[PATCH OLK-5.10 0/2] spi: Adapt downstream drivers to generic driver_override infrastructure
The SPI subsystem fixed a Use-After-Free vulnerability by switching to the generic bus-level driver_override infrastructure and removing the driver_override field from struct spi_device. As a result, downstream drivers can no longer access this field directly. Danilo Krummrich (1): spi: use generic driver_override infrastructure Krzysztof Kozlowski (1): spi: Use helper for safer setting of driver_override drivers/spi/spi.c | 43 ++++++++++------------------------------- include/linux/spi/spi.h | 4 +--- 2 files changed, 11 insertions(+), 36 deletions(-) -- 2.22.0
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> mainline inclusion from mainline-v5.19-rc1 commit 19368f0f23e80929691dd5b1354832c0e0494419 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14224 CVE: CVE-2026-31487 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Use a helper to set driver_override to the reduce amount of duplicated code. Reviewed-by: Mark Brown <broonie@kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20220419113435.246203-8-krzysztof.kozlowski@linaro... Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: include/linux/spi/spi.h drivers/spi/spi.c [Comment conflict with no functional impact] Signed-off-by: Zhang Yuwei <zhangyuwei20@huawei.com> --- drivers/spi/spi.c | 26 ++++---------------------- include/linux/spi/spi.h | 2 ++ 2 files changed, 6 insertions(+), 22 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index a3a54240eaf5..891a44b2c59f 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -71,29 +71,11 @@ static ssize_t driver_override_store(struct device *dev, const char *buf, size_t count) { struct spi_device *spi = to_spi_device(dev); - const char *end = memchr(buf, '\n', count); - const size_t len = end ? end - buf : count; - const char *driver_override, *old; - - /* We need to keep extra room for a newline when displaying value */ - if (len >= (PAGE_SIZE - 1)) - return -EINVAL; - - driver_override = kstrndup(buf, len, GFP_KERNEL); - if (!driver_override) - return -ENOMEM; + int ret; - device_lock(dev); - old = spi->driver_override; - if (len) { - spi->driver_override = driver_override; - } else { - /* Empty string, disable driver override */ - spi->driver_override = NULL; - kfree(driver_override); - } - device_unlock(dev); - kfree(old); + ret = driver_set_override(dev, (char **)&spi->driver_override, buf, count); + if (ret) + return ret; return count; } diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index ab7747549d23..96070247ba4c 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -137,6 +137,8 @@ extern int spi_delay_exec(struct spi_delay *_delay, struct spi_transfer *xfer); * for driver coldplugging, and in uevents used for hotplugging * @driver_override: If the name of a driver is written to this attribute, then * the device will bind to the named driver and only the named driver. + * Do not set directly, because core frees it; use driver_set_override() to + * set or clear it. * @cs_gpio: LEGACY: gpio number of the chipselect line (optional, -ENOENT when * not using a GPIO line) use cs_gpiod in new drivers by opting in on * the spi_master. -- 2.22.0
From: Danilo Krummrich <dakr@kernel.org> mainline inclusion from mainline-v7.0-rc6 commit cc34d77dd48708d810c12bfd6f5bf03304f6c824 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14224 CVE: CVE-2026-31487 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1] Also note that we do not enable the driver_override feature of struct bus_type, as SPI - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n". Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1] Reported-by: Gui-Dong Han <hanguidong02@gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 Fixes: 5039563e7c25 ("spi: Add driver_override SPI device attribute") Signed-off-by: Danilo Krummrich <dakr@kernel.org> Link: https://patch.msgid.link/20260324005919.2408620-12-dakr@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org> Conflicts: include/linux/spi/spi.h drivers/spi/spi.c [Context Conflicts] Signed-off-by: Zhang Yuwei <zhangyuwei20@huawei.com> --- drivers/spi/spi.c | 18 +++++++++--------- include/linux/spi/spi.h | 6 +----- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 891a44b2c59f..00239f84dd32 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -48,7 +48,6 @@ static void spidev_release(struct device *dev) struct spi_device *spi = to_spi_device(dev); spi_controller_put(spi->controller); - kfree(spi->driver_override); kfree(spi); } @@ -70,10 +69,9 @@ static ssize_t driver_override_store(struct device *dev, struct device_attribute *a, const char *buf, size_t count) { - struct spi_device *spi = to_spi_device(dev); int ret; - ret = driver_set_override(dev, (char **)&spi->driver_override, buf, count); + ret = __device_set_driver_override(dev, buf, count); if (ret) return ret; @@ -83,12 +81,12 @@ static ssize_t driver_override_store(struct device *dev, static ssize_t driver_override_show(struct device *dev, struct device_attribute *a, char *buf) { - const struct spi_device *spi = to_spi_device(dev); ssize_t len; - device_lock(dev); - len = snprintf(buf, PAGE_SIZE, "%s\n", spi->driver_override ? : ""); - device_unlock(dev); + spin_lock(&dev->driver_override.lock); + len = sysfs_emit(buf, "%s\n", dev->driver_override.name ?: ""); + spin_unlock(&dev->driver_override.lock); + return len; } static DEVICE_ATTR_RW(driver_override); @@ -321,10 +319,12 @@ static int spi_match_device(struct device *dev, struct device_driver *drv) { const struct spi_device *spi = to_spi_device(dev); const struct spi_driver *sdrv = to_spi_driver(drv); + int ret; /* Check override first, and if set, only use the named driver */ - if (spi->driver_override) - return strcmp(spi->driver_override, drv->name) == 0; + ret = device_match_driver_override(dev, drv); + if (ret >= 0) + return ret; /* Attempt an OF style match */ if (of_driver_match_device(dev, drv)) diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index 96070247ba4c..7c46dd5c28f7 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -135,10 +135,6 @@ extern int spi_delay_exec(struct spi_delay *_delay, struct spi_transfer *xfer); * @modalias: Name of the driver to use with this device, or an alias * for that name. This appears in the sysfs "modalias" attribute * for driver coldplugging, and in uevents used for hotplugging - * @driver_override: If the name of a driver is written to this attribute, then - * the device will bind to the named driver and only the named driver. - * Do not set directly, because core frees it; use driver_set_override() to - * set or clear it. * @cs_gpio: LEGACY: gpio number of the chipselect line (optional, -ENOENT when * not using a GPIO line) use cs_gpiod in new drivers by opting in on * the spi_master. @@ -192,7 +188,7 @@ struct spi_device { void *controller_state; void *controller_data; char modalias[SPI_NAME_SIZE]; - const char *driver_override; + KABI_DEPRECATE(const char *, driver_override) int cs_gpio; /* LEGACY: chip select gpio */ struct gpio_desc *cs_gpiod; /* chip select gpio desc */ struct spi_delay word_delay; /* inter-word delay */ -- 2.22.0
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://atomgit.com/openeuler/kernel/merge_requests/22444 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/5XY... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/22444 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/5XY...
participants (2)
-
patchwork bot -
Zhang Yuwei