
Commit dbbf47b8 authored by Arun Kumar Neelakantam

rpmsg: glink: Fix use after free of channel refcount
Channel reference count is used after free in case the channel
is not fully opened due to errors and SSR happens.

Remove the channel ID from glink LCID list for last reference to
avoid re-using the stale pointer from LCID list.

CRs-Fixed: 2272962
Change-Id: Ibe2627444d42ef12860bdec36f147b01128cdf11
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
parent 1c4c840c
+4 −2
@@ -1851,8 +1851,10 @@ void qcom_glink_native_remove(struct qcom_glink *glink)

	spin_lock_irqsave(&glink->idr_lock, flags);
	/* Release any defunct local channels, waiting for close-ack */
	idr_for_each_entry(&glink->lcids, channel, cid)
		kref_put(&channel->refcount, qcom_glink_channel_release);
	idr_for_each_entry(&glink->lcids, channel, cid) {
		if (kref_put(&channel->refcount, qcom_glink_channel_release))
			idr_remove(&glink->lcids, cid);
	}

	/* Release any defunct local channels, waiting for close-req */
	idr_for_each_entry(&glink->lcids, channel, cid)
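Review bot: The second loop over `glink->lcids` ("waiting for close-req", the `idr_for_each_entry` right after the new block) appears to keep its bare `kref_put(&channel->refcount, qcom_glink_channel_release)`; the +4 −2 stats show all changes landing in the close-ack loop. A channel whose last reference is dropped in that second loop would still be left in the LCID idr as a stale pointer, which is exactly the use-after-free the commit message describes. Apply the same pattern there, `if (kref_put(...)) idr_remove(&glink->lcids, cid);`, or state in the commit message why only the close-ack loop can hold the last reference. It would also help to note that `idr_remove` inside `idr_for_each_entry` is safe because the iterator advances by `cid` rather than by the removed entry, so the next reviewer does not have to re-derive that.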