Re: [BUG] KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi

Next message: Matt Evans: "Re: [PATCH v3 4/9] vfio/pci: Convert BAR mmap() to use a DMABUF"
Previous message: Leon Hwang: "[PATCH bpf-next v6 09/12] selftests/bpf: Add test to verify accessing rdonly percpu_array"
In reply to: gregkh@xxxxxxxxxxxxxxxxxxx: "Re: [BUG] KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi"
Next in thread: Armin Wolf: "Re: [BUG] KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnd Bergmann

Date: Mon Jun 15 2026 - 11:35:25 EST

On Mon, Jun 15, 2026, at 15:30, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> On Mon, Jun 15, 2026 at 02:19:16PM +0200, Armin Wolf wrote:
>> Am 14.06.26 um 21:15 schrieb Shuangpeng Bai:
>>
>> > Hi Kernel Maintainers,
>> >
>> > I hit the following report while testing current upstream kernel:
>> >
>> > KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi
>> >
>> > on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>> >
>> > The reproducer and .config files are here.
>> > https://gist.github.com/shuangpengbai/f5b15c099e80897486b4238ddb91df79
>> >
>> > I'm happy to test debug patches or provide additional information.
>>
>> It seems that unbinding the dell-smbios-wmi driver races with any outstanding
>> file operations on the misc device, causing them to access memory already freed
>> by the unbound driver.
>
> How can that happen if the module reference count is properly
> incremented when the file is open? Perhaps the driver isn't doing that
> correctly?

It's not, and I think in addition, the probe function needs to
take a reference on the wmi_device do that does not go away while
the misc device exists.

Arnd