[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 05/12] PCI: use generic driver_override infrastructure
- To: "Bjorn Helgaas" <helgaas@xxxxxxxxxx>
- From: "Danilo Krummrich" <dakr@xxxxxxxxxx>
- Date: Mon, 30 Mar 2026 18:28:48 +0200
- Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=k20201202 header.d=kernel.org header.i="@kernel.org" header.h="Date:Subject:Cc:To:From:References:In-Reply-To"
- Cc: "Russell King" <linux@xxxxxxxxxxxxxxx>, "Greg Kroah-Hartman" <gregkh@xxxxxxxxxxxxxxxxxxx>, "Rafael J. Wysocki" <rafael@xxxxxxxxxx>, "Ioana Ciornei" <ioana.ciornei@xxxxxxx>, "Nipun Gupta" <nipun.gupta@xxxxxxx>, "Nikhil Agarwal" <nikhil.agarwal@xxxxxxx>, "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>, "Haiyang Zhang" <haiyangz@xxxxxxxxxxxxx>, "Wei Liu" <wei.liu@xxxxxxxxxx>, "Dexuan Cui" <decui@xxxxxxxxxxxxx>, "Long Li" <longli@xxxxxxxxxxxxx>, "Bjorn Helgaas" <bhelgaas@xxxxxxxxxx>, "Armin Wolf" <W_Armin@xxxxxx>, "Bjorn Andersson" <andersson@xxxxxxxxxx>, "Mathieu Poirier" <mathieu.poirier@xxxxxxxxxx>, "Vineeth Vijayan" <vneethv@xxxxxxxxxxxxx>, "Peter Oberparleiter" <oberpar@xxxxxxxxxxxxx>, "Heiko Carstens" <hca@xxxxxxxxxxxxx>, "Vasily Gorbik" <gor@xxxxxxxxxxxxx>, "Alexander Gordeev" <agordeev@xxxxxxxxxxxxx>, "Christian Borntraeger" <borntraeger@xxxxxxxxxxxxx>, "Sven Schnelle" <svens@xxxxxxxxxxxxx>, "Harald Freudenberger" <freude@xxxxxxxxxxxxx>, "Holger Dengler" <dengler@xxxxxxxxxxxxx>, "Mark Brown" <broonie@xxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, "Jason Wang" <jasowang@xxxxxxxxxx>, "Xuan Zhuo" <xuanzhuo@xxxxxxxxxxxxxxxxx>, Eugenio Pérez <eperezma@xxxxxxxxxx>, "Alex Williamson" <alex@xxxxxxxxxxx>, "Juergen Gross" <jgross@xxxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, "Oleksandr Tyshchenko" <oleksandr_tyshchenko@xxxxxxxx>, "Christophe Leroy (CS GROUP)" <chleroy@xxxxxxxxxx>, <linux-kernel@xxxxxxxxxxxxxxx>, <driver-core@xxxxxxxxxxxxxxx>, <linuxppc-dev@xxxxxxxxxxxxxxxx>, <linux-hyperv@xxxxxxxxxxxxxxx>, <linux-pci@xxxxxxxxxxxxxxx>, <platform-driver-x86@xxxxxxxxxxxxxxx>, <linux-arm-msm@xxxxxxxxxxxxxxx>, <linux-remoteproc@xxxxxxxxxxxxxxx>, <linux-s390@xxxxxxxxxxxxxxx>, <linux-spi@xxxxxxxxxxxxxxx>, <virtualization@xxxxxxxxxxxxxxx>, <kvm@xxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>, <linux-arm-kernel@xxxxxxxxxxxxxxxxxxx>, "Gui-Dong Han" <hanguidong02@xxxxxxxxx>
- Delivery-date: Mon, 30 Mar 2026 16:29:09 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu Mar 26, 2026 at 7:08 PM CET, Bjorn Helgaas wrote:
> On Tue, Mar 24, 2026 at 01:59:09AM +0100, Danilo Krummrich wrote:
>> When a driver is probed through __driver_attach(), the bus' match()
>> callback is called without the device lock held, thus accessing the
>> driver_override field without a lock, which can cause a UAF.
>>
>> Fix this by using the driver-core driver_override infrastructure taking
>> care of proper locking internally.
>>
>> Note that calling match() from __driver_attach() without the device lock
>> held is intentional. [1]
>>
>> Link:
>> https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@xxxxxxxxxx/
>> [1]
>> Reported-by: Gui-Dong Han <hanguidong02@xxxxxxxxx>
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
>> Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using
>> pci_dev.driver_override")
>> Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>
>> ---
>> drivers/pci/pci-driver.c | 11 +++++++----
>> drivers/pci/pci-sysfs.c | 28 ----------------------------
>> drivers/pci/probe.c | 1 -
>> include/linux/pci.h | 6 ------
>
> For the above:
>
> Acked-by: Bjorn Helgaas <bhelgaas@xxxxxxxxxx>
>
> "driver_override" is mentioned several places in
> Documentation/ABI/testing/sysfs-bus-*. I assume this series doesn't
> change the behavior documented there?
Correct, none of this is altered.
|
