From: Tzung-Bi Shih <tzungbi@kernel.org>
To: Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Benson Leung <bleung@chromium.org>,
tzungbi@kernel.org, linux-kernel@vger.kernel.org,
chrome-platform@lists.linux.dev,
"Rafael J. Wysocki" <rafael@kernel.org>,
Danilo Krummrich <dakr@kernel.org>,
Jonathan Corbet <corbet@lwn.net>, Shuah Khan <shuah@kernel.org>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
Jason Gunthorpe <jgg@nvidia.com>, Johan Hovold <johan@kernel.org>,
"Paul E . McKenney" <paulmck@kernel.org>,
Dan Williams <dan.j.williams@intel.com>
Subject: [PATCH 0/8] char: misc: Introduce misc_sync to fix UAF
Date: Mon, 27 Apr 2026 21:46:51 +0800
Message-ID: <20260427134659.95181-1-tzungbi@kernel.org>

This series introduces misc_sync to address potential Use-After-Free
errors when a device is deregistered while file operations are still in
progress or files remain open. It then adopts the mechanism in the
cros_ec_chardev driver.

- Patches 1 and 2 are independent refactors in the misc subsystem.
  These are safe cleanups and should be fine to apply.

- Patch 3 is the initial Proof-of-Concept for misc_sync. It uses a
  global lock to serialize file operations, so a performance downgrade
  is expected.

- Patch 4 is an improvement over the PoC that replaces the global lock
  with SRCU for list traversal in the file operations, avoiding
  performance bottlenecks.

- Patches 5 to 7 are preparation steps in the cros_ec_chardev driver. They
  introduce reference counting for platform driver data and an event
  relayer. This removes the direct access to `ec_dev->event_notifier`
  in `cros_ec_chardev_release()`, which is a prerequisite for using
  misc_sync safely in this driver.

- Patch 8 switches the cros_ec_chardev driver to use misc_sync.

Tzung-Bi Shih (8):
  char: misc: Simplify locking with guard()
  char: misc: Introduce misc_find() helper
  char: misc: Introduce misc_sync_register()
  char: misc: Use SRCU to protect list traversal
  platform/chrome: cros_ec_chardev: Introduce chardev_data
  platform/chrome: cros_ec_chardev: Move data to chardev_pdata
  platform/chrome: cros_ec_chardev: Add event relayer
  platform/chrome: cros_ec_chardev: Use misc_sync_register()

 drivers/char/misc.c                       | 228 +++++++++++++++++-----
 drivers/platform/chrome/cros_ec_chardev.c | 113 ++++++++---
 include/linux/miscdevice.h                |  10 +
 3 files changed, 272 insertions(+), 79 deletions(-)
--
2.51.0
Thread overview: 14+ messages
2026-04-27 13:46 Tzung-Bi Shih [this message]
2026-04-27 13:46 ` [PATCH 1/8] char: misc: Simplify locking with guard() Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 2/8] char: misc: Introduce misc_find() helper Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 3/8] char: misc: Introduce misc_sync_register() Tzung-Bi Shih
2026-04-28 16:09 ` Jason Gunthorpe
2026-05-08 9:38 ` Tzung-Bi Shih
2026-05-08 11:54 ` Jason Gunthorpe
2026-05-09 9:40 ` Tzung-Bi Shih
2026-05-09 16:32 ` Jason Gunthorpe
2026-04-27 13:46 ` [PATCH 4/8] char: misc: Use SRCU to protect list traversal Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 5/8] platform/chrome: cros_ec_chardev: Introduce chardev_data Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 6/8] platform/chrome: cros_ec_chardev: Move data to chardev_pdata Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 7/8] platform/chrome: cros_ec_chardev: Add event relayer Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 8/8] platform/chrome: cros_ec_chardev: Use misc_sync_register() Tzung-Bi Shih