CVE-2025-71274

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rpmsg: core: fix race in driver_override_show() and use core helper<br /> <br /> The driver_override_show function reads the driver_override string<br /> without holding the device_lock. However, the store function modifies<br /> and frees the string while holding the device_lock. This creates a race<br /> condition where the string can be freed by the store function while<br /> being read by the show function, leading to a use-after-free.<br /> <br /> To fix this, replace the rpmsg_string_attr macro with explicit show and<br /> store functions. The new driver_override_store uses the standard<br /> driver_set_override helper. Since the introduction of<br /> driver_set_override, the comments in include/linux/rpmsg.h have stated<br /> that this helper must be used to set or clear driver_override, but the<br /> implementation was not updated until now.<br /> <br /> Because driver_set_override modifies and frees the string while holding<br /> the device_lock, the new driver_override_show now correctly holds the<br /> device_lock during the read operation to prevent the race.<br /> <br /> Additionally, since rpmsg_string_attr has only ever been used for<br /> driver_override, removing the macro simplifies the code.