Date: Tue, 13 Jan 2026 10:55:38 +0100
From: "Danilo Krummrich"
Subject: Re: [PATCH v3] driver core: fix use-after-free of driver_override via driver_match_device()
Cc: "Qiu-ji Chen"
To: "Gui-Dong Han"
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20251127145753.13080-1-hanguidong02@gmail.com>
In-Reply-To: <20251127145753.13080-1-hanguidong02@gmail.com>

On Thu Nov 27, 2025 at 3:57 PM CET, Gui-Dong Han wrote:
> diff --git a/drivers/base/base.h b/drivers/base/base.h > index 86fa7fbb3548..72791125de91 100644 > --- a/drivers/base/base.h > +++ b/drivers/base/base.h > @@ -166,6 +166,9 @@ void device_set_deferred_probe_reason(const struct de= vice *dev, struct va_format > static inline int driver_match_device(const struct device_driver *drv, > struct device *dev) > { > + /* Protects against driver_set_override() races */ > + device_lock_assert(dev); > + > return drv->bus->match ? drv->bus->match(dev, drv) : 1; > }

I am not convinced that this is the correct fix, since

  1. Not all match() callbacks access the driver_override field,
  2. driver_override is accessed in other places as well,
  3. driver_override is a bus device specific field (with a common helper admittedly).

I think it would be better to make driver_override a field in the base struct device. This way we can not only provide driver_set_override(), but also driver_get_override(), which should contain the device_lock_assert() instead.

While not all devices require the driver_override field, an additional pointer in struct device does not hurt and it clarifies ownership and hence locking.

- Danilo
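
Review bot: The comment added above device_lock_assert(dev) in driver_match_device() says it "Protects against driver_set_override() races", but an assertion only checks that the caller already holds the device lock; it does not take it. Reword the comment as a caller requirement (for example, "Caller must hold the device lock; match() callbacks may read driver_override") and include the caller-side locking in the same change, since no caller of driver_match_device() is touched in this hunk. The assert also sits before the drv->bus->match test, so it applies even when the bus has no match() callback and the function just returns 1.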
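
The accessor-pair design proposed in the reply above, as an added user-space model; it is not code from the patch, the kernel, or either author. The pthread mutex standing in for the device lock, the `held` tracker, the function signatures, and `bus_match()` are all assumptions made for illustration.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

struct device {
    pthread_mutex_t mutex;      /* stands in for the kernel's device lock */
    char *driver_override;      /* owned by the device, guarded by mutex */
};

/* Per-thread record of the held device: a one-lock model of a lock assert. */
static _Thread_local struct device *held;

static void device_lock(struct device *d)   { pthread_mutex_lock(&d->mutex); held = d; }
static void device_unlock(struct device *d) { held = NULL; pthread_mutex_unlock(&d->mutex); }

/* Setter (hypothetical signature): locks, frees the old string, installs a copy. */
static int driver_set_override(struct device *d, const char *name)
{
    size_t n = name ? strlen(name) + 1 : 0;
    char *copy = n ? malloc(n) : NULL;
    if (n && !copy)
        return -1;
    if (copy)
        memcpy(copy, name, n);
    device_lock(d);
    free(d->driver_override);   /* any pointer read earlier is dead from here */
    d->driver_override = copy;
    device_unlock(d);
    return 0;
}

/* Getter (hypothetical signature): the lock check lives here, so every reader
 * is covered. The model returns -1 where a kernel assert would warn instead. */
static int driver_get_override(struct device *d, const char **out)
{
    if (held != d)
        return -1;
    *out = d->driver_override;  /* valid only until device_unlock() */
    return 0;
}

/* Model match callback: 1 = match, 0 = no match, -1 = caller lacks the lock.
 * With no override set it returns 1; real buses fall back to ID matching. */
static int bus_match(struct device *d, const char *drv_name)
{
    const char *ovr;
    if (driver_get_override(d, &ovr))
        return -1;
    return ovr ? strcmp(ovr, drv_name) == 0 : 1;
}
```

Because the check sits in the getter rather than in the match wrapper, a reader that never goes through the match path is held to the same locking rule.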