[BUG] KASAN: slab-use-after-free in parport_register_dev_model
From: Chris Bainbridge
Date: Sat Feb 28 2026 - 16:55:47 EST

Hi,

I saw the following when booting 7.0-rc1 (on a modern AMD laptop with no
parallel port). The bug appears to be intermittent - I tried rebooting a
few times to see if it would trivially reoccur, but it did not.

[ 7.234416] systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.
[ 7.249613] ==================================================================
[ 7.250299] BUG: KASAN: slab-use-after-free in parport_register_dev_model+0xd99/0xe20 [parport]
[ 7.250864] Read of size 8 at addr ffff88810969feb8 by task systemd-modules/289
[ 7.251957] CPU: 11 UID: 0 PID: 289 Comm: systemd-modules Not tainted 7.0.0-rc1 #446 PREEMPT(lazy)
[ 7.251961] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.14 10/25/2023
[ 7.251962] Call Trace:
[ 7.251964] <TASK>
[ 7.251965] dump_stack_lvl+0x6a/0x90
[ 7.251972] print_report+0x174/0x4f2
[ 7.251975] ? __virt_addr_valid+0x208/0x430
[ 7.251979] ? parport_register_dev_model+0xd99/0xe20 [parport]
[ 7.251983] kasan_report+0xdb/0x1b0
[ 7.251988] ? parport_register_dev_model+0xd99/0xe20 [parport]
[ 7.251993] parport_register_dev_model+0xd99/0xe20 [parport]
[ 7.251999] lp_register+0xfe/0x320 [lp]
[ 7.252003] ? lp_reset.isra.0+0x4e0/0x4e0 [lp]
[ 7.252006] ? 0xffffffffc0440000
[ 7.252009] ? mark_held_locks+0x40/0x70
[ 7.252012] ? _raw_spin_unlock_irqrestore+0x48/0x60
[ 7.252016] ? _raw_spin_unlock_irqrestore+0x48/0x60
[ 7.252018] lp_attach+0x123/0x1e0 [lp]
[ 7.252021] ? parport_irq_handler+0xc0/0xc0 [parport]
[ 7.252026] port_check+0x5c/0x90 [parport]
[ 7.252031] bus_for_each_dev+0x101/0x180
[ 7.252035] ? bus_remove_file+0x40/0x40
[ 7.252038] ? kobject_put+0x5d/0x4e0
[ 7.252043] __parport_register_driver+0x145/0x1d0 [parport]
[ 7.252048] lp_init_module+0x57d/0x1000 [lp]
[ 7.252051] ? ppdev_cleanup+0xd30/0xd30 [ppdev]
[ 7.252056] ? ppdev_cleanup+0xd30/0xd30 [ppdev]
[ 7.252059] do_one_initcall+0xce/0x4d0
[ 7.252062] ? trace_event_raw_event_initcall_level+0x200/0x200
[ 7.252066] ? kasan_unpoison+0x40/0x60
[ 7.252069] do_init_module+0x27b/0x830
[ 7.252073] ? free_module+0x450/0x450
[ 7.252075] ? kfree+0x226/0x5e0
[ 7.252078] ? lockdep_hardirqs_on+0x78/0x100
[ 7.252081] load_module+0x5f71/0x8f70
[ 7.252088] ? module_frob_arch_sections+0x20/0x20
[ 7.252090] ? process_measurement+0x1c80/0x1c80
[ 7.252095] ? rw_verify_area+0x33d/0x540
[ 7.252100] ? kernel_read_file+0x3db/0x870
[ 7.252103] ? __ia32_sys_fsconfig+0x150/0x150
[ 7.252107] ? init_module_from_file+0x153/0x180
[ 7.252109] init_module_from_file+0x153/0x180
[ 7.252111] ? __do_sys_init_module+0x250/0x250
[ 7.252114] ? __x64_sys_pread64+0x199/0x1e0
[ 7.252118] ? find_held_lock+0x2b/0x80
[ 7.252120] ? idempotent_init_module+0x5e5/0x760
[ 7.252123] ? idempotent_init_module+0x5e5/0x760
[ 7.252125] ? lock_release+0x17b/0x2d0
[ 7.252127] ? do_raw_spin_unlock+0x54/0x1e0
[ 7.252130] idempotent_init_module+0x22d/0x760
[ 7.252133] ? init_module_from_file+0x180/0x180
[ 7.252139] __x64_sys_finit_module+0xca/0x150
[ 7.252141] ? do_syscall_64+0x57/0x810
[ 7.252144] do_syscall_64+0x13a/0x810
[ 7.252146] ? lockdep_hardirqs_on+0x78/0x100
[ 7.252148] ? do_syscall_64+0x281/0x810
[ 7.252150] ? do_syscall_64+0x263/0x810
[ 7.252153] ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 7.252155] ? lockdep_hardirqs_on+0x78/0x100
[ 7.252157] ? do_syscall_64+0x281/0x810
[ 7.252159] ? find_held_lock+0x2b/0x80
[ 7.252161] ? exc_page_fault+0x83/0x110
[ 7.252163] ? exc_page_fault+0x83/0x110
[ 7.252165] ? lock_release+0x17b/0x2d0
[ 7.252168] ? irqentry_exit+0xe7/0x670
[ 7.252170] ? lockdep_hardirqs_on_prepare+0xdd/0x1a0
[ 7.252173] ? irqentry_exit+0xec/0x670
[ 7.252175] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 7.252177] RIP: 0033:0x7f93c92de8cd
[ 7.252179] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 c5 0d 00 f7 d8 64 89 01 48
[ 7.252182] RSP: 002b:00007f93c8975b48 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 7.252185] RAX: ffffffffffffffda RBX: 00007f93c0009bf0 RCX: 00007f93c92de8cd
[ 7.252187] RDX: 0000000000000000 RSI: 00007f93c716d317 RDI: 000000000000000b
[ 7.252188] RBP: 00007f93c8975be0 R08: 0000000000000000 R09: 00007f93c0009e80
[ 7.252190] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f93c716d317
[ 7.252191] R13: 00007f93c00020a0 R14: 0000000000020000 R15: 0000000000000000
[ 7.252195] </TASK>
[ 7.257125] systemd[1]: Starting systemd-tmpfiles-setup-dev-early.service - Create Static Device Nodes in /dev gracefully...
[ 7.257511] Allocated by task 277:
[ 7.257513] kasan_save_stack+0x2c/0x50
[ 7.277216] kasan_save_track+0x10/0x30
[ 7.277220] __kasan_kmalloc+0x83/0x90
[ 7.277222] __parport_pc_probe_port+0x8c3/0x1950 [parport_pc]
[ 7.277226] parport_pc_exit+0x1efc/0x2650 [parport_pc]
[ 7.277229] do_one_initcall+0xce/0x4d0
[ 7.277232] do_init_module+0x27b/0x830
[ 7.277234] load_module+0x5f71/0x8f70
[ 7.277236] init_module_from_file+0x153/0x180
[ 7.277238] idempotent_init_module+0x22d/0x760
[ 7.277240] __x64_sys_finit_module+0xca/0x150
[ 7.277242] do_syscall_64+0x13a/0x810
[ 7.277244] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 7.277247] Freed by task 277:
[ 7.277249] kasan_save_stack+0x2c/0x50
[ 7.277251] kasan_save_track+0x10/0x30
[ 7.277253] kasan_save_free_info+0x37/0x50
[ 7.277255] __kasan_slab_free+0x3b/0x60
[ 7.277257] kfree+0x226/0x5e0
[ 7.277259] __parport_pc_probe_port+0x521/0x1950 [parport_pc]
[ 7.277262] parport_pc_exit+0x1efc/0x2650 [parport_pc]
[ 7.277264] do_one_initcall+0xce/0x4d0
[ 7.277266] do_init_module+0x27b/0x830
[ 7.277268] load_module+0x5f71/0x8f70
[ 7.277270] init_module_from_file+0x153/0x180
[ 7.277272] idempotent_init_module+0x22d/0x760
[ 7.277274] __x64_sys_finit_module+0xca/0x150
[ 7.277276] do_syscall_64+0x13a/0x810
[ 7.277278] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 7.277280] The buggy address belongs to the object at ffff88810969fe00
which belongs to the cache kmalloc-192 of size 192
[ 7.277282] The buggy address is located 184 bytes inside of
freed 192-byte region [ffff88810969fe00, ffff88810969fec0)
[ 7.277285] The buggy address belongs to the physical page:
[ 7.277287] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10969e
[ 7.277289] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 7.277291] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 7.277294] page_type: f5(slab)
[ 7.277297] raw: 0017ffffc0000040 ffff8881000423c0 dead000000000100 dead000000000122
[ 7.277299] raw: 0000000000000000 0000000000200020 00000000f5000000 0000000000000000
[ 7.277301] head: 0017ffffc0000040 ffff8881000423c0 dead000000000100 dead000000000122
[ 7.277303] head: 0000000000000000 0000000000200020 00000000f5000000 0000000000000000
[ 7.277304] head: 0017ffffc0000001 ffffea000425a781 00000000ffffffff 00000000ffffffff
[ 7.277305] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 7.277306] page dumped because: kasan: bad access detected
[ 7.277308] Memory state around the buggy address:
[ 7.277309] ffff88810969fd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 7.277311] ffff88810969fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 7.277312] >ffff88810969fe80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 7.277313]                                         ^
[ 7.277314] ffff88810969ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 7.277316] ffff88810969ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 7.277317] ==================================================================
[ 7.277390] Disabling lock debugging due to kernel taint
[ 7.294143] lp: driver loaded but no devices found
[ 7.294157] ppdev: user-space parallel port driver
[ 7.318526] systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.