tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

serial: caif: hold tty->link reference in ldisc_open and ser_release

A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.

With this change applied, the reproducer no longer triggers the UAF in
my testing.

Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com
Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference")
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Shuangpeng Bai and committed by
Jakub Kicinski 288598d8 87d12685

+3
+3
drivers/net/caif/caif_serial.c
··· 297 297 dev_close(ser->dev); 298 298 unregister_netdevice(ser->dev); 299 299 debugfs_deinit(ser); 300 + tty_kref_put(tty->link); 300 301 tty_kref_put(tty); 301 302 } 302 303 rtnl_unlock(); ··· 332 331 333 332 ser = netdev_priv(dev); 334 333 ser->tty = tty_kref_get(tty); 334 + tty_kref_get(tty->link); 335 335 ser->dev = dev; 336 336 debugfs_init(ser, tty); 337 337 tty->receive_room = 4096; ··· 341 339 rtnl_lock(); 342 340 result = register_netdevice(dev); 343 341 if (result) { 342 + tty_kref_put(tty->link); 344 343 tty_kref_put(tty); 345 344 rtnl_unlock(); 346 345 free_netdev(dev);