From ee6fbe3a25ff94cf062f18dad4c78ed14f7924a1 Mon Sep 17 00:00:00 2001 From: Michael Ryleev Date: Wed, 21 Mar 2018 10:21:03 -0700 Subject: trusty-ipc: Fix a race condition in tipc_release Under certain conditions it is possible that an instance of tipc_dn_chan structure will be freed in context of tipc_release call while still being referenced and in use by corresponding instance of tipc_chan struct. In order to fix that, we will need to make sure that corresponding tipc_chan struct is not in use before freeing tipc_dn_chan struct. This CL introduces and implements a new callback in tipc_chan_ops struct, called handle_release, that when specified will be called while an instance of tipc_chan object is getting destroyed. This is only possible when the last reference to tipc_chan struct goes away so it is not in use anymore. Change-Id: I93849aab08e09374a9f8ca9fa00351839519027d Signed-off-by: Michael Ryleev Reviewed-on: https://git-master.nvidia.com/r/1679989 Tested-by: Stephen Wolfe Reviewed-by: Mihir Joshi Reviewed-by: Mahesh Lagadapati Reviewed-by: svc-mobile-coverity GVS: Gerrit_Virtual_Submit Reviewed-by: Bharat Nihalani Reviewed-by: mobile promotions Tested-by: mobile promotions --- include/linux/trusty/trusty_ipc.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/linux') diff --git a/include/linux/trusty/trusty_ipc.h b/include/linux/trusty/trusty_ipc.h index da785e98d..e76e252e4 100644 --- a/include/linux/trusty/trusty_ipc.h +++ b/include/linux/trusty/trusty_ipc.h @@ -44,6 +44,7 @@ struct tipc_chan_ops { void (*handle_event)(void *cb_arg, int event); struct tipc_msg_buf *(*handle_msg)(void *cb_arg, struct tipc_msg_buf *mb); + void (*handle_release)(void *cb_arg); }; struct tipc_chan *tipc_create_channel(struct device *dev, -- cgit v1.2.2
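Review bot: the new handle_release member at the end of struct tipc_chan_ops is added without a comment, so the header does not state the contract that the fix depends on. The commit message says the callback is called "when specified" while the tipc_chan object is being destroyed, after the last reference has gone away. Please record that above the member: that leaving handle_release NULL is allowed, that no handle_event or handle_msg call on the same cb_arg follows it, that this is the point at which the owner may free the object behind cb_arg, and whether the callback can be invoked from a context that must not sleep. This view is limited to include/linux, so the call site is not visible here; it should test the pointer for NULL before calling, because any tipc_chan_ops instance that does not set the new field will carry a NULL there.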