All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2 0/3] rpmsg: virtio: fix posseble double free
@ 2022-04-26  6:05 Hangyu Hua
  2022-04-26  6:05 ` [PATCH v2 1/3] rpmsg: virtio: fix possible double free in rpmsg_probe() Hangyu Hua
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Hangyu Hua @ 2022-04-26  6:05 UTC (permalink / raw)
  To: bjorn.andersson, mathieu.poirier, arnaud.pouliquen
  Cc: linux-remoteproc, linux-kernel, Hangyu Hua

There are double free in rpmsg_probe() and rpmsg_virtio_add_ctrl_dev().
In addition, rpmsg_virtio_del_ctrl_dev() didn't use correct function
to free the object.

v2:
Use a cover letter to integrate the three patches.
Add comments in rpmsg_probe() and rpmsg_virtio_add_ctrl_dev().


Hangyu Hua (2):
  rpmsg: virtio: fix possible double free in rpmsg_probe()
  rpmsg: virtio: fix possible double free in rpmsg_virtio_add_ctrl_dev()
Arnaud Pouliquen (1):
  rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl

 drivers/rpmsg/virtio_rpmsg_bus.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

-- 
2.25.1


^ permalink raw reply	[flat|nested] 7+ messages in thread
* [PATCH v2 1/3] rpmsg: virtio: fix possible double free in rpmsg_probe()
  2022-04-26  6:05 [PATCH v2 0/3] rpmsg: virtio: fix posseble double free Hangyu Hua
@ 2022-04-26  6:05 ` Hangyu Hua
  2022-04-26  6:05 ` [PATCH v2 2/3] rpmsg: virtio: fix possible double free in rpmsg_virtio_add_ctrl_dev() Hangyu Hua
  2022-04-26  6:05 ` [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl Hangyu Hua
  2 siblings, 0 replies; 7+ messages in thread
From: Hangyu Hua @ 2022-04-26  6:05 UTC (permalink / raw)
  To: bjorn.andersson, mathieu.poirier, arnaud.pouliquen
  Cc: linux-remoteproc, linux-kernel, Hangyu Hua

vch will be free in virtio_rpmsg_release_device() when
rpmsg_ns_register_device() fails. There is no need to call kfree() again.

Fix this by changing error path from free_vch to free_ctrldev.

Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Tested-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
---
 drivers/rpmsg/virtio_rpmsg_bus.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
index 3ede25b1f2e4..0130d0ba548c 100644
--- a/drivers/rpmsg/virtio_rpmsg_bus.c
+++ b/drivers/rpmsg/virtio_rpmsg_bus.c
@@ -973,7 +973,8 @@ static int rpmsg_probe(struct virtio_device *vdev)
 
 		err = rpmsg_ns_register_device(rpdev_ns);
 		if (err)
-			goto free_vch;
+			/* vch will be free in virtio_rpmsg_release_device() */
+			goto free_ctrldev;
 	}
 
 	/*
@@ -997,8 +998,6 @@ static int rpmsg_probe(struct virtio_device *vdev)
 
 	return 0;
 
-free_vch:
-	kfree(vch);
 free_ctrldev:
 	rpmsg_virtio_del_ctrl_dev(rpdev_ctrl);
 free_coherent:
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread
* [PATCH v2 2/3] rpmsg: virtio: fix possible double free in rpmsg_virtio_add_ctrl_dev()
  2022-04-26  6:05 [PATCH v2 0/3] rpmsg: virtio: fix posseble double free Hangyu Hua
  2022-04-26  6:05 ` [PATCH v2 1/3] rpmsg: virtio: fix possible double free in rpmsg_probe() Hangyu Hua
@ 2022-04-26  6:05 ` Hangyu Hua
  2022-04-26  6:05 ` [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl Hangyu Hua
  2 siblings, 0 replies; 7+ messages in thread
From: Hangyu Hua @ 2022-04-26  6:05 UTC (permalink / raw)
  To: bjorn.andersson, mathieu.poirier, arnaud.pouliquen
  Cc: linux-remoteproc, linux-kernel, Hangyu Hua

vch will be free in virtio_rpmsg_release_device() when
rpmsg_ctrldev_register_device() fails. There is no need to call
kfree() again.

Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Tested-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
---
 drivers/rpmsg/virtio_rpmsg_bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
index 0130d0ba548c..291fc1cfab7f 100644
--- a/drivers/rpmsg/virtio_rpmsg_bus.c
+++ b/drivers/rpmsg/virtio_rpmsg_bus.c
@@ -851,7 +851,7 @@ static struct rpmsg_device *rpmsg_virtio_add_ctrl_dev(struct virtio_device *vdev
 
 	err = rpmsg_ctrldev_register_device(rpdev_ctrl);
 	if (err) {
-		kfree(vch);
+		/* vch will be free in virtio_rpmsg_release_device() */
 		return ERR_PTR(err);
 	}
 
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread
* [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl
  2022-04-26  6:05 [PATCH v2 0/3] rpmsg: virtio: fix posseble double free Hangyu Hua
  2022-04-26  6:05 ` [PATCH v2 1/3] rpmsg: virtio: fix possible double free in rpmsg_probe() Hangyu Hua
  2022-04-26  6:05 ` [PATCH v2 2/3] rpmsg: virtio: fix possible double free in rpmsg_virtio_add_ctrl_dev() Hangyu Hua
@ 2022-04-26  6:05 ` Hangyu Hua
  2022-04-26 16:56   ` Mathieu Poirier
  2 siblings, 1 reply; 7+ messages in thread
From: Hangyu Hua @ 2022-04-26  6:05 UTC (permalink / raw)
  To: bjorn.andersson, mathieu.poirier, arnaud.pouliquen
  Cc: linux-remoteproc, linux-kernel, Hangyu Hua

Unregister the rpmsg_ctrl device instead of just freeing the
the virtio_rpmsg_channel structure.
This will properly unregister the device and call
virtio_rpmsg_release_device() that frees the structure.

Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device")
Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Cc: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Hangyu Hua <hbh25y@gmail.com>
---
 drivers/rpmsg/virtio_rpmsg_bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
index 291fc1cfab7f..485e95f506df 100644
--- a/drivers/rpmsg/virtio_rpmsg_bus.c
+++ b/drivers/rpmsg/virtio_rpmsg_bus.c
@@ -862,7 +862,7 @@ static void rpmsg_virtio_del_ctrl_dev(struct rpmsg_device *rpdev_ctrl)
 {
 	if (!rpdev_ctrl)
 		return;
-	kfree(to_virtio_rpmsg_channel(rpdev_ctrl));
+	device_unregister(&rpdev_ctrl->dev);
 }
 
 static int rpmsg_probe(struct virtio_device *vdev)
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread
* Re: [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl
  2022-04-26  6:05 ` [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl Hangyu Hua
@ 2022-04-26 16:56   ` Mathieu Poirier
  2022-04-27  2:50     ` Hangyu Hua
  0 siblings, 1 reply; 7+ messages in thread
From: Mathieu Poirier @ 2022-04-26 16:56 UTC (permalink / raw)
  To: Hangyu Hua
  Cc: bjorn.andersson, arnaud.pouliquen, linux-remoteproc, linux-kernel

On Tue, Apr 26, 2022 at 02:05:36PM +0800, Hangyu Hua wrote:
> Unregister the rpmsg_ctrl device instead of just freeing the
> the virtio_rpmsg_channel structure.
> This will properly unregister the device and call
> virtio_rpmsg_release_device() that frees the structure.
> 
> Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device")
> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
> Cc: Hangyu Hua <hbh25y@gmail.com>
> Reviewed-by: Hangyu Hua <hbh25y@gmail.com>
> ---
>  drivers/rpmsg/virtio_rpmsg_bus.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
> index 291fc1cfab7f..485e95f506df 100644
> --- a/drivers/rpmsg/virtio_rpmsg_bus.c
> +++ b/drivers/rpmsg/virtio_rpmsg_bus.c
> @@ -862,7 +862,7 @@ static void rpmsg_virtio_del_ctrl_dev(struct rpmsg_device *rpdev_ctrl)
>  {
>  	if (!rpdev_ctrl)
>  		return;
> -	kfree(to_virtio_rpmsg_channel(rpdev_ctrl));
> +	device_unregister(&rpdev_ctrl->dev);

The author of this patch should have been Arnaud, something I have fixed before
applying this set.

Thanks,
Mathieu

>  }
>  
>  static int rpmsg_probe(struct virtio_device *vdev)
> -- 
> 2.25.1
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl
  2022-04-26 16:56   ` Mathieu Poirier
@ 2022-04-27  2:50     ` Hangyu Hua
  2022-04-27 14:37       ` Mathieu Poirier
  0 siblings, 1 reply; 7+ messages in thread
From: Hangyu Hua @ 2022-04-27  2:50 UTC (permalink / raw)
  To: Mathieu Poirier
  Cc: bjorn.andersson, arnaud.pouliquen, linux-remoteproc, linux-kernel

On 2022/4/27 00:56, Mathieu Poirier wrote:
> On Tue, Apr 26, 2022 at 02:05:36PM +0800, Hangyu Hua wrote:
>> Unregister the rpmsg_ctrl device instead of just freeing the
>> the virtio_rpmsg_channel structure.
>> This will properly unregister the device and call
>> virtio_rpmsg_release_device() that frees the structure.
>>
>> Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device")
>> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
>> Cc: Hangyu Hua <hbh25y@gmail.com>
>> Reviewed-by: Hangyu Hua <hbh25y@gmail.com>
>> ---
>>   drivers/rpmsg/virtio_rpmsg_bus.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
>> index 291fc1cfab7f..485e95f506df 100644
>> --- a/drivers/rpmsg/virtio_rpmsg_bus.c
>> +++ b/drivers/rpmsg/virtio_rpmsg_bus.c
>> @@ -862,7 +862,7 @@ static void rpmsg_virtio_del_ctrl_dev(struct rpmsg_device *rpdev_ctrl)
>>   {
>>   	if (!rpdev_ctrl)
>>   		return;
>> -	kfree(to_virtio_rpmsg_channel(rpdev_ctrl));
>> +	device_unregister(&rpdev_ctrl->dev);
> 
> The author of this patch should have been Arnaud, something I have fixed before
> applying this set.
> 
> Thanks,
> Mathieu
> 

I get it. I'm sorry i thought Signed-off-by and a description in cover 
letter are enough to express. Do i need to do anything else?

Thanks,
Hangyu
>>   }
>>   
>>   static int rpmsg_probe(struct virtio_device *vdev)
>> -- 
>> 2.25.1
>>

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl
  2022-04-27  2:50     ` Hangyu Hua
@ 2022-04-27 14:37       ` Mathieu Poirier
  0 siblings, 0 replies; 7+ messages in thread
From: Mathieu Poirier @ 2022-04-27 14:37 UTC (permalink / raw)
  To: Hangyu Hua
  Cc: bjorn.andersson, arnaud.pouliquen, linux-remoteproc, linux-kernel

On Tue, 26 Apr 2022 at 20:50, Hangyu Hua <hbh25y@gmail.com> wrote:
>
> On 2022/4/27 00:56, Mathieu Poirier wrote:
> > On Tue, Apr 26, 2022 at 02:05:36PM +0800, Hangyu Hua wrote:
> >> Unregister the rpmsg_ctrl device instead of just freeing the
> >> the virtio_rpmsg_channel structure.
> >> This will properly unregister the device and call
> >> virtio_rpmsg_release_device() that frees the structure.
> >>
> >> Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device")
> >> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
> >> Cc: Hangyu Hua <hbh25y@gmail.com>
> >> Reviewed-by: Hangyu Hua <hbh25y@gmail.com>
> >> ---
> >>   drivers/rpmsg/virtio_rpmsg_bus.c | 2 +-
> >>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
> >> index 291fc1cfab7f..485e95f506df 100644
> >> --- a/drivers/rpmsg/virtio_rpmsg_bus.c
> >> +++ b/drivers/rpmsg/virtio_rpmsg_bus.c
> >> @@ -862,7 +862,7 @@ static void rpmsg_virtio_del_ctrl_dev(struct rpmsg_device *rpdev_ctrl)
> >>   {
> >>      if (!rpdev_ctrl)
> >>              return;
> >> -    kfree(to_virtio_rpmsg_channel(rpdev_ctrl));
> >> +    device_unregister(&rpdev_ctrl->dev);
> >
> > The author of this patch should have been Arnaud, something I have fixed before
> > applying this set.
> >
> > Thanks,
> > Mathieu
> >
>
> I get it. I'm sorry i thought Signed-off-by and a description in cover
> letter are enough to express. Do i need to do anything else?

I don't.

>
> Thanks,
> Hangyu
> >>   }
> >>
> >>   static int rpmsg_probe(struct virtio_device *vdev)
> >> --
> >> 2.25.1
> >>

^ permalink raw reply	[flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-04-27 14:38 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-26  6:05 [PATCH v2 0/3] rpmsg: virtio: fix posseble double free Hangyu Hua
2022-04-26  6:05 ` [PATCH v2 1/3] rpmsg: virtio: fix possible double free in rpmsg_probe() Hangyu Hua
2022-04-26  6:05 ` [PATCH v2 2/3] rpmsg: virtio: fix possible double free in rpmsg_virtio_add_ctrl_dev() Hangyu Hua
2022-04-26  6:05 ` [PATCH v2 3/3] rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl Hangyu Hua
2022-04-26 16:56   ` Mathieu Poirier
2022-04-27  2:50     ` Hangyu Hua
2022-04-27 14:37       ` Mathieu Poirier

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.