| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250714-rfc_miscdev-v6-5-2ed949665bde@oss.qualcomm.com> Date: Mon, 14 Jul 2025 23:34:16 +0800 From: Zijun Hu <zijun_hu@...oud.com> To: Arnd Bergmann <arnd@...db.de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "James E.J. Bottomley" <James.Bottomley@...senPartnership.com>, Helge Deller <deller@....de>, "David S. Miller" <davem@...emloft.net>, Andreas Larsson <andreas@...sler.com> Cc: Thadeu Lima de Souza Cascardo <cascardo@...lia.com>, Zijun Hu <zijun_hu@...oud.com>, linux-kernel@...r.kernel.org, linux-parisc@...r.kernel.org, sparclinux@...r.kernel.org, Zijun Hu <zijun.hu@....qualcomm.com> Subject: [PATCH v6 5/8] char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor From: Zijun Hu <zijun.hu@....qualcomm.com> For miscdevice who wants dynamic minor, it may fail to be registered again without reinitialization after being de-registered, which is illustrated by kunit test case miscdev_test_dynamic_reentry() newly added. There is a real case found by cascardo when a part of minor range were contained by range [0, 255): 1) wmi/dell-smbios registered minor 122, and acpi_thermal_rel registered minor 123 2) unbind "int3400 thermal" driver from its device, this will de-register acpi_thermal_rel 3) rmmod then insmod dell_smbios again, now wmi/dell-smbios is using minor 123 4) bind the device to "int3400 thermal" driver again, acpi_thermal_rel fails to register. Some drivers may reuse the miscdevice structure after they are deregistered If the intention is to allocate a dynamic minor, if the minor number is not reset to MISC_DYNAMIC_MINOR before calling misc_register(), it will try to register a previously dynamically allocated minor number, which may have been registered by a different driver. One such case is the acpi_thermal_rel misc device, registered by the int3400 thermal driver. If the device is unbound from the driver and later bound, if there was another dynamic misc device registered in between, it would fail to register the acpi_thermal_rel misc device. Other drivers behave similarly. Actually, this kind of issue is prone to happen if APIs misc_register()/misc_deregister() are invoked by driver's probe()/remove() separately. Instead of fixing all the drivers, just reset the minor member to MISC_DYNAMIC_MINOR in misc_deregister() in case it was a dynamically allocated minor number, as error handling of misc_register() does. Cc: Thadeu Lima de Souza Cascardo <cascardo@...lia.com> Signed-off-by: Zijun Hu <zijun.hu@....qualcomm.com> --- Thank you cascardo for sharing a real case and help to rework commit message. (^^)(^^) --- drivers/char/misc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/misc.c b/drivers/char/misc.c index b8e66466184fa21fb66d968db7950e0b5669ac43..96ed343cf5c8509a09855020049a9af82a3ede95 100644 --- a/drivers/char/misc.c +++ b/drivers/char/misc.c @@ -288,6 +288,8 @@ void misc_deregister(struct miscdevice *misc) list_del(&misc->list); device_destroy(&misc_class, MKDEV(MISC_MAJOR, misc->minor)); misc_minor_free(misc->minor); + if (misc->minor > MISC_DYNAMIC_MINOR) + misc->minor = MISC_DYNAMIC_MINOR; mutex_unlock(&misc_mtx); } EXPORT_SYMBOL(misc_deregister); -- 2.34.1
Powered by blists - more mailing lists