PT-2026-37449 · Linux · Linux

Published 2026-05-06 · Updated 2026-05-06 · CVE-2025-71274

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

rpmsg: core: fix race in driver_override_show() and use core helper

The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free.

To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.

Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race.

Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.
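
The locking pattern described above, as an added userspace model in C; it is not the kernel patch or any code from the rpmsg subsystem. The names `model_dev`, `model_override_store`, `model_override_show_racy` and `model_override_show` are hypothetical, and a pthread mutex stands in for the device lock.

```c
/* Userspace model (added example): a pthread mutex stands in for the device lock. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_dev {                      /* hypothetical stand-in for the device */
    pthread_mutex_t lock;               /* plays the role of the device lock */
    char *driver_override;              /* heap string, replaced and freed by store */
};

/* Store: build the new string outside the lock, swap under it, free the old one after. */
int model_override_store(struct model_dev *d, const char *s)
{
    size_t len = strcspn(s, "\n");      /* cut at the first newline of the written value */
    char *next = NULL, *old;

    if (len) {                          /* in this model, "" or "\n" clears the override */
        next = malloc(len + 1);
        if (!next)
            return -1;
        memcpy(next, s, len);
        next[len] = '\0';
    }
    pthread_mutex_lock(&d->lock);
    old = d->driver_override;
    d->driver_override = next;
    pthread_mutex_unlock(&d->lock);
    free(old);                          /* a reader that fetched 'old' unlocked now dangles */
    return 0;
}

/* Racy show (the pattern being fixed): reads the pointer with no lock held. */
int model_override_show_racy(struct model_dev *d, char *buf, size_t n)
{
    return snprintf(buf, n, "%s\n", d->driver_override ? d->driver_override : "(null)");
}

/* Fixed show: the pointer read and the copy into buf both happen under the lock. */
int model_override_show(struct model_dev *d, char *buf, size_t n)
{
    int ret;

    pthread_mutex_lock(&d->lock);
    ret = snprintf(buf, n, "%s\n", d->driver_override ? d->driver_override : "(null)");
    pthread_mutex_unlock(&d->lock);
    return ret;
}
```

The racy variant is safe only when no store can run concurrently; the fixed variant copies the string out before releasing the lock, so the caller never holds a pointer that store can free.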

Related Identifiers

CVE-2025-71274

Affected Products

Linux