Re: [PATCH v3 1/2] greybus: raw: fix use-after-free on cdev close

From: Johan Hovold

Date: Tue Mar 24 2026 - 03:46:01 EST


On Mon, Mar 23, 2026 at 10:25:09PM -0400, Damien Riégel wrote:
> This addresses a use-after-free bug when a raw bundle is disconnected
> but its chardev is still opened by an application. When the application
> releases the cdev, it causes the following panic when init on free is
> enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

> Fixes: e806c7fb8e9b ("greybus: raw: add raw greybus kernel driver")
> Reviewed-by: Johan Hovold <johan@xxxxxxxxxx>
> Signed-off-by: Damien Riégel <damien.riegel@xxxxxxxxxx>
> ---
> Changes in v3:
> - move assignment of raw->dev.parent
> - add Reviewed-By: Johan Hovold
>
> Changes in v2:
> - trim down trace in commit message to keep only the essential part
> - rework error paths in probe function to ensure device is always freed
> (set device release callback before any call to put_device)
> - move ida_free to release callback

Thanks for the update, all looks good now, except one thing.

I noticed now that you did not base this on 7.0-rc so it will need
another respin due to a treewide allocation change in 7.0-rc1.

> @@ -164,15 +172,30 @@ static int gb_raw_probe(struct gb_bundle *bundle,
> if (cport_desc->protocol_id != GREYBUS_PROTOCOL_RAW)
> return -ENODEV;
>
> + minor = ida_alloc(&minors, GFP_KERNEL);
> + if (minor < 0)
> + return minor;
> +
> raw = kzalloc(sizeof(*raw), GFP_KERNEL);
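Review bot: with the minor now allocated by ida_alloc() before the kzalloc() call, the kzalloc() failure path in this hunk must release it with ida_free() explicitly; the v2 changelog moves ida_free to the device release callback, but that callback can only run after the device has been initialized, so it cannot cover a failed kzalloc() here. Please confirm the error path directly after kzalloc() frees the minor rather than relying on the release callback.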

This line is now

raw = kzalloc_obj(*raw);

in mainline so the patch would not apply cleanly.

Could you rebase these on rc4 (which is the current staging base)?

Johan