From: Shuangpeng Bai
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, jirislaby@kernel.org, shaojijie@huawei.com, jiayuan.chen@shopee.com, Shuangpeng Bai
Subject: [PATCH net v4] serial: caif: hold tty->link reference in ldisc_open and ser_release
Date: Sun, 1 Mar 2026 17:05:25 -0500
Message-Id: <20260301220525.1546355-1-shuangpeng.kernel@gmail.com>

A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when
caif_serial's TX path calls tty_write_room(). The faulting access is on
tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and also
drop it on the ldisc_open() error path. With this change applied, the
reproducer no longer triggers the UAF in my testing.

This issue becomes reproducible on top of 308e7e4d0a84. Before that, the
reproducer typically hits another bug first, so this UAF is not observable
there.

Link: https://lore.kernel.org/all/20260228094741.1e248271@kernel.org/
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Fixes: 308e7e4d0a84 ("serial: caif: fix use-after-free in caif_serial ldisc_close()")
Signed-off-by: Shuangpeng Bai --- Changes since v3: - No code changes; repost without cover letter and with updated Cc list. drivers/net/caif/caif_serial.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c index b90890030751..1873d8287bb9 100644 --- a/drivers/net/caif/caif_serial.c +++ b/drivers/net/caif/caif_serial.c @@ -297,6 +297,7 @@ static void ser_release(struct work_struct *work) dev_close(ser->dev); unregister_netdevice(ser->dev); debugfs_deinit(ser); + tty_kref_put(tty->link); tty_kref_put(tty); } rtnl_unlock(); @@ -331,6 +332,7 @@ static int ldisc_open(struct tty_struct *tty) =20 ser =3D netdev_priv(dev); ser->tty =3D tty_kref_get(tty); + tty_kref_get(tty->link); ser->dev =3D dev; debugfs_init(ser, tty); tty->receive_room =3D 4096; @@ -339,6 +341,7 @@ static int ldisc_open(struct tty_struct *tty) rtnl_lock(); result =3D register_netdevice(dev); if (result) { + tty_kref_put(tty->link); tty_kref_put(tty); rtnl_unlock(); free_netdev(dev); --=20 2.34.1
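Review bot: in the ser_release() hunk, tty_kref_put(tty->link) re-reads tty->link at release time instead of dropping the exact pointer that ldisc_open() took the reference on. For a pty pair the link pointer is fixed when the pair is created, so the get and put do pair up today, but the pairing is implicit. Recording the pointer in the private struct, e.g. `ser->link = tty_kref_get(tty->link);` in ldisc_open() and `tty_kref_put(ser->link);` here and on the error path, would make the ownership explicit and would not depend on tty->link staying stable between open and release.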
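Review bot: the ldisc_open() hunk adds a bare `tty_kref_get(tty->link);` with no comment and its return value discarded, so a reader of the driver cannot tell why the line discipline pins the peer tty. A short comment above the call stating the reason from the commit message (the TX path's tty_write_room() ends in pty_write_room(), which dereferences tty->link->port, so the peer tty_struct must outlive the ldisc) would help. It is also worth stating, in the comment or the commit message, that tty->link is NULL for non-pty ttys such as a real serial port, and that tty_kref_get() and tty_kref_put() accept NULL, so the change is a no-op for the common caif_serial backend.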