CVE-2026-23115

Source
https://cve.org/CVERecord?id=CVE-2026-23115
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23115.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23115
Downstream
Published
2026-02-14T15:09:47.826Z
Modified
2026-04-02T13:12:03.596973Z
Summary
serial: Fix not set tty->port race condition
Details

In the Linux kernel, the following vulnerability has been resolved:

serial: Fix not set tty->port race condition

Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be configured before we call uart_configure_port(), otherwise user-space can open console without TTY linked to the driver.

This tty_port_link_device() was added explicitly to avoid this exact issue in commit fb2b90014d78 ("tty: link tty and port before configuring it as console"), so offending commit basically reverted the fix saying it is redundant without addressing the actual race condition presented there.

Reproducible always as tty->port warning on Qualcomm SoC with most of devices disabled, so with very fast boot, and one serial device being the console:

    printk: legacy console [ttyMSM0] enabled
    printk: legacy console [ttyMSM0] enabled
    printk: legacy bootconsole [qcom_geni0] disabled
    printk: legacy bootconsole [qcom_geni0] disabled
    ------------[ cut here ]------------
    tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!
    WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1
    Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6
    CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT
    Tainted: [S]=CPU_OUT_OF_SPEC
    Hardware name: Qualcomm Technologies, Inc. Eliza (DT)
    ...
    tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)
    tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))
    chrdev_open (fs/char_dev.c:411)
    do_dentry_open (fs/open.c:962)
    vfs_open (fs/open.c:1094)
    do_open (fs/namei.c:4634)
    path_openat (fs/namei.c:4793)
    do_filp_open (fs/namei.c:4820)
    do_sys_openat2 (fs/open.c:1391 (discriminator 3))
    ...
    Starting Network Name Resolution...

Apparently the flow with this small Yocto-based ramdisk user-space is:

    driver (qcom_geni_serial.c):                  user-space:
    ============================                  ===========
    qcom_geni_serial_probe()
     uart_add_one_port()
      serial_core_register_port()
       serial_core_add_one_port()
        uart_configure_port()
         register_console()
        |
        |                                         open console
        |                                           ...
        |                                           tty_init_dev()
        |                                             driver->ports[idx] is NULL
        |
        tty_port_register_device_attr_serdev()
         tty_port_link_device() <- set driver->ports[idx]
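
As an added illustration (not kernel code and not part of the commit message), the C model below replays the two probe orderings from the flow above and attempts a console open after every step, counting the points where the console is already registered but driver->ports[idx] is still NULL. All model_* names are hypothetical, and the model assumes the console can only be opened once register_console() has run.

```c
/* Added model of the probe ordering; not kernel code. model_* names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

enum model_step { LINK_PORT, CONFIGURE_PORT, REGISTER_DEVICE };
struct model_driver {
    const void *port;    /* stands in for driver->ports[idx] */
    int console_enabled; /* set once register_console() has run */
};

static void model_run_step(struct model_driver *d, enum model_step s)
{
    static const int the_port = 1;
    switch (s) {
    case LINK_PORT:       /* tty_port_link_device() */
    case REGISTER_DEVICE: /* tty_port_register_device_attr_serdev() also links */
        d->port = &the_port;
        break;
    case CONFIGURE_PORT:  /* uart_configure_port() -> register_console() */
        d->console_enabled = 1;
        break;
    }
}

/* Assumption: the console is openable only after register_console(). */
static int model_open_hits_null(const struct model_driver *d)
{
    return d->console_enabled && d->port == NULL;
}

/* Attempt an open after every prefix of seq; count prefixes that hit NULL. */
int model_count_race_windows(const enum model_step *seq, size_t n)
{
    int windows = 0;
    for (size_t cut = 0; cut <= n; cut++) {
        struct model_driver d = { NULL, 0 };
        for (size_t i = 0; i < cut; i++)
            model_run_step(&d, seq[i]);
        windows += model_open_hits_null(&d);
    }
    return windows;
}

const enum model_step model_reverted[] = { CONFIGURE_PORT, REGISTER_DEVICE };
const enum model_step model_fixed[] = { LINK_PORT, CONFIGURE_PORT, REGISTER_DEVICE };

int main(void)
{
    printf("link removed:  %d window(s)\n", model_count_race_windows(model_reverted, 2));
    printf("link restored: %d window(s)\n", model_count_race_windows(model_fixed, 3));
    return 0;
}
```

The single window in the first ordering corresponds to the gap between register_console() and tty_port_register_device_attr_serdev() in the flow above.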

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23115.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bfc467db60b76c30ca1f7f02088a219b6d5b6e8c
Fixed
2501c49306238b54a2de0f93de43d50ab6e76c84
Fixed
32f37e57583f869140cff445feedeea8a5fea986

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23115.json"