[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 10/12] s390/ap: use generic driver_override infrastructure
- To: Danilo Krummrich <dakr@xxxxxxxxxx>, Russell King <linux@xxxxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, "Rafael J. Wysocki" <rafael@xxxxxxxxxx>, Ioana Ciornei <ioana.ciornei@xxxxxxx>, Nipun Gupta <nipun.gupta@xxxxxxx>, Nikhil Agarwal <nikhil.agarwal@xxxxxxx>, "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>, Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>, Wei Liu <wei.liu@xxxxxxxxxx>, Dexuan Cui <decui@xxxxxxxxxxxxx>, Long Li <longli@xxxxxxxxxxxxx>, Bjorn Helgaas <bhelgaas@xxxxxxxxxx>, Armin Wolf <W_Armin@xxxxxx>, Bjorn Andersson <andersson@xxxxxxxxxx>, Mathieu Poirier <mathieu.poirier@xxxxxxxxxx>, Vineeth Vijayan <vneethv@xxxxxxxxxxxxx>, Peter Oberparleiter <oberpar@xxxxxxxxxxxxx>, Heiko Carstens <hca@xxxxxxxxxxxxx>, Vasily Gorbik <gor@xxxxxxxxxxxxx>, Alexander Gordeev <agordeev@xxxxxxxxxxxxx>, Christian Borntraeger <borntraeger@xxxxxxxxxxxxx>, Sven Schnelle <svens@xxxxxxxxxxxxx>, Harald Freudenberger <freude@xxxxxxxxxxxxx>, Mark Brown <broonie@xxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, Jason Wang <jasowang@xxxxxxxxxx>, Xuan Zhuo <xuanzhuo@xxxxxxxxxxxxxxxxx>, Eugenio Pérez <eperezma@xxxxxxxxxx>, Alex Williamson <alex@xxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, "Christophe Leroy (CS GROUP)" <chleroy@xxxxxxxxxx>
- From: Holger Dengler <dengler@xxxxxxxxxxxxx>
- Date: Tue, 24 Mar 2026 13:58:54 +0100
- Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=pp1 header.d=ibm.com header.i="@ibm.com" header.h="Cc:Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To:Message-ID:MIME-Version:References:Subject:To"
- Cc: linux-kernel@xxxxxxxxxxxxxxx, driver-core@xxxxxxxxxxxxxxx, linuxppc-dev@xxxxxxxxxxxxxxxx, linux-hyperv@xxxxxxxxxxxxxxx, linux-pci@xxxxxxxxxxxxxxx, platform-driver-x86@xxxxxxxxxxxxxxx, linux-arm-msm@xxxxxxxxxxxxxxx, linux-remoteproc@xxxxxxxxxxxxxxx, linux-s390@xxxxxxxxxxxxxxx, linux-spi@xxxxxxxxxxxxxxx, virtualization@xxxxxxxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-arm-kernel@xxxxxxxxxxxxxxxxxxx
- Delivery-date: Wed, 25 Mar 2026 05:49:02 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 24/03/2026 01:59, Danilo Krummrich wrote:
> When the AP masks are updated via apmask_store() or aqmask_store(),
> ap_bus_revise_bindings() is called after ap_attr_mutex has been
> released.
>
> This calls __ap_revise_reserved(), which accesses the driver_override
> field without holding any lock, racing against a concurrent
> driver_override_store() that may free the old string, resulting in a
> potential UAF.
>
> Fix this by using the driver-core driver_override infrastructure, which
> protects all accesses with an internal spinlock.
>
> Note that unlike most other buses, the AP bus does not check
> driver_override in its match() callback; the override is checked in
> ap_device_probe() and __ap_revise_reserved() instead.
>
> Also note that we do not enable the driver_override feature of struct
> bus_type, as AP - in contrast to most other buses - passes "" to
> sysfs_emit() when the driver_override pointer is NULL. Thus, printing
> "\n" instead of "(null)\n".
>
> Additionally, AP has a custom counter that is modified in the
> corresponding custom driver_override_store().
>
> Fixes: d38a87d7c064 ("s390/ap: Support driver_override for AP queue devices")
> Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>
Tested-by: Holger Dengler <dengler@xxxxxxxxxxxxx>
Reviewed-by: Holger Dengler <dengler@xxxxxxxxxxxxx>
--
Mit freundlichen Grüßen / Kind regards
Holger Dengler
--
IBM Systems, Linux on IBM Z Development
dengler@xxxxxxxxxxxxx
|
