From: Tzung-Bi Shih <tzungbi@kernel.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Benson Leung <bleung@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Danilo Krummrich <dakr@kernel.org>,
Jonathan Corbet <corbet@lwn.net>, Shuah Khan <shuah@kernel.org>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
chrome-platform@lists.linux.dev, linux-kselftest@vger.kernel.org,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Bartosz Golaszewski <brgl@bgdev.pl>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
Simona Vetter <simona.vetter@ffwll.ch>,
Dan Williams <dan.j.williams@intel.com>
Subject: Re: [PATCH v6 2/2] platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable
Date: Wed, 26 Nov 2025 04:16:29 +0000 [thread overview]
Message-ID: <aSZ_HXjTVbf1HKWr@google.com> (raw)
In-Reply-To: <20251106155951.GC1732817@nvidia.com>
On Thu, Nov 06, 2025 at 11:59:51AM -0400, Jason Gunthorpe wrote:
> On Thu, Nov 06, 2025 at 11:26:02PM +0800, Tzung-Bi Shih wrote:
> > @@ -166,7 +181,12 @@ static int cros_ec_chardev_open(struct inode *inode, struct file *filp)
> > if (!priv)
> > return -ENOMEM;
> >
> > - priv->ec_dev = ec_dev;
> > + priv->ec_dev_rev = revocable_alloc(ec_dev->revocable_provider);
> > + if (!priv->ec_dev_rev) {
> > + ret = -ENOMEM;
> > + goto free_priv;
> > + }
>
> The lifecyle of ec_dev->ec_dev->revocable_provider memory is
> controlled by dev:
>
> + ec_dev->revocable_provider = devm_revocable_provider_alloc(dev, ec_dev);
>
> Under the lifecycle of some other driver.
>
> The above only works because misc calls open under the misc_mtx so it
> open has "sync" behavior during misc_unregister, and other rules
My understanding is that the file is available to be opened if and only if
the miscdevice is registered. Are there any other exceptions or scenarios
I might be unaware of?
> ensure that ec_dev is valid during the full lifecycle of this driver.
To clarify, ec_dev is only required to be valid during the .open() call
itself, not for the entire lifecycle of the driver. Since ec_dev can
become invalid at any other time, the driver uses ec_dev_rev to ensure
safe access.
> So, I think this cross-driver design an abusive use of the revocable
> idea.
>
> It should not be allocated by the parent driver, it should be fully
> contained to this driver alone and used only to synchronize the
> fops. This would make it clear that the ec_dev pointer must be valid
^^^^
ec_dev_rev serves this purpose, not revocable_provider.
> during the *entire* lifecycle of this driver.
>
> What you have here by putting the providing in another driver is too
> magic and obfuscates what the actual lifetime rules are while
> providing a giant foot gun for someone to think that just because it
> is marked revocable it is fully safe to touch revocable_provider at
> any time.
>
> Broadly I think embedding a revocable in the memory that it is trying
> to protect is probably an anti-pattern as you must somehow already
> have a valid pointer to thing to get the revocable in the first place.
> This severely muddies the whole notion of when it can actually be
> revoked nor not.
ec_dev->revocable_provider should only be accessed directly within the
.open(), as ec_dev is guaranteed to be valid there. For all other cases,
it uses ec_dev_rev and checks the validity with revocable_try_access()
to determine if ec_dev has been revoked.
next prev parent reply other threads:[~2025-11-26 4:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-06 15:26 [PATCH v6 0/2] platform/chrome: Fix an UAF via revocable primitive APIs Tzung-Bi Shih
2025-11-06 15:26 ` [PATCH v6 1/2] platform/chrome: Protect cros_ec_device lifecycle with revocable Tzung-Bi Shih
2025-11-07 7:07 ` kernel test robot
2025-11-07 7:39 ` kernel test robot
2025-11-06 15:26 ` [PATCH v6 2/2] platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable Tzung-Bi Shih
2025-11-06 15:59 ` Jason Gunthorpe
2025-11-26 4:16 ` Tzung-Bi Shih [this message]
2025-11-26 15:33 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aSZ_HXjTVbf1HKWr@google.com \
--to=tzungbi@kernel.org \
--cc=bleung@chromium.org \
--cc=brgl@bgdev.pl \
--cc=chrome-platform@lists.linux.dev \
--cc=corbet@lwn.net \
--cc=dakr@kernel.org \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=shuah@kernel.org \
--cc=simona.vetter@ffwll.ch \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).