Hay
Date: July 4, 2025, 3:11 p.m.

Environment: e850-96, qemu-arm64, qemu-x86_64, x86

[   23.750901] ==================================================================
[   23.760905] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   23.767500] Read of size 1 at addr ffff000803bc6600 by task kunit_try_catch/213
[   23.774790] 
[   23.776276] CPU: 2 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT 
[   23.776331] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.776348] Hardware name: WinLink E850-96 board (DT)
[   23.776368] Call trace:
[   23.776383]  show_stack+0x20/0x38 (C)
[   23.776414]  dump_stack_lvl+0x8c/0xd0
[   23.776452]  print_report+0x118/0x608
[   23.776481]  kasan_report+0xdc/0x128
[   23.776511]  __kasan_check_byte+0x54/0x70
[   23.776539]  krealloc_noprof+0x44/0x360
[   23.776570]  krealloc_uaf+0x180/0x520
[   23.776595]  kunit_try_run_case+0x170/0x3f0
[   23.776632]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.776668]  kthread+0x328/0x630
[   23.776701]  ret_from_fork+0x10/0x20
[   23.776732] 
[   23.841629] Allocated by task 213:
[   23.845017]  kasan_save_stack+0x3c/0x68
[   23.848832]  kasan_save_track+0x20/0x40
[   23.852652]  kasan_save_alloc_info+0x40/0x58
[   23.856906]  __kasan_kmalloc+0xd4/0xd8
[   23.860638]  __kmalloc_cache_noprof+0x16c/0x3c0
[   23.865152]  krealloc_uaf+0xc8/0x520
[   23.868711]  kunit_try_run_case+0x170/0x3f0
[   23.872878]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.878346]  kthread+0x328/0x630
[   23.881558]  ret_from_fork+0x10/0x20
[   23.885117] 
[   23.886594] Freed by task 213:
[   23.889632]  kasan_save_stack+0x3c/0x68
[   23.893450]  kasan_save_track+0x20/0x40
[   23.897269]  kasan_save_free_info+0x4c/0x78
[   23.901436]  __kasan_slab_free+0x6c/0x98
[   23.905342]  kfree+0x214/0x3c8
[   23.908380]  krealloc_uaf+0x12c/0x520
[   23.912026]  kunit_try_run_case+0x170/0x3f0
[   23.916193]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.921663]  kthread+0x328/0x630
[   23.924873]  ret_from_fork+0x10/0x20
[   23.928432] 
[   23.929910] The buggy address belongs to the object at ffff000803bc6600
[   23.929910]  which belongs to the cache kmalloc-256 of size 256
[   23.942411] The buggy address is located 0 bytes inside of
[   23.942411]  freed 256-byte region [ffff000803bc6600, ffff000803bc6700)
[   23.954473] 
[   23.955953] The buggy address belongs to the physical page:
[   23.961508] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883bc4
[   23.969493] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   23.977131] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   23.984075] page_type: f5(slab)
[   23.987212] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   23.994931] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   24.002657] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   24.010469] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   24.018282] head: 0bfffe0000000002 fffffdffe00ef101 00000000ffffffff 00000000ffffffff
[   24.026094] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   24.033899] page dumped because: kasan: bad access detected
[   24.039454] 
[   24.040930] Memory state around the buggy address:
[   24.045714]  ffff000803bc6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.052913]  ffff000803bc6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.060120] >ffff000803bc6600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.067319]                    ^
[   24.070534]  ffff000803bc6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.077739]  ffff000803bc6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.084942] ==================================================================
[   24.092356] ==================================================================
[   24.099355] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   24.105947] Read of size 1 at addr ffff000803bc6600 by task kunit_try_catch/213
[   24.113239] 
[   24.114725] CPU: 2 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT 
[   24.114773] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.114790] Hardware name: WinLink E850-96 board (DT)
[   24.114810] Call trace:
[   24.114823]  show_stack+0x20/0x38 (C)
[   24.114855]  dump_stack_lvl+0x8c/0xd0
[   24.114890]  print_report+0x118/0x608
[   24.114919]  kasan_report+0xdc/0x128
[   24.114949]  __asan_report_load1_noabort+0x20/0x30
[   24.114979]  krealloc_uaf+0x4c8/0x520
[   24.115003]  kunit_try_run_case+0x170/0x3f0
[   24.115037]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   24.115073]  kthread+0x328/0x630
[   24.115105]  ret_from_fork+0x10/0x20
[   24.115139] 
[   24.177039] Allocated by task 213:
[   24.180428]  kasan_save_stack+0x3c/0x68
[   24.184244]  kasan_save_track+0x20/0x40
[   24.188064]  kasan_save_alloc_info+0x40/0x58
[   24.192317]  __kasan_kmalloc+0xd4/0xd8
[   24.196050]  __kmalloc_cache_noprof+0x16c/0x3c0
[   24.200563]  krealloc_uaf+0xc8/0x520
[   24.204122]  kunit_try_run_case+0x170/0x3f0
[   24.208289]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   24.213758]  kthread+0x328/0x630
[   24.216970]  ret_from_fork+0x10/0x20
[   24.220528] 
[   24.222004] Freed by task 213:
[   24.225044]  kasan_save_stack+0x3c/0x68
[   24.228862]  kasan_save_track+0x20/0x40
[   24.232681]  kasan_save_free_info+0x4c/0x78
[   24.236848]  __kasan_slab_free+0x6c/0x98
[   24.240754]  kfree+0x214/0x3c8
[   24.243792]  krealloc_uaf+0x12c/0x520
[   24.247438]  kunit_try_run_case+0x170/0x3f0
[   24.251604]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   24.257073]  kthread+0x328/0x630
[   24.260285]  ret_from_fork+0x10/0x20
[   24.263844] 
[   24.265319] The buggy address belongs to the object at ffff000803bc6600
[   24.265319]  which belongs to the cache kmalloc-256 of size 256
[   24.277820] The buggy address is located 0 bytes inside of
[   24.277820]  freed 256-byte region [ffff000803bc6600, ffff000803bc6700)
[   24.289885] 
[   24.291364] The buggy address belongs to the physical page:
[   24.296919] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883bc4
[   24.304904] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.312542] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   24.319487] page_type: f5(slab)
[   24.322620] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   24.330343] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   24.338069] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   24.345880] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   24.353694] head: 0bfffe0000000002 fffffdffe00ef101 00000000ffffffff 00000000ffffffff
[   24.361505] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   24.369311] page dumped because: kasan: bad access detected
[   24.374866] 
[   24.376342] Memory state around the buggy address:
[   24.381123]  ffff000803bc6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.388325]  ffff000803bc6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.395533] >ffff000803bc6600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.402731]                    ^
[   24.405947]  ffff000803bc6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.413151]  ffff000803bc6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.420353] ==================================================================

[   15.533690] ==================================================================
[   15.533736] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   15.533780] Read of size 1 at addr fff00000c0923000 by task kunit_try_catch/169
[   15.533828] 
[   15.533857] CPU: 0 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT 
[   15.534112] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.534262] Hardware name: linux,dummy-virt (DT)
[   15.534292] Call trace:
[   15.534579]  show_stack+0x20/0x38 (C)
[   15.534652]  dump_stack_lvl+0x8c/0xd0
[   15.534702]  print_report+0x118/0x608
[   15.535116]  kasan_report+0xdc/0x128
[   15.535302]  __asan_report_load1_noabort+0x20/0x30
[   15.535645]  krealloc_uaf+0x4c8/0x520
[   15.535760]  kunit_try_run_case+0x170/0x3f0
[   15.535806]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.535867]  kthread+0x328/0x630
[   15.536119]  ret_from_fork+0x10/0x20
[   15.536167] 
[   15.536185] Allocated by task 169:
[   15.536228]  kasan_save_stack+0x3c/0x68
[   15.536265]  kasan_save_track+0x20/0x40
[   15.536299]  kasan_save_alloc_info+0x40/0x58
[   15.536499]  __kasan_kmalloc+0xd4/0xd8
[   15.536543]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.536804]  krealloc_uaf+0xc8/0x520
[   15.536841]  kunit_try_run_case+0x170/0x3f0
[   15.536877]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.536919]  kthread+0x328/0x630
[   15.536953]  ret_from_fork+0x10/0x20
[   15.536986] 
[   15.537004] Freed by task 169:
[   15.537076]  kasan_save_stack+0x3c/0x68
[   15.537248]  kasan_save_track+0x20/0x40
[   15.537321]  kasan_save_free_info+0x4c/0x78
[   15.537384]  __kasan_slab_free+0x6c/0x98
[   15.537456]  kfree+0x214/0x3c8
[   15.537530]  krealloc_uaf+0x12c/0x520
[   15.537594]  kunit_try_run_case+0x170/0x3f0
[   15.537662]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.537704]  kthread+0x328/0x630
[   15.537737]  ret_from_fork+0x10/0x20
[   15.537771] 
[   15.537788] The buggy address belongs to the object at fff00000c0923000
[   15.537788]  which belongs to the cache kmalloc-256 of size 256
[   15.537887] The buggy address is located 0 bytes inside of
[   15.537887]  freed 256-byte region [fff00000c0923000, fff00000c0923100)
[   15.538149] 
[   15.538168] The buggy address belongs to the physical page:
[   15.538204] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100922
[   15.538345] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   15.538389] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   15.538437] page_type: f5(slab)
[   15.538479] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   15.538653] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.538700] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   15.538802] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.539235] head: 0bfffe0000000001 ffffc1ffc3024881 00000000ffffffff 00000000ffffffff
[   15.539337] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   15.539379] page dumped because: kasan: bad access detected
[   15.539409] 
[   15.539426] Memory state around the buggy address:
[   15.539457]  fff00000c0922f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.540138]  fff00000c0922f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.540199] >fff00000c0923000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.540235]                    ^
[   15.540262]  fff00000c0923080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.540303]  fff00000c0923100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.540338] ==================================================================
[   15.524873] ==================================================================
[   15.525256] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   15.525413] Read of size 1 at addr fff00000c0923000 by task kunit_try_catch/169
[   15.525460] 
[   15.525491] CPU: 0 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT 
[   15.525992] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.526020] Hardware name: linux,dummy-virt (DT)
[   15.526051] Call trace:
[   15.526239]  show_stack+0x20/0x38 (C)
[   15.526380]  dump_stack_lvl+0x8c/0xd0
[   15.526601]  print_report+0x118/0x608
[   15.526784]  kasan_report+0xdc/0x128
[   15.526827]  __kasan_check_byte+0x54/0x70
[   15.526870]  krealloc_noprof+0x44/0x360
[   15.526916]  krealloc_uaf+0x180/0x520
[   15.526956]  kunit_try_run_case+0x170/0x3f0
[   15.527002]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.527053]  kthread+0x328/0x630
[   15.527095]  ret_from_fork+0x10/0x20
[   15.527139] 
[   15.527157] Allocated by task 169:
[   15.527185]  kasan_save_stack+0x3c/0x68
[   15.527222]  kasan_save_track+0x20/0x40
[   15.527257]  kasan_save_alloc_info+0x40/0x58
[   15.527294]  __kasan_kmalloc+0xd4/0xd8
[   15.527328]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.527373]  krealloc_uaf+0xc8/0x520
[   15.527408]  kunit_try_run_case+0x170/0x3f0
[   15.527684]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.528091]  kthread+0x328/0x630
[   15.528352]  ret_from_fork+0x10/0x20
[   15.528388] 
[   15.528425] Freed by task 169:
[   15.528462]  kasan_save_stack+0x3c/0x68
[   15.528498]  kasan_save_track+0x20/0x40
[   15.528977]  kasan_save_free_info+0x4c/0x78
[   15.529025]  __kasan_slab_free+0x6c/0x98
[   15.529061]  kfree+0x214/0x3c8
[   15.529361]  krealloc_uaf+0x12c/0x520
[   15.529493]  kunit_try_run_case+0x170/0x3f0
[   15.529531]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.529818]  kthread+0x328/0x630
[   15.529947]  ret_from_fork+0x10/0x20
[   15.530438] 
[   15.530481] The buggy address belongs to the object at fff00000c0923000
[   15.530481]  which belongs to the cache kmalloc-256 of size 256
[   15.530648] The buggy address is located 0 bytes inside of
[   15.530648]  freed 256-byte region [fff00000c0923000, fff00000c0923100)
[   15.530860] 
[   15.531031] The buggy address belongs to the physical page:
[   15.531145] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100922
[   15.531240] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   15.531373] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   15.531421] page_type: f5(slab)
[   15.531474] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   15.531521] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.531567] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   15.531672] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.531882] head: 0bfffe0000000001 ffffc1ffc3024881 00000000ffffffff 00000000ffffffff
[   15.531941] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   15.532021] page dumped because: kasan: bad access detected
[   15.532050] 
[   15.532067] Memory state around the buggy address:
[   15.532098]  fff00000c0922f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.532280]  fff00000c0922f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.532410] >fff00000c0923000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.532446]                    ^
[   15.532474]  fff00000c0923080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.532872]  fff00000c0923100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.532965] ==================================================================

[   14.161865] ==================================================================
[   14.162737] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   14.164125] Read of size 1 at addr ffff88810034f400 by task kunit_try_catch/185
[   14.164675] 
[   14.164815] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT(voluntary) 
[   14.164877] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.164891] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.164915] Call Trace:
[   14.164932]  <TASK>
[   14.164960]  dump_stack_lvl+0x73/0xb0
[   14.164998]  print_report+0xd1/0x650
[   14.165043]  ? __virt_addr_valid+0x1db/0x2d0
[   14.165075]  ? krealloc_uaf+0x53c/0x5e0
[   14.165107]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.165145]  ? krealloc_uaf+0x53c/0x5e0
[   14.165178]  kasan_report+0x141/0x180
[   14.165221]  ? krealloc_uaf+0x53c/0x5e0
[   14.165269]  __asan_report_load1_noabort+0x18/0x20
[   14.165311]  krealloc_uaf+0x53c/0x5e0
[   14.165367]  ? __pfx_krealloc_uaf+0x10/0x10
[   14.165448]  ? finish_task_switch.isra.0+0x153/0x700
[   14.165497]  ? __switch_to+0x5d9/0xf60
[   14.165533]  ? dequeue_task_fair+0x166/0x4e0
[   14.165574]  ? __schedule+0x10cc/0x2b60
[   14.165618]  ? __pfx_read_tsc+0x10/0x10
[   14.165655]  ? ktime_get_ts64+0x86/0x230
[   14.165697]  kunit_try_run_case+0x1a5/0x480
[   14.165746]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.165789]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.165840]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.165891]  ? __kthread_parkme+0x82/0x180
[   14.165940]  ? preempt_count_sub+0x50/0x80
[   14.165978]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.166004]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.166030]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.166056]  kthread+0x337/0x6f0
[   14.166080]  ? trace_preempt_on+0x20/0xc0
[   14.166112]  ? __pfx_kthread+0x10/0x10
[   14.166132]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.166156]  ? calculate_sigpending+0x7b/0xa0
[   14.166180]  ? __pfx_kthread+0x10/0x10
[   14.166201]  ret_from_fork+0x41/0x80
[   14.166236]  ? __pfx_kthread+0x10/0x10
[   14.166267]  ret_from_fork_asm+0x1a/0x30
[   14.166322]  </TASK>
[   14.166355] 
[   14.180625] Allocated by task 185:
[   14.181033]  kasan_save_stack+0x45/0x70
[   14.181626]  kasan_save_track+0x18/0x40
[   14.182628]  kasan_save_alloc_info+0x3b/0x50
[   14.183070]  __kasan_kmalloc+0xb7/0xc0
[   14.183269]  __kmalloc_cache_noprof+0x189/0x420
[   14.183494]  krealloc_uaf+0xbb/0x5e0
[   14.184013]  kunit_try_run_case+0x1a5/0x480
[   14.184559]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.184860]  kthread+0x337/0x6f0
[   14.185192]  ret_from_fork+0x41/0x80
[   14.185941]  ret_from_fork_asm+0x1a/0x30
[   14.186361] 
[   14.186571] Freed by task 185:
[   14.186798]  kasan_save_stack+0x45/0x70
[   14.187107]  kasan_save_track+0x18/0x40
[   14.187670]  kasan_save_free_info+0x3f/0x60
[   14.187978]  __kasan_slab_free+0x56/0x70
[   14.188170]  kfree+0x222/0x3f0
[   14.188348]  krealloc_uaf+0x13d/0x5e0
[   14.188661]  kunit_try_run_case+0x1a5/0x480
[   14.189062]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.190107]  kthread+0x337/0x6f0
[   14.190944]  ret_from_fork+0x41/0x80
[   14.191512]  ret_from_fork_asm+0x1a/0x30
[   14.191773] 
[   14.191973] The buggy address belongs to the object at ffff88810034f400
[   14.191973]  which belongs to the cache kmalloc-256 of size 256
[   14.192754] The buggy address is located 0 bytes inside of
[   14.192754]  freed 256-byte region [ffff88810034f400, ffff88810034f500)
[   14.193435] 
[   14.193871] The buggy address belongs to the physical page:
[   14.194532] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10034e
[   14.194959] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   14.195518] flags: 0x200000000000040(head|node=0|zone=2)
[   14.195940] page_type: f5(slab)
[   14.196253] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   14.197040] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.197684] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   14.198516] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.199510] head: 0200000000000001 ffffea000400d381 00000000ffffffff 00000000ffffffff
[   14.199794] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   14.200521] page dumped because: kasan: bad access detected
[   14.200974] 
[   14.201072] Memory state around the buggy address:
[   14.201198]  ffff88810034f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.201845]  ffff88810034f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.202659] >ffff88810034f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.203167]                    ^
[   14.203980]  ffff88810034f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.204482]  ffff88810034f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.204913] ==================================================================
[   14.117997] ==================================================================
[   14.119261] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   14.119584] Read of size 1 at addr ffff88810034f400 by task kunit_try_catch/185
[   14.120111] 
[   14.121164] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT(voluntary) 
[   14.121294] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.121321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.121378] Call Trace:
[   14.121407]  <TASK>
[   14.121443]  dump_stack_lvl+0x73/0xb0
[   14.121484]  print_report+0xd1/0x650
[   14.121512]  ? __virt_addr_valid+0x1db/0x2d0
[   14.121540]  ? krealloc_uaf+0x1b8/0x5e0
[   14.121560]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.121585]  ? krealloc_uaf+0x1b8/0x5e0
[   14.121605]  kasan_report+0x141/0x180
[   14.121629]  ? krealloc_uaf+0x1b8/0x5e0
[   14.121652]  ? krealloc_uaf+0x1b8/0x5e0
[   14.121672]  __kasan_check_byte+0x3d/0x50
[   14.121697]  krealloc_noprof+0x3f/0x340
[   14.121725]  krealloc_uaf+0x1b8/0x5e0
[   14.121745]  ? __pfx_krealloc_uaf+0x10/0x10
[   14.121764]  ? finish_task_switch.isra.0+0x153/0x700
[   14.121791]  ? __switch_to+0x5d9/0xf60
[   14.121815]  ? dequeue_task_fair+0x166/0x4e0
[   14.121841]  ? __schedule+0x10cc/0x2b60
[   14.121867]  ? __pfx_read_tsc+0x10/0x10
[   14.121889]  ? ktime_get_ts64+0x86/0x230
[   14.121918]  kunit_try_run_case+0x1a5/0x480
[   14.121947]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.121971]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.121999]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.122024]  ? __kthread_parkme+0x82/0x180
[   14.122050]  ? preempt_count_sub+0x50/0x80
[   14.122076]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.122102]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.122127]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.122152]  kthread+0x337/0x6f0
[   14.122170]  ? trace_preempt_on+0x20/0xc0
[   14.122197]  ? __pfx_kthread+0x10/0x10
[   14.122217]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.122241]  ? calculate_sigpending+0x7b/0xa0
[   14.122362]  ? __pfx_kthread+0x10/0x10
[   14.122400]  ret_from_fork+0x41/0x80
[   14.122427]  ? __pfx_kthread+0x10/0x10
[   14.122448]  ret_from_fork_asm+0x1a/0x30
[   14.122484]  </TASK>
[   14.122496] 
[   14.137441] Allocated by task 185:
[   14.137797]  kasan_save_stack+0x45/0x70
[   14.138382]  kasan_save_track+0x18/0x40
[   14.138946]  kasan_save_alloc_info+0x3b/0x50
[   14.139475]  __kasan_kmalloc+0xb7/0xc0
[   14.139871]  __kmalloc_cache_noprof+0x189/0x420
[   14.140432]  krealloc_uaf+0xbb/0x5e0
[   14.140617]  kunit_try_run_case+0x1a5/0x480
[   14.140984]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.141696]  kthread+0x337/0x6f0
[   14.141898]  ret_from_fork+0x41/0x80
[   14.142211]  ret_from_fork_asm+0x1a/0x30
[   14.142888] 
[   14.143302] Freed by task 185:
[   14.143595]  kasan_save_stack+0x45/0x70
[   14.143982]  kasan_save_track+0x18/0x40
[   14.144331]  kasan_save_free_info+0x3f/0x60
[   14.144484]  __kasan_slab_free+0x56/0x70
[   14.144583]  kfree+0x222/0x3f0
[   14.144665]  krealloc_uaf+0x13d/0x5e0
[   14.144752]  kunit_try_run_case+0x1a5/0x480
[   14.144851]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.144963]  kthread+0x337/0x6f0
[   14.145061]  ret_from_fork+0x41/0x80
[   14.145644]  ret_from_fork_asm+0x1a/0x30
[   14.146184] 
[   14.146416] The buggy address belongs to the object at ffff88810034f400
[   14.146416]  which belongs to the cache kmalloc-256 of size 256
[   14.148026] The buggy address is located 0 bytes inside of
[   14.148026]  freed 256-byte region [ffff88810034f400, ffff88810034f500)
[   14.148816] 
[   14.149382] The buggy address belongs to the physical page:
[   14.149811] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10034e
[   14.150624] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   14.151606] flags: 0x200000000000040(head|node=0|zone=2)
[   14.152010] page_type: f5(slab)
[   14.152431] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   14.153007] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.153816] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   14.154374] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.154893] head: 0200000000000001 ffffea000400d381 00000000ffffffff 00000000ffffffff
[   14.155256] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   14.155521] page dumped because: kasan: bad access detected
[   14.155985] 
[   14.156153] Memory state around the buggy address:
[   14.157095]  ffff88810034f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.157633]  ffff88810034f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.157908] >ffff88810034f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.158891]                    ^
[   14.159115]  ffff88810034f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.159364]  ffff88810034f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.160243] ==================================================================

[   27.240527] ==================================================================
[   27.252157] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   27.258777] Read of size 1 at addr ffff8881041c0000 by task kunit_try_catch/207
[   27.266084] 
[   27.267585] CPU: 0 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT(voluntary) 
[   27.267593] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.267595] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   27.267599] Call Trace:
[   27.267601]  <TASK>
[   27.267602]  dump_stack_lvl+0x73/0xb0
[   27.267606]  print_report+0xd1/0x650
[   27.267611]  ? __virt_addr_valid+0x1db/0x2d0
[   27.267615]  ? krealloc_uaf+0x1b8/0x5e0
[   27.267618]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.267622]  ? krealloc_uaf+0x1b8/0x5e0
[   27.267625]  kasan_report+0x141/0x180
[   27.267630]  ? krealloc_uaf+0x1b8/0x5e0
[   27.267633]  ? krealloc_uaf+0x1b8/0x5e0
[   27.267636]  __kasan_check_byte+0x3d/0x50
[   27.267641]  krealloc_noprof+0x3f/0x340
[   27.267645]  krealloc_uaf+0x1b8/0x5e0
[   27.267648]  ? __pfx_krealloc_uaf+0x10/0x10
[   27.267651]  ? finish_task_switch.isra.0+0x153/0x700
[   27.267656]  ? __switch_to+0x5d9/0xf60
[   27.267660]  ? dequeue_task_fair+0x166/0x4e0
[   27.267664]  ? __schedule+0x10cc/0x2b60
[   27.267669]  ? ktime_get_ts64+0x83/0x230
[   27.267673]  kunit_try_run_case+0x1a2/0x480
[   27.267678]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.267683]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   27.267687]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.267692]  ? __kthread_parkme+0x82/0x180
[   27.267696]  ? preempt_count_sub+0x50/0x80
[   27.267700]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.267705]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.267710]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.267714]  kthread+0x334/0x6f0
[   27.267717]  ? trace_preempt_on+0x20/0xc0
[   27.267721]  ? __pfx_kthread+0x10/0x10
[   27.267724]  ? _raw_spin_unlock_irq+0x47/0x80
[   27.267729]  ? calculate_sigpending+0x7b/0xa0
[   27.267732]  ? __pfx_kthread+0x10/0x10
[   27.267736]  ret_from_fork+0x3e/0x80
[   27.267740]  ? __pfx_kthread+0x10/0x10
[   27.267743]  ret_from_fork_asm+0x1a/0x30
[   27.267748]  </TASK>
[   27.267750] 
[   27.448327] Allocated by task 207:
[   27.451732]  kasan_save_stack+0x45/0x70
[   27.455571]  kasan_save_track+0x18/0x40
[   27.459409]  kasan_save_alloc_info+0x3b/0x50
[   27.463682]  __kasan_kmalloc+0xb7/0xc0
[   27.467437]  __kmalloc_cache_noprof+0x189/0x420
[   27.471976]  krealloc_uaf+0xbb/0x5e0
[   27.475555]  kunit_try_run_case+0x1a2/0x480
[   27.479743]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.485142]  kthread+0x334/0x6f0
[   27.488373]  ret_from_fork+0x3e/0x80
[   27.491958]  ret_from_fork_asm+0x1a/0x30
[   27.495879] 
[   27.497379] Freed by task 207:
[   27.500437]  kasan_save_stack+0x45/0x70
[   27.504277]  kasan_save_track+0x18/0x40
[   27.508116]  kasan_save_free_info+0x3f/0x60
[   27.512302]  __kasan_slab_free+0x56/0x70
[   27.516227]  kfree+0x222/0x3f0
[   27.519288]  krealloc_uaf+0x13d/0x5e0
[   27.522964]  kunit_try_run_case+0x1a2/0x480
[   27.527157]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.532557]  kthread+0x334/0x6f0
[   27.535791]  ret_from_fork+0x3e/0x80
[   27.539378]  ret_from_fork_asm+0x1a/0x30
[   27.543305] 
[   27.544804] The buggy address belongs to the object at ffff8881041c0000
[   27.544804]  which belongs to the cache kmalloc-256 of size 256
[   27.557316] The buggy address is located 0 bytes inside of
[   27.557316]  freed 256-byte region [ffff8881041c0000, ffff8881041c0100)
[   27.569398] 
[   27.570914] The buggy address belongs to the physical page:
[   27.576515] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1041c0
[   27.584521] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   27.592174] flags: 0x200000000000040(head|node=0|zone=2)
[   27.597487] page_type: f5(slab)
[   27.600633] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   27.608372] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   27.616113] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   27.623971] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   27.631799] head: 0200000000000001 ffffea0004107001 00000000ffffffff 00000000ffffffff
[   27.639625] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   27.647450] page dumped because: kasan: bad access detected
[   27.653022] 
[   27.654523] Memory state around the buggy address:
[   27.659315]  ffff8881041bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.666533]  ffff8881041bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.673755] >ffff8881041c0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.680982]                    ^
[   27.684213]  ffff8881041c0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.691434]  ffff8881041c0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.698651] ==================================================================
[   27.705909] ==================================================================
[   27.713161] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   27.719774] Read of size 1 at addr ffff8881041c0000 by task kunit_try_catch/207
[   27.727089] 
[   27.728588] CPU: 0 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.15.5-rc2 #1 PREEMPT(voluntary) 
[   27.728596] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.728598] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   27.728601] Call Trace:
[   27.728603]  <TASK>
[   27.728604]  dump_stack_lvl+0x73/0xb0
[   27.728608]  print_report+0xd1/0x650
[   27.728612]  ? __virt_addr_valid+0x1db/0x2d0
[   27.728616]  ? krealloc_uaf+0x53c/0x5e0
[   27.728619]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.728623]  ? krealloc_uaf+0x53c/0x5e0
[   27.728627]  kasan_report+0x141/0x180
[   27.728631]  ? krealloc_uaf+0x53c/0x5e0
[   27.728635]  __asan_report_load1_noabort+0x18/0x20
[   27.728639]  krealloc_uaf+0x53c/0x5e0
[   27.728642]  ? __pfx_krealloc_uaf+0x10/0x10
[   27.728645]  ? finish_task_switch.isra.0+0x153/0x700
[   27.728649]  ? __switch_to+0x5d9/0xf60
[   27.728653]  ? dequeue_task_fair+0x166/0x4e0
[   27.728657]  ? __schedule+0x10cc/0x2b60
[   27.728662]  ? ktime_get_ts64+0x83/0x230
[   27.728667]  kunit_try_run_case+0x1a2/0x480
[   27.728671]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.728676]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   27.728680]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.728685]  ? __kthread_parkme+0x82/0x180
[   27.728689]  ? preempt_count_sub+0x50/0x80
[   27.728693]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.728698]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.728702]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.728707]  kthread+0x334/0x6f0
[   27.728710]  ? trace_preempt_on+0x20/0xc0
[   27.728714]  ? __pfx_kthread+0x10/0x10
[   27.728717]  ? _raw_spin_unlock_irq+0x47/0x80
[   27.728721]  ? calculate_sigpending+0x7b/0xa0
[   27.728725]  ? __pfx_kthread+0x10/0x10
[   27.728728]  ret_from_fork+0x3e/0x80
[   27.728732]  ? __pfx_kthread+0x10/0x10
[   27.728735]  ret_from_fork_asm+0x1a/0x30
[   27.728741]  </TASK>
[   27.728742] 
[   27.902334] Allocated by task 207:
[   27.905743]  kasan_save_stack+0x45/0x70
[   27.909589]  kasan_save_track+0x18/0x40
[   27.913430]  kasan_save_alloc_info+0x3b/0x50
[   27.917703]  __kasan_kmalloc+0xb7/0xc0
[   27.921455]  __kmalloc_cache_noprof+0x189/0x420
[   27.925993]  krealloc_uaf+0xbb/0x5e0
[   27.929576]  kunit_try_run_case+0x1a2/0x480
[   27.933768]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.939170]  kthread+0x334/0x6f0
[   27.942401]  ret_from_fork+0x3e/0x80
[   27.945982]  ret_from_fork_asm+0x1a/0x30
[   27.949931] 
[   27.951449] Freed by task 207:
[   27.954509]  kasan_save_stack+0x45/0x70
[   27.958349]  kasan_save_track+0x18/0x40
[   27.962195]  kasan_save_free_info+0x3f/0x60
[   27.966381]  __kasan_slab_free+0x56/0x70
[   27.970309]  kfree+0x222/0x3f0
[   27.973368]  krealloc_uaf+0x13d/0x5e0
[   27.977032]  kunit_try_run_case+0x1a2/0x480
[   27.981219]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.986617]  kthread+0x334/0x6f0
[   27.989852]  ret_from_fork+0x3e/0x80
[   27.993430]  ret_from_fork_asm+0x1a/0x30
[   27.997357] 
[   27.998856] The buggy address belongs to the object at ffff8881041c0000
[   27.998856]  which belongs to the cache kmalloc-256 of size 256
[   28.011369] The buggy address is located 0 bytes inside of
[   28.011369]  freed 256-byte region [ffff8881041c0000, ffff8881041c0100)
[   28.023452] 
[   28.024961] The buggy address belongs to the physical page:
[   28.030533] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1041c0
[   28.038542] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   28.046203] flags: 0x200000000000040(head|node=0|zone=2)
[   28.051523] page_type: f5(slab)
[   28.054672] raw: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   28.062418] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.070167] head: 0200000000000040 ffff888100042b40 dead000000000122 0000000000000000
[   28.078001] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   28.085834] head: 0200000000000001 ffffea0004107001 00000000ffffffff 00000000ffffffff
[   28.093662] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   28.101495] page dumped because: kasan: bad access detected
[   28.107067] 
[   28.108568] Memory state around the buggy address:
[   28.113358]  ffff8881041bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.120579]  ffff8881041bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.127797] >ffff8881041c0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.135018]                    ^
[   28.138249]  ffff8881041c0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.145470]  ffff8881041c0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.152690] ==================================================================