From: Xingjing Deng
To: srini@kernel.org, amahesh@qti.qualcomm.com, arnd@arndb.de, gregkh@linuxfoundation.org
Cc: dri-devel@lists.freedesktop.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Xingjing Deng, stable@vger.kernel.org
Subject: [PATCH v3] misc: fastrpc: possible double-free of cctx->remote_heap
Date: Sat, 17 Jan 2026 22:09:59 +0800
Message-Id: <20260117140959.879035-1-xjdeng@buaa.edu.cn>

fastrpc_init_create_static_process() may free cctx->remote_heap on the
err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove()
frees cctx->remote_heap again if it is non-NULL, which can lead to a
double-free if the INIT_CREATE_STATIC ioctl hits the error path and the
rpmsg device is subsequently removed/unbound.

Clear cctx->remote_heap after freeing it in the error path to prevent the
later cleanup from freeing it again.

Fixes: 0871561055e66 ("misc: fastrpc: Add support for audiopd")
Cc: stable@vger.kernel.org # 6.2+
Signed-off-by: Xingjing Deng
---
v3:
- Adjust the email format.
- Link to v2: https://lore.kernel.org/linux-arm-msm/2026011650-gravitate-happily-5d0c@gregkh/T/#t
v2:
- Add Fixes: and Cc: stable@vger.kernel.org.
- Link to v1: https://lore.kernel.org/linux-arm-msm/2026011227-casualty-rephrase-9381@gregkh/T/#t

 drivers/misc/fastrpc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index ee652ef01534..fb3b54e05928 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1370,6 +1370,7 @@ static int fastrpc_init_create_static_process(struct = fastrpc_user *fl, } err_map: fastrpc_buf_free(fl->cctx->remote_heap); + fl->cctx->remote_heap =3D NULL; err_name: kfree(name); err: --=20 2.25.1
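
Review bot: at err_map, fastrpc_buf_free() and the new `fl->cctx->remote_heap = NULL;` store are two separate steps on a pointer that lives in the shared cctx, and no lock is visible in this hunk. If fastrpc_rpmsg_remove() or another fastrpc_user on the same cctx can read remote_heap between the free and the store, the stale pointer is still reachable, so the double-free window is narrowed rather than closed. Please say in the commit message which lock serializes this error path against the remove path, or move the pointer into a local, clear cctx->remote_heap under that lock, and free the local afterwards. Separately, the subject line reads as a bug description; "misc: fastrpc: fix possible double-free of cctx->remote_heap" would say what the patch does.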