Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5540883pxb;
        Wed, 26 Jan 2022 14:33:26 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxbZdkq6rIHe2ZpzbWifLdxZBALIeKx6ppkwwSFxEGBn7pCX/FaOb/dTOCYY/ktEm3RMEv/
X-Received: by 2002:aa7:d1cd:: with SMTP id g13mr1117666edp.70.1643236406143;
        Wed, 26 Jan 2022 14:33:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643236406; cv=none;
        d=google.com; s=arc-20160816;
        b=hRxEf/sgw9Q8nfMIKD/kI77sXb9giuPtPOG5EXszWXz1EzqeKdF1/5y9AlFyMJn25v
         2/PZmRC99qwPPnMvPL4bfJUafv5yt+2vFD0/2CB5+D4POmhFv8Z5eTL3/am3mTV3XJrP
         H1jNqzi+U2wQAebdMTdMzK8P8XE38j7dBc4b37Qw4bXftGhGlcR7voWjiBEUwClpXRf7
         guLyQ67VCl2WWlCKqIt9QhZ9OaggKx3Ku5vtlPMLVmwo1niEOgLw9223lnFV/le0q6xv
         POSXJaNntHw/AtWsw/YmJk+0AjwZcPgBUbgFXtE1E/QXW/G3AKk7H0ponhWwOvNWMaOH
         TOAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:references:in-reply-to:message-id
         :date:subject:cc:to:from:dkim-signature;
        bh=bvwTeXXCVgoKK6tip4OQOfBePiolT20pRdbUv6gGlkw=;
        b=Vx69cWdzVgF54IBLmpYCpDxI/YkoYYDBbQkfOIoTcTS2JYsg5Lbin+iEDhZEsZ6OkG
         G76LV0W8oXPRjr3zfxeW5GB0LnHwwOT6UgvpkVMO+Pf9YZ9XwV3Nn1bKuOBIAwMqqF5f
         P+UmNA9pt6cCpnT9WrrsNjAe977xA9ncW+NFXLtfOV6t2EvpCMj4n89Z0TPEfWxxSOvU
         qJJnfcurJTBMoNc4JR1krVrlwy1doXTpDZWgZyGTkwzMl05781+kpcQwklyWDkWQveIS
         8jhaLOIJtTTMgbJsWgz8K4kKZ2zoTCFquSGnO1NHBlEB6yl1OW8Wc9Dg/WOdyjKYQ6cr
         2Rzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcdkim header.b=l0EvEkUt;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h3si309496ejt.402.2022.01.26.14.33.00;
        Wed, 26 Jan 2022 14:33:26 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcdkim header.b=l0EvEkUt;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244331AbiAZTFa (ORCPT <rfc822;sshegde.linux@gmail.com>
        + 99 others); Wed, 26 Jan 2022 14:05:30 -0500
Received: from alexa-out-sd-02.qualcomm.com ([199.106.114.39]:7088 "EHLO
        alexa-out-sd-02.qualcomm.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S244330AbiAZTF2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 26 Jan 2022 14:05:28 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=quicinc.com; i=@quicinc.com; q=dns/txt; s=qcdkim;
  t=1643223928; x=1674759928;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version;
  bh=bvwTeXXCVgoKK6tip4OQOfBePiolT20pRdbUv6gGlkw=;
  b=l0EvEkUtxbKQKaiWKV1erDDA/wg2kJl9gfN7rsSta3kf5iQiqNDQHMD6
   kgfsa6jidQXEa1gJkpy1ndb3dyck8eJxjyBjZFWkEM3gt/CftJNRzdsw/
   RV3jJ6eLW3Ql+vFN/GG98VMFc1MH69Uzx58f9ade+ogHPB5GjrErJ9Oph
   A=;
Received: from unknown (HELO ironmsg04-sd.qualcomm.com) ([10.53.140.144])
  by alexa-out-sd-02.qualcomm.com with ESMTP; 26 Jan 2022 11:05:27 -0800
X-QCInternal: smtphost
Received: from nasanex01c.na.qualcomm.com ([10.47.97.222])
  by ironmsg04-sd.qualcomm.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Jan 2022 11:05:27 -0800
Received: from nalasex01a.na.qualcomm.com (10.47.209.196) by
 nasanex01c.na.qualcomm.com (10.47.97.222) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.922.19; Wed, 26 Jan 2022 11:05:27 -0800
Received: from deesin-linux.qualcomm.com (10.80.80.8) by
 nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.922.19; Wed, 26 Jan 2022 11:05:24 -0800
From:   Deepak Kumar Singh <quic_deesin@quicinc.com>
To:     <bjorn.andersson@linaro.org>, <swboyd@chromium.org>,
        <quic_clew@quicinc.com>, <mathieu.poirier@linaro.org>
CC:     <linux-kernel@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
        <linux-remoteproc@vger.kernel.org>,
        Deepak Kumar Singh <quic_deesin@quicinc.com>,
        Ohad Ben-Cohen <ohad@wizery.com>
Subject: [PATCH V1 2/3] rpmsg: glink: Add lock to avoid race when rpmsg device is released
Date:   Thu, 27 Jan 2022 00:34:45 +0530
Message-ID: <1643223886-28170-3-git-send-email-quic_deesin@quicinc.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
References: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.80.80.8]
X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To
 nalasex01a.na.qualcomm.com (10.47.209.196)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When remote host goes down glink char device channel is freed,
At the same time user space apps can still try to open rpmsg_char
device which will result in calling rpmsg_create_ept. This may cause
reference to already freed context of glink chardev channel.

Use per ept lock to avoid race between rpmsg_destroy_ept and
rpmsg_destory_ept.
---
 drivers/rpmsg/rpmsg_char.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
index 72ee101..2108ef8 100644
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -85,6 +85,7 @@ static int rpmsg_eptdev_destroy(struct device *dev, void *data)
 	struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
 
 	mutex_lock(&eptdev->ept_lock);
+	eptdev->rpdev = NULL;
 	if (eptdev->ept) {
 		rpmsg_destroy_ept(eptdev->ept);
 		eptdev->ept = NULL;
@@ -145,15 +146,24 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
 
 	get_device(dev);
 
+	mutex_lock(&eptdev->ept_lock);
+	if (!eptdev->rpdev) {
+		put_device(dev);
+		mutex_unlock(&eptdev->ept_lock);
+		return -ENETRESET;
+	}
+
 	ept = rpmsg_create_ept(rpdev, rpmsg_ept_cb, eptdev, eptdev->chinfo);
 	if (!ept) {
 		dev_err(dev, "failed to open %s\n", eptdev->chinfo.name);
+		mutex_unlock(&eptdev->ept_lock);
 		put_device(dev);
 		return -EINVAL;
 	}
 
 	ept->sig_cb = rpmsg_sigs_cb;
 	eptdev->ept = ept;
+	mutex_unlock(&eptdev->ept_lock);
 	filp->private_data = eptdev;
 
 	return 0;
@@ -285,7 +295,9 @@ static __poll_t rpmsg_eptdev_poll(struct file *filp, poll_table *wait)
 	if (eptdev->sig_pending)
 		mask |= EPOLLPRI;
 
+	mutex_lock(&eptdev->ept_lock);
 	mask |= rpmsg_poll(eptdev->ept, filp, wait);
+	mutex_unlock(&eptdev->ept_lock);
 
 	return mask;
 }
-- 
2.7.4