@@ -75,6 +75,7 @@ int rpmsg_chrdev_eptdev_destroy(struct device *dev, void *data)
struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
mutex_lock(&eptdev->ept_lock);
+ eptdev->rpdev = NULL;
if (eptdev->ept) {
rpmsg_destroy_ept(eptdev->ept);
eptdev->ept = NULL;
@@ -126,6 +127,11 @@ static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
return -EBUSY;
}
+ if (!eptdev->rpdev) {
+ mutex_unlock(&eptdev->ept_lock);
+ return -ENETRESET;
+ }
+
get_device(dev);
/*
@@ -277,7 +283,9 @@ static __poll_t rpmsg_eptdev_poll(struct file *filp, poll_table *wait)
if (!skb_queue_empty(&eptdev->queue))
mask |= EPOLLIN | EPOLLRDNORM;
+ mutex_lock(&eptdev->ept_lock);
mask |= rpmsg_poll(eptdev->ept, filp, wait);
+ mutex_unlock(&eptdev->ept_lock);
return mask;
}
When remote host goes down glink char device channel is freed, At the same time user space apps can still try to open/poll rpmsg char device which will result in calling rpmsg_create_ept. This may cause reference to already freed context of glink chardev channel and result in below crash signatures - 1) rpmsg_create_ept+0x40/0xa0 rpmsg_eptdev_open+0x88/0x138 chrdev_open+0xc4/0x1c8 do_dentry_open+0x230/0x378 2) rpmsg_poll+0x5c/0x80 rpmsg_eptdev_poll+0x84/0xa4 do_sys_poll+0x22c/0x5c8 This patch adds proper lock and check condition to avoid such crash. Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com> --- drivers/rpmsg/rpmsg_char.c | 8 ++++++++ 1 file changed, 8 insertions(+)