public inbox for stable@vger.kernel.org
* Re: Patch "driver core: enforce device_lock for driver_match_device()" has been added to the 6.1-stable tree
       [not found] <20260308164617.27847-1-sashal@kernel.org>
@ 2026-03-09  1:44 ` Gui-Dong Han
  2026-03-09  7:33   ` Greg Kroah-Hartman
  0 siblings, 1 reply; 2+ messages in thread
From: Gui-Dong Han @ 2026-03-09  1:44 UTC (permalink / raw)
  To: stable, sashal
  Cc: stable-commits, Greg Kroah-Hartman, Rafael J. Wysocki,
	Danilo Krummrich

On Mon, Mar 9, 2026 at 12:46 AM Sasha Levin <sashal@kernel.org> wrote:
>
> This is a note to let you know that I've just added the patch titled
>
>     driver core: enforce device_lock for driver_match_device()
>
> to the 6.1-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
>      driver-core-enforce-device_lock-for-driver_match_dev.patch
> and it can be found in the queue-6.1 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.

Hi Sasha,

Please drop this patch from 6.1 and all other stable queues.

This commit was reverted upstream. Enforcing the device_lock here
introduced side effects [1]. We are currently developing a new
approach to fix the original issue [2].

Thanks.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9de68394a615
[2] https://lore.kernel.org/driver-core/20260303115720.48783-1-dakr@kernel.org/

>
>
>
> commit 43fcab97a217ccdc2da2d8644f88398dc061e1e9
> Author: Gui-Dong Han <hanguidong02@gmail.com>
> Date:   Wed Jan 14 00:28:43 2026 +0800
>
>     driver core: enforce device_lock for driver_match_device()
>
>     [ Upstream commit dc23806a7c47ec5f1293aba407fb69519f976ee0 ]
>
>     Currently, driver_match_device() is called from three sites. One site
>     (__device_attach_driver) holds device_lock(dev), but the other two
>     (bind_store and __driver_attach) do not. This inconsistency means that
>     bus match() callbacks are not guaranteed to be called with the lock
>     held.
>
>     Fix this by introducing driver_match_device_locked(), which guarantees
>     holding the device lock using a scoped guard. Replace the unlocked calls
>     in bind_store() and __driver_attach() with this new helper. Also add a
>     lock assertion to driver_match_device() to enforce this guarantee.
>
>     This consistency also fixes a known race condition. The driver_override
>     implementation relies on the device_lock, so the missing lock led to the
>     use-after-free (UAF) reported in Bugzilla for buses using this field.
>
>     Stress testing the two newly locked paths for 24 hours with
>     CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence
>     and no lockdep warnings.
>
>     Cc: stable@vger.kernel.org
>     Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
>     Suggested-by: Qiu-ji Chen <chenqiuji666@gmail.com>
>     Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
>     Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock")
>     Reviewed-by: Danilo Krummrich <dakr@kernel.org>
>     Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
>     Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com
>     Signed-off-by: Danilo Krummrich <dakr@kernel.org>
>     Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> diff --git a/drivers/base/base.h b/drivers/base/base.h
> index 2a6cf004dedc3..4e06810efe3e0 100644
> --- a/drivers/base/base.h
> +++ b/drivers/base/base.h
> @@ -144,10 +144,19 @@ extern void device_set_deferred_probe_reason(const struct device *dev,
>  static inline int driver_match_device(struct device_driver *drv,
>                                       struct device *dev)
>  {
> +       device_lock_assert(dev);
> +
>         return drv->bus->match ? drv->bus->match(dev, drv) : 1;
>  }
>  extern bool driver_allows_async_probing(struct device_driver *drv);
>
> +static inline int driver_match_device_locked(const struct device_driver *drv,
> +                                            struct device *dev)
> +{
> +       guard(device)(dev);
> +       return driver_match_device(drv, dev);
> +}
> +
>  static inline void dev_sync_state(struct device *dev)
>  {
>         if (dev->bus->sync_state)
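Review bot: driver_match_device_locked() declares its first parameter as `const struct device_driver *drv` but passes it straight to driver_match_device(), whose prototype in the context lines of this same hunk takes a non-const `struct device_driver *drv`, so the call discards the const qualifier. For this backport either drop the const from the new helper or constify driver_match_device() in the same patch. The helper also depends on `guard(device)(dev)`, which nothing in this patch defines, so the 6.1 queue should confirm the tree already provides that guard. A short comment above driver_match_device() stating that callers must hold device_lock(dev) would document the new device_lock_assert().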
> diff --git a/drivers/base/bus.c b/drivers/base/bus.c
> index 941532ddfdc68..78a64f2784d05 100644
> --- a/drivers/base/bus.c
> +++ b/drivers/base/bus.c
> @@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_driver *drv, const char *buf,
>         int err = -ENODEV;
>
>         dev = bus_find_device_by_name(bus, NULL, buf);
> -       if (dev && driver_match_device(drv, dev)) {
> +       if (dev && driver_match_device_locked(drv, dev)) {
>                 err = device_driver_attach(drv, dev);
>                 if (!err) {
>                         /* success */
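Review bot: in bind_store() the device lock is held only for the duration of driver_match_device_locked(), because the scoped guard in that helper releases it on return, so the match result is no longer protected when device_driver_attach(drv, dev) runs on the next line. State that the match depends on under device_lock (the commit message names driver_override) can change in that window. Please add a comment here saying whether the match is only an advisory pre-check that the attach path is expected to tolerate going stale, or restructure so the match and the attach share one critical section.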
> diff --git a/drivers/base/dd.c b/drivers/base/dd.c
> index 6ad1b6eae65d6..02c846be7b174 100644
> --- a/drivers/base/dd.c
> +++ b/drivers/base/dd.c
> @@ -1175,7 +1175,7 @@ static int __driver_attach(struct device *dev, void *data)
>          * is an error.
>          */
>
> -       ret = driver_match_device(drv, dev);
> +       ret = driver_match_device_locked(drv, dev);
>         if (ret == 0) {
>                 /* no match */
>                 return 0;
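Review bot: the replacement call in __driver_attach() now takes device_lock(dev) on every invocation, and neither the hunk nor the commit message states that no path reaches this function with that lock already held. The evidence offered is a 24-hour stress test with lockdep, which covers only the paths the test exercised, and the reply in this thread reports side effects from enforcing the lock. Please add a comment above the call stating the precondition that the caller must not hold dev's lock, and list in the commit message which callers were audited against it.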


* Re: Patch "driver core: enforce device_lock for driver_match_device()" has been added to the 6.1-stable tree
  2026-03-09  1:44 ` Patch "driver core: enforce device_lock for driver_match_device()" has been added to the 6.1-stable tree Gui-Dong Han
@ 2026-03-09  7:33   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-09  7:33 UTC (permalink / raw)
  To: Gui-Dong Han
  Cc: stable, sashal, stable-commits, Rafael J. Wysocki,
	Danilo Krummrich

On Mon, Mar 09, 2026 at 09:44:54AM +0800, Gui-Dong Han wrote:
> On Mon, Mar 9, 2026 at 12:46 AM Sasha Levin <sashal@kernel.org> wrote:
> >
> > This is a note to let you know that I've just added the patch titled
> >
> >     driver core: enforce device_lock for driver_match_device()
> >
> > to the 6.1-stable tree which can be found at:
> >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >
> > The filename of the patch is:
> >      driver-core-enforce-device_lock-for-driver_match_dev.patch
> > and it can be found in the queue-6.1 subdirectory.
> >
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
> 
> Hi Sasha,
> 
> Please drop this patch from 6.1 and all other stable queues.
> 
> This commit was reverted upstream. Enforcing the device_lock here
> introduced side effects [1]. We are currently developing a new
> approach to fix the original issue [2].
> 
> Thanks.
> 
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9de68394a615
> [2] https://lore.kernel.org/driver-core/20260303115720.48783-1-dakr@kernel.org/

Now dropped from everywhere, thanks for catching this again.

greg k-h

