From: Dawei Li
To: andersson@kernel.org, mathieu.poirier@linaro.org
Cc: linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, dawei.li@linux.dev, set_pte_at@outlook.com, stable@vger.kernel.org
Subject: [PATCH v3 1/3] rpmsg: char: Remove put_device() in rpmsg_eptdev_add()
Date: Thu, 13 Nov 2025 23:39:07 +0800
Message-Id: <20251113153909.3789-2-dawei.li@linux.dev>
In-Reply-To: <20251113153909.3789-1-dawei.li@linux.dev>
References: <20251113153909.3789-1-dawei.li@linux.dev>

put_device() is called on the error path of rpmsg_eptdev_add() to clean up
the resource attached to eptdev->dev; unfortunately it's bogus because
dev->release() is not set yet.

When a struct device instance is destroyed, the driver core framework checks
the possible release() callback from the candidates below:
- struct device::release()
- dev->type->release()
- dev->class->dev_release()

Rpmsg eptdev owns none of them, so WARN() will complain about the absence of
release():

[ 159.112182] ------------[ cut here ]------------
[ 159.112188] Device '(null)' does not have a release() function, it is broken and must be fixed. See Documentation/core-api/kobject.rst.
[ 159.112205] WARNING: CPU: 2 PID: 1975 at drivers/base/core.c:2567 device_release+0x7a/0x90

Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
Cc: stable@vger.kernel.org
Signed-off-by: Dawei Li
---
 drivers/rpmsg/rpmsg_char.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index 34b35ea74aab..1b8297b373f0 100644 --- a/drivers/rpmsg/rpmsg_char.c +++ b/drivers/rpmsg/rpmsg_char.c
@@ -494,7 +494,6 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev, if (cdev) ida_free(&rpmsg_minor_ida, MINOR(dev->devt)); free_eptdev: - put_device(dev); kfree(eptdev); =20 return ret; --=20 2.25.1
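Review bot: at free_eptdev, removing put_device(dev) leaves kfree(eptdev) as the only teardown of the embedded struct device, so anything attached to dev before the jump is no longer released. 3/3 in this series shows dev_set_name(dev, "rpmsg%d", ret) running earlier in this function, and the name it allocates is normally freed when the last reference to the device is dropped. The WARN() goes away, but a small leak takes its place on the paths that reach this label after dev_set_name(). Consider assigning dev->release before the first failure point so that put_device() stays valid, or state in the commit message why nothing is left attached to dev here.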
From: Dawei Li
To: andersson@kernel.org, mathieu.poirier@linaro.org
Cc: linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, dawei.li@linux.dev, set_pte_at@outlook.com, Dan Carpenter
Subject: [PATCH v3 2/3] rpmsg: char: Fix UAF and memory leak in rpmsg_anonymous_eptdev_create()
Date: Thu, 13 Nov 2025 23:39:08 +0800
Message-Id: <20251113153909.3789-3-dawei.li@linux.dev>
In-Reply-To: <20251113153909.3789-1-dawei.li@linux.dev>
References: <20251113153909.3789-1-dawei.li@linux.dev>

Potential UAF and memory leak exist in exception handling paths for
rpmsg_anonymous_eptdev_create(), fix them.

- If rpmsg_add_eptdev() fails, eptdev is freed in it. Subsequent call of
  dev_err(&eptdev->device) triggers a UAF.

- If __rpmsg_eptdev_open() fails, eptdev is supposed to be freed by
  put_device().

Fixes: 2410558f5f11 ("rpmsg: char: Implement eptdev based on anonymous inode")
Reported-by: Dan Carpenter
Closes: https://lore.kernel.org/all/aPi6gPZE2_ztOjIW@stanley.mountain/
Signed-off-by: Dawei Li
---
 drivers/rpmsg/rpmsg_char.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index 1b8297b373f0..0919ad0a19df 100644 --- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c @@ -494,6 +494,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev, if (cdev) ida_free(&rpmsg_minor_ida, MINOR(dev->devt)); free_eptdev: + dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name); kfree(eptdev); =20 return ret; @@ -544,7 +545,6 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *= rpdev, struct device *par =20 ret =3D rpmsg_eptdev_add(eptdev, chinfo, false); if (ret) { - dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name); return ret; } =20 
@@ -560,6 +560,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *= rpdev, struct device *par =20 if (!ret) *pfd =3D fd; + else + put_device(&eptdev->dev); =20 return ret; } --=20 2.25.1
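Review bot: in the first hunk, the dev_err() added under free_eptdev fires for every caller of rpmsg_eptdev_add(), and the label is reachable before the device has a name: the pre-3/3 code visible later in this series jumps to free_eptdev when ida_alloc_max() fails, which happens ahead of dev_set_name(). The message would then be attributed to an unnamed device, like the "Device '(null)'" in the WARN() quoted in 1/3. Reporting from the caller against the parent device, or only on paths where dev_set_name() has already run, would keep the log line useful.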
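Review bot: in the second hunk (rpmsg_anonymous_eptdev_create()), dropping the dev_err() leaves "if (ret) { return ret; }" with braces around a single statement, which kernel coding style asks to omit. Write it as "if (ret)" followed by "return ret;" on the next line.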
From: Dawei Li
To: andersson@kernel.org, mathieu.poirier@linaro.org
Cc: linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, dawei.li@linux.dev, set_pte_at@outlook.com, Dan Carpenter
Subject: [PATCH v3 3/3] rpmsg: char: Rework exception handling of rpmsg_eptdev_add()
Date: Thu, 13 Nov 2025 23:39:09 +0800
Message-Id: <20251113153909.3789-4-dawei.li@linux.dev>
In-Reply-To: <20251113153909.3789-1-dawei.li@linux.dev>
References: <20251113153909.3789-1-dawei.li@linux.dev>

Rework error handling of rpmsg_eptdev_add() and its callers, following
rule of "release resource where it's allocated".

Fixes: 2410558f5f11 ("rpmsg: char: Implement eptdev based on anonymous inode")
Reported-by: Dan Carpenter
Closes: https://lore.kernel.org/all/aPi6gPZE2_ztOjIW@stanley.mountain/
Signed-off-by: Dawei Li
---
 drivers/rpmsg/rpmsg_char.c | 60 +++++++++++++++++++++-----------------
 1 file changed, 33 insertions(+), 27 deletions(-)

diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index 0919ad0a19df..92c176e9b0e4 100644 --- a/drivers/rpmsg/rpmsg_char.c +++ b/drivers/rpmsg/rpmsg_char.c
@@ -460,44 +460,34 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptd= ev, =20 eptdev->chinfo =3D chinfo; =20 - if (cdev) { - ret =3D ida_alloc_max(&rpmsg_minor_ida, RPMSG_DEV_MAX - 1, GFP_KERNEL); - if (ret < 0) - goto free_eptdev; - - dev->devt =3D MKDEV(MAJOR(rpmsg_major), ret); - } - /* Anonymous inode device still need device name for dev_err() and friend= s */ ret =3D ida_alloc(&rpmsg_ept_ida, GFP_KERNEL); if (ret < 0) - goto free_minor_ida; + return ret; dev->id =3D ret; dev_set_name(dev, "rpmsg%d", ret); =20 - ret =3D 0; - if (cdev) { + ret =3D ida_alloc_max(&rpmsg_minor_ida, RPMSG_DEV_MAX - 1, GFP_KERNEL); + if (ret < 0) { + ida_free(&rpmsg_ept_ida, dev->id); + return ret; + } + + dev->devt =3D MKDEV(MAJOR(rpmsg_major), ret); + ret =3D cdev_device_add(&eptdev->cdev, &eptdev->dev); - if (ret) - goto free_ept_ida; + if (ret) { + ida_free(&rpmsg_ept_ida, dev->id); + ida_free(&rpmsg_minor_ida, MINOR(dev->devt)); + return ret; + } } =20 /* We can now rely on the release function for cleanup */ dev->release =3D rpmsg_eptdev_release_device; =20 - return ret; - -free_ept_ida: - ida_free(&rpmsg_ept_ida, dev->id); -free_minor_ida: - if (cdev) - ida_free(&rpmsg_minor_ida, MINOR(dev->devt)); -free_eptdev: - dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name); - kfree(eptdev); - - return ret; + return 0; } =20 static int rpmsg_chrdev_eptdev_add(struct rpmsg_eptdev *eptdev, struct rpm= sg_channel_info chinfo) @@ -509,12 +499,17 @@ int rpmsg_chrdev_eptdev_create(struct rpmsg_device *r= pdev, struct device *parent struct rpmsg_channel_info chinfo) { struct rpmsg_eptdev *eptdev; + int ret; =20 eptdev =3D rpmsg_chrdev_eptdev_alloc(rpdev, parent); if (IS_ERR(eptdev)) return PTR_ERR(eptdev); =20 - return rpmsg_chrdev_eptdev_add(eptdev, chinfo); + ret =3D rpmsg_chrdev_eptdev_add(eptdev, chinfo); + if (ret) + kfree(eptdev); + + return ret; } EXPORT_SYMBOL(rpmsg_chrdev_eptdev_create); =20 
@@ -545,6 +540,12 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device = *rpdev, struct device *par =20 ret =3D rpmsg_eptdev_add(eptdev, chinfo, false); if (ret) { + dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name); + /* + * Avoid put_device() or WARN() will be triggered due to absence of + * device::release(), refer to device_release(). + */ + kfree(eptdev); return ret; } =20 @@ -572,6 +573,7 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpde= v) struct rpmsg_channel_info chinfo; struct rpmsg_eptdev *eptdev; struct device *dev =3D &rpdev->dev; + int ret; =20 memcpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE); chinfo.src =3D rpdev->src; @@ -590,7 +592,11 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpd= ev) */ eptdev->default_ept->priv =3D eptdev; =20 - return rpmsg_chrdev_eptdev_add(eptdev, chinfo); + ret =3D rpmsg_chrdev_eptdev_add(eptdev, chinfo); + if (ret) + kfree(eptdev); + + return ret; } =20 static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev) --=20 2.25.1
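Review bot: in the first hunk (rpmsg_eptdev_add()), the goto ladder is replaced by three return sites that each repeat their own ida_free() calls, and the cdev_device_add() failure branch frees rpmsg_ept_ida before rpmsg_minor_ida although the minor was allocated last. Kernel style prefers a single unwind sequence in reverse order of allocation. Keeping two labels (free the minor, then free the ept id) and leaving only the kfree() to the callers would still follow "release resource where it's allocated" without duplicating the cleanup.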
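Review bot: in the last hunk (rpmsg_chrdev_probe()), kfree(eptdev) runs after the context line "eptdev->default_ept->priv = eptdev;" has already published the pointer, so default_ept->priv is left pointing at freed memory when rpmsg_chrdev_eptdev_add() fails. Clear priv before the kfree(), or add a comment explaining why the endpoint cannot be used again once probe returns an error.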