From: Yuhao Huang
To: linux-gpio@vger.kernel.org
Cc: linus.walleij@linaro.org, brgl@bgdev.pl, linux-kernel@vger.kernel.org, Yuhao Huang
Subject: [PATCH] gpio: virtuser: fix UAF in configfs release path
Date: Sun, 25 Jan 2026 00:21:11 +0800
Message-ID: <20260124162111.3945666-1-nekowong743@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

The gpio-virtuser configfs release path uses guard(mutex) to protect the device structure. However, the device is freed before the guard cleanup runs, causing mutex_unlock() to operate on freed memory.

Specifically, gpio_virtuser_device_config_group_release() destroys the mutex and frees the device while still inside the guard(mutex) scope. When the function returns, the guard cleanup invokes mutex_unlock(&dev->lock), resulting in a slab use-after-free.

Limit the mutex lifetime by using a scoped_guard() only around the activation check, so that the lock is released before mutex_destroy() and kfree() are called.

Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API")
Signed-off-by: Yuhao Huang
---
 drivers/gpio/gpio-virtuser.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/gpio/gpio-virtuser.c b/drivers/gpio/gpio-virtuser.c
index 37f2ce20f..6de5dcc97 100644
--- a/drivers/gpio/gpio-virtuser.c
+++ b/drivers/gpio/gpio-virtuser.c
@@ -1682,10 +1682,10 @@ static void gpio_virtuser_device_config_group_relea= se(struct config_item *item) { struct gpio_virtuser_device *dev =3D to_gpio_virtuser_device(item); =20 - guard(mutex)(&dev->lock); - - if (gpio_virtuser_device_is_live(dev)) - gpio_virtuser_device_deactivate(dev); + scoped_guard(mutex, &dev->lock) { + if (gpio_virtuser_device_is_live(dev)) + gpio_virtuser_device_deactivate(dev); + } =20 mutex_destroy(&dev->lock); ida_free(&gpio_virtuser_ida, dev->id); --=20 2.43.0
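Review bot: the scoped_guard() block correctly ends the critical section before mutex_destroy() and ida_free(), which is exactly what the guard(mutex) version got wrong (its cleanup ran at function return, after the teardown), but a one-line comment above mutex_destroy() stating why the lock may be dropped before the object is torn down (this is the configfs release callback, so no other path can still take dev->lock) would save the next reader from re-deriving that the short unlocked window is safe. Note also that the kfree() named in the commit message lies outside the visible hunk context, so this diff alone does not show that nothing between ida_free() and the free touches dev->lock; the rest of the function should be read alongside the hunk.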