From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Gui-Dong Han <hanguidong02@gmail.com>,
Ioana Ciornei <ioana.ciornei@nxp.com>,
"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 05/42] bus: fsl-mc: fix use-after-free in driver_override_show()
Date: Tue, 17 Feb 2026 21:31:56 +0100 [thread overview]
Message-ID: <20260217200006.210964332@linuxfoundation.org> (raw)
In-Reply-To: <20260217200005.998240758@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
The driver_override_show() function reads the driver_override string
without holding the device_lock. However, driver_override_store() uses
driver_set_override(), which modifies and frees the string while holding
the device_lock.
This can result in a concurrent use-after-free if the string is freed
by the store function while being read by the show function.
Fix this by holding the device_lock around the read operation.
Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
struct device_attribute *attr, char *buf)
{
struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+ ssize_t len;
- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ device_lock(dev);
+ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ device_unlock(dev);
+ return len;
}
static DEVICE_ATTR_RW(driver_override);
next prev parent reply other threads:[~2026-02-17 20:53 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:31 [PATCH 6.12 00/42] 6.12.74-rc1 review Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 01/42] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 02/42] bnxt_en: Change FW message timeout warning Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 03/42] bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 04/42] bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions Greg Kroah-Hartman
2026-02-17 20:31 ` Greg Kroah-Hartman [this message]
2026-02-17 20:31 ` [PATCH 6.12 06/42] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 07/42] ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 08/42] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 09/42] ALSA: hda/realtek: Add quirk for Inspur S14-G1 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 10/42] ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 11/42] ALSA: hda/realtek - fixed speaker no sound Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 12/42] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 13/42] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 14/42] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 15/42] ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 16/42] ASoC: amd: yc: Add quirk for HP 200 G2a 16 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 17/42] ALSA: hda/realtek: Enable headset mic for Acer Nitro 5 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 18/42] platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 19/42] platform/x86: panasonic-laptop: Fix sysfs group leak in error path Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 20/42] ASoC: cs42l43: Correct handling of 3-pole jack load detection Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 21/42] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 22/42] drm/amd/display: extend delta clamping logic to CM3 LUT helper Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 23/42] drm/amd/display: remove assert around dpp_base replacement Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 24/42] ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 25/42] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 26/42] mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 27/42] mm/hugetlb: fix hugetlb_pmd_shared() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 28/42] mm/hugetlb: fix two comments related to huge_pmd_unshare() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 29/42] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 30/42] LoongArch: Rework KASAN initialization for PTW-enabled systems Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 31/42] Revert "wireguard: device: enable threaded NAPI" Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 32/42] cpuset: Fix missing adaptation for cpuset_is_populated Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 33/42] fbdev: rivafb: fix divide error in nv3_arb() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 34/42] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 35/42] f2fs: fix to add gc count stat in f2fs_gc_range Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 36/42] f2fs: fix to check sysfs filename w/ gc_pin_file_thresh correctly Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 37/42] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 38/42] f2fs: fix to avoid mapping wrong physical block for swapfile Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 39/42] iommu/arm-smmu-qcom: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 40/42] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 41/42] f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 42/42] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 22:51 ` [PATCH 6.12 00/42] 6.12.74-rc1 review Florian Fainelli
2026-02-18 3:02 ` Peter Schneider
2026-02-18 8:22 ` Jon Hunter
2026-02-18 9:09 ` Brett A C Sheffield
2026-02-18 9:11 ` Pavel Machek
2026-02-18 12:51 ` Francesco Dolcini
2026-02-18 23:43 ` Mark Brown
2026-02-19 6:33 ` Ron Economos
2026-02-19 9:20 ` Harshit Mogalapalli
2026-02-19 12:36 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200006.210964332@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chleroy@kernel.org \
--cc=hanguidong02@gmail.com \
--cc=ioana.ciornei@nxp.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox