Hi Greg,
On Wed, Apr 25, 2018 at 6:07 PM, gregkh@linuxfoundation.org wrote:
This is a note to let you know that I've just added the patch titled
ARM: amba: Fix race condition with driver_overrideto my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch.
The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.)
The patch will hopefully also be merged in Linus's tree for the next -rc kernel release.
If you have any questions about this process, please let me know.
Doh, I hadn't noticed you modified my patch, and introduced a bug...
From 6b614a87f3f477571e319281e84dba11e0ea0a76 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven geert+renesas@glider.be Date: Tue, 10 Apr 2018 15:21:44 +0200 Subject: ARM: amba: Fix race condition with driver_override
The driver_override implementation is susceptible to a race condition when different threads are reading vs storing a different driver override. Add locking to avoid this race condition.
Cfr. commits 6265539776a0810b ("driver core: platform: fix race condition with driver_override") and 9561475db680f714 ("PCI: Fix race condition with driver_override").
Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Reviewed-by: Todd Kjos tkjos@google.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/amba/bus.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c index 594c228d2f02..c77eb6e65646 100644 --- a/drivers/amba/bus.c +++ b/drivers/amba/bus.c @@ -69,11 +69,15 @@ static ssize_t driver_override_show(struct device *_dev, struct device_attribute *attr, char *buf) { struct amba_device *dev = to_amba_device(_dev);
ssize_t len; if (!dev->driver_override) return 0;
With the above still present, it should be covered by the lock below, too. Else the output is still subject to the race condition.
return sprintf(buf, "%s\n", dev->driver_override);
device_lock(_dev);len = sprintf(buf, "%s\n", dev->driver_override);device_unlock(_dev);return len;}
static ssize_t driver_override_store(struct device *_dev, @@ -81,7 +85,7 @@ static ssize_t driver_override_store(struct device *_dev, const char *buf, size_t count) { struct amba_device *dev = to_amba_device(_dev);
char *driver_override, *old = dev->driver_override, *cp;
char *driver_override, *old, *cp; if (count > PATH_MAX) return -EINVAL;@@ -94,12 +98,15 @@ static ssize_t driver_override_store(struct device *_dev, if (cp) *cp = '\0';
device_lock(_dev);old = dev->driver_override; if (strlen(driver_override)) { dev->driver_override = driver_override; } else { kfree(driver_override); dev->driver_override = NULL; }device_unlock(_dev); kfree(old);-- 2.17.0