Re: [PATCH] mISDN: socket: drop device references acquired by get_mdevice()

Next message: Matt Fleming: "Re: [PATCH] mm: Require LRU reclaim progress before retrying direct reclaim"
Previous message: Sun Jian: "[PATCH bpf] bpf: reject ERR_PTR map-&gt;record in map_check_btf"
In reply to: Simon Horman: "Re: [PATCH] mISDN: socket: drop device references acquired by get_mdevice()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Shuvam Pandey

Date: Thu Apr 16 2026 - 10:50:33 EST

> Could this introduce a use-after-free regression if the underlying
> hardware is removed before the socket is closed?
>
> [...]
>
> This isn't a regression, but is there a use-after-free in the stack
> teardown when the hardware is removed?

Thanks for the review.

Looking at it more closely, I agree the close-path part of this patch is
not safe as posted.

While get_mdevice() does return a referenced device, the sockets also
keep raw mISDNdevice / mISDNstack pointers across bind, and
mISDN_unregister_device() tears the stack down while those pointers can
still be reached later from socket release. In addition, several mISDN
drivers free the enclosing allocation immediately after
mISDN_unregister_device() returns, so adding put_device() in the socket
release paths can turn this into a close-time UAF. The delete_channel()
/ ch->st case on the data-socket side is the same underlying lifetime
problem.

I'll drop this version and revisit it after reworking the unregister /
socket lifetime handling first. I also want to re-check whether the
temporary get_mdevice() lookup references should be fixed separately or
only once that lifetime side is addressed.

Thanks,
Shuvam