[BUG] KASAN: slab-use-after-free in get_pfrt_log_data_info

From: Shuangpeng Bai

Date: Sun Jun 14 2026 - 15:43:01 EST


Hi Kernel Maintainers,

I hit the following report while testing the current upstream kernel:

KASAN: slab-use-after-free in get_pfrt_log_data_info

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/d516798907ff96ec17e58f43057f3060

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[ 52.268064][ T8345] BUG: KASAN: slab-use-after-free in get_pfrt_log_data_info (drivers/acpi/pfr_telemetry.c:82)
[ 52.270424][ T8345] Read of size 8 at addr ffff8881023d9048 by task pfrt_telemetry_/8345
[ 52.272696][ T8345]
[ 52.273378][ T8345] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 52.273386][ T8345] Call Trace:
[ 52.273392][ T8345] <TASK>
[ 52.273396][ T8345] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 52.273410][ T8345] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 52.273456][ T8345] kasan_report (mm/kasan/report.c:595)
[ 52.273475][ T8345] get_pfrt_log_data_info (drivers/acpi/pfr_telemetry.c:82)
[ 52.273542][ T8345] pfrt_log_mmap (drivers/acpi/pfr_telemetry.c:314)
[ 52.273588][ T8345] mmap_region (include/linux/fs.h:2071 mm/internal.h:168 mm/vma.c:2496 mm/vma.c:2562 mm/vma.c:2771 mm/vma.c:2857)
[ 52.273703][ T8345] do_mmap (mm/mmap.c:560)
[ 52.273756][ T8345] vm_mmap_pgoff (mm/util.c:581)
[ 52.273805][ T8345] ksys_mmap_pgoff (mm/mmap.c:606)
[ 52.273815][ T8345] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 52.273829][ T8345] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 52.273840][ T8345] RIP: 0033:0x7f7d75db90d2
[ 52.273850][ T8345] Code: e4 e8 62 64 01 00 66 90 41 f7 c1 ff 0f 00 00 75 27 55 48 89 fd 53 89 cb 48 85 ff 74 3b 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 5b 5d c3 0f 1f 00 48 8b 05 89 8d 0d 00 64
[ 52.273859][ T8345] RSP: 002b:00007ffe41f36ac8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 52.273874][ T8345] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f7d75db90d2
[ 52.273881][ T8345] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 52.273887][ T8345] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
[ 52.273892][ T8345] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003
[ 52.273898][ T8345] R13: 0000000000000004 R14: 0000559ef11e17bb R15: 0000000000000000
[ 52.273908][ T8345] </TASK>
[ 52.273912][ T8345]
[ 52.304291][ T8345] Freed by task 8345 on cpu 0 at 52.064366s:
[ 52.304903][ T8345] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 52.305383][ T8345] kasan_save_free_info (mm/kasan/generic.c:584)
[ 52.305893][ T8345] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 52.306381][ T8345] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 52.306779][ T8345] devres_release_all (drivers/base/devres.c:50 drivers/base/devres.c:547 drivers/base/devres.c:576)
[ 52.307297][ T8345] device_release_driver_internal (drivers/base/dd.c:598 drivers/base/dd.c:1357 drivers/base/dd.c:1375)
[ 52.307907][ T8345] unbind_store (drivers/base/bus.c:244)
[ 52.308372][ T8345] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 52.308908][ T8345] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 52.309346][ T8345] ksys_write (fs/read_write.c:740)
[ 52.309785][ T8345] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 52.310257][ T8345] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 52.310850][ T8345]
[ 52.311090][ T8345] The buggy address belongs to the object at ffff8881023d9000
[ 52.311090][ T8345] which belongs to the cache kmalloc-192 of size 192
[ 52.312495][ T8345] The buggy address is located 72 bytes inside of
[ 52.312495][ T8345] freed 192-byte region [ffff8881023d9000, ffff8881023d90c0)
[ 52.313851][ T8345]


Best,
Shuangpeng