+++ /dev/null
-From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001
-From: Gui-Dong Han <hanguidong02@gmail.com>
-Date: Wed, 14 Jan 2026 00:28:43 +0800
-Subject: driver core: enforce device_lock for driver_match_device()
-
-From: Gui-Dong Han <hanguidong02@gmail.com>
-
-commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
-
-Currently, driver_match_device() is called from three sites. One site
-(__device_attach_driver) holds device_lock(dev), but the other two
-(bind_store and __driver_attach) do not. This inconsistency means that
-bus match() callbacks are not guaranteed to be called with the lock
-held.
-
-Fix this by introducing driver_match_device_locked(), which guarantees
-holding the device lock using a scoped guard. Replace the unlocked calls
-in bind_store() and __driver_attach() with this new helper. Also add a
-lock assertion to driver_match_device() to enforce this guarantee.
-
-This consistency also fixes a known race condition. The driver_override
-implementation relies on the device_lock, so the missing lock led to the
-use-after-free (UAF) reported in Bugzilla for buses using this field.
-
-Stress testing the two newly locked paths for 24 hours with
-CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence
-and no lockdep warnings.
-
-Cc: stable@vger.kernel.org
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
-Suggested-by: Qiu-ji Chen <chenqiuji666@gmail.com>
-Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
-Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock")
-Reviewed-by: Danilo Krummrich <dakr@kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
-Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com
-Signed-off-by: Danilo Krummrich <dakr@kernel.org>
-[ backport to 5.10.y - gregkh ]
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/base/base.h | 14 ++++++++++++++
- drivers/base/bus.c | 2 +-
- drivers/base/dd.c | 2 +-
- 3 files changed, 16 insertions(+), 2 deletions(-)
-
---- a/drivers/base/base.h
-+++ b/drivers/base/base.h
-@@ -140,8 +140,22 @@ extern void device_set_deferred_probe_re
- static inline int driver_match_device(struct device_driver *drv,
- struct device *dev)
- {
-+ device_lock_assert(dev);
-+
- return drv->bus->match ? drv->bus->match(dev, drv) : 1;
- }
-+
-+static inline int driver_match_device_locked(struct device_driver *drv,
-+ struct device *dev)
-+{
-+ int ret;
-+
-+ device_lock(dev);
-+ ret = driver_match_device(drv, dev);
-+ device_unlock(dev);
-+ return ret;
-+}
-+
- extern bool driver_allows_async_probing(struct device_driver *drv);
-
- extern int driver_add_groups(struct device_driver *drv,
---- a/drivers/base/bus.c
-+++ b/drivers/base/bus.c
-@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_
- int err = -ENODEV;
-
- dev = bus_find_device_by_name(bus, NULL, buf);
-- if (dev && dev->driver == NULL && driver_match_device(drv, dev)) {
-+ if (dev && dev->driver == NULL && driver_match_device_locked(drv, dev)) {
- err = device_driver_attach(drv, dev);
-
- if (err > 0) {
---- a/drivers/base/dd.c
-+++ b/drivers/base/dd.c
-@@ -1079,7 +1079,7 @@ static int __driver_attach(struct device
- * is an error.
- */
-
-- ret = driver_match_device(drv, dev);
-+ ret = driver_match_device_locked(drv, dev);
- if (ret == 0) {
- /* no match */
- return 0;
-driver-core-enforce-device_lock-for-driver_match_device.patch
crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch
crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch
crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch
+++ /dev/null
-From 134c6eaa6087d78c0e289931ca15ae7a5007670d Mon Sep 17 00:00:00 2001
-From: Dan Williams <dan.j.williams@intel.com>
-Date: Wed, 13 Dec 2023 15:02:35 -0800
-Subject: driver core: Add a guard() definition for the device_lock()
-
-From: Dan Williams <dan.j.williams@intel.com>
-
-commit 134c6eaa6087d78c0e289931ca15ae7a5007670d upstream.
-
-At present there are ~200 usages of device_lock() in the kernel. Some of
-those usages lead to "goto unlock;" patterns which have proven to be
-error prone. Define a "device" guard() definition to allow for those to
-be cleaned up and prevent new ones from appearing.
-
-Link: http://lore.kernel.org/r/657897453dda8_269bd29492@dwillia2-mobl3.amr.corp.intel.com.notmuch
-Link: http://lore.kernel.org/r/6577b0c2a02df_a04c5294bb@dwillia2-xfh.jf.intel.com.notmuch
-Cc: Vishal Verma <vishal.l.verma@intel.com>
-Cc: Ira Weiny <ira.weiny@intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Reviewed-by: Ira Weiny <ira.weiny@intel.com>
-Reviewed-by: Dave Jiang <dave.jiang@intel.com>
-Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
-Link: https://lore.kernel.org/r/170250854466.1522182.17555361077409628655.stgit@dwillia2-xfh.jf.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/device.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/include/linux/device.h
-+++ b/include/linux/device.h
-@@ -779,6 +779,8 @@ static inline void device_unlock(struct
- mutex_unlock(&dev->mutex);
- }
-
-+DEFINE_GUARD(device, struct device *, device_lock(_T), device_unlock(_T))
-+
- static inline void device_lock_assert(struct device *dev)
- {
- lockdep_assert_held(&dev->mutex);
+++ /dev/null
-From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001
-From: Gui-Dong Han <hanguidong02@gmail.com>
-Date: Wed, 14 Jan 2026 00:28:43 +0800
-Subject: driver core: enforce device_lock for driver_match_device()
-
-From: Gui-Dong Han <hanguidong02@gmail.com>
-
-commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
-
-Currently, driver_match_device() is called from three sites. One site
-(__device_attach_driver) holds device_lock(dev), but the other two
-(bind_store and __driver_attach) do not. This inconsistency means that
-bus match() callbacks are not guaranteed to be called with the lock
-held.
-
-Fix this by introducing driver_match_device_locked(), which guarantees
-holding the device lock using a scoped guard. Replace the unlocked calls
-in bind_store() and __driver_attach() with this new helper. Also add a
-lock assertion to driver_match_device() to enforce this guarantee.
-
-This consistency also fixes a known race condition. The driver_override
-implementation relies on the device_lock, so the missing lock led to the
-use-after-free (UAF) reported in Bugzilla for buses using this field.
-
-Stress testing the two newly locked paths for 24 hours with
-CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence
-and no lockdep warnings.
-
-Cc: stable@vger.kernel.org
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
-Suggested-by: Qiu-ji Chen <chenqiuji666@gmail.com>
-Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
-Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock")
-Reviewed-by: Danilo Krummrich <dakr@kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
-Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com
-Signed-off-by: Danilo Krummrich <dakr@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/base/base.h | 10 ++++++++++
- drivers/base/bus.c | 2 +-
- drivers/base/dd.c | 2 +-
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
---- a/drivers/base/base.h
-+++ b/drivers/base/base.h
-@@ -144,8 +144,18 @@ extern void device_set_deferred_probe_re
- static inline int driver_match_device(struct device_driver *drv,
- struct device *dev)
- {
-+ device_lock_assert(dev);
-+
- return drv->bus->match ? drv->bus->match(dev, drv) : 1;
- }
-+
-+static inline int driver_match_device_locked(struct device_driver *drv,
-+ struct device *dev)
-+{
-+ guard(device)(dev);
-+ return driver_match_device(drv, dev);
-+}
-+
- extern bool driver_allows_async_probing(struct device_driver *drv);
-
- extern int driver_add_groups(struct device_driver *drv,
---- a/drivers/base/bus.c
-+++ b/drivers/base/bus.c
-@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_
- int err = -ENODEV;
-
- dev = bus_find_device_by_name(bus, NULL, buf);
-- if (dev && driver_match_device(drv, dev)) {
-+ if (dev && driver_match_device_locked(drv, dev)) {
- err = device_driver_attach(drv, dev);
- if (!err) {
- /* success */
---- a/drivers/base/dd.c
-+++ b/drivers/base/dd.c
-@@ -1117,7 +1117,7 @@ static int __driver_attach(struct device
- * is an error.
- */
-
-- ret = driver_match_device(drv, dev);
-+ ret = driver_match_device_locked(drv, dev);
- if (ret == 0) {
- /* no match */
- return 0;
-driver-core-add-a-guard-definition-for-the-device_lock.patch
-driver-core-enforce-device_lock-for-driver_match_device.patch
crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch
crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch
crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch
+++ /dev/null
-From 134c6eaa6087d78c0e289931ca15ae7a5007670d Mon Sep 17 00:00:00 2001
-From: Dan Williams <dan.j.williams@intel.com>
-Date: Wed, 13 Dec 2023 15:02:35 -0800
-Subject: driver core: Add a guard() definition for the device_lock()
-
-From: Dan Williams <dan.j.williams@intel.com>
-
-commit 134c6eaa6087d78c0e289931ca15ae7a5007670d upstream.
-
-At present there are ~200 usages of device_lock() in the kernel. Some of
-those usages lead to "goto unlock;" patterns which have proven to be
-error prone. Define a "device" guard() definition to allow for those to
-be cleaned up and prevent new ones from appearing.
-
-Link: http://lore.kernel.org/r/657897453dda8_269bd29492@dwillia2-mobl3.amr.corp.intel.com.notmuch
-Link: http://lore.kernel.org/r/6577b0c2a02df_a04c5294bb@dwillia2-xfh.jf.intel.com.notmuch
-Cc: Vishal Verma <vishal.l.verma@intel.com>
-Cc: Ira Weiny <ira.weiny@intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Reviewed-by: Ira Weiny <ira.weiny@intel.com>
-Reviewed-by: Dave Jiang <dave.jiang@intel.com>
-Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
-Link: https://lore.kernel.org/r/170250854466.1522182.17555361077409628655.stgit@dwillia2-xfh.jf.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/device.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/include/linux/device.h
-+++ b/include/linux/device.h
-@@ -855,6 +855,8 @@ static inline void device_unlock(struct
- mutex_unlock(&dev->mutex);
- }
-
-+DEFINE_GUARD(device, struct device *, device_lock(_T), device_unlock(_T))
-+
- static inline void device_lock_assert(struct device *dev)
- {
- lockdep_assert_held(&dev->mutex);
+++ /dev/null
-From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001
-From: Gui-Dong Han <hanguidong02@gmail.com>
-Date: Wed, 14 Jan 2026 00:28:43 +0800
-Subject: driver core: enforce device_lock for driver_match_device()
-
-From: Gui-Dong Han <hanguidong02@gmail.com>
-
-commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
-
-Currently, driver_match_device() is called from three sites. One site
-(__device_attach_driver) holds device_lock(dev), but the other two
-(bind_store and __driver_attach) do not. This inconsistency means that
-bus match() callbacks are not guaranteed to be called with the lock
-held.
-
-Fix this by introducing driver_match_device_locked(), which guarantees
-holding the device lock using a scoped guard. Replace the unlocked calls
-in bind_store() and __driver_attach() with this new helper. Also add a
-lock assertion to driver_match_device() to enforce this guarantee.
-
-This consistency also fixes a known race condition. The driver_override
-implementation relies on the device_lock, so the missing lock led to the
-use-after-free (UAF) reported in Bugzilla for buses using this field.
-
-Stress testing the two newly locked paths for 24 hours with
-CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence
-and no lockdep warnings.
-
-Cc: stable@vger.kernel.org
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
-Suggested-by: Qiu-ji Chen <chenqiuji666@gmail.com>
-Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
-Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock")
-Reviewed-by: Danilo Krummrich <dakr@kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
-Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com
-Signed-off-by: Danilo Krummrich <dakr@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/base/base.h | 10 ++++++++++
- drivers/base/bus.c | 2 +-
- drivers/base/dd.c | 2 +-
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
---- a/drivers/base/base.h
-+++ b/drivers/base/base.h
-@@ -144,8 +144,18 @@ extern void device_set_deferred_probe_re
- static inline int driver_match_device(struct device_driver *drv,
- struct device *dev)
- {
-+ device_lock_assert(dev);
-+
- return drv->bus->match ? drv->bus->match(dev, drv) : 1;
- }
-+
-+static inline int driver_match_device_locked(struct device_driver *drv,
-+ struct device *dev)
-+{
-+ guard(device)(dev);
-+ return driver_match_device(drv, dev);
-+}
-+
- extern bool driver_allows_async_probing(struct device_driver *drv);
-
- extern int driver_add_groups(struct device_driver *drv,
---- a/drivers/base/bus.c
-+++ b/drivers/base/bus.c
-@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_
- int err = -ENODEV;
-
- dev = bus_find_device_by_name(bus, NULL, buf);
-- if (dev && driver_match_device(drv, dev)) {
-+ if (dev && driver_match_device_locked(drv, dev)) {
- err = device_driver_attach(drv, dev);
- if (!err) {
- /* success */
---- a/drivers/base/dd.c
-+++ b/drivers/base/dd.c
-@@ -1154,7 +1154,7 @@ static int __driver_attach(struct device
- * is an error.
- */
-
-- ret = driver_match_device(drv, dev);
-+ ret = driver_match_device_locked(drv, dev);
- if (ret == 0) {
- /* no match */
- return 0;
smb-client-split-cached_fid-bitfields-to-avoid-shared-byte-rmw-races.patch
ksmbd-fix-infinite-loop-caused-by-next_smb2_rcv_hdr_off-reset-in-error-paths.patch
smb-server-fix-leak-of-active_num_conn-in-ksmbd_tcp_new_connection.patch
-driver-core-add-a-guard-definition-for-the-device_lock.patch
-driver-core-enforce-device_lock-for-driver_match_device.patch
crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch
crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch
crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
