From mboxrd@z Thu Jan 1 00:00:00 1970
X-Mailing-List: virtualization@lists.linux.dev
References: <20260324005919.2408620-1-dakr@kernel.org> <20260324005919.2408620-8-dakr@kernel.org>
In-Reply-To: <20260324005919.2408620-8-dakr@kernel.org>
From: Mathieu Poirier
Date: Wed, 25 Mar 2026 09:49:31 -0600
Subject: Re: [PATCH 07/12] rpmsg: use generic driver_override infrastructure
To: Danilo Krummrich
Cc: Russell King, Greg Kroah-Hartman, "Rafael J. Wysocki", Ioana Ciornei,
 Nipun Gupta, Nikhil Agarwal, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu,
 Dexuan Cui, Long Li, Bjorn Helgaas, Armin Wolf, Bjorn Andersson,
 Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens, Vasily Gorbik,
 Alexander Gordeev, Christian Borntraeger, Sven Schnelle,
 Harald Freudenberger, Holger Dengler, Mark Brown, "Michael S. Tsirkin",
 Jason Wang, Xuan Zhuo, Eugenio Pérez, Alex Williamson, Juergen Gross,
 Stefano Stabellini, Oleksandr Tyshchenko, "Christophe Leroy (CS GROUP)",
 linux-kernel@vger.kernel.org, driver-core@lists.linux.dev,
 linuxppc-dev@lists.ozlabs.org, linux-hyperv@vger.kernel.org,
 linux-pci@vger.kernel.org, platform-driver-x86@vger.kernel.org,
 linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org,
 linux-s390@vger.kernel.org, linux-spi@vger.kernel.org,
 virtualization@lists.linux.dev, kvm@vger.kernel.org,
 xen-devel@lists.xenproject.org, linux-arm-kernel@lists.infradead.org,
 Gui-Dong Han
Content-Type: text/plain; charset="UTF-8"

On Mon, 23 Mar 2026 at 19:00, Danilo Krummrich wrote:
>
> When a driver is probed through __driver_attach(), the bus' match()
> callback is called without the device lock held, thus accessing the
> driver_override field without a lock, which can cause a UAF.
>
> Fix this by using the driver-core driver_override infrastructure taking
> care of proper locking internally.
>
> Note that calling match() from __driver_attach() without the device lock
> held is intentional.
[1] > > Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1] > Reported-by: Gui-Dong Han > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 > Fixes: e95060478244 ("rpmsg: Introduce a driver override mechanism") > Signed-off-by: Danilo Krummrich > --- > drivers/rpmsg/qcom_glink_native.c | 2 -- For the below files: Reviewed-by: Mathieu Poirier > drivers/rpmsg/rpmsg_core.c | 43 +++++-------------------------- > drivers/rpmsg/virtio_rpmsg_bus.c | 1 - > include/linux/rpmsg.h | 4 --- > 4 files changed, 7 insertions(+), 43 deletions(-) > > diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c > index 9ef17c2e45b0..e9d1b2082477 100644 > --- a/drivers/rpmsg/qcom_glink_native.c > +++ b/drivers/rpmsg/qcom_glink_native.c > @@ -1623,7 +1623,6 @@ static void qcom_glink_rpdev_release(struct device *dev) > { > struct rpmsg_device *rpdev = to_rpmsg_device(dev); > > - kfree(rpdev->driver_override); > kfree(rpdev); > } > > @@ -1859,7 +1858,6 @@ static void qcom_glink_device_release(struct device *dev) > > /* Release qcom_glink_alloc_channel() reference */ > kref_put(&channel->refcount, qcom_glink_channel_release); > - kfree(rpdev->driver_override); > kfree(rpdev); > } > > diff --git a/drivers/rpmsg/rpmsg_core.c b/drivers/rpmsg/rpmsg_core.c > index 96964745065b..2b9f6d5a9a4f 100644 > --- a/drivers/rpmsg/rpmsg_core.c > +++ b/drivers/rpmsg/rpmsg_core.c 
> @@ -358,33 +358,6 @@ rpmsg_show_attr(src, src, "0x%x\n"); > rpmsg_show_attr(dst, dst, "0x%x\n"); > rpmsg_show_attr(announce, announce ? "true" : "false", "%s\n"); > > -static ssize_t driver_override_store(struct device *dev, > - struct device_attribute *attr, > - const char *buf, size_t count) > -{ > - struct rpmsg_device *rpdev = to_rpmsg_device(dev); > - int ret; > - > - ret = driver_set_override(dev, &rpdev->driver_override, buf, count); > - if (ret) > - return ret; > - > - return count; > -} > - > -static ssize_t driver_override_show(struct device *dev, > - struct device_attribute *attr, char *buf) > -{ > - struct rpmsg_device *rpdev = to_rpmsg_device(dev); > - ssize_t len; > - > - device_lock(dev); > - len = sysfs_emit(buf, "%s\n", rpdev->driver_override); > - device_unlock(dev); > - return len; > -} > -static DEVICE_ATTR_RW(driver_override); > - > static ssize_t modalias_show(struct device *dev, > struct device_attribute *attr, char *buf) > { > @@ -405,7 +378,6 @@ static struct attribute *rpmsg_dev_attrs[] = { > &dev_attr_dst.attr, > &dev_attr_src.attr, > &dev_attr_announce.attr, > - &dev_attr_driver_override.attr, > NULL, > }; > ATTRIBUTE_GROUPS(rpmsg_dev); > @@ -424,9 +396,11 @@ static int rpmsg_dev_match(struct device *dev, const struct device_driver *drv) > const struct rpmsg_driver *rpdrv = to_rpmsg_driver(drv); > const struct rpmsg_device_id *ids = rpdrv->id_table; > unsigned int i; > + int ret; > > - if (rpdev->driver_override) > - return !strcmp(rpdev->driver_override, drv->name); > + ret = device_match_driver_override(dev, drv); > + if (ret >= 0) > + return ret; > > if (ids) > for (i = 0; ids[i].name[0]; i++) > @@ -535,6 +509,7 @@ static const struct bus_type rpmsg_bus = { > .name = "rpmsg", > .match = rpmsg_dev_match, > .dev_groups = rpmsg_dev_groups, > + .driver_override = true, > .uevent = rpmsg_uevent, > .probe = rpmsg_dev_probe, > .remove = rpmsg_dev_remove, 
> @@ -560,11 +535,9 @@ int rpmsg_register_device_override(struct rpmsg_device *rpdev, > > device_initialize(dev); > if (driver_override) { > - ret = driver_set_override(dev, &rpdev->driver_override, > - driver_override, > - strlen(driver_override)); > + ret = device_set_driver_override(dev, driver_override); > if (ret) { > - dev_err(dev, "device_set_override failed: %d\n", ret); > + dev_err(dev, "device_set_driver_override() failed: %d\n", ret); > put_device(dev); > return ret; > } > @@ -573,8 +546,6 @@ int rpmsg_register_device_override(struct rpmsg_device *rpdev, > ret = device_add(dev); > if (ret) { > dev_err(dev, "device_add failed: %d\n", ret); > - kfree(rpdev->driver_override); > - rpdev->driver_override = NULL; > put_device(dev); > } > > diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c > index 8d9e2b4dc7c1..e0dacb736ef9 100644 > --- a/drivers/rpmsg/virtio_rpmsg_bus.c > +++ b/drivers/rpmsg/virtio_rpmsg_bus.c > @@ -373,7 +373,6 @@ static void virtio_rpmsg_release_device(struct device *dev) > struct rpmsg_device *rpdev = to_rpmsg_device(dev); > struct virtio_rpmsg_channel *vch = to_virtio_rpmsg_channel(rpdev); > > - kfree(rpdev->driver_override); > kfree(vch); > } > > diff --git a/include/linux/rpmsg.h b/include/linux/rpmsg.h > index fb7ab9165645..c2e3ef8480d5 100644 > --- a/include/linux/rpmsg.h > +++ b/include/linux/rpmsg.h > @@ -41,9 +41,6 @@ struct rpmsg_channel_info { > * rpmsg_device - device that belong to the rpmsg bus > * @dev: the device struct > * @id: device id (used to match between rpmsg drivers and devices) > - * @driver_override: driver name to force a match; do not set directly, > - * because core frees it; use driver_set_override() to > - * set or clear it. > * @src: local address > * @dst: destination address > * @ept: the rpmsg endpoint of this channel 
> @@ -53,7 +50,6 @@ struct rpmsg_channel_info { > struct rpmsg_device { > struct device dev; > struct rpmsg_device_id id; > - const char *driver_override; > u32 src; > u32 dst; > struct rpmsg_endpoint *ept; > -- > 2.53.0 >
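Review bot: In rpmsg_dev_match() (drivers/rpmsg/rpmsg_core.c), the contract of device_match_driver_override() is only implied by `if (ret >= 0) return ret;`. A negative value falls through to the id_table loop, so it evidently stands for "no override set", while 0 and positive values end matching. A one-line comment above the check stating that contract would keep a later reader from simplifying the test in a way that lets an override naming another driver fall through to id_table matching.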
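Review bot: The release callbacks qcom_glink_rpdev_release(), qcom_glink_device_release() and virtio_rpmsg_release_device(), and the device_add() failure path in rpmsg_register_device_override(), all drop kfree(rpdev->driver_override) without the diff showing what frees the string now. The changelog talks about locking only; add a sentence saying that a string set through device_set_driver_override() is owned and freed by the driver core, so it is clear from the commit message that these removals do not leak on release or on the put_device() error path.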
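Review bot: The rpmsg_core.c hunks remove driver_override_store(), driver_override_show() and the &dev_attr_driver_override.attr entry from rpmsg_dev_attrs[], and the only replacement visible here is `.driver_override = true` in rpmsg_bus. The removed attribute was user-writable (DEVICE_ATTR_RW), so existing user space may depend on it; the changelog should state that the driver_override sysfs file is still exposed for rpmsg devices once this flag is set and that its read and write behaviour is unchanged, since nothing in the diff confirms it.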