[BUG] KASAN: slab-use-after-free in firmware_map_add_hotplug
From: Shuangpeng Bai
Date: Sun Jun 14 2026 - 15:23:39 EST
Hi Kernel Maintainers,
I hit the following report while testing the current upstream kernel:
KASAN: slab-use-after-free in firmware_map_add_hotplug
on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/05186849a5f624d676dc87d1aada1ebb
I'm happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
[ 260.257996][ T8288] BUG: KASAN: slab-use-after-free in firmware_map_add_hotplug (drivers/firmware/memmap.c:225 drivers/firmware/memmap.c:248 drivers/firmware/memmap.c:286)
[ 260.258917][ T8288] Read of size 8 at addr ffff8881164bca00 by task bash/8288
[ 260.259645][ T8288]
[ 260.259920][ T8288] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 260.259923][ T8288] Call Trace:
[ 260.259926][ T8288] <TASK>
[ 260.259929][ T8288] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 260.259935][ T8288] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 260.259953][ T8288] kasan_report (mm/kasan/report.c:595)
[ 260.259963][ T8288] firmware_map_add_hotplug (drivers/firmware/memmap.c:225 drivers/firmware/memmap.c:248 drivers/firmware/memmap.c:286)
[ 260.259968][ T8288] add_memory_resource (mm/memory_hotplug.c:1569)
[ 260.260013][ T8288] __add_memory (mm/memory_hotplug.c:1609)
[ 260.260017][ T8288] probe_store (drivers/base/memory.c:582)
[ 260.260039][ T8288] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 260.260044][ T8288] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 260.260071][ T8288] ksys_write (fs/read_write.c:740)
[ 260.260081][ T8288] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 260.260087][ T8288] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 260.260091][ T8288] RIP: 0033:0x7fa5761be473
[ 260.260096][ T8288] Code: 8b 15 21 2a 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
[ 260.260100][ T8288] RSP: 002b:00007ffd2ca767d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 260.260106][ T8288] RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fa5761be473
[ 260.260110][ T8288] RDX: 000000000000000b RSI: 000056533b27a5d0 RDI: 0000000000000001
[ 260.260113][ T8288] RBP: 000056533b27a5d0 R08: 00007fa576262040 R09: 00007fa5762620c0
[ 260.260115][ T8288] R10: 00007fa576261fc0 R11: 0000000000000246 R12: 000000000000000b
[ 260.260118][ T8288] R13: 00007fa5762a26a0 R14: 000000000000000b R15: 00007fa57629d880
[ 260.260124][ T8288] </TASK>
[ 260.260126][ T8288]
[ 260.281956][ T8288] Freed by task 8288 on cpu 1 at 260.173806s:
[ 260.282369][ T8288] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 260.282774][ T8288] kasan_save_free_info (mm/kasan/generic.c:584)
[ 260.283119][ T8288] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 260.283451][ T8288] kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 260.283722][ T8288] kobject_put (lib/kobject.c:689 lib/kobject.c:720 ./include/linux/kref.h:65 lib/kobject.c:737)
[ 260.284025][ T8288] firmware_map_add_hotplug (drivers/firmware/memmap.c:192 drivers/firmware/memmap.c:306)
[ 260.284404][ T8288] add_memory_resource (mm/memory_hotplug.c:1569)
[ 260.284758][ T8288] __add_memory (mm/memory_hotplug.c:1609)
[ 260.285054][ T8288] probe_store (drivers/base/memory.c:582)
[ 260.285371][ T8288] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 260.285733][ T8288] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 260.286026][ T8288] ksys_write (fs/read_write.c:740)
[ 260.286327][ T8288] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 260.286644][ T8288] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 260.287054][ T8288]
[ 260.287220][ T8288] The buggy address belongs to the object at ffff8881164bca00
[ 260.287220][ T8288] which belongs to the cache kmalloc-128 of size 128
[ 260.288174][ T8288] The buggy address is located 0 bytes inside of
[ 260.288174][ T8288] freed 128-byte region [ffff8881164bca00, ffff8881164bca80)
[ 260.289086][ T8288]
[ 260.289251][ T8288] The buggy address belongs to the physical page:
[ 260.289690][ T8288] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1164bc
[ 260.290298][ T8288] flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 260.290809][ T8288] page_type: f5(slab)
[ 260.291086][ T8288] raw: 017ff00000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 260.291676][ T8288] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 260.292270][ T8288] page dumped because: kasan: bad access detected
[ 260.292726][ T8288] page_owner tracks the page as allocated
[ 260.293302][ T8288] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8288, tgid 8288 (bash), ts 260132581045, free_ts 260130593098
Best,
Shuangpeng