From 0f0c4be7aa89d72ea6f747c5fac8005264eec27a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 13 Feb 2026 11:40:29 +0100 Subject: [PATCH] 5.15-stable patches added patches: driver-core-add-a-guard-definition-for-the-device_lock.patch driver-core-enforce-device_lock-for-driver_match_device.patch series --- ...guard-definition-for-the-device_lock.patch | 43 +++++++++ ...-device_lock-for-driver_match_device.patch | 88 +++++++++++++++++++ queue-5.15/series | 2 + 3 files changed, 133 insertions(+) create mode 100644 queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch create mode 100644 queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch create mode 100644 queue-5.15/series diff --git a/queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch b/queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch new file mode 100644 index 0000000000..dd609658d6 --- /dev/null +++ b/queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch @@ -0,0 +1,43 @@ +From 134c6eaa6087d78c0e289931ca15ae7a5007670d Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Wed, 13 Dec 2023 15:02:35 -0800 +Subject: driver core: Add a guard() definition for the device_lock() + +From: Dan Williams + +commit 134c6eaa6087d78c0e289931ca15ae7a5007670d upstream. + +At present there are ~200 usages of device_lock() in the kernel. Some of +those usages lead to "goto unlock;" patterns which have proven to be +error prone. Define a "device" guard() definition to allow for those to +be cleaned up and prevent new ones from appearing. + +Link: http://lore.kernel.org/r/657897453dda8_269bd29492@dwillia2-mobl3.amr.corp.intel.com.notmuch +Link: http://lore.kernel.org/r/6577b0c2a02df_a04c5294bb@dwillia2-xfh.jf.intel.com.notmuch +Cc: Vishal Verma +Cc: Ira Weiny +Cc: Peter Zijlstra +Cc: Greg Kroah-Hartman +Cc: Andrew Morton +Signed-off-by: Dan Williams +Reviewed-by: Ira Weiny +Reviewed-by: Dave Jiang +Reviewed-by: Vishal Verma +Link: https://lore.kernel.org/r/170250854466.1522182.17555361077409628655.stgit@dwillia2-xfh.jf.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/device.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/device.h ++++ b/include/linux/device.h +@@ -779,6 +779,8 @@ static inline void device_unlock(struct + mutex_unlock(&dev->mutex); + } + ++DEFINE_GUARD(device, struct device *, device_lock(_T), device_unlock(_T)) ++ + static inline void device_lock_assert(struct device *dev) + { + lockdep_assert_held(&dev->mutex); diff --git a/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch b/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch new file mode 100644 index 0000000000..59fdedab82 --- /dev/null +++ b/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch @@ -0,0 +1,88 @@ +From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Wed, 14 Jan 2026 00:28:43 +0800 +Subject: driver core: enforce device_lock for driver_match_device() + +From: Gui-Dong Han + +commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream. + +Currently, driver_match_device() is called from three sites. One site +(__device_attach_driver) holds device_lock(dev), but the other two +(bind_store and __driver_attach) do not. This inconsistency means that +bus match() callbacks are not guaranteed to be called with the lock +held. + +Fix this by introducing driver_match_device_locked(), which guarantees +holding the device lock using a scoped guard. Replace the unlocked calls +in bind_store() and __driver_attach() with this new helper. Also add a +lock assertion to driver_match_device() to enforce this guarantee. + +This consistency also fixes a known race condition. The driver_override +implementation relies on the device_lock, so the missing lock led to the +use-after-free (UAF) reported in Bugzilla for buses using this field. + +Stress testing the two newly locked paths for 24 hours with +CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence +and no lockdep warnings. + +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 +Suggested-by: Qiu-ji Chen +Signed-off-by: Gui-Dong Han +Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock") +Reviewed-by: Danilo Krummrich +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Rafael J. Wysocki (Intel) +Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/base.h | 10 ++++++++++ + drivers/base/bus.c | 2 +- + drivers/base/dd.c | 2 +- + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/base/base.h ++++ b/drivers/base/base.h +@@ -144,8 +144,18 @@ extern void device_set_deferred_probe_re + static inline int driver_match_device(struct device_driver *drv, + struct device *dev) + { ++ device_lock_assert(dev); ++ + return drv->bus->match ? drv->bus->match(dev, drv) : 1; + } ++ ++static inline int driver_match_device_locked(const struct device_driver *drv, ++ struct device *dev) ++{ ++ guard(device)(dev); ++ return driver_match_device(drv, dev); ++} ++ + extern bool driver_allows_async_probing(struct device_driver *drv); + + extern int driver_add_groups(struct device_driver *drv, +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_ + int err = -ENODEV; + + dev = bus_find_device_by_name(bus, NULL, buf); +- if (dev && driver_match_device(drv, dev)) { ++ if (dev && driver_match_device_locked(drv, dev)) { + err = device_driver_attach(drv, dev); + if (!err) { + /* success */ +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -1117,7 +1117,7 @@ static int __driver_attach(struct device + * is an error. + */ + +- ret = driver_match_device(drv, dev); ++ ret = driver_match_device_locked(drv, dev); + if (ret == 0) { + /* no match */ + return 0; diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 0000000000..595f04bdc7 --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1,2 @@ +driver-core-add-a-guard-definition-for-the-device_lock.patch +driver-core-enforce-device_lock-for-driver_match_device.patch -- 2.47.3