[BUG] KASAN: slab-use-after-free in phantom_poll
From: Shuangpeng Bai
Date: Sun Jun 14 2026 - 18:25:26 EST
Hi Kernel Maintainers,
I hit the following report while testing the current upstream kernel:
KASAN: slab-use-after-free in phantom_poll
I reproduced this on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/9ebd2c068afd887ba91fcb77f312d6e4
I'm happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[ 175.822967][ T8426] BUG: KASAN: slab-use-after-free in phantom_poll (drivers/misc/phantom.c:266)
[ 175.827261][ T8426] Read of size 8 at addr ffff888124e23020 by task phantom_old_fd_/8426
[ 175.828414][ T8426] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 175.828418][ T8426] Call Trace:
[ 175.828422][ T8426] <TASK>
[ 175.828425][ T8426] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 175.828433][ T8426] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 175.828445][ T8426] kasan_report (mm/kasan/report.c:595)
[ 175.828452][ T8426] phantom_poll (drivers/misc/phantom.c:266)
[ 175.828456][ T8426] do_sys_poll (include/linux/poll.h:82 fs/select.c:877 fs/select.c:920 fs/select.c:1015)
[ 175.829625][ T8426] __x64_sys_poll (fs/select.c:1072 fs/select.c:1060 fs/select.c:1060)
[ 175.829637][ T8426] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 175.829641][ T8426] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 175.829673][ T8426] </TASK>
[ 175.857686][ T8426] Freed by task 8426 on cpu 0 at 175.821282s:
[ 175.858322][ T8426] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 175.858811][ T8426] kasan_save_free_info (mm/kasan/generic.c:584)
[ 175.859338][ T8426] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 175.859831][ T8426] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 175.860237][ T8426] phantom_remove (drivers/misc/phantom.c:453)
[ 175.860721][ T8426] pci_device_remove (drivers/pci/pci-driver.c:512)
[ 175.861226][ T8426] device_release_driver_internal (drivers/base/dd.c:619 drivers/base/dd.c:1352 drivers/base/dd.c:1375)
[ 175.861849][ T8426] unbind_store (drivers/base/bus.c:244)
[ 175.862325][ T8426] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 175.862872][ T8426] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 175.863323][ T8426] ksys_write (fs/read_write.c:740)
[ 175.863774][ T8426] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 175.864261][ T8426] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 175.865117][ T8426] The buggy address belongs to the object at ffff888124e23000
[ 175.865117][ T8426] which belongs to the cache kmalloc-256 of size 256
[ 175.866544][ T8426] The buggy address is located 32 bytes inside of
[ 175.866544][ T8426] freed 256-byte region [ffff888124e23000, ffff888124e23100)

Best,
Shuangpeng