From 323d2b2c6668d6e76cf45ccb0062066f08c354fe Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 13 Feb 2026 11:40:14 +0100
Subject: [PATCH] 5.10-stable patches added patches: driver-core-enforce-device_lock-for-driver_match_device.patch series
---
...-device_lock-for-driver_match_device.patch | 93 +++++++++++++++++++
queue-5.10/series | 1 +
2 files changed, 94 insertions(+)
create mode 100644 queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch
create mode 100644 queue-5.10/series
diff --git a/queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch b/queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch
new file mode 100644
index 0000000000..4c33d307de
--- /dev/null
+++ b/queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch
@@ -0,0 +1,93 @@
+From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han
+Date: Wed, 14 Jan 2026 00:28:43 +0800
+Subject: driver core: enforce device_lock for driver_match_device()
+
+From: Gui-Dong Han
+
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+Currently, driver_match_device() is called from three sites. One site
+(__device_attach_driver) holds device_lock(dev), but the other two
+(bind_store and __driver_attach) do not. This inconsistency means that
+bus match() callbacks are not guaranteed to be called with the lock
+held.
+
+Fix this by introducing driver_match_device_locked(), which guarantees
+holding the device lock using a scoped guard. Replace the unlocked calls
+in bind_store() and __driver_attach() with this new helper. Also add a
+lock assertion to driver_match_device() to enforce this guarantee.
+
+This consistency also fixes a known race condition. The driver_override
+implementation relies on the device_lock, so the missing lock led to the
+use-after-free (UAF) reported in Bugzilla for buses using this field.
+
+Stress testing the two newly locked paths for 24 hours with
+CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence
+and no lockdep warnings.
+
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
+Suggested-by: Qiu-ji Chen
+Signed-off-by: Gui-Dong Han
+Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock")
+Reviewed-by: Danilo Krummrich
+Reviewed-by: Greg Kroah-Hartman
+Reviewed-by: Rafael J. Wysocki (Intel)
+Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com
+Signed-off-by: Danilo Krummrich
+[ backport to 5.10.y - gregkh ]
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/base.h | 14 ++++++++++++++
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -140,8 +140,22 @@ extern void device_set_deferred_probe_re
+ static inline int driver_match_device(struct device_driver *drv,
+ struct device *dev)
+ {
++ device_lock_assert(dev);
++
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
++
++static inline int driver_match_device_locked(struct device_driver *drv,
++ struct device *dev)
++{
++ int ret;
++
++ device_lock(dev);
++ ret = driver_match_device(drv, dev);
++ device_unlock(dev);
++ return ret;
++}
++
+ extern bool driver_allows_async_probing(struct device_driver *drv);
+
+ extern int driver_add_groups(struct device_driver *drv,
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && dev->driver == NULL && driver_match_device(drv, dev)) {
++ if (dev && dev->driver == NULL && driver_match_device_locked(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+
+ if (err > 0) {
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1079,7 +1079,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device(drv, dev);
++ ret = driver_match_device_locked(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 0000000000..d92b87ba3f
--- /dev/null
+++ b/queue-5.10/series
@@ -0,0 +1 @@
+driver-core-enforce-device_lock-for-driver_match_device.patch
--
2.47.3
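Review bot: driver_match_device_locked() in the base.h section releases device_lock before it returns, so the result that bind_store() and __driver_attach() act on is only a snapshot, and the `dev->driver == NULL` test in bind_store() is still read with no lock held. The lock does cover the bus match() callback itself, which is what the use-after-free described in the commit message depends on, but nothing in these hunks shows that device_driver_attach() or the rest of __driver_attach() re-checks the device state under the lock; both functions continue outside the hunks, so that is worth confirming for 5.10.y. I would document the contract on the helper, e.g. `/* Takes and drops device_lock(dev); the match result may be stale once this returns. */`. The retained upstream text also says the helper uses a scoped guard while this backport uses explicit device_lock()/device_unlock(), which the `[ backport to 5.10.y - gregkh ]` line could state.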