Re: [BUG] KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi

Next message: Rob Herring (Arm): "Re: [PATCH v3] dt-bindings: interrupt-controller: ti,irq-crossbar: Convert to DT schema"
Previous message: Tyrel Datwyler: "Re: [PATCH v2 6/7] ibmvfc: register and use asynchronous sub-queue"
In reply to: Armin Wolf: "Re: [BUG] KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi"
Next in thread: Armin Wolf: "Re: [BUG] KASAN: slab-use-after-free in _copy_to_user from platform/x86/dell-smbios-wmi"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnd Bergmann

Date: Mon Jun 15 2026 - 17:00:59 EST

On Mon, Jun 15, 2026, at 22:21, Armin Wolf wrote:
> Am 15.06.26 um 15:30 schrieb gregkh@xxxxxxxxxxxxxxxxxxx:
>
> Its a "unbind" operation, either from sysfs or started by the WMI driver core.
>
> I do not think that this has something to do with the module reference counter,

The misc_device reference count. The module reference count is
protected by the wmi_driver object.

> because the UAF is triggered by the device state container being freed:
>
> 1. devm_kzalloc() + misc_register()
> 2. open(), uses data previously allocated with devm_kzalloc()
> 3. unbind, misc_unregister() + freeing of state container data.
> 4. read(), access to already freed state container data.
>
> I assume that misc_unregister() does not prevent read(), write() and ioctl()
> on already opened file descriptors? If yes then i think a RW-lock inside the
> driver would be necessary to synchronize the removal of the misc device with
> any outstanding read()/ioctl() operations.

A get_device() in ->open() should prevent the misc_device from
going away during read() and ioctl(). You need to put_device() in
->release() then.

If the driver->probe() function takes a reference on the wmi_device,
that prevents it from going away underneath the misc_device.

Arnd