From: Tzung-Bi Shih <tzungbi@kernel.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Benson Leung <bleung@chromium.org>,
	linux-kernel@vger.kernel.org, chrome-platform@lists.linux.dev,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	Danilo Krummrich <dakr@kernel.org>,
	Jonathan Corbet <corbet@lwn.net>, Shuah Khan <shuah@kernel.org>,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Wolfram Sang <wsa+renesas@sang-engineering.com>,
	Johan Hovold <johan@kernel.org>,
	"Paul E . McKenney" <paulmck@kernel.org>,
	Dan Williams <dan.j.williams@intel.com>
Subject: Re: [PATCH 3/8] char: misc: Introduce misc_sync_register()
Date: Fri, 8 May 2026 09:38:38 +0000
Message-ID: <af2vHu9AiSeGyp01@google.com>
In-Reply-To: <20260428160956.GC718365@nvidia.com>

On Tue, Apr 28, 2026 at 01:09:56PM -0300, Jason Gunthorpe wrote:
> On Mon, Apr 27, 2026 at 09:46:54PM +0800, Tzung-Bi Shih wrote:
> > Introduce misc_sync_register() to support synchronous file operations
> > for misc devices.  This aims to prevent Use-After-Free errors when a
> > device is deregistered while file operations are still in progress or
> > files are open.
> > 
> > It creates a synchronization context that wraps supported file
> > operations and ensures the device is still registered before invoking
> > the file operations.
> > 
> > The minor number is deferred from being freed immediately on
> > deregistration and is used as a primary key to search for the
> > synchronization context in `misc_sync_ctx_list` after the device is
> > unregistered.
> > 
> > Performance impact:
> > - All file operations are serialized by a global lock.
> > - All file operations perform a linear search to find the corresponding
> >   miscdevice.
> 
> This doesn't seem like a serious proposal, this is too much
> performance cost.

Thank you for the feedback.  I understand your concerns about the performance
cost, particularly regarding the global lock and linear search.

This is indeed a serious proposal, and I've dedicated time to developing and
testing it.  Our primary goal is to address a real-world UAF issue we've
encountered on our platforms by integrating a solution upstream, whether it
uses the revocable mechanism [1] or not, rather than carrying downstream patches.

I see this as the cost for synchronizing file operations with misc driver
registration, as previously mentioned in [2], which I believe is necessary
to prevent the race conditions.  I'm open to discussing potential
optimizations or alternative approaches if you have suggestions.

[1] https://lore.kernel.org/all/20260427135841.96266-10-tzungbi@kernel.org
[2] https://lore.kernel.org/all/aTvTLpFmyVxanvYC@google.com
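
The mechanism described in the quoted commit message, as a user-space C model added here (not code from the patch or from either participant): a context keyed by minor outlives the device, every wrapped operation takes one global lock, searches the list linearly, and checks registration before calling into the driver. All identifiers are hypothetical; the model assumes deregistration takes the same lock and does not model file close, so a context is never released.

```c
/* User-space model, constructed for illustration; every name is hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

struct sync_ctx {                     /* outlives the device it wraps */
    int minor;                        /* search key, stays reserved after deregistration */
    int registered;                   /* cleared on deregistration */
    long (*read_op)(void *drvdata);   /* the driver's real file operation */
    void *drvdata;                    /* driver memory, freed on deregistration */
    struct sync_ctx *next;
};
static pthread_mutex_t sync_lock = PTHREAD_MUTEX_INITIALIZER;  /* the global lock */
static struct sync_ctx *ctx_list;

static struct sync_ctx *ctx_find(int minor)   /* linear search; caller holds sync_lock */
{
    struct sync_ctx *c = ctx_list;
    while (c && c->minor != minor) c = c->next;
    return c;
}
int model_register(int minor, long (*op)(void *), void *drvdata)
{
    struct sync_ctx *c = calloc(1, sizeof(*c));
    if (!c) return -ENOMEM;
    c->minor = minor; c->registered = 1; c->read_op = op; c->drvdata = drvdata;
    pthread_mutex_lock(&sync_lock);
    int busy = ctx_find(minor) != NULL;       /* live or stale context holds the minor */
    if (!busy) { c->next = ctx_list; ctx_list = c; }
    pthread_mutex_unlock(&sync_lock);
    if (busy) free(c);
    return busy ? -EBUSY : 0;
}
void model_deregister(int minor)
{
    pthread_mutex_lock(&sync_lock);           /* waits for any in-flight wrapped op */
    struct sync_ctx *c = ctx_find(minor);
    if (c && c->registered) { c->registered = 0; free(c->drvdata); c->drvdata = NULL; }
    pthread_mutex_unlock(&sync_lock);
}
long model_read(int minor)                    /* what an already-open file calls */
{
    long ret = -ENODEV;                       /* default: device is gone */
    pthread_mutex_lock(&sync_lock);
    struct sync_ctx *c = ctx_find(minor);
    if (c && c->registered) ret = c->read_op(c->drvdata);  /* drvdata still valid here */
    pthread_mutex_unlock(&sync_lock);
    return ret;
}
long demo_read(void *drvdata) { return *(long *)drvdata; }  /* sample driver op */
```

Because `model_read()` holds `sync_lock` across the driver call, every operation on every device is serialized and pays an O(n) lookup, which is the cost the thread is arguing about.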

Thread overview: 14+ messages
2026-04-27 13:46 [PATCH 0/8] char: misc: Introduce misc_sync to fix UAF Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 1/8] char: misc: Simplify locking with guard() Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 2/8] char: misc: Introduce misc_find() helper Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 3/8] char: misc: Introduce misc_sync_register() Tzung-Bi Shih
2026-04-28 16:09   ` Jason Gunthorpe
2026-05-08  9:38     ` Tzung-Bi Shih [this message]
2026-05-08 11:54       ` Jason Gunthorpe
2026-05-09  9:40         ` Tzung-Bi Shih
2026-05-09 16:32           ` Jason Gunthorpe
2026-04-27 13:46 ` [PATCH 4/8] char: misc: Use SRCU to protect list traversal Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 5/8] platform/chrome: cros_ec_chardev: Introduce chardev_data Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 6/8] platform/chrome: cros_ec_chardev: Move data to chardev_pdata Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 7/8] platform/chrome: cros_ec_chardev: Add event relayer Tzung-Bi Shih
2026-04-27 13:46 ` [PATCH 8/8] platform/chrome: cros_ec_chardev: Use misc_sync_register() Tzung-Bi Shih
