Re: [PATCH v4 1/3] rpmsg: char: Fix WARN() in error path of rpmsg_eptdev_add()

[Mathieu Poirier <mathieu.poirier@linaro.org>]

On Tue, Nov 18, 2025 at 11:41:05PM +0800, Dawei Li wrote:
> put_device() is called on error path of rpmsg_eptdev_add() to cleanup
> resource attached to eptdev->dev, unfortunately it's bogus cause
> dev->release() is not set yet.
> 
> When a struct device instance is destroyed, driver core framework checks
> the possible release() callback from candidates below:
> - struct device::release()
> - dev->type->release()
> - dev->class->dev_release()
> 
> Rpmsg eptdev owns none of them so WARN() will complain the absence of
> release().
> 
> Fix it by:
> - Pre-assign dev->release() before potential error path.
> - Check before ida_free() in dev->release().
> 
> By fixing error path of rpmsg_eptdev_add() and fixing potential memory
> leak in rpmsg_anonymous_eptdev_create(), this work paves the way of rework
> of rpmsg_eptdev_add() and its callers.
> 
> Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
> Signed-off-by: Dawei Li <dawei.li@linux.dev>
> ---
>  drivers/rpmsg/rpmsg_char.c | 26 +++++++++++++-------------
>  1 file changed, 13 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
> index 34b35ea74aab..373b627581e8 100644
> --- a/drivers/rpmsg/rpmsg_char.c
> +++ b/drivers/rpmsg/rpmsg_char.c
> @@ -408,8 +408,13 @@ static void rpmsg_eptdev_release_device(struct device *dev)
>  {
>  	struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
>  
> -	ida_free(&rpmsg_ept_ida, dev->id);
> -	if (eptdev->dev.devt)
> +	/*
> +	 * release() can be invoked from error path of rpmsg_eptdev_add(),
> +	 * WARN() will be fired if ida_free() is feed with invalid ID.
> +	 */
> +	if (likely(ida_exists(&rpmsg_ept_ida, dev->id)))
> +		ida_free(&rpmsg_ept_ida, dev->id);
> +	if (eptdev->dev.devt && likely(ida_exists(&rpmsg_minor_ida, MINOR(eptdev->dev.devt))))
>  		ida_free(&rpmsg_minor_ida, MINOR(eptdev->dev.devt));
>  	kfree(eptdev);
>  }
> @@ -458,6 +463,8 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
>  	struct device *dev = &eptdev->dev;
>  	int ret;
>  
> +	dev->release = rpmsg_eptdev_release_device;
> +

A device's release function if for an allocated device, not to address an error
path.  This should have been left where it was.

>  	eptdev->chinfo = chinfo;
>  
>  	if (cdev) {
> @@ -471,7 +478,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
>  	/* Anonymous inode device still need device name for dev_err() and friends */
>  	ret = ida_alloc(&rpmsg_ept_ida, GFP_KERNEL);
>  	if (ret < 0)
> -		goto free_minor_ida;
> +		goto free_eptdev;
>  	dev->id = ret;
>  	dev_set_name(dev, "rpmsg%d", ret);
>  
> @@ -480,22 +487,13 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
>  	if (cdev) {
>  		ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
>  		if (ret)
> -			goto free_ept_ida;
> +			goto free_eptdev;
>  	}
>  
> -	/* We can now rely on the release function for cleanup */
> -	dev->release = rpmsg_eptdev_release_device;
> -
>  	return ret;
>  
> -free_ept_ida:
> -	ida_free(&rpmsg_ept_ida, dev->id);
> -free_minor_ida:
> -	if (cdev)
> -		ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
>  free_eptdev:
>  	put_device(dev);
> -	kfree(eptdev);

You're doing two things at the same time, i.e dealing with the kfree() _and_
put_device().  As indicated before, if this function fails the kfree() needs to
happend in the error handling of rpmsg_eptdev_add() in
rpmsg_anonymous_eptdev_create() and not in rpmsg_eptdev_release_device().

I am now at a point where I have spent too much time on this patchet -
continuing to work on it would be unfair to other people waiting for their
patches to be reviewed.  As such I have backed-out this feature from the
rpmsg-next tree.  

Thanks,
Mathieu

>  
>  	return ret;
>  }
> @@ -561,6 +559,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
>  
>  	if (!ret)
>  		*pfd = fd;
> +	else
> +		put_device(&eptdev->dev);
>  
>  	return ret;
>  }
> -- 
> 2.25.1
>