From: "Danilo Krummrich" <dakr@kernel.org>
To: "Gui-Dong Han" <hanguidong02@gmail.com>
Cc: <gregkh@linuxfoundation.org>, <rafael@kernel.org>,
	<linux-kernel@vger.kernel.org>, <baijiaju1990@gmail.com>,
	"Qiu-ji Chen" <chenqiuji666@gmail.com>
Subject: Re: [PATCH v3] driver core: fix use-after-free of driver_override via driver_match_device()
Date: Tue, 13 Jan 2026 10:55:38 +0100
Message-ID: <DFNDDIDN1RP0.169QKL6P2WU77@kernel.org>
In-Reply-To: <20251127145753.13080-1-hanguidong02@gmail.com>

On Thu Nov 27, 2025 at 3:57 PM CET, Gui-Dong Han wrote:
> diff --git a/drivers/base/base.h b/drivers/base/base.h
> index 86fa7fbb3548..72791125de91 100644
> --- a/drivers/base/base.h
> +++ b/drivers/base/base.h
> @@ -166,6 +166,9 @@ void device_set_deferred_probe_reason(const struct device *dev, struct va_format
>  static inline int driver_match_device(const struct device_driver *drv,
>  				      struct device *dev)
>  {
> +	/* Protects against driver_set_override() races */
> +	device_lock_assert(dev);
> +
>  	return drv->bus->match ? drv->bus->match(dev, drv) : 1;
>  }
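
Review bot: The comment above the added device_lock_assert(dev) says it "Protects against driver_set_override() races", but the assertion only checks that the caller already holds the device lock and acquires nothing itself, so the protection rests entirely on the callers of driver_match_device(), which this hunk does not show. Suggest rewording the comment to state the requirement (caller must hold the device lock) and adding a kernel-doc line on the function saying so. Note also that the assert sits before the drv->bus->match test, so it applies to every bus, including those with no match() callback at all.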

I am not convinced that this is the correct fix, since

  1. Not all match() callbacks access the driver_override field,

  2. driver_override is accessed in other places as well,

  3. driver_override is a bus device specific field (with a common
     helper admittedly).

I think it would be better to make driver_override a field in the base
struct device. This way we can not only provide driver_set_override(), but also
driver_get_override(), which should contain the device_lock_assert() instead.

While not all devices require the driver_override field, an additional pointer
in struct device does not hurt and it clarifies ownership and hence locking.

- Danilo
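
An added example, not part of the message above and not kernel code: a single-threaded userspace model of the accessor design proposed in the reply, with the lock check placed inside the getter. The `model_*` names, the `locked` flag standing in for the device lock, and the violation counter standing in for an assertion warning are all assumptions.

```c
/* Userspace model, not kernel code; every model_* name is hypothetical. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct model_device {
	bool locked;                  /* stands in for the device lock */
	char *driver_override;        /* owned by the device, replaced under the lock */
	unsigned int lock_violations; /* stands in for a lock-assert warning */
};

static void model_lock(struct model_device *dev)   { dev->locked = true; }
static void model_unlock(struct model_device *dev) { dev->locked = false; }

/* Writer: frees the old string, so a reader that kept the old pointer
 * without holding the lock would be left with freed memory. */
static int model_set_override(struct model_device *dev, const char *name)
{
	char *copy = NULL;
	if (name) {
		copy = malloc(strlen(name) + 1);
		if (!copy)
			return -1;
		strcpy(copy, name);
	}
	model_lock(dev);
	free(dev->driver_override);
	dev->driver_override = copy;
	model_unlock(dev);
	return 0;
}

/* Reader: the lock check sits in the accessor, so every user of the field
 * is covered and code that never reads it is not burdened. */
static const char *model_get_override(struct model_device *dev)
{
	if (!dev->locked) {
		dev->lock_violations++;
		return NULL; /* the model refuses to hand out an unprotected pointer */
	}
	return dev->driver_override;
}

/* A match() that honours the override; the caller must hold the lock. */
static int model_match(struct model_device *dev, const char *drv_name)
{
	const char *ovr = model_get_override(dev);
	return ovr ? strcmp(ovr, drv_name) == 0 : 1;
}
```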
