Re: [PATCH] USB: serial: opticon: fix UAF in write callback during port removal

Next message: Peter Zijlstra: "Re: [tip:sched/hrtick] [hrtimer] 2889243848: stress-ng.timermix.ops_per_sec 30.1% regression"
Previous message: Niklas Cassel: "Re: [PATCH v3] PCI: dw-rockchip: Enable async probe by default"
In reply to: Fan Wu: "Re: [PATCH] USB: serial: opticon: fix UAF in write callback during port removal"
Next in thread: Fan Wu: "Re: [PATCH] USB: serial: opticon: fix UAF in write callback during port removal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Wed Mar 11 2026 - 08:14:47 EST

On Tue, Mar 10, 2026 at 05:04:24PM +0000, Fan Wu wrote:
> On Tue, Mar 10, 2026 at 09:56:48 +0100, Johan Hovold wrote:
> > How was this potential issue found? Are you using some kind of LLM or
> > other tool?
>
> Hi Johan,
>
> Thanks for the explanation. You're right — I missed the lifecycle guarantees
> provided by usb_serial_disconnect(), and since opticon_close() already handles
> the URB cleanup, this report is a false positive.
>
> I'm currently researching static analysis techniques (CodeQL combined with LLM
> assistance) for detecting UAF bugs, particularly around cross-entry lifetimes.
> In this case, the analysis missed the subsystem-level guarantee that close runs
> before remove.

As is required, you always have to document this type of thing in the
changelog text.

thanks,

greg k-h