[BUG] KASAN: slab-use-after-free in smo8800_misc_release

From: Shuangpeng Bai

Date: Sun Jun 14 2026 - 21:20:59 EST


Hi Kernel Maintainers,

I hit the following report while testing the current upstream kernel:

KASAN: slab-use-after-free in smo8800_misc_release

I reproduced this on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/0e7f7e0272ec4df28a7070a6e757b03b

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[ 54.037363][ T8372] BUG: KASAN: slab-use-after-free in smo8800_misc_release (include/linux/instrumented.h:97 include/asm-generic/bitops/instrumented-atomic.h:41 drivers/platform/x86/dell/dell-smo8800.c:95)
[ 54.039643][ T8372] Write of size 8 at addr ffff888120aa1c90 by task smo8800_oldfd_r/8372
[ 54.042358][ T8372] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 54.042364][ T8372] Call Trace:
[ 54.042373][ T8372] <TASK>
[ 54.042379][ T8372] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 54.042393][ T8372] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 54.042436][ T8372] kasan_report (mm/kasan/report.c:595)
[ 54.042454][ T8372] kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[ 54.042463][ T8372] smo8800_misc_release (include/linux/instrumented.h:97 include/asm-generic/bitops/instrumented-atomic.h:41 drivers/platform/x86/dell/dell-smo8800.c:95)
[ 54.042471][ T8372] __fput (fs/file_table.c:510)
[ 54.042487][ T8372] fput_close_sync (fs/file_table.c:615)
[ 54.042523][ T8372] __x64_sys_close (fs/open.c:1507 fs/open.c:1492 fs/open.c:1492)
[ 54.042534][ T8372] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 54.042549][ T8372] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 54.042621][ T8372] </TASK>
[ 54.064208][ T8372] Freed by task 8372 on cpu 0 at 53.931664s:
[ 54.064831][ T8372] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 54.065319][ T8372] kasan_save_free_info (mm/kasan/generic.c:584)
[ 54.065842][ T8372] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 54.066340][ T8372] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 54.066752][ T8372] devres_release_all (drivers/base/devres.c:50 drivers/base/devres.c:547 drivers/base/devres.c:576)
[ 54.067280][ T8372] device_release_driver_internal (drivers/base/dd.c:598 drivers/base/dd.c:1357 drivers/base/dd.c:1375)
[ 54.067908][ T8372] unbind_store (drivers/base/bus.c:244)
[ 54.068376][ T8372] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 54.068920][ T8372] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 54.069355][ T8372] ksys_write (fs/read_write.c:740)
[ 54.069803][ T8372] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 54.070280][ T8372] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 54.071132][ T8372] The buggy address belongs to the object at ffff888120aa1c00
[ 54.071132][ T8372] which belongs to the cache kmalloc-192 of size 192
[ 54.072546][ T8372] The buggy address is located 144 bytes inside of
[ 54.072546][ T8372] freed 192-byte region [ffff888120aa1c00, ffff888120aa1cc0)


Best,
Shuangpeng
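A user-space model of the lifetime problem the trace shows (an open misc fd, a driver unbind that frees the devm-allocated private data through devres_release_all(), then a close() whose ->release writes into that storage), added here as an illustration; it is not code from the report or from dell-smo8800, and the field names, the refcount-based hardening and the "freed" flag are assumptions of the model:

```c
/* Illustrative model (not dell-smo8800 code): the driver's private data is
 * devm-allocated, so devres frees it at unbind, while an open misc fd still
 * holds a raw pointer and writes to it from ->release (the clear_bit() that
 * KASAN reported as "Write of size 8"). Names and the fix are assumptions. */
struct smo8800_device {
	int refs;               /* references held: driver binding + open files */
	unsigned long misc_opened;
	int freed;              /* simulation flag: 1 once the storage is "freed" */
};
/* Stand-in for kfree() via devres: mark instead of free so the model detects
 * a use-after-free deterministically instead of relying on KASAN. */
static void dev_free(struct smo8800_device *d) { d->freed = 1; }
/* Buggy shape: unbind frees unconditionally, release dereferences anyway.
 * Returns 1 when the write in release hit freed storage. */
static void unbind_buggy(struct smo8800_device *d) { dev_free(d); }
static int release_buggy(struct smo8800_device *d)
{
	int uaf = d->freed;
	d->misc_opened = 0;     /* the write KASAN flagged */
	return uaf;
}
/* Hardened shape: the object is refcounted; open takes a reference, unbind
 * and release each drop one, and storage goes away only with the last drop.
 * A real fix would also flag the device as gone so later reads fail cleanly. */
static void dev_put(struct smo8800_device *d) { if (--d->refs == 0) dev_free(d); }
static void open_fixed(struct smo8800_device *d) { d->refs++; d->misc_opened = 1; }
static void unbind_fixed(struct smo8800_device *d) { dev_put(d); }
static int release_fixed(struct smo8800_device *d)
{
	int uaf = d->freed;
	d->misc_opened = 0;
	dev_put(d);
	return uaf;
}
/* Replays the reporter's sequence: open(), "echo ... > unbind", close().
 * Returns 1 if release touched freed memory, 0 otherwise. */
static int replay(int hardened)
{
	struct smo8800_device d = { .refs = 1, .misc_opened = 0, .freed = 0 };
	if (hardened) {
		open_fixed(&d);
		unbind_fixed(&d);     /* refs 2 -> 1: storage survives the unbind */
		return release_fixed(&d);
	}
	d.misc_opened = 1;            /* open() in the buggy shape sets the bit */
	unbind_buggy(&d);
	return release_buggy(&d);
}
```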