Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168 2026-03-04T12:20:42+00:00 2026-03-04T12:20:42+00:00 Gui-Dong Han hanguidong02@gmail.com 2025-12-02T17:49:48+00:00 urn:sha1:47615557447185917afa432b7958f87583c417cb [ Upstream commit 42023d4b6d2661a40ee2dcf7e1a3528a35c638ca ] The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now. Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code. Fixes: 39e47767ec9b ("rpmsg: Add driver_override device attribute for rpmsg_device") Cc: stable@vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com> Link: https://lore.kernel.org/r/20251202174948.12693-1-hanguidong02@gmail.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-24T17:37:00+00:00 Saud Farooqui farooqui_saud@hotmail.com 2022-06-23T09:20:47+00:00 urn:sha1:99de6509c4135f1d1ceb98c42fa02d249b28b40f Replace strcpy() with strscpy_pad() for copying the rpmsg device name in rpmsg_register_device_override(). Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Saud Farooqui <farooqui_saud@hotmail.com> Link: https://lore.kernel.org/r/PA4P189MB14210AA95DCA3715AFA7F4A68BB59@PA4P189MB1421.EURP189.PROD.OUTLOOK.COM Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> 2022-06-24T17:34:00+00:00 Hangyu Hua hbh25y@gmail.com 2022-06-24T02:41:20+00:00 urn:sha1:d7bd416d35121c95fe47330e09a5c04adbc5f928 rpmsg_register_device_override need to call put_device to free vch when driver_set_override fails. Fix this by adding a put_device() to the error path. Fixes: bb17d110cbf2 ("rpmsg: Fix calling device_lock() on non-initialized device") Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: Hangyu Hua <hbh25y@gmail.com> Link: https://lore.kernel.org/r/20220624024120.11576-1-hbh25y@gmail.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> 2022-05-06T07:51:54+00:00 Krzysztof Kozlowski krzysztof.kozlowski@linaro.org 2022-04-29T19:59:46+00:00 urn:sha1:38ea74eb8fc1b82b39e13a6527095a0036539117 '&rpdev->dev' is already cached as local variable, so use it to simplify the code. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20220429195946.1061725-3-krzysztof.kozlowski@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-06T07:51:33+00:00 Krzysztof Kozlowski krzysztof.kozlowski@linaro.org 2022-04-29T19:59:45+00:00 urn:sha1:bb17d110cbf270d5247a6e261c5ad50e362d1675 driver_set_override() helper uses device_lock() so it should not be called before rpmsg_register_device() (which calls device_register()). Effect can be seen with CONFIG_DEBUG_MUTEXES: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 57 at kernel/locking/mutex.c:582 __mutex_lock+0x1ec/0x430 ... Call trace: __mutex_lock+0x1ec/0x430 mutex_lock_nested+0x44/0x50 driver_set_override+0x124/0x150 qcom_glink_native_probe+0x30c/0x3b0 glink_rpm_probe+0x274/0x350 platform_probe+0x6c/0xe0 really_probe+0x17c/0x3d0 __driver_probe_device+0x114/0x190 driver_probe_device+0x3c/0xf0 ... Refactor the rpmsg_register_device() function to use two-step device registering (initialization + add) and call driver_set_override() in proper moment. This moves the code around, so while at it also NULL-ify the rpdev->driver_override in error path to be sure it won't be kfree() second time. Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override") Reported-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Tested-by: Marek Szyprowski <m.szyprowski@samsung.com> Link: https://lore.kernel.org/r/20220429195946.1061725-2-krzysztof.kozlowski@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-04-22T15:13:54+00:00 Krzysztof Kozlowski krzysztof.kozlowski@linaro.org 2022-04-19T11:34:34+00:00 urn:sha1:e5f89131a06142e91073b6959d91cea73861d40e Memory pointed by variable 'old' in field store macro is not modified, so it can be made a pointer to const. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20220419113435.246203-12-krzysztof.kozlowski@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-13T16:49:53+00:00 Arnaud Pouliquen arnaud.pouliquen@foss.st.com 2022-01-24T10:25:15+00:00 urn:sha1:608edd96049b142de7944413cd7c24cb3f203d37 Migrate the creation of the rpmsg class from the rpmsg_char to the core that the class is usable by the rpmsg_char and the future rpmsg_ctrl module. Suggested-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Link: https://lore.kernel.org/r/20220124102524.295783-3-arnaud.pouliquen@foss.st.com 2021-12-08T17:16:50+00:00 Arnaud Pouliquen arnaud.pouliquen@foss.st.com 2021-12-06T19:07:58+00:00 urn:sha1:8066c615cb69b7da8a94f59379847b037b3a5e46 During the rpmsg_dev_probe, if rpdev->ops->announce_create returns an error, the rpmsg device and default endpoint should be freed before exiting the function. Fixes: 5e619b48677c ("rpmsg: Split rpmsg core and virtio backend") Suggested-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20211206190758.10004-1-arnaud.pouliquen@foss.st.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> 2021-11-18T17:36:05+00:00 Arnaud Pouliquen arnaud.pouliquen@foss.st.com 2021-11-08T14:01:26+00:00 urn:sha1:631af6e0f41002dc63504efd2f6c3e1ab5f931c5 kernel documentation specification: "The return value, if any, should be described in a dedicated section named Return." Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Link: https://lore.kernel.org/r/20211108140126.3530-1-arnaud.pouliquen@foss.st.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> 2021-10-21T10:35:35+00:00 Arnaud Pouliquen arnaud.pouliquen@foss.st.com 2021-10-15T09:47:00+00:00 urn:sha1:e279317e9aeb11d8670e0a5acb10d50566eea9c9 Return the rpmsg buffer MTU for sending message, so rpmsg users can split a long message in several sub rpmsg buffers. Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Acked-by: Suman Anna <s-anna@ti.com> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Link: https://lore.kernel.org/r/20211015094701.5732-2-arnaud.pouliquen@foss.st.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>