| Message ID | 20191009013345.17192-1-clew@codeaurora.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | rpmsg: glink: Remove channel decouple from rpdev release | expand |
Quoting Chris Lew (2019-10-08 18:33:45) > If a channel is being rapidly restarted and the kobj release worker is > busy, there is a chance the the rpdev_release function will run after > the channel struct itself has been released. > > There should not be a need to decouple the channel from rpdev in the > rpdev release since that should only happen from the channel close > commands. > > Signed-off-by: Chris Lew <clew@codeaurora.org> Fixes tag? The whole thing sounds broken and probably is still racy in the face of SMP given that channel->rpdev is tested for "published" or not. Can you describe the race that you're closing more?
On 10/9/2019 10:04 PM, Stephen Boyd wrote: > Quoting Chris Lew (2019-10-08 18:33:45) >> If a channel is being rapidly restarted and the kobj release worker is >> busy, there is a chance the the rpdev_release function will run after >> the channel struct itself has been released. >> >> There should not be a need to decouple the channel from rpdev in the >> rpdev release since that should only happen from the channel close >> commands. >> >> Signed-off-by: Chris Lew <clew@codeaurora.org> > > Fixes tag? The whole thing sounds broken and probably is still racy in > the face of SMP given that channel->rpdev is tested for "published" or > not. Can you describe the race that you're closing more? > Thanks Stephen, will add Fixes tag and try to describe the race better. I agree that the whole thing sounds broken, the glink channel cleanup code has a couple bugs that need to be addressed in a more extensive patch. This patch is more to address the immediate issue of a use-after-free from one of the races.
diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 621f1afd4d6b..836a0bd99d11 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1350,9 +1350,7 @@ static const struct rpmsg_endpoint_ops glink_endpoint_ops = { static void qcom_glink_rpdev_release(struct device *dev) { struct rpmsg_device *rpdev = to_rpmsg_device(dev); - struct glink_channel *channel = to_glink_channel(rpdev->ept); - channel->rpdev = NULL; kfree(rpdev); }
If a channel is being rapidly restarted and the kobj release worker is busy, there is a chance the the rpdev_release function will run after the channel struct itself has been released. There should not be a need to decouple the channel from rpdev in the rpdev release since that should only happen from the channel close commands. Signed-off-by: Chris Lew <clew@codeaurora.org> --- drivers/rpmsg/qcom_glink_native.c | 2 -- 1 file changed, 2 deletions(-)