Hi Greg, On Wed, Apr 25, 2018 at 6:07 PM, <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > This is a note to let you know that I've just added the patch titled > > ARM: amba: Fix race condition with driver_override > > to my char-misc git tree which can be found at > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git > in the char-misc-linus branch. > > The patch will show up in the next release of the linux-next tree > (usually sometime within the next 24 hours during the week.) > > The patch will hopefully also be merged in Linus's tree for the > next -rc kernel release. > > If you have any questions about this process, please let me know. Doh, I hadn't noticed you modified my patch, and introduced a bug... > From 6b614a87f3f477571e319281e84dba11e0ea0a76 Mon Sep 17 00:00:00 2001 > From: Geert Uytterhoeven <geert+renesas@xxxxxxxxx> > Date: Tue, 10 Apr 2018 15:21:44 +0200 > Subject: ARM: amba: Fix race condition with driver_override > > The driver_override implementation is susceptible to a race condition > when different threads are reading vs storing a different driver > override. Add locking to avoid this race condition. > > Cfr. commits 6265539776a0810b ("driver core: platform: fix race > condition with driver_override") and 9561475db680f714 ("PCI: Fix race > condition with driver_override"). > > Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'") > Signed-off-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx> > Reviewed-by: Todd Kjos <tkjos@xxxxxxxxxx> > Cc: stable <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > --- > drivers/amba/bus.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c > index 594c228d2f02..c77eb6e65646 100644 > --- a/drivers/amba/bus.c > +++ b/drivers/amba/bus.c > @@ -69,11 +69,15 @@ static ssize_t driver_override_show(struct device *_dev, > struct device_attribute *attr, char *buf) > { > struct amba_device *dev = to_amba_device(_dev); > + ssize_t len; > > if (!dev->driver_override) > return 0; With the above still present, it should be covered by the lock below, too. Else the output is still subject to the race condition. > > - return sprintf(buf, "%s\n", dev->driver_override); > + device_lock(_dev); > + len = sprintf(buf, "%s\n", dev->driver_override); > + device_unlock(_dev); > + return len; > } > > static ssize_t driver_override_store(struct device *_dev, > @@ -81,7 +85,7 @@ static ssize_t driver_override_store(struct device *_dev, > const char *buf, size_t count) > { > struct amba_device *dev = to_amba_device(_dev); > - char *driver_override, *old = dev->driver_override, *cp; > + char *driver_override, *old, *cp; > > if (count > PATH_MAX) > return -EINVAL; > @@ -94,12 +98,15 @@ static ssize_t driver_override_store(struct device *_dev, > if (cp) > *cp = '\0'; > > + device_lock(_dev); > + old = dev->driver_override; > if (strlen(driver_override)) { > dev->driver_override = driver_override; > } else { > kfree(driver_override); > dev->driver_override = NULL; > } > + device_unlock(_dev); > > kfree(old); > > -- > 2.17.0 > > -- Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds