On Thu Mar 26, 2026 at 7:08 PM CET, Bjorn Helgaas wrote:
> On Tue, Mar 24, 2026 at 01:59:09AM +0100, Danilo Krummrich wrote:
>> When a driver is probed through __driver_attach(), the bus' match()
>> callback is called without the device lock held, thus accessing the
>> driver_override field without a lock, which can cause a UAF.
>>
>> Fix this by using the driver-core driver_override infrastructure taking
>> care of proper locking internally.
>>
>> Note that calling match() from __driver_attach() without the device lock
>> held is intentional. [1]
>>
>> Link: https://lore.kernel.org/driver-core/[email protected]/ [1]
>> Reported-by: Gui-Dong Han <[email protected]>
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
>> Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
>> Signed-off-by: Danilo Krummrich <[email protected]>
>> ---
>> drivers/pci/pci-driver.c | 11 +++++++----
>> drivers/pci/pci-sysfs.c | 28 ----------------------------
>> drivers/pci/probe.c | 1 -
>> include/linux/pci.h | 6 ------
>
> For the above:
>
> Acked-by: Bjorn Helgaas <[email protected]>
>
> "driver_override" is mentioned several places in
> Documentation/ABI/testing/sysfs-bus-*. I assume this series doesn't
> change the behavior documented there?

Correct, none of this is altered.

