Re: [PATCH v2] serial: 8250: fix use-after-free in IRQ chain handling

From: Wang Zhaolong

Date: Thu May 28 2026 - 22:43:31 EST


My patch should cover that link/unlink lifetime race as well.

serial_unlink_irq_chain() already holds hash_mutex before walking irq_lists
and before calling serial_do_unlink(), which can kfree(i).  My patch keeps
hash_mutex held in serial_link_irq_chain() from serial_get_or_create_irq_info()
through the list update and the first request_irq() completion.

So once serial_link_irq_chain() has found or allocated i, a concurrent unlink
cannot enter serial_unlink_irq_chain() and free that irq_info until the link
path is done.

The important difference is that the lock is also held across the first
request_irq().  That is required for the reported "Unbalanced enable for IRQ"
race, because publishing i->head before request_irq() completes lets another
port join the chain and run the shared-IRQ THRE test while IRQ startup is still
in progress.

Thanks,
Wang Zhaolong
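Added example, not the patch under discussion or kernel code: a userspace pthreads model of the ordering the reply describes. struct irq_info, hash_mutex, request_irq_model(), first_port(), second_port() and run_scenario() are constructed stand-ins; run_scenario(false) models the old ordering where the lock is dropped before the first request_irq(), run_scenario(true) the patched ordering that keeps hash_mutex held across it.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <time.h>
/* Constructed stand-in for the chain head; not the kernel's struct irq_info. */
struct irq_info { bool irq_started; int nports; };
struct args { struct irq_info *i; bool lock_across_request_irq; int race; };
static pthread_mutex_t hash_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_barrier_t published;   /* rendezvous: "i is now on the chain" */
/* Stand-in for request_irq(): IRQ startup takes visible time to complete. */
static void request_irq_model(struct irq_info *i)
{
    struct timespec startup = { 0, 50 * 1000 * 1000 };  /* 50 ms */
    pthread_barrier_wait(&published);   /* let the second port run now */
    nanosleep(&startup, NULL);          /* startup still in progress */
    i->irq_started = true;
}
/* First port: finds/creates i, publishes it, does the first request_irq(). */
static void *first_port(void *p)
{
    struct args *a = p;
    pthread_mutex_lock(&hash_mutex);
    a->i->nports = 1;                       /* same role as publishing i->head */
    if (!a->lock_across_request_irq)
        pthread_mutex_unlock(&hash_mutex);  /* old order: lock dropped before startup */
    request_irq_model(a->i);
    if (a->lock_across_request_irq)
        pthread_mutex_unlock(&hash_mutex);  /* patched order: lock spans startup */
    return NULL;
}
/* Second port: joins the chain and records whether startup had completed. */
static void *second_port(void *p)
{
    struct args *a = p;
    pthread_barrier_wait(&published);
    pthread_mutex_lock(&hash_mutex);
    a->i->nports++;
    a->race = !a->i->irq_started;  /* joined while request_irq() still running */
    pthread_mutex_unlock(&hash_mutex);
    return NULL;
}
/* Returns 1 if the second port joined before the first request_irq() finished. */
int run_scenario(bool lock_across_request_irq)
{
    struct irq_info i = { false, 0 };
    struct args a = { &i, lock_across_request_irq, 0 };
    pthread_t t1, t2;
    pthread_barrier_init(&published, NULL, 2);
    pthread_create(&t1, NULL, first_port, &a);
    pthread_create(&t2, NULL, second_port, &a);
    pthread_join(t1, NULL); pthread_join(t2, NULL);
    pthread_barrier_destroy(&published);
    return a.race;
}
```

With the lock dropped early the second port observes a chain whose IRQ startup has not finished, which is the window the "Unbalanced enable for IRQ" report points at; with the lock held across request_irq() it cannot take hash_mutex until startup is complete.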