Commit graph

187 commits

Author SHA1 Message Date
Santosh
4cb6d58c44 dsp-kernel: Validate the CID before accessing the channel mutex
In the early stages of fastrpc_internal_invoke, we validate the user CID
and handle failure cases. However, in the error scenario, an invalid CID
can lead to issues when accessing the channel mutex. To prevent this, we
should validate the CID before accessing the channel mutex via fastrpc
user structure.

Change-Id: Ic1f7ae01a749b57c9b9e69210314d694ebcf300b
Signed-off-by: Santosh <quic_ssakore@quicinc.com>
2024-06-24 10:13:18 -07:00
Abhishek Singh
dab8bb801d dsp-kernel: Handle the spinlock recursion
Currently, in print_debug_data, kref_put is being called inside the
global lock, and the same lock is taken in the release callback of
kref_put, leading to spinlock recursion. There is no need to get and
put the reference for the fastrpc file inside this function because
we have already taken the reference inside the update_ramdump_status
while adding the init memory entry to the chan->initmems list.
Moreover, the same list will be used in print_debug_data.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: Ifdc8b3e0c2bbc5cc4237eedaa24c8cd766262dfe
(cherry picked from commit 3463a894b8)
2024-06-20 23:58:54 -07:00
Linux Build Service Account
efb2e9b453 Merge 91e7a6d3a6 on remote branch
Change-Id: I864d24f21c259b705ee081b2886502c9f02ad992
2024-06-19 07:58:14 -07:00
qctecmdr
91e7a6d3a6 Merge "msm: adsprpc: Add support for cdsp1 remoteproc" 2024-06-07 18:59:00 -07:00
Linux Build Service Account
a6e179ab88 Merge cbac754e8e on remote branch
Change-Id: I72cb100e24d51f3c3def87d9ed81bdc967842f91
2024-06-07 06:56:24 -07:00
Anvesh Jain P
dbd9441b48 msm: adsprpc: Add support for cdsp1 remoteproc
The fastrpc driver supports 4 remoteproc. There are some
products such as automotive which support cdsp1 remoteproc.
Add changes to support cdsp1 remoteproc.

Change-Id: I3a9b221c53ccd4331de089ab38ccd6d715db4bf4
Signed-off-by: Anvesh Jain P <quic_ajainp@quicinc.com>
2024-06-06 10:50:53 +05:30
qctecmdr
f2961aceca Merge "dsp-kernel: Adding locks while printing debug data" 2024-05-30 05:06:28 -07:00
qctecmdr
f5bccbffe3 Merge "dsp-kernel: Move the ssrcount access within a critical section" 2024-05-28 20:37:25 -07:00
Ansa Ahmed
dea40cdd29 dsp-kernel: Adding locks while printing debug data
Add locking mechanism while printing file map and cma map in print
debug data.

Change-Id: I36484d763b56ec88413ca9394c08ff30d85e664a
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
2024-05-28 10:12:42 -07:00
Abhishek Singh
8d872e2880 dsp-kernel: Dequeue the CMA mini dump node to avoid infinite loop
Currently, the CMA mini dump node is not being dequeued, leading to an
infinite loop. Dequeue the CMA mini dump node as well along with all
the init mems.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: Ie5c24ee4ce43c798ed40a8d766371449bcf27b68
(cherry picked from commit 74775598d4)
2024-05-28 10:11:01 -07:00
Minghao Xue
0abf6ac7b3 dsp-kernel: Handle dspsignal_wait based on timeout
Currently, dsp signal waits for a definite timeout even though
the timeout is set to indefinite wait, and returns a timeout error.
The fix adds a proper check for waiting indefinitely and
returns the proper error code.

Change-Id: Ib4d8835cee6c686dae45f8b5ddf128d24c28cdad
Signed-off-by: Minghao Xue <quic_mingxue@quicinc.com>
2024-05-28 16:56:01 +08:00
Santosh Sakore
a5ee0494e9 dsp-kernel: Move the ssrcount access within a critical section
The subsystem ssrcount is write-protected with a channel mutex. In a
few places, the code accesses it outside the critical section, which
can result in false reads during a race condition. To address this,
move the ssrcount access within a critical section.

Change-Id: I7df1e05fd892277a10514e3759f7ea67c51bac3b
Signed-off-by: Santosh <quic_ssakore@quicinc.com>
2024-05-28 13:03:15 +05:30
qctecmdr
fc1f38402c Merge "dsp-kernel: Dequeue the CMA mini dump node to avoid infinite loop" 2024-05-27 03:48:43 -07:00
Abhishek Singh
74775598d4 dsp-kernel: Dequeue the CMA mini dump node to avoid infinite loop
Currently, the CMA mini dump node is not being dequeued, leading to an
infinite loop. Dequeue the CMA mini dump node as well along with all
the init mems.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: Ie5c24ee4ce43c798ed40a8d766371449bcf27b68
2024-05-27 11:33:31 +05:30
Ansa Ahmed
d028daccf5 dsp-kernel: Adding locks while printing debug data
Add locking mechanism while printing file map and cma map in print
debug data.

Change-Id: I36484d763b56ec88413ca9394c08ff30d85e664a
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
2024-05-21 16:03:30 +05:30
Linux Build Service Account
9133607ddd Merge bc325e5025 on remote branch
Change-Id: I3a38af78c738d436f15b3592ce37ea7b52e8cc15
2024-05-17 03:24:24 -07:00
qctecmdr
cbac754e8e Merge "dsp-kernel: use-after-free (UAF) in global maps" 2024-05-16 09:35:18 -07:00
qctecmdr
17f348ad7a Merge "msm: Add anorak module support" 2024-05-13 21:37:33 -07:00
Sudheer Gummalla
26d80835ad msm: Add anorak module support
Add anorak module to support anorak target

Change-Id: Ifc81c5c4b02c40eaa7d2281c5a4c374657457514
Signed-off-by: Sudheer Gummalla <quic_gummalla@quicinc.com>
2024-05-09 13:00:44 +05:30
Abhishek Singh
3c85f07825 dsp-kernel: Handle spin lock in error scenarios
Currently, the code flow bails out without releasing the spin lock,
leading to spin lock recursion. Additionally, the free function is
called during this bail, which is a sleep function. To address this
issue, ensure that the spin lock is released before proceeding to the
bail.

Change-Id: I57884049d7799c3c69eccb4fa2db043b073d5312
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
2024-05-03 09:27:58 -07:00
Abhishek Singh
bc325e5025 dsp-kernel: Handle spin lock in error scenarios
Currently, the code flow bails out without releasing the spin lock,
leading to spin lock recursion. Additionally, the free function is
called during this bail, which is a sleep function. To address this
issue, ensure that the spin lock is released before proceeding to the
bail.

Change-Id: I57884049d7799c3c69eccb4fa2db043b073d5312
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
2024-05-02 00:24:39 -07:00
Linux Build Service Account
7023cf8949 Merge 963c25dc25 on remote branch
Change-Id: I3b7fe6c805c313b0f9fc8369c029c18863e103a0
2024-04-30 07:32:59 -07:00
Abhishek Singh
6dab51a3af dsp-kernel: use-after-free (UAF) in global maps
Currently, remote heap maps get added to the global list before the
fastrpc_internal_mmap function completes the mapping. Meanwhile, the
fastrpc_internal_munmap function accesses the map, starts unmapping, and
frees the map before the fastrpc_internal_mmap function completes,
resulting in a use-after-free (UAF) issue. Add the map to the list after
the fastrpc_internal_mmap function completes the mapping.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: I8aa23cf215e53d0613774c2b2657954bca6c72f4
2024-04-27 15:24:20 +05:30
Linux Build Service Account
022d81231f Merge 57edad9997 on remote branch
Change-Id: Ib5b0505fc26ace70446eb802e17d5c021f87ebb2
2024-04-11 09:44:59 -07:00
Ansa Ahmed
963c25dc25 dsp-kernel: Addition of krefs to fastrpc process structure
Add krefs reference counters to fastrpc process objects.
Process structures are used in multiple places and passed
around. Maintaining krefs helps ensure that the release routine
for structure is called after last reference to the pointer
is done.

Co-developed-by: Abhinav Parihar <quic_parihar@quicinc.com>
Change-Id: I5fd35af3c5581bf69ebfddf56951d76d9a2d10fb
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
2024-04-10 17:22:30 +05:30
Ramesh Nallagopu
8f36f9526b dsp-kernel: Allow audio PD kill call after audio PDR
Currently, after audio PDR, all invoke calls are discarded in pd status
check, due to this kill does not reach to DSP to clean up the ftq
group in guestOS. Fix is to discard only audio pd attachment and allow
kill message to clean DSP GuestOS resources.

Change-Id: Ica8bff6ed6e81eab4119c59c46fb6be9c0b79704
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
2024-03-29 16:59:21 +05:30
qctecmdr
57edad9997 Merge "adsprpc: Add check to prevent out of bound access" 2024-03-22 04:13:19 -07:00
Linux Build Service Account
2c74ad4f82 Merge 8a799ee9b4 on remote branch
Change-Id: I314654344688742d370b3fc5325a9491c88b5352
2024-03-20 01:37:52 -07:00
qctecmdr
7f8a3c54d4 Merge "adsprpc: Skip ramdump during PDR" 2024-03-14 13:30:54 -07:00
Ramesh Nallagopu
2643292546 adsprpc: Skip ramdump during PDR
The current code collects RAM dumps for both DSP SSR and PDR, but not
required during PDR. Fix is to collect it for SSR and skip it for PDR.

Change-Id: Ibcc9c7291488b67fa0570e86eef5867ba7fcb2ed
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
2024-03-14 17:47:37 +05:30
qctecmdr
8a799ee9b4 Merge "msm: adsprpc : Fix use after free in fastrpc_update_ramdump_status" 2024-03-07 07:27:26 -08:00
qctecmdr
e797e0d37f Merge "dsp-kernel: Handle race-condition in dsp signal" 2024-03-07 05:19:46 -08:00
quic_anane
1d05790e68 dsp-kernel: Handle race-condition in dsp signal
The `fastrpc_dspsignal_wait` function currently checks the
signal state before waiting for a signal from the DSP. However,
if the signal is already received before the check, it results
in an infinite loop, causing excessive resource usage.

This change addresses the race condition by checking both the
pending and signaled states. If the signal is not in the pending
state, it directly checks for the signaled state, resets the states,
and returns to avoid looping.

Change-Id: I00f80780cccf5a7b0e95f961607042efe62d9d30
Signed-off-by: quic_anane <quic_anane@quicinc.com>
2024-03-05 14:15:25 -08:00
Ramesh Nallagopu
cc9738786a msm: adsprpc : Fix use after free in fastrpc_update_ramdump_status
Thread1 can free up the fl->init memory in
fastrpc_init_create_dynamic_process with fl spin lock, same time thread2
adding fl->init_mem to chan->initmems list with global spin lock in
fastrpc_update_ramdump_status can lead to use after free in
fastrpc_ramdump_collection. Fix is to use global spin lock while
handling fl->init_mem.

Change-Id: I7a497dc962b6967a4d594a3acce55f8ce0eb3a55
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
2024-03-05 22:25:07 +05:30
Ansa Ahmed
4e20907ac2 msm: adsprpc: Handle UAF in fastrpc_mmap_remove_ssr
Currently unlocking the spinlock during maps list iteration
can lead to use after free. Fix is to lock, read one map
from list, stop iteration and unlock, repeat same for all
the maps complete in the list.

Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Change-Id: I834bdcb9dd55a33f6308188ec1f844b7d81cb30e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
2024-03-05 11:29:50 +05:30
rnallago
a4befa3f75 adsprpc: Add check to prevent out of bound access
Add -ve value check for index to prevent the array out of bound access.

Change-Id: I0d23e2cb258227ef76779d82ec2c8f6b9cf7f95f
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
2024-03-04 18:24:29 +05:30
quic_anane
207899cb03 dsp-kernel: Check for user input buffer
Add check for user input buffer to fix improper access.

Signed-off-by: quic_anane <quic_anane@quicinc.com>
(cherry picked from commit 23611a1626)

Change-Id: I888ba99d81ca4659858193abfdb16706c989d1c3
2024-02-25 03:09:33 -08:00
Abhishek Singh
941b3f835f msm: adsprpc: Free the memory allocated for status notification
Currently, memory allocated for status notification is only
freed by the notif thread. If notif thread exits, notif entries
will not be freed. Free the notif entries while closing
the fastrpc file.

Change-Id: I8e715a4c449a595ce492379bfc50eaf456bbccf6
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
2024-02-20 00:08:24 -08:00
qctecmdr
d95b6bb0db Merge "msm: Add volcano module support" 2024-02-08 06:20:35 -08:00
Abhishek Singh
8b49e1eaa0 msm: Add volcano module support
Add volcano module to support volcano target

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: I02b1c9a14370ceb5bf2ae495e15be7c54f1a3bb6
2024-02-06 11:00:03 +05:30
Linux Build Service Account
0285a156a7 Merge 698dfba608 on remote branch
Change-Id: I3f28983cef832bc88859c2c62560462512c185ca
2024-02-04 09:57:16 -08:00
quic_anane
23611a1626 dsp-kernel: Check for user input buffer
Add check for user input buffer to fix improper access.

Signed-off-by: quic_anane <quic_anane@quicinc.com>
2024-01-25 16:43:12 +05:30
Linux Build Service Account
4b8ecfbc5b Merge f4142dce5c on remote branch
Change-Id: I28f173ce6eb401127cbfbf38ea754c5f073c8ebe
2024-01-24 10:23:08 -08:00
Edgar Flores
698dfba608 msm: adsprpc: Set buffer type in TVM to non-secure
Customer is seeing issue when sharing buffer to secure PD.
Buffer is being set to 'secure buffer type' by trusted driver which
is invalid in TVM.
There are no 'secure' buffers on TVM. All buffers in TVM need to be
marked as 'non-secure'.

Fix is to explicitly mark buffers as 'non-secure' for TVM only.

Change-Id: I80c70bc59dcbd78be4119c1855fd4e5fa2e7d5cb
2024-01-23 16:09:22 -08:00
qctecmdr
f4142dce5c Merge "dsp-kernel: Check pdrcount count along with pd status" 2024-01-04 12:18:51 -08:00
Linux Build Service Account
7ba5981c13 Merge a976ff28cc on remote branch
Change-Id: I4f241aca6df859d4f79f7bdcf26a5b43133df379
2024-01-03 04:39:27 -08:00
Abhishek Singh
a7c28cef64 dsp-kernel: Check pdrcount count along with pd status
Currently, only pd status is checked before sending any request
to DSP. On pd down notification all the pending contexts are
completed with connection reset error. But, if context gets
created after the pd down callback, it is not returned with
connection reset error. If the context is regarding pd attach,
daemon will get attached to DSP pd. And in this scenario, if
daemon gets killed and reconnection happens, ownership of init
memory will be assigned back to HLOS, which will cause SMMU fault.
Check pdr count for audioPD before sending any request to DSP.

Change-Id: Iadf1c9ca718659086fcd6dc8db105f48337933f6
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
2024-01-02 11:43:30 +05:30
Abhishek Singh
a976ff28cc msm: adsprpc: Avoid double free on map
Decrement and check the ref count of map
inside the lock. Otherwise, two threads may
free the same map.

Change-Id: Iae758752c0d3c296f155f3200adb783c92100a70
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
2023-12-18 12:32:29 +05:30
Linux Build Service Account
f3294982e8 Merge b18ae2cb6b on remote branch
Change-Id: I1a13150b54046d36ff065f6045e2f4277253cbee
2023-12-12 11:31:05 -08:00
quic_anane
c5d0af46d7 dsp-kernel: add session id for SSR notifications
Currently driver is passing session id as zero when SSR notification
is queued. This will cause issues in case of multisession, only
default session will get the notification. Add a change to pass
proper session ID to make sure all the sessions are getting notified.

Change-Id: I1f3bb7169ff9c7b725e3a69dc098c56197e4cbaf
Signed-off-by: ANANDU KRISHNAN E <quic_anane@quicinc.com>
2023-12-12 01:23:34 -08:00