Re: [PATCH 10/12] s390/ap: use generic driver_override infrastructure

Next message: Bryan O'Donoghue: "Re: [RFC PATCH 0/3] media: qcom: camss: CAMSS Offline Processing Engine support"
Previous message: Jay Liu: "[PATCH v4 5/6] drm/mediatek: Support multiple CCORR component"
In reply to: Harald Freudenberger: "Re: [PATCH 10/12] s390/ap: use generic driver_override infrastructure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Holger Dengler

Date: Tue Mar 24 2026 - 09:06:17 EST

On 24/03/2026 01:59, Danilo Krummrich wrote:
> When the AP masks are updated via apmask_store() or aqmask_store(),
> ap_bus_revise_bindings() is called after ap_attr_mutex has been
> released.
>
> This calls __ap_revise_reserved(), which accesses the driver_override
> field without holding any lock, racing against a concurrent
> driver_override_store() that may free the old string, resulting in a
> potential UAF.
>
> Fix this by using the driver-core driver_override infrastructure, which
> protects all accesses with an internal spinlock.
>
> Note that unlike most other buses, the AP bus does not check
> driver_override in its match() callback; the override is checked in
> ap_device_probe() and __ap_revise_reserved() instead.
>
> Also note that we do not enable the driver_override feature of struct
> bus_type, as AP - in contrast to most other buses - passes "" to
> sysfs_emit() when the driver_override pointer is NULL. Thus, printing
> "\n" instead of "(null)\n".
>
> Additionally, AP has a custom counter that is modified in the
> corresponding custom driver_override_store().
>
> Fixes: d38a87d7c064 ("s390/ap: Support driver_override for AP queue devices")
> Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>

Tested-by: Holger Dengler <dengler@xxxxxxxxxxxxx>
Reviewed-by: Holger Dengler <dengler@xxxxxxxxxxxxx>

--
Mit freundlichen Grüßen / Kind regards
Holger Dengler
--
IBM Systems, Linux on IBM Z Development
dengler@xxxxxxxxxxxxx