author: Angela Stegmaier <angelabaker@ti.com> 2017-09-06 10:41:44 -0500
committer: David Huang <d-huang@ti.com> 2017-10-30 15:57:46 -0600
commit: a3c8fb0b6b01d045b7d9710a353cd14d97b52de6
tree: a834b260430b89e9c8a6927e9f8795dd157eb59d
parent: 6e0b75569be38ebc1b9dd4d3adfe8a53318dac0c
net/rpmsg: fix a potential NULL pointer dereference in bind()
The rpmsg proto driver creates a rpmsg channel device per remote processor through the socket's bind() interface (a Rx socket) for receiving messages from remote processors. The rpmsg channel device is created using a rpmsg_create_channel() API, which creates and registers a rpmsg device. The endpoint associated for this device is allocated during the rpmsg bus probe. In the rare case, the rpmsg bus probe can fail either to create an endpoint or return a failure from the corresponding rpmsg driver probe, and this failure status is not returned back to the callers of rpmsg_create_channel() function with no endpoint associated with the created rpmsg device. This can result in a potential NULL pointer panic in the rpmsg_sock_bind() function.

Fix this by adding an additional check for a valid endpoint. The rpmsg_sock_bind() creates a rpmsg device tied to the rpmsg_proto driver itself, so the endpoint creation sequence is guaranteed to be executed in the rpmsg bus probe because of a guaranteed driver match for the device. The rpmsg device is also unregistered upon an endpoint allocation failure as part of the cleanup.

Reported-by: Angela Stegmaier <angelabaker@ti.com>
Signed-off-by: Angela Stegmaier <angelabaker@ti.com>
[s-anna@ti.com: add the rpmsg_destroy_channel() call for cleanup]
Signed-off-by: Suman Anna <s-anna@ti.com>
-rw-r--r-- net/rpmsg/rpmsg_proto.c | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/rpmsg/rpmsg_proto.c b/net/rpmsg/rpmsg_proto.c
index ffc3cd007355..60032195f2e4 100644
--- a/net/rpmsg/rpmsg_proto.c
+++ b/net/rpmsg/rpmsg_proto.c
@@ -459,6 +459,11 @@ rpmsg_sock_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
if (!rpdev)
return -EINVAL;
+ if (!rpdev->ept) {
+ rpmsg_destroy_channel(rpdev);
+ return -EINVAL;
+ }
+
rpsk->rpdev = rpdev;
rpsk->unregister_rpdev = true;
rpsk->rproc_id = sa->vproc_id;
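Review bot: the new `if (!rpdev->ept)` block returns -EINVAL, the same code as the `if (!rpdev)` check just above it, which tells user space its bind() arguments were invalid when the actual cause is a channel device whose bus probe failed to allocate an endpoint; returning -ENODEV (or propagating -ENOMEM where the probe failure is an allocation) would let callers and log readers distinguish the two failures. The check also depends on the bus probe having completed synchronously inside rpmsg_create_channel() so that rpdev->ept is final when it is read here; the commit message explains that guarantee (a forced driver match for the rpmsg_proto device) but the code does not, so a one-line comment above the check, along with a note that rpmsg_destroy_channel() is the matching cleanup for the registered-but-unprobed device, would help the next reader.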