Hi Greg,
On Wed, Apr 25, 2018 at 6:07 PM, <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> This is a note to let you know that I've just added the patch titled
>
> ARM: amba: Fix race condition with driver_override
>
> to my char-misc git tree which can be found at
> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
> in the char-misc-linus branch.
>
> The patch will show up in the next release of the linux-next tree
> (usually sometime within the next 24 hours during the week.)
>
> The patch will hopefully also be merged in Linus's tree for the
> next -rc kernel release.
>
> If you have any questions about this process, please let me know.
Doh, I hadn't noticed you modified my patch, and introduced a bug...
> From 6b614a87f3f477571e319281e84dba11e0ea0a76 Mon Sep 17 00:00:00 2001
> From: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
> Date: Tue, 10 Apr 2018 15:21:44 +0200
> Subject: ARM: amba: Fix race condition with driver_override
>
> The driver_override implementation is susceptible to a race condition
> when different threads are reading vs storing a different driver
> override. Add locking to avoid this race condition.
>
> Cfr. commits 6265539776a0810b ("driver core: platform: fix race
> condition with driver_override") and 9561475db680f714 ("PCI: Fix race
> condition with driver_override").
>
> Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
> Reviewed-by: Todd Kjos <tkjos@xxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/amba/bus.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
> index 594c228d2f02..c77eb6e65646 100644
> --- a/drivers/amba/bus.c
> +++ b/drivers/amba/bus.c
> @@ -69,11 +69,15 @@ static ssize_t driver_override_show(struct device *_dev,
> struct device_attribute *attr, char *buf)
> {
> struct amba_device *dev = to_amba_device(_dev);
> + ssize_t len;
>
> if (!dev->driver_override)
> return 0;
With the above still present, it should be covered by the lock below, too.
Else the output is still subject to the race condition.
>
> - return sprintf(buf, "%s\n", dev->driver_override);
> + device_lock(_dev);
> + len = sprintf(buf, "%s\n", dev->driver_override);
> + device_unlock(_dev);
> + return len;
> }
>
> static ssize_t driver_override_store(struct device *_dev,
> @@ -81,7 +85,7 @@ static ssize_t driver_override_store(struct device *_dev,
> const char *buf, size_t count)
> {
> struct amba_device *dev = to_amba_device(_dev);
> - char *driver_override, *old = dev->driver_override, *cp;
> + char *driver_override, *old, *cp;
>
> if (count > PATH_MAX)
> return -EINVAL;
> @@ -94,12 +98,15 @@ static ssize_t driver_override_store(struct device *_dev,
> if (cp)
> *cp = '\0';
>
> + device_lock(_dev);
> + old = dev->driver_override;
> if (strlen(driver_override)) {
> dev->driver_override = driver_override;
> } else {
> kfree(driver_override);
> dev->driver_override = NULL;
> }
> + device_unlock(_dev);
>
> kfree(old);
>
> --
> 2.17.0
>
>
--
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds