Re: [BUG] KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi
From: gregkh@xxxxxxxxxxxxxxxxxxx
Date: Mon Jun 15 2026 - 09:31:54 EST
On Mon, Jun 15, 2026 at 02:19:16PM +0200, Armin Wolf wrote:
> Am 14.06.26 um 21:15 schrieb Shuangpeng Bai:
>
> > Hi Kernel Maintainers,
> >
> > I hit the following report while testing current upstream kernel:
> >
> > KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi
> >
> > on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
> >
> > The reproducer and .config files are here.
> > https://gist.github.com/shuangpengbai/f5b15c099e80897486b4238ddb91df79
> >
> > I'm happy to test debug patches or provide additional information.
>
> It seems that unbinding the dell-smbios-wmi driver races with any outstanding
> file operations on the misc device, causing them to access memory already freed
> by the unbound driver.
How can that happen if the module reference count is properly
incremented when the file is open? Perhaps the driver isn't doing that
correctly?
> I do not know if the misc device synchronizes file operations against removal,
> but i do not think that this is the case. I added the maintains of the char drivers
> to the discussion, maybe they know this.
Wait, is this a module unload, or a manual "unbind" operation from
sysfs? Either way, this something that only root does, and is not part
of any normal operation that a user can trigger, or should ever be
doing, so it's kind of "best effort" if it works at all :)
thanks,
greg k-h