Re: [BUG] KASAN: slab-use-after-free in is_free_buddy_page from megaraid_sas
From: Shuangpeng Bai
Date: Sun Jun 14 2026 - 22:28:06 EST
Hi,
I hit another KASAN report that may be related to this megaraid_sas
management ioctl lifetime issue. I have not confirmed that it has the same
root cause, but this report trips earlier in megasas_mgmt_ioctl_fw(), while
accessing instance->requestorId after megasas_lookup_instance().
The issue was reproduced by racing MEGASAS_IOC_FIRMWARE ioctls against
unbind/bind of the megaraid_sas PCI device.
KASAN: use-after-free in megasas_mgmt_ioctl_fw
I reproduced this on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
To help trigger the bug more reliably, we applied a minimal diagnostic patch
that only adds a delay.
The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/72dca59b156aed25639db779bafdf7e4
I'm happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
[ 1445.240069][ T8341] BUG: KASAN: use-after-free in megasas_mgmt_ioctl_fw (drivers/scsi/megaraid/megaraid_sas_base.c:8546)
[ 1445.242466][ T8341] Read of size 1 at addr ffff888115b7d909 by task repro_megasas_l/8341
[ 1445.244862][ T8341]
[ 1445.245578][ T8341] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 1445.245586][ T8341] Call Trace:
[ 1445.245595][ T8341] <TASK>
[ 1445.245601][ T8341] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 1445.245617][ T8341] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 1445.245670][ T8341] kasan_report (mm/kasan/report.c:595)
[ 1445.245697][ T8341] megasas_mgmt_ioctl_fw (drivers/scsi/megaraid/megaraid_sas_base.c:8546)
[ 1445.245721][ T8341] megasas_mgmt_ioctl (drivers/scsi/megaraid/megaraid_sas_base.c:8630)
[ 1445.245731][ T8341] __se_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:597 fs/ioctl.c:583)
[ 1445.245741][ T8341] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 1445.245772][ T8341] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 1445.245783][ T8341] RIP: 0033:0x7f11ae510237
[ 1445.245794][ T8341] Code: 00 00 00 48 8b 05 59 cc 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 29 cc 0d 00 f7 d8 64 89 01 48
[ 1445.245804][ T8341] RSP: 002b:00007f11ae41ad38 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 1445.245819][ T8341] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f11ae510237
[ 1445.245827][ T8341] RDX: 00007f11ae41ad40 RSI: 00000000c1944d01 RDI: 0000000000000003
[ 1445.245834][ T8341] RBP: 00007f11ae41ad40 R08: 0000000000000000 R09: 00007f11ae41b700
[ 1445.245840][ T8341] R10: fffffffffffff7ee R11: 0000000000000202 R12: 0000000000000003
[ 1445.245846][ T8341] R13: 00007ffe50e3399f R14: 00007f11ae41afc0 R15: 0000000000802000
[ 1445.245859][ T8341] </TASK>
[ 1445.245863][ T8341]
Best,
Shuangpeng
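Added example, not the reporter's reproducer (that is in the linked gist) and not driver code. It does two things a practitioner would want when reading the report above: it decodes the ioctl request number that appears in RSI in the register dump (0xc1944d01) and checks it against MEGASAS_IOC_FIRMWARE rebuilt from the packet layout in drivers/scsi/megaraid/megaraid_sas.h, which confirms which ioctl was in flight; and it sketches the race the mail describes, one process hammering that ioctl on /dev/megaraid_sas_ioctl_node while another cycles the device through /sys/bus/pci/drivers/megaraid_sas/unbind and bind. Assumptions: the PCI address and SCSI host number are command-line arguments, the ioctl packet is a zeroed placeholder (only the instance lookup matters for the race, not the frame contents), the Linux generic ioctl bit layout is spelled out by hand instead of using _IOWR, and running the harness needs root and a real or emulated megaraid_sas device.

```c
/* Added example: decode the ioctl number from the KASAN register dump and
 * race MEGASAS_IOC_FIRMWARE against PCI unbind/bind. Not the reporter's code. */
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mirror of struct megasas_iocpacket from megaraid_sas.h (MAX_IOCTL_SGE = 16);
 * the frame union is kept only as its raw[128] view. Packed, as in the driver. */
#define MAX_IOCTL_SGE 16
struct megasas_iocpacket {
	uint16_t host_no;
	uint16_t pad1;
	uint32_t sgl_off;
	uint32_t sge_count;
	uint32_t sense_off;
	uint32_t sense_len;
	uint8_t frame[128];
	struct iovec sgl[MAX_IOCTL_SGE];
} __attribute__((packed));

/* Linux generic ioctl encoding (include/uapi/asm-generic/ioctl.h):
 * bits 0-7 nr, 8-15 type, 16-29 size, 30-31 direction (1 = write, 2 = read). */
struct ioc_fields { unsigned dir, size; char type; unsigned nr; };

static struct ioc_fields ioc_decode(uint32_t req)
{
	struct ioc_fields f = {
		.nr = req & 0xff,
		.type = (char)((req >> 8) & 0xff),
		.size = (req >> 16) & 0x3fff,
		.dir = (req >> 30) & 0x3,
	};
	return f;
}

static uint32_t ioc_encode(unsigned dir, char type, unsigned nr, unsigned size)
{
	return (dir << 30) | (size << 16) | ((uint32_t)(uint8_t)type << 8) | nr;
}

/* MEGASAS_IOC_FIRMWARE is _IOWR('M', 1, struct megasas_iocpacket); dir 3 = read|write.
 * For the 64-bit layout this evaluates to 0xc1944d01, the RSI value in the report. */
static uint32_t megasas_ioc_firmware(void)
{
	return ioc_encode(3, 'M', 1, (unsigned)sizeof(struct megasas_iocpacket));
}

static int sysfs_write(const char *path, const char *val)
{
	int fd = open(path, O_WRONLY);
	if (fd < 0)
		return -1;
	ssize_t n = write(fd, val, strlen(val));
	close(fd);
	return n < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s <pci-bdf, e.g. 0000:00:04.0> <scsi-host-no>\n", argv[0]);
		return 2;
	}
	const char *bdf = argv[1];
	struct megasas_iocpacket ioc;
	memset(&ioc, 0, sizeof(ioc));          /* placeholder packet, see lead-in */
	ioc.host_no = (uint16_t)atoi(argv[2]);  /* assumption: host number from the CLI */

	pid_t pid = fork();
	if (pid < 0) {
		perror("fork");
		return 1;
	}
	if (pid == 0) {
		/* Child: issue MEGASAS_IOC_FIRMWARE in a loop. Each call looks up the
		 * instance by host_no first, which is the window the report describes. */
		int fd = open("/dev/megaraid_sas_ioctl_node", O_RDWR);
		if (fd < 0) {
			perror("open /dev/megaraid_sas_ioctl_node");
			_exit(1);
		}
		for (;;)
			ioctl(fd, megasas_ioc_firmware(), &ioc);
	}
	/* Parent: cycle the PCI device through unbind/bind, then stop the child.
	 * With KASAN enabled, a hit shows up in dmesg, not in this program's output. */
	for (int i = 0; i < 200; i++) {
		sysfs_write("/sys/bus/pci/drivers/megaraid_sas/unbind", bdf);
		sysfs_write("/sys/bus/pci/drivers/megaraid_sas/bind", bdf);
	}
	kill(pid, SIGKILL);
	waitpid(pid, NULL, 0);
	return 0;
}
```

The decode side is useful on its own: for any ioctl-path KASAN report with a register dump, RSI holds the request number, and splitting it into type, nr and size tells you which ioctl and which argument structure were involved before you open the driver source. The harness side uses fork rather than threads so it builds with no extra link flags; it deliberately does not try to time the window, since the reporter's diagnostic delay patch is what makes the race reliable.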