On Thu, Mar 19, 2026 at 12:20:48PM -0400, Damien Riégel wrote:
This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the following panic when init on free is enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):
Fixes: e806c7fb8e9b ("greybus: raw: add raw greybus kernel driver")
Signed-off-by: Damien Riégel damien.riegel@silabs.com
Changes in v2:
- trim down trace in commit message to keep only the essential part
- rework error paths in probe function to ensure device is always freed (set device release callback before any call to put_device)
- move ida_free to release callback
@@ -164,63 +172,58 @@ static int gb_raw_probe(struct gb_bundle *bundle, if (cport_desc->protocol_id != GREYBUS_PROTOCOL_RAW) return -ENODEV;
- minor = ida_alloc(&minors, GFP_KERNEL);
- if (minor < 0)
return minor;- raw = kzalloc(sizeof(*raw), GFP_KERNEL);
- if (!raw)
- if (!raw) {
return -ENOMEM;ida_free(&minors, minor);- }
- device_initialize(&raw->dev);
- raw->dev.devt = MKDEV(raw_major, minor);
- raw->dev.class = &raw_class;
- raw->dev.release = raw_dev_release;
- retval = dev_set_name(&raw->dev, "gb!raw%d", minor);
- if (retval)
goto error_put_device;connection = gb_connection_create(bundle, le16_to_cpu(cport_desc->id), gb_raw_request_handler); if (IS_ERR(connection)) { retval = PTR_ERR(connection);
goto error_free;
}goto error_put_device;INIT_LIST_HEAD(&raw->list); mutex_init(&raw->list_lock); raw->connection = connection;
- raw->dev.parent = &connection->bundle->dev;
You can set the parent above where you initialise dev since the probe function is called with a pointer to the bundle (that is being bound).
greybus_set_drvdata(bundle, raw);
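Review bot: with `goto error_free` replaced by `goto error_put_device` after `gb_connection_create()` fails, make sure the old `error_free` label and its direct `kfree(raw)`/`ida_free()` are gone from the function, since the changelog now moves `ida_free` into the release callback and `put_device()` already runs that callback; any remaining path that frees `raw` or the minor directly after `device_initialize()` would be a double free. The early `ida_free(&minors, minor)` on `kzalloc` failure is fine because it runs before `device_initialize()`, so the release callback is not yet in play. A one-line comment at `raw->dev.release = raw_dev_release;` noting that from this point on only `put_device()` may be used to tear down `raw` would make that invariant obvious to the next person touching the error paths.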
Looks good otherwise:
Reviewed-by: Johan Hovold johan@kernel.org
Johan