From nobody Sun Feb 8 00:49:35 2026 Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3316B2D838E for ; Tue, 13 Jan 2026 15:05:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768316712; cv=none; b=QZ1Cl4Aqs5kubqHRpR7gpGf8XZbKp/MHgFVR3yVLjCoS7xSIxICtsXr+4/iiMLrblJbWTSgm5QUkMKpMMqbmkuFwqNU4Vy+h9L1hFsT70Ob18dllRfLNnM8PxiIEQZeOBxF/XnmHCUdZ1G7JXYXgiFacNI+N+zX0tj8wZvUANus= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768316712; c=relaxed/simple; bh=6Snf+Yoq1kq/z8oJVXkY6eHQSLcSHdwALNfjd+DJkco=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=m6SwM+xFUyAHIqANA7YbeA45vujGtj8mBffRbqAY7iIZVmlYNyDO512e+Xh5R8z7y3UEvLzHraCNSo0qgcCttLyMVsVikDWhTty15lmQqjSnaKiECwcFR7LIPtDrWw6yzM1IYT3WaC0fYJ7vZxobfYzjQL7zThpTCraiprvgs4o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=L4jOeR9Y; arc=none smtp.client-ip=209.85.210.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="L4jOeR9Y" Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-81345800791so3883626b3a.0 for ; Tue, 13 Jan 2026 07:05:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768316710; x=1768921510; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=hcmnfMzDnoPROXMA+lg7loGY4LzJQhlFaUPRcUPgFQU=; b=L4jOeR9Y9gFoIhu87XJrZI3RelTcudkzlKfHLAQnT/PVEbMVF+vsegxTGTvipgzeTn a6fkv9eMwkn7jODepWaKXXVn1VdaxFbDseVH2eAzJgWr2d9pJof4hVz/tZ3JvBa7lioo xALnPPl6prQ/y4mjw/sOg4B6MY6xrRYjylc7/kMPWEya3nqwRD75AKQ1goqikFqo3xqA eCL4PD78fKgHPWIsdGUU2GmyBWIGf7WyxEQ7FfnSgkR0qGpvjopkQy19NCqIL52J/+l2 aH6JeZB7zpSQaQGOWL4jWU28Z2HT1x5kH5HjDiRzUAPUYUQDVCiEOzFjsMkMudbc6tH/ PkKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768316710; x=1768921510; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=hcmnfMzDnoPROXMA+lg7loGY4LzJQhlFaUPRcUPgFQU=; b=tEgedAT/cE0K6vdeu1Y7JaKOdgsRKbLa9MmdjsOIQpUT2Siy0J6HM7TnORRrYMg5il TkOLvEuqCjt30Yhjb8SZeYcO0CTIJ4vW/NMeKgx2uG7cBR+NZO3uHoV0daGrEi0PBeA8 1WJvyzNvyFUrmOFl+E0Dnexr2eA40auqEKLqMabReM7tD+Uwti9K5KgUxqK4Ipy1TeBB NVqwl5B6hdyAkwY2Igy1bDj6Pe9pvwWGQ09fQXqr9/fW41ZONQ8iEMrda7M+z6VbYl4P iwaIWMcwXNHtwgHRyzzSpGZv99D6YQyTD6XpNGo96IWoh+pbhoD/IEAqrbtHaVZztGG8 Pbvg== X-Gm-Message-State: AOJu0YzofULmYL+HJe3BSfcBZe4sVPk+SgECPv90pCrUrYAexTU/fIIP KbPicaKs0rVc6o+jUpGwnJ+5GCfD8JWPd/JRjTPX+tNMOm/3AQ0jiwIP X-Gm-Gg: AY/fxX6Rv8Gs+f2KqIAJye9Cb8hYnC/ZUWp/GC9+8kfQftF1zFNACDkeUcIoPUhNXTZ yre/WKXcLQs7YhSgbuJfhtLXQwYe3BtSQVIDHDHNADUnsVtbl9CxjhufJxq2Nitu8CHO1wtZWWl r/Q2iIZIzaC0Th6y6v1z/SyvGkCopJq0OVFg8Li6kqDsZTCFJxLA5w33tzUChkHaMX+R6CPatyt CWk9+wbFwye11tYtuwMTN5OL3G2puKh3Zb4RUobaU4pKV75hfxWf22lTSayJjy3OrwRAXIerAyG etTdUB6+rOdu10jIAr4uvv1/NsfSbYb8pRcuAnz2oVzofdnoIv8cvw1DwpQ6knVi/8Oc/Ml5ZBA stW2shMvtdWMo+fkHW03iZfROkrx4+3IbSwdONMcwm4FbaXk/8ZloZRhTyz+t9Xc3tZ7xfpJVr1 BZLW/MUzUOPS8uPPd1O3E/Ug77ZR4chzBCoZbXJ8djNdyAfKjwh0htOpeUKYjyLbMfRUUeFM2u2 7eyjYKV7eHf60vLRLMn2dmMDOf8YIYWxwrhMv5hCTtMkA9HY/GjMPG70A== X-Google-Smtp-Source: AGHT+IHznth+fFmkNrb7GrotOLRpdXMdBPnetVd+7VpAIOh8xNlZQr7Eyr3RGfRfJuvhSnXpiXokzA== X-Received: by 2002:aa7:9e82:0:b0:81c:717b:9d37 with SMTP id d2e1a72fcca58-81c717ba741mr11019457b3a.65.1768316710193; Tue, 13 Jan 2026 07:05:10 -0800 (PST) Received: from 2045D.localdomain (88.sub-72-110-105.myvzw.com. [72.110.105.88]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-81dcc5c3793sm12754267b3a.8.2026.01.13.07.05.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Jan 2026 07:05:09 -0800 (PST) From: Gui-Dong Han To: gregkh@linuxfoundation.org, rafael@kernel.org, dakr@kernel.org Cc: linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, Gui-Dong Han , Qiu-ji Chen Subject: [PATCH v4] driver core: enforce device_lock for driver_match_device() Date: Tue, 13 Jan 2026 23:04:47 +0800 Message-ID: <20260113150447.9077-1-hanguidong02@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by holding device_lock(dev) around the driver_match_device() calls in bind_store() and __driver_attach(). This ensures consistent locking for all match() callbacks. Also add a lock assertion to driver_match_device() to enforce this guarantee. This consistency also fixes a known race condition. The driver_override implementation relies on the device_lock, so the missing lock led to the use-after-free (UAF) reported in Bugzilla for buses using this field. Stress testing the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep warnings. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=3D220789 Suggested-by: Qiu-ji Chen Signed-off-by: Gui-Dong Han --- v4: * Remove the misleading comment above device_lock_assert(), and update subject and commit message to focus on enforcing consistent locking, as discussed with Danilo Krummrich. v3: * Remove redundant locking comments at call sites and add a blank line after the lock assertion in driver_match_device(), as suggested by Greg KH. v2: * Add device_lock_assert() in driver_match_device() to enforce locking requirement, as suggested by Greg KH. v1: * The Bugzilla entry contains full KASAN reports and two PoCs that reliably reproduce the UAF on both unlocked paths using a standard QEMU setup (default e1000 device at 0000:00:03.0). --- drivers/base/base.h | 2 ++ drivers/base/bus.c | 16 +++++++++++----- drivers/base/dd.c | 2 ++ 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/drivers/base/base.h b/drivers/base/base.h index 430cbefbc97f..aa701878c6e3 100644 --- a/drivers/base/base.h +++ b/drivers/base/base.h @@ -182,6 +182,8 @@ void device_set_deferred_probe_reason(const struct devi= ce *dev, struct va_format static inline int driver_match_device(const struct device_driver *drv, struct device *dev) { + device_lock_assert(dev); + return drv->bus->match ? drv->bus->match(dev, drv) : 1; } =20 diff --git a/drivers/base/bus.c b/drivers/base/bus.c index 9eb7771706f0..5cbcf9f5bd6e 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -261,13 +261,19 @@ static ssize_t bind_store(struct device_driver *drv, = const char *buf, const struct bus_type *bus =3D bus_get(drv->bus); struct device *dev; int err =3D -ENODEV; + int ret; =20 dev =3D bus_find_device_by_name(bus, NULL, buf); - if (dev && driver_match_device(drv, dev)) { - err =3D device_driver_attach(drv, dev); - if (!err) { - /* success */ - err =3D count; + if (dev) { + device_lock(dev); + ret =3D driver_match_device(drv, dev); + device_unlock(dev); + if (ret) { + err =3D device_driver_attach(drv, dev); + if (!err) { + /* success */ + err =3D count; + } } } put_device(dev); diff --git a/drivers/base/dd.c b/drivers/base/dd.c index 349f31bedfa1..e79c732a56e4 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c @@ -1178,7 +1178,9 @@ static int __driver_attach(struct device *dev, void *= data) * is an error. */ =20 + device_lock(dev); ret =3D driver_match_device(drv, dev); + device_unlock(dev); if (ret =3D=3D 0) { /* no match */ return 0; --=20 2.43.0