From: Dawei Li <dawei.li@linux.dev>
To: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Dan Carpenter <dan.carpenter@linaro.org>,
linux-remoteproc@vger.kernel.org, andersson@kernel.org,
dawei.li@linux.dev
Subject: Re: [bug report] rpmsg: char: Implement eptdev based on anonymous inode
Date: Tue, 11 Nov 2025 20:53:02 +0800 [thread overview]
Message-ID: <20251111125302.GA183476@wendao-VirtualBox> (raw)
In-Reply-To: <CANLsYkxTqz3QnuO3MEJoDx=ad43YbUNKiU_xtEzfiV+XAaGbdA@mail.gmail.com>
Hi Mathieu,
On Mon, Nov 10, 2025 at 10:05:44AM -0700, Mathieu Poirier wrote:
> On Wed, 22 Oct 2025 at 10:41, Mathieu Poirier
> <mathieu.poirier@linaro.org> wrote:
> >
> > On Wed, 22 Oct 2025 at 09:54, Dawei Li <dawei.li@linux.dev> wrote:
[...]
> > > > 546 ret = rpmsg_eptdev_add(eptdev, chinfo, false);
> > > > 547 if (ret) {
> > > > --> 548 dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
> > > > ^^^^^^ ^^^^^^
> > > > The rpmsg_eptdev_add() function frees "eptdev" on error.
> > > >
> > > > 549 return ret;
> > > > 550 }
[...]
> > > > 558 mutex_lock(&eptdev->ept_lock);
> > > > 559 ret = __rpmsg_eptdev_open(eptdev);
> > > >
> > > > Should we free eptdev if __rpmsg_eptdev_open() fails?
> > > >
> > > > 560 mutex_unlock(&eptdev->ept_lock);
> > >
> > > Diff below should do the trick.
> > >
> > > diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
> > > index 34b35ea74aab..c322df56394f 100644
> > > --- a/drivers/rpmsg/rpmsg_char.c
> > > +++ b/drivers/rpmsg/rpmsg_char.c
> > > @@ -494,6 +494,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
> > > if (cdev)
> > > ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
> > > free_eptdev:
> > > + dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
> > > put_device(dev);
> > > kfree(eptdev);
> > >
> > > @@ -545,7 +546,6 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
> > >
> > > ret = rpmsg_eptdev_add(eptdev, chinfo, false);
> > > if (ret) {
> > > - dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
> > > return ret;
> > > }
> > >
> > > @@ -561,6 +561,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
> > >
> > > if (!ret)
> > > *pfd = fd;
> > > + else
> > > + put_device(&eptdev->dev);
> > >
> > > return ret;
> > > }
> > >
[...]
> >
> > Please send another patch I can apply on top.
>
> I haven't received a fix for this yet. After looking into this bug
Sorry about the late response.
> report with more scrutiny I am of the opinion that @eptdev should be
> free'd in rpmsg_anonymous_eptdev_create() where it was allocated.
Yes, and it's exactly what diff above is doing.
> Furthermore, if function anon_inode_getfd() in
> rpmsg_anonymous_eptdev_create() fails, function
> rpmsg_eptdev_release_device() will be called but I don't see a call to
> cdev_device_del() in there. Am I missing something?
1. rpmsg_anonymous_eptdev_create() does _not_ create cdev, so it's not
supposed to call cdev_device_del().
https://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux.git/tree/drivers/rpmsg/rpmsg_char.c?h=rpmsg-next#n546
2. So I assume you mean "what about epdev based on chardev?". It's
simply because cdev cleanup job is on rpmsg_chrdev_eptdev_destroy(),
_not_ rpmsg_eptdev_release_device().
So my proposed fix patch still holds, IIUC:
Author: Dawei Li <dawei.li@linux.dev>
Date: Sun Oct 26 23:18:06 2025 +0800
rpmsg: char: Fix UAF and memory leak
Potential UAF and memory leak exsit in exception handling paths for
rpmsg_anonymous_eptdev_create(), fix them.
Fixes: 2410558f5f11 ("rpmsg: char: Implement eptdev based on anonymous inode")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aPi6gPZE2_ztOjIW@stanley.mountain/
Signed-off-by: Dawei Li <dawei.li@linux.dev>
diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index 34b35ea74aab..c322df56394f 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -494,6 +494,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
if (cdev)
ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
free_eptdev:
+ dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
put_device(dev);
kfree(eptdev);
@@ -545,7 +546,6 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
ret = rpmsg_eptdev_add(eptdev, chinfo, false);
if (ret) {
- dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
return ret;
}
@@ -561,6 +561,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
if (!ret)
*pfd = fd;
+ else
+ put_device(&eptdev->dev);
return ret;
}
I will send the fix patch if you find it not offending.
Thanks,
Dawei
next prev parent reply other threads:[~2025-11-11 12:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-22 11:05 [bug report] rpmsg: char: Implement eptdev based on anonymous inode Dan Carpenter
2025-10-22 15:53 ` Dawei Li
2025-10-22 16:41 ` Mathieu Poirier
2025-11-10 17:05 ` Mathieu Poirier
2025-11-11 12:53 ` Dawei Li [this message]
2025-11-11 16:41 ` Mathieu Poirier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251111125302.GA183476@wendao-VirtualBox \
--to=dawei.li@linux.dev \
--cc=andersson@kernel.org \
--cc=dan.carpenter@linaro.org \
--cc=linux-remoteproc@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.