* [BUG] ptp: vmclock: KASAN slab-use-after-free in vmclock_miscdev_read
@ 2026-06-15  2:15 Shuangpeng Bai
From: Shuangpeng Bai @ 2026-06-15  2:15 UTC (permalink / raw)
  To: dwmw2, richardcochran, netdev, linux-kernel

Hi,

I hit the following KASAN report while testing the current upstream kernel.

The issue was reproduced by opening /dev/vmclock0, unbinding the vmclock
platform device, and then reading from the old fd.

KASAN: slab-use-after-free in vmclock_miscdev_read

I reproduced this on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/7c2d117852611448a80026f8aa4d4bc4

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>

[  148.011605][ T8390] BUG: KASAN: slab-use-after-free in vmclock_miscdev_read (drivers/ptp/ptp_vmclock.c:409)
[  148.015241][ T8390] Read of size 8 at addr ffff88811fdc7478 by task repro_vmclock_o/8390
[  148.018209][ T8390] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  148.018216][ T8390] Call Trace:
[  148.018226][ T8390]  <TASK>
[  148.018232][ T8390]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[  148.018248][ T8390]  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[  148.018314][ T8390]  kasan_report (mm/kasan/report.c:595)
[  148.018335][ T8390]  vmclock_miscdev_read (drivers/ptp/ptp_vmclock.c:409)
[  148.018384][ T8390]  vfs_read (fs/read_write.c:572)
[  148.018453][ T8390]  __x64_sys_pread64 (fs/read_write.c:765 fs/read_write.c:773 fs/read_write.c:770 fs/read_write.c:770)
[  148.018483][ T8390]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[  148.018498][ T8390]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[  148.018604][ T8390]  </TASK>
[  148.042173][ T8390] Freed by task 8390 on cpu 1 at 147.908511s:
[  148.042791][ T8390]  kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[  148.043265][ T8390]  kasan_save_free_info (mm/kasan/generic.c:584)
[  148.043775][ T8390]  __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[  148.044256][ T8390]  kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[  148.044668][ T8390]  devres_release_all (drivers/base/devres.c:50 drivers/base/devres.c:547 drivers/base/devres.c:576)
[  148.045171][ T8390]  device_release_driver_internal (drivers/base/dd.c:598 drivers/base/dd.c:1357 drivers/base/dd.c:1375)
[  148.045791][ T8390]  unbind_store (drivers/base/bus.c:244)
[  148.046252][ T8390]  kernfs_fop_write_iter (fs/kernfs/file.c:352)
[  148.046798][ T8390]  vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[  148.047229][ T8390]  ksys_write (fs/read_write.c:740)
[  148.047678][ T8390]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[  148.048144][ T8390]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[  148.048996][ T8390] The buggy address belongs to the object at ffff88811fdc7400
[  148.048996][ T8390]  which belongs to the cache kmalloc-512 of size 512
[  148.050394][ T8390] The buggy address is located 120 bytes inside of
[  148.050394][ T8390]  freed 512-byte region [ffff88811fdc7400, ffff88811fdc7600)


Best,
Shuangpeng
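The report above is self-describing: the "Freed by" trace shows the object was released by devres_release_all() during the sysfs unbind, so it was devm-managed memory whose lifetime ended with the device binding, while the file opened on /dev/vmclock0 still held a pointer to it and dereferenced it at ptp_vmclock.c:409. The usual remedy for a misc device whose open files can outlive the device is to give the per-device state its own reference count (one reference for the bound device, one per open file) plus a "dead" flag that remove() sets and read() checks under the same lock. The following userspace model, an added example and not the ptp_vmclock driver's code, walks the reporter's sequence (open, unbind, read through the old fd) against such a design; the clk_* names, the freed_states counter and the value 42 are illustrative:

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model (added example, names hypothetical) of the lifetime rule a
 * misc device needs when an open file can outlive the device it was opened on. */
struct clk_state {
	pthread_mutex_t lock;
	int refcount;    /* one for the bound device, one per open file */
	bool dead;       /* set by remove(); read() must fail once set */
	uint64_t seq;    /* stand-in for the shared clock data */
};

struct clk_file {
	struct clk_state *st;  /* pinned by the reference taken in open() */
};

static int freed_states;  /* how many states were really freed (for checking) */

static struct clk_state *clk_state_new(void)
{
	struct clk_state *st = calloc(1, sizeof(*st));
	if (!st)
		return NULL;
	pthread_mutex_init(&st->lock, NULL);
	st->refcount = 1;  /* held by the bound device */
	st->seq = 42;      /* constructed sample value */
	return st;
}

static void clk_state_get(struct clk_state *st)
{
	pthread_mutex_lock(&st->lock);
	st->refcount++;
	pthread_mutex_unlock(&st->lock);
}

/* Drop one reference; the memory goes away only with the last holder. */
static void clk_state_put(struct clk_state *st)
{
	pthread_mutex_lock(&st->lock);
	int left = --st->refcount;
	pthread_mutex_unlock(&st->lock);
	if (left == 0) {
		pthread_mutex_destroy(&st->lock);
		free(st);
		freed_states++;
	}
}

/* open(): take a reference so the state lives as long as the file does. */
static struct clk_file *clk_open(struct clk_state *st)
{
	struct clk_file *f = calloc(1, sizeof(*f));
	if (!f)
		return NULL;
	clk_state_get(st);
	f->st = st;
	return f;
}

/* read(): check the dead flag under the lock that remove() sets it under,
 * so a reader never sees a half-torn-down device or freed memory. */
static int clk_read(struct clk_file *f, uint64_t *out)
{
	struct clk_state *st = f->st;
	int ret = 0;

	pthread_mutex_lock(&st->lock);
	if (st->dead)
		ret = -ENODEV;
	else
		*out = st->seq;
	pthread_mutex_unlock(&st->lock);
	return ret;
}

/* release(): drop the file's reference; after remove() this frees the state. */
static void clk_release(struct clk_file *f)
{
	clk_state_put(f->st);
	free(f);
}

/* remove(): mark dead and drop only the device's reference. devm_-managed
 * memory instead gets freed here unconditionally, which is the UAF window. */
static void clk_remove(struct clk_state *st)
{
	pthread_mutex_lock(&st->lock);
	st->dead = true;
	pthread_mutex_unlock(&st->lock);
	clk_state_put(st);
}

/* The reporter's sequence: open, unbind, read through the old fd.
 * Returns 0 if every step behaved, otherwise the number of the failing step. */
static int scenario_unbind_then_read(void)
{
	struct clk_state *st = clk_state_new();
	struct clk_file *f = clk_open(st);
	uint64_t v = 0;
	int freed_before = freed_states;

	if (clk_read(f, &v) != 0 || v != 42)
		return 1;
	clk_remove(st);                       /* the sysfs unbind */
	if (freed_states != freed_before)
		return 2;                     /* freed with a file open: UAF */
	if (clk_read(f, &v) != -ENODEV)
		return 3;                     /* must fail, not touch state */
	clk_release(f);                       /* last reference frees it */
	return freed_states == freed_before + 1 ? 0 : 4;
}

int main(void)
{
	printf("scenario result: %d\n", scenario_unbind_then_read());
	return 0;
}
```

The point to take from the model is the ordering: after remove() the state is still valid memory, the read path is refused with -ENODEV, and the free happens only on the final close. A devm allocation cannot give that ordering because devres_release_all() runs on unbind regardless of open files, which is exactly the free the report's stack shows.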
