On Mon, Mar 23, 2026 at 10:25:10PM -0400, Damien Riégel wrote:
If a user writes to the chardev after disconnect has been called, the kernel panics with the following trace (with CONFIG_INIT_ON_FREE_DEFAULT_ON=y):
Fixes: e806c7fb8e9b ("greybus: raw: add raw greybus kernel driver")
Signed-off-by: Damien Riégel <damien.riegel@silabs.com>
Changes in v3:
- rename "connected" flag to "disconnected"
- acquire/release of write semaphore were in gb_raw_send, move them to the caller instead (raw_write)
Changes in v2:
- trim down trace in commit message to keep only the essential part
- convert the mutex that protected the connection to a rw_semaphore
- use a "connected" flag instead of relying on the connection pointer being NULL or not
@@ -277,11 +285,20 @@ static ssize_t raw_write(struct file *file, const char __user *buf, if (count > MAX_PACKET_SIZE) return -E2BIG;
- retval = gb_raw_send(raw, count, buf);
- if (retval)
return retval;
- down_read(&raw->disconnect_lock);
- return count;
- if (raw->disconnected) {
retval = -ENODEV;goto exit;- }
- retval = gb_raw_send(raw, count, buf);
- if (!retval)
retval = count;
I'd invert this so that we test for errors consistently:
	if (retval)
		goto exit;

	retval = count;
+exit:
- up_read(&raw->disconnect_lock);
- return retval;
} static ssize_t raw_read(struct file *file, char __user *buf, size_t count,
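Review bot: in raw_write(), gb_raw_send() is called with disconnect_lock held for read and is handed the __user buffer, so any copy from user space and the send itself happen inside the read-side critical section, and whatever takes this lock for write has to wait for both. Nothing in the hunk says that this is intended; a short comment at down_read(&raw->disconnect_lock) stating that the lock pins the connection for the duration of gb_raw_send(), and not only the disconnected flag, would keep a later change from narrowing the critical section to the flag test. The writer side is not visible in this hunk, so it is worth checking that it sets raw->disconnected under the write lock before the connection is torn down.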
Johan