From patchwork Fri Oct 4 22:26:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Andersson X-Patchwork-Id: 11175413 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4243E13B1 for ; Fri, 4 Oct 2019 22:27:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 21258222C0 for ; Fri, 4 Oct 2019 22:27:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="F5uG1Agm" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729291AbfJDW1L (ORCPT ); Fri, 4 Oct 2019 18:27:11 -0400 Received: from mail-pl1-f196.google.com ([209.85.214.196]:38560 "EHLO mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728172AbfJDW1K (ORCPT ); Fri, 4 Oct 2019 18:27:10 -0400 Received: by mail-pl1-f196.google.com with SMTP id w8so3770715plq.5 for ; Fri, 04 Oct 2019 15:27:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=DB10pg/WIJaO+aJTgK4OR+kGpHxX86yfhLw/UszwpCo=; b=F5uG1Agmj1h9uJUlUsYaVzT9Nk4sqGpyY9EGmbmREWfkyCLX2Jypf/Vry8EYBqlg6y +5mmeuhecQk1H+/FUJ58m8WKZSUIoDROJ8cXuO1cXJvn/DtQTX99y99UNqV/CUfGWq8C SLXTxvc6qPmiBMbAvEABZWldwZ1/NsRYGGkdCpPAC6bXZkrlGLpbaVIa2KJrd/ryeSUT XXIocsOg0tgXtlaZzEHywwXICMIe9YedFnHjO/H7IocH1cuUcRViUrK4sRCS4QF4iFGg WyQKekfWYrwKHwUU39tkpVTyLDxjY9zrGkI6vCGtwxbHZyG1TjIYCAIyJ/jk6sDNyRf9 mTiA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=DB10pg/WIJaO+aJTgK4OR+kGpHxX86yfhLw/UszwpCo=; b=gZPbwG/SPTFF1/z9lHXhJXGi59kcBX9xseGdad28f39erTWu5kiOQizfb6sWCexXBB ymH6FXxcStCXDi/GczXO3SZBa4vqEKJShCfo6Ng22yYclV13z8Abc6rcAO1b9jdwK61U wP5Mmt99oY2/mpUjqF78Jx0aU7S5O2eFeZnx8TnWAHMGqIMlYBSfgjuG3GbphQ82t9AU ieYKPifM2KNi+n/sJO80gQG79xUpNNjqm/km2BlLsi07OwfY3Fko5mW0s3Ua2JeIEA3s WJfnqs36rukjgP1DgZ9XLQKq/Q3EgJ2h+QIa/VQtcGMeks1rSL4L7IrOo+3zqqujUdLx bW5w== X-Gm-Message-State: APjAAAUwlSyASWylMkq6rN6NIZ0s1KogV6BeGIU+yW6fuIWmHIVveeaj Apgv6bVXxPpT+7anksEy7NecgA== X-Google-Smtp-Source: APXvYqzCVLSpk4OE/L2LUrTXd1xxgCf0fxLXYqqbD9oR0XvRr6RzlVdImC6SxgRlG2DIsUN1EbXjmQ== X-Received: by 2002:a17:902:aa08:: with SMTP id be8mr3333013plb.317.1570228029737; Fri, 04 Oct 2019 15:27:09 -0700 (PDT) Received: from localhost.localdomain (104-188-17-28.lightspeed.sndgca.sbcglobal.net. [104.188.17.28]) by smtp.gmail.com with ESMTPSA id x37sm6328136pgl.18.2019.10.04.15.27.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Oct 2019 15:27:08 -0700 (PDT) From: Bjorn Andersson To: Ohad Ben-Cohen , Bjorn Andersson Cc: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 1/6] rpmsg: glink: Fix reuse intents memory leak issue Date: Fri, 4 Oct 2019 15:26:57 -0700 Message-Id: <20191004222702.8632-2-bjorn.andersson@linaro.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20191004222702.8632-1-bjorn.andersson@linaro.org> References: <20191004222702.8632-1-bjorn.andersson@linaro.org> Sender: linux-remoteproc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-remoteproc@vger.kernel.org From: Arun Kumar Neelakantam Memory allocated for re-usable intents are not freed during channel cleanup which causes memory leak in system. Check and free all re-usable memory to avoid memory leak. Fixes: 933b45da5d1d ("rpmsg: glink: Add support for TX intents") Cc: stable@vger.kernel.org Tested-by: Srinivas Kandagatla Signed-off-by: Arun Kumar Neelakantam Reported-by: Srinivas Kandagatla Signed-off-by: Bjorn Andersson Acked-By: Chris Lew --- Changes since v1: - None drivers/rpmsg/qcom_glink_native.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 621f1afd4d6b..9355ce26fd98 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -241,10 +241,19 @@ static void qcom_glink_channel_release(struct kref *ref) { struct glink_channel *channel = container_of(ref, struct glink_channel, refcount); + struct glink_core_rx_intent *tmp; unsigned long flags; + int iid; spin_lock_irqsave(&channel->intent_lock, flags); + idr_for_each_entry(&channel->liids, tmp, iid) { + kfree(tmp->data); + kfree(tmp); + } idr_destroy(&channel->liids); + + idr_for_each_entry(&channel->riids, tmp, iid) + kfree(tmp); idr_destroy(&channel->riids); spin_unlock_irqrestore(&channel->intent_lock, flags); From patchwork Fri Oct 4 22:26:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Andersson X-Patchwork-Id: 11175433 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2F34F13B1 for ; Fri, 4 Oct 2019 22:27:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0DEE2222C0 for ; Fri, 4 Oct 2019 22:27:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="N1pFmJEh" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388115AbfJDW1N (ORCPT ); Fri, 4 Oct 2019 18:27:13 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:41539 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730497AbfJDW1M (ORCPT ); Fri, 4 Oct 2019 18:27:12 -0400 Received: by mail-pg1-f193.google.com with SMTP id s1so4522927pgv.8 for ; Fri, 04 Oct 2019 15:27:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=QoZQF1YbSGqv09dK0KDHECoZ26zQGdAXMaDDkqK/sak=; b=N1pFmJEh2KW227rJpCbD4242buzzbOIiY6ERrMQ9gsicebzcXfJT8NECywRZ0N5/si Tgj4n3z6k0mSjwaGIY0Sb9m/zLKF/BcICGuTagr4Zg+Au/njphRbjvNov33jKsA/Vf7Q WJF7/x1LoGppiW4Sq9F1hFhlPoIgmJwkPdEhKkhquJh7jCC02RvlcZ/+T+2suX+sWsQ8 0Q8AeMHZ0ScKasmjlFy/MbZh+z5Sjc/tD3uKcmfU+yPdrkHQHmMgRhn7Z+AutgO8kms7 M657x4K//+keOT+lxrB83va5DmkQtIz+fN8gUJr1lTqf+wsnRlzemkuwmS866ClQ9M6O 2XDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=QoZQF1YbSGqv09dK0KDHECoZ26zQGdAXMaDDkqK/sak=; b=qgJTQVSVfFphHjg2CaV0f0KvszZwRKjWHzl8VFt6HfAV+/jWdS+KR1EOPpq7PcTbkv hEH8zwRJatZkaQb8gezwEvcTBGqu+5IxiexJIlpGVy3gJ4BvVYav028BdDYcvac1Z1Hp yJEgIGOL1W3QQRERQ2o9HmdwEzO97ZNmCb/OkR3Xi0+WxZ5GHb9l3o3rS5MnN2LzdCyB FpI87GWNa9iiT4b9VkSU/oa0xdPj4W39FGCX74ty1uOOo3TTQeY/ZHvu3ccTrOq1DzS7 5hrxrixSfYCfVwZEGO1oIYCULTFj6cljhwdYNeoQPlSzAPn6LeQCbj2bkR0MD3MTXRcw Bxrg== X-Gm-Message-State: APjAAAXl6PA0+VfCqJVPZalZRtL/Z1sHfnGjr72aRgTU6J28ss5lAFye JWpr9ztyBzSR9zkr+3wYs5IY2A== X-Google-Smtp-Source: APXvYqx4xJ8Wtupkhwv6dK4c8+ZLjIxa9GbmQKmw3sJuGnsohr/0eA2ZNw37OxsBRy7204cKjdQ11w== X-Received: by 2002:a63:1420:: with SMTP id u32mr2589745pgl.62.1570228031137; Fri, 04 Oct 2019 15:27:11 -0700 (PDT) Received: from localhost.localdomain (104-188-17-28.lightspeed.sndgca.sbcglobal.net. [104.188.17.28]) by smtp.gmail.com with ESMTPSA id x37sm6328136pgl.18.2019.10.04.15.27.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Oct 2019 15:27:10 -0700 (PDT) From: Bjorn Andersson To: Ohad Ben-Cohen , Bjorn Andersson Cc: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 2/6] rpmsg: glink: Fix use after free in open_ack TIMEOUT case Date: Fri, 4 Oct 2019 15:26:58 -0700 Message-Id: <20191004222702.8632-3-bjorn.andersson@linaro.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20191004222702.8632-1-bjorn.andersson@linaro.org> References: <20191004222702.8632-1-bjorn.andersson@linaro.org> Sender: linux-remoteproc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-remoteproc@vger.kernel.org From: Arun Kumar Neelakantam Extra channel reference put when remote sending OPEN_ACK after timeout causes use-after-free while handling next remote CLOSE command. Remove extra reference put in timeout case to avoid use-after-free. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Cc: stable@vger.kernel.org Tested-by: Srinivas Kandagatla Signed-off-by: Arun Kumar Neelakantam Signed-off-by: Bjorn Andersson Acked-By: Chris Lew --- Changes since v1: - None drivers/rpmsg/qcom_glink_native.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 9355ce26fd98..72ed671f5dcd 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1103,13 +1103,12 @@ static int qcom_glink_create_remote(struct qcom_glink *glink, close_link: /* * Send a close request to "undo" our open-ack. The close-ack will - * release the last reference. + * release qcom_glink_send_open_req() reference and the last reference + * will be relesed after receiving remote_close or transport unregister + * by calling qcom_glink_native_remove(). */ qcom_glink_send_close_req(glink, channel); - /* Release qcom_glink_send_open_req() reference */ - kref_put(&channel->refcount, qcom_glink_channel_release); - return ret; } From patchwork Fri Oct 4 22:26:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Andersson X-Patchwork-Id: 11175435 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C92851747 for ; Fri, 4 Oct 2019 22:27:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A6F96222C7 for ; Fri, 4 Oct 2019 22:27:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="FHrs101s" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728812AbfJDW1q (ORCPT ); Fri, 4 Oct 2019 18:27:46 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:37114 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388081AbfJDW1N (ORCPT ); Fri, 4 Oct 2019 18:27:13 -0400 Received: by mail-pf1-f196.google.com with SMTP id y5so4741209pfo.4 for ; Fri, 04 Oct 2019 15:27:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=tgp/FeB2xBiOrdWqd66mmTH1EYf2q2e7GgKZ4PEeOIY=; b=FHrs101ssw/11oKSgeFbq+imwHggSoDWpMnD0XoJoGXLDG/DMQVKPS1SAt/7Dlb+jH JR4tbGd6OB7SxAvznNvOb94ShM/oM0QF5d8qI5f2T/sYyJsjAE4B4XDsXOPQ6sonOp9D U9zOwol2bbZakyvNAhVndhWwvqwwSPukMSDkCYis8Q3vdYKsMCjl/1pH8gI6VAzTyu5o NNMJaAGpMm1l5ySndZHzAySTeHWF+t2r2lzOfNybRl5Nm/Ltnl3oDjYSpMtPf5tfDbdP sT/kZkxgMZjvR1ShM9y5mC3EjNH5OJ8AZWS7D0ypKcEWw8VsvrIr3K2Snxpyyh2Crwn7 GQNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=tgp/FeB2xBiOrdWqd66mmTH1EYf2q2e7GgKZ4PEeOIY=; b=kFC1jYmGSb3hPRZ+maFg1t8XPOpv7t2qQKnEszTOy/RhkFEem8Ng6ToURUFBEAWQxX Uq1N7rWFW9RmvFcJvJUYq4F/bkfm5irIAgbUjF1FQYWjeFyGhpA12vrlnuRB52nkz6Ie f1il0JEK5VWO1bmCgXB49uvT3n7Hh0uAPxqm5Ra0D0HSF8SpIr4a6CbIG3wFlSIcCqJg YlR0pVujFyCkSRryPeLnN8E6le0whvTnKYRXua28j9IfjoS7QBZvUKGb1FulLCvC6T3e /SRG9ckZzjJ6O98wMSdLx4rQcfzvNOLBbmDodTh/Vd/eql2JBgcIwml0b7ilPWWNwPJ6 FrwQ== X-Gm-Message-State: APjAAAX+3E3xgAm6vTUq79OCuNC+iBmRXyPsaJZldgbuHzWYUHl94XZc iAwjfRpm4aQYFCSO76PvEYfrnC2pPFs= X-Google-Smtp-Source: APXvYqyl4USr2pI1tvW9hNGMGl74FlDuzskNacHLv+8mdd57yjumXhsLj97i5VBCiJe7su2dKbiBeg== X-Received: by 2002:aa7:9210:: with SMTP id 16mr19733167pfo.19.1570228032393; Fri, 04 Oct 2019 15:27:12 -0700 (PDT) Received: from localhost.localdomain (104-188-17-28.lightspeed.sndgca.sbcglobal.net. [104.188.17.28]) by smtp.gmail.com with ESMTPSA id x37sm6328136pgl.18.2019.10.04.15.27.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Oct 2019 15:27:11 -0700 (PDT) From: Bjorn Andersson To: Ohad Ben-Cohen , Bjorn Andersson Cc: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 3/6] rpmsg: glink: Put an extra reference during cleanup Date: Fri, 4 Oct 2019 15:26:59 -0700 Message-Id: <20191004222702.8632-4-bjorn.andersson@linaro.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20191004222702.8632-1-bjorn.andersson@linaro.org> References: <20191004222702.8632-1-bjorn.andersson@linaro.org> Sender: linux-remoteproc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-remoteproc@vger.kernel.org From: Chris Lew In a remote processor crash scenario, there is no guarantee the remote processor sent close requests before it went into a bad state. Remove the reference that is normally handled by the close command in the so channel resources can be released. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Cc: stable@vger.kernel.org Tested-by: Srinivas Kandagatla Signed-off-by: Chris Lew Reported-by: Srinivas Kandagatla Signed-off-by: Bjorn Andersson --- Changes since v1: - None drivers/rpmsg/qcom_glink_native.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 72ed671f5dcd..21fd2ae5f7f1 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1641,6 +1641,10 @@ void qcom_glink_native_remove(struct qcom_glink *glink) idr_for_each_entry(&glink->lcids, channel, cid) kref_put(&channel->refcount, qcom_glink_channel_release); + /* Release any defunct local channels, waiting for close-req */ + idr_for_each_entry(&glink->rcids, channel, cid) + kref_put(&channel->refcount, qcom_glink_channel_release); + idr_destroy(&glink->lcids); idr_destroy(&glink->rcids); spin_unlock_irqrestore(&glink->idr_lock, flags); From patchwork Fri Oct 4 22:27:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Andersson X-Patchwork-Id: 11175425 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F3BD613B1 for ; Fri, 4 Oct 2019 22:27:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D1AD6222C0 for ; Fri, 4 Oct 2019 22:27:34 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="br7cGTb8" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388752AbfJDW1a (ORCPT ); Fri, 4 Oct 2019 18:27:30 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:45313 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388358AbfJDW1Q (ORCPT ); Fri, 4 Oct 2019 18:27:16 -0400 Received: by mail-pg1-f196.google.com with SMTP id q7so4507594pgi.12 for ; Fri, 04 Oct 2019 15:27:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=eTUNCaOOSGwA+ig+a2CKta3BFk73Lmp2ve0uszPOGFc=; b=br7cGTb8FH/qLzSnTzorqurt95SrUFywuFB5Jl8nSZ7AiRZhJKECx1dlOZkzMPQ2de TI1tjqQbCkW9EHXKfKG7xkzTJMC/7Qy6nJJL98/o+m//yicGc2lAl7axy70kmOlCuoAi 8y0cNXf8U+jYYxIync3074I2CzZAIS81DVyhRRzRBsFn4cqEQxUnAphdR9CKenTeBiKE Da76fC7/0+PavmPZSpvRvz7wGQHMcf15iQfAoREnVjNpN2syvrWojYJvp8kReVwph+HW wpiCnrI0daqKIORVVW6qp8rF8XZy1UwRNwB8jlmE2X4H7Yt3Ek4Z0i7WEHj6VSswUeki 7FSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=eTUNCaOOSGwA+ig+a2CKta3BFk73Lmp2ve0uszPOGFc=; b=cvXXeVKibTXY9xh20UxSvb/p/rA5hMLB1ZvmqXq4+gKeUEAQP/2arcJCjTXGCe+211 YlIl6YnrCI9rGJVF6qW7mXzpbWDKwXPHiGGL8JoJ3JSm0KDmisiTwhanpE53BI6kUzzd yWzEetY9nMy/Ttm4dvhkLGZZKaWbGpz4XVYLqO8v4fExXGxDcDLxC1N7S3BjSaFgJDxU spkAF0XTXK475qlmCwer0JW1VfbYD4LSim3xc+8drW8zPkoMWKYX2WBjqeUjfyiMs/fO 8JCVnJJSVC6hCHQZOhpXg39LvxN5+1w6XcS4Uc4wB4kcHXREIQpSy2q/+i/IFCk1t257 nDQw== X-Gm-Message-State: APjAAAVLEf5dlH+sbIAz3igo0pBhtqfUD2+skP7eU6aue70rVcog9RPR JXtmIloDYjMXYpA90JFvqvKfQQ== X-Google-Smtp-Source: APXvYqztxqw61a4Nv7hxanL7+0PPCWg7dFcRWKaXzKZi+YVENH+DI3r7XNAlz+VlWXgVpUqJ9ACV5A== X-Received: by 2002:a17:90a:3847:: with SMTP id l7mr19708014pjf.118.1570228033776; Fri, 04 Oct 2019 15:27:13 -0700 (PDT) Received: from localhost.localdomain (104-188-17-28.lightspeed.sndgca.sbcglobal.net. [104.188.17.28]) by smtp.gmail.com with ESMTPSA id x37sm6328136pgl.18.2019.10.04.15.27.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Oct 2019 15:27:13 -0700 (PDT) From: Bjorn Andersson To: Ohad Ben-Cohen , Bjorn Andersson Cc: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 4/6] rpmsg: glink: Fix rpmsg_register_device err handling Date: Fri, 4 Oct 2019 15:27:00 -0700 Message-Id: <20191004222702.8632-5-bjorn.andersson@linaro.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20191004222702.8632-1-bjorn.andersson@linaro.org> References: <20191004222702.8632-1-bjorn.andersson@linaro.org> Sender: linux-remoteproc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-remoteproc@vger.kernel.org From: Chris Lew The device release function is set before registering with rpmsg. If rpmsg registration fails, the framework will call device_put(), which invokes the release function. The channel create logic does not need to free rpdev if rpmsg_register_device() fails and release is called. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Cc: stable@vger.kernel.org Tested-by: Srinivas Kandagatla Signed-off-by: Chris Lew Signed-off-by: Bjorn Andersson --- Changes since v1: - None drivers/rpmsg/qcom_glink_native.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 21fd2ae5f7f1..89e02baea2d0 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1423,15 +1423,13 @@ static int qcom_glink_rx_open(struct qcom_glink *glink, unsigned int rcid, ret = rpmsg_register_device(rpdev); if (ret) - goto free_rpdev; + goto rcid_remove; channel->rpdev = rpdev; } return 0; -free_rpdev: - kfree(rpdev); rcid_remove: spin_lock_irqsave(&glink->idr_lock, flags); idr_remove(&glink->rcids, channel->rcid); From patchwork Fri Oct 4 22:27:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Andersson X-Patchwork-Id: 11175427 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3E9AC13BD for ; Fri, 4 Oct 2019 22:27:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1DA45222CA for ; Fri, 4 Oct 2019 22:27:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="RelufgZ+" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388810AbfJDW1f (ORCPT ); Fri, 4 Oct 2019 18:27:35 -0400 Received: from mail-pf1-f193.google.com ([209.85.210.193]:34836 "EHLO mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388342AbfJDW1P (ORCPT ); Fri, 4 Oct 2019 18:27:15 -0400 Received: by mail-pf1-f193.google.com with SMTP id 205so4751377pfw.2 for ; Fri, 04 Oct 2019 15:27:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=DC2A5jSQG+hIe1l9YvJxvxOzUl1uERA8bQ7DMTBdthc=; b=RelufgZ+B/odeePAnM4e87bM9EabciKjaV6lHM4VYkTp/XFzlnEDyH2DNRxjXQF10u Y1cX00PxAOrVJXOMVI4Jz5pH6HZB8i2ZgTpxobzNvMAVib5gLlNe5A3fpFX+wEjHeLbj Nwnh722lDXKm7pVrndqojqo39nvS0EPkjZmnbvzWXqEcvUUc81j573I2IRNppESFcZ5F YSsMlhPDFhMcmTAgawV0PwlSpiD2yzwuqvqvF30LNcae/Vv3w+SsylmXVOuc0gAqGnuJ Ngr4Zw88cfUi/DX9COsC/+pNYS9s4O5KBXOW30BztAa/0l7uBPKY/Lp/6wr1WndjPEPK Uubw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=DC2A5jSQG+hIe1l9YvJxvxOzUl1uERA8bQ7DMTBdthc=; b=mbWgciDo8mLIL0uEW2NRNUFZ3FbUO8J87pp8tOll0r1mQMQ5SN2cm/pgxS3GDN9atN ZpfovM6yas4M2ax/7/KNiRuk2KTD3E2hWMTYnyit/hyMuwe0zDwVGuQKA+klGSeS312G ZTh9oO6fOOvZfWYxmA6TdJS2yoi2LzxPIt2sTDcfbuq2pX+L9cUtsF52StizHLgKIYTj FMXQvnPOurd8bwfrqz+TLmrLxSxim13sGNd8rEtf0nC952H8aU839KMCOkbD8IauyV+3 WKc57LTEW15UBZkbXDL505KOB4ws8uXfhRGwgZ4q4a9W6fkrc9PeoZlxNhhcwXsGquiw obFQ== X-Gm-Message-State: APjAAAUWfK5ug7QI1Y/8Rt5yda7AeZhtVVl8RXtVey7YUWtzmAMyswa2 9hUHwdtTqymYxewq+IQiPlewEQ== X-Google-Smtp-Source: APXvYqz5VK7pAGKA+8WpcMWMpMSCUhGcTozeLZuaV4L7KWEhbWBn6UuWfKMxTtVNaxJjYJpr5Vwh8g== X-Received: by 2002:a17:90a:e38f:: with SMTP id b15mr18969878pjz.140.1570228035009; Fri, 04 Oct 2019 15:27:15 -0700 (PDT) Received: from localhost.localdomain (104-188-17-28.lightspeed.sndgca.sbcglobal.net. [104.188.17.28]) by smtp.gmail.com with ESMTPSA id x37sm6328136pgl.18.2019.10.04.15.27.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Oct 2019 15:27:14 -0700 (PDT) From: Bjorn Andersson To: Ohad Ben-Cohen , Bjorn Andersson Cc: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 5/6] rpmsg: glink: Don't send pending rx_done during remove Date: Fri, 4 Oct 2019 15:27:01 -0700 Message-Id: <20191004222702.8632-6-bjorn.andersson@linaro.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20191004222702.8632-1-bjorn.andersson@linaro.org> References: <20191004222702.8632-1-bjorn.andersson@linaro.org> Sender: linux-remoteproc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-remoteproc@vger.kernel.org Attempting to transmit rx_done messages after the GLINK instance is being torn down will cause use after free and memory leaks. So cancel the intent_work and free up the pending intents. With this there are no concurrent accessors of the channel left during qcom_glink_native_remove() and there is therefor no need to hold the spinlock during this operation - which would prohibit the use of cancel_work_sync() in the release function. So remove this. Fixes: 1d2ea36eead9 ("rpmsg: glink: Add rx done command") Cc: stable@vger.kernel.org Tested-by: Srinivas Kandagatla Signed-off-by: Bjorn Andersson Acked-By: Chris Lew --- Changes since v1: - Drop the locking of idr_lock in qcom_glink_native_remove() drivers/rpmsg/qcom_glink_native.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 89e02baea2d0..4117818db6a1 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -241,11 +241,23 @@ static void qcom_glink_channel_release(struct kref *ref) { struct glink_channel *channel = container_of(ref, struct glink_channel, refcount); + struct glink_core_rx_intent *intent; struct glink_core_rx_intent *tmp; unsigned long flags; int iid; + /* cancel pending rx_done work */ + cancel_work_sync(&channel->intent_work); + spin_lock_irqsave(&channel->intent_lock, flags); + /* Free all non-reuse intents pending rx_done work */ + list_for_each_entry_safe(intent, tmp, &channel->done_intents, node) { + if (!intent->reuse) { + kfree(intent->data); + kfree(intent); + } + } + idr_for_each_entry(&channel->liids, tmp, iid) { kfree(tmp->data); kfree(tmp); @@ -1634,7 +1646,6 @@ void qcom_glink_native_remove(struct qcom_glink *glink) if (ret) dev_warn(glink->dev, "Can't remove GLINK devices: %d\n", ret); - spin_lock_irqsave(&glink->idr_lock, flags); /* Release any defunct local channels, waiting for close-ack */ idr_for_each_entry(&glink->lcids, channel, cid) kref_put(&channel->refcount, qcom_glink_channel_release); @@ -1645,7 +1656,6 @@ void qcom_glink_native_remove(struct qcom_glink *glink) idr_destroy(&glink->lcids); idr_destroy(&glink->rcids); - spin_unlock_irqrestore(&glink->idr_lock, flags); mbox_free_channel(glink->mbox_chan); } EXPORT_SYMBOL_GPL(qcom_glink_native_remove); From patchwork Fri Oct 4 22:27:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Andersson X-Patchwork-Id: 11175423 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E2CBE13B1 for ; Fri, 4 Oct 2019 22:27:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C161A222C0 for ; Fri, 4 Oct 2019 22:27:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="eMDlZ5C4" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388673AbfJDW1a (ORCPT ); Fri, 4 Oct 2019 18:27:30 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:37048 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388462AbfJDW1R (ORCPT ); Fri, 4 Oct 2019 18:27:17 -0400 Received: by mail-pl1-f193.google.com with SMTP id u20so3766118plq.4 for ; Fri, 04 Oct 2019 15:27:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=GFLy/0NyLkAXTIQiU1ce2NkpxRNc39jMeEi2th9+Q/o=; b=eMDlZ5C4geR0qxdtOA7FQXHpGKcU764pJI+ckB/wRPRbnEdzquTg+GeL1UgEUsmnk0 jeSsXMD1cn1W6BUxFWgqVS9IbdqQe/yRGbtgFA5kPzZh/c09SFslyvmFKvlSFAtnJUJK yQ/O1ntAwl4AxLX/8GBUDX3qSznBkuf9hy9852LB2Bt34HdrHe1RPEMpTbLBJztA2Rwq Bhkg8N5Ma4UtUDVaOJhBdTy/ZL+CSAMS0Vc4pJggWaKhY/7ZFA229MdQnDpH/vwvWnxs 5BIrmixZiqVBMO3Hcu29/Akw1P2MiGQvNo08ChJ61GndxQw8ivpAbbaUl7S5kVAuMM2a gU0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=GFLy/0NyLkAXTIQiU1ce2NkpxRNc39jMeEi2th9+Q/o=; b=XeDUnxBplELt3SukTJaLw77wfm1qYFBPiaJhKEbJQKNTobcC7pJw1onvSDOchIqhbI FU2vKwIizXkrvSjnOxu4lUkxUZTQFc1yiOUdg17tMc5ncl4k9LTnNGMmCG8zQ/z7t2gk g55Dxe3rvonXp4E2CP85lmmyiCQ0jMxxIiFFdzydAVNzuvPJGKHdCmK+5N2SxcfZPS+s 4/5K5dLluKSIZil+qJh4f2ZVryH58iS4NXDy+4kXpidyIVRkUqRyOLWc+IapllZLOGnf QIbMnKL3q9PtHPDNkfmbZC2hi868YaF7/gQbRZXc2k/oHOC+KW6vTjihzwLxO3Dh4WkT b65w== X-Gm-Message-State: APjAAAXqgut5+ze5Z/CYc7KPkvHeUlYrlxHnjs5iFYNRQUJL36qpINhO upVB+QpzhU6aiRrcojnVKY+NCA== X-Google-Smtp-Source: APXvYqw1y1k1dQjfISY8Rlcv8/TXflrZEIvSua9hRpUEkHIzv5roMO4L0pRE+8eTT3CbNrOsb8lBCA== X-Received: by 2002:a17:902:d916:: with SMTP id c22mr17525848plz.101.1570228036266; Fri, 04 Oct 2019 15:27:16 -0700 (PDT) Received: from localhost.localdomain (104-188-17-28.lightspeed.sndgca.sbcglobal.net. [104.188.17.28]) by smtp.gmail.com with ESMTPSA id x37sm6328136pgl.18.2019.10.04.15.27.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Oct 2019 15:27:15 -0700 (PDT) From: Bjorn Andersson To: Ohad Ben-Cohen , Bjorn Andersson Cc: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 6/6] rpmsg: glink: Free pending deferred work on remove Date: Fri, 4 Oct 2019 15:27:02 -0700 Message-Id: <20191004222702.8632-7-bjorn.andersson@linaro.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20191004222702.8632-1-bjorn.andersson@linaro.org> References: <20191004222702.8632-1-bjorn.andersson@linaro.org> Sender: linux-remoteproc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-remoteproc@vger.kernel.org By just cancelling the deferred rx worker during GLINK instance teardown any pending deferred commands are leaked, so free them. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Cc: stable@vger.kernel.org Tested-by: Srinivas Kandagatla Signed-off-by: Bjorn Andersson Acked-By: Chris Lew --- Changes since v1: - None drivers/rpmsg/qcom_glink_native.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 4117818db6a1..862f89c128a0 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1562,6 +1562,18 @@ static void qcom_glink_work(struct work_struct *work) } } +static void qcom_glink_cancel_rx_work(struct qcom_glink *glink) +{ + struct glink_defer_cmd *dcmd; + struct glink_defer_cmd *tmp; + + /* cancel any pending deferred rx_work */ + cancel_work_sync(&glink->rx_work); + + list_for_each_entry_safe(dcmd, tmp, &glink->rx_queue, node) + kfree(dcmd); +} + struct qcom_glink *qcom_glink_native_probe(struct device *dev, unsigned long features, struct qcom_glink_pipe *rx, @@ -1640,7 +1652,7 @@ void qcom_glink_native_remove(struct qcom_glink *glink) unsigned long flags; disable_irq(glink->irq); - cancel_work_sync(&glink->rx_work); + qcom_glink_cancel_rx_work(glink); ret = device_for_each_child(glink->dev, NULL, qcom_glink_remove_device); if (ret)