[PATCH net v3 0/1] serial: caif: hold tty->link reference to avoid UAF in pty_write_room

From: Shuangpeng Bai

Date: Wed Feb 25 2026 - 20:37:31 EST


Follow-up to the v2 discussion: further debugging shows the KASAN
slab-use-after-free is triggered in pty_write_room(), and the faulting
access is on tty->link->port.

The report points to the peer access in pty_write_room():

tty_buffer_space_avail(tty->link->port);

This patch holds an extra kref on tty->link for the lifetime of the
caif_serial line discipline: get the reference in ldisc_open() and drop
it in ser_release(), and also drop it on the ldisc_open() error path.

Changes since v2:
- Update the analysis: the observed UAF is on tty->link, not ser->tty.
- Keep tty->link alive while the line discipline is active.

Link: https://lore.kernel.org/all/20260215025141.1106576-1-shuangpeng.kernel@xxxxxxxxx/T/#maee804ef687b4442f18c74e8801f5cde421ab000 (v2 thread)
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f (reproducer)

Shuangpeng Bai (1):
serial: caif: hold tty->link reference in ldisc_open and ser_release

drivers/net/caif/caif_serial.c | 3 +++
1 file changed, 3 insertions(+)

--
2.34.1
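The lifetime argument in the cover letter (the line discipline keeps a reference on the tty it was attached to, but nothing keeps the pty peer alive, so a later pty_write_room() walks tty->link->port into freed memory) can be traced through in a small userspace model. The following is an added example written for this page, not the patch or the kernel's code: kref, tty_struct, tty_port, pty_write_room(), ldisc_open() and ser_release() are reduced to a few lines each and a "freed" flag stands in for KASAN's view of a released slab object; the existing tty_kref_get(tty) in ldisc_open() and the matching put in ser_release() are assumed from the description above, and the buffer-space value is a constructed constant.

```c
/* Userspace model of the tty->link lifetime problem, constructed for this
 * example. The names mirror the kernel's, but every body here is an
 * assumption standing in for the real implementation. */
#include <stdio.h>

#define PORT_SPACE   4096   /* constructed: what tty_buffer_space_avail() reports */
#define UAF_DETECTED (-1)   /* returned where KASAN would report a use-after-free */

struct kref { int refcount; };

struct tty_port {
    int space_avail;
    int freed;                  /* model of the slab object having been released */
};

struct tty_struct {
    struct kref kref;
    struct tty_port *port;
    struct tty_struct *link;    /* pty peer, set when the pair is created */
    int freed;
};

/* Line discipline private data, as in caif_serial's struct ser_device. */
struct ser_device {
    struct tty_struct *tty;
};

static struct tty_struct *tty_kref_get(struct tty_struct *tty)
{
    if (tty)
        tty->kref.refcount++;
    return tty;
}

/* Dropping the last reference "frees" the tty and its port. The objects are
 * stack memory in this model so the flag stays readable; in the kernel the
 * slab object really goes away. */
static void tty_kref_put(struct tty_struct *tty)
{
    if (!tty)
        return;
    if (--tty->kref.refcount == 0) {
        tty->port->freed = 1;
        tty->freed = 1;
    }
}

static int tty_buffer_space_avail(struct tty_port *port)
{
    return port->freed ? UAF_DETECTED : port->space_avail;
}

/* The access named in the cover letter: the peer's port via tty->link. */
static int pty_write_room(struct tty_struct *tty)
{
    if (tty->link->freed)
        return UAF_DETECTED;
    return tty_buffer_space_avail(tty->link->port);
}

/* ldisc_open: the ldisc already pins its own tty; with hold_link set it
 * also pins the peer, which is what the patch adds. */
static void ldisc_open(struct ser_device *ser, struct tty_struct *tty, int hold_link)
{
    ser->tty = tty_kref_get(tty);
    if (hold_link)
        tty_kref_get(tty->link);
}

/* ser_release: read tty->link while the tty is still held, drop the peer
 * reference, then drop the tty itself. */
static void ser_release(struct ser_device *ser, int hold_link)
{
    struct tty_struct *link = ser->tty->link;

    if (hold_link)
        tty_kref_put(link);
    tty_kref_put(ser->tty);
    ser->tty = NULL;
}

/* Replays the reported sequence: open a pty pair, attach the ldisc to the
 * slave, close the master, let the ldisc ask for write room, then tear the
 * ldisc down and close the slave. Returns the write room the ldisc saw;
 * *leaked is set if either tty survived the full teardown. */
static int run_scenario(int hold_link, int *leaked)
{
    struct tty_port master_port = { PORT_SPACE, 0 };
    struct tty_port slave_port  = { PORT_SPACE, 0 };
    struct tty_struct master = { { 1 }, &master_port, NULL, 0 };
    struct tty_struct slave  = { { 1 }, &slave_port,  NULL, 0 };
    struct ser_device ser = { 0 };
    int room;

    master.link = &slave;
    slave.link = &master;

    ldisc_open(&ser, &slave, hold_link);   /* ldisc lives on the slave side */
    tty_kref_put(&master);                 /* the master's opener closes it */
    room = pty_write_room(ser.tty);        /* ldisc path reaching tty->link->port */
    ser_release(&ser, hold_link);
    tty_kref_put(&slave);                  /* the slave's opener closes it */

    *leaked = !(master.freed && slave.freed);
    return room;
}

int main(void)
{
    int leaked;
    int before = run_scenario(0, &leaked);
    printf("without peer ref: room=%d leaked=%d\n", before, leaked);
    int after = run_scenario(1, &leaked);
    printf("with peer ref:    room=%d leaked=%d\n", after, leaked);
    return 0;
}
```

Without the extra reference the master's only reference goes with its opener, and the ldisc's next pty_write_room() lands on a freed peer; with the reference taken in ldisc_open() the peer outlives the ldisc and is released in ser_release(). The leak check is the part worth keeping when reviewing the real patch: every tty_kref_get(tty->link) must be matched by a put on both the normal release path and the ldisc_open() error path, or the pty pair is never freed.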