Re: [PATCH v2 1/2] greybus: raw: fix use-after-free on cdev close

From: Johan Hovold

Date: Mon Mar 23 2026 - 10:38:43 EST


On Thu, Mar 19, 2026 at 12:20:48PM -0400, Damien Riégel wrote:
> This addresses a use-after-free bug when a raw bundle is disconnected
> but its chardev is still opened by an application. When the application
> releases the cdev, it causes the following panic when init on free is
> enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

> Fixes: e806c7fb8e9b ("greybus: raw: add raw greybus kernel driver")
> Signed-off-by: Damien Riégel <damien.riegel@xxxxxxxxxx>
> ---
> Changes in v2:
> - trim down trace in commit message to keep only the essential part
> - rework error paths in probe function to ensure device is always
> freed (set device release callback before any call to put_device)
> - move ida_free to release callback

> @@ -164,63 +172,58 @@ static int gb_raw_probe(struct gb_bundle *bundle,
> if (cport_desc->protocol_id != GREYBUS_PROTOCOL_RAW)
> return -ENODEV;
>
> + minor = ida_alloc(&minors, GFP_KERNEL);
> + if (minor < 0)
> + return minor;
> +
> raw = kzalloc(sizeof(*raw), GFP_KERNEL);
> - if (!raw)
> + if (!raw) {
> + ida_free(&minors, minor);
> return -ENOMEM;
> + }
> +
> + device_initialize(&raw->dev);
> + raw->dev.devt = MKDEV(raw_major, minor);
> + raw->dev.class = &raw_class;
> + raw->dev.release = raw_dev_release;
> + retval = dev_set_name(&raw->dev, "gb!raw%d", minor);
> + if (retval)
> + goto error_put_device;
>
> connection = gb_connection_create(bundle, le16_to_cpu(cport_desc->id),
> gb_raw_request_handler);
> if (IS_ERR(connection)) {
> retval = PTR_ERR(connection);
> - goto error_free;
> + goto error_put_device;
> }
>
> INIT_LIST_HEAD(&raw->list);
> mutex_init(&raw->list_lock);
>
> raw->connection = connection;
> + raw->dev.parent = &connection->bundle->dev;

You can set the parent above where you initialise dev since the probe
function is called with a pointer to the bundle (that is being bound).

> greybus_set_drvdata(bundle, raw);
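
Review bot: Both "goto error_put_device" paths in gb_raw_probe (after dev_set_name() and after gb_connection_create()) are taken before INIT_LIST_HEAD(&raw->list), mutex_init(&raw->list_lock) and "raw->connection = connection" have run, so raw_dev_release, which is not visible in this hunk, can be called on a raw whose list head is still zeroed and whose connection is NULL. Please confirm the release callback neither walks raw->list nor dereferences raw->connection, or move the two init calls up next to device_initialize() so every path that reaches put_device sees an initialised structure. Since the changelog says ida_free now lives in the release callback, a one-line comment at device_initialize() noting that from that point raw and the minor are released only through the device release would help keep a later error path from adding a direct kfree() or a second ida_free().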

Looks good otherwise:

Reviewed-by: Johan Hovold <johan@xxxxxxxxxx>

Johan