--- /dev/null
+From 134c6eaa6087d78c0e289931ca15ae7a5007670d Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Dec 2023 15:02:35 -0800
+Subject: driver core: Add a guard() definition for the device_lock()
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 134c6eaa6087d78c0e289931ca15ae7a5007670d upstream.
+
+At present there are ~200 usages of device_lock() in the kernel. Some of
+those usages lead to "goto unlock;" patterns which have proven to be
+error prone. Define a "device" guard() definition to allow for those to
+be cleaned up and prevent new ones from appearing.
+
+Link: http://lore.kernel.org/r/657897453dda8_269bd29492@dwillia2-mobl3.amr.corp.intel.com.notmuch
+Link: http://lore.kernel.org/r/6577b0c2a02df_a04c5294bb@dwillia2-xfh.jf.intel.com.notmuch
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Link: https://lore.kernel.org/r/170250854466.1522182.17555361077409628655.stgit@dwillia2-xfh.jf.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/device.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/device.h
++++ b/include/linux/device.h
+@@ -779,6 +779,8 @@ static inline void device_unlock(struct
+ mutex_unlock(&dev->mutex);
+ }
+
++DEFINE_GUARD(device, struct device *, device_lock(_T), device_unlock(_T))
++
+ static inline void device_lock_assert(struct device *dev)
+ {
+ lockdep_assert_held(&dev->mutex);
--- /dev/null
+From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han <hanguidong02@gmail.com>
+Date: Wed, 14 Jan 2026 00:28:43 +0800
+Subject: driver core: enforce device_lock for driver_match_device()
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+Currently, driver_match_device() is called from three sites. One site
+(__device_attach_driver) holds device_lock(dev), but the other two
+(bind_store and __driver_attach) do not. This inconsistency means that
+bus match() callbacks are not guaranteed to be called with the lock
+held.
+
+Fix this by introducing driver_match_device_locked(), which guarantees
+holding the device lock using a scoped guard. Replace the unlocked calls
+in bind_store() and __driver_attach() with this new helper. Also add a
+lock assertion to driver_match_device() to enforce this guarantee.
+
+This consistency also fixes a known race condition. The driver_override
+implementation relies on the device_lock, so the missing lock led to the
+use-after-free (UAF) reported in Bugzilla for buses using this field.
+
+Stress testing the two newly locked paths for 24 hours with
+CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence
+and no lockdep warnings.
+
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
+Suggested-by: Qiu-ji Chen <chenqiuji666@gmail.com>
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock")
+Reviewed-by: Danilo Krummrich <dakr@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
+Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/base.h | 10 ++++++++++
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -144,8 +144,18 @@ extern void device_set_deferred_probe_re
+ static inline int driver_match_device(struct device_driver *drv,
+ struct device *dev)
+ {
++ device_lock_assert(dev);
++
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
++
++static inline int driver_match_device_locked(const struct device_driver *drv,
++ struct device *dev)
++{
++ guard(device)(dev);
++ return driver_match_device(drv, dev);
++}
++
+ extern bool driver_allows_async_probing(struct device_driver *drv);
+
+ extern int driver_add_groups(struct device_driver *drv,
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device(drv, dev)) {
++ if (dev && driver_match_device_locked(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1117,7 +1117,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device(drv, dev);
++ ret = driver_match_device_locked(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
