[v4] uio: fix unregister_device

[PATCH v4] uio: fix unregister_device

Posted by Igor Klochko (Nokia) 2 months, 1 week ago

uio: mirrored uio_register/unregister_device

When uio devices are created end removed in parallel, then we sometimes
encounter kernel traces along the following lines:

  sysfs: cannot create duplicate filename '/class/uio/uio899'

which stem from:

  sysfs_create_link+0x24/0x50
  device_add+0x2f0/0x780
  __uio_register_device+0x18c/0x550

The sysfs directory creation is performed synchronously as part of the
device_add call. The high level sequence for uio registration is:

  1. uio_get_minor (idr call, in critical section)
  2. device_add (leads to sysfs directory)
  3. manage attributes (popuplates part of the sysfs directory)

For unregistration we have by default the following flow:

  1. clean-up attributes
  2. uio_free_minor (idr call, in critical section)
  3. device_unregister (cleans up sysfs directory)

This creates a racing problem when we are in parallel creating and
removing uio devices.
The uio-minor that is freed when calling uio_free_minor can be
claimed by a subsequent uio_get_minor call.
The problem is that the device_add flow can end up triggered,
leading to a sysfs directory creation; while the
device_unregister flow has not yet cleaned up the sysfs directory.

This patch cleans up this problem by mirroring the registration and
Unregistration flow correctly.
After this patch, the unregistration flow becomes:

  1. clean-up attributes
  2. device_unregister
  3. uio_free_minor

Fixes: 0c9ae0b86050 ("uio: Fix use-after-free in uio_open")
Cc: stable@vger.kernel.org
Signed-off-by: Philippe Belet <philippe.belet@nokia.com>
Reviewed-by: Igor Klochko <igor.klochko@nokia.com>
---
 v4:
  - reformat the patch
 v3:
  - Updated email subject
 v2:
   - Fixed commit message wrapping
   - Placed 12 char sha1 in "fixes"
   - cc'd stable
 v1:
 https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore
 .kernel.org%2Flkml%2FAM9PR07MB720434A2B0CC99BC0BDCD74E8D61A%40AM9PR07M
 B7204.eurprd07.prod.outlook.com%2F%23&data=05%7C02%7Cigor.klochko%40no
 kia.com%7C065fe0dc34a742a815d208de90bee494%7C5d4717519675428d917b70f44
 f9630b0%7C0%7C0%7C639107346738079714%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0e
 U1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIld
 UIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=2h7wcsPPy0iiFG0jCYCTgl3iRzan%2FSIP2F5
 xDJrzHc4%3D&reserved=0
---
 drivers/uio/uio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index 5a4998e2caf8..10e265c49035 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -1125,8 +1125,8 @@ void uio_unregister_device(struct uio_info *info)
 	wake_up_interruptible(&idev->wait);
 	kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);

-	uio_free_minor(minor);
 	device_unregister(&idev->dev);
+	uio_free_minor(minor);

 	return;
 }
--
2.43.7

Re: [PATCH v4] uio: fix unregister_device

Posted by gregkh@linuxfoundation.org 2 months, 1 week ago

On Thu, Apr 02, 2026 at 04:19:09PM +0000, Igor Klochko (Nokia) wrote:
> uio: mirrored uio_register/unregister_device
> 
> When uio devices are created end removed in parallel, then we sometimes
> encounter kernel traces along the following lines:
> 
>   sysfs: cannot create duplicate filename '/class/uio/uio899'
> 
> which stem from:
> 
>   sysfs_create_link+0x24/0x50
>   device_add+0x2f0/0x780
>   __uio_register_device+0x18c/0x550
> 
> The sysfs directory creation is performed synchronously as part of the
> device_add call. The high level sequence for uio registration is:
> 
>   1. uio_get_minor (idr call, in critical section)
>   2. device_add (leads to sysfs directory)
>   3. manage attributes (popuplates part of the sysfs directory)
> 
> For unregistration we have by default the following flow:
> 
>   1. clean-up attributes
>   2. uio_free_minor (idr call, in critical section)
>   3. device_unregister (cleans up sysfs directory)
> 
> This creates a racing problem when we are in parallel creating and
> removing uio devices.
> The uio-minor that is freed when calling uio_free_minor can be
> claimed by a subsequent uio_get_minor call.
> The problem is that the device_add flow can end up triggered,
> leading to a sysfs directory creation; while the
> device_unregister flow has not yet cleaned up the sysfs directory.
> 
> This patch cleans up this problem by mirroring the registration and
> Unregistration flow correctly.
> After this patch, the unregistration flow becomes:
> 
>   1. clean-up attributes
>   2. device_unregister
>   3. uio_free_minor
> 
> Fixes: 0c9ae0b86050 ("uio: Fix use-after-free in uio_open")
> Cc: stable@vger.kernel.org
> Signed-off-by: Philippe Belet <philippe.belet@nokia.com>
> Reviewed-by: Igor Klochko <igor.klochko@nokia.com>

You sent this patch, so you too must sign off on it.

> ---
>  v4:
>   - reformat the patch
>  v3:
>   - Updated email subject
>  v2:
>    - Fixed commit message wrapping
>    - Placed 12 char sha1 in "fixes"
>    - cc'd stable
>  v1:
>  https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore
>  .kernel.org%2Flkml%2FAM9PR07MB720434A2B0CC99BC0BDCD74E8D61A%40AM9PR07M
>  B7204.eurprd07.prod.outlook.com%2F%23&data=05%7C02%7Cigor.klochko%40no
>  kia.com%7C065fe0dc34a742a815d208de90bee494%7C5d4717519675428d917b70f44
>  f9630b0%7C0%7C0%7C639107346738079714%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0e
>  U1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIld
>  UIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=2h7wcsPPy0iiFG0jCYCTgl3iRzan%2FSIP2F5
>  xDJrzHc4%3D&reserved=0

Not really a valid url :(

thanks,

greg k-h