From: Greg KH <gregkh@linuxfoundation.org>
To: Shuangpeng <shuangpeng.kernel@gmail.com>
Cc: vaibhavgupta40@gmail.com, jens.taprogge@taprogge.org,
kees@kernel.org, industrypack-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Subject: Re: [BUG] KASAN: slab-use-after-free in ipoctal_write_tty
Date: Tue, 16 Jun 2026 08:16:00 +0530
Message-ID: <2026061658-expert-chimp-f49c@gregkh>
In-Reply-To: <D546833B-3655-42A5-A838-6A84A61AC2A5@gmail.com>

On Mon, Jun 15, 2026 at 08:11:49PM -0400, Shuangpeng wrote:
>
>
> > On Jun 15, 2026, at 16:49, Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Mon, Jun 15, 2026 at 04:33:09PM -0400, Shuangpeng wrote:
> >>
> >>
> >>> On Jun 15, 2026, at 00:03, Greg KH <gregkh@linuxfoundation.org> wrote:
> >>>
> >>> On Sun, Jun 14, 2026 at 03:48:50PM -0400, Shuangpeng Bai wrote:
> >>>> Hi Kernel Maintainers,
> >>>>
> >>>> I hit the following report while testing current upstream kernel:
> >>>>
> >>>> KASAN: slab-use-after-free in ipoctal_write_tty
> >>>
> >>> Cool, do you have this hardware, or is this only virtual testing?
> >>
> >> No, I do not have the physical hardware. This was reproduced with
> >> unmodified QEMU using its existing TPCI200/IP-Octal emulation.
> >>
> >>>
> >>> If virtual, are you sure that the hardware is being emulated properly?
> >>
> >>
> >> I understand this is not the same as testing on real hardware. However,
> >> my current understanding is that the crash is triggered after a
> >> successful probe through the normal sysfs unbind/remove path while the
> >> ipoctal tty fd is still open. The failing path does not seem to rely on
> >> device-specific emulation details after probe, but rather on the
> >> lifetime of the tty/device state during removal.
> >
> > What specific sysfs unbind path? That's only for root and for testing
> > kernel development, it's not a normal thing that a user does at all,
> > right?
> >
>
> The sysfs path used by the reproducer is:
>
> /sys/bus/pci/drivers/tpci200/unbind
>
> So yes, this is a root-only kernel testing/development path, not a
> normal unprivileged user path.
>
> >> Please let me know if I am missing anything here. I would also
> >> appreciate any suggestions on what I could check to better evaluate
> >> whether the emulation is appropriate for this report.
> >
> > What exactly are you trying to test?
>
> I was trying to test whether the driver handles open ipoctal tty file
> descriptors safely when the backing TPCI200/IPack device is removed.

As you found, it doesn't :)

See the discussions about device unbind and misc/char device nodes on
the mailing lists for many messages about this and potential ways to
resolve it. As it's not a real issue for drivers like this, it's a very
low priority for other people to resolve, but we will always gladly
review patches from others.

thanks,

greg k-h