
[V2,2/2] rpmsg: glink: Add lock to rpmsg_ctrldev_remove

Message ID 1662404120-24338-2-git-send-email-quic_deesin@quicinc.com
State Superseded
Series [V2,1/2] rpmsg: glink: Add lock to avoid race when rpmsg device is released

Commit Message

Deepak Kumar Singh Sept. 5, 2022, 6:55 p.m. UTC
Hold ctrl device lock in rpmsg_ctrldev_remove to avoid any
new create ept call to proceed, otherwise new ept creation
and associated char device may succeed. Any further call from
user space for rpmsg_eptdev_open will reference already freed
rpdev and will result in crash. Below crash signature was
observed -

rpmsg_create_ept+0x40/0xa0
rpmsg_eptdev_open+0x88/0x138
chrdev_open+0xc4/0x1c8
do_dentry_open+0x230/0x378
vfs_open+0x3c/0x48
path_openat+0x93c/0xa78
do_filp_open+0x98/0x118
do_sys_openat2+0x90/0x220
do_sys_open+0x64/0x8c

Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com>
---
 drivers/rpmsg/rpmsg_ctrl.c | 2 ++
 1 file changed, 2 insertions(+)
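Added example, not code from the patch or from the rpmsg driver: a user-space C model of the teardown race the commit message describes. The names mirror rpmsg_ctrl.c loosely, but every struct, function and field here is this model's assumption; in particular the `removed` flag does not exist in the real driver, and the real rpmsg_eptdev_open() uses the eptdev's own lock rather than ctrl_lock. The model deliberately goes one step past the patch: it records under ctrl_lock that teardown has begun, so a create-endpoint call that lands after the unlock fails closed, which serialising on the lock alone does not guarantee.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_EPTS 8

struct rpmsg_device { const char *name; };	/* stand-in for the real struct */

struct rpmsg_eptdev {				/* per-endpoint char device stand-in */
	struct rpmsg_device *rpdev;		/* the pointer that dangled in the crash */
	int id;
	bool live;
};

struct rpmsg_ctrldev {
	pthread_mutex_t ctrl_lock;
	bool removed;				/* model's addition: set under ctrl_lock when teardown starts */
	struct rpmsg_device *rpdev;
	struct rpmsg_eptdev epts[MAX_EPTS];
	int next_id;
};

/* "create ept" path. Refuses with -ENODEV once remove has started, so a late
 * caller never gets an endpoint that points at an rpdev about to be freed. */
int ctrldev_create_ept(struct rpmsg_ctrldev *c, int *id_out)
{
	int ret = -ENOSPC;

	pthread_mutex_lock(&c->ctrl_lock);
	if (c->removed)
		ret = -ENODEV;		/* teardown already started: fail closed */
	for (int i = 0; ret == -ENOSPC && i < MAX_EPTS; i++) {
		struct rpmsg_eptdev *e = &c->epts[i];
		if (e->live)
			continue;
		e->live = true;
		e->rpdev = c->rpdev;
		e->id = c->next_id++;
		*id_out = e->id;
		ret = 0;
	}
	pthread_mutex_unlock(&c->ctrl_lock);
	return ret;
}

/* rpmsg_eptdev_open stand-in: follows ept->rpdev, the dereference in the report. */
int eptdev_open(struct rpmsg_ctrldev *c, int id)
{
	int ret = -ENOENT;
	pthread_mutex_lock(&c->ctrl_lock);
	for (int i = 0; i < MAX_EPTS; i++) {
		struct rpmsg_eptdev *e = &c->epts[i];
		if (e->live && e->id == id) {
			ret = (e->rpdev && e->rpdev->name) ? 0 : -ENODEV;
			break;
		}
	}
	pthread_mutex_unlock(&c->ctrl_lock);
	return ret;
}

/* rpmsg_ctrldev_remove stand-in. Setting 'removed' under the lock closes the
 * window after the unlock; the lock alone does not stop a create that arrives
 * afterwards. Returns the number of endpoints destroyed. */
int ctrldev_remove(struct rpmsg_ctrldev *c)
{
	int destroyed = 0;
	pthread_mutex_lock(&c->ctrl_lock);
	c->removed = true;
	for (int i = 0; i < MAX_EPTS; i++) {
		if (!c->epts[i].live)
			continue;
		c->epts[i].live = false;	/* device_for_each_child(..., eptdev_destroy) stand-in */
		destroyed++;
	}
	pthread_mutex_unlock(&c->ctrl_lock);
	c->rpdev = NULL;	/* model: the parent rpdev is gone once remove returns */
	return destroyed;
}

/* The commit message's interleaving replayed deterministically: an endpoint
 * created before remove is torn down by it, a create landing after remove is
 * refused, and nothing is left that points at the dead rpdev. 0 on success. */
int replay_remove_race(void)
{
	static struct rpmsg_device dev = { .name = "ctrl-model" };
	struct rpmsg_ctrldev c = { .ctrl_lock = PTHREAD_MUTEX_INITIALIZER, .rpdev = &dev };
	int id = -1, late_id = -1;

	if (ctrldev_create_ept(&c, &id) != 0 || eptdev_open(&c, id) != 0)
		return 1;
	if (ctrldev_remove(&c) != 1)
		return 2;
	if (ctrldev_create_ept(&c, &late_id) != -ENODEV)
		return 3;
	return eptdev_open(&c, id) == -ENOENT ? 0 : 4;
}

int main(void) { return replay_remove_race(); }
```

Build with `cc -pthread model.c` (the `-pthread` flag is only needed on older glibc). The replay is single-threaded on purpose: the property being checked is an invariant of the create and remove paths, not of a particular thread timing, so it holds for every interleaving a real scheduler could produce.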

Comments

Stephen Boyd Sept. 8, 2022, 12:59 a.m. UTC | #1
Quoting Deepak Kumar Singh (2022-09-05 11:55:20)
> Hold ctrl device lock in rpmsg_ctrldev_remove to avoid any
> new create ept call to proceed, otherwise new ept creation
> and associted char device may suceed. Any further call from

s/associted/associated/
s/suceed/succeed/

> user space for rpmsg_eptdev_open will reference already freed

rpmsg_eptdev_open()

> rpdev and will result in crash. Below crash signature was
> observed -
>
> rpmsg_create_ept+0x40/0xa0
> rpmsg_eptdev_open+0x88/0x138
> chrdev_open+0xc4/0x1c8
> do_dentry_open+0x230/0x378
> vfs_open+0x3c/0x48
> path_openat+0x93c/0xa78
> do_filp_open+0x98/0x118
> do_sys_openat2+0x90/0x220
> do_sys_open+0x64/0x8c

Again, can you show a CPU diagram for what you're fixing? I think the
problem is device is going away, but chrdev_open() is being called and
that's accessing a device that's on the way out?

Patch

diff --git a/drivers/rpmsg/rpmsg_ctrl.c b/drivers/rpmsg/rpmsg_ctrl.c
index 107da70..4332538 100644
--- a/drivers/rpmsg/rpmsg_ctrl.c
+++ b/drivers/rpmsg/rpmsg_ctrl.c
@@ -194,10 +194,12 @@  static void rpmsg_ctrldev_remove(struct rpmsg_device *rpdev)
 	struct rpmsg_ctrldev *ctrldev = dev_get_drvdata(&rpdev->dev);
 	int ret;
 
+	mutex_lock(&ctrldev->ctrl_lock);
 	/* Destroy all endpoints */
 	ret = device_for_each_child(&ctrldev->dev, NULL, rpmsg_chrdev_eptdev_destroy);
 	if (ret)
 		dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret);
+	mutex_unlock(&ctrldev->ctrl_lock);
 
 	cdev_device_del(&ctrldev->cdev, &ctrldev->dev);
 	put_device(&ctrldev->dev);
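Review bot: ctrl_lock is released before cdev_device_del(), so a create-endpoint call that arrives between mutex_unlock() and cdev_device_del() can still take the lock and create an endpoint after device_for_each_child() has already run rpmsg_chrdev_eptdev_destroy(), which is exactly the late creation the commit message sets out to block. Either keep the lock held until the cdev is gone (if lock ordering against cdev_device_del() allows it) or record under ctrl_lock that the ctrldev is being removed and have the create path refuse once that is set; and, as asked in the review above, put the two-CPU interleaving in the commit message, since that is what justifies where the lock is taken and dropped.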