Re: [PATCH v2] misc: pci_endpoint_test: fix use-after-free after device unbind

From: Greg KH

Date: Sat Jun 27 2026 - 13:31:01 EST


On Sat, Jun 27, 2026 at 06:29:07PM +0530, Manivannan Sadhasivam wrote:
> On Mon, Jun 22, 2026 at 03:40:43PM -0500, Frank Li wrote:
> > On Mon, Jun 22, 2026 at 12:52:49PM -0400, Shuangpeng Bai wrote:
> > > An open miscdevice file descriptor can outlive the PCI driver binding.
> > > misc_deregister() removes the device node and prevents new opens, but it
> > > does not revoke file descriptors that are already open.
> > >
> > > Before this change, pci_endpoint_test stored the miscdevice inside struct
> > > pci_endpoint_test, and ioctl() recovered the test object from
> > > file->private_data with container_of(). Since the test object was allocated
> > > with devm_kzalloc(), it was freed when the PCI device was unbound. A
> > > process could therefore open /dev/pci-endpoint-test.N, unbind the PCI
> > > device through sysfs, and then issue an ioctl on the stale file descriptor,
> > > causing a use-after-free of struct pci_endpoint_test.
> >
> > Any way to prevent unbind when still open? This driver is only for testing
> > endpoint function; it is not worth making it complex for this unusual case.
> >
>
> I disagree here. Even though this is a simple test driver, this is exposing an
> IOCTL to userspace. So the driver should take all necessary steps to prevent
> security issues like UAF.

That UAF can ONLY happen if root causes it to happen :)
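
The lifetime bug the commit message describes, modelled in user space as an added example (this is not code from the patch, the pci_endpoint_test driver or anyone on the thread, and it does not claim to be the fix the patch applies). The pet_* names, the PET_IOCTL_READ command number and the refcount-plus-unbound-flag scheme are assumptions for the illustration: the file keeps its own reference on the object in open(), unbind drops only the driver's reference and marks the device gone, and ioctl() returns -ENODEV instead of touching a freed struct. In the kernel the flag and the hardware access would be serialized under a lock; the model is single-threaded.

```c
/* Added example, not part of the patch or the driver: user-space model of the
 * miscdevice lifetime problem. Names prefixed pet_ are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define PET_IOCTL_READ 1   /* constructed command number, not the driver's */

/* Stand-in for struct pci_endpoint_test: the object the ioctl path needs. */
struct pet_dev {
	int refcnt;      /* one reference for the bound driver, one per open file */
	bool unbound;    /* set once the PCI device has been unbound */
	int bar_value;   /* state the ioctl wants to read */
};

/* Stand-in for struct file: private_data points at the device object. */
struct pet_file {
	struct pet_dev *private_data;
};

static int pet_live_objects;   /* bookkeeping so frees can be observed */

static struct pet_dev *pet_get(struct pet_dev *dev)
{
	dev->refcnt++;
	return dev;
}

static void pet_put(struct pet_dev *dev)
{
	if (--dev->refcnt == 0) {
		pet_live_objects--;
		free(dev);   /* only the last holder frees, never unbind alone */
	}
}

/* probe(): allocate with one reference owned by the driver (not devm) */
static struct pet_dev *pet_probe(int bar_value)
{
	struct pet_dev *dev = calloc(1, sizeof(*dev));
	if (!dev)
		return NULL;
	dev->refcnt = 1;
	dev->bar_value = bar_value;
	pet_live_objects++;
	return dev;
}

/* open(): the file takes its own reference, so the object outlives unbind */
static int pet_open(struct pet_dev *dev, struct pet_file *filp)
{
	filp->private_data = pet_get(dev);
	return 0;
}

/* ioctl(): refuse to touch device state once the device is gone */
static long pet_ioctl(struct pet_file *filp, unsigned int cmd, int *out)
{
	struct pet_dev *dev = filp->private_data;

	if (dev->unbound)
		return -ENODEV;
	if (cmd != PET_IOCTL_READ)
		return -EINVAL;
	*out = dev->bar_value;
	return 0;
}

/* release(): drop the file's reference; frees if the driver is already gone */
static int pet_release(struct pet_file *filp)
{
	pet_put(filp->private_data);
	filp->private_data = NULL;
	return 0;
}

/* remove()/unbind: mark the device dead and drop only the driver's reference */
static void pet_unbind(struct pet_dev *dev)
{
	dev->unbound = true;   /* in-kernel: under the same lock ioctl() takes */
	pet_put(dev);
}

/* Scenario from the thread: open, unbind via sysfs, ioctl on stale fd, close. */
static int pet_scenario(int *ioctl_ret, int *live_after_unbind,
			int *live_after_close)
{
	struct pet_file f = { 0 };
	struct pet_dev *dev = pet_probe(0x1234);   /* constructed BAR value */
	int val = 0;

	if (!dev)
		return -ENOMEM;
	pet_open(dev, &f);
	pet_unbind(dev);                 /* driver reference gone, file's remains */
	*live_after_unbind = pet_live_objects;
	*ioctl_ret = (int)pet_ioctl(&f, PET_IOCTL_READ, &val);
	pet_release(&f);                 /* last reference: object freed here */
	*live_after_close = pet_live_objects;
	return 0;
}

int main(void)
{
	int r, lu, lc;

	if (pet_scenario(&r, &lu, &lc))
		return 1;
	printf("ioctl after unbind: %d (ENODEV=%d), live after unbind: %d, after close: %d\n",
	       r, -ENODEV, lu, lc);
	return 0;
}
```

With the devm_kzalloc() layout the commit message describes, pet_unbind() would be the point where the object is freed while f.private_data still points at it; here the object survives until pet_release() and the ioctl fails cleanly.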