From: Yuhao Huang
To: linux-gpio@vger.kernel.org
Cc: linus.walleij@linaro.org, brgl@bgdev.pl, linux-kernel@vger.kernel.org, Yuhao Huang
Subject: [PATCH v2] gpio: virtuser: fix UAF in configfs release path
Date: Mon, 26 Jan 2026 12:03:48 +0800
Message-ID: <20260126040348.11167-1-yuhaohuang@YuhaodeMacBook-Pro.local>
In-Reply-To: <20260124162111.3945666-1-nekowong743@gmail.com>
References: <20260124162111.3945666-1-nekowong743@gmail.com>

From: Yuhao Huang

The gpio-virtuser configfs release path uses guard(mutex) to protect the
device structure. However, the device is freed before the guard cleanup
runs, causing mutex_unlock() to operate on freed memory.

Specifically, gpio_virtuser_device_config_group_release() destroys the
mutex and frees the device while still inside the guard(mutex) scope.
When the function returns, the guard cleanup invokes
mutex_unlock(&dev->lock), resulting in a slab use-after-free.

Limit the mutex lifetime by using a scoped_guard() only around the
activation check, so that the lock is released before mutex_destroy()
and kfree() are called.

Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API")
Signed-off-by: Yuhao Huang --- Changes in v2: - Fix indentation to match kernel coding style --- drivers/gpio/gpio-virtuser.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpio/gpio-virtuser.c b/drivers/gpio/gpio-virtuser.c index 37f2ce20f1ae7..098e67d70ffa5 100644 --- a/drivers/gpio/gpio-virtuser.c +++ b/drivers/gpio/gpio-virtuser.c @@ -1682,10 +1682,10 @@ static void gpio_virtuser_device_config_group_relea= se(struct config_item *item) { struct gpio_virtuser_device *dev =3D to_gpio_virtuser_device(item); =20 - guard(mutex)(&dev->lock); - - if (gpio_virtuser_device_is_live(dev)) - gpio_virtuser_device_deactivate(dev); + scoped_guard(mutex, &dev->lock) { + if (gpio_virtuser_device_is_live(dev)) + gpio_virtuser_device_deactivate(dev); + } =20 mutex_destroy(&dev->lock); ida_free(&gpio_virtuser_ida, dev->id); --=20 2.43.0
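Review bot: the reordering is correct, because the scoped_guard block now closes (and unlocks dev->lock) before mutex_destroy() and kfree() run, but the hunk leaves a window between the closing brace and mutex_destroy() in which dev->lock is unlocked while dev is still alive; that is only safe because this is the config_item ->release() callback and no other holder of the item can remain, so a one-line comment above mutex_destroy() stating that the lock must not be taken again after the scoped_guard would make that assumption explicit for the next reader. Since the lock is dropped anyway, an equally valid and smaller fix would have been to remove the guard from the release path entirely; keeping it around gpio_virtuser_device_is_live()/gpio_virtuser_device_deactivate() is the conservative choice and fine to keep. Separately, v2 is threaded under a message from a different sender (In-Reply-To: <20260124162111.3945666-1-nekowong743@gmail.com>) but the tags carry no Reported-by:/Closes: line; if that thread was the bug report, it should be credited.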
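To make the ordering the commit message describes concrete, here is an added example that is not part of the patch or of the gpio-virtuser driver: a userspace re-creation of guard(mutex) and scoped_guard() on top of __attribute__((cleanup)), the compiler feature the kernel's <linux/cleanup.h> is built on. The toy mutex, the virt_dev structure, fake_kfree(), the poison value and the event trace are all stand-ins invented for the demonstration, and the two macros are simplified versions of the kernel's, not the kernel code; the point is that a cleanup handler runs when its variable's scope ends, so with guard() that is after kfree() and with scoped_guard() it is before mutex_destroy().

```c
/*
 * Added example (not from the patch or the gpio-virtuser driver): a
 * userspace re-creation of the guard(mutex) / scoped_guard() idiom using
 * the same GCC/Clang __attribute__((cleanup)) mechanism the kernel uses.
 * The mutex, device, kfree() and slab poisoning are all stand-ins so the
 * "unlock after free" shows up in an event trace instead of as real UB.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 16
static const char *trace[MAX_EVENTS];
static int ntrace;

static void trace_reset(void) { ntrace = 0; }
static void trace_add(const char *ev) { if (ntrace < MAX_EVENTS) trace[ntrace++] = ev; }

/* Toy mutex: a magic value lets unlock notice that it is running on a
 * destroyed or freed object, mimicking what slab poisoning would expose. */
#define MUTEX_MAGIC 0x0C0FFEE1u
#define POISON_FREE 0x6b6b6b6bu   /* same byte pattern as SLUB's POISON_FREE */

struct toy_mutex { unsigned int magic; int locked; };

static void toy_init(struct toy_mutex *m)    { m->magic = MUTEX_MAGIC; m->locked = 0; }
static void toy_lock(struct toy_mutex *m)    { m->locked = 1; trace_add("lock"); }
static void toy_destroy(struct toy_mutex *m) { m->magic = 0; trace_add("destroy"); }

static void toy_unlock(struct toy_mutex *m)
{
    if (m->magic == POISON_FREE)
        trace_add("unlock-after-free");      /* what KASAN would report */
    else if (m->magic != MUTEX_MAGIC)
        trace_add("unlock-after-destroy");
    else
        trace_add("unlock");
    m->locked = 0;
}

/* Cleanup handler: invoked when the guard variable goes out of scope. */
static void guard_unlock(struct toy_mutex **pm) { toy_unlock(*pm); }

/* guard(mutex): lock now, unlock when the *enclosing* scope ends. */
#define guard_mutex(m) \
    struct toy_mutex *__guard __attribute__((cleanup(guard_unlock), unused)) = (toy_lock(m), (m))

/* scoped_guard(mutex, m) { ... }: simplified form of the kernel's for-loop
 * construct; the guard variable lives only as long as the loop body. */
#define scoped_guard_mutex(m) \
    for (struct toy_mutex *__sg __attribute__((cleanup(guard_unlock), unused)) = (toy_lock(m), (m)), \
         *__once = (m); __once; __once = NULL)

struct virt_dev { struct toy_mutex lock; int live; };   /* assumed layout */

static void deactivate(struct virt_dev *dev) { dev->live = 0; trace_add("deactivate"); }

/* Stand-in for kfree(): poison instead of releasing, so the object stays
 * addressable and the trace can record what happens to it afterwards. */
static void fake_kfree(struct virt_dev *dev)
{
    memset(dev, 0x6b, sizeof(*dev));
    trace_add("free");
}

/* Before the patch: the guard's unlock is deferred to function exit,
 * i.e. after mutex_destroy() and kfree(). */
static void release_before(struct virt_dev *dev)
{
    guard_mutex(&dev->lock);

    if (dev->live)
        deactivate(dev);

    toy_destroy(&dev->lock);
    fake_kfree(dev);
}   /* guard_unlock() runs here, on poisoned memory */

/* After the patch: the lock covers only the live check and deactivate. */
static void release_after(struct virt_dev *dev)
{
    scoped_guard_mutex(&dev->lock) {
        if (dev->live)
            deactivate(dev);
    }   /* guard_unlock() runs here, before destroy/free */

    toy_destroy(&dev->lock);
    fake_kfree(dev);
}

/* Run one release variant on a fresh live device; return the event order. */
const char *run_release(int patched)
{
    static struct virt_dev dev;      /* static: still addressable after fake_kfree() */
    static char out[256];

    trace_reset();
    toy_init(&dev.lock);
    dev.live = 1;

    if (patched)
        release_after(&dev);
    else
        release_before(&dev);

    out[0] = '\0';
    for (int i = 0; i < ntrace; i++) {
        if (i)
            strcat(out, ",");
        strcat(out, trace[i]);
    }
    return out;
}

int main(void)
{
    printf("before: %s\n", run_release(0));
    printf("after:  %s\n", run_release(1));
    return 0;
}
```

Built with gcc or clang, run_release(0) returns lock,deactivate,destroy,free,unlock-after-free, the pre-patch order in which the cleanup handler fires last and touches poisoned memory, while run_release(1) returns lock,deactivate,unlock,destroy,free. In the real driver the first ordering is what KASAN reports as the slab use-after-free in mutex_unlock() that the commit message describes; the fix works purely by shrinking the scope that owns the cleanup variable, which is why a scoped_guard() block is the idiomatic repair rather than an explicit mutex_unlock() before kfree().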