The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock.
This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function.
Fix this by holding the device_lock around the read operation.
Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
---
I verified this with a stress test that continuously writes/reads the attribute. It triggered KASAN and leaked bytes like a0 f4 81 9f a3 ff ff (likely kernel pointers). Since driver_override is world-readable (0644), this allows unprivileged users to leak kernel pointers and bypass KASLR. Similar races were fixed in other buses (e.g., commits 9561475db680 and 91d44c1afc61). Currently, 9 of 11 buses handle this correctly; this patch fixes one of the remaining two.
---
 drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c index 25845c04e562..a97baf2cbcdd 100644 --- a/drivers/bus/fsl-mc/fsl-mc-bus.c +++ b/drivers/bus/fsl-mc/fsl-mc-bus.c @@ -202,8 +202,12 @@ static ssize_t driver_override_show(struct device *dev, struct device_attribute *attr, char *buf) { struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev); + ssize_t len;
- return sysfs_emit(buf, "%s\n", mc_dev->driver_override); + device_lock(dev); + len = sysfs_emit(buf, "%s\n", mc_dev->driver_override); + device_unlock(dev); + return len; } static DEVICE_ATTR_RW(driver_override);
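Review bot: the lock window in this hunk is correct and minimal: device_lock(dev) is taken before sysfs_emit() dereferences mc_dev->driver_override and released only after the string has been copied into buf, so driver_set_override() on the store side, which frees the old string under the same device_lock, can no longer free it mid-read. device_lock() is a mutex and a sysfs show callback runs in process context, so sleeping under it is fine, and sysfs_emit() has no error path that would need an unlock-on-failure branch. The ssize_t len temporary matches the function's return type; no change needed there. The only thing I would add is a line in the commit message naming driver_set_override() as the function that actually frees the string, so a reader of the log sees why the show side must use the same lock rather than any other synchronisation.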
Hi Ioana,
This is a gentle ping regarding the patch above.
I understand you are likely very busy, but I wanted to check if this might have been missed.
For additional context, I have audited the kernel subsystems that implement the driver_override attribute. Out of the 11 buses that use this feature, 10 already hold the device lock during the show operation to prevent the use-after-free race.
It appears that fsl-mc is currently the only remaining subsystem that does not have this protection. It would be great to align it with the rest of the kernel to close this gap.
Please let me know if there are any concerns or if any changes are needed.
Thanks, Gui-Dong Han
On Wed, Dec 03, 2025 at 01:44:38AM +0800, Gui-Dong Han wrote:
> The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock.
> This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function.
> Fix this by holding the device_lock around the read operation.
> Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Thanks!
On Tue, Dec 16, 2025 at 03:31:43PM +0800, Gui-Dong Han wrote:
> Hi Ioana,
> This is a gentle ping regarding the patch above.
> I understand you are likely very busy, but I wanted to check if this might have been missed.
Really sorry for missing this patch and not responding in time. And thanks a lot for the ping.
Ioana