From: "Wang Zhaolong" <wangzhaolong@fnnas.com>
To: "Qiliang Yuan" <realwujing@gmail.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Jiri Slaby" <jirislaby@kernel.org>,
"Anton Vorontsov" <avorontsov@ru.mvista.com>,
"Alan Cox" <alan@redhat.com>, <linux-kernel@vger.kernel.org>,
<linux-serial@vger.kernel.org>
Subject: Re: [PATCH v3] serial: 8250: fix use-after-free in IRQ chain handling
Date: Fri, 29 May 2026 15:27:33 +0800
Message-ID: <ahk_5U5QAuavMA9U@MiniServer>
In-Reply-To: <20260529-bug-221579-8250-shared-irq-race-v3-1-fe4d430862a9@gmail.com>
v3 fixes the Bugzilla reproducer on my setup.
But this error path is still racy:
> +
> + ret = request_irq(up->port.irq, serial8250_interrupt,
> + up->port.irqflags, up->port.name, i);
> +
> + mutex_unlock(&hash_mutex);
> +
> if (ret < 0)
> serial_do_unlink(i, up);
>
>
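Review bot: the `if (ret < 0)` check now runs after `mutex_unlock(&hash_mutex)`, so on request_irq() failure `serial_do_unlink(i, up)` executes without the lock while `i` is already linked into the list that hash_mutex protects; another port sharing the IRQ can observe the entry in the window between the unlock and the unlink. Move the `if (ret < 0) serial_do_unlink(i, up);` check above `mutex_unlock(&hash_mutex);` so the link is undone under the same lock that published it.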
i is already in irq_lists and i->head is already visible here. On
request_irq() failure, another port can join the chain and return success
without any IRQ handler installed.
The cleanup must happen before dropping hash_mutex.
> Dropping hash_mutex before request_irq() completes also allows another
> port sharing the same IRQ to join the chain and run the shared-IRQ THRE
> test while IRQ startup is still in progress, which can also trigger the
> "Unbalanced enable for IRQ" warning (kernel/irq/manage.c:774) because
> irq_shutdown() in the premature free_irq() path hard-sets desc->depth
> to 1, breaking the disable_irq/enable_irq pairing in
> serial8250_THRE_test().
The changelog is also still inaccurate: irq_shutdown() does not hard-set
desc->depth to 1 on current mainline; it increments desc->depth.
Best regards,
Wang Zhaolong
Thread overview: 2+ messages
2026-05-29 4:36 [PATCH v3] serial: 8250: fix use-after-free in IRQ chain handling Qiliang Yuan
2026-05-29 7:27 ` Wang Zhaolong [this message]