From 93617f8527dcdefbd6588acdd7fcebeb015c6398 Mon Sep 17 00:00:00 2001
From: Sivaji Boddupilli
Date: Fri, 1 Dec 2023 15:45:26 +0530
Subject: [PATCH] rpmsg: glink_pkt: Fix NULL pointer dereference in glink read

There is a chance to dereference the null pointer in glink_pkt_kfree_skb when glink_pkt_read and glink_pkt_release executing parallelly. Protect the dequeued rskb with rskb_read_lock mutex during glink_pkt_release.

Change-Id: I27b800a2414555f4684d05e2b8e5a3022b450daf
Signed-off-by: Sivaji Boddupilli
---
 drivers/rpmsg/glink_pkt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/rpmsg/glink_pkt.c b/drivers/rpmsg/glink_pkt.c
index 4c67a304c259..ae1648209dbd 100644
--- a/drivers/rpmsg/glink_pkt.c
+++ b/drivers/rpmsg/glink_pkt.c
@@ -185,6 +185,7 @@ static void glink_pkt_clear_queues(struct glink_pkt_device *gpdev)
 	struct sk_buff *skb;
 	unsigned long flags;
 
+	mutex_lock(&gpdev->rskb_read_lock);
 	spin_lock_irqsave(&gpdev->queue_lock, flags);
 	if (gpdev->rskb) {
 		glink_pkt_kfree_skb(gpdev, gpdev->rskb);
@@ -199,6 +200,7 @@ static void glink_pkt_clear_queues(struct glink_pkt_device *gpdev)
 		glink_pkt_kfree_skb(gpdev, skb);
 	spin_unlock_irqrestore(&gpdev->queue_lock, flags);
 
+	mutex_unlock(&gpdev->rskb_read_lock);
 }
 
 static int glink_pkt_rpdev_no_copy_cb(struct rpmsg_device *rpdev, void *buf,
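Review bot: The new mutex_lock(&gpdev->rskb_read_lock) at the top of glink_pkt_clear_queues turns every caller of this function into a sleeping context, so the patch is only correct if no path reaches it from atomic context or while already holding rskb_read_lock; the hunks do not show the callers, and the message names only glink_pkt_release, so please confirm that the rpmsg callback paths never invoke it under queue_lock. Because a mutex sleeps it can never be nested inside spin_lock_irqsave, which fixes the only legal order as rskb_read_lock before queue_lock — the order this hunk uses — and that ordering deserves a comment where the field is declared, e.g. `/* rskb_read_lock: serialises users of rskb against teardown; always taken before queue_lock */`, since the next reader of glink_pkt_read must keep the same order. The same point applies to the second hunk's mutex_unlock; there a blank line sits between spin_unlock_irqrestore() and the new unlock, and dropping it keeps the two release calls visually paired with their acquires. The function's opening and the lines between the two hunks are outside what is shown here.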