driver core: fix potential NULL pointer dereference in dev_uevent()

jira LE-3587
Rebuild_History Non-Buildable kernel-4.18.0-553.62.1.el8_10
commit-author Dmitry Torokhov <[email protected]>
commit 18daa52
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.62.1.el8_10/18daa524.failed

If userspace reads "uevent" device attribute at the same time as another
threads unbinds the device from its driver, change to dev->driver from a
valid pointer to NULL may result in crash. Fix this by using READ_ONCE()
when fetching the pointer, and take bus' drivers klist lock to make sure
driver instance will not disappear while we access it.

Use WRITE_ONCE() when setting the driver pointer to ensure there is no
tearing.

	Signed-off-by: Dmitry Torokhov <[email protected]>
	Reviewed-by: Masami Hiramatsu (Google) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit 18daa52)
	Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	drivers/base/base.h
#	drivers/base/core.c

Author: PlaidCat

ciq/ciq_backports/kernel-4.18.0-553.62.1.el8_10/18daa524.failed

@@ -0,0 +1,156 @@
+driver core: fix potential NULL pointer dereference in dev_uevent()
+
+jira LE-3587
+Rebuild_History Non-Buildable kernel-4.18.0-553.62.1.el8_10
+commit-author Dmitry Torokhov <[email protected]>
+commit 18daa52418e7e4629ed1703b64777294209d2622
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.62.1.el8_10/18daa524.failed
+
+If userspace reads "uevent" device attribute at the same time as another
+threads unbinds the device from its driver, change to dev->driver from a
+valid pointer to NULL may result in crash. Fix this by using READ_ONCE()
+when fetching the pointer, and take bus' drivers klist lock to make sure
+driver instance will not disappear while we access it.
+
+Use WRITE_ONCE() when setting the driver pointer to ensure there is no
+tearing.
+
+	Signed-off-by: Dmitry Torokhov <[email protected]>
+	Reviewed-by: Masami Hiramatsu (Google) <[email protected]>
+Link: https://lore.kernel.org/r/[email protected]
+	Signed-off-by: Greg Kroah-Hartman <[email protected]>
+(cherry picked from commit 18daa52418e7e4629ed1703b64777294209d2622)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	drivers/base/base.h
+#	drivers/base/core.c
+diff --cc drivers/base/base.h
+index f1ca94ed4ea3,123031a757d9..000000000000
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@@ -60,6 -73,9 +60,12 @@@ static inline void subsys_put(struct su
+  		kset_put(&sp->subsys);
+  }
+  
+++<<<<<<< HEAD
+++=======
++ struct subsys_private *bus_to_subsys(const struct bus_type *bus);
++ struct subsys_private *class_to_subsys(const struct class *class);
++ 
+++>>>>>>> 18daa52418e7 (driver core: fix potential NULL pointer dereference in dev_uevent())
+  struct driver_private {
+  	struct kobject kobj;
+  	struct klist klist_devices;
+@@@ -161,19 -177,33 +167,43 @@@ static inline void dev_sync_state(struc
+  		dev->driver->sync_state(dev);
+  }
+  
+ -int driver_add_groups(const struct device_driver *drv, const struct attribute_group **groups);
+ -void driver_remove_groups(const struct device_driver *drv, const struct attribute_group **groups);
+ +extern int driver_add_groups(struct device_driver *drv,
+ +			     const struct attribute_group **groups);
+ +extern void driver_remove_groups(struct device_driver *drv,
+ +				 const struct attribute_group **groups);
+  void device_driver_detach(struct device *dev);
+  
+++<<<<<<< HEAD
+ +extern int devres_release_all(struct device *dev);
+ +extern void device_block_probing(void);
+ +extern void device_unblock_probing(void);
+++=======
++ static inline void device_set_driver(struct device *dev, const struct device_driver *drv)
++ {
++ 	/*
++ 	 * Majority (all?) read accesses to dev->driver happens either
++ 	 * while holding device lock or in bus/driver code that is only
++ 	 * invoked when the device is bound to a driver and there is no
++ 	 * concern of the pointer being changed while it is being read.
++ 	 * However when reading device's uevent file we read driver pointer
++ 	 * without taking device lock (so we do not block there for
++ 	 * arbitrary amount of time). We use WRITE_ONCE() here to prevent
++ 	 * tearing so that READ_ONCE() can safely be used in uevent code.
++ 	 */
++ 	// FIXME - this cast should not be needed "soon"
++ 	WRITE_ONCE(dev->driver, (struct device_driver *)drv);
++ }
++ 
++ int devres_release_all(struct device *dev);
++ void device_block_probing(void);
++ void device_unblock_probing(void);
++ void deferred_probe_extend_timeout(void);
++ void driver_deferred_probe_trigger(void);
+++>>>>>>> 18daa52418e7 (driver core: fix potential NULL pointer dereference in dev_uevent())
+  const char *device_get_devnode(const struct device *dev, umode_t *mode,
+  			       kuid_t *uid, kgid_t *gid, const char **tmp);
+ +extern void deferred_probe_extend_timeout(void);
+ +extern void driver_deferred_probe_trigger(void);
+  
+  /* /sys/devices directory */
+  extern struct kset *devices_kset;
+diff --cc drivers/base/core.c
+index 85168dc6be18,cbc0099d8ef2..000000000000
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@@ -2469,10 -2624,38 +2469,43 @@@ static const char *dev_uevent_name(stru
+  	return NULL;
+  }
+  
+++<<<<<<< HEAD
+ +static int dev_uevent(struct kset *kset, struct kobject *kobj,
+ +		      struct kobj_uevent_env *env)
+++=======
++ /*
++  * Try filling "DRIVER=<name>" uevent variable for a device. Because this
++  * function may race with binding and unbinding the device from a driver,
++  * we need to be careful. Binding is generally safe, at worst we miss the
++  * fact that the device is already bound to a driver (but the driver
++  * information that is delivered through uevents is best-effort, it may
++  * become obsolete as soon as it is generated anyways). Unbinding is more
++  * risky as driver pointer is transitioning to NULL, so READ_ONCE() should
++  * be used to make sure we are dealing with the same pointer, and to
++  * ensure that driver structure is not going to disappear from under us
++  * we take bus' drivers klist lock. The assumption that only registered
++  * driver can be bound to a device, and to unregister a driver bus code
++  * will take the same lock.
++  */
++ static void dev_driver_uevent(const struct device *dev, struct kobj_uevent_env *env)
++ {
++ 	struct subsys_private *sp = bus_to_subsys(dev->bus);
++ 
++ 	if (sp) {
++ 		scoped_guard(spinlock, &sp->klist_drivers.k_lock) {
++ 			struct device_driver *drv = READ_ONCE(dev->driver);
++ 			if (drv)
++ 				add_uevent_var(env, "DRIVER=%s", drv->name);
++ 		}
++ 
++ 		subsys_put(sp);
++ 	}
++ }
++ 
++ static int dev_uevent(const struct kobject *kobj, struct kobj_uevent_env *env)
+++>>>>>>> 18daa52418e7 (driver core: fix potential NULL pointer dereference in dev_uevent())
+  {
+ -	const struct device *dev = kobj_to_dev(kobj);
+ +	struct device *dev = kobj_to_dev(kobj);
+  	int retval = 0;
+  
+  	/* add device node properties if present */
+* Unmerged path drivers/base/base.h
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index cca569e4d734..443c008fdfca 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -56,7 +56,7 @@ static int __must_check bus_rescan_devices_helper(struct device *dev,
+  * NULL.  A call to subsys_put() must be done when finished with the pointer in
+  * order for it to be properly freed.
+  */
+-static struct subsys_private *bus_to_subsys(const struct bus_type *bus)
++struct subsys_private *bus_to_subsys(const struct bus_type *bus)
+ {
+ 	struct subsys_private *sp = NULL;
+ 	struct kobject *kobj;
+* Unmerged path drivers/base/core.c