Re: [BUG] KASAN: slab-use-after-free in ipoctal_write_tty

Next message: Greg KH: "Re: [PATCH] binder: synchronize Rust Binder stats with freeze commands"
Previous message: Hungyu Lin: "Re: [PATCH] iio: pressure: bm1390: replace short msleeps with usleep_range"
In reply to: Shuangpeng: "Re: [BUG] KASAN: slab-use-after-free in ipoctal_write_tty"
Next in thread: Shuangpeng: "Re: [BUG] KASAN: slab-use-after-free in ipoctal_write_tty"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Mon Jun 15 2026 - 16:52:57 EST

On Mon, Jun 15, 2026 at 04:33:09PM -0400, Shuangpeng wrote:
>
>
> > On Jun 15, 2026, at 00:03, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Sun, Jun 14, 2026 at 03:48:50PM -0400, Shuangpeng Bai wrote:
> >> Hi Kernel Maintainers,
> >>
> >> I hit the following report while testing current upstream kernel:
> >>
> >> KASAN: slab-use-after-free in ipoctal_write_tty
> >
> > Cool, do you have this hardware, or is this only virtual testing?
>
> No, I do not have the physical hardware. This was reproduced with
> unmodified QEMU using its existing TPCI200/IP-Octal emulation.
>
> >
> > If virtual, are you sure that the hardware is being emulated properly?
>
>
> I understand this is not the same as testing on real hardware. However,
> my current understanding is that the crash is triggered after a
> successful probe through the normal sysfs unbind/remove path while the
> ipoctal tty fd is still open. The failing path does not seem to rely on
> device-specific emulation details after probe, but rather on the
> lifetime of the tty/device state during removal.

What specific sysfs unbind path? That's only for root and for testing
kernel development, it's not a normal thing that a user does at all,
right?

> Please let me know if I am missing anything here. I would also
> appreciate any suggestions on what I could check to better evaluate
> whether the emulation is appropriate for this report.

What exactly are you trying to test?

thanks,

greg k-h