Re: [PATCH v5] serial: 8250: fix use-after-free in IRQ chain handling

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jing Wu <realwujing@gmail.com>
To: jirislaby@kernel.org
Cc: gregkh@linuxfoundation.org, avorontsov@ru.mvista.com,
	alan@redhat.com, linux-kernel@vger.kernel.org,
	linux-serial@vger.kernel.org, wangzhaolong@fnnas.com
Subject: Re: [PATCH v5] serial: 8250: fix use-after-free in IRQ chain handling
Date: Wed, 24 Jun 2026 16:43:52 +0800	[thread overview]
Message-ID: <20260624084352.2978059-1-realwujing@gmail.com> (raw)
In-Reply-To: <b7c51606-e95a-4a15-9aff-d0c293ebe986@kernel.org>

From: Qiliang Yuan <realwujing@gmail.com>

On Wed, Jun 24, 2026 at 05:31:59AM +0200, Jiri Slaby wrote:
> So what is the reason to switch from guards to manual locking?

Scope-based guards release the lock at the end of the enclosing block,
but the fix requires hash_mutex to be held across request_irq() and
released at different exit points:

  1. IS_ERR(i) -- release hash_mutex and return error.
  2. Already in chain -- release i->lock, release hash_mutex, return 0.
  3. First port, request_irq() fails -- cleanup under hash_mutex, then
     release it and return error.
  4. First port, request_irq() succeeds -- release hash_mutex, return 0.

These paths span different nesting levels and early returns, so scope
guards cannot express the required lock lifecycle.  The same applies to
i->lock: it must be dropped before calling request_irq() (cannot hold a
spinlock while sleeping), but hash_mutex must remain held across the
call, which also breaks the guard model.

Thanks,
Qiliang

     prev parent reply	other threads:[~2026-06-24  8:43 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-24  1:21 [PATCH v5] serial: 8250: fix use-after-free in IRQ chain handling Qiliang Yuan
2026-06-24  3:31 ` Jiri Slaby
2026-06-24  8:43   ` Jing Wu [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260624084352.2978059-1-realwujing@gmail.com \
    --to=realwujing@gmail.com \
    --cc=alan@redhat.com \
    --cc=avorontsov@ru.mvista.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jirislaby@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-serial@vger.kernel.org \
    --cc=wangzhaolong@fnnas.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.