Message-ID: <2025050851-splatter-thesaurus-f54e@gregkh>
Date: Thu, 8 May 2025 11:41:52 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Xin Chen <quic_cxin@...cinc.com>
Cc: Rob Herring <robh@...nel.org>, Jiri Slaby <jirislaby@...nel.org>,
linux-serial@...r.kernel.org, linux-kernel@...r.kernel.org,
liulzhao@....qualcomm.com, quic_chejiang@...cinc.com,
zaiyongc@....qualcomm.com, quic_zijuhu@...cinc.com,
quic_mohamull@...cinc.com,
Panicker Harish <quic_pharish@...cinc.com>
Subject: Re: [PATCH v1] tty: serdev: serdev-ttyport: Fix use-after-free in
ttyport_close() due to uninitialized serport->tty

On Thu, May 08, 2025 at 05:29:18PM +0800, Xin Chen wrote:
>
> On 4/30/2025 7:40 PM, Greg Kroah-Hartman wrote:
> > On Wed, Apr 30, 2025 at 07:16:17PM +0800, Xin Chen wrote:
> >> When ttyport_open() fails to initialize a tty device, serport->tty is not
> >> --- a/drivers/tty/serdev/serdev-ttyport.c
> >> +++ b/drivers/tty/serdev/serdev-ttyport.c
> >> @@ -88,6 +88,10 @@ static void ttyport_write_flush(struct serdev_controller *ctrl)
> >> {
> >> struct serport *serport = serdev_controller_get_drvdata(ctrl);
> >> struct tty_struct *tty = serport->tty;
> >> + if (!tty) {
> >> + dev_err(&ctrl->dev, "tty is null\n");
> >> + return;
> >> + }
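
Review bot: The if (!tty) test added at the top of ttyport_write_flush() works on a snapshot of serport->tty that is taken with no lock visible in this hunk, so the pointer can be cleared and the tty released between the test and the code that goes on to use tty; the check narrows the window but does not close it. Have this path and the path that sets or clears serport->tty share one lock or reference that spans both the check and the use, or make sure the flush path cannot be reached at all when serport->tty was never set up. If a check does stay, note that the dev_err() in it logs on every call that hits it.
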
> >
> > What prevents tty from going NULL right after you just checked this?
>
> First, sorry for replying so late, as I had a long statutory holiday.
> Maybe I don't get your point. From my side, there is nothing to prevent it.
> The check here is to keep the code from going on if tty is NULL.

Yes, but the problem is, serport->tty could change to be NULL right
after you check it, so you have not removed the real race that can
happen here.  There is no lock, so by adding this check you are only
reducing the risk of the problem happening, not actually fixing the
issue so that it will never happen.

Please fix it so that this can never happen.

thanks,

greg k-h