[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 02/12] bus: fsl-mc: use generic driver_override infrastructure
- To: Ioana Ciornei <ioana.ciornei@xxxxxxx>, Danilo Krummrich <dakr@xxxxxxxxxx>
- From: "Christophe Leroy (CS GROUP)" <chleroy@xxxxxxxxxx>
- Date: Sat, 28 Mar 2026 13:10:25 +0100
- Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=k20201202 header.d=kernel.org header.i="@kernel.org" header.h="Date:Subject:To:Cc:References:From:In-Reply-To"
- Cc: Russell King <linux@xxxxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, "Rafael J. Wysocki" <rafael@xxxxxxxxxx>, Nipun Gupta <nipun.gupta@xxxxxxx>, Nikhil Agarwal <nikhil.agarwal@xxxxxxx>, "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>, Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>, Wei Liu <wei.liu@xxxxxxxxxx>, Dexuan Cui <decui@xxxxxxxxxxxxx>, Long Li <longli@xxxxxxxxxxxxx>, Bjorn Helgaas <bhelgaas@xxxxxxxxxx>, Armin Wolf <W_Armin@xxxxxx>, Bjorn Andersson <andersson@xxxxxxxxxx>, Mathieu Poirier <mathieu.poirier@xxxxxxxxxx>, Vineeth Vijayan <vneethv@xxxxxxxxxxxxx>, Peter Oberparleiter <oberpar@xxxxxxxxxxxxx>, Heiko Carstens <hca@xxxxxxxxxxxxx>, Vasily Gorbik <gor@xxxxxxxxxxxxx>, Alexander Gordeev <agordeev@xxxxxxxxxxxxx>, Christian Borntraeger <borntraeger@xxxxxxxxxxxxx>, Sven Schnelle <svens@xxxxxxxxxxxxx>, Harald Freudenberger <freude@xxxxxxxxxxxxx>, Holger Dengler <dengler@xxxxxxxxxxxxx>, Mark Brown <broonie@xxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, Jason Wang <jasowang@xxxxxxxxxx>, Xuan Zhuo <xuanzhuo@xxxxxxxxxxxxxxxxx>, Eugenio PĂ©rez <eperezma@xxxxxxxxxx>, Alex Williamson <alex@xxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, driver-core@xxxxxxxxxxxxxxx, linuxppc-dev@xxxxxxxxxxxxxxxx, linux-hyperv@xxxxxxxxxxxxxxx, linux-pci@xxxxxxxxxxxxxxx, platform-driver-x86@xxxxxxxxxxxxxxx, linux-arm-msm@xxxxxxxxxxxxxxx, linux-remoteproc@xxxxxxxxxxxxxxx, linux-s390@xxxxxxxxxxxxxxx, linux-spi@xxxxxxxxxxxxxxx, virtualization@xxxxxxxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-arm-kernel@xxxxxxxxxxxxxxxxxxx, Gui-Dong Han <hanguidong02@xxxxxxxxx>
- Delivery-date: Sat, 28 Mar 2026 13:17:01 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Le 25/03/2026 à 13:01, Ioana Ciornei a écrit :
On Tue, Mar 24, 2026 at 01:59:06AM +0100, Danilo Krummrich wrote:
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Link:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fdriver-core%2FDGRGTIRHA62X.3RY09D9SOK77P%40kernel.org%2F&data=05%7C02%7Cchristophe.leroy%40csgroup.eu%7C4b9262ddecdd4ce29f9808de8a66485e%7C8b87af7d86474dc78df45f69a2011bb5%7C0%7C0%7C639100369055903282%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=%2BRfjlUkq7oWV%2F0v2S2B%2BEuxCY%2FLRQv6qHiEWiupd6kc%3D&reserved=0
[1]
Reported-by: Gui-Dong Han <hanguidong02@xxxxxxxxx>
Closes:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.kernel.org%2Fshow_bug.cgi%3Fid%3D220789&data=05%7C02%7Cchristophe.leroy%40csgroup.eu%7C4b9262ddecdd4ce29f9808de8a66485e%7C8b87af7d86474dc78df45f69a2011bb5%7C0%7C0%7C639100369055936232%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=XL1K1ICiygOZnlvDUbQFe192KnLsBQms0HFNGCuyz%2Fw%3D&reserved=0
Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the
mc-bus")
Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>
Tested-by: Ioana Ciornei <ioana.ciornei@xxxxxxx>
Signed-off-by: Ioana Ciornei <ioana.ciornei@xxxxxxx>
Applied, thanks
|
