On Tue, May 05, 2026 at 03:37:20PM +0200, Danilo Krummrich wrote:
> This is the follow-up of the driver_override generalization in [1], converting
> the remaining 4 busses and removing the now-unused driver_set_override()
> helper.
>
> All of them are prone to the potential UAF described in [2], caused by accessing
> the driver_override field from their corresponding match() callback.
>
> In order to address this, the generalized driver_override field in struct device
> is protected with a spinlock. The driver-core provides accessors, such as
> device_match_driver_override(), device_has_driver_override() and
> device_set_driver_override(), which all ensure proper locking internally.
>
> Additionally, the driver-core provides a driver_override flag in struct
> bus_type, which, once enabled, automatically registers generic sysfs callbacks,
> allowing userspace to modify the driver_override field.
>
> This series is based on v7.1-rc1 with no additional dependencies, hence those
> patches can be picked up by subsystems individually.
>
> [1] https://lore.kernel.org/driver-core/[email protected]/
> [2] https://bugzilla.kernel.org/show_bug.cgi?id=220789
> [3] https://gitlab.com/driverctl/driverctl/-/blob/0.121/driverctl?ref_type=tags#L99

Reviewed-by: Greg Kroah-Hartman <[email protected]>
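
Added example, not part of the thread and not kernel code: a userspace C model of the pattern the quoted cover letter describes, with the unlocked read from a match() callback next to the locked accessor form. The model_* names, the pthread mutex standing in for the spinlock, the return convention and the empty-string clear are assumptions of this sketch, not the driver-core API.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

struct model_device {              /* hypothetical stand-in for struct device */
    pthread_mutex_t lock;          /* models the spinlock */
    char *driver_override;         /* NULL when no override is set */
};

/* Unsafe pattern: the pointer is loaded with no lock held, so a concurrent
 * store can free the string between this load and the strcmp() (the UAF). */
static int model_match_unlocked(struct model_device *dev, const char *drv)
{
    const char *o = dev->driver_override;
    return o ? strcmp(o, drv) == 0 : -1;
}

/* Store path: swap the pointer under the lock, free the old string after. */
static int model_set_override(struct model_device *dev, const char *name)
{
    char *fresh = *name ? strdup(name) : NULL;   /* "" clears (assumption) */
    char *old;

    if (*name && !fresh)
        return -1;
    pthread_mutex_lock(&dev->lock);
    old = dev->driver_override;
    dev->driver_override = fresh;
    pthread_mutex_unlock(&dev->lock);
    free(old);
    return 0;
}

/* Safe accessor: compare while the lock keeps the string alive.
 * Returns 1 on match, 0 on mismatch, -1 when no override is set. */
static int model_match_locked(struct model_device *dev, const char *drv)
{
    int ret = -1;

    pthread_mutex_lock(&dev->lock);
    if (dev->driver_override)
        ret = strcmp(dev->driver_override, drv) == 0;
    pthread_mutex_unlock(&dev->lock);
    return ret;
}

int main(void)
{
    struct model_device dev = { PTHREAD_MUTEX_INITIALIZER, NULL };
    model_set_override(&dev, "vfio-pci");        /* constructed sample value */
    return model_match_locked(&dev, "vfio-pci") == 1 &&
           model_match_unlocked(&dev, "vfio-pci") == 1 ? 0 : 1;
}
```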

