rpmsg_eptdev_open() has no mutex protection, in particular
for the read and write of eptdev->ept.
This may cause issues when multiple instances call
rpmsg_eptdev_open() in parallel: the return state
may be success or EBUSY.
Fixes: 964e8bedd5a1 ("rpmsg: char: Return an error if device already open")
Signed-off-by: Shengjiu Wang <[email protected]>
---
changes in resend:
- add fixes tag
drivers/rpmsg/rpmsg_char.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index b6183d4f62a2..4f2189111494 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -120,8 +120,11 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
struct rpmsg_device *rpdev = eptdev->rpdev;
struct device *dev = &eptdev->dev;
- if (eptdev->ept)
+ mutex_lock(&eptdev->ept_lock);
+ if (eptdev->ept) {
+ mutex_unlock(&eptdev->ept_lock);
return -EBUSY;
+ }
get_device(dev);
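Review bot: The new `mutex_lock(&eptdev->ept_lock)` at the top of rpmsg_eptdev_open() is uninterruptible, so a second opener now waits unkillably for as long as the first holds the lock across the endpoint creation between the two hunks (that code is not visible here, so how long it can block is an assumption). Since this path is reached directly from a userspace open(), consider `if (mutex_lock_interruptible(&eptdev->ept_lock)) return -ERESTARTSYS;` instead. The function body starts before and continues after this hunk.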
@@ -137,11 +140,13 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
if (!ept) {
dev_err(dev, "failed to open %s\n", eptdev->chinfo.name);
put_device(dev);
+ mutex_unlock(&eptdev->ept_lock);
return -EINVAL;
}
eptdev->ept = ept;
filp->private_data = eptdev;
+ mutex_unlock(&eptdev->ept_lock);
return 0;
}
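Review bot: Taking ept_lock around `eptdev->ept = ept` only closes the race if every other path that tests or clears eptdev->ept (release and device teardown, neither shown in this diff) holds the same lock; that invariant is worth stating where the lock is declared, e.g. `/* ept_lock: held whenever eptdev->ept is tested, assigned or cleared */`. Without it, a concurrent close could presumably still destroy the endpoint while an open acts on a stale pointer. The patch also leaves three hand-written `mutex_unlock()` sites across the two hunks; a single exit label would keep a later error path from returning with the lock held. The start of rpmsg_eptdev_open() is outside this hunk.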
--
2.17.1
On Sat, May 21, 2022 at 11:35:05AM +0800, Shengjiu Wang wrote:
> There is no mutex protection for rpmsg_eptdev_open(),
> especially for eptdev->ept read and write operation.
> It may cause issues when multiple instances call
> rpmsg_eptdev_open() in parallel,the return state
> may be success or EBUGY.
>
> Fixes: 964e8bedd5a1 ("rpmsg: char: Return an error if device already open")
> Signed-off-by: Shengjiu Wang <[email protected]>
This looks good. I will fix the above typo and apply the patch when the 5.19 cycle
starts.
Thanks,
Mathieu
> ---
> changes in resend:
> - add fixes tag
>
> drivers/rpmsg/rpmsg_char.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
> index b6183d4f62a2..4f2189111494 100644
> --- a/drivers/rpmsg/rpmsg_char.c
> +++ b/drivers/rpmsg/rpmsg_char.c
> @@ -120,8 +120,11 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
> struct rpmsg_device *rpdev = eptdev->rpdev;
> struct device *dev = &eptdev->dev;
>
> - if (eptdev->ept)
> + mutex_lock(&eptdev->ept_lock);
> + if (eptdev->ept) {
> + mutex_unlock(&eptdev->ept_lock);
> return -EBUSY;
> + }
>
> get_device(dev);
>
> @@ -137,11 +140,13 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
> if (!ept) {
> dev_err(dev, "failed to open %s\n", eptdev->chinfo.name);
> put_device(dev);
> + mutex_unlock(&eptdev->ept_lock);
> return -EINVAL;
> }
>
> eptdev->ept = ept;
> filp->private_data = eptdev;
> + mutex_unlock(&eptdev->ept_lock);
>
> return 0;
> }
> --
> 2.17.1
>
On Sat, May 21, 2022 at 11:35:05AM +0800, Shengjiu Wang wrote:
> There is no mutex protection for rpmsg_eptdev_open(),
> especially for eptdev->ept read and write operation.
> It may cause issues when multiple instances call
> rpmsg_eptdev_open() in parallel,the return state
> may be success or EBUGY.
>
> Fixes: 964e8bedd5a1 ("rpmsg: char: Return an error if device already open")
> Signed-off-by: Shengjiu Wang <[email protected]>
> ---
> changes in resend:
> - add fixes tag
>
> drivers/rpmsg/rpmsg_char.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
I have applied your patch.
Thanks,
Mathieu
>
> diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
> index b6183d4f62a2..4f2189111494 100644
> --- a/drivers/rpmsg/rpmsg_char.c
> +++ b/drivers/rpmsg/rpmsg_char.c
> @@ -120,8 +120,11 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
> struct rpmsg_device *rpdev = eptdev->rpdev;
> struct device *dev = &eptdev->dev;
>
> - if (eptdev->ept)
> + mutex_lock(&eptdev->ept_lock);
> + if (eptdev->ept) {
> + mutex_unlock(&eptdev->ept_lock);
> return -EBUSY;
> + }
>
> get_device(dev);
>
> @@ -137,11 +140,13 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
> if (!ept) {
> dev_err(dev, "failed to open %s\n", eptdev->chinfo.name);
> put_device(dev);
> + mutex_unlock(&eptdev->ept_lock);
> return -EINVAL;
> }
>
> eptdev->ept = ept;
> filp->private_data = eptdev;
> + mutex_unlock(&eptdev->ept_lock);
>
> return 0;
> }
> --
> 2.17.1
>