From bf8fd0be9478b46351bf7f1b806f3e9c89465bc1 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 30 Jan 2022 15:48:11 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch
rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch
---
 ...he-release-of-rpmsg_ctrldev-and-cdev.patch | 112 ++++++++++++++++++
 ...the-release-of-rpmsg_eptdev-and-cdev.patch | 71 +++++++++++
 queue-5.15/series | 2 +
 3 files changed, 185 insertions(+)
 create mode 100644 queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch
 create mode 100644 queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch
diff --git a/queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch b/queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch
new file mode 100644
index 00000000000..55d427a934a
--- /dev/null
+++ b/queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch
@@ -0,0 +1,112 @@
+From b7fb2dad571d1e21173c06cef0bced77b323990a Mon Sep 17 00:00:00 2001
+From: Sujit Kautkar
+Date: Mon, 10 Jan 2022 10:47:36 -0800
+Subject: rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev
+
+From: Sujit Kautkar
+
+commit b7fb2dad571d1e21173c06cef0bced77b323990a upstream.
+
+struct rpmsg_ctrldev contains a struct cdev. The current code frees
+the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the
+cdev is a managed object, therefore its release is not predictable
+and the rpmsg_ctrldev could be freed before the cdev is entirely
+released, as in the backtrace below.
+
+[ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
+[ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
+[ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
+[ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26
+[ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
+[ 93.730055] Workqueue: events kobject_delayed_cleanup
+[ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
+[ 93.740216] pc : debug_print_object+0x13c/0x1b0
+[ 93.744890] lr : debug_print_object+0x13c/0x1b0
+[ 93.749555] sp : ffffffacf5bc7940
+[ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
+[ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
+[ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
+[ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
+[ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
+[ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0
+[ 93.785814] x17: 0000000000000000 x16: dfffffd000000000
+[ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
+[ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
+[ 93.802244] x11: 0000000000000001 x10: 0000000000000000
+[ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
+[ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000
+[ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000
+[ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
+[ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
+[ 93.835104] Call trace:
+[ 93.837644] debug_print_object+0x13c/0x1b0
+[ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0
+[ 93.846987] debug_check_no_obj_freed+0x18/0x20
+[ 93.851669] slab_free_freelist_hook+0xbc/0x1e4
+[ 93.856346] kfree+0xfc/0x2f4
+[ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8
+[ 93.864445] device_release+0x84/0x168
+[ 93.868310] kobject_cleanup+0x12c/0x298
+[ 93.872356] kobject_delayed_cleanup+0x10/0x18
+[ 93.876948] process_one_work+0x578/0x92c
+[ 93.881086] worker_thread+0x804/0xcf8
+[ 93.884963] kthread+0x2a8/0x314
+[ 93.888303] ret_from_fork+0x10/0x18
+
+The cdev_device_add/del() API was created to address this issue (see
+commit '233ed09d7fda ("chardev: add helper function to register char
+devs with a struct device")'), use it instead of cdev add/del().
+
+Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
+Signed-off-by: Sujit Kautkar
+Signed-off-by: Matthias Kaehlcke
+Reviewed-by: Mathieu Poirier
+Reviewed-by: Bjorn Andersson
+Reviewed-by: Stephen Boyd
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rpmsg/rpmsg_char.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/rpmsg/rpmsg_char.c
++++ b/drivers/rpmsg/rpmsg_char.c
+@@ -461,7 +461,6 @@ static void rpmsg_ctrldev_release_device
+
+ ida_simple_remove(&rpmsg_ctrl_ida, dev->id);
+ ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
+- cdev_del(&ctrldev->cdev);
+ kfree(ctrldev);
+ }
+
+@@ -496,19 +495,13 @@ static int rpmsg_chrdev_probe(struct rpm
+ dev->id = ret;
+ dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret);
+
+- ret = cdev_add(&ctrldev->cdev, dev->devt, 1);
++ ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev);
+ if (ret)
+ goto free_ctrl_ida;
+
+ /* We can now rely on the release function for cleanup */
+ dev->release = rpmsg_ctrldev_release_device;
+
+- ret = device_add(dev);
+- if (ret) {
+- dev_err(&rpdev->dev, "device_add failed: %d\n", ret);
+- put_device(dev);
+- }
+-
+ dev_set_drvdata(&rpdev->dev, ctrldev);
+
+ return ret;
+@@ -534,7 +527,7 @@ static void rpmsg_chrdev_remove(struct r
+ if (ret)
+ dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret);
+
+- device_del(&ctrldev->dev);
++ cdev_device_del(&ctrldev->cdev, &ctrldev->dev);
+ put_device(&ctrldev->dev);
+ }
+
diff --git a/queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch b/queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch
new file mode 100644
index 00000000000..24a8572736b
--- /dev/null
+++ b/queue-5.15/rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch
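Review bot: The new `ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev);` line in rpmsg_chrdev_probe, together with dropping `cdev_del()` from rpmsg_ctrldev_release_device, depends on a lifetime rule that no comment in the file states, so a later cleanup could reintroduce the use-after-free the commit message describes. As I read cdev_set_parent(), the helper makes `ctrldev->dev` the parent of the cdev and holds a reference on it, so the device release (and its `kfree(ctrldev)`) cannot run until the cdev itself has been released. I would put that above the call: `/* Parents the cdev to ctrldev->dev and pins it: release (and kfree) cannot run before the cdev is gone, so release must not cdev_del() */`. One caveat worth naming in the same comment is that cdev_device_add() registers the cdev only when `dev->devt` is non-zero, which the devt assignment earlier in probe, outside this hunk, appears to satisfy. The same note applies to rpmsg_eptdev_create in the second patch file.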
@@ -0,0 +1,71 @@
+From 7a534ae89e34e9b51acb5a63dd0f88308178b46a Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke
+Date: Mon, 10 Jan 2022 10:47:37 -0800
+Subject: rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev
+
+From: Matthias Kaehlcke
+
+commit 7a534ae89e34e9b51acb5a63dd0f88308178b46a upstream.
+
+struct rpmsg_eptdev contains a struct cdev. The current code frees
+the rpmsg_eptdev struct in rpmsg_eptdev_destroy(), but the cdev is
+a managed object, therefore its release is not predictable and the
+rpmsg_eptdev could be freed before the cdev is entirely released.
+
+The cdev_device_add/del() API was created to address this issue
+(see commit '233ed09d7fda ("chardev: add helper function to register
+char devs with a struct device")'), use it instead of cdev add/del().
+
+Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
+Suggested-by: Bjorn Andersson
+Signed-off-by: Matthias Kaehlcke
+Reviewed-by: Mathieu Poirier
+Reviewed-by: Stephen Boyd
+Reviewed-by: Bjorn Andersson
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220110104706.v6.2.Idde68b05b88d4a2e6e54766c653f3a6d9e419ce6@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rpmsg/rpmsg_char.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/rpmsg/rpmsg_char.c
++++ b/drivers/rpmsg/rpmsg_char.c
+@@ -92,7 +92,7 @@ static int rpmsg_eptdev_destroy(struct d
+ /* wake up any blocked readers */
+ wake_up_interruptible(&eptdev->readq);
+
+- device_del(&eptdev->dev);
++ cdev_device_del(&eptdev->cdev, &eptdev->dev);
+ put_device(&eptdev->dev);
+
+ return 0;
+@@ -335,7 +335,6 @@ static void rpmsg_eptdev_release_device(
+
+ ida_simple_remove(&rpmsg_ept_ida, dev->id);
+ ida_simple_remove(&rpmsg_minor_ida, MINOR(eptdev->dev.devt));
+- cdev_del(&eptdev->cdev);
+ kfree(eptdev);
+ }
+
+@@ -380,19 +379,13 @@ static int rpmsg_eptdev_create(struct rp
+ dev->id = ret;
+ dev_set_name(dev, "rpmsg%d", ret);
+
+- ret = cdev_add(&eptdev->cdev, dev->devt, 1);
++ ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
+ if (ret)
+ goto free_ept_ida;
+
+ /* We can now rely on the release function for cleanup */
+ dev->release = rpmsg_eptdev_release_device;
+
+- ret = device_add(dev);
+- if (ret) {
+- dev_err(dev, "device_add failed: %d\n", ret);
+- put_device(dev);
+- }
+-
+ return ret;
+
+ free_ept_ida:
diff --git a/queue-5.15/series b/queue-5.15/series
index 574c2a7bec0..94012962e5c 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -79,3 +79,5 @@ i40e-fix-queues-reservation-for-xdp.patch
 i40e-fix-for-failed-to-init-adminq-while-vf-reset.patch
 i40e-fix-unsigned-stat-widths.patch
 usb-roles-fix-include-linux-usb-role.h-compile-issue.patch
+rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch
+rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch
-- 
2.47.2
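Review bot: In rpmsg_eptdev_destroy the new `cdev_device_del(&eptdev->cdev, &eptdev->dev);` followed by the existing `put_device(&eptdev->dev);` changes when eptdev is actually freed, and the code does not say so: with the cdev now parented to the device, an open file descriptor keeps the cdev and hence eptdev alive, so rpmsg_eptdev_release_device may run at last close rather than here. That is the intended fix for the race, but a reader of `put_device()` will assume the memory is gone on return, so I would annotate that line: `/* drops our reference only; an open fd still pins the cdev and eptdev, so release may run at last close */`. Nothing after the `put_device()` touches eptdev in this hunk, which is right; the enclosing function starts outside the hunk, so callers holding an eptdev pointer past destroy cannot be checked from here.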