From: Dawei Li <dawei.li@linux.dev>
To: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Dan Carpenter <dan.carpenter@linaro.org>,
linux-remoteproc@vger.kernel.org, andersson@kernel.org,
dawei.li@linux.dev
Subject: Re: [bug report] rpmsg: char: Implement eptdev based on anonymous inode
Date: Tue, 11 Nov 2025 20:53:02 +0800 [thread overview]
Message-ID: <20251111125302.GA183476@wendao-VirtualBox> (raw)
In-Reply-To: <CANLsYkxTqz3QnuO3MEJoDx=ad43YbUNKiU_xtEzfiV+XAaGbdA@mail.gmail.com>
Hi Mathieu,
On Mon, Nov 10, 2025 at 10:05:44AM -0700, Mathieu Poirier wrote:
> On Wed, 22 Oct 2025 at 10:41, Mathieu Poirier
> <mathieu.poirier@linaro.org> wrote:
> >
> > On Wed, 22 Oct 2025 at 09:54, Dawei Li <dawei.li@linux.dev> wrote:
[...]
> > > > 546 ret = rpmsg_eptdev_add(eptdev, chinfo, false);
> > > > 547 if (ret) {
> > > > --> 548 dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
> > > > ^^^^^^ ^^^^^^
> > > > The rpmsg_eptdev_add() function frees "eptdev" on error.
> > > >
> > > > 549 return ret;
> > > > 550 }
[...]
> > > > 558 mutex_lock(&eptdev->ept_lock);
> > > > 559 ret = __rpmsg_eptdev_open(eptdev);
> > > >
> > > > Should we free eptdev if __rpmsg_eptdev_open() fails?
> > > >
> > > > 560 mutex_unlock(&eptdev->ept_lock);
> > >
> > > Diff below should do the trick.
> > >
> > > diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
> > > index 34b35ea74aab..c322df56394f 100644
> > > --- a/drivers/rpmsg/rpmsg_char.c
> > > +++ b/drivers/rpmsg/rpmsg_char.c
> > > @@ -494,6 +494,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
> > > if (cdev)
> > > ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
> > > free_eptdev:
> > > + dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
> > > put_device(dev);
> > > kfree(eptdev);
> > >
> > > @@ -545,7 +546,6 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
> > >
> > > ret = rpmsg_eptdev_add(eptdev, chinfo, false);
> > > if (ret) {
> > > - dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
> > > return ret;
> > > }
> > >
> > > @@ -561,6 +561,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
> > >
> > > if (!ret)
> > > *pfd = fd;
> > > + else
> > > + put_device(&eptdev->dev);
> > >
> > > return ret;
> > > }
> > >
[...]
> >
> > Please send another patch I can apply on top.
>
> I haven't received a fix for this yet. After looking into this bug
Sorry about the late response.
> report with more scrutiny I am of the opinion that @eptdev should be
> free'd in rpmsg_anonymous_eptdev_create() where it was allocated.
Yes, and it's exactly what diff above is doing.
> Furthermore, if function anon_inode_getfd() in
> rpmsg_anonymous_eptdev_create() fails, function
> rpmsg_eptdev_release_device() will be called but I don't see a call to
> cdev_device_del() in there. Am I missing something?
1. rpmsg_anonymous_eptdev_create() does _not_ create cdev, so it's not
supposed to call cdev_device_del().
https://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux.git/tree/drivers/rpmsg/rpmsg_char.c?h=rpmsg-next#n546
2. So I assume you mean "what about epdev based on chardev?". It's
simply because cdev cleanup job is on rpmsg_chrdev_eptdev_destroy(),
_not_ rpmsg_eptdev_release_device().
So my proposed fix patch still holds, IIUC:
Author: Dawei Li <dawei.li@linux.dev>
Date: Sun Oct 26 23:18:06 2025 +0800
rpmsg: char: Fix UAF and memory leak
Potential UAF and memory leak exsit in exception handling paths for
rpmsg_anonymous_eptdev_create(), fix them.
Fixes: 2410558f5f11 ("rpmsg: char: Implement eptdev based on anonymous inode")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aPi6gPZE2_ztOjIW@stanley.mountain/
Signed-off-by: Dawei Li <dawei.li@linux.dev>
diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index 34b35ea74aab..c322df56394f 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -494,6 +494,7 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev,
if (cdev)
ida_free(&rpmsg_minor_ida, MINOR(dev->devt));
free_eptdev:
+ dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
put_device(dev);
kfree(eptdev);
@@ -545,7 +546,6 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
ret = rpmsg_eptdev_add(eptdev, chinfo, false);
if (ret) {
- dev_err(&eptdev->dev, "failed to add %s\n", eptdev->chinfo.name);
return ret;
}
@@ -561,6 +561,8 @@ int rpmsg_anonymous_eptdev_create(struct rpmsg_device *rpdev, struct device *par
if (!ret)
*pfd = fd;
+ else
+ put_device(&eptdev->dev);
return ret;
}
I will send the fix patch if you find it not offending.
Thanks,
Dawei
next prev parent reply other threads:[~2025-11-11 12:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-22 11:05 [bug report] rpmsg: char: Implement eptdev based on anonymous inode Dan Carpenter
2025-10-22 15:53 ` Dawei Li
2025-10-22 16:41 ` Mathieu Poirier
2025-11-10 17:05 ` Mathieu Poirier
2025-11-11 12:53 ` Dawei Li [this message]
2025-11-11 16:41 ` Mathieu Poirier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251111125302.GA183476@wendao-VirtualBox \
--to=dawei.li@linux.dev \
--cc=andersson@kernel.org \
--cc=dan.carpenter@linaro.org \
--cc=linux-remoteproc@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox