From: Weiming Shi <bestswngs@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>, Shuah Khan <shuah@kernel.org>
Cc: "Starke, Daniel" <daniel.starke@siemens.com>,
Xiang Mei <xmei5@asu.edu>,
linux-serial@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-kernel@vger.kernel.org, Weiming Shi <bestswngs@gmail.com>
Subject: [PATCH v2 0/2] tty: n_gsm: fix gsm_queue() UAF and add a base regression test
Date: Tue, 16 Jun 2026 10:32:38 -0700
Message-ID: <20260616173240.3665059-1-bestswngs@gmail.com>
The receive worker walks gsm->dlci[] without gsm->mutex while a
concurrent GSMIOC_SETCONF -> gsm_cleanup_mux() frees the DLCIs, so the
control handlers can dereference a freed gsm_dlci. v1's NULL check only
narrowed the window; v2 fixes the use-after-free itself.

The fix pins each DLCI the dispatch dereferences with its existing
tty_port reference (option 2), so the data path stays lock-free. See the
patch 1 commit message for details, including why the late destructor
uses cmpxchg() so it cannot wipe a re-created mux (Daniel's teardown
concern).

Changes since v1:
- Fix the UAF by reference-pinning instead of a NULL check in the
  handlers; no gsm->mutex in the data path (Greg, Daniel).
- Pin every DLCI the dispatch touches, not just the addressed one:
  MSC/RLS/PN operate on gsm->dlci[k] named in the payload.
- Add a base selftest (patch 2), as Greg asked.

Verification (KASAN, panic_on_warn=1): the originally reported splat is
the gsm_control_reply() / CMD_TEST path (see the Link in patch 1). A
reproducer targeting the MSC handler crashes the unpatched kernel and
survives 270 race rounds on v2. The selftest passes on both the clean
and patched kernel (pass:3 fail:0 skip:0).

Weiming Shi (2):
  tty: n_gsm: fix use-after-free in gsm_queue() control frame dispatch
  selftests: tty: add base regression test for n_gsm line discipline

 drivers/tty/n_gsm.c                          | 105 +++++-
 tools/testing/selftests/tty/.gitignore       |   1 +
 tools/testing/selftests/tty/Makefile         |   2 +-
 tools/testing/selftests/tty/config           |   1 +
 tools/testing/selftests/tty/tty_n_gsm_test.c | 344 +++++++++++++++++++
 5 files changed, 443 insertions(+), 10 deletions(-)
 create mode 100644 tools/testing/selftests/tty/tty_n_gsm_test.c
--
2.43.0
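The reference-pinning and cmpxchg() destructor the cover letter describes, as an added example that is not the patch's own code: a sequential C model with hypothetical names (`mux`, `slot`, `mux_pin`, `mux_put`) in which a reader holds a freed-late object through its refcount, a new object is created in the same slot, and the late destructor's compare-and-swap leaves the new object in place where an unconditional NULL store would wipe it.

```c
/* Added model of the cover letter's pattern (hypothetical names, sequential,
 * not the n_gsm patch): readers pin an object by refcount and the late
 * destructor unlinks its slot with cmpxchg so it cannot wipe a new object. */
#include <stdatomic.h>
#include <stdlib.h>
struct mux { atomic_int refs; int id; };
static _Atomic(struct mux *) slot;	/* stands in for one gsm->dlci[] entry */
static int plain_store;	/* 1: destructor writes NULL unconditionally (the bug) */
static struct mux *mux_create(int id)
{
	struct mux *m = calloc(1, sizeof(*m));
	m->id = id;
	atomic_init(&m->refs, 1);	/* the table's own reference */
	atomic_store(&slot, m);
	return m;
}
static void mux_put(struct mux *m)
{
	struct mux *expected = m;
	if (atomic_fetch_sub(&m->refs, 1) != 1)
		return;
	/* Late destructor: unlink the slot only if it still points at this mux. */
	if (plain_store)
		atomic_store(&slot, (struct mux *)NULL);
	else
		atomic_compare_exchange_strong(&slot, &expected, (struct mux *)NULL);
	free(m);
}
/* Reader side; a real reader must also close the load-then-increment window. */
static struct mux *mux_pin(void)
{
	struct mux *m = atomic_load(&slot);
	if (m)
		atomic_fetch_add(&m->refs, 1);
	return m;
}
/* Reader pins mux 1, teardown runs, mux 2 takes the same slot, reader drops
 * mux 1. Returns 1 if mux 2 is still in the slot afterwards, 0 if wiped. */
static int run_recreate_scenario(int destructor_plain_store)
{
	struct mux *old = mux_create(1), *pinned = mux_pin(), *fresh;
	int survived;
	plain_store = destructor_plain_store;
	mux_put(old);		/* teardown drops the table's ref; reader still holds one */
	fresh = mux_create(2);
	mux_put(pinned);	/* mux 1 freed here; its destructor runs */
	survived = atomic_load(&slot) == fresh;
	mux_put(fresh);		/* normal teardown of mux 2 */
	return survived;
}
```

The model shows only the destructor-side ordering; closing the window between loading the pointer and taking the reference is what the patch's use of the existing tty_port reference is for, and is not modelled here.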
Thread overview: 6+ messages
2026-06-16 17:32 Weiming Shi [this message]
2026-06-16 17:32 ` [PATCH v2 1/2] tty: n_gsm: fix use-after-free in gsm_queue() control frame dispatch Weiming Shi
2026-06-16 17:32 ` [PATCH v2 2/2] selftests: tty: add base regression test for n_gsm line discipline Weiming Shi
2026-06-17 1:24 ` [PATCH v2 0/2] tty: n_gsm: fix gsm_queue() UAF and add a base regression test Greg Kroah-Hartman
2026-06-17 5:54 ` Weiming Shi
2026-06-17 7:26 ` Starke, Daniel