Date
July 18, 2025, 2:09 p.m.

| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 16.909021] ==================================================================
[ 16.909075] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 16.909190] Read of size 1 at addr fff00000c1bc4800 by task kunit_try_catch/164
[ 16.909290]
[ 16.909325] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.909885] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.910007] Hardware name: linux,dummy-virt (DT)
[ 16.910042] Call trace:
[ 16.910081]  show_stack+0x20/0x38 (C)
[ 16.910149]  dump_stack_lvl+0x8c/0xd0
[ 16.910201]  print_report+0x118/0x5d0
[ 16.910247]  kasan_report+0xdc/0x128
[ 16.910337]  __asan_report_load1_noabort+0x20/0x30
[ 16.910392]  krealloc_uaf+0x4c8/0x520
[ 16.910435]  kunit_try_run_case+0x170/0x3f0
[ 16.910480]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.910645]  kthread+0x328/0x630
[ 16.910921]  ret_from_fork+0x10/0x20
[ 16.911041]
[ 16.911103] Allocated by task 164:
[ 16.911173]  kasan_save_stack+0x3c/0x68
[ 16.911287]  kasan_save_track+0x20/0x40
[ 16.911509]  kasan_save_alloc_info+0x40/0x58
[ 16.911583]  __kasan_kmalloc+0xd4/0xd8
[ 16.911627]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.911664]  krealloc_uaf+0xc8/0x520
[ 16.911698]  kunit_try_run_case+0x170/0x3f0
[ 16.911958]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.912006]  kthread+0x328/0x630
[ 16.912087]  ret_from_fork+0x10/0x20
[ 16.912213]
[ 16.912282] Freed by task 164:
[ 16.912321]  kasan_save_stack+0x3c/0x68
[ 16.912366]  kasan_save_track+0x20/0x40
[ 16.912641]  kasan_save_free_info+0x4c/0x78
[ 16.912839]  __kasan_slab_free+0x6c/0x98
[ 16.912965]  kfree+0x214/0x3c8
[ 16.913095]  krealloc_uaf+0x12c/0x520
[ 16.913224]  kunit_try_run_case+0x170/0x3f0
[ 16.913302]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.913366]  kthread+0x328/0x630
[ 16.913404]  ret_from_fork+0x10/0x20
[ 16.913762]
[ 16.913877] The buggy address belongs to the object at fff00000c1bc4800
[ 16.913877]  which belongs to the cache kmalloc-256 of size 256
[ 16.913983] The buggy address is located 0 bytes inside of
[ 16.913983]  freed 256-byte region [fff00000c1bc4800, fff00000c1bc4900)
[ 16.914151]
[ 16.914240] The buggy address belongs to the physical page:
[ 16.914347] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bc4
[ 16.914443] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 16.914514] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 16.914906] page_type: f5(slab)
[ 16.914961] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.915047] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.915180] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.915325] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.915478] head: 0bfffe0000000001 ffffc1ffc306f101 00000000ffffffff 00000000ffffffff
[ 16.915565] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 16.915610] page dumped because: kasan: bad access detected
[ 16.915946]
[ 16.916083] Memory state around the buggy address:
[ 16.916218]  fff00000c1bc4700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.916284]  fff00000c1bc4780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.916450] >fff00000c1bc4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.916528]                    ^
[ 16.916616]  fff00000c1bc4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.916747]  fff00000c1bc4900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.916784] ==================================================================
[ 16.899755] ==================================================================
[ 16.900125] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 16.900323] Read of size 1 at addr fff00000c1bc4800 by task kunit_try_catch/164
[ 16.900507]
[ 16.900576] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.900774] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.900828] Hardware name: linux,dummy-virt (DT)
[ 16.901240] Call trace:
[ 16.901330]  show_stack+0x20/0x38 (C)
[ 16.901458]  dump_stack_lvl+0x8c/0xd0
[ 16.901528]  print_report+0x118/0x5d0
[ 16.901741]  kasan_report+0xdc/0x128
[ 16.901811]  __kasan_check_byte+0x54/0x70
[ 16.901929]  krealloc_noprof+0x44/0x360
[ 16.902035]  krealloc_uaf+0x180/0x520
[ 16.902192]  kunit_try_run_case+0x170/0x3f0
[ 16.902247]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.902483]  kthread+0x328/0x630
[ 16.902550]  ret_from_fork+0x10/0x20
[ 16.902686]
[ 16.902783] Allocated by task 164:
[ 16.902990]  kasan_save_stack+0x3c/0x68
[ 16.903051]  kasan_save_track+0x20/0x40
[ 16.903141]  kasan_save_alloc_info+0x40/0x58
[ 16.903208]  __kasan_kmalloc+0xd4/0xd8
[ 16.903245]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.903290]  krealloc_uaf+0xc8/0x520
[ 16.903387]  kunit_try_run_case+0x170/0x3f0
[ 16.903437]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.903479]  kthread+0x328/0x630
[ 16.903533]  ret_from_fork+0x10/0x20
[ 16.903569]
[ 16.903853] Freed by task 164:
[ 16.904029]  kasan_save_stack+0x3c/0x68
[ 16.904351]  kasan_save_track+0x20/0x40
[ 16.904472]  kasan_save_free_info+0x4c/0x78
[ 16.904606]  __kasan_slab_free+0x6c/0x98
[ 16.904825]  kfree+0x214/0x3c8
[ 16.904913]  krealloc_uaf+0x12c/0x520
[ 16.905050]  kunit_try_run_case+0x170/0x3f0
[ 16.905090]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.905383]  kthread+0x328/0x630
[ 16.905559]  ret_from_fork+0x10/0x20
[ 16.905704]
[ 16.905805] The buggy address belongs to the object at fff00000c1bc4800
[ 16.905805]  which belongs to the cache kmalloc-256 of size 256
[ 16.905958] The buggy address is located 0 bytes inside of
[ 16.905958]  freed 256-byte region [fff00000c1bc4800, fff00000c1bc4900)
[ 16.906043]
[ 16.906065] The buggy address belongs to the physical page:
[ 16.906099] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bc4
[ 16.906154] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 16.906226] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 16.906281] page_type: f5(slab)
[ 16.906324] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.906372] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.906419] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.906475] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.906522] head: 0bfffe0000000001 ffffc1ffc306f101 00000000ffffffff 00000000ffffffff
[ 16.906576] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 16.906615] page dumped because: kasan: bad access detected
[ 16.906656]
[ 16.906675] Memory state around the buggy address:
[ 16.906708]  fff00000c1bc4700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.906757]  fff00000c1bc4780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.906812] >fff00000c1bc4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.906877]                    ^
[ 16.906905]  fff00000c1bc4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.906953]  fff00000c1bc4900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.906998] ==================================================================
```
qemu-arm64:

```
[ 16.575080] ==================================================================
[ 16.575193] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 16.575246] Read of size 1 at addr fff00000c45d0000 by task kunit_try_catch/164
[ 16.575700]
[ 16.575751] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.575861] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.575898] Hardware name: linux,dummy-virt (DT)
[ 16.575929] Call trace:
[ 16.575953]  show_stack+0x20/0x38 (C)
[ 16.576013]  dump_stack_lvl+0x8c/0xd0
[ 16.576063]  print_report+0x118/0x5d0
[ 16.576111]  kasan_report+0xdc/0x128
[ 16.576161]  __kasan_check_byte+0x54/0x70
[ 16.576209]  krealloc_noprof+0x44/0x360
[ 16.576255]  krealloc_uaf+0x180/0x520
[ 16.576308]  kunit_try_run_case+0x170/0x3f0
[ 16.576375]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.576426]  kthread+0x328/0x630
[ 16.576467]  ret_from_fork+0x10/0x20
[ 16.576804]
[ 16.577619] Allocated by task 164:
[ 16.577682]  kasan_save_stack+0x3c/0x68
[ 16.578045]  kasan_save_track+0x20/0x40
[ 16.578119]  kasan_save_alloc_info+0x40/0x58
[ 16.578428]  __kasan_kmalloc+0xd4/0xd8
[ 16.578586]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.578902]  krealloc_uaf+0xc8/0x520
[ 16.578992]  kunit_try_run_case+0x170/0x3f0
[ 16.579090]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.579261]  kthread+0x328/0x630
[ 16.579376]  ret_from_fork+0x10/0x20
[ 16.579455]
[ 16.579551] Freed by task 164:
[ 16.580014]  kasan_save_stack+0x3c/0x68
[ 16.580095]  kasan_save_track+0x20/0x40
[ 16.580221]  kasan_save_free_info+0x4c/0x78
[ 16.580292]  __kasan_slab_free+0x6c/0x98
[ 16.580767]  kfree+0x214/0x3c8
[ 16.580992]  krealloc_uaf+0x12c/0x520
[ 16.581062]  kunit_try_run_case+0x170/0x3f0
[ 16.581260]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.581401]  kthread+0x328/0x630
[ 16.581438]  ret_from_fork+0x10/0x20
[ 16.581837]
[ 16.581909] The buggy address belongs to the object at fff00000c45d0000
[ 16.581909]  which belongs to the cache kmalloc-256 of size 256
[ 16.582011] The buggy address is located 0 bytes inside of
[ 16.582011]  freed 256-byte region [fff00000c45d0000, fff00000c45d0100)
[ 16.582378]
[ 16.582439] The buggy address belongs to the physical page:
[ 16.582484] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1045d0
[ 16.582673] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 16.582878] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 16.583005] page_type: f5(slab)
[ 16.583047] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.583404] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.583539] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.583598] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.583683] head: 0bfffe0000000001 ffffc1ffc3117401 00000000ffffffff 00000000ffffffff
[ 16.584048] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 16.584165] page dumped because: kasan: bad access detected
[ 16.584227]
[ 16.584246] Memory state around the buggy address:
[ 16.584613]  fff00000c45cff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.584696]  fff00000c45cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.584801] >fff00000c45d0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.584840]                    ^
[ 16.584885]  fff00000c45d0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.585196]  fff00000c45d0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.585272] ==================================================================
[ 16.588764] ==================================================================
[ 16.588819] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 16.588877] Read of size 1 at addr fff00000c45d0000 by task kunit_try_catch/164
[ 16.588924]
[ 16.588958] CPU: 1 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.589036] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.589062] Hardware name: linux,dummy-virt (DT)
[ 16.589363] Call trace:
[ 16.589415]  show_stack+0x20/0x38 (C)
[ 16.589491]  dump_stack_lvl+0x8c/0xd0
[ 16.589831]  print_report+0x118/0x5d0
[ 16.589913]  kasan_report+0xdc/0x128
[ 16.589982]  __asan_report_load1_noabort+0x20/0x30
[ 16.590062]  krealloc_uaf+0x4c8/0x520
[ 16.590124]  kunit_try_run_case+0x170/0x3f0
[ 16.590432]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.590529]  kthread+0x328/0x630
[ 16.590577]  ret_from_fork+0x10/0x20
[ 16.590645]
[ 16.590664] Allocated by task 164:
[ 16.590702]  kasan_save_stack+0x3c/0x68
[ 16.590742]  kasan_save_track+0x20/0x40
[ 16.590779]  kasan_save_alloc_info+0x40/0x58
[ 16.590817]  __kasan_kmalloc+0xd4/0xd8
[ 16.590853]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.590891]  krealloc_uaf+0xc8/0x520
[ 16.590935]  kunit_try_run_case+0x170/0x3f0
[ 16.590972]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.591013]  kthread+0x328/0x630
[ 16.591054]  ret_from_fork+0x10/0x20
[ 16.591099]
[ 16.591117] Freed by task 164:
[ 16.591152]  kasan_save_stack+0x3c/0x68
[ 16.591194]  kasan_save_track+0x20/0x40
[ 16.591229]  kasan_save_free_info+0x4c/0x78
[ 16.591276]  __kasan_slab_free+0x6c/0x98
[ 16.591313]  kfree+0x214/0x3c8
[ 16.591357]  krealloc_uaf+0x12c/0x520
[ 16.591400]  kunit_try_run_case+0x170/0x3f0
[ 16.591441]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.591493]  kthread+0x328/0x630
[ 16.591533]  ret_from_fork+0x10/0x20
[ 16.591573]
[ 16.591591] The buggy address belongs to the object at fff00000c45d0000
[ 16.591591]  which belongs to the cache kmalloc-256 of size 256
[ 16.591645] The buggy address is located 0 bytes inside of
[ 16.591645]  freed 256-byte region [fff00000c45d0000, fff00000c45d0100)
[ 16.591704]
[ 16.591722] The buggy address belongs to the physical page:
[ 16.591752] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1045d0
[ 16.591812] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 16.591858] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 16.591912] page_type: f5(slab)
[ 16.591960] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.592008] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.592055] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.592111] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.592165] head: 0bfffe0000000001 ffffc1ffc3117401 00000000ffffffff 00000000ffffffff
[ 16.592213] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 16.592250] page dumped because: kasan: bad access detected
[ 16.592290]
[ 16.592307] Memory state around the buggy address:
[ 16.592692]  fff00000c45cff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.592741]  fff00000c45cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.593106] >fff00000c45d0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.593485]                    ^
[ 16.593537]  fff00000c45d0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.593617]  fff00000c45d0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.593671] ==================================================================
```
qemu-arm64:

```
[ 16.577666] ==================================================================
[ 16.578590] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 16.578672] Read of size 1 at addr fff00000c17c7a00 by task kunit_try_catch/164
[ 16.579171]
[ 16.579320] CPU: 0 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.579447] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.579481] Hardware name: linux,dummy-virt (DT)
[ 16.579513] Call trace:
[ 16.579538]  show_stack+0x20/0x38 (C)
[ 16.579591]  dump_stack_lvl+0x8c/0xd0
[ 16.580119]  print_report+0x118/0x5d0
[ 16.580651]  kasan_report+0xdc/0x128
[ 16.580728]  __kasan_check_byte+0x54/0x70
[ 16.581006]  krealloc_noprof+0x44/0x360
[ 16.581066]  krealloc_uaf+0x180/0x520
[ 16.581123]  kunit_try_run_case+0x170/0x3f0
[ 16.581194]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.581256]  kthread+0x328/0x630
[ 16.581304]  ret_from_fork+0x10/0x20
[ 16.581360]
[ 16.581379] Allocated by task 164:
[ 16.581408]  kasan_save_stack+0x3c/0x68
[ 16.581449]  kasan_save_track+0x20/0x40
[ 16.581486]  kasan_save_alloc_info+0x40/0x58
[ 16.581526]  __kasan_kmalloc+0xd4/0xd8
[ 16.581571]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.581609]  krealloc_uaf+0xc8/0x520
[ 16.581642]  kunit_try_run_case+0x170/0x3f0
[ 16.581694]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.581769]  kthread+0x328/0x630
[ 16.581801]  ret_from_fork+0x10/0x20
[ 16.581845]
[ 16.582310] Freed by task 164:
[ 16.582618]  kasan_save_stack+0x3c/0x68
[ 16.582704]  kasan_save_track+0x20/0x40
[ 16.582809]  kasan_save_free_info+0x4c/0x78
[ 16.582854]  __kasan_slab_free+0x6c/0x98
[ 16.582893]  kfree+0x214/0x3c8
[ 16.583244]  krealloc_uaf+0x12c/0x520
[ 16.583691]  kunit_try_run_case+0x170/0x3f0
[ 16.583856]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.583915]  kthread+0x328/0x630
[ 16.583948]  ret_from_fork+0x10/0x20
[ 16.584388]
[ 16.584425] The buggy address belongs to the object at fff00000c17c7a00
[ 16.584425]  which belongs to the cache kmalloc-256 of size 256
[ 16.584940] The buggy address is located 0 bytes inside of
[ 16.584940]  freed 256-byte region [fff00000c17c7a00, fff00000c17c7b00)
[ 16.585018]
[ 16.585223] The buggy address belongs to the physical page:
[ 16.585435] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1017c6
[ 16.585510] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 16.585556] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 16.586022] page_type: f5(slab)
[ 16.586346] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.586677] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.586806] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.586855] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.587270] head: 0bfffe0000000001 ffffc1ffc305f181 00000000ffffffff 00000000ffffffff
[ 16.587451] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 16.587637] page dumped because: kasan: bad access detected
[ 16.587769]
[ 16.587848] Memory state around the buggy address:
[ 16.588104]  fff00000c17c7900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.588188]  fff00000c17c7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.588527] >fff00000c17c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.588893]                    ^
[ 16.588949]  fff00000c17c7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.589207]  fff00000c17c7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.589413] ==================================================================
[ 16.592875] ==================================================================
[ 16.593091] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 16.593235] Read of size 1 at addr fff00000c17c7a00 by task kunit_try_catch/164
[ 16.593336]
[ 16.593415] CPU: 0 UID: 0 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.593502] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.593734] Hardware name: linux,dummy-virt (DT)
[ 16.594004] Call trace:
[ 16.594178]  show_stack+0x20/0x38 (C)
[ 16.594433]  dump_stack_lvl+0x8c/0xd0
[ 16.594707]  print_report+0x118/0x5d0
[ 16.594817]  kasan_report+0xdc/0x128
[ 16.594864]  __asan_report_load1_noabort+0x20/0x30
[ 16.594977]  krealloc_uaf+0x4c8/0x520
[ 16.595065]  kunit_try_run_case+0x170/0x3f0
[ 16.595114]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.595501]  kthread+0x328/0x630
[ 16.595628]  ret_from_fork+0x10/0x20
[ 16.595682]
[ 16.595701] Allocated by task 164:
[ 16.595771]  kasan_save_stack+0x3c/0x68
[ 16.595834]  kasan_save_track+0x20/0x40
[ 16.595877]  kasan_save_alloc_info+0x40/0x58
[ 16.595916]  __kasan_kmalloc+0xd4/0xd8
[ 16.595951]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.595988]  krealloc_uaf+0xc8/0x520
[ 16.596031]  kunit_try_run_case+0x170/0x3f0
[ 16.596067]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.596108]  kthread+0x328/0x630
[ 16.596149]  ret_from_fork+0x10/0x20
[ 16.596193]
[ 16.596211] Freed by task 164:
[ 16.596237]  kasan_save_stack+0x3c/0x68
[ 16.596274]  kasan_save_track+0x20/0x40
[ 16.596309]  kasan_save_free_info+0x4c/0x78
[ 16.596354]  __kasan_slab_free+0x6c/0x98
[ 16.596395]  kfree+0x214/0x3c8
[ 16.596427]  krealloc_uaf+0x12c/0x520
[ 16.596475]  kunit_try_run_case+0x170/0x3f0
[ 16.596512]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.596553]  kthread+0x328/0x630
[ 16.596584]  ret_from_fork+0x10/0x20
[ 16.596617]
[ 16.596636] The buggy address belongs to the object at fff00000c17c7a00
[ 16.596636]  which belongs to the cache kmalloc-256 of size 256
[ 16.596692] The buggy address is located 0 bytes inside of
[ 16.596692]  freed 256-byte region [fff00000c17c7a00, fff00000c17c7b00)
[ 16.596760]
[ 16.596789] The buggy address belongs to the physical page:
[ 16.596821] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1017c6
[ 16.596882] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 16.596929] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 16.596982] page_type: f5(slab)
[ 16.597019] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.597066] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.597122] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 16.597170] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.597226] head: 0bfffe0000000001 ffffc1ffc305f181 00000000ffffffff 00000000ffffffff
[ 16.597272] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 16.597316] page dumped because: kasan: bad access detected
[ 16.597361]
[ 16.597379] Memory state around the buggy address:
[ 16.597409]  fff00000c17c7900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.597450]  fff00000c17c7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.597491] >fff00000c17c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.597526]                    ^
[ 16.597553]  fff00000c17c7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.597602]  fff00000c17c7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.597659] ==================================================================
```
qemu-x86_64:

```
[ 12.207919] ==================================================================
[ 12.208760] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 12.209473] Read of size 1 at addr ffff888100a1ec00 by task kunit_try_catch/181
[ 12.210334]
[ 12.210581] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.210626] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.210637] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.210658] Call Trace:
[ 12.210672]  <TASK>
[ 12.210690]  dump_stack_lvl+0x73/0xb0
[ 12.210720]  print_report+0xd1/0x610
[ 12.210742]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.210771]  ? krealloc_uaf+0x53c/0x5e0
[ 12.210792]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.210814]  ? krealloc_uaf+0x53c/0x5e0
[ 12.210835]  kasan_report+0x141/0x180
[ 12.210856]  ? krealloc_uaf+0x53c/0x5e0
[ 12.210883]  __asan_report_load1_noabort+0x18/0x20
[ 12.210916]  krealloc_uaf+0x53c/0x5e0
[ 12.210937]  ? __pfx_krealloc_uaf+0x10/0x10
[ 12.210957]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.210979]  ? __switch_to+0x47/0xf50
[ 12.211005]  ? __schedule+0x10cc/0x2b60
[ 12.211027]  ? __pfx_read_tsc+0x10/0x10
[ 12.211047]  ? ktime_get_ts64+0x86/0x230
[ 12.211071]  kunit_try_run_case+0x1a5/0x480
[ 12.211095]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.211117]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.211140]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.211163]  ? __kthread_parkme+0x82/0x180
[ 12.211183]  ? preempt_count_sub+0x50/0x80
[ 12.211206]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.211229]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.211252]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.211275]  kthread+0x337/0x6f0
[ 12.211293]  ? trace_preempt_on+0x20/0xc0
[ 12.211316]  ? __pfx_kthread+0x10/0x10
[ 12.211335]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.211356]  ? calculate_sigpending+0x7b/0xa0
[ 12.211381]  ? __pfx_kthread+0x10/0x10
[ 12.211401]  ret_from_fork+0x116/0x1d0
[ 12.211419]  ? __pfx_kthread+0x10/0x10
[ 12.211439]  ret_from_fork_asm+0x1a/0x30
[ 12.211470]  </TASK>
[ 12.211480]
[ 12.225679] Allocated by task 181:
[ 12.226192]  kasan_save_stack+0x45/0x70
[ 12.226634]  kasan_save_track+0x18/0x40
[ 12.227129]  kasan_save_alloc_info+0x3b/0x50
[ 12.227671]  __kasan_kmalloc+0xb7/0xc0
[ 12.228029]  __kmalloc_cache_noprof+0x189/0x420
[ 12.228588]  krealloc_uaf+0xbb/0x5e0
[ 12.229008]  kunit_try_run_case+0x1a5/0x480
[ 12.229540]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.230088]  kthread+0x337/0x6f0
[ 12.230291]  ret_from_fork+0x116/0x1d0
[ 12.230424]  ret_from_fork_asm+0x1a/0x30
[ 12.230768]
[ 12.230937] Freed by task 181:
[ 12.231296]  kasan_save_stack+0x45/0x70
[ 12.231720]  kasan_save_track+0x18/0x40
[ 12.232132]  kasan_save_free_info+0x3f/0x60
[ 12.232561]  __kasan_slab_free+0x56/0x70
[ 12.232877]  kfree+0x222/0x3f0
[ 12.233218]  krealloc_uaf+0x13d/0x5e0
[ 12.233540]  kunit_try_run_case+0x1a5/0x480
[ 12.233728]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.234308]  kthread+0x337/0x6f0
[ 12.234699]  ret_from_fork+0x116/0x1d0
[ 12.235042]  ret_from_fork_asm+0x1a/0x30
[ 12.235391]
[ 12.235465] The buggy address belongs to the object at ffff888100a1ec00
[ 12.235465]  which belongs to the cache kmalloc-256 of size 256
[ 12.235975] The buggy address is located 0 bytes inside of
[ 12.235975]  freed 256-byte region [ffff888100a1ec00, ffff888100a1ed00)
[ 12.237310]
[ 12.237541] The buggy address belongs to the physical page:
[ 12.238173] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1e
[ 12.238903] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.239415] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.240009] page_type: f5(slab)
[ 12.240280] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.240985] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.241503] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.242276] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.242977] head: 0200000000000001 ffffea0004028781 00000000ffffffff 00000000ffffffff
[ 12.243495] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 12.244084] page dumped because: kasan: bad access detected
[ 12.244316]
[ 12.244487] Memory state around the buggy address:
[ 12.245076]  ffff888100a1eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.245423]  ffff888100a1eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.246174] >ffff888100a1ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.246713]                    ^
[ 12.246853]  ffff888100a1ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.247326]  ffff888100a1ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.248139] ==================================================================
[ 12.165575] ==================================================================
[ 12.166685] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 12.166951] Read of size 1 at addr ffff888100a1ec00 by task kunit_try_catch/181
[ 12.168149]
[ 12.168443] CPU: 1 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.168491] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.168502] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.168524] Call Trace:
[ 12.168536]  <TASK>
[ 12.168554]  dump_stack_lvl+0x73/0xb0
[ 12.168586]  print_report+0xd1/0x610
[ 12.168609]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.168633]  ? krealloc_uaf+0x1b8/0x5e0
[ 12.168654]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.168676]  ? krealloc_uaf+0x1b8/0x5e0
[ 12.168697]  kasan_report+0x141/0x180
[ 12.168719]  ? krealloc_uaf+0x1b8/0x5e0
[ 12.168746]  ? krealloc_uaf+0x1b8/0x5e0
[ 12.168770]  __kasan_check_byte+0x3d/0x50
[ 12.168792]  krealloc_noprof+0x3f/0x340
[ 12.168815]  krealloc_uaf+0x1b8/0x5e0
[ 12.168836]  ? __pfx_krealloc_uaf+0x10/0x10
[ 12.168857]  ? finish_task_switch.isra.0+0x153/0x700
[ 12.168881]  ? __switch_to+0x47/0xf50
[ 12.168927]  ? __schedule+0x10cc/0x2b60
[ 12.168952]  ? __pfx_read_tsc+0x10/0x10
[ 12.168973]  ? ktime_get_ts64+0x86/0x230
[ 12.168998]  kunit_try_run_case+0x1a5/0x480
[ 12.169024]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.169047]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.169071]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.169093]  ? __kthread_parkme+0x82/0x180
[ 12.169114]  ? preempt_count_sub+0x50/0x80
[ 12.169137]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.169160]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.169184]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.169207]  kthread+0x337/0x6f0
[ 12.169226]  ? trace_preempt_on+0x20/0xc0
[ 12.169250]  ? __pfx_kthread+0x10/0x10
[ 12.169270]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.169291]  ? calculate_sigpending+0x7b/0xa0
[ 12.169315]  ? __pfx_kthread+0x10/0x10
[ 12.169335]  ret_from_fork+0x116/0x1d0
[ 12.169353]  ? __pfx_kthread+0x10/0x10
[ 12.169373]  ret_from_fork_asm+0x1a/0x30
[ 12.169405]  </TASK>
[ 12.169416]
[ 12.183751] Allocated by task 181:
[ 12.184225]  kasan_save_stack+0x45/0x70
[ 12.184639]  kasan_save_track+0x18/0x40
[ 12.185075]  kasan_save_alloc_info+0x3b/0x50
[ 12.185562]  __kasan_kmalloc+0xb7/0xc0
[ 12.185950]  __kmalloc_cache_noprof+0x189/0x420
[ 12.186406]  krealloc_uaf+0xbb/0x5e0
[ 12.186809]  kunit_try_run_case+0x1a5/0x480
[ 12.187266]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.187840]  kthread+0x337/0x6f0
[ 12.188150]  ret_from_fork+0x116/0x1d0
[ 12.188647]  ret_from_fork_asm+0x1a/0x30
[ 12.189138]
[ 12.189370] Freed by task 181:
[ 12.189767]  kasan_save_stack+0x45/0x70
[ 12.190252]  kasan_save_track+0x18/0x40
[ 12.190668]  kasan_save_free_info+0x3f/0x60
[ 12.191142]  __kasan_slab_free+0x56/0x70
[ 12.191386]  kfree+0x222/0x3f0
[ 12.191504]  krealloc_uaf+0x13d/0x5e0
[ 12.192075]  kunit_try_run_case+0x1a5/0x480
[ 12.192497]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.193134]  kthread+0x337/0x6f0
[ 12.193450]  ret_from_fork+0x116/0x1d0
[ 12.193745]  ret_from_fork_asm+0x1a/0x30
[ 12.194243]
[ 12.194417] The buggy address belongs to the object at ffff888100a1ec00
[ 12.194417]  which belongs to the cache kmalloc-256 of size 256
[ 12.195539] The buggy address is located 0 bytes inside of
[ 12.195539]  freed 256-byte region [ffff888100a1ec00, ffff888100a1ed00)
[ 12.196177]
[ 12.196255] The buggy address belongs to the physical page:
[ 12.196432] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a1e
[ 12.197198] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.197969] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.198548] page_type: f5(slab)
[ 12.198918] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.199841] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.200625] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.201391] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.201772] head: 0200000000000001 ffffea0004028781 00000000ffffffff 00000000ffffffff
[ 12.202037] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 12.202796] page dumped because: kasan: bad access detected
[ 12.203389]
[ 12.203597] Memory state around the buggy address:
[ 12.204141]  ffff888100a1eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.204865]  ffff888100a1eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.205510] >ffff888100a1ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.205743]                    ^
[ 12.205861]  ffff888100a1ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.206121]  ffff888100a1ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.206924] ==================================================================
```
[ 11.930644] ==================================================================
[ 11.931924] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 11.932589] Read of size 1 at addr ffff888100a28400 by task kunit_try_catch/182
[ 11.933473]
[ 11.933724] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 11.933783] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.933795] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.933816] Call Trace:
[ 11.933829] <TASK>
[ 11.933846] dump_stack_lvl+0x73/0xb0
[ 11.933878] print_report+0xd1/0x610
[ 11.933900] ? __virt_addr_valid+0x1db/0x2d0
[ 11.933923] ? krealloc_uaf+0x1b8/0x5e0
[ 11.933944] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.933966] ? krealloc_uaf+0x1b8/0x5e0
[ 11.933987] kasan_report+0x141/0x180
[ 11.934009] ? krealloc_uaf+0x1b8/0x5e0
[ 11.934033] ? krealloc_uaf+0x1b8/0x5e0
[ 11.934055] __kasan_check_byte+0x3d/0x50
[ 11.934077] krealloc_noprof+0x3f/0x340
[ 11.934100] krealloc_uaf+0x1b8/0x5e0
[ 11.934121] ? __pfx_krealloc_uaf+0x10/0x10
[ 11.934141] ? finish_task_switch.isra.0+0x153/0x700
[ 11.934164] ? __switch_to+0x47/0xf50
[ 11.934190] ? __schedule+0x10cc/0x2b60
[ 11.934211] ? __pfx_read_tsc+0x10/0x10
[ 11.934231] ? ktime_get_ts64+0x86/0x230
[ 11.934257] kunit_try_run_case+0x1a5/0x480
[ 11.934281] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.934303] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.934326] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.934349] ? __kthread_parkme+0x82/0x180
[ 11.934370] ? preempt_count_sub+0x50/0x80
[ 11.934394] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.934606] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.934631] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.934655] kthread+0x337/0x6f0
[ 11.934709] ? trace_preempt_on+0x20/0xc0
[ 11.934734] ? __pfx_kthread+0x10/0x10
[ 11.934754] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.934776] ? calculate_sigpending+0x7b/0xa0
[ 11.934800] ? __pfx_kthread+0x10/0x10
[ 11.934820] ret_from_fork+0x116/0x1d0
[ 11.934838] ? __pfx_kthread+0x10/0x10
[ 11.934858] ret_from_fork_asm+0x1a/0x30
[ 11.934890] </TASK>
[ 11.934901]
[ 11.952639] Allocated by task 182:
[ 11.952792] kasan_save_stack+0x45/0x70
[ 11.952939] kasan_save_track+0x18/0x40
[ 11.953072] kasan_save_alloc_info+0x3b/0x50
[ 11.953224] __kasan_kmalloc+0xb7/0xc0
[ 11.953351] __kmalloc_cache_noprof+0x189/0x420
[ 11.953764] krealloc_uaf+0xbb/0x5e0
[ 11.954081] kunit_try_run_case+0x1a5/0x480
[ 11.954536] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.955021] kthread+0x337/0x6f0
[ 11.955140] ret_from_fork+0x116/0x1d0
[ 11.955270] ret_from_fork_asm+0x1a/0x30
[ 11.955405]
[ 11.955486] Freed by task 182:
[ 11.955619] kasan_save_stack+0x45/0x70
[ 11.955800] kasan_save_track+0x18/0x40
[ 11.955931] kasan_save_free_info+0x3f/0x60
[ 11.956072] __kasan_slab_free+0x56/0x70
[ 11.956287] kfree+0x222/0x3f0
[ 11.956452] krealloc_uaf+0x13d/0x5e0
[ 11.956631] kunit_try_run_case+0x1a5/0x480
[ 11.956772] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.957181] kthread+0x337/0x6f0
[ 11.957830] ret_from_fork+0x116/0x1d0
[ 11.958006] ret_from_fork_asm+0x1a/0x30
[ 11.958174]
[ 11.958245] The buggy address belongs to the object at ffff888100a28400
[ 11.958245] which belongs to the cache kmalloc-256 of size 256
[ 11.959032] The buggy address is located 0 bytes inside of
[ 11.959032] freed 256-byte region [ffff888100a28400, ffff888100a28500)
[ 11.960023]
[ 11.960124] The buggy address belongs to the physical page:
[ 11.960336] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a28
[ 11.960860] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 11.961318] flags: 0x200000000000040(head|node=0|zone=2)
[ 11.961713] page_type: f5(slab)
[ 11.961895] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.962199] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.962534] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.962848] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.963156] head: 0200000000000001 ffffea0004028a01 00000000ffffffff 00000000ffffffff
[ 11.963816] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 11.964135] page dumped because: kasan: bad access detected
[ 11.964340]
[ 11.964526] Memory state around the buggy address:
[ 11.964891]  ffff888100a28300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.965178]  ffff888100a28380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.965747] >ffff888100a28400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.966206]                    ^
[ 11.966333]  ffff888100a28480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.966823]  ffff888100a28500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.967280] ==================================================================
[ 11.967985] ==================================================================
[ 11.968447] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 11.968757] Read of size 1 at addr ffff888100a28400 by task kunit_try_catch/182
[ 11.969086]
[ 11.969603] CPU: 1 UID: 0 PID: 182 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 11.969649] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.969659] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.969678] Call Trace:
[ 11.969694] <TASK>
[ 11.969709] dump_stack_lvl+0x73/0xb0
[ 11.969738] print_report+0xd1/0x610
[ 11.969760] ? __virt_addr_valid+0x1db/0x2d0
[ 11.969783] ? krealloc_uaf+0x53c/0x5e0
[ 11.969803] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.969826] ? krealloc_uaf+0x53c/0x5e0
[ 11.969847] kasan_report+0x141/0x180
[ 11.969868] ? krealloc_uaf+0x53c/0x5e0
[ 11.969895] __asan_report_load1_noabort+0x18/0x20
[ 11.969918] krealloc_uaf+0x53c/0x5e0
[ 11.969939] ? __pfx_krealloc_uaf+0x10/0x10
[ 11.969959] ? finish_task_switch.isra.0+0x153/0x700
[ 11.969981] ? __switch_to+0x47/0xf50
[ 11.970006] ? __schedule+0x10cc/0x2b60
[ 11.970028] ? __pfx_read_tsc+0x10/0x10
[ 11.970048] ? ktime_get_ts64+0x86/0x230
[ 11.970072] kunit_try_run_case+0x1a5/0x480
[ 11.970095] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.970117] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.970140] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.970163] ? __kthread_parkme+0x82/0x180
[ 11.970183] ? preempt_count_sub+0x50/0x80
[ 11.970206] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.970229] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.970252] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.970276] kthread+0x337/0x6f0
[ 11.970294] ? trace_preempt_on+0x20/0xc0
[ 11.970317] ? __pfx_kthread+0x10/0x10
[ 11.970337] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.970357] ? calculate_sigpending+0x7b/0xa0
[ 11.970380] ? __pfx_kthread+0x10/0x10
[ 11.970401] ret_from_fork+0x116/0x1d0
[ 11.970432] ? __pfx_kthread+0x10/0x10
[ 11.970464] ret_from_fork_asm+0x1a/0x30
[ 11.970496] </TASK>
[ 11.970506]
[ 11.982368] Allocated by task 182:
[ 11.982740] kasan_save_stack+0x45/0x70
[ 11.983187] kasan_save_track+0x18/0x40
[ 11.983536] kasan_save_alloc_info+0x3b/0x50
[ 11.984129] __kasan_kmalloc+0xb7/0xc0
[ 11.984547] __kmalloc_cache_noprof+0x189/0x420
[ 11.984963] krealloc_uaf+0xbb/0x5e0
[ 11.985288] kunit_try_run_case+0x1a5/0x480
[ 11.985812] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.986497] kthread+0x337/0x6f0
[ 11.986847] ret_from_fork+0x116/0x1d0
[ 11.987080] ret_from_fork_asm+0x1a/0x30
[ 11.987220]
[ 11.987291] Freed by task 182:
[ 11.987402] kasan_save_stack+0x45/0x70
[ 11.987766] kasan_save_track+0x18/0x40
[ 11.988125] kasan_save_free_info+0x3f/0x60
[ 11.988669] __kasan_slab_free+0x56/0x70
[ 11.989037] kfree+0x222/0x3f0
[ 11.989317] krealloc_uaf+0x13d/0x5e0
[ 11.989773] kunit_try_run_case+0x1a5/0x480
[ 11.990122] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.990300] kthread+0x337/0x6f0
[ 11.990502] ret_from_fork+0x116/0x1d0
[ 11.990883] ret_from_fork_asm+0x1a/0x30
[ 11.991226]
[ 11.991383] The buggy address belongs to the object at ffff888100a28400
[ 11.991383] which belongs to the cache kmalloc-256 of size 256
[ 11.992543] The buggy address is located 0 bytes inside of
[ 11.992543] freed 256-byte region [ffff888100a28400, ffff888100a28500)
[ 11.993048]
[ 11.993126] The buggy address belongs to the physical page:
[ 11.993309] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a28
[ 11.993575] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 11.994057] flags: 0x200000000000040(head|node=0|zone=2)
[ 11.994357] page_type: f5(slab)
[ 11.994614] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.994951] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.995260] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 11.995674] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.996006] head: 0200000000000001 ffffea0004028a01 00000000ffffffff 00000000ffffffff
[ 11.996324] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 11.996684] page dumped because: kasan: bad access detected
[ 11.996855]
[ 11.996923] Memory state around the buggy address:
[ 11.997153]  ffff888100a28300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.997639]  ffff888100a28380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.997912] >ffff888100a28400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.998158]                    ^
[ 11.998326]  ffff888100a28480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.998718]  ffff888100a28500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.998948] ==================================================================
[ 12.123173] ==================================================================
[ 12.123502] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[ 12.123811] Read of size 1 at addr ffff888100348c00 by task kunit_try_catch/181
[ 12.124124]
[ 12.124239] CPU: 0 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.124285] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.124296] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.124317] Call Trace:
[ 12.124338] <TASK>
[ 12.124359] dump_stack_lvl+0x73/0xb0
[ 12.124389] print_report+0xd1/0x610
[ 12.124413] ? __virt_addr_valid+0x1db/0x2d0
[ 12.124435] ? krealloc_uaf+0x53c/0x5e0
[ 12.124455] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.124476] ? krealloc_uaf+0x53c/0x5e0
[ 12.124496] kasan_report+0x141/0x180
[ 12.124516] ? krealloc_uaf+0x53c/0x5e0
[ 12.124540] __asan_report_load1_noabort+0x18/0x20
[ 12.124563] krealloc_uaf+0x53c/0x5e0
[ 12.124583] ? __pfx_krealloc_uaf+0x10/0x10
[ 12.124602] ? finish_task_switch.isra.0+0x153/0x700
[ 12.124624] ? __switch_to+0x47/0xf50
[ 12.124648] ? __schedule+0x10cc/0x2b60
[ 12.124669] ? __pfx_read_tsc+0x10/0x10
[ 12.124689] ? ktime_get_ts64+0x86/0x230
[ 12.124711] kunit_try_run_case+0x1a5/0x480
[ 12.124734] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.124755] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.124777] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.124798] ? __kthread_parkme+0x82/0x180
[ 12.124818] ? preempt_count_sub+0x50/0x80
[ 12.124839] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.124868] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.124890] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.124912] kthread+0x337/0x6f0
[ 12.124929] ? trace_preempt_on+0x20/0xc0
[ 12.124951] ? __pfx_kthread+0x10/0x10
[ 12.124970] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.124989] ? calculate_sigpending+0x7b/0xa0
[ 12.125022] ? __pfx_kthread+0x10/0x10
[ 12.125042] ret_from_fork+0x116/0x1d0
[ 12.125059] ? __pfx_kthread+0x10/0x10
[ 12.125077] ret_from_fork_asm+0x1a/0x30
[ 12.125107] </TASK>
[ 12.125116]
[ 12.133391] Allocated by task 181:
[ 12.133619] kasan_save_stack+0x45/0x70
[ 12.133842] kasan_save_track+0x18/0x40
[ 12.134307] kasan_save_alloc_info+0x3b/0x50
[ 12.134537] __kasan_kmalloc+0xb7/0xc0
[ 12.134749] __kmalloc_cache_noprof+0x189/0x420
[ 12.134942] krealloc_uaf+0xbb/0x5e0
[ 12.135266] kunit_try_run_case+0x1a5/0x480
[ 12.135450] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.135704] kthread+0x337/0x6f0
[ 12.135833] ret_from_fork+0x116/0x1d0
[ 12.135972] ret_from_fork_asm+0x1a/0x30
[ 12.136258]
[ 12.136358] Freed by task 181:
[ 12.136543] kasan_save_stack+0x45/0x70
[ 12.136737] kasan_save_track+0x18/0x40
[ 12.136909] kasan_save_free_info+0x3f/0x60
[ 12.137179] __kasan_slab_free+0x56/0x70
[ 12.137389] kfree+0x222/0x3f0
[ 12.137562] krealloc_uaf+0x13d/0x5e0
[ 12.137740] kunit_try_run_case+0x1a5/0x480
[ 12.137919] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.138438] kthread+0x337/0x6f0
[ 12.138596] ret_from_fork+0x116/0x1d0
[ 12.138776] ret_from_fork_asm+0x1a/0x30
[ 12.138920]
[ 12.139120] The buggy address belongs to the object at ffff888100348c00
[ 12.139120] which belongs to the cache kmalloc-256 of size 256
[ 12.139657] The buggy address is located 0 bytes inside of
[ 12.139657] freed 256-byte region [ffff888100348c00, ffff888100348d00)
[ 12.140259]
[ 12.140358] The buggy address belongs to the physical page:
[ 12.140613] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100348
[ 12.140864] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.141234] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.141518] page_type: f5(slab)
[ 12.141689] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.142247] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.142626] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.142939] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.143352] head: 0200000000000001 ffffea000400d201 00000000ffffffff 00000000ffffffff
[ 12.143690] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 12.143920] page dumped because: kasan: bad access detected
[ 12.144222]
[ 12.144318] Memory state around the buggy address:
[ 12.144568]  ffff888100348b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.144890]  ffff888100348b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.145211] >ffff888100348c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.145562]                    ^
[ 12.145728]  ffff888100348c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.146275]  ffff888100348d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.146561] ==================================================================
[ 12.097001] ==================================================================
[ 12.097504] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[ 12.097798] Read of size 1 at addr ffff888100348c00 by task kunit_try_catch/181
[ 12.098104]
[ 12.098225] CPU: 0 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.098273] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.098284] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.098306] Call Trace:
[ 12.098320] <TASK>
[ 12.098338] dump_stack_lvl+0x73/0xb0
[ 12.098369] print_report+0xd1/0x610
[ 12.098391] ? __virt_addr_valid+0x1db/0x2d0
[ 12.098415] ? krealloc_uaf+0x1b8/0x5e0
[ 12.098434] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.098455] ? krealloc_uaf+0x1b8/0x5e0
[ 12.098475] kasan_report+0x141/0x180
[ 12.098495] ? krealloc_uaf+0x1b8/0x5e0
[ 12.098518] ? krealloc_uaf+0x1b8/0x5e0
[ 12.098538] __kasan_check_byte+0x3d/0x50
[ 12.098558] krealloc_noprof+0x3f/0x340
[ 12.098580] krealloc_uaf+0x1b8/0x5e0
[ 12.098600] ? __pfx_krealloc_uaf+0x10/0x10
[ 12.098620] ? finish_task_switch.isra.0+0x153/0x700
[ 12.098642] ? __switch_to+0x47/0xf50
[ 12.098667] ? __schedule+0x10cc/0x2b60
[ 12.098689] ? __pfx_read_tsc+0x10/0x10
[ 12.098709] ? ktime_get_ts64+0x86/0x230
[ 12.098732] kunit_try_run_case+0x1a5/0x480
[ 12.098758] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.098778] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.098801] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.098823] ? __kthread_parkme+0x82/0x180
[ 12.098843] ? preempt_count_sub+0x50/0x80
[ 12.098864] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.098886] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.098908] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.098930] kthread+0x337/0x6f0
[ 12.098948] ? trace_preempt_on+0x20/0xc0
[ 12.098971] ? __pfx_kthread+0x10/0x10
[ 12.098990] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.099105] ? calculate_sigpending+0x7b/0xa0
[ 12.099134] ? __pfx_kthread+0x10/0x10
[ 12.099155] ret_from_fork+0x116/0x1d0
[ 12.099174] ? __pfx_kthread+0x10/0x10
[ 12.099193] ret_from_fork_asm+0x1a/0x30
[ 12.099224] </TASK>
[ 12.099233]
[ 12.107280] Allocated by task 181:
[ 12.107448] kasan_save_stack+0x45/0x70
[ 12.107691] kasan_save_track+0x18/0x40
[ 12.107843] kasan_save_alloc_info+0x3b/0x50
[ 12.108163] __kasan_kmalloc+0xb7/0xc0
[ 12.108346] __kmalloc_cache_noprof+0x189/0x420
[ 12.108566] krealloc_uaf+0xbb/0x5e0
[ 12.108753] kunit_try_run_case+0x1a5/0x480
[ 12.108929] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.109237] kthread+0x337/0x6f0
[ 12.109384] ret_from_fork+0x116/0x1d0
[ 12.109579] ret_from_fork_asm+0x1a/0x30
[ 12.109754]
[ 12.109875] Freed by task 181:
[ 12.110101] kasan_save_stack+0x45/0x70
[ 12.110288] kasan_save_track+0x18/0x40
[ 12.110482] kasan_save_free_info+0x3f/0x60
[ 12.110671] __kasan_slab_free+0x56/0x70
[ 12.110843] kfree+0x222/0x3f0
[ 12.111202] krealloc_uaf+0x13d/0x5e0
[ 12.111395] kunit_try_run_case+0x1a5/0x480
[ 12.111625] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.111802] kthread+0x337/0x6f0
[ 12.111923] ret_from_fork+0x116/0x1d0
[ 12.112148] ret_from_fork_asm+0x1a/0x30
[ 12.112314]
[ 12.112391] The buggy address belongs to the object at ffff888100348c00
[ 12.112391] which belongs to the cache kmalloc-256 of size 256
[ 12.113112] The buggy address is located 0 bytes inside of
[ 12.113112] freed 256-byte region [ffff888100348c00, ffff888100348d00)
[ 12.113675]
[ 12.113765] The buggy address belongs to the physical page:
[ 12.113942] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100348
[ 12.114273] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.114605] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.114868] page_type: f5(slab)
[ 12.115354] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.115733] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.116173] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 12.116545] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.116895] head: 0200000000000001 ffffea000400d201 00000000ffffffff 00000000ffffffff
[ 12.117300] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 12.117564] page dumped because: kasan: bad access detected
[ 12.117735]
[ 12.117829] Memory state around the buggy address:
[ 12.118131]  ffff888100348b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.118474]  ffff888100348b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.118761] >ffff888100348c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.119322]                    ^
[ 12.119516]  ffff888100348c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.119809]  ffff888100348d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.120194] ==================================================================