[PATCH 1/1] misc: Prevent double registration and deregistration of miscdevice
gregkh at linuxfoundation.org
Tue Aug 26 05:54:10 PDT 2025
On Tue, Aug 26, 2025 at 12:09:01PM +0000, Xion Wang (王鑫) wrote:
> On Tue, 2025-08-26 at 12:40 +0200, gregkh at linuxfoundation.org wrote:
> > On Tue, Aug 26, 2025 at 07:58:47AM +0000, Xion Wang (王鑫) wrote:
> > > > Again, this shouldn't be something that any driver should hit as this
> > > > usage is not in the kernel tree that I can see. Attempting to
> > > > re-register a device multiple times is normally never a good idea.
> > >
> > > Thank you for your comments.
> > >
> > > I am not the owner of the WiFi driver and do not have full details of
> > > its internal logic. However, during internal integration and stress
> > > testing, we observed an issue where repeated registration and
> > > deregistration of a misc device by the WiFi module led to corruption of
> > > the misc_list. While I cannot provide the exact reasoning behind the
> > > WiFi driver's design, I wanted to report the problem and share our
> > > findings with the community in case similar patterns exist elsewhere,
> > > including in vendor or out-of-tree drivers.
> >
> > We do not "harden" our internal apis for external drivers, we fix
> > drivers to not do foolish things :)
> >
> > Please fix your out-of-tree code, it should not be even touching the
> > miscdev api, as that is not something a wifi driver should be
> > interacting with. Please use the correct one instead, and then you will
> > not have this type of issue.
>
> Thank you for your feedback.
>
> I agree that the kernel should not be hardened for out-of-tree drivers
> misusing internal APIs. We will update our internal code to follow best
> practices and avoid improper use of the miscdevice API.
>
> On a related note, the current 'WARN_ON(list_empty(&misc->list))' check
> in misc_deregister() does not catch any practical error conditions:
>
> For statically allocated miscdevice structs, the list pointers are
> zero-initialized, so list_empty() will return false, not true.
> After list_del(), the pointers are set to LIST_POISON1/2, so repeated
> deregistration also fails to trigger the check.
>
> Since this condition does not protect in-tree drivers or catch real
> errors, would it be reasonable to remove it?

Yes, if it can never be hit, we should remove it.

> I can submit a patch if the community agrees.

That would be great, thank you!

greg k-h
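
A userspace model of the two cases raised in the quoted text above, added here as an illustration (not code from the thread or from the kernel tree). The list helpers are simplified copies of the kernel's, the poison values omit POISON_POINTER_DELTA, and `fake_miscdevice`, `model_misc_list` and the two `check_*` functions are hypothetical names.

```c
#include <stdio.h>
/* Userspace model of the kernel's struct list_head helpers (simplified). */
struct list_head { struct list_head *next, *prev; };

/* Poison values as in include/linux/poison.h, without POISON_POINTER_DELTA. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = LIST_POISON1;   /* entry no longer points at itself or the list */
    e->prev = LIST_POISON2;
}

/* Hypothetical stand-in for a driver's statically allocated miscdevice. */
struct fake_miscdevice { struct list_head list; };
static struct fake_miscdevice never_registered, registered_once; /* zeroed */
static struct list_head model_misc_list;

/* Would WARN_ON(list_empty(&misc->list)) fire for a never-registered device?
 * next is NULL, which is not the node's own address, so list_empty() is 0. */
int check_fires_on_unregistered(void) { return list_empty(&never_registered.list); }

/* Would it fire on a second deregistration, after list_del() has run?
 * next is LIST_POISON1, again not the node's own address. */
int check_fires_on_second_deregister(void)
{
    INIT_LIST_HEAD(&model_misc_list);
    INIT_LIST_HEAD(&registered_once.list);      /* model of registration */
    list_add(&registered_once.list, &model_misc_list);
    list_del(&registered_once.list);            /* model of first deregister */
    return list_empty(&registered_once.list);
}

int main(void)
{
    printf("never registered: %d, second deregister: %d\n",
           check_fires_on_unregistered(), check_fires_on_second_deregister());
    return 0;
}
```

Both functions return 0 in this model, meaning the `list_empty()` condition is false in each case and the warning would not trigger.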