Re: [PATCH v5 5/7] revocable: Add fops replacement
From: Jason Gunthorpe
Date: Fri Nov 07 2025 - 09:12:14 EST

On Fri, Nov 07, 2025 at 04:11:40AM +0000, Tzung-Bi Shih wrote:
> Realized the approach doesn't work for the issue I'm looking into.
>
> - All misc devices share the same cdev[1]. If misc_deregister() calls
>   cdev_sync_revoke(), the misc devices stop working due to one of the
>   miscdevices being deregistered.
>
> [1] https://elixir.bootlin.com/linux/v6.17/source/drivers/char/misc.c#L299

That's not a "cdev" in this context, but yes, misc doesn't use
struct cdev at all.. Instead you have a struct miscdevice which has a
similar lifecycle as cdev. Indeed you can't use what I showed above at
the cdev layer exactly as is, but there is not a fundamental issue
here.

> - The context (struct cdev_sync_data) should have the same lifecycle as
>   the opening file (e.g. struct file). Otherwise, when accessing the
>   context in the fops wrappers, it results in a UAF. For example, the
>   struct cdev is likely freed after cdev_sync_revoke().

Yes, it should be tied to the memory lifecycle of the struct device
under the cdev which would then be tied to the file lifecycle. It is
not hard.

Jason