Date | Environment
---|---
July 1, 2025, 3:08 p.m. | qemu-x86_64
```
[   11.528759] ==================================================================
[   11.529098] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   11.529389] Read of size 1 at addr ffff888100ab3600 by task kunit_try_catch/181
[   11.529901]
[   11.530047] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G    B   N  6.16.0-rc4 #1 PREEMPT(voluntary)
[   11.530092] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.530103] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.530123] Call Trace:
[   11.530143]  <TASK>
[   11.530161]  dump_stack_lvl+0x73/0xb0
[   11.530190]  print_report+0xd1/0x650
[   11.530212]  ? __virt_addr_valid+0x1db/0x2d0
[   11.530235]  ? krealloc_uaf+0x53c/0x5e0
[   11.530255]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.530275]  ? krealloc_uaf+0x53c/0x5e0
[   11.530295]  kasan_report+0x141/0x180
[   11.530316]  ? krealloc_uaf+0x53c/0x5e0
[   11.530340]  __asan_report_load1_noabort+0x18/0x20
[   11.530363]  krealloc_uaf+0x53c/0x5e0
[   11.530383]  ? __pfx_krealloc_uaf+0x10/0x10
[   11.530402]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   11.530430]  ? __pfx_krealloc_uaf+0x10/0x10
[   11.530454]  kunit_try_run_case+0x1a5/0x480
[   11.530477]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.530497]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.530520]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.530540]  ? __kthread_parkme+0x82/0x180
[   11.530559]  ? preempt_count_sub+0x50/0x80
[   11.530582]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.530603]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.530624]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.530645]  kthread+0x337/0x6f0
[   11.530663]  ? trace_preempt_on+0x20/0xc0
[   11.530686]  ? __pfx_kthread+0x10/0x10
[   11.530705]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.530725]  ? calculate_sigpending+0x7b/0xa0
[   11.530747]  ? __pfx_kthread+0x10/0x10
[   11.530767]  ret_from_fork+0x116/0x1d0
[   11.530785]  ? __pfx_kthread+0x10/0x10
[   11.530804]  ret_from_fork_asm+0x1a/0x30
[   11.530834]  </TASK>
[   11.530845]
[   11.538378] Allocated by task 181:
[   11.538550]  kasan_save_stack+0x45/0x70
[   11.539830]  kasan_save_track+0x18/0x40
[   11.539994]  kasan_save_alloc_info+0x3b/0x50
[   11.540164]  __kasan_kmalloc+0xb7/0xc0
[   11.540300]  __kmalloc_cache_noprof+0x189/0x420
[   11.540466]  krealloc_uaf+0xbb/0x5e0
[   11.540595]  kunit_try_run_case+0x1a5/0x480
[   11.540971]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.541239]  kthread+0x337/0x6f0
[   11.541392]  ret_from_fork+0x116/0x1d0
[   11.541567]  ret_from_fork_asm+0x1a/0x30
[   11.541817]
[   11.541912] Freed by task 181:
[   11.542063]  kasan_save_stack+0x45/0x70
[   11.542234]  kasan_save_track+0x18/0x40
[   11.542405]  kasan_save_free_info+0x3f/0x60
[   11.542550]  __kasan_slab_free+0x56/0x70
[   11.542761]  kfree+0x222/0x3f0
[   11.542934]  krealloc_uaf+0x13d/0x5e0
[   11.543135]  kunit_try_run_case+0x1a5/0x480
[   11.543342]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.543554]  kthread+0x337/0x6f0
[   11.543791]  ret_from_fork+0x116/0x1d0
[   11.543970]  ret_from_fork_asm+0x1a/0x30
[   11.544149]
[   11.544242] The buggy address belongs to the object at ffff888100ab3600
[   11.544242]  which belongs to the cache kmalloc-256 of size 256
[   11.545073] The buggy address is located 0 bytes inside of
[   11.545073]  freed 256-byte region [ffff888100ab3600, ffff888100ab3700)
[   11.545436]
[   11.545510] The buggy address belongs to the physical page:
[   11.545688] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100ab2
[   11.545936] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   11.546175] flags: 0x200000000000040(head|node=0|zone=2)
[   11.546438] page_type: f5(slab)
[   11.546607] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   11.547170] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.547517] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   11.547862] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.548201] head: 0200000000000001 ffffea000402ac81 00000000ffffffff 00000000ffffffff
[   11.548587] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   11.548938] page dumped because: kasan: bad access detected
[   11.549260]
[   11.550122] Memory state around the buggy address:
[   11.550328]  ffff888100ab3500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.550548]  ffff888100ab3580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.550771] >ffff888100ab3600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.550986]                    ^
[   11.551192]  ffff888100ab3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.552273]  ffff888100ab3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.552993] ==================================================================
[   11.497882] ==================================================================
[   11.498358] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   11.498644] Read of size 1 at addr ffff888100ab3600 by task kunit_try_catch/181
[   11.498957]
[   11.499093] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G    B   N  6.16.0-rc4 #1 PREEMPT(voluntary)
[   11.499138] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.499149] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.499169] Call Trace:
[   11.499181]  <TASK>
[   11.499198]  dump_stack_lvl+0x73/0xb0
[   11.499460]  print_report+0xd1/0x650
[   11.499483]  ? __virt_addr_valid+0x1db/0x2d0
[   11.499508]  ? krealloc_uaf+0x1b8/0x5e0
[   11.499527]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.499548]  ? krealloc_uaf+0x1b8/0x5e0
[   11.499568]  kasan_report+0x141/0x180
[   11.499588]  ? krealloc_uaf+0x1b8/0x5e0
[   11.499611]  ? krealloc_uaf+0x1b8/0x5e0
[   11.499631]  __kasan_check_byte+0x3d/0x50
[   11.499652]  krealloc_noprof+0x3f/0x340
[   11.499673]  krealloc_uaf+0x1b8/0x5e0
[   11.499693]  ? __pfx_krealloc_uaf+0x10/0x10
[   11.499713]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   11.499741]  ? __pfx_krealloc_uaf+0x10/0x10
[   11.499765]  kunit_try_run_case+0x1a5/0x480
[   11.499789]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.499810]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.499875]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.499899]  ? __kthread_parkme+0x82/0x180
[   11.499919]  ? preempt_count_sub+0x50/0x80
[   11.499941]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.499963]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.499985]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.500006]  kthread+0x337/0x6f0
[   11.500035]  ? trace_preempt_on+0x20/0xc0
[   11.500058]  ? __pfx_kthread+0x10/0x10
[   11.500077]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.500097]  ? calculate_sigpending+0x7b/0xa0
[   11.500119]  ? __pfx_kthread+0x10/0x10
[   11.500139]  ret_from_fork+0x116/0x1d0
[   11.500164]  ? __pfx_kthread+0x10/0x10
[   11.500183]  ret_from_fork_asm+0x1a/0x30
[   11.500213]  </TASK>
[   11.500225]
[   11.508335] Allocated by task 181:
[   11.508513]  kasan_save_stack+0x45/0x70
[   11.509131]  kasan_save_track+0x18/0x40
[   11.509351]  kasan_save_alloc_info+0x3b/0x50
[   11.509935]  __kasan_kmalloc+0xb7/0xc0
[   11.510193]  __kmalloc_cache_noprof+0x189/0x420
[   11.510405]  krealloc_uaf+0xbb/0x5e0
[   11.510851]  kunit_try_run_case+0x1a5/0x480
[   11.511246]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.511600]  kthread+0x337/0x6f0
[   11.511912]  ret_from_fork+0x116/0x1d0
[   11.512101]  ret_from_fork_asm+0x1a/0x30
[   11.512285]
[   11.512407] Freed by task 181:
[   11.512571]  kasan_save_stack+0x45/0x70
[   11.513064]  kasan_save_track+0x18/0x40
[   11.513475]  kasan_save_free_info+0x3f/0x60
[   11.513791]  __kasan_slab_free+0x56/0x70
[   11.514320]  kfree+0x222/0x3f0
[   11.514483]  krealloc_uaf+0x13d/0x5e0
[   11.514901]  kunit_try_run_case+0x1a5/0x480
[   11.515240]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.515629]  kthread+0x337/0x6f0
[   11.515990]  ret_from_fork+0x116/0x1d0
[   11.516181]  ret_from_fork_asm+0x1a/0x30
[   11.516383]
[   11.516478] The buggy address belongs to the object at ffff888100ab3600
[   11.516478]  which belongs to the cache kmalloc-256 of size 256
[   11.517613] The buggy address is located 0 bytes inside of
[   11.517613]  freed 256-byte region [ffff888100ab3600, ffff888100ab3700)
[   11.518388]
[   11.518633] The buggy address belongs to the physical page:
[   11.519097] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100ab2
[   11.519701] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   11.520214] flags: 0x200000000000040(head|node=0|zone=2)
[   11.520608] page_type: f5(slab)
[   11.520917] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   11.521257] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.521573] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   11.522190] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.522901] head: 0200000000000001 ffffea000402ac81 00000000ffffffff 00000000ffffffff
[   11.523358] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   11.524209] page dumped because: kasan: bad access detected
[   11.524589]
[   11.524948] Memory state around the buggy address:
[   11.525158]  ffff888100ab3500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.525456]  ffff888100ab3580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.526120] >ffff888100ab3600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.526581]                    ^
[   11.526903]  ffff888100ab3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.527422]  ffff888100ab3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.527943] ==================================================================
```