On Mon, Nov 17, 2025 at 11:48:15PM +0530, Ayaan Mirza Baig wrote:
diff --git a/drivers/staging/greybus/raw.c b/drivers/staging/greybus/raw.c index 71de6776739c..74818ca829c2 100644 --- a/drivers/staging/greybus/raw.c +++ b/drivers/staging/greybus/raw.c @@ -24,6 +24,7 @@ struct gb_raw { dev_t dev; struct cdev cdev; struct device *device;
- bool disconnected;
}; struct raw_data { @@ -231,10 +232,14 @@ static void gb_raw_disconnect(struct gb_bundle *bundle) struct raw_data *raw_data; struct raw_data *temp;
- // FIXME - handle removing a connection when the char device node is open.
- /* Mark device as disconnected so file operations fail gracefully */
- raw->disconnected = true;
- /* Disable Greybus connection before destroying the chardev */
- gb_connection_disable(connection);
- device_destroy(&raw_class, raw->dev); cdev_del(&raw->cdev);
- gb_connection_disable(connection); ida_free(&minors, MINOR(raw->dev)); gb_connection_destroy(connection);
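Review bot: In gb_raw_disconnect(), raw->disconnected = true is a plain store with no lock or barrier around it in the lines shown, and the part of the patch quoted here contains no hunk in the file operations that tests the flag, so the "fail gracefully" comment is not backed by visible code. Set the flag under a lock that the open/read/write paths also take, have those paths return an error such as -ENODEV when it is set, and note next to bool disconnected in struct gb_raw which lock protects it.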
At the end of gb_raw_disconnect(), the raw structure is freed using kfree, and so subsequent reads to raw->disconnected from other entrypoints would be a use after free.
In addition to adding the disconnected flag which you have done, you also have to convert raw to use reference counting, ensuring that the raw structure is alive till the last file is closed. Please have a look at drivers/staging/greybus/authentication.c where the same issue of files being open during disconnection is handled for the gb_cap structure in gb_cap_connection_exit() using reference counting.
Regards,
Nihaal
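The lifetime rule described in the reply above, as an added example that is not code from the patch, from raw.c or from authentication.c: a single-threaded userspace model in which every open file holds a reference, so disconnect drops its reference instead of freeing. All names (`raw_model`, `live_objects`, and the functions) are hypothetical; in the kernel the counter would normally be a `struct kref` and the flag would be protected by a lock.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only; hypothetical names, not the greybus driver's. */
struct raw_model {
	int refs;		/* stands in for a kernel reference count */
	bool disconnected;	/* set once the bundle has gone away */
};

static int live_objects;	/* lets a caller observe when the free happens */

static struct raw_model *raw_model_create(void)
{
	struct raw_model *raw = calloc(1, sizeof(*raw));

	if (!raw)
		return NULL;
	raw->refs = 1;		/* reference owned by the bundle until disconnect */
	live_objects++;
	return raw;
}

static void raw_model_put(struct raw_model *raw)
{
	if (--raw->refs == 0) {	/* last holder frees, whoever that is */
		live_objects--;
		free(raw);
	}
}

/* open(): refuse new users after disconnect, otherwise pin the structure. */
static int raw_model_open(struct raw_model *raw)
{
	if (raw->disconnected)
		return -ENODEV;
	raw->refs++;
	return 0;
}

/* read()/write() entry check: safe because the open file holds a reference. */
static int raw_model_io(struct raw_model *raw) { return raw->disconnected ? -ENODEV : 0; }

/* release(): the file gives its reference back. */
static void raw_model_release(struct raw_model *raw) { raw_model_put(raw); }

/* disconnect(): mark the device gone, then put instead of an unconditional free. */
static void raw_model_disconnect(struct raw_model *raw) { raw->disconnected = true; raw_model_put(raw); }

/* Result seen by a file that stays open across disconnect. */
static int demo_open_across_disconnect(void)
{
	struct raw_model *raw = raw_model_create();
	int ret;

	if (!raw || raw_model_open(raw))
		return -1;
	raw_model_disconnect(raw);	/* refs 2 -> 1: memory stays valid */
	ret = raw_model_io(raw);	/* flag is read from live memory */
	raw_model_release(raw);		/* refs 1 -> 0: freed here */
	return ret;
}
```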