[BUG] KASAN: slab-use-after-free in __mptctl_ioctl
From: Shuangpeng Bai
Date: Sun Jun 14 2026 - 13:32:09 EST
Hi Kernel Maintainers,

I hit the following report while testing the current upstream kernel:

KASAN: slab-use-after-free in __mptctl_ioctl
on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

To help trigger the bug more reliably, we applied a minimal diagnostic patch
that only adds delays and print statements.

The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/f6aa77a9c6e552b7ff7e79b39286ed45

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[ 63.990467][ T8321] BUG: KASAN: slab-use-after-free in __mptctl_ioctl (drivers/message/fusion/mptctl.c:1274 drivers/message/fusion/mptctl.c:656)
[ 63.992791][ T8321] Read of size 1 at addr ffff888119b82080 by task mptctl_iocinfo_/8321
[ 63.994574][ T8321]
[ 63.994953][ T8321] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 63.994958][ T8321] Call Trace:
[ 63.994963][ T8321] <TASK>
[ 63.994966][ T8321] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 63.994977][ T8321] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 63.995002][ T8321] kasan_report (mm/kasan/report.c:595)
[ 63.995034][ T8321] __mptctl_ioctl (drivers/message/fusion/mptctl.c:1274 drivers/message/fusion/mptctl.c:656)
[ 63.995102][ T8321] mptctl_ioctl (drivers/message/fusion/mptctl.c:700)
[ 63.995108][ T8321] __se_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:597 fs/ioctl.c:583)
[ 63.995112][ T8321] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 63.995122][ T8321] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 63.995128][ T8321] RIP: 0033:0x7ff74f883237
[ 63.995135][ T8321] Code: 00 00 00 48 8b 05 59 cc 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 29 cc 0d 00 f7 d8 64 89 01 48
[ 63.995141][ T8321] RSP: 002b:00007ff74f78dd68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 63.995150][ T8321] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff74f883237
[ 63.995154][ T8321] RDX: 00007ff74f78de60 RSI: 00000000c05c6d11 RDI: 0000000000000003
[ 63.995158][ T8321] RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ff74f78e700
[ 63.995161][ T8321] R10: fffffffffffff5ea R11: 0000000000000202 R12: 00007ff74f78de60
[ 63.995164][ T8321] R13: 0000000000000020 R14: 000000006a2b030a R15: 0000000000000000
[ 63.995171][ T8321] </TASK>
[ 63.995173][ T8321]
[ 64.015739][ T8321] Freed by task 8303 on cpu 0 at 62.780944s:
[ 64.016310][ T8321] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 64.016757][ T8321] kasan_save_free_info (mm/kasan/generic.c:584)
[ 64.017239][ T8321] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 64.017692][ T8321] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 64.018075][ T8321] mpt_detach (drivers/message/fusion/mptbase.c:2849 drivers/message/fusion/mptbase.c:2125)
[ 64.018507][ T8321] pci_device_remove (drivers/pci/pci-driver.c:512)
[ 64.018969][ T8321] device_release_driver_internal (drivers/base/dd.c:619 drivers/base/dd.c:1352 drivers/base/dd.c:1375)
[ 64.019552][ T8321] unbind_store (drivers/base/bus.c:244)
[ 64.019982][ T8321] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 64.020487][ T8321] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 64.020888][ T8321] ksys_write (fs/read_write.c:740)
[ 64.021307][ T8321] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 64.021745][ T8321] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 64.022305][ T8321]
[ 64.022533][ T8321] The buggy address belongs to the object at ffff888119b82000
[ 64.022533][ T8321] which belongs to the cache kmalloc-4k of size 4096
[ 64.023834][ T8321] The buggy address is located 128 bytes inside of
[ 64.023834][ T8321] freed 4096-byte region [ffff888119b82000, ffff888119b83000)
[ 64.025137][ T8321]
Best,
Shuangpeng
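For triage, the useful facts in a KASAN report like the one above are the bug class, the faulting access (operation, size, address, task), the first non-instrumentation frame of the access stack, the frame that issued the free, and whether the reported offset agrees with the object base. The following Python script is an added example written for this page, not code from the reporter or from the kernel tree; it parses those fields from the dmesg lines quoted in the report (embedded below as a constructed sample) and cross-checks the address arithmetic. Function names such as `parse_kasan_report` and `culprit_frame` are this example's own, and the frame-name sets used to skip KASAN and allocator frames are an assumption based on the frames visible in this report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a subset of the KASAN report lines quoted in the
# mailing-list post above, so the script runs offline.
SAMPLE_REPORT = """\
[ 63.990467][ T8321] BUG: KASAN: slab-use-after-free in __mptctl_ioctl (drivers/message/fusion/mptctl.c:1274 drivers/message/fusion/mptctl.c:656)
[ 63.992791][ T8321] Read of size 1 at addr ffff888119b82080 by task mptctl_iocinfo_/8321
[ 63.994574][ T8321]
[ 63.994958][ T8321] Call Trace:
[ 63.994963][ T8321] <TASK>
[ 63.994966][ T8321] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 63.994977][ T8321] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 63.995002][ T8321] kasan_report (mm/kasan/report.c:595)
[ 63.995034][ T8321] __mptctl_ioctl (drivers/message/fusion/mptctl.c:1274 drivers/message/fusion/mptctl.c:656)
[ 63.995102][ T8321] mptctl_ioctl (drivers/message/fusion/mptctl.c:700)
[ 63.995108][ T8321] __se_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:597 fs/ioctl.c:583)
[ 63.995171][ T8321] </TASK>
[ 63.995173][ T8321]
[ 64.015739][ T8321] Freed by task 8303 on cpu 0 at 62.780944s:
[ 64.016310][ T8321] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 64.016757][ T8321] kasan_save_free_info (mm/kasan/generic.c:584)
[ 64.017239][ T8321] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 64.017692][ T8321] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 64.018075][ T8321] mpt_detach (drivers/message/fusion/mptbase.c:2849 drivers/message/fusion/mptbase.c:2125)
[ 64.018507][ T8321] pci_device_remove (drivers/pci/pci-driver.c:512)
[ 64.019552][ T8321] unbind_store (drivers/base/bus.c:244)
[ 64.022305][ T8321]
[ 64.022533][ T8321] The buggy address belongs to the object at ffff888119b82000
[ 64.022533][ T8321] which belongs to the cache kmalloc-4k of size 4096
[ 64.023834][ T8321] The buggy address is located 128 bytes inside of
[ 64.023834][ T8321] freed 4096-byte region [ffff888119b82000, ffff888119b83000)
"""

# dmesg "[ seconds][ Tpid] " prefix that precedes every line.
PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FREED_RE = re.compile(r"Freed by task (?P<pid>\d+)")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+) \((?P<loc>[^)]*)\)$")
OBJ_RE = re.compile(r"object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
INSIDE_RE = re.compile(r"located (?P<off>\d+) bytes inside of")

# Assumed sets of frames that are instrumentation or the allocator itself,
# not the code under suspicion; extend as needed for other reports.
KASAN_FRAMES = {"dump_stack_lvl", "print_report", "kasan_report",
                "kasan_save_track", "kasan_save_free_info", "__kasan_slab_free"}
ALLOC_FRAMES = {"kfree", "kmem_cache_free", "kvfree"}


def parse_kasan_report(text: str) -> Dict[str, object]:
    """Extract the triage-relevant fields from a KASAN slab report."""
    report: Dict[str, object] = {
        "kind": None, "func": None, "op": None, "size": None, "addr": None,
        "task": None, "access_stack": [], "free_stack": [], "free_pid": None,
        "object": None, "cache": None, "cache_size": None, "offset": None,
    }
    section: Optional[str] = None  # which stack trace we are inside, if any
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if not line or line == "</TASK>":
            section = None          # a blank line or </TASK> ends a trace
            continue
        if line == "<TASK>":
            continue
        m = BUG_RE.search(line)
        if m:
            report["kind"], report["func"] = m["kind"], m["func"]
            continue
        m = ACCESS_RE.search(line)
        if m:
            report["op"], report["size"] = m["op"], int(m["size"])
            report["addr"], report["task"] = m["addr"], m["task"]
            continue
        if line.startswith("Call Trace:"):
            section = "access"
            continue
        m = FREED_RE.search(line)
        if m:
            report["free_pid"], section = int(m["pid"]), "free"
            continue
        for regex, key, conv in ((OBJ_RE, "object", str),
                                 (CACHE_RE, "cache", str),
                                 (INSIDE_RE, "offset", int)):
            m = regex.search(line)
            if m:
                report[key] = conv(m.group(1))
                if regex is CACHE_RE:
                    report["cache_size"] = int(m["size"])
        m = FRAME_RE.match(line)
        if m and section in ("access", "free"):
            report[f"{section}_stack"].append(m["func"])
    return report


def culprit_frame(report: Dict[str, object]) -> Optional[str]:
    """First access-stack frame that is not KASAN's own reporting code."""
    return next((f for f in report["access_stack"] if f not in KASAN_FRAMES), None)


def free_caller(report: Dict[str, object]) -> Optional[str]:
    """First free-stack frame outside KASAN and the allocator: who freed it."""
    skip = KASAN_FRAMES | ALLOC_FRAMES
    return next((f for f in report["free_stack"] if f not in skip), None)


def offset_matches(report: Dict[str, object]) -> bool:
    """Check that addr - object base equals the offset KASAN printed."""
    return int(report["addr"], 16) - int(report["object"], 16) == report["offset"]


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(f"{r['kind']} in {culprit_frame(r)}: {r['op']} of {r['size']} byte(s) "
          f"at +{r['offset']} in a {r['cache']} object freed by {free_caller(r)} "
          f"(task {r['free_pid']}); offset consistent: {offset_matches(r)}")
```

Run on the report above it reduces the log to one line: a 1-byte read in `__mptctl_ioctl` at offset 128 into a kmalloc-4k object that `mpt_detach` freed from the sysfs unbind path, which is the shape of the bug the reporter describes and the first thing a maintainer would want confirmed before reading the full trace.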