From: Gui-Dong Han
To: andersson@kernel.org, mathieu.poirier@linaro.org
Cc: linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, Gui-Dong Han, stable@vger.kernel.org
Subject: [PATCH] rpmsg: core: fix race in driver_override_show() and use core helper
Date: Wed, 3 Dec 2025 01:49:48 +0800
Message-ID: <20251202174948.12693-1-hanguidong02@gmail.com>
X-Mailer: git-send-email 2.43.0

The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free.

To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.

Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race.

Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.

Fixes: 39e47767ec9b ("rpmsg: Add driver_override device attribute for rpmsg_device")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han
Reviewed-by: Zhongqiu Han
---
I verified this with a stress test that continuously writes/reads the attribute. It triggered KASAN and leaked bytes like a0 f4 81 9f a3 ff ff (likely kernel pointers). Since driver_override is world-readable (0644), this allows unprivileged users to leak kernel pointers and bypass KASLR.

Similar races were fixed in other buses (e.g., commits 9561475db680 and 91d44c1afc61). Currently, 9 of 11 buses handle this correctly; this patch fixes one of the remaining two.
---
 drivers/rpmsg/rpmsg_core.c | 66 ++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 39 deletions(-)

diff --git a/drivers/rpmsg/rpmsg_core.c b/drivers/rpmsg/rpmsg_core.c
index 5d661681a9b6..96964745065b 100644
--- a/drivers/rpmsg/rpmsg_core.c
+++ b/drivers/rpmsg/rpmsg_core.c
@@ -352,50 +352,38 @@ field##_show(struct device *dev, \ } \ static DEVICE_ATTR_RO(field); =20 -#define rpmsg_string_attr(field, member) \ -static ssize_t \ -field##_store(struct device *dev, struct device_attribute *attr, \ - const char *buf, size_t sz) \ -{ \ - struct rpmsg_device *rpdev =3D to_rpmsg_device(dev); \ - const char *old; \ - char *new; \ - \ - new =3D kstrndup(buf, sz, GFP_KERNEL); \ - if (!new) \ - return -ENOMEM; \ - new[strcspn(new, "\n")] =3D '\0'; \ - \ - device_lock(dev); \ - old =3D rpdev->member; \ - if (strlen(new)) { \ - rpdev->member =3D new; \ - } else { \ - kfree(new); \ - rpdev->member =3D NULL; \ - } \ - device_unlock(dev); \ - \ - kfree(old); \ - \ - return sz; \ -} \ -static ssize_t \ -field##_show(struct device *dev, \ - struct device_attribute *attr, char *buf) \ -{ \ - struct rpmsg_device *rpdev =3D to_rpmsg_device(dev); \ - \ - return sprintf(buf, "%s\n", rpdev->member); \ -} \ -static DEVICE_ATTR_RW(field) - /* for more info, see Documentation/ABI/testing/sysfs-bus-rpmsg */ rpmsg_show_attr(name, id.name, "%s\n"); rpmsg_show_attr(src, src, "0x%x\n"); rpmsg_show_attr(dst, dst, "0x%x\n"); rpmsg_show_attr(announce, announce ? 
"true" : "false", "%s\n"); -rpmsg_string_attr(driver_override, driver_override); + +static ssize_t driver_override_store(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t count) +{ + struct rpmsg_device *rpdev =3D to_rpmsg_device(dev); + int ret; + + ret =3D driver_set_override(dev, &rpdev->driver_override, buf, count); + if (ret) + return ret; + + return count; +} + +static ssize_t driver_override_show(struct device *dev, + struct device_attribute *attr, char *buf) +{ + struct rpmsg_device *rpdev =3D to_rpmsg_device(dev); + ssize_t len; + + device_lock(dev); + len =3D sysfs_emit(buf, "%s\n", rpdev->driver_override); + device_unlock(dev); + return len; +} +static DEVICE_ATTR_RW(driver_override); =20 static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, char *buf) --=20 2.43.0
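Review bot: Missing blank line in the new driver_override_show() region: the closing `+}` is immediately followed by `+static DEVICE_ATTR_RW(driver_override);`, whereas the usual kernel layout (and the blank `+` line you added before driver_override_store()) separates a function body from the attribute definition with one empty line; insert one before `static DEVICE_ATTR_RW(driver_override);`. One caveat worth a sentence in the commit message: `sysfs_emit(buf, "%s\n", rpdev->driver_override)` runs with a NULL pointer whenever no override is set, so the attribute reads back as "(null)"; the removed `sprintf(buf, "%s\n", rpdev->member)` did exactly the same, so this is not a regression, but stating that the output is unchanged saves the next reader from checking. The locking itself looks right: driver_set_override() performs the pointer swap under device_lock(), and the show side now both reads the pointer and formats it while holding the same lock, which is what closes the window the commit message describes; returning `count` only after `driver_set_override()` succeeded also correctly propagates its -EINVAL/-ENOMEM cases to the writer.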
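The stress test the cover note describes, as an added example that is not the author's reproducer and not part of the patch: a small userspace C harness that forks a writer which alternately sets and clears the attribute and a reader which re-opens and reads it in a tight loop, so that driver_override_store() and driver_override_show() run concurrently. The attribute path is passed on the command line (the `/sys/bus/rpmsg/devices/<dev>/driver_override` location in the usage string is an assumption about where the device sits), the override name written is an arbitrary string chosen here, and `make_scratch_file()` is a convenience added so the harness can be exercised against an ordinary file on a machine with no rpmsg device. The harness only counts syscall failures; on an unpatched kernel the signal the cover note reports is the KASAN use-after-free splat in dmesg, not an errno. At mode 0644 the writer needs write permission on the attribute, which means root; the reader does not.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one stress run; every error counter is 0 on a healthy attribute. */
struct stress_result {
	long reads;        /* reads completed by the parent */
	long writes;       /* writes attempted by the child */
	long read_errors;  /* open()/read() failures seen by the reader */
	long write_errors; /* open()/write() failures seen by the writer (capped at 255) */
};

/*
 * Writer side: alternates between a long override name and "\n", which
 * clears the override. Each write() is a separate store, so the kernel
 * frees the previously stored string on every iteration. The name is an
 * arbitrary value chosen for this example (assumption).
 */
static long stress_writer(const char *path, long iters, long *errors)
{
	static const char *const values[] = {
		"stress_override_name_0123456789abcdef\n",
		"\n",
	};
	long done = 0;

	for (long i = 0; i < iters; i++) {
		const char *v = values[i & 1];
		int fd = open(path, O_WRONLY);

		if (fd < 0) {
			(*errors)++;
			continue;
		}
		if (write(fd, v, strlen(v)) < 0)
			(*errors)++;
		close(fd);
		done++;
	}
	return done;
}

/*
 * Reader side: re-opens and reads the attribute every iteration, which is
 * what invokes driver_override_show(). Only syscall failures are counted;
 * a freed-string read shows up as a KASAN report, not as an error return.
 */
static long stress_reader(const char *path, long iters, long *errors)
{
	char buf[256];
	long done = 0;

	for (long i = 0; i < iters; i++) {
		int fd = open(path, O_RDONLY);

		if (fd < 0) {
			(*errors)++;
			continue;
		}
		if (read(fd, buf, sizeof(buf) - 1) < 0)
			(*errors)++;
		close(fd);
		done++;
	}
	return done;
}

/* Run the writer in a child and the reader in the parent, concurrently. 0 on success, -1 if fork() fails. */
int stress_attr(const char *path, long iters, struct stress_result *res)
{
	pid_t pid = fork();
	int status = 0;
	long rerr = 0;

	if (pid < 0)
		return -1;
	if (pid == 0) {
		long werr = 0;

		stress_writer(path, iters, &werr);
		_exit(werr > 255 ? 255 : (int)werr); /* error count travels in the exit status */
	}

	memset(res, 0, sizeof(*res));
	res->reads = stress_reader(path, iters, &rerr);
	res->read_errors = rerr;
	res->writes = iters;

	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		res->write_errors = 255;
	else
		res->write_errors = WEXITSTATUS(status);
	return 0;
}

/* Scratch regular file so the harness can be exercised where no rpmsg device exists (helper added for this example). */
const char *make_scratch_file(void)
{
	static char path[64];
	int fd;

	strcpy(path, "/tmp/driver_override_stress_XXXXXX");
	fd = mkstemp(path);
	if (fd < 0) {
		strcpy(path, "./driver_override_stress_XXXXXX");
		fd = mkstemp(path);
	}
	if (fd < 0)
		return NULL;
	close(fd);
	return path;
}

int main(int argc, char **argv)
{
	struct stress_result res;
	const char *path = argc > 1 ? argv[1] : NULL;
	long iters = argc > 2 ? atol(argv[2]) : 100000;

	if (!path) {
		fprintf(stderr, "usage: %s /sys/bus/rpmsg/devices/<dev>/driver_override [iterations]\n", argv[0]);
		return 2;
	}
	if (stress_attr(path, iters, &res) < 0) {
		perror("fork");
		return 1;
	}
	printf("reads=%ld (errors %ld) writes=%ld (errors %ld)\n",
	       res.reads, res.read_errors, res.writes, res.write_errors);
	return (res.read_errors || res.write_errors) ? 1 : 0;
}
```

Run it as root against the real attribute with a KASAN-enabled kernel and watch dmesg; a clean run prints zero errors, and the harness exits non-zero only if the kernel starts rejecting the opens or I/O, which is not how this bug manifests.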