From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 741D8FD0048 for ; Sun, 1 Mar 2026 01:59:34 +0000 (UTC) Received: from boromir.ozlabs.org (localhost [127.0.0.1]) by lists.ozlabs.org (Postfix) with ESMTP id 4fNlcN6MtSz2yFK; Sun, 01 Mar 2026 12:59:32 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; arc=none smtp.remote-ip="2600:3c0a:e001:78e:0:1991:8:25" ARC-Seal: i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1772330372; cv=none; b=SnSPpzHPUSIa47KVELbS2/8ulEbqJ25B5X/p+IttC82ZeoSN/A1dpD+/BlWj3VAahLl0OdjvN/LSA4Qy+odI384i3Hrk89+vtxtm0SYd0+XzicL27X7YY/blxcEmiybYxvQI2VaI1XbQNd0znrEiyK/sVMZieKMu0ohRGNCuFDzNUauFvIQ7vRJPQ7baVB7m2Z/9tlzIcNYvebkdtktA2EPlRRYgWhda+NvInmipAC1RpXxAQe4+IpPjs/FXGOQLl9mN6d/AFhMbblnxUfnicw61jfQaQ3FES+iJXRNTagcxmKuZELJhMqyj+Aky01NhXMk6HGmjm7yXxl4BlcqTnQ== ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1772330372; c=relaxed/relaxed; bh=aZxIldQscEcx96LdrpFIQTUN9Nr6E3CuNWMYbvAM5g0=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=IXVDBD6n82qnMybWRXaWpsJEs9YyVe4dFbQDvWP5Nq0xeefLTpX+qDJsUZ08BH4lJ2VIXys0h5g8zOLXtoMum1g5Mr5hdaYa5c9HbRbUaH7pE3xKeUpEkfqDeUfr9wTfhXrX6f0x4cuKSjyXghZLrQWObGZOaLVFl0WZmeuDqwdXID3wMdm1hl2lDnFitkzeWqcFOHBQVuniUaeQ8WA8ri565p21LXn+80Ynn/X5NWo3safQP1vjRWf03wyqbroxU2dtgqvAkz+Hodldkg1QS77kByC9BA5yPzuVTwx373bZfW6Yk7weiLZct+3+rmq3/AQ8nbD6YavMKuNWCZhVjg== ARC-Authentication-Results: i=1; lists.ozlabs.org; dmarc=pass (p=quarantine dis=none) header.from=kernel.org; dkim=pass (2048-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256 header.s=k20201202 header.b=DYP38pu+; dkim-atps=neutral; spf=pass (client-ip=2600:3c0a:e001:78e:0:1991:8:25; helo=sea.source.kernel.org; envelope-from=sashal@kernel.org; receiver=lists.ozlabs.org) smtp.mailfrom=kernel.org Authentication-Results: lists.ozlabs.org; dmarc=pass (p=quarantine dis=none) header.from=kernel.org Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256 header.s=k20201202 header.b=DYP38pu+; dkim-atps=neutral Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=kernel.org (client-ip=2600:3c0a:e001:78e:0:1991:8:25; helo=sea.source.kernel.org; envelope-from=sashal@kernel.org; receiver=lists.ozlabs.org) Received: from sea.source.kernel.org (sea.source.kernel.org [IPv6:2600:3c0a:e001:78e:0:1991:8:25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4fNlcN16C5z2yF1 for ; Sun, 01 Mar 2026 12:59:32 +1100 (AEDT) Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sea.source.kernel.org (Postfix) with ESMTP id 7E1C142DCA; Sun, 1 Mar 2026 01:59:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B413FC2BC86; Sun, 1 Mar 2026 01:59:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772330370; bh=CMqus3ITimaUBp6Um8u0hwBq1NnGJYegILemxlcDbBg=; h=From:To:Cc:Subject:Date:From; b=DYP38pu+g2BX0r4x4BlFuwAyy1biSSLK56M5C2irsc5jHL0ThEk9WYpdvXlxAT0bp 6iNrD8vv/AKQmdnyf0c80SxlfARb63ecVzxbAaBtRUSm3CKjin2dRGq2Sr1nUgHaCy gHw2axNh2TTIlHcCUSiDCvBlx04y/ufahZ84BuqjxDcrLjkBvSdbdOxyGJZ/wUjhoV htuy63tMbMkujOSwXihNRu8kYXAUIiMBirtngKFd3yT1vAAWziSHrWphGryTmoU/8v X21N9oiR5btcSbSeOJYhgZvvqNEyor97yTcLxiHlqppXi4KdzrxGWrsApCnA5iEbJZ dyP8zD1EAyokg== From: Sasha Levin To: stable@vger.kernel.org, hanguidong02@gmail.com Cc: Ioana Ciornei , "Christophe Leroy (CS GROUP)" , linuxppc-dev@lists.ozlabs.org Subject: FAILED: Patch "bus: fsl-mc: fix use-after-free in driver_override_show()" failed to apply to 5.10-stable tree Date: Sat, 28 Feb 2026 20:59:28 -0500 Message-ID: <20260301015928.1725195-1-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 X-Mailing-List: linuxppc-dev@lists.ozlabs.org List-Id: List-Help: List-Owner: List-Post: List-Archive: , List-Subscribe: , , List-Unsubscribe: Precedence: list MIME-Version: 1.0 X-Patchwork-Hint: ignore X-stable: review Content-Transfer-Encoding: 8bit The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . Thanks, Sasha ------------------ original commit in Linus's tree ------------------ >From 148891e95014b5dc5878acefa57f1940c281c431 Mon Sep 17 00:00:00 2001 From: Gui-Dong Han Date: Wed, 3 Dec 2025 01:44:38 +0800 Subject: [PATCH] bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the device_lock around the read operation. Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus") Cc: stable@vger.kernel.org Signed-off-by: Gui-Dong Han Reviewed-by: Ioana Ciornei Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com Signed-off-by: Christophe Leroy (CS GROUP) --- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c index c08c04047ae2c..08b99b0b342f3 100644 --- a/drivers/bus/fsl-mc/fsl-mc-bus.c +++ b/drivers/bus/fsl-mc/fsl-mc-bus.c @@ -231,8 +231,12 @@ static ssize_t driver_override_show(struct device *dev, struct device_attribute *attr, char *buf) { struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev); + ssize_t len; - return sysfs_emit(buf, "%s\n", mc_dev->driver_override); + device_lock(dev); + len = sysfs_emit(buf, "%s\n", mc_dev->driver_override); + device_unlock(dev); + return len; } static DEVICE_ATTR_RW(driver_override); -- 2.51.0