
Commit eb98158f authored by Arun Kumar Neelakantam

rpmsg: glink: Fix use after free in open_ack TIMEOUT case



An extra channel reference put when the remote sends OPEN_ACK after a timeout
causes a use-after-free while handling the next remote CLOSE command.

Remove extra reference put in timeout case to avoid use-after-free.

CRs-Fixed: 2303487
Change-Id: If5698ab01da266f31094d17f7aee5a8d2ef11d82
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
parent 489b3ff4
+8 −7
@@ -1232,13 +1232,12 @@ static int qcom_glink_create_remote(struct qcom_glink *glink,

	/*
	 * Send a close request to "undo" our open-ack. The close-ack will
	 * release the last reference.
	 * release qcom_glink_send_open_req() reference and the last reference
	 * will be relesed after receiving remote_close or transport unregister
	 * by calling qcom_glink_native_remove().
	 */
	qcom_glink_send_close_req(glink, channel);

	/* Release qcom_glink_send_open_req() reference */
	kref_put(&channel->refcount, qcom_glink_channel_release);

	return ret;
}
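Review bot: the new comment block misspells "released" as "relesed" in the line "will be relesed after receiving remote_close or transport unregister". On the logic, dropping the kref_put() that followed qcom_glink_send_close_req() is the right fix for the double put the commit message describes, but the comment should state outright that the timeout path now deliberately leaves the channel allocated and registered until the remote CLOSE or qcom_glink_native_remove() drops the last reference, since a reader of this function alone can no longer see where that reference goes.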

@@ -1869,13 +1868,15 @@ void qcom_glink_native_remove(struct qcom_glink *glink)
	spin_lock_irqsave(&glink->idr_lock, flags);
	/* Release any defunct local channels, waiting for close-ack */
	idr_for_each_entry(&glink->lcids, channel, cid) {
		if (kref_put(&channel->refcount, qcom_glink_channel_release))
		kref_put(&channel->refcount, qcom_glink_channel_release);
		idr_remove(&glink->lcids, cid);
	}

	/* Release any defunct local channels, waiting for close-req */
	idr_for_each_entry(&glink->lcids, channel, cid)
	idr_for_each_entry(&glink->rcids, channel, cid) {
		kref_put(&channel->refcount, qcom_glink_channel_release);
		idr_remove(&glink->rcids, cid);
	}

	idr_destroy(&glink->lcids);
	idr_destroy(&glink->rcids);
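Review bot: the second loop under "Release any defunct local channels, waiting for close-req" now walks glink->rcids instead of glink->lcids, which corrects what looks like a copy of the first loop, but the comment still says "local channels" and should say remote channels to match rcids. In the first loop, making the kref_put() unconditional and always calling idr_remove(&glink->lcids, cid) is a behaviour change: when the put does not drop the last reference, the channel is now removed from lcids while still allocated, so confirm that the remaining holder releases it and that no later path expects to find it in the idr. Both kref_put() calls also run with idr_lock held, so qcom_glink_channel_release() must remain non-sleeping.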