summaryrefslogtreecommitdiffstats
path: root/drivers/rpmsg
diff options
context:
space:
mode:
authorChris Lew <clew@codeaurora.org>2019-10-05 00:26:59 +0200
committerBjorn Andersson <bjorn.andersson@linaro.org>2019-10-16 18:38:22 +0200
commitb646293e272816dd0719529dcebbd659de0722f7 (patch)
treeda9bb7cf2ed1eb4761cd9f019414cc9ebed72972 /drivers/rpmsg
parentrpmsg: glink: Fix use after free in open_ack TIMEOUT case (diff)
downloadlinux-b646293e272816dd0719529dcebbd659de0722f7.tar.xz
linux-b646293e272816dd0719529dcebbd659de0722f7.zip
rpmsg: glink: Put an extra reference during cleanup
In a remote processor crash scenario, there is no guarantee the remote processor sent close requests before it went into a bad state. Remove the reference that is normally handled by the close command in the so channel resources can be released. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Cc: stable@vger.kernel.org Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Signed-off-by: Chris Lew <clew@codeaurora.org> Reported-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Diffstat (limited to 'drivers/rpmsg')
-rw-r--r--drivers/rpmsg/qcom_glink_native.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 72ed671f5dcd..21fd2ae5f7f1 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1641,6 +1641,10 @@ void qcom_glink_native_remove(struct qcom_glink *glink)
idr_for_each_entry(&glink->lcids, channel, cid)
kref_put(&channel->refcount, qcom_glink_channel_release);
+ /* Release any defunct local channels, waiting for close-req */
+ idr_for_each_entry(&glink->rcids, channel, cid)
+ kref_put(&channel->refcount, qcom_glink_channel_release);
+
idr_destroy(&glink->lcids);
idr_destroy(&glink->rcids);
spin_unlock_irqrestore(&glink->idr_lock, flags);