
soc: qcom: service-notifier: fix object corruption
authorSatya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Mon, 16 Jan 2017 18:37:08 +0000 (10:37 -0800)
committerSatya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Mon, 16 Jan 2017 18:37:08 +0000 (10:37 -0800)
The object corruption below was observed in service-notifier while executing
WLAN PDR tests: the modem crashed during the tests, which resulted in a
use-after-free condition. Add a mutex lock to fix the issue.

   ===============================================
   BUG kmalloc-1024 (Tainted: G        W  O   ): \
                              Poison overwritten
   -----------------------------------------------

   INFO: 0xffffffc0ba5c4d30-0xffffffc0ba5c4d3a. \
                   First byte 0xff instead of 0x6b
   INFO: Allocated in qmi_handle_create+0x4c/0x320 \
                      age=80203 cpu=0 pid=27134
        alloc_debug_processing+0x124/0x178
        ___slab_alloc.constprop.62+0x4ec/0x5d0
        __slab_alloc.isra.59.constprop.61+0x48/0x74
        kmem_cache_alloc_trace+0xd4/0x25c
        qmi_handle_create+0x4c/0x320
        root_service_service_arrive+0x3c/0x1e8
        process_one_work+0x234/0x40c
        worker_thread+0x2e0/0x410
        kthread+0xf4/0xfc
        ret_from_fork+0x10/0x40
   INFO: Freed in qmi_handle_destroy+0x154/0x16c \
                              age=50 cpu=1 pid=22765
        free_debug_processing+0x27c/0x354
        __slab_free+0x74/0x3ac
        kfree+0x21c/0x290
        qmi_handle_destroy+0x154/0x16c
        root_service_service_exit+0xf0/0x110
        ssr_event_notify+0x74/0x84
        notifier_call_chain+0x58/0x8c
        __srcu_notifier_call_chain+0x9c/0xc0
        srcu_notifier_call_chain+0x38/0x44
        subsys_notif_queue_notification+0x40/0x54
        notify_each_subsys_device.isra.9+0x18c/0x1b0
        subsystem_restart_wq_func+0x2f4/0x5a8
        process_one_work+0x234/0x40c
        worker_thread+0x2e0/0x410
        kthread+0xf4/0xfc
        ret_from_fork+0x10/0x40

Change-Id: Iebc0871220547c2d6f026db1dffafe30b854b199
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
drivers/soc/qcom/service-notifier.c

index 84a2aee..e7307c4 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -336,11 +336,13 @@ static void root_service_service_arrive(struct work_struct *work)
        int rc;
        int curr_state;
 
+       mutex_lock(&qmi_client_release_lock);
        /* Create a Local client port for QMI communication */
        data->clnt_handle = qmi_handle_create(root_service_clnt_notify, work);
        if (!data->clnt_handle) {
                pr_err("QMI client handle alloc failed (instance-id: %d)\n",
                                                        data->instance_id);
+               mutex_unlock(&qmi_client_release_lock);
                return;
        }
 
@@ -353,9 +355,11 @@ static void root_service_service_arrive(struct work_struct *work)
                                                        data->instance_id, rc);
                qmi_handle_destroy(data->clnt_handle);
                data->clnt_handle = NULL;
+               mutex_unlock(&qmi_client_release_lock);
                return;
        }
        data->service_connected = true;
+       mutex_unlock(&qmi_client_release_lock);
        pr_info("Connection established between QMI handle and %d service\n",
                                                        data->instance_id);
        /* Register for indication messages about service */