On Mon, Jan 12, 2026 at 04:15:01PM +0800, Xingjing Deng wrote:
> While reviewing drivers/misc/fastrpc.c, I noticed a potential lifetime
> issue around struct fastrpc_buf *remote_heap;
> In fastrpc_init_create_static_process(), the error path err_map: frees
> fl->cctx->remote_heap but does not clear the pointer (set to NULL).
> Later, in fastrpc_rpmsg_remove(), the code frees cctx->remote_heap
> again if it is non-NULL.
>
> Call paths (as I understand them)
>
> 1) First free (ioctl error path):
>
> fastrpc_fops.unlocked_ioctl → fastrpc_device_ioctl()
> FASTRPC_IOCTL_INIT_CREATE_STATIC → fastrpc_init_create_static_process()
> err_map: → fastrpc_buf_free(fl->cctx->remote_heap) (pointer not cleared)
>
> 2) Second free (rpmsg remove path):
>
> rpmsg driver .remove → fastrpc_rpmsg_remove()
> if (cctx->remote_heap) fastrpc_buf_free(cctx->remote_heap);
>
Hi,

Please note, stable@vger is not the email address to be asking about this, it is only for stable kernel release stuff.

And do you have a potential patch to resolve this issue? That's the simplest way to get it fixed up and to show what you are discussing.

thanks,

greg k-h
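A constructed C model of the two call paths described in the quoted report, added here as an illustration; it is not code from drivers/misc/fastrpc.c nor from any posted patch. The struct and function names are simplified stand-ins, buffers are tracked with a `freed` flag instead of real allocation so the second free can be counted rather than corrupt memory, and the `clear` argument selects whether the error path resets the pointer to NULL (the remedy the report implies) or leaves it dangling (the reported behaviour).

```c
#include <stddef.h>

/* Constructed stand-ins for the driver's types; not the real definitions. */
struct fastrpc_buf { int freed; };
struct fastrpc_channel_ctx { struct fastrpc_buf *remote_heap; };
struct fastrpc_user { struct fastrpc_channel_ctx *cctx; };

static int free_calls;    /* every call to the free stand-in */
static int double_frees;  /* calls on a buffer that was already freed */

/* Stand-in for fastrpc_buf_free(): records a second free instead of
 * corrupting the allocator as a real double kfree() would. */
static void fastrpc_buf_free(struct fastrpc_buf *buf)
{
	free_calls++;
	if (buf->freed)
		double_frees++;
	buf->freed = 1;
}

/* Models the err_map: error path of fastrpc_init_create_static_process().
 * With clear == 0 the pointer is left dangling, as in the report. */
static int init_create_static_process(struct fastrpc_user *fl, int clear)
{
	/* ... mapping fails, execution reaches err_map: ... */
	fastrpc_buf_free(fl->cctx->remote_heap);
	if (clear)
		fl->cctx->remote_heap = NULL;
	return -1;	/* error propagated back through the ioctl */
}

/* Models fastrpc_rpmsg_remove(): frees remote_heap if it is non-NULL. */
static void rpmsg_remove(struct fastrpc_channel_ctx *cctx)
{
	if (cctx->remote_heap) {
		fastrpc_buf_free(cctx->remote_heap);
		cctx->remote_heap = NULL;
	}
}

/* Runs the ioctl error path followed by rpmsg remove and returns how
 * many double frees occurred: 1 when the pointer is not cleared, 0 when
 * the error path resets it to NULL. */
int run_scenario(int clear)
{
	struct fastrpc_buf heap = { .freed = 0 };
	struct fastrpc_channel_ctx cctx = { .remote_heap = &heap };
	struct fastrpc_user fl = { .cctx = &cctx };

	free_calls = 0;
	double_frees = 0;
	init_create_static_process(&fl, clear);
	rpmsg_remove(&cctx);
	return double_frees;
}
```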
