From: Tzung-Bi Shih
To: Benson Leung, Greg Kroah-Hartman, "Rafael J . Wysocki", Danilo Krummrich
Cc: Jonathan Corbet, Shuah Khan, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, chrome-platform@lists.linux.dev, linux-kselftest@vger.kernel.org, tzungbi@kernel.org, Laurent Pinchart, Bartosz Golaszewski, Wolfram Sang, Simona Vetter, Dan Williams, Jason Gunthorpe
Subject: [PATCH v6 1/2] platform/chrome: Protect cros_ec_device lifecycle with revocable
Date: Thu, 6 Nov 2025 23:26:01 +0800
Message-ID: <20251106152602.11814-2-tzungbi@kernel.org>
In-Reply-To: <20251106152602.11814-1-tzungbi@kernel.org>
References: <20251106152602.11814-1-tzungbi@kernel.org>

The cros_ec_device can be unregistered when the underlying device is removed. Other kernel drivers that interact with the EC may hold a pointer to the cros_ec_device, creating a risk of a use-after-free error if the EC device is removed while still being referenced.

To prevent this, leverage the revocable and convert the underlying device drivers to resource providers of cros_ec_device.

Signed-off-by: Tzung-Bi Shih
---
v6:
- No changes.

v5: https://lore.kernel.org/chrome-platform/20251016054204.1523139-5-tzungbi@kernel.org
- No changes.

v4: https://lore.kernel.org/chrome-platform/20250923075302.591026-5-tzungbi@kernel.org
- No changes.

v3: https://lore.kernel.org/chrome-platform/20250912081718.3827390-5-tzungbi@kernel.org
- Initialize the revocable provider in cros_ec_device_alloc() instead of spreading in protocol device drivers.

v2: https://lore.kernel.org/chrome-platform/20250820081645.847919-5-tzungbi@kernel.org
- Rename "ref_proxy" -> "revocable".

v1: https://lore.kernel.org/chrome-platform/20250814091020.1302888-3-tzungbi@kernel.org

drivers/platform/chrome/cros_ec.c | 5 +++++ include/linux/platform_data/cros_ec_proto.h | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/drivers/platform/chrome/cros_ec.c b/drivers/platform/chrome/cr= os_ec.c index 1da79e3d215b..95e3e898e3da 100644 --- a/drivers/platform/chrome/cros_ec.c +++ b/drivers/platform/chrome/cros_ec.c @@ -16,6 +16,7 @@ #include #include #include +#include #include #include =20 @@ -47,6 +48,10 @@ struct cros_ec_device *cros_ec_device_alloc(struct devic= e *dev) if (!ec_dev) return NULL; =20 + ec_dev->revocable_provider =3D devm_revocable_provider_alloc(dev, ec_dev); + if (!ec_dev->revocable_provider) + return NULL; + ec_dev->din_size =3D sizeof(struct ec_host_response) + sizeof(struct ec_response_get_protocol_info) + EC_MAX_RESPONSE_OVERHEAD; diff --git a/include/linux/platform_data/cros_ec_proto.h b/include/linux/pl= atform_data/cros_ec_proto.h index de14923720a5..fbb6ca34a40f 100644 --- a/include/linux/platform_data/cros_ec_proto.h +++ b/include/linux/platform_data/cros_ec_proto.h @@ -12,6 +12,7 @@ #include #include #include +#include =20 #include =20 
@@ -165,6 +166,7 @@ struct cros_ec_command { * @pd: The platform_device used by the mfd driver to interface with the * PD behind an EC. * @panic_notifier: EC panic notifier. + * @revocable_provider: The revocable_provider to this device. */ struct cros_ec_device { /* These are used by other drivers that want to talk to the EC */ 
@@ -211,6 +213,8 @@ struct cros_ec_device { struct platform_device *pd; =20 struct blocking_notifier_head panic_notifier; + + struct revocable_provider *revocable_provider; }; =20 /** --=20 2.48.1

From: Tzung-Bi Shih
To: Benson Leung, Greg Kroah-Hartman, "Rafael J . Wysocki", Danilo Krummrich
Cc: Jonathan Corbet, Shuah Khan, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, chrome-platform@lists.linux.dev, linux-kselftest@vger.kernel.org, tzungbi@kernel.org, Laurent Pinchart, Bartosz Golaszewski, Wolfram Sang, Simona Vetter, Dan Williams, Jason Gunthorpe
Subject: [PATCH v6 2/2] platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable
Date: Thu, 6 Nov 2025 23:26:02 +0800
Message-ID: <20251106152602.11814-3-tzungbi@kernel.org>
In-Reply-To: <20251106152602.11814-1-tzungbi@kernel.org>
References: <20251106152602.11814-1-tzungbi@kernel.org>

The cros_ec_chardev driver provides a character device interface to the ChromeOS EC. A file handle to this device can remain open in userspace even if the underlying EC device is removed.

This creates a classic use-after-free vulnerability. Any file operation (ioctl, release, etc.) on the open handle after the EC device has gone would access a stale pointer, leading to a system crash.

To prevent this, leverage the revocable and convert cros_ec_chardev to a resource consumer of cros_ec_device.

Signed-off-by: Tzung-Bi Shih
---
v6:
- Rename REVOCABLE_TRY_ACCESS_WITH() -> REVOCABLE_TRY_ACCESS_SCOPED().
- Use new REVOCABLE_TRY_ACCESS_WITH() if applicable.

v4-v5:
- Doesn't exist.

v3: https://lore.kernel.org/chrome-platform/20250912081718.3827390-6-tzungbi@kernel.org/
- Use specific labels for different cleanup in cros_ec_chardev_open().

v2: https://lore.kernel.org/chrome-platform/20250820081645.847919-6-tzungbi@kernel.org
- Rename "ref_proxy" -> "revocable".
- Fix a sparse warning by removing the redundant __rcu annotation.

v1: https://lore.kernel.org/chrome-platform/20250814091020.1302888-4-tzungbi@kernel.org

drivers/platform/chrome/cros_ec_chardev.c | 71 ++++++++++++++++++----- 1 file changed, 56 insertions(+), 15 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/c= hrome/cros_ec_chardev.c index c9d80ad5b57e..bc152c206fb8 100644 --- a/drivers/platform/chrome/cros_ec_chardev.c +++ b/drivers/platform/chrome/cros_ec_chardev.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include #include @@ -32,7 +33,7 @@ #define CROS_MAX_EVENT_LEN PAGE_SIZE =20 struct chardev_priv { - struct cros_ec_device *ec_dev; + struct revocable *ec_dev_rev; struct notifier_block notifier; wait_queue_head_t wait_event; unsigned long event_mask; @@ -55,6 +56,7 @@ static int ec_get_version(struct chardev_priv *priv, char= *str, int maxlen) }; struct ec_response_get_version *resp; struct cros_ec_command *msg; + struct cros_ec_device *ec_dev; int ret; =20 msg =3D kzalloc(sizeof(*msg) + sizeof(*resp), GFP_KERNEL); 
@@ -64,7 +66,13 @@ static int ec_get_version(struct chardev_priv *priv, cha= r *str, int maxlen) msg->command =3D EC_CMD_GET_VERSION + priv->cmd_offset; msg->insize =3D sizeof(*resp); =20 - ret =3D cros_ec_cmd_xfer_status(priv->ec_dev, msg); + REVOCABLE_TRY_ACCESS_WITH(priv->ec_dev_rev, ec_dev); + if (!ec_dev) { + ret =3D -ENODEV; + goto exit; + } + + ret =3D cros_ec_cmd_xfer_status(ec_dev, msg); if (ret < 0) { snprintf(str, maxlen, "Unknown EC version, returned error: %d\n", @@ -92,10 +100,17 @@ static int cros_ec_chardev_mkbp_event(struct notifier_= block *nb, { struct chardev_priv *priv =3D container_of(nb, struct chardev_priv, notifier); - struct cros_ec_device *ec_dev =3D priv->ec_dev; + struct cros_ec_device *ec_dev; struct ec_event *event; - unsigned long event_bit =3D 1 << ec_dev->event_data.event_type; - int total_size =3D sizeof(*event) + ec_dev->event_size; + unsigned long event_bit; + int total_size; + + REVOCABLE_TRY_ACCESS_WITH(priv->ec_dev_rev, ec_dev); + if (!ec_dev) + return NOTIFY_DONE; + + event_bit =3D 1 << ec_dev->event_data.event_type; + total_size =3D sizeof(*event) + ec_dev->event_size; =20 if (!(event_bit & priv->event_mask) || (priv->event_len + total_size) > CROS_MAX_EVENT_LEN) @@ -166,7 +181,12 @@ static int cros_ec_chardev_open(struct inode *inode, s= truct file *filp) if (!priv) return -ENOMEM; =20 - priv->ec_dev =3D ec_dev; + priv->ec_dev_rev =3D revocable_alloc(ec_dev->revocable_provider); + if (!priv->ec_dev_rev) { + ret =3D -ENOMEM; + goto free_priv; + } + priv->cmd_offset =3D ec->cmd_offset; filp->private_data =3D priv; INIT_LIST_HEAD(&priv->events); @@ -178,9 +198,14 @@ static int cros_ec_chardev_open(struct inode *inode, s= truct file *filp) &priv->notifier); if (ret) { dev_err(ec_dev->dev, "failed to register event notifier\n"); - kfree(priv); + goto free_revocable; } =20 + return 0; +free_revocable: + revocable_free(priv->ec_dev_rev); +free_priv: + kfree(priv); return ret; } =20 
@@ -251,11 +276,15 @@ static ssize_t cros_ec_chardev_read(struct file *filp= , char __user *buffer, static int cros_ec_chardev_release(struct inode *inode, struct file *filp) { struct chardev_priv *priv =3D filp->private_data; - struct cros_ec_device *ec_dev =3D priv->ec_dev; + struct cros_ec_device *ec_dev; struct ec_event *event, *e; =20 - blocking_notifier_chain_unregister(&ec_dev->event_notifier, - &priv->notifier); + REVOCABLE_TRY_ACCESS_SCOPED(priv->ec_dev_rev, ec_dev) { + if (ec_dev) + blocking_notifier_chain_unregister(&ec_dev->event_notifier, + &priv->notifier); + } + revocable_free(priv->ec_dev_rev); =20 list_for_each_entry_safe(event, e, &priv->events, node) { list_del(&event->node); @@ -273,6 +302,7 @@ static long cros_ec_chardev_ioctl_xcmd(struct chardev_p= riv *priv, void __user *a { struct cros_ec_command *s_cmd; struct cros_ec_command u_cmd; + struct cros_ec_device *ec_dev; long ret; =20 if (copy_from_user(&u_cmd, arg, sizeof(u_cmd))) @@ -299,10 +329,17 @@ static long cros_ec_chardev_ioctl_xcmd(struct chardev= _priv *priv, void __user *a } =20 s_cmd->command +=3D priv->cmd_offset; - ret =3D cros_ec_cmd_xfer(priv->ec_dev, s_cmd); - /* Only copy data to userland if data was received. */ - if (ret < 0) - goto exit; + REVOCABLE_TRY_ACCESS_SCOPED(priv->ec_dev_rev, ec_dev) { + if (!ec_dev) { + ret =3D -ENODEV; + goto exit; + } + + ret =3D cros_ec_cmd_xfer(ec_dev, s_cmd); + /* Only copy data to userland if data was received. */ + if (ret < 0) + goto exit; + } =20 if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize)) ret =3D -EFAULT; 
@@ -313,10 +350,14 @@ static long cros_ec_chardev_ioctl_xcmd(struct chardev= _priv *priv, void __user *a =20 static long cros_ec_chardev_ioctl_readmem(struct chardev_priv *priv, void = __user *arg) { - struct cros_ec_device *ec_dev =3D priv->ec_dev; + struct cros_ec_device *ec_dev; struct cros_ec_readmem s_mem =3D { }; long num; =20 + REVOCABLE_TRY_ACCESS_WITH(priv->ec_dev_rev, ec_dev); + if (!ec_dev) + return -ENODEV; + /* Not every platform supports direct reads */ if (!ec_dev->cmd_readmem) return -ENOTTY; --=20 2.48.1
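Review bot: in [PATCH v6 1/2], cros_ec_device_alloc() allocates the provider with devm_revocable_provider_alloc(dev, ec_dev) and nothing else in the 9 inserted lines revokes it, so the moment consumers lose access is left to devres teardown of dev. The commit message speaks of the cros_ec_device being unregistered; please state, in the commit message or in a comment above the allocation, how revocation is ordered against unregistration and against ec_dev itself being freed, because a gap between those two is exactly the window this series is meant to close.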
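Review bot: in [PATCH v6 1/2], the new kernel-doc line "@revocable_provider: The revocable_provider to this device." in cros_ec_proto.h only restates the member's type. Suggest documenting what it guards and how it is meant to be used, for example that other drivers should obtain a revocable from it instead of keeping a raw struct cros_ec_device pointer, since the struct's own comment says these fields are used by other drivers that want to talk to the EC.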
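Review bot: in [PATCH v6 2/2], cros_ec_chardev_mkbp_event(), the moved assignment "event_bit = 1 << ec_dev->event_data.event_type;" still performs the shift on an int and only then widens to unsigned long. Since the line is being rewritten anyway, use BIT(ec_dev->event_data.event_type) or 1UL << so the shift happens in the destination type. Returning NOTIFY_DONE when ec_dev is NULL looks right for a revoked device.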
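Review bot: in [PATCH v6 2/2], cros_ec_chardev_open() still dereferences the raw ec_dev pointer outside any REVOCABLE_TRY_ACCESS_*() section: "revocable_alloc(ec_dev->revocable_provider)" in the @@ -166 hunk and "dev_err(ec_dev->dev, ...)" in the following one. If open() can run concurrently with removal of the EC device, this is the same stale-pointer access the patch removes from the other file operations; if it cannot, a short comment naming what keeps ec_dev alive during open() would make that clear.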
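Review bot: in [PATCH v6 2/2], the free_revocable error path added to cros_ec_chardev_open() falls through to "kfree(priv);" although "filp->private_data = priv;" was already set earlier in the function, so filp is left pointing at freed memory when notifier registration fails. Either move the private_data assignment after the registration succeeds or clear it before "return ret;".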
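Review bot: in [PATCH v6 2/2], cros_ec_chardev_release() skips blocking_notifier_chain_unregister() when ec_dev is NULL but still goes on to tear down priv, and priv->notifier is embedded in priv (see the container_of() in cros_ec_chardev_mkbp_event()). Please explain what guarantees that ec_dev->event_notifier can no longer be walked once the resource has been revoked; without that, the chain keeps a notifier_block that lives inside a structure release is discarding.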
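Review bot: in [PATCH v6 2/2], cros_ec_chardev_ioctl_readmem() takes the access with REVOCABLE_TRY_ACCESS_WITH() at the top of the function, whereas cros_ec_chardev_ioctl_xcmd() wraps only the transfer in REVOCABLE_TRY_ACCESS_SCOPED() and keeps copy_to_user() outside it. If the WITH form holds the access until the end of the enclosing scope, consider the scoped form here as well, or add a comment on why holding it for the whole function is acceptable, so the two ioctl paths follow the same rule.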