On Fri, Nov 07, 2025 at 04:11:40AM +0000, Tzung-Bi Shih wrote:
> Realized the approach doesn't work for the issue I'm looking into.
> - All misc devices share the same cdev[1]. If misc_deregister() calls cdev_sync_revoke(), the misc devices stop working because one of the miscdevices was deregistered.
> [1] https://elixir.bootlin.com/linux/v6.17/source/drivers/char/misc.c#L299
That's not a "cdev" in this context, but yes, misc doesn't use struct cdev at all. Instead you have a struct miscdevice which has a similar lifecycle as cdev. Indeed you can't use what I showed above at the cdev layer exactly as is, but there is not a fundamental issue here.
> - The context (struct cdev_sync_data) should have the same lifecycle as the opening file (e.g. struct file). Otherwise, when accessing the context in the fops wrappers, it results in a UAF. For example, the struct cdev is likely freed after cdev_sync_revoke().
Yes, it should be tied to the memory lifecycle of the struct device under the cdev, which would then be tied to the file lifecycle. It is not hard.
Jason