| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251118154107.3100-2-dawei.li@linux.dev>
Date: Tue, 18 Nov 2025 23:41:05 +0800
From: Dawei Li <dawei.li@...ux.dev>
To: andersson@...nel.org,
mathieu.poirier@...aro.org
Cc: linux-remoteproc@...r.kernel.org,
linux-kernel@...r.kernel.org,
dawei.li@...ux.dev,
set_pte_at@...look.com
Subject: [PATCH v4 1/3] rpmsg: char: Fix WARN() in error path of rpmsg_eptdev_add()
put_device() is called on error path of rpmsg_eptdev_add() to cleanup
resource attached to eptdev->dev, unfortunately it's bogus cause
dev->release() is not set yet.
When a struct device instance is destroyed, driver core framework checks
the possible release() callback from candidates below:
- struct device::release()
- dev->type->release()
- dev->class->dev_release()
Rpmsg eptdev owns none of them so WARN() will complain the absence of
release().
Fix it by:
- Pre-assign dev->release() before potential error path.
- Check before ida_free() in dev->release().
By fixing error path of rpmsg_eptdev_add() and fixing potential memory
leak in rpmsg_anonymous_eptdev_create(), this work paves the way of rework
of rpmsg_eptdev_add() and its callers.
Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
Signed-off-by: Dawei Li <dawei.li@...ux.dev>
---
drivers/rpmsg/rpmsg_char.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index 34b35ea74aab..373b627581e8 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -408,8 +408,13 @@ static void rpmsg_eptdev_release_device(struct device *dev)
{
struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
- ida_free(&rpmsg_ept_ida, dev->id);
- if (eptdev->dev.devt)
+ /*
+ * release() can be invoked from error path of rpmsg_eptdev_add(),
+ * WARN() will be fired if ida_free() is feed with invalid ID.
+ */
+ if (likely(ida_exists(&rpmsg_ept_ida, dev->id)))
+ ida_free(&rpmsg_ept_ida, dev->id);
+ if (eptdev->dev.devt && likely(ida_exists(&rpmsg_minor_ida, MINOR(eptdev->dev.devt))))
ida_free(&rpmsg_minor_ida, MINOR(eptdev->dev.devt));
kfree(eptdev);
}
@@ -458,6 +463,8 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
struct device *dev = &eptdev->dev;
int ret;
+ dev->release = rpmsg_eptdev_release_device;
+
eptdev->chinfo = chinfo;
if (cdev) {
@@ -471,7 +478,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
/* Anonymous inode device still need device name for dev_err() and friends */
ret = ida_alloc(&rpmsg_ept_ida, GFP_KERNEL);
if (ret < 0)
- goto free_minor_ida;
+ goto free_eptdev;
dev->id = ret;
dev_set_name(dev, "rpmsg%d", ret);
@@ -480,22 +487,13 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
if (cdev) {
ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
if (ret)
- goto free_ept_ida;
+ goto free_eptdev;
}
- /* We can now rely on the release function for cleanup */
- dev->release = rpmsg_eptdev_release_device;
-
return ret;
-free_ept_ida:
- ida_free(&rpmsg_ept_ida, dev->id);
-free_minor_ida:
- if (cdev)
- ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
free_eptdev:
put_device(dev);
- kfree(eptdev);
return ret;
}
@@ -561,6 +559,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
if (!ret)
*pfd = fd;
+ else
+ put_device(&eptdev->dev);
return ret;
}
--
2.25.1
Powered by blists - more mailing lists