From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, linux-kernel@vger.kernel.org,
hdanton@sina.com, vadim.fedorenko@linux.dev,
simon.horman@kernel.org,
Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Subject: [PATCH net v3 0/1] serial: caif: hold tty->link reference to avoid UAF in pty_write_room
Date: Wed, 25 Feb 2026 20:36:41 -0500
Message-ID: <cover.1772055898.git.shuangpeng.kernel@gmail.com>
Follow-up to the v2 discussion: further debugging shows the KASAN
slab-use-after-free is triggered in pty_write_room(), and the faulting
access is on tty->link->port.

The report points to the peer access in pty_write_room():

    tty_buffer_space_avail(tty->link->port);

This patch holds an extra kref on tty->link for the lifetime of the
caif_serial line discipline: get the reference in ldisc_open() and drop
it in ser_release(), and also drop it on the ldisc_open() error path.

Changes since v2:
- Update the analysis: the observed UAF is on tty->link, not ser->tty.
- Keep tty->link alive while the line discipline is active.

Link: https://lore.kernel.org/all/20260215025141.1106576-1-shuangpeng.kernel@gmail.com/T/#maee804ef687b4442f18c74e8801f5cde421ab000 (v2 thread)
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f (reproducer)

Shuangpeng Bai (1):
  serial: caif: hold tty->link reference in ldisc_open and ser_release

 drivers/net/caif/caif_serial.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.34.1
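A userspace C model of the lifetime rule the cover letter describes, added here as an illustration and not the kernel patch itself: the line discipline pins tty->link in ldisc_open() and releases it in ser_release(), so the peer access in pty_write_room() stays valid after the peer's own reference has been dropped. The struct layout, the `live` flag and the `port_space` value are constructed stand-ins for the real tty_struct, kref and tty_buffer_space_avail().

```c
/* Userspace model of the fix described in the cover letter (not the
 * kernel patch): a pty pair where the caif ldisc pins tty->link. */
#include <stdlib.h>

struct tty {
    int kref;           /* reference count (models tty_kref_get/put) */
    struct tty *link;   /* peer end of the pty pair */
    int live;           /* constructed: 1 while valid, 0 once "freed" */
    int port_space;     /* constructed stand-in for tty_buffer_space_avail */
};

static struct tty *tty_alloc(int space) {
    struct tty *t = calloc(1, sizeof *t);
    t->kref = 1; t->live = 1; t->port_space = space;
    return t;
}
static void tty_kref_get(struct tty *t) { t->kref++; }
static void tty_kref_put(struct tty *t) {
    if (--t->kref == 0) t->live = 0;  /* the kernel would free it here */
}

/* Models pty_write_room(): the peer access KASAN flagged. The model
 * returns -1 where the real code would read freed memory. */
static int pty_write_room(struct tty *tty) {
    if (!tty->link->live) return -1;
    return tty->link->port_space;
}

/* ldisc_open(): with the fix, take a reference on the peer. */
static void ldisc_open(struct tty *tty, int fixed) {
    if (fixed) tty_kref_get(tty->link);
}
/* ser_release(): drop the reference taken in ldisc_open(). */
static void ser_release(struct tty *tty, int fixed) {
    if (fixed) tty_kref_put(tty->link);
}

/* Scenario: the peer's own last reference is dropped while the ldisc is
 * still attached, then the ldisc asks for write room on the peer. */
static int scenario(int fixed) {
    struct tty *master = tty_alloc(256), *slave = tty_alloc(512);
    master->link = slave; slave->link = master;
    ldisc_open(master, fixed);
    tty_kref_put(slave);               /* peer side is closed */
    int room = pty_write_room(master); /* -1 => UAF, 512 => peer pinned */
    ser_release(master, fixed);
    free(slave); free(master);
    return room;
}
```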
Thread overview: 4+ messages
2026-02-26 1:36 Shuangpeng Bai [this message]
2026-02-26 1:36 ` [PATCH net v3 1/1] serial: caif: hold tty->link reference in ldisc_open and ser_release Shuangpeng Bai
2026-02-28 17:49 ` Jakub Kicinski
2026-03-01 22:24 ` Shuangpeng Bai