In the Linux kernel, the following vulnerability has been resolved:

s390/ap: use generic driver_override infrastructure

When the AP masks are updated via apmask_store() or aqmask_store(),
ap_bus_revise_bindings() is called after ap_attr_mutex has been
released.

This calls __ap_revise_reserved(), which accesses the driver_override
field without holding any lock, racing against a concurrent
driver_override_store() that may free the old string, resulting in a
potential UAF.

Fix this by using the driver-core driver_override infrastructure, which
protects all accesses with an internal spinlock.

Note that unlike most other buses, the AP bus does not check
driver_override in its match() callback; the override is checked in
ap_device_probe() and __ap_revise_reserved() instead.

Also note that we do not enable the driver_override feature of struct
bus_type, as AP - in contrast to most other buses - passes "" to
sysfs_emit() when the driver_override pointer is NULL. Thus, printing
"\n" instead of "(null)\n".

Additionally, AP has a custom counter that is modified in the
corresponding custom driver_override_store().

https://git.kernel.org/stable/c/81d6f7c3a70b10ff757ee8b5f8114a190871cf1e

https://git.kernel.org/stable/c/8f2eca0570438b94602da1297353eb7b10dcb6cb

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/s390/crypto/ap_bus.c","drivers/s390/crypto/ap_bus.h","drivers/s390/crypto/ap_queue.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d38a87d7c0643db61e7a3bfc3ebeea2dc2568f7e","lessThan":"8f2eca0570438b94602da1297353eb7b10dcb6cb","versionType":"git","status":"affected"},{"version":"d38a87d7c0643db61e7a3bfc3ebeea2dc2568f7e","lessThan":"81d6f7c3a70b10ff757ee8b5f8114a190871cf1e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/s390/crypto/ap_bus.c","drivers/s390/crypto/ap_bus.h","drivers/s390/crypto/ap_queue.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.19","status":"affected"},{"version":"0","lessThan":"6.19","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]