
Commit 6da83f9d authored by Chris Lew

rpmsg: glink: spi: Fix use after free of channel refcount



Channel reference count is used after free in case the channel
is not fully opened due to errors and SSR happens.

Remove the channel ID from glink LCID list for last reference to
avoid re-using the stale pointer from LCID list.

Change-Id: If038dd4d09440b925537ef2dab86fc80a07b203c
Signed-off-by: Chris Lew <clew@codeaurora.org>
parent f961f2e6
+4 −2
@@ -2443,8 +2443,10 @@ static void glink_spi_remove(struct glink_spi *glink)

	spin_lock_irqsave(&glink->idr_lock, flags);
	/* Release any defunct local channels, waiting for close-ack */
	idr_for_each_entry(&glink->lcids, channel, cid)
		kref_put(&channel->refcount, glink_spi_channel_release);
	idr_for_each_entry(&glink->lcids, channel, cid) {
		if (kref_put(&channel->refcount, glink_spi_channel_release))
			idr_remove(&glink->lcids, cid);
	}

	/* Release any defunct local channels, waiting for close-req */
	idr_for_each_entry(&glink->lcids, channel, cid)
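
Review bot: The second loop at the bottom of this hunk (the "waiting for close-req" pass) walks the same glink->lcids, but its body lies outside the changed lines, so only the first pass gets the remove-on-release handling. A channel that survives the first kref_put() stays in lcids, and if the second pass still drops a reference without removing the entry, the IDR can again be left holding a freed pointer, which is the condition the commit message describes. Suggest giving that loop the same `if (kref_put(&channel->refcount, glink_spi_channel_release)) idr_remove(&glink->lcids, cid);` form, and confirming that both passes are meant to iterate lcids, given that the two comments distinguish close-ack from close-req. A one-line comment on the new branch noting that kref_put() returns nonzero only when the release callback ran would make the conditional idr_remove() self-explanatory.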