* [RESEND PATCH] uio: fix uio_unregister_device
@ 2026-02-13 13:01 Igor Klochko (Nokia)
2026-02-13 13:19 ` gregkh
0 siblings, 1 reply; 2+ messages in thread
From: Igor Klochko (Nokia) @ 2026-02-13 13:01 UTC (permalink / raw)
To: stable@vger.kernel.org, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org
Cc: Philippe Belet (Nokia)
When uio devices are created and removed in parallel, then we sometimes
encounter kernel traces along the following lines:

  sysfs: cannot create duplicate filename '/class/uio/uio899'

which stem from:

  sysfs_create_link+0x24/0x50
  device_add+0x2f0/0x780
  __uio_register_device+0x18c/0x550

The sysfs directory creation is performed synchronously as part of the
device_add call. The high level sequence for uio registration is:

 1. uio_get_minor (idr call, in critical section)
 2. device_add (leads to sysfs directory)
 3. manage attributes (populates part of the sysfs directory)

For unregistration we have by default the following flow:

 1. clean-up attributes
 2. uio_free_minor (idr call, in critical section)
 3. device_unregister (cleans up sysfs directory)

This creates a racing problem when we are in parallel creating and removing uio
devices. The uio-minor that is freed when calling uio_free_minor can be claimed
by a subsequent uio_get_minor call. The problem is that the device_add flow
can end up triggered, leading to a sysfs directory creation; while the
device_unregister flow has not yet cleaned up the sysfs directory.

This patch cleans up this problem by mirroring the registration and
unregistration flow correctly.
After this patch, the unregistration flow becomes:

 1. clean-up attributes
 2. device_unregister
 3. uio_free_minor

Fixes: 0c9ae0b86050 ("uio: Fix use-after-free in uio_open")
Cc: stable@vger.kernel.org
Signed-off-by: Philippe Belet <philippe.belet@nokia.com>
Reviewed-by: Igor Klochko <igor.klochko@nokia.com>

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index fa0d4e6aee16..5dd137a85576 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -1125,8 +1125,8 @@ void uio_unregister_device(struct uio_info *info)
wake_up_interruptible(&idev->wait);
kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);
- uio_free_minor(minor);
device_unregister(&idev->dev);
+ uio_free_minor(minor);
return;
}
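Review bot: The moved `uio_free_minor(minor);` at the end of this hunk has no comment saying why it must follow `device_unregister(&idev->dev);`, so a later cleanup could swap the two calls back. A one-line comment above it, for example that the minor may only return to the idr once the sysfs entry is gone, would record the ordering constraint the commit message describes.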
^ permalink raw reply related [flat|nested] 2+ messages in thread
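The interleaving described in the patch description above, as an added userspace model that is not kernel code and not part of the posted patch. The `model_*` helpers and the two boolean arrays are hypothetical stand-ins for the idr and for the `/class/uio/uioN` names; one fixed schedule places a registration between unregistration steps 2 and 3.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MINORS 4

/* Hypothetical stand-ins: minor_used models the idr,
 * sysfs_name models the /class/uio/uioN entries. */
static bool minor_used[MAX_MINORS];
static bool sysfs_name[MAX_MINORS];

static int model_get_minor(void)
{
    for (int i = 0; i < MAX_MINORS; i++)
        if (!minor_used[i]) { minor_used[i] = true; return i; }
    return -1;
}
static void model_free_minor(int minor) { minor_used[minor] = false; }

/* Like device_add in the trace: refuses a name that still exists. */
static bool model_device_add(int minor)
{
    if (sysfs_name[minor])
        return false;
    sysfs_name[minor] = true;
    return true;
}
static void model_device_unregister(int minor) { sysfs_name[minor] = false; }

/* Returns true when the interleaved registration hits a duplicate name. */
bool registration_sees_duplicate(bool free_minor_first)
{
    memset(minor_used, 0, sizeof(minor_used));
    memset(sysfs_name, 0, sizeof(sysfs_name));
    int old_minor = model_get_minor();      /* existing device */
    model_device_add(old_minor);

    /* Unregistration step 2 (old order frees the minor here). */
    if (free_minor_first) model_free_minor(old_minor);
    else                  model_device_unregister(old_minor);

    /* A parallel registration runs between steps 2 and 3. */
    int new_minor = model_get_minor();
    bool duplicate = !model_device_add(new_minor);

    /* Unregistration step 3. */
    if (free_minor_first) model_device_unregister(old_minor);
    else                  model_free_minor(old_minor);
    return duplicate;
}

int main(void)
{
    printf("old order duplicate: %d\n", registration_sees_duplicate(true));
    printf("new order duplicate: %d\n", registration_sees_duplicate(false));
    return 0;
}
```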
* Re: [RESEND PATCH] uio: fix uio_unregister_device
2026-02-13 13:01 [RESEND PATCH] uio: fix uio_unregister_device Igor Klochko (Nokia)
@ 2026-02-13 13:19 ` gregkh
0 siblings, 0 replies; 2+ messages in thread
From: gregkh @ 2026-02-13 13:19 UTC (permalink / raw)
To: Igor Klochko (Nokia)
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
Philippe Belet (Nokia)
On Fri, Feb 13, 2026 at 01:01:45PM +0000, Igor Klochko (Nokia) wrote:
> When uio devices are created and removed in parallel, then we sometimes
> encounter kernel traces along the following lines:
>
> sysfs: cannot create duplicate filename '/class/uio/uio899'
>
> which stem from:
>
> sysfs_create_link+0x24/0x50
> device_add+0x2f0/0x780
> __uio_register_device+0x18c/0x550
>
> The sysfs directory creation is performed synchronously as part of the
> device_add call. The high level sequence for uio registration is:
>
> 1. uio_get_minor (idr call, in critical section)
> 2. device_add (leads to sysfs directory)
> 3. manage attributes (populates part of the sysfs directory)
>
> For unregistration we have by default the following flow:
>
> 1. clean-up attributes
> 2. uio_free_minor (idr call, in critical section)
> 3. device_unregister (cleans up sysfs directory)
>
> This creates a racing problem when we are in parallel creating and removing uio
> devices. The uio-minor that is freed when calling uio_free_minor can be claimed
> by a subsequent uio_get_minor call. The problem is that the device_add flow
> can end up triggered, leading to a sysfs directory creation; while the
> device_unregister flow has not yet cleaned up the sysfs directory.
>
> This patch cleans up this problem by mirroring the registration and
> unregistration flow correctly.
> After this patch, the unregistration flow becomes:
>
> 1. clean-up attributes
> 2. device_unregister
> 3. uio_free_minor
>
> Fixes: 0c9ae0b86050 ("uio: Fix use-after-free in uio_open")
> Cc: stable@vger.kernel.org
> Signed-off-by: Philippe Belet <philippe.belet@nokia.com>
> Reviewed-by: Igor Klochko <igor.klochko@nokia.com>
>
> diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
> index fa0d4e6aee16..5dd137a85576 100644
> --- a/drivers/uio/uio.c
> +++ b/drivers/uio/uio.c
> @@ -1125,8 +1125,8 @@ void uio_unregister_device(struct uio_info *info)
> wake_up_interruptible(&idev->wait);
> kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);
>
> - uio_free_minor(minor);
> device_unregister(&idev->dev);
> + uio_free_minor(minor);
>
> return;
> }
>
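Review bot: Nothing after `device_unregister(&idev->dev);` should dereference `idev`, since that call can drop the last reference to the device, and the new order puts `uio_free_minor(minor);` after it. The call passes `minor` rather than `idev->minor`, which is safe as long as `minor` was read earlier in the function (not visible in this hunk); stating that in the changelog would make the reorder easier to review.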
This is not a [RESEND] but rather a v2.
Please document what changed from the previous version below the ---
line.
Try again as a v3?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread