git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Danilo Krummrich <dakr@kernel.org>
	Tue, 24 Mar 2026 00:59:14 +0000 (01:59 +0100)
committer	Danilo Krummrich <dakr@kernel.org>
	Fri, 3 Apr 2026 22:49:22 +0000 (00:49 +0200)
commit	81d6f7c3a70b10ff757ee8b5f8114a190871cf1e
tree	4db70c019bceab03fc360d011750f71cbc47c5d0	tree \| snapshot
parent	ac4d8bb6e2e13e8684a76ea48d13ebaaaf5c24c4	commit \| diff

s390/ap: use generic driver_override infrastructure

When the AP masks are updated via apmask_store() or aqmask_store(),
ap_bus_revise_bindings() is called after ap_attr_mutex has been
released.

This calls __ap_revise_reserved(), which accesses the driver_override
field without holding any lock, racing against a concurrent
driver_override_store() that may free the old string, resulting in a
potential UAF.

Fix this by using the driver-core driver_override infrastructure, which
protects all accesses with an internal spinlock.

Note that unlike most other buses, the AP bus does not check
driver_override in its match() callback; the override is checked in
ap_device_probe() and __ap_revise_reserved() instead.

Also note that we do not enable the driver_override feature of struct
bus_type, as AP - in contrast to most other buses - passes "" to
sysfs_emit() when the driver_override pointer is NULL. Thus, printing
"\n" instead of "(null)\n".

Additionally, AP has a custom counter that is modified in the
corresponding custom driver_override_store().

Fixes: d38a87d7c064 ("s390/ap: Support driver_override for AP queue devices")
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Link: https://patch.msgid.link/20260324005919.2408620-11-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>

drivers/s390/crypto/ap_bus.c		diff \| blob \| blame \| history
drivers/s390/crypto/ap_bus.h		diff \| blob \| blame \| history
drivers/s390/crypto/ap_queue.c		diff \| blob \| blame \| history