Re: [PATCH v2] serial: 8250: fix use-after-free in IRQ chain handling
From: Wang Zhaolong
Date: Thu May 28 2026 - 22:43:31 EST
My patch should cover that link/unlink lifetime race as well.
serial_unlink_irq_chain() already holds hash_mutex before walking irq_lists
and before calling serial_do_unlink(), which can kfree(i). My patch keeps
hash_mutex held in serial_link_irq_chain() from serial_get_or_create_irq_info()
through the list update and the first request_irq() completion.
So once serial_link_irq_chain() has found or allocated i, a concurrent unlink
cannot enter serial_unlink_irq_chain() and free that irq_info until the link
path is done.
The important difference is that the lock is also held across the first
request_irq(). That is required for the reported "Unbalanced enable for IRQ"
race, because publishing i->head before request_irq() completes lets another
port join the chain and run the shared-IRQ THRE test while IRQ startup is still
in progress.
Thanks,
Wang Zhaolong
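The ordering argument in the reply above can be checked mechanically with a small interleaving model. The following C program is an added example, not code from the patch or from the 8250 driver: it models two ports sharing one IRQ as two actors whose steps are serialised only by a modelled hash_mutex, and enumerates every interleaving. The "pre-fix" step order (publish i->head, drop hash_mutex, then request_irq()) is assumed here for illustration; the "fixed" order holds the mutex across request_irq() as the reply describes. The names `link_before`, `link_after`, `join_prog` and `race_reachable` are the model's own, not driver identifiers.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy interleaving model of serial_link_irq_chain() for two ports sharing
 * one IRQ. Added example, not kernel code. The pre-fix ordering (publish
 * i->head, unlock, then request_irq()) is an assumption for illustration.
 */
struct st {
    int mutex;      /* 0 = free, otherwise id (1 or 2) of the actor holding hash_mutex */
    int published;  /* i->head made visible in irq_lists */
    int started;    /* first port's request_irq() has completed */
    int bad;        /* second port joined the chain and ran the THRE test before startup finished */
    int pc[2];      /* next step of each actor */
};

typedef int (*step_fn)(struct st *s, int me);

/* Each step returns 1 when it ran, 0 when it is blocked on the mutex. */
static int lock_step(struct st *s, int me)
{
    if (s->mutex && s->mutex != me)
        return 0;
    s->mutex = me;
    return 1;
}
static int unlock_step(struct st *s, int me) { (void)me; s->mutex = 0; return 1; }
static int publish_step(struct st *s, int me) { (void)me; s->published = 1; return 1; }
static int request_irq_step(struct st *s, int me) { (void)me; s->started = 1; return 1; }

/*
 * Second port: if a chain is already published it joins without its own
 * request_irq() and runs the shared-IRQ THRE test. Seeing a published chain
 * whose IRQ startup has not completed is the bad state. The symmetric case
 * (second port arriving first and becoming the chain head) is modelled as a
 * harmless no-op.
 */
static int join_step(struct st *s, int me)
{
    (void)me;
    if (s->published && !s->started)
        s->bad = 1;
    return 1;
}

/* First port, assumed pre-fix ordering: hash_mutex dropped before request_irq(). */
static const step_fn link_before[] = { lock_step, publish_step, unlock_step, request_irq_step };
/* First port, fixed ordering: hash_mutex held across request_irq(). */
static const step_fn link_after[]  = { lock_step, publish_step, request_irq_step, unlock_step };
/* Second port: lookup and join happen under hash_mutex. */
static const step_fn join_prog[]   = { lock_step, join_step, unlock_step };

struct actor { const step_fn *prog; int len; };

/* Depth-first search over all interleavings; returns 1 if any reaches bad. */
static int explore(struct st s, const struct actor a[2])
{
    if (s.bad)
        return 1;
    for (int id = 0; id < 2; id++) {
        if (s.pc[id] >= a[id].len)
            continue;
        struct st next = s;
        if (!a[id].prog[s.pc[id]](&next, id + 1))
            continue;   /* this actor is blocked on the mutex in this state */
        next.pc[id]++;
        if (explore(next, a))
            return 1;
    }
    return 0;
}

/* fixed == 0: assumed pre-fix ordering; fixed == 1: lock held across request_irq(). */
int race_reachable(int fixed)
{
    struct actor a[2] = {
        { fixed ? link_after : link_before, 4 },
        { join_prog, 3 },
    };
    struct st s;
    memset(&s, 0, sizeof(s));
    return explore(s, a);
}

int main(void)
{
    printf("pre-fix ordering: race reachable = %d\n", race_reachable(0));
    printf("fixed ordering:   race reachable = %d\n", race_reachable(1));
    return 0;
}
```

With the pre-fix order the search finds the interleaving lock, publish, unlock by the first port followed by lock, join by the second port, which observes a published chain before request_irq() has run. With the mutex held across request_irq() the second port can only acquire hash_mutex before the first port has published anything or after its IRQ startup has completed, so no interleaving reaches the bad state.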