File-scope "__pmic_glink_lock" mutex protects the file-scope "__pmic_glink", thus reference to it should be obtained under the lock, just like pmic_glink_rpmsg_remove() is doing. Otherwise we have a race during if PMIC GLINK device removal: the pmic_glink_rpmsg_probe() function could store local reference before mutex in driver removal is acquired.

Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver") Cc: stable@vger.kernel.org Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@linaro.org

---

Changes in v3: 1. None

Changes in v2: 1. None --- drivers/soc/qcom/pmic_glink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c index caf3f63d940e..11e88053cc11 100644 --- a/drivers/soc/qcom/pmic_glink.c +++ b/drivers/soc/qcom/pmic_glink.c @@ -236,10 +236,11 @@ static void pmic_glink_pdr_callback(int state, char *svc_path, void *priv)

static int pmic_glink_rpmsg_probe(struct rpmsg_device *rpdev) { - struct pmic_glink *pg = __pmic_glink; + struct pmic_glink *pg; int ret = 0;

mutex_lock(&__pmic_glink_lock); + pg = __pmic_glink; if (!pg) { ret = dev_err_probe(&rpdev->dev, -ENODEV, "no pmic_glink device to attach to\n"); goto out_unlock;