net: ipc_router: Flush xprt workqueue before removing routing table entry

During SSR removing the routing table entry before flushing the xprt
reader workqueue is allowing to add a duplicate routing table entry
again with removed xprt pointer and causing a xprt access after free.

Flush the xprt reader workqueue and free all pending packets from
the list before removing the routing table entry.

CRs-Fixed: 874846
Change-Id: I2f858252bb5f7a7b6382b42011ad524da3fffe87
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

net/ipc_router/ipc_router_core.c

@@ -3818,6 +3818,7 @@ static int msm_ipc_router_add_xprt(struct msm_ipc_router_xprt *xprt)
 static void msm_ipc_router_remove_xprt(struct msm_ipc_router_xprt *xprt)
 {
 	struct msm_ipc_router_xprt_info *xprt_info;
+	struct rr_packet *temp_pkt, *pkt;
 
 	if (xprt && xprt->priv) {
 		xprt_info = xprt->priv;
@@ -3827,6 +3828,15 @@ static void msm_ipc_router_remove_xprt(struct msm_ipc_router_xprt *xprt)
 		mutex_lock(&xprt_info->rx_lock_lhb2);
 		xprt_info->abort_data_read = 1;
 		mutex_unlock(&xprt_info->rx_lock_lhb2);
+		flush_workqueue(xprt_info->workqueue);
+		destroy_workqueue(xprt_info->workqueue);
+		mutex_lock(&xprt_info->rx_lock_lhb2);
+		list_for_each_entry_safe(pkt, temp_pkt,
+					 &xprt_info->pkt_list, list) {
+			list_del(&pkt->list);
+			release_pkt(pkt);
+		}
+		mutex_unlock(&xprt_info->rx_lock_lhb2);
 
 		down_write(&xprt_info_list_lock_lha5);
 		list_del(&xprt_info->list);
@@ -3834,8 +3844,6 @@ static void msm_ipc_router_remove_xprt(struct msm_ipc_router_xprt *xprt)
 
 		msm_ipc_cleanup_routing_table(xprt_info);
 
-		flush_workqueue(xprt_info->workqueue);
-		destroy_workqueue(xprt_info->workqueue);
 		wakeup_source_trash(&xprt_info->ws);
 
 		xprt->priv = 0;