[PATCH v5.10.y 3/6] rpmsg: Fix kfree() of static memory on setting driver_override

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Lee Jones <lee@kernel.org>
To: lee@kernel.org
Cc: stable@vger.kernel.org,
	Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
	Bjorn Andersson <bjorn.andersson@linaro.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH v5.10.y 3/6] rpmsg: Fix kfree() of static memory on setting driver_override
Date: Tue, 31 Oct 2023 09:22:58 +0000	[thread overview]
Message-ID: <20231031092308.2227611-3-lee@kernel.org> (raw)
In-Reply-To: <20231031092308.2227611-1-lee@kernel.org>

From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

commit 42cd402b8fd4672b692400fe5f9eecd55d2794ac upstream.

The driver_override field from platform driver should not be initialized
from static memory (string literal) because the core later kfree() it,
for example when driver_override is set via sysfs.

Use dedicated helper to set driver_override properly.

Fixes: 950a7388f02b ("rpmsg: Turn name service into a stand alone driver")
Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20220419113435.246203-13-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Change-Id: I33ae2cbad4c0ab679c340de236fb028b3f87c3dc
---
 drivers/rpmsg/rpmsg_internal.h | 13 +++++++++++--
 include/linux/rpmsg.h          |  6 ++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/rpmsg/rpmsg_internal.h b/drivers/rpmsg/rpmsg_internal.h
index 3fc83cd50e98f..9165e3c811be4 100644
--- a/drivers/rpmsg/rpmsg_internal.h
+++ b/drivers/rpmsg/rpmsg_internal.h
@@ -84,10 +84,19 @@ struct device *rpmsg_find_device(struct device *parent,
  */
 static inline int rpmsg_chrdev_register_device(struct rpmsg_device *rpdev)
 {
+	int ret;
+
 	strcpy(rpdev->id.name, "rpmsg_chrdev");
-	rpdev->driver_override = "rpmsg_chrdev";
+	ret = driver_set_override(&rpdev->dev, &rpdev->driver_override,
+				  rpdev->id.name, strlen(rpdev->id.name));
+	if (ret)
+		return ret;
+
+	ret = rpmsg_register_device(rpdev);
+	if (ret)
+		kfree(rpdev->driver_override);
 
-	return rpmsg_register_device(rpdev);
+	return ret;
 }
 
 #endif
diff --git a/include/linux/rpmsg.h b/include/linux/rpmsg.h
index a68972b097b72..6e7690e20dc51 100644
--- a/include/linux/rpmsg.h
+++ b/include/linux/rpmsg.h
@@ -41,7 +41,9 @@ struct rpmsg_channel_info {
  * rpmsg_device - device that belong to the rpmsg bus
  * @dev: the device struct
  * @id: device id (used to match between rpmsg drivers and devices)
- * @driver_override: driver name to force a match
+ * @driver_override: driver name to force a match; do not set directly,
+ *                   because core frees it; use driver_set_override() to
+ *                   set or clear it.
  * @src: local address
  * @dst: destination address
  * @ept: the rpmsg endpoint of this channel
@@ -50,7 +52,7 @@ struct rpmsg_channel_info {
 struct rpmsg_device {
 	struct device dev;
 	struct rpmsg_device_id id;
-	char *driver_override;
+	const char *driver_override;
 	u32 src;
 	u32 dst;
 	struct rpmsg_endpoint *ept;
-- 
2.42.0.820.g83a721a137-goog

next prev parent reply	other threads:[~2023-10-31  9:23 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-31  9:22 [PATCH v5.10.y 1/6] driver: platform: Add helper for safer setting of driver_override Lee Jones
2023-10-31  9:22 ` [PATCH v5.10.y 2/6] rpmsg: Constify local variable in field store macro Lee Jones
2023-10-31  9:22 ` Lee Jones [this message]
2023-10-31  9:22 ` [PATCH v5.10.y 4/6] rpmsg: Fix calling device_lock() on non-initialized device Lee Jones
2023-10-31  9:23 ` [PATCH v5.10.y 5/6] rpmsg: glink: Release driver_override Lee Jones
2023-10-31  9:23 ` [PATCH v5.10.y 6/6] rpmsg: Fix possible refcount leak in rpmsg_register_device_override() Lee Jones
2023-10-31  9:37 ` [PATCH v5.10.y 1/6] driver: platform: Add helper for safer setting of driver_override Lee Jones
  -- strict thread matches above, loose matches on Subject: below --
2023-10-31 11:33 Lee Jones
2023-10-31 11:33 ` [PATCH v5.10.y 3/6] rpmsg: Fix kfree() of static memory on setting driver_override Lee Jones

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3fc83cd50e98 dfblob:9165e3c811be dfblob:a68972b097b7
dfblob:6e7690e20dc5 )
 OR (
bs:"[PATCH v5.10.y 3/6] rpmsg: Fix kfree() of static memory on setting driver_override" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231031092308.2227611-3-lee@kernel.org \
    --to=lee@kernel.org \
    --cc=bjorn.andersson@linaro.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=krzysztof.kozlowski@linaro.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.