On Mon, Mar 23, 2026 at 10:25:09PM -0400, Damien Riégel wrote:
This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the following panic when init on free is enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):
Fixes: e806c7fb8e9b ("greybus: raw: add raw greybus kernel driver")
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Damien Riégel <damien.riegel@silabs.com>
Changes in v3:
- move assignment of raw->dev.parent
- add Reviewed-By: Johan Hovold
Changes in v2:
- trim down trace in commit message to keep only the essential part
- rework error paths in probe function to ensure device is always freed (set device release callback before any call to put_device)
- move ida_free to release callback
Thanks for the update, all looks good now, except one thing.
I noticed now that you did not base this on 7.0-rc so it will need another respin due to a treewide allocation change in 7.0-rc1.
@@ -164,15 +172,30 @@ static int gb_raw_probe(struct gb_bundle *bundle, if (cport_desc->protocol_id != GREYBUS_PROTOCOL_RAW) return -ENODEV;
- minor = ida_alloc(&minors, GFP_KERNEL);
- if (minor < 0)
return minor;- raw = kzalloc(sizeof(*raw), GFP_KERNEL);
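Review bot: the release callback needs to cope with a device that never got a minor, now that the ida_alloc / "if (minor < 0)" lines at the top of this hunk are removed from ahead of the kzalloc and ida_free lives in the release callback (v2 changelog). An error path that reaches put_device before a minor is assigned would otherwise call ida_free without a valid id. The rest of the hunk is not visible here, so please confirm the callback distinguishes that case, for example by keeping the minor negative until ida_alloc succeeds and checking it before ida_free.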
This line is now
raw = kzalloc_obj(*raw);
in mainline so the patch would not apply cleanly.
Could you rebase these on rc4 (which is the current staging base)?
Johan
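
A userspace C model of the lifetime rule from the v2 changelog (release callback set before any put, minor freed only in the release callback), added here as an illustration and not taken from the patch or the driver. `model_dev`, `model_raw`, the `raw_*` helpers and the boolean minor table are hypothetical stand-ins for `struct device`, the driver state and the IDA.

```c
#include <stdbool.h>
#include <stdlib.h>

#define MAX_MINORS 4
static bool minor_used[MAX_MINORS]; /* stand-in for the minors IDA */
static int live_objects;            /* objects allocated and not yet freed */
struct model_dev {                  /* stand-in for struct device */
    int refs;
    void (*release)(struct model_dev *dev);
};
struct model_raw {                  /* hypothetical, not the driver's struct */
    struct model_dev dev;           /* first member, so the cast in release is valid */
    int minor;                      /* -1 until a minor is assigned */
};
static int minor_alloc(void) {
    for (int i = 0; i < MAX_MINORS; i++)
        if (!minor_used[i]) { minor_used[i] = true; return i; }
    return -1;
}
static void model_put(struct model_dev *dev) {
    if (--dev->refs == 0)
        dev->release(dev);          /* last reference gone: only now free */
}
static void raw_release(struct model_dev *dev) {
    struct model_raw *raw = (struct model_raw *)dev;
    if (raw->minor >= 0)
        minor_used[raw->minor] = false; /* minor is returned only here */
    free(raw);
    live_objects--;
}
struct model_raw *raw_probe(void) {
    struct model_raw *raw = calloc(1, sizeof(*raw));
    if (!raw) return NULL;
    live_objects++;
    raw->minor = -1;
    raw->dev.refs = 1;
    raw->dev.release = raw_release; /* set before any model_put() */
    raw->minor = minor_alloc();
    if (raw->minor < 0) { model_put(&raw->dev); return NULL; } /* freed via callback */
    return raw;
}
void raw_open(struct model_raw *raw)       { raw->dev.refs++; }    /* cdev open */
void raw_close(struct model_raw *raw)      { model_put(&raw->dev); } /* cdev release */
void raw_disconnect(struct model_raw *raw) { model_put(&raw->dev); } /* bundle gone */
int main(void) {
    struct model_raw *raw = raw_probe();
    if (!raw) return 1;
    raw_open(raw); raw_disconnect(raw); raw_close(raw); /* close after disconnect */
    return live_objects;            /* 0 when everything was released */
}
```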