Re: [bug report] rpmsg: char: Implement eptdev based on anonymous inode

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dawei Li <dawei.li@linux.dev>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: linux-remoteproc@vger.kernel.org, andersson@kernel.org,
	mathieu.poirier@linaro.org
Subject: Re: [bug report] rpmsg: char: Implement eptdev based on anonymous inode
Date: Wed, 22 Oct 2025 23:53:51 +0800	[thread overview]
Message-ID: <20251022155351.GA59635@wendao-VirtualBox> (raw)
In-Reply-To: <aPi6gPZE2_ztOjIW@stanley.mountain>

Hi Dan,

Thanks for the report.

On Wed, Oct 22, 2025 at 02:05:36PM +0300, Dan Carpenter wrote:
> Hello Dawei Li,
> 
> Commit 2410558f5f11 ("rpmsg: char: Implement eptdev based on
> anonymous inode") from Oct 15, 2025 (linux-next), leads to the
> following Smatch static checker warning:
> 
> 	drivers/rpmsg/rpmsg_char.c:548 rpmsg_anonymous_eptdev_create()
> 	error: dereferencing freed memory 'eptdev' (line 546)
> 
> drivers/rpmsg/rpmsg_char.c
>     538         /* Anonymous inode only supports these file flags */
>     539         if (flags & ~(O_ACCMODE | O_NONBLOCK | O_CLOEXEC))
>     540                 return -EINVAL;
>     541 
>     542         eptdev = rpmsg_eptdev_alloc(rpdev, parent, false);
>     543         if (IS_ERR(eptdev))
>     544                 return PTR_ERR(eptdev);
>     545 
>     546         ret =  rpmsg_eptdev_add(eptdev, chinfo, false);
>     547         if (ret) {
> --> 548                 dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
>                                  ^^^^^^                             ^^^^^^
> The rpmsg_eptdev_add() function frees "eptdev" on error.
> 
>     549                 return ret;
>     550         }
>     551 
>     552         fd = anon_inode_getfd("rpmsg-eptdev", &rpmsg_anonymous_eptdev_fops, eptdev, flags);
>     553         if (fd < 0) {
>     554                 put_device(&eptdev->dev);
>     555                 return fd;
>     556         }
>     557 
>     558         mutex_lock(&eptdev->ept_lock);
>     559         ret = __rpmsg_eptdev_open(eptdev);
> 
> Should we free eptdev if __rpmsg_eptdev_open() fails?
> 
>     560         mutex_unlock(&eptdev->ept_lock);
>     561 
>     562         if (!ret)
>     563                 *pfd = fd;
>     564 
>     565         return ret;
>     566 }
> 
> regards,
> dan carpenter

Diff below should do the trick.

diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index 34b35ea74aab..c322df56394f 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -494,6 +494,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
        if (cdev)
                ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
 free_eptdev:
+       dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
        put_device(dev);
        kfree(eptdev);

@@ -545,7 +546,6 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par

        ret =  rpmsg_eptdev_add(eptdev, chinfo, false);
        if (ret) {
-               dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
                return ret;
        }

@@ -561,6 +561,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par

        if (!ret)
                *pfd = fd;
+       else
+               put_device(&eptdev->dev);

        return ret;
 }

Mathieu, Bjorn,

What do you expect me to do about it?
1. Send an independent fix patch.
2. Squash the fix patch into previous ones and resend series again.
3. Wait for other (if any) bug reports and fix them in a whole.

I am fine with all of them.

Thanks,

	Dawei

next prev parent reply	other threads:[~2025-10-22 15:54 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-22 11:05 [bug report] rpmsg: char: Implement eptdev based on anonymous inode Dan Carpenter
2025-10-22 15:53 ` Dawei Li [this message]
2025-10-22 16:41   ` Mathieu Poirier
2025-11-10 17:05     ` Mathieu Poirier
2025-11-11 12:53       ` Dawei Li
2025-11-11 16:41         ` Mathieu Poirier

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:34b35ea74aa dfblob:c322df56394 )
 OR (
bs:"Re: [bug report] rpmsg: char: Implement eptdev based on anonymous inode" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251022155351.GA59635@wendao-VirtualBox \
    --to=dawei.li@linux.dev \
    --cc=andersson@kernel.org \
    --cc=dan.carpenter@linaro.org \
    --cc=linux-remoteproc@vger.kernel.org \
    --cc=mathieu.poirier@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.