
rpmsg: rpc: fix potential memory leak of unprocessed skbs

A user thread sends a request for a remote function execution
on the remote processor through a write() fop. All the responses
from the remote service are queued using allocated skbs in the
driver's rpmsg callback. The allocated skbs are processed and
freed in a read() fop. An error recovery causes a blocked user
thread to bail out immediately and any in-flight queued skbs
are left unprocessed. These in-flight skbs are never freed and
can result in a memory leak.

Fix the memory leak by checking for the presence of any of these
unprocessed skbs in the read queue, and freeing them during the
file descriptor's release() function. This also ensures no memory
is leaked for user applications with bugs and not using matching
write() and read() fops.

Signed-off-by: Suman Anna <s-anna@ti.com>
Suman Anna, 11 years ago
Parent
Current commit
f96ca956a2
1 file changed, 6 insertions, 0 deletions

drivers/rpmsg/rpmsg_rpc.c (+6, -0)

@@ -597,6 +597,7 @@ static int rppc_release(struct inode *inode, struct file *filp)
 {
 	struct rppc_instance *rpc = filp->private_data;
 	struct rppc_device *rppcdev = rpc->rppcdev;
+	struct sk_buff *skb = NULL;
 
 	dev_dbg(rpc->dev, "releasing Instance %p, in state %d\n", rpc,
 		rpc->state);
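Review bot: the `= NULL` initializer on the new `struct sk_buff *skb` local is redundant, since its only use in this function assigns it from skb_dequeue() before it is read; if the drain loop below is expressed with skb_queue_purge(&rpc->queue), the local is not needed at all and this hunk can be dropped.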
@@ -611,6 +612,11 @@ static int rppc_release(struct inode *inode, struct file *filp)
 
 	rppc_delete_fxns(rpc);
 
+	while (!skb_queue_empty(&rpc->queue)) {
+		skb = skb_dequeue(&rpc->queue);
+		kfree_skb(skb);
+	}
+
 	mutex_lock(&rpc->lock);
 	idr_for_each(&rpc->dma_idr, rppc_free_dmabuf, rpc);
 	idr_destroy(&rpc->dma_idr);
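Review bot: the open-coded `while (!skb_queue_empty(...)) { skb_dequeue(); kfree_skb(); }` loop reimplements skb_queue_purge(&rpc->queue), which dequeues and frees every queued skb in one call; using the helper is shorter and the idiomatic kernel way to drain a queue on teardown. Separately, since the commit message says the rpmsg callback enqueues responses into this queue, it is worth confirming that the callback can no longer run for this instance by the time release() reaches this point (the drain happens after rppc_delete_fxns() but the visible context does not show the endpoint being torn down); otherwise an skb queued after the loop exits would still leak.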