From: Shuangpeng Bai
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, hdanton@sina.com, vadim.fedorenko@linux.dev, simon.horman@kernel.org, Shuangpeng Bai
Subject: [PATCH net v3 1/1] serial: caif: hold tty->link reference in ldisc_open and ser_release
Date: Wed, 25 Feb 2026 20:36:42 -0500
Message-Id: <99a19d63fa322bf21463de1671085655a3f444f9.1772055898.git.shuangpeng.kernel@gmail.com>

A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied, the reproducer no longer triggers the UAF in my testing.

This issue becomes reproducible on top of 308e7e4d0a84. Before that, the reproducer typically hits another bug first, so this UAF is not observable there.

Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Link: https://lore.kernel.org/all/20260215025141.1106576-1-shuangpeng.kernel@gmail.com/T/#maee804ef687b4442f18c74e8801f5cde421ab000
Fixes: 308e7e4d0a84 ("serial: caif: fix use-after-free in caif_serial ldisc_close()")
Signed-off-by: Shuangpeng Bai
---
 drivers/net/caif/caif_serial.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index b90890030751..1873d8287bb9 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -297,6 +297,7 @@ static void ser_release(struct work_struct *work) dev_close(ser->dev); unregister_netdevice(ser->dev); debugfs_deinit(ser); + tty_kref_put(tty->link); tty_kref_put(tty); } rtnl_unlock(); @@ -331,6 +332,7 @@ static int ldisc_open(struct tty_struct *tty) =20 ser =3D netdev_priv(dev); ser->tty =3D tty_kref_get(tty); + tty_kref_get(tty->link); ser->dev =3D dev; debugfs_init(ser, tty); tty->receive_room =3D 4096; @@ -339,6 +341,7 @@ static int ldisc_open(struct tty_struct *tty) rtnl_lock(); result =3D register_netdevice(dev); if (result) { + tty_kref_put(tty->link); tty_kref_put(tty); rtnl_unlock(); free_netdev(dev); --=20 2.34.1
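Review bot: in the ser_release() hunk, the new `tty_kref_put(tty->link);` is executed for every tty the caif line discipline was attached to, but `tty->link` is only populated when the tty is one half of a pty pair; on an ordinary serial tty it is NULL, so the teardown now relies on tty_kref_put() accepting a NULL pointer. That is worth confirming and, if so, stating in a one-line comment above the call (e.g. `/* tty->link is NULL for non-pty ttys; tty_kref_put() tolerates that */`) so the next reader does not mistake it for an unchecked dereference. Separately, the subject says v3 but nothing below the `---` marker lists what changed since v2; a short changelog there is the usual convention for a respin.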
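Review bot: in the first ldisc_open() hunk, `tty_kref_get(tty->link);` discards the returned pointer and stores nothing in `ser`, so ser_release() has to re-read `tty->link` later to drop the same reference; correctness therefore depends on `tty->link` never changing between ldisc_open() and ser_release(). If that is guaranteed for the pty case, a comment next to the get should say so; otherwise keep the pointer you took the reference on, e.g. `ser->link = tty_kref_get(tty->link);` beside the existing `ser->tty = tty_kref_get(tty);`, and have ser_release() put `ser->link` instead of re-deriving it.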
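Review bot: in the second ldisc_open() hunk, the `tty_kref_put(tty->link);` inside `if (result)` mirrors the ser_release() ordering, which is good, but it is now the only place in ldisc_open() that undoes the new get; please check that no other early return exists between `tty_kref_get(tty->link);` and this block (anything between `debugfs_init(ser, tty);` and `rtnl_lock();` is outside the visible context), since such a path would now leak a reference on the peer tty. Moving the paired puts into a small helper shared with ser_release() would keep the two cleanup paths from drifting apart.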