Re: [PATCH] net: caif: serial: fix TX UAF on ser->tty

From: Paolo Abeni

Date: Thu Feb 12 2026 - 07:13:35 EST


On 2/12/26 5:22 AM, Shuangpeng Bai wrote:
> KASAN reported a slab-use-after-free in tty_write_room() reachable from
> caif_serial's TX path. The TX handler dereferences ser->tty while
> ldisc_close() can drop the driver's tty reference. Since ser->tty was
> not cleared and accesses were not synchronized, the TX path could race
> with tty teardown and dereference a stale ser->tty pointer.
>
> Fix it by serializing accesses to ser->tty with a dedicated lock. The TX
> path grabs a tty kref under the lock and drops it after the TX attempt,
> while ldisc_close() clears ser->tty under the same lock before putting
> the old tty reference. This prevents the TX path from observing a freed
> tty object via ser->tty.
>
> Reported-by: Shuangpeng Bai <baisp@xxxxxxx>
> Closes: https://groups.google.com/g/syzkaller/c/usNe0oKtoXw/m/x8qUc3yUAQAJ
>

Please, no empty lines in the tag area.

You must include a fixes tag and specify the target tree in the subj prefix.

Does not apply cleanly to net or net-next.

Please read carefully the process documentation under:

Documentation/process/

and especially Documentation/process/maintainer-netdev.rst

before resubmitting.

/P
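
The locking scheme described in the quoted commit message, as an added userspace model (not the patch under review and not kernel code). The names `ser_tty_get`, `ser_tx_finish`, `ser_close` and `race_demo` are hypothetical; a pthread mutex and an atomic counter stand in for the driver's lock and the tty kref.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
/* Userspace stand-ins (hypothetical) for tty_struct and its kref. */
struct tty { atomic_int refs; int room; };
static int tty_frees;                 /* counts frees so callers can check */
static void tty_put(struct tty *t) {
    if (t && atomic_fetch_sub(&t->refs, 1) == 1) { tty_frees++; free(t); }
}
/* tty_lock guards only the ser->tty pointer, not the tty itself. */
struct ser_device { pthread_mutex_t tty_lock; struct tty *tty; };
/* TX, step 1: take a private reference while the pointer cannot change. */
static struct tty *ser_tty_get(struct ser_device *ser) {
    pthread_mutex_lock(&ser->tty_lock);
    struct tty *t = ser->tty;
    if (t) atomic_fetch_add(&t->refs, 1);
    pthread_mutex_unlock(&ser->tty_lock);
    return t;
}
/* TX, step 2: use the tty through that reference, then drop it. */
static int ser_tx_finish(struct tty *t) {
    if (!t) return -1;                /* already closed: nothing to touch */
    int room = t->room;               /* stands in for tty_write_room() */
    tty_put(t);
    return room;
}
/* Close: clear the pointer under the lock, then put the old reference. */
static void ser_close(struct ser_device *ser) {
    pthread_mutex_lock(&ser->tty_lock);
    struct tty *old = ser->tty;
    ser->tty = NULL;
    pthread_mutex_unlock(&ser->tty_lock);
    tty_put(old);
}
/* Constructed interleaving: close lands between TX's get and its use. */
static int race_demo(void) {
    struct tty *t = calloc(1, sizeof(*t));
    if (!t) return 0;
    t->refs = 1; t->room = 64;        /* the device's own reference */
    struct ser_device ser = { PTHREAD_MUTEX_INITIALIZER, t };
    int before = tty_frees;
    struct tty *held = ser_tty_get(&ser);
    ser_close(&ser);                  /* TX still holds a ref: not freed */
    int alive = (tty_frees == before);
    int room = ser_tx_finish(held);   /* last put frees the object */
    int late = ser_tx_finish(ser_tty_get(&ser)); /* sees NULL, bails out */
    return alive && room == 64 && tty_frees == before + 1 && late == -1;
}
int main(void) { return race_demo() ? 0 : 1; }
```

Without the lock and the extra reference, the read in `ser_tx_finish` would touch memory that `ser_close` had already freed, which is the access KASAN flagged in the report.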