Date
June 17, 2025, 3:39 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 92.412669] ================================================================== [ 92.414111] BUG: KASAN: slab-use-after-free in krealloc_uaf+0xe4/0x2c0 [ 92.415092] Read of size 1 at addr ffff0000c0b91a00 by task kunit_try_catch/143 [ 92.416343] [ 92.416820] CPU: 1 PID: 143 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1 [ 92.417935] Hardware name: linux,dummy-virt (DT) [ 92.418641] Call trace: [ 92.419046] dump_backtrace+0x9c/0x128 [ 92.419799] show_stack+0x20/0x38 [ 92.420573] dump_stack_lvl+0x60/0xb0 [ 92.421373] print_report+0xf8/0x5e8 [ 92.422195] kasan_report+0xdc/0x128 [ 92.422965] __kasan_check_byte+0x54/0x70 [ 92.423823] krealloc+0x48/0x1a0 [ 92.424590] krealloc_uaf+0xe4/0x2c0 [ 92.425351] kunit_try_run_case+0x114/0x298 [ 92.426163] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 92.427109] kthread+0x18c/0x1a8 [ 92.427779] ret_from_fork+0x10/0x20 [ 92.428544] [ 92.428937] Allocated by task 143: [ 92.429578] kasan_save_stack+0x3c/0x68 [ 92.430368] kasan_set_track+0x2c/0x40 [ 92.431122] kasan_save_alloc_info+0x24/0x38 [ 92.431890] __kasan_kmalloc+0xd4/0xd8 [ 92.432691] kmalloc_trace+0x68/0x130 [ 92.433460] krealloc_uaf+0xb0/0x2c0 [ 92.434221] kunit_try_run_case+0x114/0x298 [ 92.435056] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 92.436061] kthread+0x18c/0x1a8 [ 92.436786] ret_from_fork+0x10/0x20 [ 92.437506] [ 92.437927] Freed by task 143: [ 92.438519] kasan_save_stack+0x3c/0x68 [ 92.439263] kasan_set_track+0x2c/0x40 [ 92.440092] kasan_save_free_info+0x38/0x60 [ 92.440938] __kasan_slab_free+0x100/0x170 [ 92.441756] __kmem_cache_free+0x178/0x2c8 [ 92.442474] kfree+0x74/0x138 [ 92.443003] krealloc_uaf+0xcc/0x2c0 [ 92.443778] kunit_try_run_case+0x114/0x298 [ 92.445670] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 92.448298] kthread+0x18c/0x1a8 [ 92.448917] ret_from_fork+0x10/0x20 [ 92.449611] [ 92.449935] The buggy address belongs to the object at ffff0000c0b91a00 [ 92.449935] which belongs to the cache kmalloc-256 of size 256 [ 92.453541] The buggy address is located 0 bytes inside of [ 92.453541] freed 256-byte region [ffff0000c0b91a00, ffff0000c0b91b00) [ 92.455368] [ 92.456141] The buggy address belongs to the physical page: [ 92.457178] page:00000000c3af2b0d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100b90 [ 92.459125] head:00000000c3af2b0d order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 92.460385] flags: 0xbfffc0000000840(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 92.461597] page_type: 0xffffffff() [ 92.462434] raw: 0bfffc0000000840 ffff0000c0001b40 dead000000000122 0000000000000000 [ 92.463618] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 92.464777] page dumped because: kasan: bad access detected [ 92.465687] [ 92.466094] Memory state around the buggy address: [ 92.467033] ffff0000c0b91900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.468195] ffff0000c0b91980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.469334] >ffff0000c0b91a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 92.470384] ^ [ 92.471091] ffff0000c0b91a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 92.472282] ffff0000c0b91b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.473341] ================================================================== [ 92.477213] ================================================================== [ 92.478310] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x10c/0x2c0 [ 92.479418] Read of size 1 at addr ffff0000c0b91a00 by task kunit_try_catch/143 [ 92.480686] [ 92.481189] CPU: 1 PID: 143 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1 [ 92.482383] Hardware name: linux,dummy-virt (DT) [ 92.483168] Call trace: [ 92.483565] dump_backtrace+0x9c/0x128 [ 92.484223] show_stack+0x20/0x38 [ 92.484843] dump_stack_lvl+0x60/0xb0 [ 92.485674] print_report+0xf8/0x5e8 [ 92.486591] kasan_report+0xdc/0x128 [ 92.487324] __asan_load1+0x60/0x70 [ 92.488153] krealloc_uaf+0x10c/0x2c0 [ 92.488968] kunit_try_run_case+0x114/0x298 [ 92.489740] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 92.490756] kthread+0x18c/0x1a8 [ 92.491521] ret_from_fork+0x10/0x20 [ 92.492542] [ 92.492888] Allocated by task 143: [ 92.493362] kasan_save_stack+0x3c/0x68 [ 92.494705] kasan_set_track+0x2c/0x40 [ 92.495523] kasan_save_alloc_info+0x24/0x38 [ 92.496362] __kasan_kmalloc+0xd4/0xd8 [ 92.497219] kmalloc_trace+0x68/0x130 [ 92.497939] krealloc_uaf+0xb0/0x2c0 [ 92.498772] kunit_try_run_case+0x114/0x298 [ 92.500003] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 92.501175] kthread+0x18c/0x1a8 [ 92.502109] ret_from_fork+0x10/0x20 [ 92.502857] [ 92.503190] Freed by task 143: [ 92.503832] kasan_save_stack+0x3c/0x68 [ 92.504651] kasan_set_track+0x2c/0x40 [ 92.505461] kasan_save_free_info+0x38/0x60 [ 92.506239] __kasan_slab_free+0x100/0x170 [ 92.507146] __kmem_cache_free+0x178/0x2c8 [ 92.508186] kfree+0x74/0x138 [ 92.509216] krealloc_uaf+0xcc/0x2c0 [ 92.510046] kunit_try_run_case+0x114/0x298 [ 92.510882] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 92.511844] kthread+0x18c/0x1a8 [ 92.512547] ret_from_fork+0x10/0x20 [ 92.513320] [ 92.513677] The buggy address belongs to the object at ffff0000c0b91a00 [ 92.513677] which belongs to the cache kmalloc-256 of size 256 [ 92.515545] The buggy address is located 0 bytes inside of [ 92.515545] freed 256-byte region [ffff0000c0b91a00, ffff0000c0b91b00) [ 92.517116] [ 92.517553] The buggy address belongs to the physical page: [ 92.518367] page:00000000c3af2b0d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100b90 [ 92.520267] head:00000000c3af2b0d order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 92.521433] flags: 0xbfffc0000000840(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 92.522524] page_type: 0xffffffff() [ 92.523213] raw: 0bfffc0000000840 ffff0000c0001b40 dead000000000122 0000000000000000 [ 92.525219] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 92.526025] page dumped because: kasan: bad access detected [ 92.526575] [ 92.526975] Memory state around the buggy address: [ 92.527815] ffff0000c0b91900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.528894] ffff0000c0b91980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.529899] >ffff0000c0b91a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 92.531180] ^ [ 92.531728] ffff0000c0b91a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 92.532653] ffff0000c0b91b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.533795] ==================================================================
[ 33.767917] ================================================================== [ 33.769240] BUG: KASAN: slab-use-after-free in krealloc_uaf+0xf1/0x2e0 [ 33.769752] Read of size 1 at addr ffff888100366800 by task kunit_try_catch/158 [ 33.770366] [ 33.770587] CPU: 0 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1 [ 33.771115] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 33.771763] Call Trace: [ 33.771938] <TASK> [ 33.772129] dump_stack_lvl+0x4e/0x90 [ 33.772618] print_report+0xd2/0x650 [ 33.773070] ? __virt_addr_valid+0x156/0x1e0 [ 33.773349] ? krealloc_uaf+0xf1/0x2e0 [ 33.773674] ? kasan_complete_mode_report_info+0x64/0x200 [ 33.774079] ? krealloc_uaf+0xf1/0x2e0 [ 33.774420] kasan_report+0x147/0x180 [ 33.774804] ? krealloc_uaf+0xf1/0x2e0 [ 33.775079] ? krealloc_uaf+0xf1/0x2e0 [ 33.775441] __kasan_check_byte+0x3d/0x50 [ 33.775712] krealloc+0x35/0x140 [ 33.776050] krealloc_uaf+0xf1/0x2e0 [ 33.776293] ? __pfx_krealloc_uaf+0x10/0x10 [ 33.776661] ? finish_task_switch.isra.0+0xc8/0x3e0 [ 33.777171] ? __schedule+0x715/0x11a0 [ 33.777423] ? ktime_get_ts64+0x118/0x140 [ 33.778101] kunit_try_run_case+0x120/0x290 [ 33.778451] ? __pfx_kunit_try_run_case+0x10/0x10 [ 33.778794] ? __kasan_check_write+0x18/0x20 [ 33.779107] ? trace_preempt_on+0x20/0xa0 [ 33.779370] ? __kthread_parkme+0x4f/0xd0 [ 33.779752] ? preempt_count_sub+0x50/0x80 [ 33.780039] ? __pfx_kunit_try_run_case+0x10/0x10 [ 33.780445] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 33.780815] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 33.781258] kthread+0x19e/0x1e0 [ 33.781621] ? __pfx_kthread+0x10/0x10 [ 33.781915] ret_from_fork+0x41/0x70 [ 33.782188] ? __pfx_kthread+0x10/0x10 [ 33.782586] ret_from_fork_asm+0x1b/0x30 [ 33.782931] </TASK> [ 33.783085] [ 33.783215] Allocated by task 158: [ 33.783403] kasan_save_stack+0x44/0x70 [ 33.783823] kasan_set_track+0x29/0x40 [ 33.784061] kasan_save_alloc_info+0x22/0x30 [ 33.784421] __kasan_kmalloc+0xb7/0xc0 [ 33.784661] kmalloc_trace+0x4c/0xb0 [ 33.785000] krealloc_uaf+0xb0/0x2e0 [ 33.785208] kunit_try_run_case+0x120/0x290 [ 33.785564] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 33.785858] kthread+0x19e/0x1e0 [ 33.786134] ret_from_fork+0x41/0x70 [ 33.786365] ret_from_fork_asm+0x1b/0x30 [ 33.786724] [ 33.786916] Freed by task 158: [ 33.787110] kasan_save_stack+0x44/0x70 [ 33.787420] kasan_set_track+0x29/0x40 [ 33.787668] kasan_save_free_info+0x2f/0x50 [ 33.788141] ____kasan_slab_free+0x172/0x1d0 [ 33.788398] __kasan_slab_free+0x16/0x20 [ 33.788750] __kmem_cache_free+0x190/0x310 [ 33.789021] kfree+0x7c/0x120 [ 33.789245] krealloc_uaf+0xd0/0x2e0 [ 33.789610] kunit_try_run_case+0x120/0x290 [ 33.789957] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 33.790270] kthread+0x19e/0x1e0 [ 33.790645] ret_from_fork+0x41/0x70 [ 33.790916] ret_from_fork_asm+0x1b/0x30 [ 33.791202] [ 33.791326] The buggy address belongs to the object at ffff888100366800 [ 33.791326] which belongs to the cache kmalloc-256 of size 256 [ 33.792127] The buggy address is located 0 bytes inside of [ 33.792127] freed 256-byte region [ffff888100366800, ffff888100366900) [ 33.792844] [ 33.792964] The buggy address belongs to the physical page: [ 33.793297] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100366 [ 33.793803] head:(____ptrval____) order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 33.794515] flags: 0x200000000000840(slab|head|node=0|zone=2) [ 33.794955] page_type: 0xffffffff() [ 33.795211] raw: 0200000000000840 ffff888100041b40 dead000000000122 0000000000000000 [ 33.795700] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 33.796191] page dumped because: kasan: bad access detected [ 33.796564] [ 33.796702] Memory state around the buggy address: [ 33.796998] ffff888100366700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.797482] ffff888100366780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.797855] >ffff888100366800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.798299] ^ [ 33.798542] ffff888100366880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.799018] ffff888100366900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.799575] ================================================================== [ 33.800449] ================================================================== [ 33.800814] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x131/0x2e0 [ 33.801281] Read of size 1 at addr ffff888100366800 by task kunit_try_catch/158 [ 33.802030] [ 33.802173] CPU: 0 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1 [ 33.802691] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 33.803613] Call Trace: [ 33.803789] <TASK> [ 33.804064] dump_stack_lvl+0x4e/0x90 [ 33.804328] print_report+0xd2/0x650 [ 33.804667] ? __virt_addr_valid+0x156/0x1e0 [ 33.804981] ? krealloc_uaf+0x131/0x2e0 [ 33.805235] ? kasan_complete_mode_report_info+0x64/0x200 [ 33.805687] ? krealloc_uaf+0x131/0x2e0 [ 33.805959] kasan_report+0x147/0x180 [ 33.806232] ? krealloc_uaf+0x131/0x2e0 [ 33.806921] __asan_load1+0x66/0x70 [ 33.807197] krealloc_uaf+0x131/0x2e0 [ 33.807498] ? __pfx_krealloc_uaf+0x10/0x10 [ 33.807776] ? finish_task_switch.isra.0+0xc8/0x3e0 [ 33.808115] ? __schedule+0x715/0x11a0 [ 33.808356] ? ktime_get_ts64+0x118/0x140 [ 33.808612] kunit_try_run_case+0x120/0x290 [ 33.808953] ? __pfx_kunit_try_run_case+0x10/0x10 [ 33.809240] ? __kasan_check_write+0x18/0x20 [ 33.809539] ? trace_preempt_on+0x20/0xa0 [ 33.809799] ? __kthread_parkme+0x4f/0xd0 [ 33.810071] ? preempt_count_sub+0x50/0x80 [ 33.810361] ? __pfx_kunit_try_run_case+0x10/0x10 [ 33.810673] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 33.811029] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 33.811573] kthread+0x19e/0x1e0 [ 33.811883] ? __pfx_kthread+0x10/0x10 [ 33.812179] ret_from_fork+0x41/0x70 [ 33.812403] ? __pfx_kthread+0x10/0x10 [ 33.812839] ret_from_fork_asm+0x1b/0x30 [ 33.813191] </TASK> [ 33.813421] [ 33.813539] Allocated by task 158: [ 33.813761] kasan_save_stack+0x44/0x70 [ 33.814044] kasan_set_track+0x29/0x40 [ 33.814306] kasan_save_alloc_info+0x22/0x30 [ 33.814630] __kasan_kmalloc+0xb7/0xc0 [ 33.814930] kmalloc_trace+0x4c/0xb0 [ 33.815195] krealloc_uaf+0xb0/0x2e0 [ 33.815502] kunit_try_run_case+0x120/0x290 [ 33.816154] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 33.816542] kthread+0x19e/0x1e0 [ 33.816736] ret_from_fork+0x41/0x70 [ 33.817061] ret_from_fork_asm+0x1b/0x30 [ 33.817411] [ 33.817553] Freed by task 158: [ 33.817756] kasan_save_stack+0x44/0x70 [ 33.817985] kasan_set_track+0x29/0x40 [ 33.818254] kasan_save_free_info+0x2f/0x50 [ 33.818706] ____kasan_slab_free+0x172/0x1d0 [ 33.819003] __kasan_slab_free+0x16/0x20 [ 33.819259] __kmem_cache_free+0x190/0x310 [ 33.819550] kfree+0x7c/0x120 [ 33.819834] krealloc_uaf+0xd0/0x2e0 [ 33.820108] kunit_try_run_case+0x120/0x290 [ 33.820738] kunit_generic_run_threadfn_adapter+0x33/0x50 [ 33.821137] kthread+0x19e/0x1e0 [ 33.821435] ret_from_fork+0x41/0x70 [ 33.821684] ret_from_fork_asm+0x1b/0x30 [ 33.822045] [ 33.822160] The buggy address belongs to the object at ffff888100366800 [ 33.822160] which belongs to the cache kmalloc-256 of size 256 [ 33.822878] The buggy address is located 0 bytes inside of [ 33.822878] freed 256-byte region [ffff888100366800, ffff888100366900) [ 33.823713] [ 33.823874] The buggy address belongs to the physical page: [ 33.824198] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100366 [ 33.824812] head:(____ptrval____) order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 33.825381] flags: 0x200000000000840(slab|head|node=0|zone=2) [ 33.826467] page_type: 0xffffffff() [ 33.826721] raw: 0200000000000840 ffff888100041b40 dead000000000122 0000000000000000 [ 33.827191] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 33.827663] page dumped because: kasan: bad access detected [ 33.828023] [ 33.828143] Memory state around the buggy address: [ 33.828526] ffff888100366700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.828922] ffff888100366780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.829313] >ffff888100366800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.829793] ^ [ 33.830075] ffff888100366880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.830920] ffff888100366900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.831294] ==================================================================