On Mon, Jan 12, 2026 at 05:02:21PM +0800, Xingjing Deng wrote: > fastrpc_init_create_static_process() may free cctx->remote_heap on the > err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove() > frees cctx->remote_heap again if it is non-NULL, which can lead to a > double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg > device is subsequently removed/unbound. > Clear cctx->remote_heap after freeing it in the error path to prevent the > later cleanup from freeing it again. > > Signed-off-by: Xingjing Deng <[email protected]> > --- > drivers/misc/fastrpc.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index ee652ef01534..fb3b54e05928 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -1370,6 +1370,7 @@ static int fastrpc_init_create_static_process(struct > fastrpc_user *fl, > } > err_map: > fastrpc_buf_free(fl->cctx->remote_heap); > + fl->cctx->remote_heap = NULL; > err_name: > kfree(name); > err: > -- > 2.25.1 >
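Review bot: the hunk at err_map is missing a Fixes: tag naming the commit that introduced the err_map free of cctx->remote_heap, and a Cc: stable@vger.kernel.org line, since the commit message describes a double free reachable from the INIT_CREATE_STATIC ioctl error path followed by fastrpc_rpmsg_remove(); adding `Fixes: <commit-id> ("...")` and `Cc: stable@vger.kernel.org` above the Signed-off-by would let the fix be picked up by stable trees. The one-line change itself, `fl->cctx->remote_heap = NULL;` directly after `fastrpc_buf_free(fl->cctx->remote_heap);`, matches the pattern used by the later cleanup, which only frees the buffer when the pointer is non-NULL.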
What commit id does this fix?

Should it go to stable kernels?

thanks,

greg k-h
