From patchwork Wed Jan 26 19:04:44 2022
X-Patchwork-Submitter: Deepak Kumar Singh
X-Patchwork-Id: 537696
From: Deepak Kumar Singh
CC: Deepak Kumar Singh, Ohad Ben-Cohen
Subject: [PATCH V1 1/3] rpmsg: glink: Free device context only when cdev not in use
Date: Thu, 27 Jan 2022 00:34:44 +0530
Message-ID: <1643223886-28170-2-git-send-email-quic_deesin@quicinc.com>
In-Reply-To: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
References: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
X-Mailing-List: linux-arm-msm@vger.kernel.org

Struct device holding cdev should not be freed unless cdev is not in use. It is possible that user space has opened char device while kernel has freed the associated struct device context. Mark dev kobj as parent of cdev, so that chardev_add gets an extra reference to dev. This ensures device context is not freed until cdev is not in use.
--- drivers/rpmsg/rpmsg_char.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index c03a118..72ee101 100644 --- a/drivers/rpmsg/rpmsg_char.c +++ b/drivers/rpmsg/rpmsg_char.c @@ -417,6 +417,7 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev, dev->id = ret; dev_set_name(dev, "rpmsg%d", ret); + cdev_set_parent(&eptdev->cdev, &dev->kobj); ret = cdev_add(&eptdev->cdev, dev->devt, 1); if (ret) goto free_ept_ida; 
@@ -533,6 +534,7 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev) dev->id = ret; dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret); + cdev_set_parent(&ctrldev->cdev, &dev->kobj); ret = cdev_add(&ctrldev->cdev, dev->devt, 1); if (ret) goto free_ctrl_ida;

From patchwork Wed Jan 26 19:04:45 2022
X-Patchwork-Submitter: Deepak Kumar Singh
X-Patchwork-Id: 536814
From: Deepak Kumar Singh
CC: Deepak Kumar Singh, Ohad Ben-Cohen
Subject: [PATCH V1 2/3] rpmsg: glink: Add lock to avoid race when rpmsg device is released
Date: Thu, 27 Jan 2022 00:34:45 +0530
Message-ID: <1643223886-28170-3-git-send-email-quic_deesin@quicinc.com>
In-Reply-To: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
References: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
X-Mailing-List: linux-arm-msm@vger.kernel.org

When remote host goes down glink char device channel is freed. At the same time user space apps can still try to open rpmsg_char device which will result in calling rpmsg_create_ept. This may cause reference to already freed context of glink chardev channel. Use per ept lock to avoid race between rpmsg_destroy_ept and rpmsg_destory_ept.
--- drivers/rpmsg/rpmsg_char.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index 72ee101..2108ef8 100644 --- a/drivers/rpmsg/rpmsg_char.c +++ b/drivers/rpmsg/rpmsg_char.c @@ -85,6 +85,7 @@ static int rpmsg_eptdev_destroy(struct device *dev, void *data) struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev); mutex_lock(&eptdev->ept_lock); + eptdev->rpdev = NULL; if (eptdev->ept) { rpmsg_destroy_ept(eptdev->ept); eptdev->ept = NULL; 
@@ -145,15 +146,24 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp) get_device(dev); + mutex_lock(&eptdev->ept_lock); + if (!eptdev->rpdev) { + put_device(dev); + mutex_unlock(&eptdev->ept_lock); + return -ENETRESET; + } + ept = rpmsg_create_ept(rpdev, rpmsg_ept_cb, eptdev, eptdev->chinfo); if (!ept) { dev_err(dev, "failed to open %s\n", eptdev->chinfo.name); + mutex_unlock(&eptdev->ept_lock); put_device(dev); return -EINVAL; } ept->sig_cb = rpmsg_sigs_cb; eptdev->ept = ept; + mutex_unlock(&eptdev->ept_lock); filp->private_data = eptdev; return 0; 
@@ -285,7 +295,9 @@ static __poll_t rpmsg_eptdev_poll(struct file *filp, poll_table *wait) if (eptdev->sig_pending) mask |= EPOLLPRI; + mutex_lock(&eptdev->ept_lock); mask |= rpmsg_poll(eptdev->ept, filp, wait); + mutex_unlock(&eptdev->ept_lock); return mask; }

From patchwork Wed Jan 26 19:04:46 2022
X-Patchwork-Submitter: Deepak Kumar Singh
X-Patchwork-Id: 537695
From: Deepak Kumar Singh
CC: Deepak Kumar Singh, Ohad Ben-Cohen
Subject: [PATCH V1 3/3] rpmsg: glink: Add lock for ctrl device
Date: Thu, 27 Jan 2022 00:34:46 +0530
Message-ID: <1643223886-28170-4-git-send-email-quic_deesin@quicinc.com>
In-Reply-To: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
References: <1643223886-28170-1-git-send-email-quic_deesin@quicinc.com>
X-Mailing-List: linux-arm-msm@vger.kernel.org

Race between rpmsg_eptdev_create and rpmsg_chrdev_remove can sometimes cause crash while accessing rpdev while new endpoint is being created. Using lock ensures no new eptdev is created after rpmsg_chrdev_remove has been completed.
--- drivers/rpmsg/rpmsg_char.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index 2108ef8..3e5b85d 100644 --- a/drivers/rpmsg/rpmsg_char.c +++ b/drivers/rpmsg/rpmsg_char.c @@ -27,6 +27,7 @@ static dev_t rpmsg_major; static struct class *rpmsg_class; +struct mutex ctrl_lock; static DEFINE_IDA(rpmsg_ctrl_ida); static DEFINE_IDA(rpmsg_ept_ida); @@ -396,9 +397,12 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev, struct device *dev; int ret; + mutex_lock(&ctrl_lock); eptdev = kzalloc(sizeof(*eptdev), GFP_KERNEL); - if (!eptdev) + if (!eptdev) { + mutex_unlock(&ctrl_lock); return -ENOMEM; + } dev = &eptdev->dev; eptdev->rpdev = rpdev; 
@@ -443,6 +447,7 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev, put_device(dev); } + mutex_unlock(&ctrl_lock); return ret; free_ept_ida: @@ -453,6 +458,7 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev, put_device(dev); kfree(eptdev); + mutex_unlock(&ctrl_lock); return ret; } @@ -525,6 +531,7 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev) if (!ctrldev) return -ENOMEM; + mutex_init(&ctrl_lock); ctrldev->rpdev = rpdev; dev = &ctrldev->dev; @@ -581,12 +588,14 @@ static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev) int ret; /* Destroy all endpoints */ + mutex_lock(&ctrl_lock); ret = device_for_each_child(&ctrldev->dev, NULL, rpmsg_eptdev_destroy); if (ret) dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret); device_del(&ctrldev->dev); put_device(&ctrldev->dev); + mutex_unlock(&ctrl_lock); } static struct rpmsg_driver rpmsg_chrdev_driver = {
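
Review bot: in both hunks of patch 1/3 (rpmsg_eptdev_create() and rpmsg_chrdev_probe()) the parent is set by hand with `cdev_set_parent()` immediately before `cdev_add()`; if each function then registers the same `dev` with `device_add()`, `cdev_device_add()` does the parent assignment, `cdev_add()` and `device_add()` in one call and unwinds the cdev on failure, so the reference relationship cannot be dropped by a later refactor. The matching teardown would then be `cdev_device_del()`. The subject prefix reads "rpmsg: glink:" while the only file touched is drivers/rpmsg/rpmsg_char.c, so "rpmsg: char:" would describe the change better.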
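
Review bot: in the rpmsg_eptdev_open() hunk of patch 2/3, the new `!eptdev->rpdev` branch calls `put_device(dev)` before `mutex_unlock(&eptdev->ept_lock)`, while the `!ept` branch unlocks first. `ept_lock` is a member of `eptdev`, so dropping the device reference while the lock is still held risks unlocking freed memory if that reference is ever the last one; unlock first in both branches. The call that follows still passes the local `rpdev` to `rpmsg_create_ept()` rather than the value checked under the lock, so read `eptdev->rpdev` after taking `ept_lock` and pass that. The commit message names "rpmsg_destroy_ept and rpmsg_destory_ept" as the racing pair; one of the two is presumably meant to be rpmsg_create_ept.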
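
Review bot: in the rpmsg_eptdev_poll() hunk of patch 2/3, `eptdev->ept` is read under `ept_lock` but never checked, and rpmsg_eptdev_destroy() sets it to NULL under the same lock, so once the remote has gone down this passes NULL to `rpmsg_poll()`. Test `eptdev->ept` inside the locked region and report EPOLLERR (or EPOLLHUP) when it is gone, so that pollers wake with an error instead of depending on the callee to tolerate a NULL endpoint.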
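
Review bot: `struct mutex ctrl_lock;` in the first hunk of patch 3/3 defines a non-static, generically named global in a file whose neighbouring definitions are all static. Use `static DEFINE_MUTEX(ctrl_lock);`, which also removes the need for runtime initialisation, or make the lock a member of `struct rpmsg_ctrldev` so that unrelated control devices do not serialise on each other.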
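
Review bot: in the rpmsg_eptdev_create() hunks of patch 3/3, the mutex only serialises create against remove; nothing under the lock tests whether rpmsg_chrdev_remove() has already run, so a create that acquires `ctrl_lock` after remove has released it still goes on to `eptdev->rpdev = rpdev;`. That does not match the commit message's statement that no new eptdev is created after remove has completed. Add a state check under the lock, as patch 2/3 does with `!eptdev->rpdev` in open, and return an error when the control device is gone. The lock can also be taken after the `kzalloc()`, which removes the extra unlock in the `-ENOMEM` branch.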
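
Review bot: `mutex_init(&ctrl_lock)` in the rpmsg_chrdev_probe() hunk of patch 3/3 re-initialises a file-scope mutex on every probe. With more than one rpmsg control device, a second probe can reset the lock while rpmsg_eptdev_create() or rpmsg_chrdev_remove() for the first device holds it. Initialise it once (a static `DEFINE_MUTEX`, or in module init), or use a per-`ctrldev` mutex initialised here.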