From: Johan Hovold <johan@kernel.org>
To: "Damien Riégel" <damien.riegel@silabs.com>
Cc: Alex Elder <elder@kernel.org>,
Dan Carpenter <dan.carpenter@linaro.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 1/2] greybus: raw: fix use-after-free on cdev close
Date: Tue, 24 Mar 2026 08:45:41 +0100
Message-ID: <acJBJVB9ZfGrmPrg@hovoldconsulting.com>
In-Reply-To: <20260324022510.28596-1-damien.riegel@silabs.com>
On Mon, Mar 23, 2026 at 10:25:09PM -0400, Damien Riégel wrote:
> This addresses a use-after-free bug when a raw bundle is disconnected
> but its chardev is still opened by an application. When the application
> releases the cdev, it causes the following panic when init on free is
> enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):
> Fixes: e806c7fb8e9b ("greybus: raw: add raw greybus kernel driver")
> Reviewed-by: Johan Hovold <johan@kernel.org>
> Signed-off-by: Damien Riégel <damien.riegel@silabs.com>
> ---
> Changes in v3:
> - move assignment of raw->dev.parent
> - add Reviewed-By: Johan Hovold
>
> Changes in v2:
> - trim down trace in commit message to keep only the essential part
> - rework error paths in probe function to ensure device is always freed
> (set device release callback before any call to put_device)
> - move ida_free to release callback
Thanks for the update, all looks good now, except one thing.
I noticed now that you did not base this on 7.0-rc so it will need
another respin due to a treewide allocation change in 7.0-rc1.
> @@ -164,15 +172,30 @@ static int gb_raw_probe(struct gb_bundle *bundle,
> if (cport_desc->protocol_id != GREYBUS_PROTOCOL_RAW)
> return -ENODEV;
>
> + minor = ida_alloc(&minors, GFP_KERNEL);
> + if (minor < 0)
> + return minor;
> +
> raw = kzalloc(sizeof(*raw), GFP_KERNEL);
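Review bot: With ida_alloc() now ahead of the kzalloc() of raw, the failure path right after this kzalloc() has to give the minor back itself, for example ida_free(&minors, minor) before returning the error. The v2 changelog moves ida_free into the release callback, but that callback can only run once raw exists and its device has a release callback set, so it cannot cover a failed allocation of raw. The quoted context stops at the kzalloc() line, so this cannot be confirmed from the lines shown here and is worth checking in the respin.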
This line is now
raw = kzalloc_obj(*raw);
in mainline so the patch would not apply cleanly.
Could you rebase these on rc4 (which is the current staging base)?
Johan