rpmsg: smd: do not use mananged resources for endpoints and channels

commit 4a2e84c6ed85434ce7843e4844b4d3263f7e233b upstream.

All the managed resources would be freed by the time release function
is invoked. Handling such memory in qcom_smd_edge_release() would do
bad things.

Found this issue while testing Audio usecase where the dsp is started up
and shutdown in a loop.

This patch fixes this issue by using simple kzalloc for allocating
channel->name and channel which is then freed in qcom_smd_edge_release().

Without this patch restarting a remoteproc would crash the system.
Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
Cc: <stable@vger.kernel.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
index 1d4770c..fd3d941 100644 (file)
--- a/drivers/rpmsg/qcom_smd.c
+++ b/drivers/rpmsg/qcom_smd.c
@@ -1006,12 +1006,12 @@ static struct qcom_smd_channel *qcom_smd_create_channel(struct qcom_smd_edge *ed
        void *info;
        int ret;
 
-       channel = devm_kzalloc(&edge->dev, sizeof(*channel), GFP_KERNEL);
+       channel = kzalloc(sizeof(*channel), GFP_KERNEL);
        if (!channel)
                return ERR_PTR(-ENOMEM);
 
        channel->edge = edge;
-       channel->name = devm_kstrdup(&edge->dev, name, GFP_KERNEL);
+       channel->name = kstrdup(name, GFP_KERNEL);
        if (!channel->name)
                return ERR_PTR(-ENOMEM);
 
@@ -1061,8 +1061,8 @@ static struct qcom_smd_channel *qcom_smd_create_channel(struct qcom_smd_edge *ed
        return channel;
 
 free_name_and_channel:
-       devm_kfree(&edge->dev, channel->name);
-       devm_kfree(&edge->dev, channel);
+       kfree(channel->name);
+       kfree(channel);
 
        return ERR_PTR(ret);
 }
@@ -1279,13 +1279,13 @@ static int qcom_smd_parse_edge(struct device *dev,
  */
 static void qcom_smd_edge_release(struct device *dev)
 {
-       struct qcom_smd_channel *channel;
+       struct qcom_smd_channel *channel, *tmp;
        struct qcom_smd_edge *edge = to_smd_edge(dev);
 
-       list_for_each_entry(channel, &edge->channels, list) {
-               SET_RX_CHANNEL_INFO(channel, state, SMD_CHANNEL_CLOSED);
-               SET_RX_CHANNEL_INFO(channel, head, 0);
-               SET_RX_CHANNEL_INFO(channel, tail, 0);
+       list_for_each_entry_safe(channel, tmp, &edge->channels, list) {
+               list_del(&channel->list);
+               kfree(channel->name);
+               kfree(channel);
        }
 
        kfree(edge);