Re: [PATCH v3] serial: 8250: fix use-after-free in IRQ chain handling

From: Wang Zhaolong

Date: Fri May 29 2026 - 03:30:29 EST


v3 fixes the Bugzilla reproducer on my setup.

But this error path is still racy:

> +
> + ret = request_irq(up->port.irq, serial8250_interrupt,
> + up->port.irqflags, up->port.name, i);
> +
> + mutex_unlock(&hash_mutex);
> +
> if (ret < 0)
> serial_do_unlink(i, up);
>
>
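Review bot: the failure-path cleanup is ordered after the lock is dropped: `mutex_unlock(&hash_mutex);` comes before `if (ret < 0) serial_do_unlink(i, up);`, so when request_irq() fails there is a window in which `i` is unlinked with no handler installed while the list is no longer protected. Move the `if (ret < 0) serial_do_unlink(i, up);` check above the `mutex_unlock(&hash_mutex);` so the unlink happens under the same lock that published `i`, and keep the unlock as the last step of both the success and failure paths.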

i is already in irq_lists and i->head is already visible here. On
request_irq() failure, another port can join the chain and return success
without any IRQ handler installed.

The cleanup must happen before dropping hash_mutex.

> Dropping hash_mutex before request_irq() completes also allows another
> port sharing the same IRQ to join the chain and run the shared-IRQ THRE
> test while IRQ startup is still in progress, which can also trigger the
> "Unbalanced enable for IRQ" warning (kernel/irq/manage.c:774) because
> irq_shutdown() in the premature free_irq() path hard-sets desc->depth
> to 1, breaking the disable_irq/enable_irq pairing in
> serial8250_THRE_test().

The changelog is also still inaccurate: irq_shutdown() does not hard-set
desc->depth to 1 on current mainline; it increments desc->depth.

Best regards,
Wang Zhaolong