From d4246bc9b635709821099807a6bb4e327d8737ea Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 16 Feb 2026 16:44:36 +0100 Subject: [PATCH] drop driver core patches from all queues --- ...-device_lock-for-driver_match_device.patch | 93 ------------------- queue-5.10/series | 1 - ...guard-definition-for-the-device_lock.patch | 43 --------- ...-device_lock-for-driver_match_device.patch | 88 ------------------ queue-5.15/series | 2 - ...guard-definition-for-the-device_lock.patch | 43 --------- ...-device_lock-for-driver_match_device.patch | 88 ------------------ queue-6.1/series | 2 - 8 files changed, 360 deletions(-) delete mode 100644 queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch delete mode 100644 queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch delete mode 100644 queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch delete mode 100644 queue-6.1/driver-core-add-a-guard-definition-for-the-device_lock.patch delete mode 100644 queue-6.1/driver-core-enforce-device_lock-for-driver_match_device.patch diff --git a/queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch b/queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch deleted file mode 100644 index 4c33d307de..0000000000 --- a/queue-5.10/driver-core-enforce-device_lock-for-driver_match_device.patch +++ /dev/null @@ -1,93 +0,0 @@ -From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001 -From: Gui-Dong Han -Date: Wed, 14 Jan 2026 00:28:43 +0800 -Subject: driver core: enforce device_lock for driver_match_device() - -From: Gui-Dong Han - -commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream. - -Currently, driver_match_device() is called from three sites. One site -(__device_attach_driver) holds device_lock(dev), but the other two -(bind_store and __driver_attach) do not. This inconsistency means that -bus match() callbacks are not guaranteed to be called with the lock -held. - -Fix this by introducing driver_match_device_locked(), which guarantees -holding the device lock using a scoped guard. Replace the unlocked calls -in bind_store() and __driver_attach() with this new helper. Also add a -lock assertion to driver_match_device() to enforce this guarantee. - -This consistency also fixes a known race condition. The driver_override -implementation relies on the device_lock, so the missing lock led to the -use-after-free (UAF) reported in Bugzilla for buses using this field. - -Stress testing the two newly locked paths for 24 hours with -CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence -and no lockdep warnings. - -Cc: stable@vger.kernel.org -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 -Suggested-by: Qiu-ji Chen -Signed-off-by: Gui-Dong Han -Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock") -Reviewed-by: Danilo Krummrich -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Rafael J. Wysocki (Intel) -Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com -Signed-off-by: Danilo Krummrich -[ backport to 5.10.y - gregkh ] -Signed-off-by: Greg Kroah-Hartman ---- - drivers/base/base.h | 14 ++++++++++++++ - drivers/base/bus.c | 2 +- - drivers/base/dd.c | 2 +- - 3 files changed, 16 insertions(+), 2 deletions(-) - ---- a/drivers/base/base.h -+++ b/drivers/base/base.h -@@ -140,8 +140,22 @@ extern void device_set_deferred_probe_re - static inline int driver_match_device(struct device_driver *drv, - struct device *dev) - { -+ device_lock_assert(dev); -+ - return drv->bus->match ? drv->bus->match(dev, drv) : 1; - } -+ -+static inline int driver_match_device_locked(struct device_driver *drv, -+ struct device *dev) -+{ -+ int ret; -+ -+ device_lock(dev); -+ ret = driver_match_device(drv, dev); -+ device_unlock(dev); -+ return ret; -+} -+ - extern bool driver_allows_async_probing(struct device_driver *drv); - - extern int driver_add_groups(struct device_driver *drv, ---- a/drivers/base/bus.c -+++ b/drivers/base/bus.c -@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_ - int err = -ENODEV; - - dev = bus_find_device_by_name(bus, NULL, buf); -- if (dev && dev->driver == NULL && driver_match_device(drv, dev)) { -+ if (dev && dev->driver == NULL && driver_match_device_locked(drv, dev)) { - err = device_driver_attach(drv, dev); - - if (err > 0) { ---- a/drivers/base/dd.c -+++ b/drivers/base/dd.c -@@ -1079,7 +1079,7 @@ static int __driver_attach(struct device - * is an error. - */ - -- ret = driver_match_device(drv, dev); -+ ret = driver_match_device_locked(drv, dev); - if (ret == 0) { - /* no match */ - return 0; diff --git a/queue-5.10/series b/queue-5.10/series index 1ae5aa4c3b..a9bf60a460 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1,4 +1,3 @@ -driver-core-enforce-device_lock-for-driver_match_device.patch crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch diff --git a/queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch b/queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch deleted file mode 100644 index dd609658d6..0000000000 --- a/queue-5.15/driver-core-add-a-guard-definition-for-the-device_lock.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 134c6eaa6087d78c0e289931ca15ae7a5007670d Mon Sep 17 00:00:00 2001 -From: Dan Williams -Date: Wed, 13 Dec 2023 15:02:35 -0800 -Subject: driver core: Add a guard() definition for the device_lock() - -From: Dan Williams - -commit 134c6eaa6087d78c0e289931ca15ae7a5007670d upstream. - -At present there are ~200 usages of device_lock() in the kernel. Some of -those usages lead to "goto unlock;" patterns which have proven to be -error prone. Define a "device" guard() definition to allow for those to -be cleaned up and prevent new ones from appearing. - -Link: http://lore.kernel.org/r/657897453dda8_269bd29492@dwillia2-mobl3.amr.corp.intel.com.notmuch -Link: http://lore.kernel.org/r/6577b0c2a02df_a04c5294bb@dwillia2-xfh.jf.intel.com.notmuch -Cc: Vishal Verma -Cc: Ira Weiny -Cc: Peter Zijlstra -Cc: Greg Kroah-Hartman -Cc: Andrew Morton -Signed-off-by: Dan Williams -Reviewed-by: Ira Weiny -Reviewed-by: Dave Jiang -Reviewed-by: Vishal Verma -Link: https://lore.kernel.org/r/170250854466.1522182.17555361077409628655.stgit@dwillia2-xfh.jf.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/device.h | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/include/linux/device.h -+++ b/include/linux/device.h -@@ -779,6 +779,8 @@ static inline void device_unlock(struct - mutex_unlock(&dev->mutex); - } - -+DEFINE_GUARD(device, struct device *, device_lock(_T), device_unlock(_T)) -+ - static inline void device_lock_assert(struct device *dev) - { - lockdep_assert_held(&dev->mutex); diff --git a/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch b/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch deleted file mode 100644 index 30e1dba6a0..0000000000 --- a/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch +++ /dev/null @@ -1,88 +0,0 @@ -From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001 -From: Gui-Dong Han -Date: Wed, 14 Jan 2026 00:28:43 +0800 -Subject: driver core: enforce device_lock for driver_match_device() - -From: Gui-Dong Han - -commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream. - -Currently, driver_match_device() is called from three sites. One site -(__device_attach_driver) holds device_lock(dev), but the other two -(bind_store and __driver_attach) do not. This inconsistency means that -bus match() callbacks are not guaranteed to be called with the lock -held. - -Fix this by introducing driver_match_device_locked(), which guarantees -holding the device lock using a scoped guard. Replace the unlocked calls -in bind_store() and __driver_attach() with this new helper. Also add a -lock assertion to driver_match_device() to enforce this guarantee. - -This consistency also fixes a known race condition. The driver_override -implementation relies on the device_lock, so the missing lock led to the -use-after-free (UAF) reported in Bugzilla for buses using this field. - -Stress testing the two newly locked paths for 24 hours with -CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence -and no lockdep warnings. - -Cc: stable@vger.kernel.org -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 -Suggested-by: Qiu-ji Chen -Signed-off-by: Gui-Dong Han -Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock") -Reviewed-by: Danilo Krummrich -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Rafael J. Wysocki (Intel) -Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com -Signed-off-by: Danilo Krummrich -Signed-off-by: Greg Kroah-Hartman ---- - drivers/base/base.h | 10 ++++++++++ - drivers/base/bus.c | 2 +- - drivers/base/dd.c | 2 +- - 3 files changed, 12 insertions(+), 2 deletions(-) - ---- a/drivers/base/base.h -+++ b/drivers/base/base.h -@@ -144,8 +144,18 @@ extern void device_set_deferred_probe_re - static inline int driver_match_device(struct device_driver *drv, - struct device *dev) - { -+ device_lock_assert(dev); -+ - return drv->bus->match ? drv->bus->match(dev, drv) : 1; - } -+ -+static inline int driver_match_device_locked(struct device_driver *drv, -+ struct device *dev) -+{ -+ guard(device)(dev); -+ return driver_match_device(drv, dev); -+} -+ - extern bool driver_allows_async_probing(struct device_driver *drv); - - extern int driver_add_groups(struct device_driver *drv, ---- a/drivers/base/bus.c -+++ b/drivers/base/bus.c -@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_ - int err = -ENODEV; - - dev = bus_find_device_by_name(bus, NULL, buf); -- if (dev && driver_match_device(drv, dev)) { -+ if (dev && driver_match_device_locked(drv, dev)) { - err = device_driver_attach(drv, dev); - if (!err) { - /* success */ ---- a/drivers/base/dd.c -+++ b/drivers/base/dd.c -@@ -1117,7 +1117,7 @@ static int __driver_attach(struct device - * is an error. - */ - -- ret = driver_match_device(drv, dev); -+ ret = driver_match_device_locked(drv, dev); - if (ret == 0) { - /* no match */ - return 0; diff --git a/queue-5.15/series b/queue-5.15/series index 281678e78c..5572bd4e2e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1,5 +1,3 @@ -driver-core-add-a-guard-definition-for-the-device_lock.patch -driver-core-enforce-device_lock-for-driver_match_device.patch crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch diff --git a/queue-6.1/driver-core-add-a-guard-definition-for-the-device_lock.patch b/queue-6.1/driver-core-add-a-guard-definition-for-the-device_lock.patch deleted file mode 100644 index 28b77c134b..0000000000 --- a/queue-6.1/driver-core-add-a-guard-definition-for-the-device_lock.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 134c6eaa6087d78c0e289931ca15ae7a5007670d Mon Sep 17 00:00:00 2001 -From: Dan Williams -Date: Wed, 13 Dec 2023 15:02:35 -0800 -Subject: driver core: Add a guard() definition for the device_lock() - -From: Dan Williams - -commit 134c6eaa6087d78c0e289931ca15ae7a5007670d upstream. - -At present there are ~200 usages of device_lock() in the kernel. Some of -those usages lead to "goto unlock;" patterns which have proven to be -error prone. Define a "device" guard() definition to allow for those to -be cleaned up and prevent new ones from appearing. - -Link: http://lore.kernel.org/r/657897453dda8_269bd29492@dwillia2-mobl3.amr.corp.intel.com.notmuch -Link: http://lore.kernel.org/r/6577b0c2a02df_a04c5294bb@dwillia2-xfh.jf.intel.com.notmuch -Cc: Vishal Verma -Cc: Ira Weiny -Cc: Peter Zijlstra -Cc: Greg Kroah-Hartman -Cc: Andrew Morton -Signed-off-by: Dan Williams -Reviewed-by: Ira Weiny -Reviewed-by: Dave Jiang -Reviewed-by: Vishal Verma -Link: https://lore.kernel.org/r/170250854466.1522182.17555361077409628655.stgit@dwillia2-xfh.jf.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/device.h | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/include/linux/device.h -+++ b/include/linux/device.h -@@ -855,6 +855,8 @@ static inline void device_unlock(struct - mutex_unlock(&dev->mutex); - } - -+DEFINE_GUARD(device, struct device *, device_lock(_T), device_unlock(_T)) -+ - static inline void device_lock_assert(struct device *dev) - { - lockdep_assert_held(&dev->mutex); diff --git a/queue-6.1/driver-core-enforce-device_lock-for-driver_match_device.patch b/queue-6.1/driver-core-enforce-device_lock-for-driver_match_device.patch deleted file mode 100644 index 8edd0d521a..0000000000 --- a/queue-6.1/driver-core-enforce-device_lock-for-driver_match_device.patch +++ /dev/null @@ -1,88 +0,0 @@ -From dc23806a7c47ec5f1293aba407fb69519f976ee0 Mon Sep 17 00:00:00 2001 -From: Gui-Dong Han -Date: Wed, 14 Jan 2026 00:28:43 +0800 -Subject: driver core: enforce device_lock for driver_match_device() - -From: Gui-Dong Han - -commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream. - -Currently, driver_match_device() is called from three sites. One site -(__device_attach_driver) holds device_lock(dev), but the other two -(bind_store and __driver_attach) do not. This inconsistency means that -bus match() callbacks are not guaranteed to be called with the lock -held. - -Fix this by introducing driver_match_device_locked(), which guarantees -holding the device lock using a scoped guard. Replace the unlocked calls -in bind_store() and __driver_attach() with this new helper. Also add a -lock assertion to driver_match_device() to enforce this guarantee. - -This consistency also fixes a known race condition. The driver_override -implementation relies on the device_lock, so the missing lock led to the -use-after-free (UAF) reported in Bugzilla for buses using this field. - -Stress testing the two newly locked paths for 24 hours with -CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence -and no lockdep warnings. - -Cc: stable@vger.kernel.org -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 -Suggested-by: Qiu-ji Chen -Signed-off-by: Gui-Dong Han -Fixes: 49b420a13ff9 ("driver core: check bus->match without holding device lock") -Reviewed-by: Danilo Krummrich -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Rafael J. Wysocki (Intel) -Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com -Signed-off-by: Danilo Krummrich -Signed-off-by: Greg Kroah-Hartman ---- - drivers/base/base.h | 10 ++++++++++ - drivers/base/bus.c | 2 +- - drivers/base/dd.c | 2 +- - 3 files changed, 12 insertions(+), 2 deletions(-) - ---- a/drivers/base/base.h -+++ b/drivers/base/base.h -@@ -144,8 +144,18 @@ extern void device_set_deferred_probe_re - static inline int driver_match_device(struct device_driver *drv, - struct device *dev) - { -+ device_lock_assert(dev); -+ - return drv->bus->match ? drv->bus->match(dev, drv) : 1; - } -+ -+static inline int driver_match_device_locked(struct device_driver *drv, -+ struct device *dev) -+{ -+ guard(device)(dev); -+ return driver_match_device(drv, dev); -+} -+ - extern bool driver_allows_async_probing(struct device_driver *drv); - - extern int driver_add_groups(struct device_driver *drv, ---- a/drivers/base/bus.c -+++ b/drivers/base/bus.c -@@ -212,7 +212,7 @@ static ssize_t bind_store(struct device_ - int err = -ENODEV; - - dev = bus_find_device_by_name(bus, NULL, buf); -- if (dev && driver_match_device(drv, dev)) { -+ if (dev && driver_match_device_locked(drv, dev)) { - err = device_driver_attach(drv, dev); - if (!err) { - /* success */ ---- a/drivers/base/dd.c -+++ b/drivers/base/dd.c -@@ -1154,7 +1154,7 @@ static int __driver_attach(struct device - * is an error. - */ - -- ret = driver_match_device(drv, dev); -+ ret = driver_match_device_locked(drv, dev); - if (ret == 0) { - /* no match */ - return 0; diff --git a/queue-6.1/series b/queue-6.1/series index 7b05e373fa..69c467a62f 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -1,8 +1,6 @@ smb-client-split-cached_fid-bitfields-to-avoid-shared-byte-rmw-races.patch ksmbd-fix-infinite-loop-caused-by-next_smb2_rcv_hdr_off-reset-in-error-paths.patch smb-server-fix-leak-of-active_num_conn-in-ksmbd_tcp_new_connection.patch -driver-core-add-a-guard-definition-for-the-device_lock.patch -driver-core-enforce-device_lock-for-driver_match_device.patch crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch -- 2.47.3