[PATCH v4 1/3] rpmsg: char: Fix WARN() in error path of rpmsg_eptdev_add()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dawei Li <dawei.li@linux.dev>
To: andersson@kernel.org, mathieu.poirier@linaro.org
Cc: linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org,
	dawei.li@linux.dev, set_pte_at@outlook.com
Subject: [PATCH v4 1/3] rpmsg: char: Fix WARN() in error path of rpmsg_eptdev_add()
Date: Tue, 18 Nov 2025 23:41:05 +0800	[thread overview]
Message-ID: <20251118154107.3100-2-dawei.li@linux.dev> (raw)
In-Reply-To: <20251118154107.3100-1-dawei.li@linux.dev>

put_device() is called on error path of rpmsg_eptdev_add() to cleanup
resource attached to eptdev->dev, unfortunately it's bogus cause
dev->release() is not set yet.

When a struct device instance is destroyed, driver core framework checks
the possible release() callback from candidates below:
- struct device::release()
- dev->type->release()
- dev->class->dev_release()

Rpmsg eptdev owns none of them so WARN() will complain the absence of
release().

Fix it by:
- Pre-assign dev->release() before potential error path.
- Check before ida_free() in dev->release().

By fixing error path of rpmsg_eptdev_add() and fixing potential memory
leak in rpmsg_anonymous_eptdev_create(), this work paves the way of rework
of rpmsg_eptdev_add() and its callers.

Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
Signed-off-by: Dawei Li <dawei.li@linux.dev>
---
 drivers/rpmsg/rpmsg_char.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index 34b35ea74aab..373b627581e8 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -408,8 +408,13 @@ static void rpmsg_eptdev_release_device(struct device *dev)
 {
 	struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
 
-	ida_free(&rpmsg_ept_ida, dev->id);
-	if (eptdev->dev.devt)
+	/*
+	 * release() can be invoked from error path of rpmsg_eptdev_add(),
+	 * WARN() will be fired if ida_free() is feed with invalid ID.
+	 */
+	if (likely(ida_exists(&rpmsg_ept_ida, dev->id)))
+		ida_free(&rpmsg_ept_ida, dev->id);
+	if (eptdev->dev.devt && likely(ida_exists(&rpmsg_minor_ida, MINOR(eptdev->dev.devt))))
 		ida_free(&rpmsg_minor_ida, MINOR(eptdev->dev.devt));
 	kfree(eptdev);
 }
@@ -458,6 +463,8 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
 	struct device *dev = &eptdev->dev;
 	int ret;
 
+	dev->release = rpmsg_eptdev_release_device;
+
 	eptdev->chinfo = chinfo;
 
 	if (cdev) {
@@ -471,7 +478,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
 	/* Anonymous inode device still need device name for dev_err() and friends */
 	ret = ida_alloc(&rpmsg_ept_ida, GFP_KERNEL);
 	if (ret < 0)
-		goto free_minor_ida;
+		goto free_eptdev;
 	dev->id = ret;
 	dev_set_name(dev, "rpmsg%d", ret);
 
@@ -480,22 +487,13 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
 	if (cdev) {
 		ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
 		if (ret)
-			goto free_ept_ida;
+			goto free_eptdev;
 	}
 
-	/* We can now rely on the release function for cleanup */
-	dev->release = rpmsg_eptdev_release_device;
-
 	return ret;
 
-free_ept_ida:
-	ida_free(&rpmsg_ept_ida, dev->id);
-free_minor_ida:
-	if (cdev)
-		ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
 free_eptdev:
 	put_device(dev);
-	kfree(eptdev);
 
 	return ret;
 }
@@ -561,6 +559,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
 
 	if (!ret)
 		*pfd = fd;
+	else
+		put_device(&eptdev->dev);
 
 	return ret;
 }
-- 
2.25.1

next prev parent reply	other threads:[~2025-11-18 15:41 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-18 15:41 [PATCH v4 0/3] Fixes and rework of rpmsg_eptdev_add() Dawei Li
2025-11-18 15:41 ` Dawei Li [this message]
2025-11-19  4:07   ` [PATCH v4 1/3] rpmsg: char: Fix WARN() in error path " Zhongqiu Han
2025-11-19 10:56     ` Dawei Li
2025-11-19 12:26       ` Zhongqiu Han
2025-11-19 17:14   ` Mathieu Poirier
2025-11-18 15:41 ` [PATCH v4 2/3] rpmsg: char: Rework of rpmsg_eptdev_add() and its callers Dawei Li
2025-11-19 13:03   ` Zhongqiu Han
2025-11-18 15:41 ` [PATCH v4 3/3] rpmsg: char: Merge cdev branches in rpmsg_eptdev_add() Dawei Li

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:34b35ea74aa dfblob:373b627581e )
 OR (
bs:"[PATCH v4 1/3] rpmsg: char: Fix WARN() in error path of rpmsg_eptdev_add()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251118154107.3100-2-dawei.li@linux.dev \
    --to=dawei.li@linux.dev \
    --cc=andersson@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-remoteproc@vger.kernel.org \
    --cc=mathieu.poirier@linaro.org \
    --cc=set_pte_at@outlook.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.