From nobody Mon Jun 8 05:24:57 2026 Received: from mail-qk1-f172.google.com (mail-qk1-f172.google.com [209.85.222.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C04B33E5A0B for ; Mon, 1 Jun 2026 18:32:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780338775; cv=none; b=fcDNr4CXRq3VbklcNZYMKa1M5EIasul85cj73hjwZVw9cNV8N/F14gnyl02+QE5nwDxFxQC5fO4POwbUQLA0pm74qEyeq129sjQdSXiqOdKyWQ4vwYrOilBqEV5SAoLM+zT3P5/wZ1n5pSmX98SlqWpnDP3iarYpnz424ooT3Ro= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780338775; c=relaxed/simple; bh=Y7RUPn+bAvsmJ/8/BG0ZaBGJijmKLA+fSDhd8Z8WAVc=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=TMU3mvWDJSqF4yR+ATMLTJBs2C45PlGltVTrlN3fc78Ur3JCmBB5ilPAPx72jOZPdIXOmb+cHcrFVrsZmT1+czT1mRriLC3jUoNdjOME/MY7PiraGmPbr6BB3rzzd1IrgACem5AuE4BD8mk3m+zz0pxQC5QJoehymr54KuCA/pc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Mj+fMJJL; arc=none smtp.client-ip=209.85.222.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Mj+fMJJL" Received: by mail-qk1-f172.google.com with SMTP id af79cd13be357-914bfa75911so1119149285a.1 for ; Mon, 01 Jun 2026 11:32:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780338774; x=1780943574; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=tDSNkPnmmQDSy+EDLfUh0gYRkI6FbvhYsuUIdnXlfv4=; b=Mj+fMJJL2e1wBG1Nt/cJW/4Z+iVrPBR+JngnZ1+kOrOIzTkG5jceEbVrVjZV5P04lB NkZxnd27sX+L29/htWIIh0DAvCx8yoXjdEcnUFr7PiyiPaW50UMZ24xV8kfIzDpPm0bU ntr1S/IiTyBSgnlyOw/u7gezVi9SiAHlWi6wdH1cXF7uS5gt0V5y0yv5gYmJoWvSRA0m nIdxHmUDIqLCicfylIIFg8b0yiESZRc9qKMmflAMemZ1ESyJTMJlZgU2P1SS+P8jaFQe aiR8f5cSh0dkbEuMhQehgzJy1JgXSKq+2U4KiWBmp3QxE+l5trpKCAG0ORlxu8XJh9EP FH4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780338774; x=1780943574; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=tDSNkPnmmQDSy+EDLfUh0gYRkI6FbvhYsuUIdnXlfv4=; b=tKU0pj6/qCDYEMhyg4Aq3UR7HTOVCql9sAaZYbaiSoeaimu3b85DR5rEkOXn6+hESk g1Jrx9XrxolVVcG9PoZW2cYLSwxcgxMv66x/ogR/lvYJ6iKagjVOGsujyAtTTWibR3Av JnQ1v7ngD+cmQPeZC5gMByBY+dr6PoVqWWQXm6VYsZJNh+0AwaOAXi9RNHDZXtJwVnMK ltlpun9/zX5BPAwKGSPs9isRpZvgMQfs+DZXo1VdGCrJP00guRJDM8kNeBlKzpuQMakq xB8m+kWicXrmZyLbT0t4tDWlOpzt/xOTfqF6LZajlZi/zCpaYeUml2AaMP1sKZBYYiWM dhlQ== X-Forwarded-Encrypted: i=1; AFNElJ8UUtgmptLDL3fCTlzyun+SIKvk7xKcFQbyZPai+hizwO0p5h2JRSu3IDME1jJPUMj/PRMHWTqKkKr9GZk=@vger.kernel.org X-Gm-Message-State: AOJu0Yw6MTJMGMycc6RpD8y+/nsKfuevkNOwW22cxPwWC782s/YFUbCe wjPE6YXXP5iuVuxnvMqhmhk5yLBot3pX4NLNjcQwBLZfqkOipw1nUQAV X-Gm-Gg: Acq92OH5Ykr9bFvt0sgdjucZz/GRuc7gcDTpt4VKJkFtQR9OKG/kbpHyAOaVsuR9Bkq CaPypFNpVHeaYXzKj9D6RYefe2sytGyY2cA4QETaeaf/TX5VJv0iQ1JESb98hvJhwUhBQlB8Ci0 20RAkf57bYyjpYDA1pUOGtH8p1Rk/Jbya4bflRZvezLxN135r91obctqrrNgrIdSR+fnLeh3FqU SO8/X8yxOjcydUPFDQ3DYS6EqRI07gjk/rKlCb6IYzPLXNFdPTpIcruChCOEMVxmopJuY6OFidc ej6AE4EniHrsUyco6aZQgTyhVuczC97HWrcQkIZPnXo4Xpsm3HypV1pFY0MkWTemsnt4DBVmpa6 xipjFZO5I6r7MnAq52O/ES9HwVIbqyk2dVgwTC64PRYaXqhYaKz1xkuAUDExftE6rq0QsbiCf9c ow7Yj+nJCWeKQXjUOjS89jNA5w8clOXy4lhxaZ+RCIcRlHdRYkThM= X-Received: by 2002:a05:620a:254a:b0:90f:9d1d:7031 with SMTP id af79cd13be357-91577e80441mr118173285a.17.1780338773559; Mon, 01 Jun 2026 11:32:53 -0700 (PDT) Received: from i4-gl-tmk5904.ad.psu.edu ([130.203.156.186]) by smtp.gmail.com with ESMTPSA id af79cd13be357-915721f7d75sm141863385a.18.2026.06.01.11.32.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Jun 2026 11:32:53 -0700 (PDT) From: Yuho Choi To: Bjorn Andersson , Mathieu Poirier Cc: linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, Yuho Choi Subject: [PATCH v2] rpmsg: char: fix use-after-free on probe error path Date: Mon, 1 Jun 2026 14:32:47 -0400 Message-ID: <20260601183247.1962010-1-dbgh9129@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" rpmsg_chrdev_probe() stores the newly allocated eptdev in the default endpoint's priv pointer before calling rpmsg_chrdev_eptdev_add(). If rpmsg_chrdev_eptdev_add() then fails, its error path frees eptdev while the default endpoint may still dispatch callbacks with the stale priv pointer. Avoid publishing eptdev through the default endpoint until rpmsg_chrdev_eptdev_add() succeeds. Messages received before the priv pointer is published should be ignored by rpmsg_ept_cb(). Flow-control updates can hit rpmsg_ept_flow_cb() in the same window, so make both callbacks return success when priv is NULL. Fixes: bc69d1066569 ("rpmsg: char: Introduce the "rpmsg-raw" channel") Signed-off-by: Yuho Choi --- Changes in v2: - Use a 12-character Fixes SHA. - Drop the unnecessary asm-generic/rwonce.h include. - Handle NULL priv in rpmsg_ept_flow_cb() as well. drivers/rpmsg/rpmsg_char.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index ca9cf8858a5e..bff5aefee212 100644 --- a/drivers/rpmsg/rpmsg_char.c +++ b/drivers/rpmsg/rpmsg_char.c @@ -104,6 +104,9 @@ static int rpmsg_ept_cb(struct rpmsg_device *rpdev, voi= d *buf, int len, struct rpmsg_eptdev *eptdev =3D priv; struct sk_buff *skb; =20 + if (!eptdev) + return 0; + skb =3D alloc_skb(len, GFP_ATOMIC); if (!skb) return -ENOMEM; @@ -124,6 +127,9 @@ static int rpmsg_ept_flow_cb(struct rpmsg_device *rpdev= , void *priv, bool enable { struct rpmsg_eptdev *eptdev =3D priv; =20 + if (!eptdev) + return 0; + eptdev->remote_flow_restricted =3D enable; eptdev->remote_flow_updated =3D true; =20 @@ -490,6 +496,7 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpde= v) struct rpmsg_channel_info chinfo; struct rpmsg_eptdev *eptdev; struct device *dev =3D &rpdev->dev; + int ret; =20 memcpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE); chinfo.src =3D rpdev->src; @@ -502,13 +509,17 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rp= dev) /* Set the default_ept to the rpmsg device endpoint */ eptdev->default_ept =3D rpdev->ept; =20 + ret =3D rpmsg_chrdev_eptdev_add(eptdev, chinfo); + + if (ret) + return ret; /* * The rpmsg_ept_cb uses *priv parameter to get its rpmsg_eptdev context. - * Storedit in default_ept *priv field. + * Stored it in default_ept *priv field. */ eptdev->default_ept->priv =3D eptdev; =20 - return rpmsg_chrdev_eptdev_add(eptdev, chinfo); + return 0; } =20 static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev) --=20 2.43.0