Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2026-03-04T12:21:02+00:00 2026-03-04T12:21:02+00:00 Gui-Dong Han hanguidong02@gmail.com 2025-12-02T17:49:48+00:00 urn:sha1:90c8353f471821d7ccd4fe573a2402e056192494 [ Upstream commit 42023d4b6d2661a40ee2dcf7e1a3528a35c638ca ] The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now. Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code. Fixes: 39e47767ec9b ("rpmsg: Add driver_override device attribute for rpmsg_device") Cc: stable@vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com> Link: https://lore.kernel.org/r/20251202174948.12693-1-hanguidong02@gmail.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-15T18:34:49+00:00 Deepak Kumar Singh quic_deesin@quicinc.com 2023-07-06T21:41:36+00:00 urn:sha1:8ce49c2a2aa53afde9a20a8ce02b069d3b262af0 Some transports like Glink support the state notifications between clients using flow control signals similar to serial protocol signals. Local glink client drivers can send and receive flow control status to glink clients running on remote processors. Add APIs to support sending and receiving of flow control status by rpmsg clients. Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com> Signed-off-by: Sarannya S <quic_sarannya@quicinc.com> Acked-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Link: https://lore.kernel.org/r/1688679698-31274-2-git-send-email-quic_sarannya@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> 2023-03-17T14:16:33+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-03-13T18:18:35+00:00 urn:sha1:1aaba11da9aa7d7d6b52a74d45b31cac118295a1 The module pointer in class_create() never actually did anything, and it shouldn't have been requred to be set as a parameter even if it did something. So just remove it and fix up all callers of the function in the kernel tree at the same time. Cc: "Rafael J. Wysocki" <rafael@kernel.org> Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Link: https://lore.kernel.org/r/20230313181843.1207845-4-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-27T12:45:52+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-01-11T11:30:17+00:00 urn:sha1:2a81ada32f0e584fc0c943e0d3a8c9f4fae411d6 The uevent() callback in struct bus_type should not be modifying the device that is passed into it, so mark it as a const * and propagate the function signature changes out into all relevant subsystems that use this callback. Acked-by: Rafael J. Wysocki <rafael@kernel.org> Acked-by: Hans de Goede <hdegoede@redhat.com> Link: https://lore.kernel.org/r/20230111113018.459199-16-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-06-24T17:37:00+00:00 Saud Farooqui farooqui_saud@hotmail.com 2022-06-23T09:20:47+00:00 urn:sha1:99de6509c4135f1d1ceb98c42fa02d249b28b40f Replace strcpy() with strscpy_pad() for copying the rpmsg device name in rpmsg_register_device_override(). Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Saud Farooqui <farooqui_saud@hotmail.com> Link: https://lore.kernel.org/r/PA4P189MB14210AA95DCA3715AFA7F4A68BB59@PA4P189MB1421.EURP189.PROD.OUTLOOK.COM Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> 2022-06-24T17:34:00+00:00 Hangyu Hua hbh25y@gmail.com 2022-06-24T02:41:20+00:00 urn:sha1:d7bd416d35121c95fe47330e09a5c04adbc5f928 rpmsg_register_device_override need to call put_device to free vch when driver_set_override fails. Fix this by adding a put_device() to the error path. Fixes: bb17d110cbf2 ("rpmsg: Fix calling device_lock() on non-initialized device") Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: Hangyu Hua <hbh25y@gmail.com> Link: https://lore.kernel.org/r/20220624024120.11576-1-hbh25y@gmail.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> 2022-05-06T07:51:54+00:00 Krzysztof Kozlowski krzysztof.kozlowski@linaro.org 2022-04-29T19:59:46+00:00 urn:sha1:38ea74eb8fc1b82b39e13a6527095a0036539117 '&rpdev->dev' is already cached as local variable, so use it to simplify the code. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20220429195946.1061725-3-krzysztof.kozlowski@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-06T07:51:33+00:00 Krzysztof Kozlowski krzysztof.kozlowski@linaro.org 2022-04-29T19:59:45+00:00 urn:sha1:bb17d110cbf270d5247a6e261c5ad50e362d1675 driver_set_override() helper uses device_lock() so it should not be called before rpmsg_register_device() (which calls device_register()). Effect can be seen with CONFIG_DEBUG_MUTEXES: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 57 at kernel/locking/mutex.c:582 __mutex_lock+0x1ec/0x430 ... Call trace: __mutex_lock+0x1ec/0x430 mutex_lock_nested+0x44/0x50 driver_set_override+0x124/0x150 qcom_glink_native_probe+0x30c/0x3b0 glink_rpm_probe+0x274/0x350 platform_probe+0x6c/0xe0 really_probe+0x17c/0x3d0 __driver_probe_device+0x114/0x190 driver_probe_device+0x3c/0xf0 ... Refactor the rpmsg_register_device() function to use two-step device registering (initialization + add) and call driver_set_override() in proper moment. This moves the code around, so while at it also NULL-ify the rpdev->driver_override in error path to be sure it won't be kfree() second time. Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override") Reported-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Tested-by: Marek Szyprowski <m.szyprowski@samsung.com> Link: https://lore.kernel.org/r/20220429195946.1061725-2-krzysztof.kozlowski@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-04-22T15:13:54+00:00 Krzysztof Kozlowski krzysztof.kozlowski@linaro.org 2022-04-19T11:34:34+00:00 urn:sha1:e5f89131a06142e91073b6959d91cea73861d40e Memory pointed by variable 'old' in field store macro is not modified, so it can be made a pointer to const. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20220419113435.246203-12-krzysztof.kozlowski@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-13T16:49:53+00:00 Arnaud Pouliquen arnaud.pouliquen@foss.st.com 2022-01-24T10:25:15+00:00 urn:sha1:608edd96049b142de7944413cd7c24cb3f203d37 Migrate the creation of the rpmsg class from the rpmsg_char to the core that the class is usable by the rpmsg_char and the future rpmsg_ctrl module. Suggested-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Link: https://lore.kernel.org/r/20220124102524.295783-3-arnaud.pouliquen@foss.st.com