driver core: platform: fix race condition with driver_override

The driver_override implementation is susceptible to race condition when
different threads are reading vs storing a different driver override.
Add locking to avoid race condition.

Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Salido <salidoa@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 6265539776a0810b7ce6398c27866ddb9c6bd154)

Orabug: 27897874
CVE: CVE-2017-12146

Signed-off-by: Tim Tianyang Chen <tianyang.chen@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/drivers/base/platform.c b/drivers/base/platform.c
index 7403de94832c007d7187ffe0f6b65ca77ef4d8f1..29a4ef08e051e8147861d2342dbaff121f0f17cc 100644 (file)
--- a/drivers/base/platform.c
+++ b/drivers/base/platform.c
@@ -729,7 +729,7 @@ static ssize_t driver_override_store(struct device *dev,
                                     const char *buf, size_t count)
 {
        struct platform_device *pdev = to_platform_device(dev);
-       char *driver_override, *old = pdev->driver_override, *cp;
+       char *driver_override, *old, *cp;
 
        if (count > PATH_MAX)
                return -EINVAL;
@@ -742,12 +742,15 @@ static ssize_t driver_override_store(struct device *dev,
        if (cp)
                *cp = '\0';
 
+       device_lock(dev);
+       old = pdev->driver_override;
        if (strlen(driver_override)) {
                pdev->driver_override = driver_override;
        } else {
                kfree(driver_override);
                pdev->driver_override = NULL;
        }
+       device_unlock(dev);
 
        kfree(old);
 
@@ -758,8 +761,12 @@ static ssize_t driver_override_show(struct device *dev,
                                    struct device_attribute *attr, char *buf)
 {
        struct platform_device *pdev = to_platform_device(dev);
+       ssize_t len;
 
-       return sprintf(buf, "%s\n", pdev->driver_override);
+       device_lock(dev);
+       len = sprintf(buf, "%s\n", pdev->driver_override);
+       device_unlock(dev);
+       return len;
 }
 static DEVICE_ATTR_RW(driver_override);