]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 14:27:03 +0000 (16:27 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 14:27:03 +0000 (16:27 +0200)
added patches:
rpmsg-char-add-lock-to-avoid-race-when-rpmsg-device-is-released.patch

queue-6.1/rpmsg-char-add-lock-to-avoid-race-when-rpmsg-device-is-released.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/rpmsg-char-add-lock-to-avoid-race-when-rpmsg-device-is-released.patch b/queue-6.1/rpmsg-char-add-lock-to-avoid-race-when-rpmsg-device-is-released.patch
new file mode 100644 (file)
index 0000000..4b009c8
--- /dev/null
@@ -0,0 +1,60 @@
+From 17b88a2050e9d1f89a53562f2adb709a8959e763 Mon Sep 17 00:00:00 2001
+From: Deepak Kumar Singh <quic_deesin@quicinc.com>
+Date: Mon, 19 Sep 2022 16:23:59 +0530
+Subject: rpmsg: char: Add lock to avoid race when rpmsg device is released
+
+From: Deepak Kumar Singh <quic_deesin@quicinc.com>
+
+commit 17b88a2050e9d1f89a53562f2adb709a8959e763 upstream.
+
+When remote host goes down glink char device channel is freed and
+associated rpdev is destroyed through rpmsg_chrdev_eptdev_destroy(),
+At the same time user space apps can still try to open/poll rpmsg
+char device which will result in calling rpmsg_create_ept()/rpmsg_poll().
+These functions will try to reference rpdev which has already been freed
+through rpmsg_chrdev_eptdev_destroy().
+
+File operation functions and device removal function must be protected
+with lock. This patch adds existing ept lock in remove function as well.
+
+Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/1663584840-15762-2-git-send-email-quic_deesin@quicinc.com
+Signed-off-by: Wen Yang <wen.yang@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rpmsg/rpmsg_char.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/rpmsg/rpmsg_char.c
++++ b/drivers/rpmsg/rpmsg_char.c
+@@ -75,6 +75,7 @@ int rpmsg_chrdev_eptdev_destroy(struct d
+       struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
+       mutex_lock(&eptdev->ept_lock);
++      eptdev->rpdev = NULL;
+       if (eptdev->ept) {
+               /* The default endpoint is released by the rpmsg core */
+               if (!eptdev->default_ept)
+@@ -128,6 +129,11 @@ static int rpmsg_eptdev_open(struct inod
+               return -EBUSY;
+       }
++      if (!eptdev->rpdev) {
++              mutex_unlock(&eptdev->ept_lock);
++              return -ENETRESET;
++      }
++
+       get_device(dev);
+       /*
+@@ -279,7 +285,9 @@ static __poll_t rpmsg_eptdev_poll(struct
+       if (!skb_queue_empty(&eptdev->queue))
+               mask |= EPOLLIN | EPOLLRDNORM;
++      mutex_lock(&eptdev->ept_lock);
+       mask |= rpmsg_poll(eptdev->ept, filp, wait);
++      mutex_unlock(&eptdev->ept_lock);
+       return mask;
+ }
index 6f1aa16872e2c085902e321ae254d89ac0c2db44..0923629c9f71fc9f594a62d076e82cdf35fdb398 100644 (file)
@@ -108,3 +108,4 @@ nfsd-fix-posix_acl-leak-on-setacl-decode-failure.patch
 nfsd-check-get_user-return-when-reading-princhashlen.patch
 nfsv4-pnfs-reject-zero-length-r_addr-in-nfs4_decode_mp_ds_addr.patch
 ksmbd-fix-out-of-bounds-read-in-smb_check_perm_dacl.patch
+rpmsg-char-add-lock-to-avoid-race-when-rpmsg-device-is-released.patch