From: Linus Walleij <linus.walleij@linaro.org>
To: Tzung-Bi Shih <tzungbi@kernel.org>
Cc: ksummit@lists.linux.dev,
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Subject: Re: [TECH TOPIC] Revocable: a mechanism for preventing "classic" use-after-free bugs
Date: Tue, 16 Sep 2025 08:56:28 +0200 [thread overview]
Message-ID: <CACRpkdb-m0mRJNvh+54jQrcQr2b7zLdrk9k2kpAiJPpRr-yYcA@mail.gmail.com> (raw)
In-Reply-To: <aMWEhqia_jpl12uI@tzungbi-laptop>
On Sat, Sep 13, 2025 at 4:49 PM Tzung-Bi Shih <tzungbi@kernel.org> wrote:
> We will present "revocable"[2], a new kernel mechanism for resource
> management. A revocable allows a resource provider (e.g., a device driver)
> to invalidate access to a resource from a consumer (e.g., a character device)
> when the underlying device is no longer available. Once a resource is
> revoked, any further attempts to use it will fail gracefully, thus preventing
> the UAF.
I looked at it and it looks very interesting.
We have faced this problem in the GPIO subsystem because a lot
of GPIO expanders are on pluggable buses such as USB, while
there may still be consumers not only in kernelspace but also
in userspace.
We remove the underlying device driver and irqchip etc in
gpiochip_remove() with:
/* Numb the device, cancelling all outstanding operations */
rcu_assign_pointer(gdev->chip, NULL);
but any userspace consumers are
"dangling", which in practice means that e.g.
linehandle_ioctl() gets called and then:
if (!rcu_access_pointer(lh->gdev->chip))
return -ENODEV;
This seems to be using a similar idea or the same idea and using
RCU as well because you have:
void *revocable_try_access(struct revocable *rev) __acquires(&rev->rp->srcu)
{
struct revocable_provider *rp = rev->rp;
rev->idx = srcu_read_lock(&rp->srcu);
return rcu_dereference(rp->res);
}
AFAICT this is pretty much the same, but more bells and whistles and
more elegantly designed as a slot-in solution :)
So we would probably be able to move over to this API very easily.
Yours,
Linus Walleij
prev parent reply other threads:[~2025-09-16 6:56 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-13 14:49 Tzung-Bi Shih
2025-09-13 22:19 ` Jiri Kosina
2025-09-14 6:45 ` Greg KH
2025-09-17 5:17 ` Tzung-Bi Shih
2025-09-16 6:56 ` Linus Walleij [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACRpkdb-m0mRJNvh+54jQrcQr2b7zLdrk9k2kpAiJPpRr-yYcA@mail.gmail.com \
--to=linus.walleij@linaro.org \
--cc=bartosz.golaszewski@linaro.org \
--cc=ksummit@lists.linux.dev \
--cc=tzungbi@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox