On probe error, free the previously obtained channels. This not only
prevents a leak, but also UAF scenarios because the client structure
will be removed nonetheless because it was allocated with devm.

Link: https://sashiko.dev/#/patchset/20260327151217.5327-2-wsa%2Brenesas%40sang-engineering.com
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
---

This fixes an issue spotted by Sashiko while reviewing a previous patch.
I confirmed the UAF by hacking some error injection to the drivers.

 drivers/mailbox/mailbox-test.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 058c0fe4b9c2..e7cae11780c3 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -409,18 +409,27 @@ static int mbox_test_probe(struct platform_device *pdev)
 	if (tdev->rx_channel) {
 		tdev->rx_buffer = devm_kzalloc(&pdev->dev,
 					       MBOX_MAX_MSG_LEN, GFP_KERNEL);
-		if (!tdev->rx_buffer)
-			return -ENOMEM;
+		if (!tdev->rx_buffer) {
+			ret = -ENOMEM;
+			goto err_unreg_chan;
+		}
 	}
 
 	ret = mbox_test_add_debugfs(pdev, tdev);
 	if (ret)
-		return ret;
+		goto err_unreg_chan;
 
 	init_waitqueue_head(&tdev->waitq);
 	dev_info(&pdev->dev, "Successfully registered\n");
 
 	return 0;
+
+ err_unreg_chan:
+	if (tdev->tx_channel)
+		mbox_free_channel(tdev->tx_channel);
+	if (tdev->rx_channel)
+		mbox_free_channel(tdev->rx_channel);
+	return ret;
 }
 
 static void mbox_test_remove(struct platform_device *pdev)
-- 
2.51.0

On Fri, Apr 10, 2026 at 7:56 AM Wolfram Sang
<wsa+renesas@sang-engineering.com> wrote:
>
> On probe error, free the previously obtained channels. This not only
> prevents a leak, but also UAF scenarios because the client structure
> will be removed nonetheless because it was allocated with devm.
>
> Link: https://sashiko.dev/#/patchset/20260327151217.5327-2-wsa%2Brenesas%40sang-engineering.com
> Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
> Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
> ---
>
> This fixes an issue spotted by Sashiko while reviewing a previous patch.
> I confirmed the UAF by hacking some error injection to the drivers.
>
>  drivers/mailbox/mailbox-test.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
> index 058c0fe4b9c2..e7cae11780c3 100644
> --- a/drivers/mailbox/mailbox-test.c
> +++ b/drivers/mailbox/mailbox-test.c
> @@ -409,18 +409,27 @@ static int mbox_test_probe(struct platform_device *pdev)
>         if (tdev->rx_channel) {
>                 tdev->rx_buffer = devm_kzalloc(&pdev->dev,
>                                                MBOX_MAX_MSG_LEN, GFP_KERNEL);
> -               if (!tdev->rx_buffer)
> -                       return -ENOMEM;
> +               if (!tdev->rx_buffer) {
> +                       ret = -ENOMEM;
> +                       goto err_unreg_chan;
> +               }
>         }
>
>         ret = mbox_test_add_debugfs(pdev, tdev);
>         if (ret)
> -               return ret;
> +               goto err_unreg_chan;
>
>         init_waitqueue_head(&tdev->waitq);
>         dev_info(&pdev->dev, "Successfully registered\n");
>
>         return 0;
> +
> + err_unreg_chan:
> +       if (tdev->tx_channel)
> +               mbox_free_channel(tdev->tx_channel);
> +       if (tdev->rx_channel)
> +               mbox_free_channel(tdev->rx_channel);
> +       return ret;
>  }
>
>  static void mbox_test_remove(struct platform_device *pdev)
> --
> 2.51.0
>
With trivial cosmetic changes  s/err_unreg_chan/err_free_chans/
Applied to mailbox/for-next
Thanks
Jassi