Re: [PATCH v3] serial: 8250: fix use-after-free in IRQ chain handling
From: Wang Zhaolong
Date: Fri May 29 2026 - 03:30:29 EST
v3 fixes the Bugzilla reproducer on my setup.
But this error path is still racy:
> +
> + ret = request_irq(up->port.irq, serial8250_interrupt,
> + up->port.irqflags, up->port.name, i);
> +
> + mutex_unlock(&hash_mutex);
> +
> if (ret < 0)
> serial_do_unlink(i, up);
>
>
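Review bot: in this hunk the error cleanup `serial_do_unlink(i, up)` runs only after `mutex_unlock(&hash_mutex)`, so when `request_irq()` fails there is a window in which `i` is still linked with `i->head` pointing at `up` but no handler installed; any other port sharing the IRQ that takes `hash_mutex` in that window sees a live chain, adds itself and returns 0. Move the failure check above the unlock, i.e. `if (ret < 0) serial_do_unlink(i, up);` followed by `mutex_unlock(&hash_mutex);`, so the chain is never visible in the half-initialised state.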
i is already in irq_lists and i->head is already visible here. On
request_irq() failure, another port can join the chain and return success
without any IRQ handler installed.
The cleanup must happen before dropping hash_mutex.
> Dropping hash_mutex before request_irq() completes also allows another
> port sharing the same IRQ to join the chain and run the shared-IRQ THRE
> test while IRQ startup is still in progress, which can also trigger the
> "Unbalanced enable for IRQ" warning (kernel/irq/manage.c:774) because
> irq_shutdown() in the premature free_irq() path hard-sets desc->depth
> to 1, breaking the disable_irq/enable_irq pairing in
> serial8250_THRE_test().
The changelog is also still inaccurate: irq_shutdown() does not hard-set
desc->depth to 1 on current mainline; it increments desc->depth.
Best regards,
Wang Zhaolong
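The error-path race discussed in this thread, as an added single-threaded C model; this is illustration code, not the 8250 driver and not part of the patch. It keeps only what the race needs: one irq_info, a flag standing in for hash_mutex, a fault-injected request_irq(), and a second port that runs in the window right after the first port drops the mutex. The function names (fake_request_irq, join_chain, link_first, replay) and the two-port scenario are assumptions made for the model; the driver's own helpers differ.

```c
/* Model of serial_link_irq_chain()'s error path (illustration only, not the
 * 8250 driver).  Instead of threads, the interleaving is replayed explicitly:
 * the "intruder" port runs at the point where a concurrent caller could. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct port { const char *name; struct port *next; };

struct irq_info {
    struct port *head;        /* chain of ports sharing this IRQ */
    bool handler_installed;   /* set once request_irq() succeeded */
    bool mutex_held;          /* stands in for hash_mutex */
};

static int fail_next_request; /* fault injection: fail the next request_irq() */

static void hash_lock(struct irq_info *i)   { assert(!i->mutex_held); i->mutex_held = true; }
static void hash_unlock(struct irq_info *i) { assert(i->mutex_held);  i->mutex_held = false; }

/* Hypothetical stand-in for request_irq(): succeeds unless fault-injected. */
static int fake_request_irq(struct irq_info *i)
{
    if (fail_next_request) { fail_next_request = 0; return -16; /* -EBUSY */ }
    i->handler_installed = true;
    return 0;
}

/* Equivalent of serial_do_unlink(): drop @up from the chain, fixing head if needed. */
static void do_unlink(struct irq_info *i, struct port *up)
{
    struct port **pp;
    for (pp = &i->head; *pp; pp = &(*pp)->next)
        if (*pp == up) { *pp = up->next; return; }
}

/* Second port sharing the IRQ: join an existing chain, else install the handler itself. */
static int join_chain(struct irq_info *i, struct port *up)
{
    int ret = 0;
    hash_lock(i);
    if (i->head) {                      /* chain visible: join, no request_irq() */
        up->next = i->head;
        i->head = up;
    } else {
        up->next = NULL;
        i->head = up;
        ret = fake_request_irq(i);
        if (ret < 0)
            do_unlink(i, up);
    }
    hash_unlock(i);
    return ret;
}

/* First port: publish itself as head and request the IRQ.  @cleanup_under_lock
 * selects whether a failed request_irq() is unlinked before or after the mutex
 * is released; @intruder runs in the window right after the release. */
static int link_first(struct irq_info *i, struct port *up, bool cleanup_under_lock,
                      struct port *intruder, int *intruder_ret)
{
    int ret;
    hash_lock(i);
    up->next = NULL;
    i->head = up;                       /* visible to the next mutex holder */
    ret = fake_request_irq(i);
    if (cleanup_under_lock && ret < 0)
        do_unlink(i, up);               /* cleanup before unlock */
    hash_unlock(i);

    *intruder_ret = join_chain(i, intruder);   /* the race window */

    if (!cleanup_under_lock && ret < 0)
        do_unlink(i, up);               /* cleanup after unlock: too late */
    return ret;
}

/* Invariant: a non-empty chain must have a handler installed behind it. */
static bool chain_consistent(const struct irq_info *i)
{
    return (i->head == NULL) == !i->handler_installed;
}

/* Replay one scenario: the first port's request_irq() fails and a second port
 * arrives in the window.  Returns whether the invariant survived; *intruder_ret
 * receives the second port's return code. */
static bool replay(bool cleanup_under_lock, int *intruder_ret)
{
    struct irq_info i = { NULL, false, false };
    struct port a = { "ttyS0", NULL }, b = { "ttyS1", NULL };
    fail_next_request = 1;
    link_first(&i, &a, cleanup_under_lock, &b, intruder_ret);
    return chain_consistent(&i);
}

int main(void)
{
    int r;
    printf("cleanup after unlock: consistent=%d, second port ret=%d\n", replay(false, &r), r);
    printf("cleanup under lock:   consistent=%d, second port ret=%d\n", replay(true, &r), r);
    return 0;
}
```

With cleanup after the unlock, the second port finds `i->head` set, joins without calling request_irq() and returns 0; the first port then unlinks itself, leaving a chain whose only member has no handler behind it. With cleanup under the lock, the second port finds an empty chain, requests the IRQ itself and the invariant holds.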