Re: [PATCH v3] driver core: fix use-after-free of driver_override via driver_match_device()

From: Danilo Krummrich

Date: Tue Jan 13 2026 - 04:55:41 EST


On Thu Nov 27, 2025 at 3:57 PM CET, Gui-Dong Han wrote:
> diff --git a/drivers/base/base.h b/drivers/base/base.h
> index 86fa7fbb3548..72791125de91 100644
> --- a/drivers/base/base.h
> +++ b/drivers/base/base.h
> @@ -166,6 +166,9 @@ void device_set_deferred_probe_reason(const struct device *dev, struct va_format
> static inline int driver_match_device(const struct device_driver *drv,
> struct device *dev)
> {
> + /* Protects against driver_set_override() races */
> + device_lock_assert(dev);
> +
> return drv->bus->match ? drv->bus->match(dev, drv) : 1;
> }
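
Review bot: device_lock_assert(dev) in the new driver_match_device() body only checks that the caller already holds the device lock; it does not take it, so the comment "Protects against driver_set_override() races" overstates what this line does, and the hunk gives no indication of which callers of driver_match_device() were audited to actually hold device_lock(dev). Suggest rewording the comment to something like `/* Callers must hold device_lock(); bus match() may read driver_override */` and listing the audited call paths in the commit message, since any caller that reaches match() without the lock will now trip the assertion rather than be serialized against driver_set_override().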

I am not convinced that this is the correct fix, since

1. Not all match() callbacks access the driver_override field,

2. driver_override is accessed in other places as well,

3. driver_override is a bus-device-specific field (with a common
helper admittedly).

I think it would be better to make driver_override a field in the base
struct device. This way we can not only provide driver_set_override(), but also
driver_get_override(), which should contain the device_lock_assert() instead.

While not all devices require the driver_override field, an additional pointer
in struct device does not hurt and it clarifies ownership and hence locking.

- Danilo
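
As an added illustration of the shape proposed above (not code from this thread or from the kernel), a userspace sketch in which driver_override is a field of the base struct device, driver_set_override() publishes the new string under the device lock, and driver_get_override() carries the device_lock_assert(); the struct device, the lock-held flag and the lock helpers are hypothetical stand-ins for the kernel's:

```c
#include <assert.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical userspace sketch of the proposal, not kernel code: driver_override
 * lives in the base struct device and is owned by the device lock. */
struct device {
	int lock_held;               /* stands in for dev->mutex plus lockdep state */
	const char *driver_override; /* proposed base-struct field */
};

static void device_lock(struct device *dev)        { assert(!dev->lock_held); dev->lock_held = 1; }
static void device_unlock(struct device *dev)      { dev->lock_held = 0; }
static void device_lock_assert(struct device *dev) { assert(dev->lock_held); }

/* Same string rules as the kernel helper: a trailing '\n' is stripped, an empty
 * string or "\n" clears the override, and the old string is freed only after
 * the new pointer has been published under the lock. */
int driver_set_override(struct device *dev, const char *s)
{
	const char *old, *nl;
	char *new = NULL;
	size_t len;
	if (!s) return -EINVAL;
	len = strlen(s);
	nl = memchr(s, '\n', len);
	if (nl) len = (size_t)(nl - s);
	if (len) {
		new = malloc(len + 1);
		if (!new) return -ENOMEM;
		memcpy(new, s, len);
		new[len] = '\0';
	}
	device_lock(dev);
	old = dev->driver_override;
	dev->driver_override = new;
	device_unlock(dev);
	free((void *)old);
	return 0;
}

/* The assertion belongs here rather than in driver_match_device(): the pointer
 * returned is only valid while the caller holds device_lock(), because a
 * concurrent driver_set_override() frees the previous string. */
const char *driver_get_override(struct device *dev)
{
	device_lock_assert(dev);
	return dev->driver_override;
}
```

A bus match() callback that reads the override would call driver_get_override() from a path that already holds device_lock(), and any caller that does not gets caught by the assertion at the read rather than at every match().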