On Fri, Nov 07, 2025 at 04:11:40AM +0000, Tzung-Bi Shih wrote:
> Realized the approach doesn't work for the issue I'm looking into.
>
> - All misc devices share the same cdev[1]. If misc_deregister() calls
>   cdev_sync_revoke(), the misc devices stop working due to one of the
>   miscdevices being deregistered.
>
> [1] https://elixir.bootlin.com/linux/v6.17/source/drivers/char/misc.c#L299

That's not a "cdev" in this context, but yes, misc doesn't use struct cdev
at all. Instead you have a struct miscdevice which has a similar lifecycle
as cdev.

Indeed you can't use what I showed above at the cdev layer exactly as is,
but there is not a fundamental issue here.

> - The context (struct cdev_sync_data) should be the same lifecycle with
>   the opening file (e.g. struct file). Otherwise, when accessing the
>   context in the fops wrappers, it results in a UAF. For example, the
>   struct cdev is likely freed after cdev_sync_revoke().

Yes, it should be tied to the memory lifecycle of the struct device under
the cdev which would then be tied to the file lifecycle. It is not hard.

Jason
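The lifecycle rule discussed in this exchange (the revoke context must outlive the device for as long as any struct file still refers to it, otherwise the fops wrappers dereference freed memory) can be shown with a stand-alone user-space model. This is an added example, not Jason's patch, not the cdev_sync_revoke() code under review, and not the kernel's cdev or misc API: every name here (model_sync_data, dev_register, dev_deregister, file_open, file_read, file_release, lifecycle_demo) is invented for the model, and it replaces the kernel's locking with a plain refcount and a revoked flag.

```c
/* Added example: user-space model of a revoke context that is refcounted
 * jointly by the device and by every open file, so it is freed with the
 * LAST of them, never with the device alone. All names are invented. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_dev;

struct model_sync_data {
	int refcount;           /* one ref for the device + one per open file */
	int revoked;            /* set once by deregister; checked by wrappers */
	struct model_dev *dev;  /* cleared on revoke so it never dangles */
};

struct model_dev {
	struct model_sync_data *sync;
	char payload[16];
};

struct model_file {
	struct model_sync_data *sync; /* the file's own ref keeps the context alive */
};

static struct model_sync_data *sync_get(struct model_sync_data *s)
{
	s->refcount++;
	return s;
}

static void sync_put(struct model_sync_data *s)
{
	if (--s->refcount == 0)
		free(s);
}

static struct model_dev *dev_register(const char *payload)
{
	struct model_dev *dev = calloc(1, sizeof(*dev));
	struct model_sync_data *s = calloc(1, sizeof(*s));

	if (!dev || !s) {
		free(dev);
		free(s);
		return NULL;
	}
	s->refcount = 1;  /* the device's reference */
	s->dev = dev;
	dev->sync = s;
	strncpy(dev->payload, payload, sizeof(dev->payload) - 1);
	return dev;
}

/* open(): the file takes its own reference to the shared context. */
static struct model_file *file_open(struct model_dev *dev)
{
	struct model_file *f = calloc(1, sizeof(*f));

	if (f)
		f->sync = sync_get(dev->sync);
	return f;
}

/* fops wrapper: the device is reached only through the context, which the
 * file itself keeps alive, so the revoked check cannot read freed memory.
 * (A kernel version would additionally wait out in-flight callers before
 * the device is freed; this single-threaded model has none.) */
static long file_read(struct model_file *f, char *out, size_t n)
{
	struct model_sync_data *s = f->sync;
	size_t len;

	if (s->revoked || !s->dev)
		return -ENODEV;
	len = strlen(s->dev->payload);
	if (len > n)
		len = n;
	memcpy(out, s->dev->payload, len);
	return (long)len;
}

/* deregister(): revoke, drop the device's reference, free the device.
 * The context survives if any open file still holds a reference. */
static void dev_deregister(struct model_dev *dev)
{
	struct model_sync_data *s = dev->sync;

	s->revoked = 1;
	s->dev = NULL;
	sync_put(s);
	free(dev);
}

static void file_release(struct model_file *f)
{
	sync_put(f->sync);
	free(f);
}

/* open, read, deregister, read again, release; returns 0 when every step
 * behaves as described above, otherwise the number of the failing step. */
int lifecycle_demo(void)
{
	char buf[16];
	struct model_dev *dev = dev_register("hello");
	struct model_file *f;

	if (!dev)
		return 1;
	if (!(f = file_open(dev)))
		return 2;
	if (file_read(f, buf, sizeof(buf)) != 5)
		return 3;
	dev_deregister(dev);                            /* device memory is gone */
	if (file_read(f, buf, sizeof(buf)) != -ENODEV)  /* wrapper must not touch it */
		return 4;
	file_release(f);                                /* last ref frees the context */
	return 0;
}

int main(void)
{
	printf("lifecycle_demo: %s\n", lifecycle_demo() == 0 ? "ok" : "FAILED");
	return 0;
}
```

Running it under a memory checker (for example valgrind or ASan) is the useful part: if dev_deregister() is changed to free the context together with the device, the second file_read() becomes the use-after-free the quoted mail describes.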
