From: Xingjing Deng
To: srini@kernel.org, amahesh@qti.qualcomm.com, arnd@arndb.de, gregkh@linuxfoundation.org
Cc: dri-devel@lists.freedesktop.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Xingjing Deng, stable@vger.kernel.org
Subject: [PATCH v4] misc: fastrpc: possible double-free of cctx->remote_heap
Date: Wed, 28 Jan 2026 12:26:00 +0800
Message-Id: <20260128042600.2641857-1-xjdeng@buaa.edu.cn>

fastrpc_init_create_static_process() may free cctx->remote_heap on the
err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove()
frees cctx->remote_heap again if it is non-NULL, which can lead to a
double-free if the INIT_CREATE_STATIC ioctl hits the error path and the
rpmsg device is subsequently removed/unbound.

Clear cctx->remote_heap after freeing it in the error path to prevent the
later cleanup from freeing it again.

This issue was detected by a private static analysis tool. No actual
hardware testing was performed as the issue is purely code-level and
verified via static analysis.

Fixes: 0871561055e66 ("misc: fastrpc: Add support for audiopd")
Cc: stable@vger.kernel.org # 6.2+
Signed-off-by: Xingjing Deng --- v4: - Add description of the detection tool. - Link to v3: https://lore.kernel.org/linux-arm-msm/20260117140959.879035-1= -xjdeng@buaa.edu.cn/T/#u v3: - Adjust the email format. - Link to v2: https://lore.kernel.org/linux-arm-msm/2026011650-gravitate-ha= ppily-5d0c@gregkh/T/#t v2: - Add Fixes: and Cc: stable@vger.kernel.org. - Link to v1: https://lore.kernel.org/linux-arm-msm/2026011227-casualty-rep= hrase-9381@gregkh/T/#t drivers/misc/fastrpc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index ee652ef01534..fb3b54e05928 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1370,6 +1370,7 @@ static int fastrpc_init_create_static_process(struct = fastrpc_user *fl, } err_map: fastrpc_buf_free(fl->cctx->remote_heap); + fl->cctx->remote_heap =3D NULL; err_name: kfree(name); err: --=20 2.25.1
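Review bot: the added `fl->cctx->remote_heap = NULL;` directly after `fastrpc_buf_free(fl->cctx->remote_heap);` at err_map is the right pattern for a pointer that a later cleanup path tests for non-NULL before freeing, and it matches the double-free scenario the commit message describes. Two things the hunk does not show and that are worth stating in the commit message: whether the write here and the non-NULL check in fastrpc_rpmsg_remove() are serialized by the same lock (the ioctl error path and device unbind are independent events, so an unsynchronized read could still see the old pointer), and whether err_map can be reached before cctx->remote_heap was assigned in this call, in which case the free would act on a pointer owned by an earlier successful init. If both are already covered by existing locking or control flow, a sentence saying so would let reviewers confirm the one-line fix is complete.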