* [PATCH] scsi: ufs: core: Fix UFS RPMB device teardown order
@ 2026-06-23 12:05 Ao Sun
2026-06-23 12:18 ` sashiko-bot
0 siblings, 1 reply; 2+ messages in thread
From: Ao Sun @ 2026-06-23 12:05 UTC (permalink / raw)
To: James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com,
beanhuo@micron.com
Cc: alim.akhtar@samsung.com, avri.altman@wdc.com, bvanassche@acm.org,
can.guo@oss.qualcomm.com, linux-scsi@vger.kernel.org, Jiazi Li,
Hongyan Xia, Ao Sun, sashiko-bot@kernel.org
From: Ao Sun <ao.sun@transsion.com>
The child RPMB device holds a reference to its parent, so the parent's
release callback cannot be invoked if the child device is still registered.
Remove the rpmb_dev_unregister() from the parent release handler.
Unregister the child RPMB device ahead of the parent device in the
remove path to allow the parent release callback to execute.
Free the memory allocated for ufs_rpmb within the parent release
callback to avoid memory leaks on probe failure.
Reported-by: sashiko-bot@kernel.org
Closes: https://lore.kernel.org/all/20260618064142.8C30E1F000E9@smtp.kernel.org/
Signed-off-by: Jiazi Li <jiazi.li@transsion.com>
Signed-off-by: Ao Sun <ao.sun@transsion.com>
---
drivers/ufs/core/ufs-rpmb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufs-rpmb.c b/drivers/ufs/core/ufs-rpmb.c
index ffad049872b9..dcb7e521284f 100644
--- a/drivers/ufs/core/ufs-rpmb.c
+++ b/drivers/ufs/core/ufs-rpmb.c
@@ -128,7 +128,7 @@ static void ufs_rpmb_device_release(struct device *dev)
{
struct ufs_rpmb_dev *ufs_rpmb = dev_get_drvdata(dev);
- rpmb_dev_unregister(ufs_rpmb->rdev);
+ devm_kfree(ufs_rpmb->hba->dev, ufs_rpmb);
}
/* UFS RPMB device registration */
@@ -224,6 +224,7 @@ int ufs_rpmb_probe(struct ufs_hba *hba)
kfree(cid);
list_for_each_entry_safe(it, tmp, &hba->rpmbs, node) {
list_del(&it->node);
+ rpmb_dev_unregister(it->rdev);
device_unregister(&it->dev);
}
@@ -244,6 +245,7 @@ void ufs_rpmb_remove(struct ufs_hba *hba)
/* Remove from list first */
list_del(&ufs_rpmb->node);
/* Unregister device */
+ rpmb_dev_unregister(ufs_rpmb->rdev);
device_unregister(&ufs_rpmb->dev);
}
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] scsi: ufs: core: Fix UFS RPMB device teardown order
2026-06-23 12:05 [PATCH] scsi: ufs: core: Fix UFS RPMB device teardown order Ao Sun
@ 2026-06-23 12:18 ` sashiko-bot
0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-23 12:18 UTC (permalink / raw)
To: Ao Sun; +Cc: linux-scsi
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Allocating a structure embedding a `struct device` via `devm_kzalloc()` creates a fundamental lifetime mismatch. The patch exacerbates this by adding `devm_kfree()` to the `release` callback, triggering a fatal Use-After-Free if the device release is delayed.
- [High] If `ufs_rpmb_probe()` exits early, `hba->rpmbs` is never initialized, leading to a guaranteed NULL-pointer dereference in `ufs_rpmb_remove()` during driver teardown.
--
commit 79815281175f9750b2f8b1eccd86223bc783c72a
Author: Ao Sun <ao.sun@transsion.com>
scsi: ufs: core: Fix UFS RPMB device teardown order
This commit modifies the teardown order of the UFS RPMB device by
unregistering the child RPMB device ahead of the parent device in the
remove path. It also moves the memory deallocation for the ufs_rpmb
structure to the parent release callback.
Link: https://lore.kernel.org/all/20260618064142.8C30E1F000E9@smtp.kernel.org/
> diff --git a/drivers/ufs/core/ufs-rpmb.c b/drivers/ufs/core/ufs-rpmb.c
> index ffad049872b9a..dcb7e521284f1 100644
> --- a/drivers/ufs/core/ufs-rpmb.c
> +++ b/drivers/ufs/core/ufs-rpmb.c
> @@ -128,7 +128,7 @@ static void ufs_rpmb_device_release(struct device *dev)
> {
> struct ufs_rpmb_dev *ufs_rpmb = dev_get_drvdata(dev);
>
> - rpmb_dev_unregister(ufs_rpmb->rdev);
> + devm_kfree(ufs_rpmb->hba->dev, ufs_rpmb);
[Severity: High]
This is a pre-existing issue, but does allocating a structure embedding a
struct device via devm_kzalloc() create a lifetime mismatch?
This patch exacerbates the issue by adding devm_kfree() to the release
callback. If a user holds a sysfs attribute open during driver unbind,
devres will automatically free ufs_rpmb. Later, when the sysfs file is
closed and the final kobject reference is dropped, ufs_rpmb_device_release()
executes and dereferences the already-freed ufs_rpmb pointer to read
ufs_rpmb->hba->dev, leading to a use-after-free.
> }
[ ... ]
> @@ -244,6 +245,7 @@ void ufs_rpmb_remove(struct ufs_hba *hba)
> /* Remove from list first */
> list_del(&ufs_rpmb->node);
> /* Unregister device */
> + rpmb_dev_unregister(ufs_rpmb->rdev);
> device_unregister(&ufs_rpmb->dev);
> }
[Severity: High]
This isn't a bug introduced by this patch, but if ufs_rpmb_probe() exits
early before calling INIT_LIST_HEAD(&hba->rpmbs), won't hba->rpmbs remain
zero-initialized?
If the driver is unbound later, ufs_rpmb_remove() is called on that
zero-initialized list:
drivers/ufs/core/ufs-rpmb.c:ufs_rpmb_remove() {
if (list_empty(&hba->rpmbs))
return;
list_for_each_entry_safe(ufs_rpmb, tmp, &hba->rpmbs, node) {
...
Since head->next is NULL on a zero-initialized list, list_empty()
evaluates to false. This means list_for_each_entry_safe() will dereference
NULL->next during initialization, causing an immediate kernel panic.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623120440.13883-1-ao.sun@transsion.com?part=1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-23 12:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-23 12:05 [PATCH] scsi: ufs: core: Fix UFS RPMB device teardown order Ao Sun
2026-06-23 12:18 ` sashiko-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox