* [PATCH net v3 0/1] serial: caif: hold tty->link reference to avoid UAF in pty_write_room
@ 2026-02-26 1:36 Shuangpeng Bai
2026-02-26 1:36 ` [PATCH net v3 1/1] serial: caif: hold tty->link reference in ldisc_open and ser_release Shuangpeng Bai
0 siblings, 1 reply; 4+ messages in thread
From: Shuangpeng Bai @ 2026-02-26 1:36 UTC (permalink / raw)
To: netdev
Cc: davem, edumazet, kuba, pabeni, linux-kernel, hdanton,
vadim.fedorenko, simon.horman, Shuangpeng Bai
Follow-up to the v2 discussion: further debugging shows the KASAN
slab-use-after-free is triggered in pty_write_room(), and the faulting
access is on tty->link->port.
The report points to the peer access in pty_write_room():
tty_buffer_space_avail(tty->link->port);
This patch holds an extra kref on tty->link for the lifetime of the
caif_serial line discipline: get the reference in ldisc_open() and drop
it in ser_release(), and also drop it on the ldisc_open() error path.
Changes since v2:
- Update the analysis: the observed UAF is on tty->link, not ser->tty.
- Keep tty->link alive while the line discipline is active.
Link: https://lore.kernel.org/all/20260215025141.1106576-1-shuangpeng.kernel@gmail.com/T/#maee804ef687b4442f18c74e8801f5cde421ab000 (v2 thread)
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f (reproducer)
Shuangpeng Bai (1):
serial: caif: hold tty->link reference in ldisc_open and ser_release
drivers/net/caif/caif_serial.c | 3 +++
1 file changed, 3 insertions(+)
--
2.34.1
* [PATCH net v3 1/1] serial: caif: hold tty->link reference in ldisc_open and ser_release
From: Shuangpeng Bai @ 2026-02-26 1:36 UTC (permalink / raw)
To: netdev
Cc: davem, edumazet, kuba, pabeni, linux-kernel, hdanton,
vadim.fedorenko, simon.horman, Shuangpeng Bai
A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in
my testing.
This issue becomes reproducible on top of 308e7e4d0a84. Before that, the
reproducer typically hits another bug first, so this UAF is not
observable there.
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Link: https://lore.kernel.org/all/20260215025141.1106576-1-shuangpeng.kernel@gmail.com/T/#maee804ef687b4442f18c74e8801f5cde421ab000
Fixes: 308e7e4d0a84 ("serial: caif: fix use-after-free in caif_serial ldisc_close()")
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
---
drivers/net/caif/caif_serial.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index b90890030751..1873d8287bb9 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -297,6 +297,7 @@ static void ser_release(struct work_struct *work)
dev_close(ser->dev);
unregister_netdevice(ser->dev);
debugfs_deinit(ser);
+ tty_kref_put(tty->link);
tty_kref_put(tty);
}
rtnl_unlock();
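Review bot: the new tty_kref_put(tty->link) in this hunk only does real work when the tty is a pty; for any other tty the caif_serial ldisc can be attached to, tty->link is NULL. tty_kref_put() tolerates a NULL argument, so this does not crash, but the commit message should say that the peer reference is a no-op for non-pty ttys so the asymmetry is understood. The put sits inside the same conditional block as the existing tty_kref_put(tty), so the peer is dropped on exactly the paths that drop ser->tty, which is the right pairing; dropping the peer first and the tty second is the reverse of the acquisition order in ldisc_open() and is fine since the ldisc holds both independently.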
@@ -331,6 +332,7 @@ static int ldisc_open(struct tty_struct *tty)
ser = netdev_priv(dev);
ser->tty = tty_kref_get(tty);
+ tty_kref_get(tty->link);
ser->dev = dev;
debugfs_init(ser, tty);
tty->receive_room = 4096;
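Review bot: tty_kref_get(tty->link) discards its return value and the reference is stored nowhere, so ser_release() depends on tty->link still naming the same peer when it runs. For a pty that holds, because tty->link is set at install and never re-pointed, but a one-line comment here explaining why the peer reference is taken at all (pty_write_room() dereferences tty->link->port from the TX path, per the bug report) would save the next reader a trip to the Link: URLs. Since tty_kref_get() returns NULL for NULL input, non-pty ttys take no reference and the change is harmless there; worth a sentence in the commit message.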
@@ -339,6 +341,7 @@ static int ldisc_open(struct tty_struct *tty)
rtnl_lock();
result = register_netdevice(dev);
if (result) {
+ tty_kref_put(tty->link);
tty_kref_put(tty);
rtnl_unlock();
free_netdev(dev);
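Review bot: the error path now drops both references, which matches the two gets above, but it is the only failure exit visible between the tty_kref_get(tty->link) in the previous hunk and register_netdevice(); debugfs_init() and the receive_room setup sit in between. Please confirm there is no other return in ldisc_open() in that window, otherwise the peer reference would leak on that path. Stating in the commit message that the put order here (tty->link before tty) deliberately mirrors ser_release() would also help.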
--
2.34.1
* Re: [PATCH net v3 1/1] serial: caif: hold tty->link reference in ldisc_open and ser_release
From: Jakub Kicinski @ 2026-02-28 17:49 UTC (permalink / raw)
To: Shuangpeng Bai
Cc: netdev, davem, edumazet, pabeni, linux-kernel, hdanton,
vadim.fedorenko, horms
On Wed, 25 Feb 2026 20:36:42 -0500 Shuangpeng Bai wrote:
> Fixes: 308e7e4d0a84 ("serial: caif: fix use-after-free in caif_serial ldisc_close()")
Please repost and make sure you CC everyone who has given tags to this
commit. The get_maintainers script will point them out to you.
And there's no need for a cover letter on a single patch submission,
just add the extra info under the --- marker in the patch.
Also simon.horman@kernel.org is not a real address, horms@
--
pw-bot: cr
* Re: [PATCH net v3 1/1] serial: caif: hold tty->link reference in ldisc_open and ser_release
From: Shuangpeng Bai @ 2026-03-01 22:24 UTC (permalink / raw)
To: kuba
Cc: netdev, davem, edumazet, pabeni, linux-kernel, hdanton,
vadim.fedorenko, horms
Hi Jakub,
Thanks for the guidance. I've reposted as v4 without a cover letter and
CC'd everyone pointed out by get_maintainer.pl, including the taggers of
the Fixes commit. I also fixed the horms@kernel.org address.
Thanks,
Shuangpeng