From: Dawei Li <dawei.li@linux.dev>
To: andersson@kernel.org, mathieu.poirier@linaro.org
Cc: linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org,
dawei.li@linux.dev, set_pte_at@outlook.com,
Dan Carpenter <dan.carpenter@linaro.org>
Subject: [PATCH v3 3/3] rpmsg: char: Rework exception handling of rpmsg_eptdev_add()
Date: Thu, 13 Nov 2025 23:39:09 +0800 [thread overview]
Message-ID: <20251113153909.3789-4-dawei.li@linux.dev> (raw)
In-Reply-To: <20251113153909.3789-1-dawei.li@linux.dev>
Rework error handling of rpmsg_eptdev_add() and its callers, following
the rule of "release resource where it's allocated".
Fixes: 2410558f5f11 ("rpmsg: char: Implement eptdev based on anonymous inode")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aPi6gPZE2_ztOjIW@stanley.mountain/
Signed-off-by: Dawei Li <dawei.li@linux.dev>
---
drivers/rpmsg/rpmsg_char.c | 60 +++++++++++++++++++++-----------------
1 file changed, 33 insertions(+), 27 deletions(-)
diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index 0919ad0a19df..92c176e9b0e4 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -460,44 +460,34 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
eptdev->chinfo = chinfo;
- if (cdev) {
- ret = ida_alloc_max(&rpmsg_minor_ida, RPMSG_DEV_MAX - 1, GFP_KERNEL);
- if (ret < 0)
- goto free_eptdev;
-
- dev->devt = MKDEV(MAJOR(rpmsg_major), ret);
- }
-
/* Anonymous inode device still need device name for dev_err() and friends */
ret = ida_alloc(&rpmsg_ept_ida, GFP_KERNEL);
if (ret < 0)
- goto free_minor_ida;
+ return ret;
dev->id = ret;
dev_set_name(dev, "rpmsg%d", ret);
- ret = 0;
-
if (cdev) {
+ ret = ida_alloc_max(&rpmsg_minor_ida, RPMSG_DEV_MAX - 1, GFP_KERNEL);
+ if (ret < 0) {
+ ida_free(&rpmsg_ept_ida, dev->id);
+ return ret;
+ }
+
+ dev->devt = MKDEV(MAJOR(rpmsg_major), ret);
+
ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
- if (ret)
- goto free_ept_ida;
+ if (ret) {
+ ida_free(&rpmsg_ept_ida, dev->id);
+ ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
+ return ret;
+ }
}
/* We can now rely on the release function for cleanup */
dev->release = rpmsg_eptdev_release_device;
- return ret;
-
-free_ept_ida:
- ida_free(&rpmsg_ept_ida, dev->id);
-free_minor_ida:
- if (cdev)
- ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
-free_eptdev:
- dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
- kfree(eptdev);
-
- return ret;
+ return 0;
}
static int rpmsg_chrdev_eptdev_add(struct rpmsg_eptdev *eptdev, struct rpmsg_channel_info chinfo)
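Review bot: The failure returns that follow `dev_set_name(dev, "rpmsg%d", ret)` give back the IDA entries but not the name string, and the callers then free eptdev with a plain kfree() instead of put_device(). For a formatted name dev_set_name() allocates the string, which is normally released only when the kobject is cleaned up, so each of these paths appears to leak it. Freeing it before returning would close that, for example `kfree_const(dev->kobj.name); dev->kobj.name = NULL;` in both error branches inside `if (cdev)`. The return value of dev_set_name() is also ignored here. The function begins outside the hunk, so whether device_initialize() has already run on this device is inferred from the callers' comments, not visible.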
@@ -509,12 +499,17 @@ int rpmsg_chrdev_eptdev_create(struct rpmsg_device *rpdev, struct device *parent
struct rpmsg_channel_info chinfo)
{
struct rpmsg_eptdev *eptdev;
+ int ret;
eptdev = rpmsg_chrdev_eptdev_alloc(rpdev, parent);
if (IS_ERR(eptdev))
return PTR_ERR(eptdev);
- return rpmsg_chrdev_eptdev_add(eptdev, chinfo);
+ ret = rpmsg_chrdev_eptdev_add(eptdev, chinfo);
+ if (ret)
+ kfree(eptdev);
+
+ return ret;
}
EXPORT_SYMBOL(rpmsg_chrdev_eptdev_create);
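Review bot: The "failed to add" message that rpmsg_eptdev_add() used to print is now emitted only in rpmsg_anonymous_eptdev_create(), so this failure branch and the matching one in rpmsg_chrdev_probe() free eptdev silently. The body of rpmsg_chrdev_eptdev_add() is not in the patch, so it may log on its own, but if it is a thin wrapper the diagnostic is lost for both character-device paths. Consider adding `dev_err(&eptdev->dev, "failed to add %s\n", chinfo.name);` before `kfree(eptdev)`. A one-line comment saying that kfree() is used because `dev->release` is not yet set would also help, since that reasoning is only written down in the anonymous path.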
@@ -545,6 +540,12 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
ret = rpmsg_eptdev_add(eptdev, chinfo, false);
if (ret) {
+ dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
+ /*
+ * Avoid put_device() or WARN() will be triggered due to absence of
+ * device::release(), refer to device_release().
+ */
+ kfree(eptdev);
return ret;
}
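Review bot: The new comment above `kfree(eptdev)` is hard to parse and reads as if put_device() and WARN() were alternatives. Something like `/* dev->release is not set on this path, so put_device() would hit the WARN() in device_release(); free eptdev directly. */` states the reason plainly. Separately, when rpmsg_eptdev_add() fails at its first ida_alloc(), dev_set_name() has not run, so the `dev_err(&eptdev->dev, ...)` here prints without a device name. Logging against the parent device would avoid that, if one is in scope; the start of the function is outside the hunk.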
@@ -572,6 +573,7 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev)
struct rpmsg_channel_info chinfo;
struct rpmsg_eptdev *eptdev;
struct device *dev = &rpdev->dev;
+ int ret;
memcpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE);
chinfo.src = rpdev->src;
@@ -590,7 +592,11 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev)
*/
eptdev->default_ept->priv = eptdev;
- return rpmsg_chrdev_eptdev_add(eptdev, chinfo);
+ ret = rpmsg_chrdev_eptdev_add(eptdev, chinfo);
+ if (ret)
+ kfree(eptdev);
+
+ return ret;
}
static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev)
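Review bot: `eptdev->default_ept->priv = eptdev` is stored before the add, and the new failure branch frees eptdev without clearing it, so the endpoint is left holding a pointer to freed memory. Where default_ept comes from and when it is torn down are outside the hunk. If its callback can still run between this kfree() and the endpoint's destruction, it would dereference the freed object. Consider resetting it with `eptdev->default_ept->priv = NULL;` before `kfree(eptdev)`, provided the callback tolerates a NULL priv, or confirm in a comment that the endpoint cannot deliver messages once probe has failed.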
--
2.25.1