From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
To: dwmw2@infradead.org, richardcochran@gmail.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [BUG] ptp: vmclock: KASAN slab-use-after-free in vmclock_miscdev_read
Date: Sun, 14 Jun 2026 22:15:08 -0400
Message-ID: <178144969601.60470.14493569608271069160@gmail.com>
Hi,

I hit the following KASAN report while testing the current upstream kernel.
The issue was reproduced by opening /dev/vmclock0, unbinding the vmclock
platform device, and then reading from the old fd.

KASAN: slab-use-after-free in vmclock_miscdev_read

I reproduced this on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/7c2d117852611448a80026f8aa4d4bc4

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>

[ 148.011605][ T8390] BUG: KASAN: slab-use-after-free in vmclock_miscdev_read (drivers/ptp/ptp_vmclock.c:409)
[ 148.015241][ T8390] Read of size 8 at addr ffff88811fdc7478 by task repro_vmclock_o/8390
[ 148.018209][ T8390] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 148.018216][ T8390] Call Trace:
[ 148.018226][ T8390] <TASK>
[ 148.018232][ T8390] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 148.018248][ T8390] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 148.018314][ T8390] kasan_report (mm/kasan/report.c:595)
[ 148.018335][ T8390] vmclock_miscdev_read (drivers/ptp/ptp_vmclock.c:409)
[ 148.018384][ T8390] vfs_read (fs/read_write.c:572)
[ 148.018453][ T8390] __x64_sys_pread64 (fs/read_write.c:765 fs/read_write.c:773 fs/read_write.c:770 fs/read_write.c:770)
[ 148.018483][ T8390] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 148.018498][ T8390] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 148.018604][ T8390] </TASK>
[ 148.042173][ T8390] Freed by task 8390 on cpu 1 at 147.908511s:
[ 148.042791][ T8390] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 148.043265][ T8390] kasan_save_free_info (mm/kasan/generic.c:584)
[ 148.043775][ T8390] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 148.044256][ T8390] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 148.044668][ T8390] devres_release_all (drivers/base/devres.c:50 drivers/base/devres.c:547 drivers/base/devres.c:576)
[ 148.045171][ T8390] device_release_driver_internal (drivers/base/dd.c:598 drivers/base/dd.c:1357 drivers/base/dd.c:1375)
[ 148.045791][ T8390] unbind_store (drivers/base/bus.c:244)
[ 148.046252][ T8390] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 148.046798][ T8390] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 148.047229][ T8390] ksys_write (fs/read_write.c:740)
[ 148.047678][ T8390] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 148.048144][ T8390] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 148.048996][ T8390] The buggy address belongs to the object at ffff88811fdc7400
[ 148.048996][ T8390] which belongs to the cache kmalloc-512 of size 512
[ 148.050394][ T8390] The buggy address is located 120 bytes inside of
[ 148.050394][ T8390] freed 512-byte region [ffff88811fdc7400, ffff88811fdc7600)
Best,
Shuangpeng
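The report above points at a classic lifetime mismatch: the per-device state is released by devres when the driver is unbound (note the kfree under devres_release_all in the "Freed by" trace), while an already-open file descriptor still reaches that memory through the misc device's read path. The following userspace model, added here as an illustration and not taken from the report or from drivers/ptp/ptp_vmclock.c, shows the reference-counted pattern that avoids this class of bug: the driver and every open file each hold a reference, unbind drops only the driver's reference and marks the object unbound, and the memory is freed when the last holder goes away. All names (vmclock_state, vmclock_probe, vmclock_open, vmclock_read, vmclock_remove, vmclock_release, vmclock_scenario) are assumptions for this example; the model is single-threaded and omits the locking a real driver needs between remove() and concurrent readers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the pattern; not the kernel driver's code.
 * Counts real frees so a caller can observe when the state is released. */
static int vmclock_frees;

struct vmclock_state {
    int refcount;         /* driver holds one ref; each open file holds one more */
    int unbound;          /* set by remove(); reads after this fail cleanly */
    uint64_t clock_data;  /* stand-in for the clock data the read returns */
};

struct vmclock_file {
    struct vmclock_state *st;  /* what a real driver keeps in fp->private_data */
};

static void vmclock_get(struct vmclock_state *st) { st->refcount++; }

/* Free only when the last holder (driver or open file) drops its ref. */
static void vmclock_put(struct vmclock_state *st)
{
    if (--st->refcount == 0) {
        vmclock_frees++;
        free(st);
    }
}

/* probe(): plain allocation, not devm-managed, so the lifetime follows
 * the refcount rather than the driver binding. */
static struct vmclock_state *vmclock_probe(uint64_t initial)
{
    struct vmclock_state *st = calloc(1, sizeof(*st));
    if (!st)
        return NULL;
    st->refcount = 1;          /* the driver's own reference */
    st->clock_data = initial;
    return st;
}

/* open(): refuse once unbound; otherwise the file takes its own reference. */
static int vmclock_open(struct vmclock_state *st, struct vmclock_file *fp)
{
    if (st->unbound)
        return -ENODEV;
    vmclock_get(st);
    fp->st = st;
    return 0;
}

/* read(): safe after unbind because the file's reference keeps st alive;
 * an unbound device reports -ENODEV instead of touching stale data. */
static long vmclock_read(struct vmclock_file *fp, uint64_t *out)
{
    struct vmclock_state *st = fp->st;
    if (st->unbound)
        return -ENODEV;
    *out = st->clock_data;
    return (long)sizeof(*out);
}

/* release(): the file drops its reference; this may be the final free. */
static void vmclock_release(struct vmclock_file *fp)
{
    vmclock_put(fp->st);
    fp->st = NULL;
}

/* remove(): mark unbound and drop the driver's reference only. */
static void vmclock_remove(struct vmclock_state *st)
{
    st->unbound = 1;
    vmclock_put(st);
}

/* Replays the reported sequence (open, unbind, read on the old fd, close)
 * against the model. Returns 0 when every step behaves as intended. */
static int vmclock_scenario(void)
{
    struct vmclock_file fp;
    uint64_t v = 0;
    struct vmclock_state *st;

    vmclock_frees = 0;
    st = vmclock_probe(42);
    if (!st)
        return -ENOMEM;
    if (vmclock_open(st, &fp) != 0)
        return -1;
    vmclock_remove(st);                 /* driver gone; file still holds a ref */
    if (vmclock_frees != 0)
        return -2;                      /* must not have been freed yet */
    if (vmclock_read(&fp, &v) != -ENODEV)
        return -3;                      /* stale fd fails cleanly, no UAF */
    vmclock_release(&fp);
    if (vmclock_frees != 1)
        return -4;                      /* last reference triggers the free */
    return 0;
}

/* Normal path for comparison: read while bound returns the clock data. */
static long vmclock_normal_path(void)
{
    struct vmclock_file fp;
    uint64_t v = 0;
    struct vmclock_state *st;

    vmclock_frees = 0;
    st = vmclock_probe(42);
    if (!st || vmclock_open(st, &fp) != 0)
        return -1;
    if (vmclock_read(&fp, &v) != (long)sizeof(v))
        return -2;
    vmclock_release(&fp);
    vmclock_remove(st);
    return vmclock_frees == 1 ? (long)v : -3;
}

int main(void)
{
    printf("scenario=%d normal=%ld\n", vmclock_scenario(), vmclock_normal_path());
    return 0;
}
```

The behaviour to compare against the report is the read after remove(): with a devm-managed allocation that memory is already gone by the time the stale fd is read, whereas here the file's reference keeps the object valid and the read returns -ENODEV.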