diff options
author | Chris Lew <clew@codeaurora.org> | 2019-10-05 00:26:59 +0200 |
---|---|---|
committer | Bjorn Andersson <bjorn.andersson@linaro.org> | 2019-10-16 18:38:22 +0200 |
commit | b646293e272816dd0719529dcebbd659de0722f7 (patch) | |
tree | da9bb7cf2ed1eb4761cd9f019414cc9ebed72972 /drivers/rpmsg | |
parent | rpmsg: glink: Fix use after free in open_ack TIMEOUT case (diff) | |
download | linux-b646293e272816dd0719529dcebbd659de0722f7.tar.xz linux-b646293e272816dd0719529dcebbd659de0722f7.zip |
rpmsg: glink: Put an extra reference during cleanup
In a remote processor crash scenario, there is no guarantee the remote
processor sent close requests before it went into a bad state. Remove
the reference that is normally handled by the close command in the
so channel resources can be released.
Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: stable@vger.kernel.org
Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Chris Lew <clew@codeaurora.org>
Reported-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Diffstat (limited to 'drivers/rpmsg')
-rw-r--r-- | drivers/rpmsg/qcom_glink_native.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 72ed671f5dcd..21fd2ae5f7f1 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1641,6 +1641,10 @@ void qcom_glink_native_remove(struct qcom_glink *glink) idr_for_each_entry(&glink->lcids, channel, cid) kref_put(&channel->refcount, qcom_glink_channel_release); + /* Release any defunct local channels, waiting for close-req */ + idr_for_each_entry(&glink->rcids, channel, cid) + kref_put(&channel->refcount, qcom_glink_channel_release); + idr_destroy(&glink->lcids); idr_destroy(&glink->rcids); spin_unlock_irqrestore(&glink->idr_lock, flags); |