_info+0x64/0x200
[   10.840717]  ? krealloc_uaf+0x53c/0x5e0
[   10.840735]  kasan_report+0x141/0x180
[   10.840756]  ? krealloc_uaf+0x53c/0x5e0
[   10.840779]  __asan_report_load1_noabort+0x18/0x20
[   10.840799]  krealloc_uaf+0x53c/0x5e0
[   10.840907]  ? __pfx_krealloc_uaf+0x10/0x10
[   10.840940]  ? finish_task_switch.isra.0+0x153/0x700
[   10.840967]  ? __switch_to+0x5d9/0xf60
[   10.840989]  ? dequeue_task_fair+0x166/0x4e0
[   10.841014]  ? __schedule+0x10cc/0x2b60
[   10.841037]  ? __pfx_read_tsc+0x10/0x10
[   10.841057]  ? ktime_get_ts64+0x86/0x230
[   10.841083]  kunit_try_run_case+0x1a5/0x480
[   10.841109]  ? __pfx_kunit_try_run_case+0x10/0x10
[   10.841130]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   10.841155]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   10.841177]  ? __kthread_parkme+0x82/0x180
[   10.841200]  ? preempt_count_sub+0x50/0x80
[   10.841224]  ? __pfx_kunit_try_run_case+0x10/0x10
[   10.841247]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   10.841269]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   10.841549]  kthread+0x337/0x6f0
[   10.841571]  ? trace_preempt_on+0x20/0xc0
[   10.841600]  ? __pfx_kthread+0x10/0x10
[   10.841618]  ? _raw_spin_unlock_irq+0x47/0x80
[   10.841640]  ? calculate_sigpending+0x7b/0xa0
[   10.841661]  ? __pfx_kthread+0x10/0x10
[   10.841679]  ret_from_fork+0x41/0x80
[   10.841700]  ? __pfx_kthread+0x10/0x10
[   10.841727]  ret_from_fork_asm+0x1a/0x30
[   10.841758]  </TASK>
[   10.841769] 
[   10.855927] Allocated by task 183:
[   10.856328]  kasan_save_stack+0x45/0x70
[   10.856488]  kasan_save_track+0x18/0x40
[   10.857004]  kasan_save_alloc_info+0x3b/0x50
[   10.857414]  __kasan_kmalloc+0xb7/0xc0
[   10.857550]  __kmalloc_cache_noprof+0x189/0x420
[   10.857700]  krealloc_uaf+0xbb/0x5e0
[   10.858398]  kunit_try_run_case+0x1a5/0x480
[   10.858950]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   10.859635]  kthread+0x337/0x6f0
[   10.860101]  ret_from_fork+0x41/0x80
[   10.860239]  ret_from_fork_asm+0x1a/0x30
[   10.860381] 
[   10.860450] Freed by task 183:
[   10.860557]  kasan_save_stack+0x45/0x70
[   10.860688]  kasan_save_track+0x18/0x40
[   10.861469]  kasan_save_free_info+0x3f/0x60
[   10.862029]  __kasan_slab_free+0x56/0x70
[   10.862508]  kfree+0x222/0x3f0
[   10.862969]  krealloc_uaf+0x13d/0x5e0
[   10.863458]  kunit_try_run_case+0x1a5/0x480
[   10.864009]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   10.864631]  kthread+0x337/0x6f0
[   10.864984]  ret_from_fork+0x41/0x80
[   10.865117]  ret_from_fork_asm+0x1a/0x30
[   10.865251] 
[   10.865321] The buggy address belongs to the object at ffff8881009a2e00
[   10.865321]  which belongs to the cache kmalloc-256 of size 256
[   10.865673] The buggy address is located 0 bytes inside of
[   10.865673]  freed 256-byte region [ffff8881009a2e00, ffff8881009a2f00)
[   10.866134] 
[   10.866288] The buggy address belongs to the physical page:
[   10.866503] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1009a2
[   10.866978] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   10.867412] flags: 0x200000000000040(head|node=0|zone=2)
[   10.867761] page_type: f5(slab)
[   10.867949] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   10.868320] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   10.868638] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   10.869094] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   10.869439] head: 0200000000000001 ffffea0004026881 00000000ffffffff 00000000ffffffff
[   10.869769] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   10.870506] page dumped because: kasan: bad access detected
[   10.871058] 
[   10.871254] Memory state around the buggy address:
[   10.871705]  ffff8881009a2d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.872262]  ffff8881009a2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.872746] >ffff8881009a2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   10.873126]                    ^
[   10.873306]  ffff8881009a2e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   10.873762]  ffff8881009a2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.874221] ==================================================================
[   10.798195] ==================================================================
[   10.798688] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   10.799357] Read of size 1 at addr ffff8881009a2e00 by task kunit_try_catch/183
[   10.799830] 
[   10.800102] CPU: 1 UID: 0 PID: 183 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT(voluntary) 
[   10.800154] Tainted: [B]=BAD_PAGE, [N]=TEST
[   10.800166] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   10.800187] Call Trace:
[   10.800199]  <TASK>
[   10.800218]  dump_stack_lvl+0x73/0xb0
[   10.800246]  print_report+0xd1/0x650
[   10.800273]  ? __virt_addr_valid+0x1db/0x2d0
[   10.800295]  ? krealloc_uaf+0x1b8/0x5e0
[   10.800312]  ? kasan_complete_mode_report_info+0x64/0x200
[   10.800334]  ? krealloc_uaf+0x1b8/0x5e0
[   10.800352]  kasan_report+0x141/0x180
[   10.800374]  ? krealloc_uaf+0x1b8/0x5e0
[   10.800394]  ? krealloc_uaf+0x1b8/0x5e0
[   10.800412]  __kasan_check_byte+0x3d/0x50
[   10.800435]  krealloc_noprof+0x3f/0x340
[   10.800459]  krealloc_uaf+0x1b8/0x5e0
[   10.800476]  ? __pfx_krealloc_uaf+0x10/0x10
[   10.800493]  ? finish_task_switch.isra.0+0x153/0x700
[   10.800517]  ? __switch_to+0x5d9/0xf60
[   10.800539]  ? dequeue_task_fair+0x166/0x4e0
[   10.800573]  ? __schedule+0x10cc/0x2b60
[   10.800596]  ? __pfx_read_tsc+0x10/0x10
[   10.800615]  ? ktime_get_ts64+0x86/0x230
[   10.800641]  kunit_try_run_case+0x1a5/0x480
[   10.800666]  ? __pfx_kunit_try_run_case+0x10/0x10
[   10.800688]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   10.800711]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   10.800734]  ? __kthread_parkme+0x82/0x180
[   10.800755]  ? preempt_count_sub+0x50/0x80
[   10.800779]  ? __pfx_kunit_try_run_case+0x10/0x10
[   10.800801]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   10.800824]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   10.800846]  kthread+0x337/0x6f0
[   10.800862]  ? trace_preempt_on+0x20/0xc0
[   10.800885]  ? __pfx_kthread+0x10/0x10
[   10.800904]  ? _raw_spin_unlock_irq+0x47/0x80
[   10.800936]  ? calculate_sigpending+0x7b/0xa0
[   10.800960]  ? __pfx_kthread+0x10/0x10
[   10.800978]  ret_from_fork+0x41/0x80
[   10.800998]  ? __pfx_kthread+0x10/0x10
[   10.801016]  ret_from_fork_asm+0x1a/0x30
[   10.801046]  </TASK>
[   10.801058] 
[   10.815246] Allocated by task 183:
[   10.815625]  kasan_save_stack+0x45/0x70
[   10.816080]  kasan_save_track+0x18/0x40
[   10.816444]  kasan_save_alloc_info+0x3b/0x50
[   10.816951]  __kasan_kmalloc+0xb7/0xc0
[   10.817265]  __kmalloc_cache_noprof+0x189/0x420
[   10.817517]  krealloc_uaf+0xbb/0x5e0
[   10.817656]  kunit_try_run_case+0x1a5/0x480
[   10.818127]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   10.818671]  kthread+0x337/0x6f0
[   10.818998]  ret_from_fork+0x41/0x80
[   10.819332]  ret_from_fork_asm+0x1a/0x30
[   10.819675] 
[   10.819845] Freed by task 183:
[   10.820084]  kasan_save_stack+0x45/0x70
[   10.820408]  kasan_save_track+0x18/0x40
[   10.820778]  kasan_save_free_info+0x3f/0x60
[   10.821071]  __kasan_slab_free+0x56/0x70
[   10.821447]  kfree+0x222/0x3f0
[   10.821726]  krealloc_uaf+0x13d/0x5e0
[   10.821884]  kunit_try_run_case+0x1a5/0x480
[   10.822179]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   10.822694]  kthread+0x337/0x6f0
[   10.823067]  ret_from_fork+0x41/0x80
[   10.823450]  ret_from_fork_asm+0x1a/0x30
[   10.823628] 
[   10.823812] The buggy address belongs to the object at ffff8881009a2e00
[   10.823812]  which belongs to the cache kmalloc-256 of size 256
[   10.824992] The buggy address is located 0 bytes inside of
[   10.824992]  freed 256-byte region [ffff8881009a2e00, ffff8881009a2f00)
[   10.825551] 
[   10.825727] The buggy address belongs to the physical page:
[   10.826293] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1009a2
[   10.827022] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   10.827799] flags: 0x200000000000040(head|node=0|zone=2)
[   10.828305] page_type: f5(slab)
[   10.828432] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   10.828843] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   10.829731] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   10.830642] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   10.831446] head: 0200000000000001 ffffea0004026881 00000000ffffffff 00000000ffffffff
[   10.832047] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   10.832618] page dumped because: kasan: bad access detected
[   10.833172] 
[   10.833329] Memory state around the buggy address:
[   10.833526]  ffff8881009a2d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.834114]  ffff8881009a2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.834889] >ffff8881009a2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   10.835478]                    ^
[   10.835609]  ffff8881009a2e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   10.836180]  ffff8881009a2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.836935] ==================================================================
Metadata Full log Test run details