drivers: rmnet_shs: Remove rmnet ep access
Rmnet driver allocates rmnet_endpoint which rmnet_shs was using to keep track of endpoints that needed. However rmnet driver frees the memory before endpoint unregistration so this leaves a potential race condition where the wq can run after freeing. Change is to instead use net_dev refrerences we keep track of from net_dev_cb and no longer use rmnet_endpoints allocated by rmnet driver. Rmnet_shs was only using netdev references in rmnet_endpoint so no impact should be expected. This use-after-free would cause the following crash-signature. <6> Unable to handle kernel paging request at virtual address 00005000 <6> Mem abort info: <6> Exception class = DABT (current EL), IL = 32 bits <6> SET = 0, FnV = 0 <6> EA = 0, S1PTW = 0 <6> FSC = 5 <6> Data abort info: <6> ISV = 0, ISS = 0x00000005 <6> CM = 0, WnR = 0 <6> user pgtable: 4k pages, 39-bit VAs, pgd = 0000000070b0b425 <6> Internal error: Oops: 96000005 [#1] PREEMPT SMP <6> Workqueue: rmnet_shs_wq rmnet_shs_wq_process_wq [rmnet_shs] <6> task: 00000000deaad59d task.stack: 00000000053e0949 <2> pc : rmnet_shs_wq_update_ep_rps_msk+0x3c/0xd8 [rmnet_shs] <2> lr : rmnet_shs_wq_update_ep_rps_msk+0x28/0xd8 [rmnet_shs] <2> Call trace: <2> rmnet_shs_wq_update_ep_rps_msk+0x3c/0xd8 [rmnet_shs] <2> rmnet_shs_wq_update_stats+0x98/0x928 [rmnet_shs] <2> rmnet_shs_wq_process_wq+0x10c/0x248 [rmnet_shs] <2> process_one_work+0x1f0/0x458 <2> worker_thread+0x2ec/0x450 <2> kthread+0x11c/0x130 <2> ret_from_fork+0x10/0x1c CRs-Fixed: 2541604 Change-Id: I7026f2564c463f4ca989af97572e2a8fe5652087 Acked-by:Raul Martinez <mraul@qti.qualcomm.com> Signed-off-by:
Loading
Please register or sign in to comment