rpmsg: glink_pkt: Fix NULL pointer dereference in glink read

A NULL pointer can be dereferenced in glink_pkt_kfree_skb when
glink_pkt_read and glink_pkt_release execute in parallel.

Protect the dequeued rskb with rskb_read_lock mutex during
glink_pkt_release.

Change-Id: I27b800a2414555f4684d05e2b8e5a3022b450daf
Signed-off-by: Sivaji Boddupilli <quic_boddupil@quicinc.com>
Sivaji Boddupilli 2023-12-01 15:45:26 +05:30
parent bb197460ee
commit 93617f8527


@ -185,6 +185,7 @@ static void glink_pkt_clear_queues(struct glink_pkt_device *gpdev)
struct sk_buff *skb;
unsigned long flags;
mutex_lock(&gpdev->rskb_read_lock);
spin_lock_irqsave(&gpdev->queue_lock, flags);
if (gpdev->rskb) {
glink_pkt_kfree_skb(gpdev, gpdev->rskb);
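Review bot: The added `mutex_lock(&gpdev->rskb_read_lock)` ahead of `spin_lock_irqsave()` makes glink_pkt_clear_queues a sleeping function and fixes a lock order, but neither is documented at the call. The commit message names only glink_pkt_release as the path, and the other callers are not visible here, so it is worth confirming that none of them runs in atomic context. I would add a comment above the lock such as `/* Process context only: takes rskb_read_lock (mutex) before queue_lock (spinlock); the read path must use the same order. */`. The fix also depends on the read side re-checking `gpdev->rskb` while holding the mutex, and on the pointer being cleared after `glink_pkt_kfree_skb()`, both of which are outside the lines shown. The function body starts before this hunk and the matching `mutex_unlock()` is in the next one.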
@ -199,6 +200,7 @@ static void glink_pkt_clear_queues(struct glink_pkt_device *gpdev)
glink_pkt_kfree_skb(gpdev, skb);
spin_unlock_irqrestore(&gpdev->queue_lock, flags);
mutex_unlock(&gpdev->rskb_read_lock);
}
static int glink_pkt_rpdev_no_copy_cb(struct rpmsg_device *rpdev, void *buf,