Re: [PATCH] driver core: enforce device_lock for driver_match_device()

From: Greg KH

Date: Tue Jun 02 2026 - 12:47:28 EST


On Wed, Jun 03, 2026 at 12:08:29AM +0800, Runyu Xiao wrote:
> Currently driver_match_device() is called from three sites. The
> __device_attach_driver() path already runs under device_lock(dev), but
> bind_store() and __driver_attach() can still enter bus match()
> callbacks without that lock held.
>
> That inconsistency leaves bus-private driver_override readers exposed.
> Several buses still read private driver_override strings from their
> match callbacks while the write side relies on driver_set_override()
> under device_lock(dev). If bind_store() or __driver_attach() reaches
> such a match callback without that lock, it can race with
> driver_override replacement and old-string free.
>
> This issue was first flagged by our static analysis tool while auditing
> driver_override match paths, then manually confirmed on Linux v6.18.21.

That is very old, please test on the latest 7.1-rc release as things
have changed in this area recently.

thanks,

greg k-h
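
The locking rule described in the quoted patch description, as an added userspace model that is not part of the original message and is not kernel code: the override string is replaced and freed under one lock, so a match callback may only read it with that lock held. All names (model_dev, model_set_override, model_match, model_match_locked, MODEL_DEV_INIT) and the driver names are hypothetical, and a pthread mutex plus a flag stands in for device_lock(dev) and a lock assertion.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical userspace stand-in for a device with a bus-private override. */
struct model_dev {
    pthread_mutex_t lock;    /* plays the role of device_lock(dev) */
    bool lock_held;          /* simplification: real lock checks track the owner */
    char *driver_override;   /* replaced and freed by the write side */
};
#define MODEL_DEV_INIT { PTHREAD_MUTEX_INITIALIZER, false, NULL }
static void model_lock(struct model_dev *d) { pthread_mutex_lock(&d->lock); d->lock_held = true; }
static void model_unlock(struct model_dev *d) { d->lock_held = false; pthread_mutex_unlock(&d->lock); }

/* Write side: swap the string under the lock, then free the old one. */
static int model_set_override(struct model_dev *d, const char *s)
{
    char *old, *fresh = s ? malloc(strlen(s) + 1) : NULL;
    if (s && !fresh) return -1;
    if (s) strcpy(fresh, s);
    model_lock(d);
    old = d->driver_override;
    d->driver_override = fresh;
    model_unlock(d);
    free(old);   /* safe only because readers dereference under the lock */
    return 0;
}

/* Match callback: 1 = match, 0 = no match, -1 = reached without the lock. */
static int model_match(struct model_dev *d, const char *drv)
{
    if (!d->lock_held) return -1;        /* models a lock assertion */
    if (!d->driver_override) return 1;   /* no override set: modelled as a match */
    return strcmp(d->driver_override, drv) == 0;
}

/* What a call site that arrives unlocked has to do before the callback. */
static int model_match_locked(struct model_dev *d, const char *drv)
{
    int r;
    model_lock(d); r = model_match(d, drv); model_unlock(d);
    return r;
}

int main(void)
{
    struct model_dev d = MODEL_DEV_INIT;   /* constructed sample device */
    if (model_match(&d, "drv_a") != -1 || model_set_override(&d, "drv_a")) return 1;
    return model_match_locked(&d, "drv_a") != 1;
}
```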