Re: [PATCH v2] misc: pci_endpoint_test: fix use-after-free after device unbind
From: Manivannan Sadhasivam
Date: Sat Jun 27 2026 - 08:59:34 EST
On Mon, Jun 22, 2026 at 03:40:43PM -0500, Frank Li wrote:
> On Mon, Jun 22, 2026 at 12:52:49PM -0400, Shuangpeng Bai wrote:
> >
> > An open miscdevice file descriptor can outlive the PCI driver binding.
> > misc_deregister() removes the device node and prevents new opens, but it
> > does not revoke file descriptors that are already open.
> >
> > Before this change, pci_endpoint_test stored the miscdevice inside struct
> > pci_endpoint_test, and ioctl() recovered the test object from
> > file->private_data with container_of(). Since the test object was allocated
> > with devm_kzalloc(), it was freed when the PCI device was unbound. A
> > process could therefore open /dev/pci-endpoint-test.N, unbind the PCI
> > device through sysfs, and then issue an ioctl on the stale file descriptor,
> > causing a use-after-free of struct pci_endpoint_test.
>
> Any way to prevent unbind while it is still open? This driver is only for testing the
> endpoint function; it is not worth making it complex for this unusual case.
>
I disagree here. Even though this is a simple test driver, this is exposing an
IOCTL to userspace. So the driver should take all necessary steps to prevent
security issues like UAF.
- Mani
--
மணிவண்ணன் சதாசிவம்
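The lifetime problem described in the quoted commit message (an open fd borrowing devm memory that unbind frees) can be modelled outside the kernel. The following is an added user-space C example, not code from the patch or from the kernel: the struct names, the `bound` flag and the refcount are constructed stand-ins for the kernel's miscdevice/kref machinery, showing how holding a per-file reference lets an ioctl() on a stale fd fail with -ENODEV instead of touching freed memory.

```c
/* Constructed user-space model (not kernel code): the open file holds its own
 * reference, so unbind cannot free the object out from under ioctl(). */
#include <stdlib.h>
#include <errno.h>
struct endpoint_test {
    int refcnt; /* held by the device binding and by every open file */
    int bound;  /* cleared on unbind; ioctl() refuses with -ENODEV after that */
    int reg;    /* stand-in for a BAR register that ioctl() reads */
};
struct file { struct endpoint_test *private_data; };
static void test_put(struct endpoint_test *t)
{
    if (--t->refcnt == 0) /* a real driver would use kref/atomics here */
        free(t);
}
/* probe(): plain allocation, not devm, so lifetime is not tied to the binding */
struct endpoint_test *test_probe(void)
{
    struct endpoint_test *t = calloc(1, sizeof(*t));
    if (!t) return NULL;
    t->refcnt = 1; t->bound = 1; t->reg = 0x1234;
    return t;
}
/* open(): take a reference instead of borrowing the binding's memory */
void test_open(struct file *f, struct endpoint_test *t)
{
    t->refcnt++;
    f->private_data = t;
}
/* unbind(): mark the hardware gone and drop only the binding's reference */
void test_unbind(struct endpoint_test *t)
{
    t->bound = 0;
    test_put(t);
}
/* ioctl() on a stale fd: the object is still valid, so we can fail cleanly */
int test_ioctl(struct file *f, int *out)
{
    struct endpoint_test *t = f->private_data;
    if (!t->bound)
        return -ENODEV;
    *out = t->reg;
    return 0;
}
/* release(): the last reference frees the object, whenever that happens */
void test_release(struct file *f)
{
    test_put(f->private_data);
    f->private_data = NULL;
}
```

Running the sequence open, unbind, ioctl, release under a sanitizer shows no access to freed memory, whereas the pre-fix layout (test object freed by unbind while the fd still points at it) would.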