Re: [RFC] ipack: ipoctal: fix use-after-free on remove

[Shuangpeng]

Hi Pei,

Thanks for working on this!

I applied the patch to commit:

390d73adf896bf4883c7d3bcd13c1b53d64351e3 (Jun 19 2026)

and reran the same reproducer. The original slab-use-after-free report did
not show up in the same form, but the reproducer still triggers another
KASAN report in ipoctal_write_tty():

[   73.728267] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
[   73.730941] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[   73.731780] CPU: 0 UID: 0 PID: 8289 Comm: ipoctal_fd_afte Not tainted 7.1.0-10997-g390d73adf896-dirty #33 PREEMPT(full)
[   73.734223] RIP: 0010:ipoctal_write_tty (drivers/ipack/devices/ipoctal.c:453 drivers/ipack/devices/ipoctal.c:470)

Call Trace:
[   73.746486]  n_tty_write (drivers/tty/n_tty.c:2388)
[   73.752256]  file_tty_write (drivers/tty/tty_io.c:1006 drivers/tty/tty_io.c:1081)
[   73.752746]  vfs_write (fs/read_write.c:595 fs/read_write.c:687)
[   73.754695]  ksys_write (fs/read_write.c:739)
[   73.756837]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[   73.757309]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

So the same open-tty-fd-after-tpci200-unbind reproducer still crashes the
kernel after this patch.

Best,
Shuangpeng



> On Jun 23, 2026, at 03:50, Pei Xiao <xiaopei01@xxxxxxxxxx> wrote:
> 
> A use-after-free occurs when the device is removed while a tty
> session is still active.  The remove callback frees the ipoctal
> structure via kfree() while ipoctal_write_tty() and other tty ops
> may still access it.
> 
> Fix this by introducing kref-based lifetime management for the
> ipoctal structure. A kref is taken in ipoctal_install() when a tty is
> initialized, and released in ipoctal_cleanup() when the tty is finally
> destroyed. The remove callback replaces direct kfree() with kref_put(),
> ensuring the memory is only freed after all tty references have been
> released.
> 
> Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
> Closes: https://lore.kernel.org/lkml/178144969601.60470.1257088106279546587@xxxxxxxxx/
> Fixes: 05e5027efc9c ("Staging: ipack: move out of staging")
> Signed-off-by: Pei Xiao <xiaopei01@xxxxxxxxxx>
> ---
> drivers/ipack/devices/ipoctal.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/ipack/devices/ipoctal.c b/drivers/ipack/devices/ipoctal.c
> index 1bbefc6de708..079bda93ad5a 100644
> --- a/drivers/ipack/devices/ipoctal.c
> +++ b/drivers/ipack/devices/ipoctal.c
> @@ -10,6 +10,7 @@
> #include <linux/device.h>
> #include <linux/module.h>
> #include <linux/interrupt.h>
> +#include <linux/kref.h>
> #include <linux/sched.h>
> #include <linux/tty.h>
> #include <linux/serial.h>
> @@ -25,6 +26,8 @@
> 
> static const struct tty_operations ipoctal_fops;
> 
> +static void ipoctal_release(struct kref *kref);
> +
> struct ipoctal_channel {
> struct ipoctal_stats stats;
> unsigned int nb_bytes;
> @@ -49,6 +52,7 @@ struct ipoctal {
> struct tty_driver *tty_drv;
> u8 __iomem *mem8_space;
> u8 __iomem *int_space;
> + struct kref kref;
> };
> 
> static inline struct ipoctal *chan_to_ipoctal(struct ipoctal_channel *chan,
> @@ -95,6 +99,7 @@ static int ipoctal_install(struct tty_driver *driver, struct tty_struct *tty)
> if (res)
> goto err_put_carrier;
> 
> + kref_get(&ipoctal->kref);
> tty->driver_data = channel;
> 
> return 0;
> @@ -666,6 +671,7 @@ static void ipoctal_cleanup(struct tty_struct *tty)
> 
> /* release the carrier driver */
> ipack_put_carrier(ipoctal->dev);
> + kref_put(&ipoctal->kref, ipoctal_release);
> }
> 
> static const struct tty_operations ipoctal_fops = {
> @@ -683,6 +689,13 @@ static const struct tty_operations ipoctal_fops = {
> .cleanup =              ipoctal_cleanup,
> };
> 
> +static void ipoctal_release(struct kref *kref)
> +{
> + struct ipoctal *ipoctal = container_of(kref, struct ipoctal, kref);
> +
> + kfree(ipoctal);
> +}
> +
> static int ipoctal_probe(struct ipack_device *dev)
> {
> int res;
> @@ -692,6 +705,8 @@ static int ipoctal_probe(struct ipack_device *dev)
> if (ipoctal == NULL)
> return -ENOMEM;
> 
> + kref_init(&ipoctal->kref);
> +
> ipoctal->dev = dev;
> res = ipoctal_inst_slot(ipoctal, dev->bus->bus_nr, dev->slot);
> if (res)
> @@ -701,7 +716,7 @@ static int ipoctal_probe(struct ipack_device *dev)
> return 0;
> 
> out_uninst:
> - kfree(ipoctal);
> + kref_put(&ipoctal->kref, ipoctal_release);
> return res;
> }
> 
> @@ -725,7 +740,7 @@ static void __ipoctal_remove(struct ipoctal *ipoctal)
> tty_unregister_driver(ipoctal->tty_drv);
> kfree(ipoctal->tty_drv->name);
> tty_driver_kref_put(ipoctal->tty_drv);
> - kfree(ipoctal);
> + kref_put(&ipoctal->kref, ipoctal_release);
> }
> 
> static void ipoctal_remove(struct ipack_device *idev)
> -- 
> 2.25.1
>