[PATCH 1/1] misc: Prevent double registration and deregistration of miscdevice

Xion Wang (王鑫) Xion.Wang at mediatek.com
Tue Aug 26 05:09:01 PDT 2025


On Tue, 2025-08-26 at 12:40 +0200, gregkh at linuxfoundation.org wrote:
> 
> On Tue, Aug 26, 2025 at 07:58:47AM +0000, Xion Wang (王鑫) wrote:
> > > Again, this shouldn't be something that any driver should hit as this
> > > usage is not in the kernel tree that I can see.  Attempting to
> > > re-register a device multiple times is normally never a good idea.
> > 
> > Thank you for your comments.
> > 
> > I am not the owner of the WiFi driver and do not have full details of
> > its internal logic. However, during internal integration and stress
> > testing, we observed an issue where repeated registration and
> > deregistration of a misc device by the WiFi module led to corruption of
> > the misc_list. While I cannot provide the exact reasoning behind the
> > WiFi driver's design, I wanted to report the problem and share our
> > findings with the community in case similar patterns exist elsewhere,
> > including in vendor or out-of-tree drivers.
> 
> We do not "harden" our internal apis for external drivers, we fix
> drivers to not do foolish things :)
> 
> Please fix your out-of-tree code, it should not be even touching the
> miscdev api, as that is not something a wifi driver should be
> interacting with.  Please use the correct one instead, and then you will
> not have this type of issue.

Thank you for your feedback.

I agree that the kernel should not be hardened for out-of-tree drivers
misusing internal APIs. We will update our internal code to follow best
practices and avoid improper use of the miscdevice API.

On a related note, the current 'WARN_ON(list_empty(&misc->list))' check
in misc_deregister() does not catch any practical error conditions:

- For statically allocated miscdevice structs, the list pointers are
  zero-initialized, so list_empty() will return false, not true.
- After list_del(), the pointers are set to LIST_POISON1/2, so repeated
  deregistration also fails to trigger the check.

Since this condition does not protect in-tree drivers or catch real
errors, would it be reasonable to remove it?

I can submit a patch if the community agrees.

thanks,

xion wang
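
Added example, not part of the original message and not kernel code: a userspace model of the list_head helpers that evaluates the list_empty() condition for the two node states described in the message above, plus a self-linked node for contrast. The function names warn_zeroed, warn_after_del and warn_self_linked are hypothetical, and the poison constants assume POISON_POINTER_DELTA is 0.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace model of the kernel's list_head helpers (no READ_ONCE/WRITE_ONCE). */
struct list_head { struct list_head *next, *prev; };
/* Poison values as in include/linux/poison.h with POISON_POINTER_DELTA == 0. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0x100)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0x122)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del(struct list_head *e)
{
    e->next->prev = e->prev; e->prev->next = e->next;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
}

/* Stand-in for a static miscdevice's .list member: starts as {NULL, NULL}. */
static struct list_head static_node;

/* Case 1: zero-initialized node that was never put on a list. */
int warn_zeroed(void) { return list_empty(&static_node); }

/* Case 2: node added once, removed with list_del(), then checked again. */
int warn_after_del(void)
{
    struct list_head misc_list, node;
    INIT_LIST_HEAD(&misc_list);
    list_add(&node, &misc_list);
    list_del(&node);
    return list_empty(&node);
}

/* Contrast: list_empty() is true only for a node that points at itself. */
int warn_self_linked(void)
{
    struct list_head node;
    INIT_LIST_HEAD(&node);
    return list_empty(&node);
}

int main(void)
{
    printf("%d %d %d\n", warn_zeroed(), warn_after_del(), warn_self_linked());
    return 0;
}
```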



