diff options
| author | Danilo Krummrich <dakr@kernel.org> | 2026-03-24 01:59:14 +0100 |
|---|---|---|
| committer | Danilo Krummrich <dakr@kernel.org> | 2026-04-04 00:49:22 +0200 |
| commit | 81d6f7c3a70b10ff757ee8b5f8114a190871cf1e (patch) | |
| tree | 4db70c019bceab03fc360d011750f71cbc47c5d0 /drivers/char/drm/git@git.tavy.me:linux.git | |
| parent | ac4d8bb6e2e13e8684a76ea48d13ebaaaf5c24c4 (diff) | |
s390/ap: use generic driver_override infrastructure
When the AP masks are updated via apmask_store() or aqmask_store(),
ap_bus_revise_bindings() is called after ap_attr_mutex has been
released.
This calls __ap_revise_reserved(), which accesses the driver_override
field without holding any lock, racing against a concurrent
driver_override_store() that may free the old string, resulting in a
potential UAF.
Fix this by using the driver-core driver_override infrastructure, which
protects all accesses with an internal spinlock.
Note that unlike most other buses, the AP bus does not check
driver_override in its match() callback; the override is checked in
ap_device_probe() and __ap_revise_reserved() instead.
Also note that we do not enable the driver_override feature of struct
bus_type, as AP - in contrast to most other buses - passes "" to
sysfs_emit() when the driver_override pointer is NULL. Thus, printing
"\n" instead of "(null)\n".
Additionally, AP has a custom counter that is modified in the
corresponding custom driver_override_store().
Fixes: d38a87d7c064 ("s390/ap: Support driver_override for AP queue devices")
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Link: https://patch.msgid.link/20260324005919.2408620-11-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Diffstat (limited to 'drivers/char/drm/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions