From: Shuangpeng <shuangpeng.kernel@gmail.com>
To: Hillf Danton <hdanton@sina.com>
Cc: netdev@vger.kernel.org, edumazet@google.com,
linux-kernel@vger.kernel.org,
Jiayuan Chen <jiayuan.chen@shopee.com>
Subject: Re: [PATCH net v2 1/1] serial: caif: fix remaining ser->tty UAF in TX path
Date: Sun, 15 Feb 2026 14:22:02 -0500 [thread overview]
Message-ID: <2CCEDE30-6BDF-4815-9975-40EF6C982520@gmail.com> (raw)
In-Reply-To: <20260215085510.3081-1-hdanton@sina.com>
> On Feb 15, 2026, at 03:55, Hillf Danton <hdanton@sina.com> wrote:
>
> On Sat, 14 Feb 2026 21:51:41 -0500 Shuangpeng Bai wrote:
>> A reproducer exposes a KASAN use-after-free in caif_serial's TX path
>> (e.g., via tty_write_room() / tty->ops->write()) on top of commit
>> <308e7e4d0a84> ("serial: caif: fix use-after-free in caif_serial
>> ldisc_close()").
>>
>> That commit moved tty_kref_put() to ser_release(). There is still a race
>> because the TX path may fetch ser->tty and use it while ser_release()
>> drops the last tty reference:
>>
>> CPU 0 (ser_release worker)            CPU 1 (xmit)
>> --------------------------            ------------
>>                                       caif_xmit()
>>                                         handle_tx()
>>                                           tty = ser->tty
>>
>> ser_release()
>>   tty = ser->tty
>>   dev_close(ser->dev)
>>   unregister_netdevice(ser->dev)
>>   debugfs_deinit(ser)
>>   tty_kref_put(tty) // may drop the last ref
>>                                       <-- race window -->
>>                                           tty->ops->write(tty, ...) // UAF
>>
> What is unclear is -- why is the xmit callback still active after
> unregister_netdevice().
In my understanding, no new ndo_start_xmit should begin after
unregister_netdevice() has completed, but an in-flight TX still needs
proper synchronization with teardown.
Concretely, CPU1 enters the TX path (ndo_start_xmit -> caif_xmit ->
handle_tx) and reads ser->tty to use it. Before CPU1 actually uses the
tty, CPU0 drops the last tty kref during teardown, so the tty may get
freed. CPU1 then continues and dereferences the stale tty in
tty_write_room() / tty->ops->write(), triggering the UAF.
The KASAN stack trace is in the report:
https://groups.google.com/g/syzkaller/c/usNe0oKtoXw/m/x8qUc3yUAQAJ
Please let me know if I’m missing anything.
Best,
Shuangpeng
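The interleaving described in the reply above, as an added user-space model that is not part of the patch, the kernel, or either author's mail. A reference-counted `struct tty` stands in for `struct tty_struct`, `struct ser_dev` stands in for the caif_serial per-device state that caches `ser->tty`, and `tty_write_model()` stands in for `tty->ops->write()`; all of these names are hypothetical. Nothing is actually freed: a flag records that the last reference was dropped, so a use after that point is reported instead of crashing. The two variants of the TX fetch contrast the pattern the report describes (borrowing the cached pointer without a reference) with the general defensive pattern of taking one's own reference under the lock that protects the pointer; this illustrates the principle, not the specific fix adopted upstream.

```c
/* Added model of the race in the report, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct tty {            /* hypothetical stand-in for struct tty_struct */
    int refcount;
    bool freed;         /* set when the last reference is dropped */
    int writes;         /* write() calls that reached a live object */
};

struct ser_dev {        /* hypothetical stand-in for caif_serial's device state */
    atomic_flag lock;   /* protects ->tty; a spinlock in this model */
    struct tty *tty;    /* cached pointer, like ser->tty */
};

static void ser_lock(struct ser_dev *ser)
{
    while (atomic_flag_test_and_set(&ser->lock))
        ;
}
static void ser_unlock(struct ser_dev *ser) { atomic_flag_clear(&ser->lock); }

static void tty_kref_get(struct tty *t) { t->refcount++; }
static void tty_kref_put(struct tty *t)
{
    if (--t->refcount == 0)
        t->freed = true;    /* a real kernel would free the object here */
}

/* Stand-in for tty->ops->write(): returns false if the object is already
 * gone, i.e. the use-after-free the report describes. */
static bool tty_write_model(struct tty *t)
{
    if (t->freed)
        return false;
    t->writes++;
    return true;
}

/* Racy TX step: snapshot ser->tty without taking a reference of our own. */
static struct tty *xmit_racy_fetch(struct ser_dev *ser) { return ser->tty; }

/* Defensive TX step: take our own reference under the lock, and refuse to
 * start if teardown has already cleared the pointer. */
static struct tty *xmit_safe_fetch(struct ser_dev *ser)
{
    struct tty *t;
    ser_lock(ser);
    t = ser->tty;
    if (t)
        tty_kref_get(t);
    ser_unlock(ser);
    return t;
}

/* Teardown: detach the tty from the device, then drop the device's reference
 * (the tty_kref_put() in ser_release() from the diagram). */
static void ser_release_model(struct ser_dev *ser)
{
    struct tty *t;
    ser_lock(ser);
    t = ser->tty;
    ser->tty = NULL;
    ser_unlock(ser);
    if (t)
        tty_kref_put(t);
}

/* Drive the diagram's interleaving deterministically: TX fetches the tty,
 * release runs to completion, then TX uses what it fetched. Returns true if
 * the use hit a live object. */
static bool run_interleaving(bool take_ref)
{
    struct tty tty = { .refcount = 1, .freed = false, .writes = 0 };
    struct ser_dev ser = { .lock = ATOMIC_FLAG_INIT, .tty = &tty };
    struct tty *t = take_ref ? xmit_safe_fetch(&ser) : xmit_racy_fetch(&ser);
    bool ok;

    ser_release_model(&ser);          /* CPU 0: may drop the last ref */
    ok = t && tty_write_model(t);     /* CPU 1: tty->ops->write(tty, ...) */
    if (take_ref && t)
        tty_kref_put(t);              /* TX drops the reference it took */
    return ok;
}

int main(void)
{
    printf("borrowed pointer: %s\n", run_interleaving(false) ? "ok" : "use after last kref_put");
    printf("own reference:    %s\n", run_interleaving(true) ? "ok" : "use after last kref_put");
    return 0;
}
```

In the borrowed-pointer variant the write lands after `ser_release_model()` has dropped the only reference, which is exactly the window marked in the diagram; in the own-reference variant the device's put leaves one reference held by the TX path, so the object outlives the write and is released only when TX is done with it.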