From: Greg KH <gregkh@linuxfoundation.org>
To: Runyu Xiao <runyu.xiao@seu.edu.cn>
Cc: rafael@kernel.org, dakr@kernel.org, cornelia.huck@de.ibm.com,
tom.leiming@gmail.com, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, jianhao.xu@seu.edu.cn
Subject: Re: [PATCH] driver core: enforce device_lock for driver_match_device()
Date: Tue, 2 Jun 2026 18:39:35 +0200
Message-ID: <2026060209-virtual-sabotage-bbd1@gregkh>
In-Reply-To: <20260602160829.560904-1-runyu.xiao@seu.edu.cn>

On Wed, Jun 03, 2026 at 12:08:29AM +0800, Runyu Xiao wrote:
> Currently driver_match_device() is called from three sites. The
> __device_attach_driver() path already runs under device_lock(dev), but
> bind_store() and __driver_attach() can still enter bus match()
> callbacks without that lock held.
>
> That inconsistency leaves bus-private driver_override readers exposed.
> Several buses still read private driver_override strings from their
> match callbacks while the write side relies on driver_set_override()
> under device_lock(dev). If bind_store() or __driver_attach() reaches
> such a match callback without that lock, it can race with
> driver_override replacement and old-string free.
>
> This issue was first flagged by our static analysis tool while auditing
> driver_override match paths, then manually confirmed on Linux v6.18.21.

That is very old, please test on the latest 7.1-rc release as things
have changed in this area recently.

thanks,

greg k-h
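
The interleaving described in the quoted commit message, as an added userspace model in C (not kernel code, and not part of the patch or this thread): the `locked` flag stands in for device_lock(dev), `set_override()` stands in for driver_set_override(), and the struct and function names are assumptions made for the illustration. Freed strings are only flagged, so the stale read is detected rather than executed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: "freed" strings stay in a pool with a flag set, so a
 * stale read is detected instead of being real undefined behaviour. */
struct ovr { char name[16]; int freed; };
struct device {
    int locked;            /* stands in for device_lock(dev) */
    struct ovr *override;  /* bus-private driver_override string */
    const char *pending;   /* write blocked while the lock is held */
};
static struct ovr pool[8];
static int next_slot;

/* Writer: models an override replacement that runs under the device lock. */
static void set_override(struct device *dev, const char *s)
{
    if (dev->locked) {     /* matcher holds the lock: writer has to wait */
        dev->pending = s;
        return;
    }
    struct ovr *fresh = &pool[next_slot++];
    snprintf(fresh->name, sizeof(fresh->name), "%s", s);
    if (dev->override)
        dev->override->freed = 1;   /* old string is freed here */
    dev->override = fresh;
}

/* Reader: a match callback split into "load pointer" and "compare", with a
 * write landing in between. Returns 1 if the compare touches a freed string. */
static int match_with_racing_write(struct device *dev, int take_lock, const char *w)
{
    dev->locked = take_lock;
    struct ovr *seen = dev->override;   /* step 1: load the pointer */
    set_override(dev, w);               /* concurrent override write */
    int stale = seen && seen->freed;    /* step 2: compare would dereference */
    dev->locked = 0;
    if (dev->pending) {                 /* blocked writer runs after unlock */
        set_override(dev, dev->pending);
        dev->pending = NULL;
    }
    return stale;
}
int main(void)
{
    struct device d = {0};
    set_override(&d, "drv_a");
    printf("unlocked stale=%d\n", match_with_racing_write(&d, 0, "drv_b"));
    printf("locked   stale=%d\n", match_with_racing_write(&d, 1, "drv_c"));
    return 0;
}
```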