* [PATCH v1] misc: fastrpc: fix channel ctx ref leak when session alloc fails
@ 2026-05-25 8:53 Anandu Krishnan E
2026-05-25 9:16 ` Dmitry Baryshkov
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Anandu Krishnan E @ 2026-05-25 8:53 UTC
To: srini, linux-arm-msm
Cc: gregkh, quic_bkumar, linux-kernel, quic_chennak, dri-devel, arnd,
ekansh.gupta, stable
fastrpc_channel_ctx_get() is called in fastrpc_device_open() before
fastrpc_session_alloc(). If session alloc fails, the error path
returns -EBUSY without calling fastrpc_channel_ctx_put(), leaking
the reference. Fix by adding the missing put.
Fixes: 278d56f970ae ("misc: fastrpc: Reference count channel context")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
---
drivers/misc/fastrpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 1080f9acf70a..9442db2c7aec 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1648,7 +1648,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
dev_err(&cctx->rpdev->dev, "No session available\n");
mutex_destroy(&fl->mutex);
kfree(fl);
-
+ fastrpc_channel_ctx_put(cctx);
return -EBUSY;
}
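Review bot: in the -EBUSY branch the new fastrpc_channel_ctx_put(cctx) is written over the blank line that used to separate the cleanup from the return, so the branch now runs mutex_destroy(), kfree() and the put straight into `return -EBUSY;` with no visual break. Keeping the blank line before the return would make this a pure one-line addition. With three inline cleanup calls here, a shared error label would also keep the get/put pairing in one place if fastrpc_device_open() gains further failure points after the get. The position of the put itself is fine: dev_err() dereferences cctx->rpdev, and it runs before the reference is dropped.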
--
2.34.1
* Re: [PATCH v1] misc: fastrpc: fix channel ctx ref leak when session alloc fails
From: Dmitry Baryshkov @ 2026-05-25 9:16 UTC
To: Anandu Krishnan E
Cc: srini, linux-arm-msm, gregkh, quic_bkumar, linux-kernel,
quic_chennak, dri-devel, arnd, ekansh.gupta, stable
On Mon, May 25, 2026 at 02:23:40PM +0530, Anandu Krishnan E wrote:
> fastrpc_channel_ctx_get() is called in fastrpc_device_open() before
> fastrpc_session_alloc(). If session alloc fails, the error path
> returns -EBUSY without calling fastrpc_channel_ctx_put(), leaking
> the reference. Fix by adding the missing put.
>
> Fixes: 278d56f970ae ("misc: fastrpc: Reference count channel context")
> Cc: stable@kernel.org
> Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
> ---
> drivers/misc/fastrpc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
--
With best wishes
Dmitry
* Claude review: misc: fastrpc: fix channel ctx ref leak when session alloc fails
From: Claude Code Review Bot @ 2026-05-25 21:21 UTC
To: dri-devel-reviews
Overall Series Review
Subject: misc: fastrpc: fix channel ctx ref leak when session alloc fails
Author: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
Patches: 2
Reviewed: 2026-05-26T07:21:41.793346
---
This is a single-patch fix for a genuine reference count leak in the fastrpc driver. The analysis is correct: `fastrpc_channel_ctx_get()` is called at line 1634 of `fastrpc_device_open()`, but if `fastrpc_session_alloc()` fails at line 1646, the error path at lines 1648-1652 returns without calling `fastrpc_channel_ctx_put()`. The normal release path in `fastrpc_device_release()` (line 1610) does call the put, but that path is never reached when session alloc fails because the file was never fully opened.
The fix is correct and minimal. The Fixes tag and stable CC are appropriate.
**Verdict: Patch looks good.**
---
Generated by Claude Code Patch Reviewer
* Claude review: misc: fastrpc: fix channel ctx ref leak when session alloc fails
From: Claude Code Review Bot @ 2026-05-25 21:21 UTC
To: dri-devel-reviews
Patch Review
**Correctness: Good.** The flow is clear:
1. `fastrpc_channel_ctx_get(cctx)` at line 1634 increments the refcount.
2. On success, `fastrpc_device_release()` eventually calls `fastrpc_channel_ctx_put(cctx)` at line 1610.
3. On failure of `fastrpc_session_alloc()`, the early return at line 1652 skips the release path entirely, leaking the reference. The added `fastrpc_channel_ctx_put(cctx)` before the return fixes this.
**One minor style nit:** The patch removes a blank line that existed between `kfree(fl)` and `return -EBUSY`:
```c
-
+ fastrpc_channel_ctx_put(cctx);
return -EBUSY;
```
This is fine — the blank line was arguably unnecessary, and inserting the put call there is the logical place (after freeing `fl`, before returning). The ordering is correct: `mutex_destroy` then `kfree` then `put` — the `cctx` doesn't depend on `fl` being alive, so the put can safely go after the free.
**No issues found.** The commit message accurately describes the problem, the Fixes tag references the correct commit that introduced the refcounting, and the stable CC is warranted since this is a resource leak that could prevent channel context cleanup.
---
Generated by Claude Code Patch Reviewer
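
The get/put pairing discussed in this thread, as an added userspace model that is not code from the patch or from the fastrpc driver. All type and function names are hypothetical stand-ins, and the single owner reference held at start is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: hypothetical stand-ins, not the driver's structures. */
struct chan_ctx { int refcount; int sessions_free; };
struct user_file { struct chan_ctx *cctx; };
static void ctx_get(struct chan_ctx *c) { c->refcount++; }
static void ctx_put(struct chan_ctx *c) { c->refcount--; }
/* Returns 0 on success, -1 when no session is available (models -EBUSY). */
static int model_open(struct chan_ctx *c, struct user_file **out, bool put_on_error)
{
    struct user_file *fl = calloc(1, sizeof(*fl));
    if (!fl) return -1;
    ctx_get(c);                     /* reference taken before session alloc */
    fl->cctx = c;
    if (c->sessions_free == 0) {    /* session allocation fails */
        free(fl);
        if (put_on_error)
            ctx_put(c);             /* the put that the patch adds */
        return -1;
    }
    c->sessions_free--;
    *out = fl;
    return 0;
}

/* Normal close path: gives back the session and drops the open's reference. */
static void model_release(struct user_file *fl)
{
    fl->cctx->sessions_free++;
    ctx_put(fl->cctx);
    free(fl);
}
/* Open/close `attempts` times; return references left beyond the owner's one. */
static int leaked_refs(int attempts, int sessions, bool put_on_error)
{
    struct chan_ctx c = { .refcount = 1, .sessions_free = sessions };
    struct user_file *fl = NULL;
    for (int i = 0; i < attempts; i++)
        if (model_open(&c, &fl, put_on_error) == 0)
            model_release(fl);
    return c.refcount - 1;
}

int main(void)
{
    printf("no put: %d leaked, with put: %d leaked\n", leaked_refs(5, 0, false), leaked_refs(5, 0, true));
    return 0;
}
```

Every failed open without the put leaves one reference behind, so the context's count can never return to the value at which it would be freed; successful opens stay balanced either way because the release path does the put.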