Commit 42cd402b authored by Krzysztof Kozlowski's avatar Krzysztof Kozlowski Committed by Greg Kroah-Hartman
Browse files

rpmsg: Fix kfree() of static memory on setting driver_override 



The driver_override field from platform driver should not be initialized
from static memory (string literal) because the core later kfree() it,
for example when driver_override is set via sysfs.

Use dedicated helper to set driver_override properly.

Fixes: 950a7388 ("rpmsg: Turn name service into a stand alone driver")
Fixes: c0cdc19f ("rpmsg: Driver for user space endpoint interface")
Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20220419113435.246203-13-krzysztof.kozlowski@linaro.org


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e5f89131

drivers/rpmsg/rpmsg_internal.h

+11 −2
Original line number Diff line number Diff line
@@ -94,10 +94,19 @@ int rpmsg_release_channel(struct rpmsg_device *rpdev, 
 */

static inline int rpmsg_ctrldev_register_device(struct rpmsg_device *rpdev)

{

	int ret;



	strcpy(rpdev->id.name, "rpmsg_ctrl");

	rpdev->driver_override = "rpmsg_ctrl";

	ret = driver_set_override(&rpdev->dev, &rpdev->driver_override,

				  rpdev->id.name, strlen(rpdev->id.name));

	if (ret)

		return ret;



	ret = rpmsg_register_device(rpdev);

	if (ret)

		kfree(rpdev->driver_override);



	return rpmsg_register_device(rpdev);

	return ret;

}



#endif

drivers/rpmsg/rpmsg_ns.c

+12 −2
Original line number Diff line number Diff line
@@ -20,12 +20,22 @@ 
 */

int rpmsg_ns_register_device(struct rpmsg_device *rpdev)

{

	int ret;



	strcpy(rpdev->id.name, "rpmsg_ns");

	rpdev->driver_override = "rpmsg_ns";

	ret = driver_set_override(&rpdev->dev, &rpdev->driver_override,

				  rpdev->id.name, strlen(rpdev->id.name));

	if (ret)

		return ret;



	rpdev->src = RPMSG_NS_ADDR;

	rpdev->dst = RPMSG_NS_ADDR;



	return rpmsg_register_device(rpdev);

	ret = rpmsg_register_device(rpdev);

	if (ret)

		kfree(rpdev->driver_override);



	return ret;

}

EXPORT_SYMBOL(rpmsg_ns_register_device);

include/linux/rpmsg.h

+4 −2
Original line number Diff line number Diff line
@@ -41,7 +41,9 @@ struct rpmsg_channel_info { 
 * rpmsg_device - device that belong to the rpmsg bus

 * @dev: the device struct

 * @id: device id (used to match between rpmsg drivers and devices)

 * @driver_override: driver name to force a match

 * @driver_override: driver name to force a match; do not set directly,

 *                   because core frees it; use driver_set_override() to

 *                   set or clear it.

 * @src: local address

 * @dst: destination address

 * @ept: the rpmsg endpoint of this channel
@@ -51,7 +53,7 @@ struct rpmsg_channel_info { 
struct rpmsg_device {

	struct device dev;

	struct rpmsg_device_id id;

	char *driver_override;

	const char *driver_override;

	u32 src;

	u32 dst;

	struct rpmsg_endpoint *ept;