Currently, the code flow bails out without releasing the spin lock,
leading to spin lock recursion. Additionally, the free function is
called during this bail, which is a sleep function. To address this
issue, ensure that the spin lock is released before proceeding to the
bail.
Change-Id: I57884049d7799c3c69eccb4fa2db043b073d5312
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Currently, remote heap maps get added to the global list before the
fastrpc_internal_mmap function completes the mapping. Meanwhile, the
fastrpc_internal_munmap function accesses the map, starts unmapping, and
frees the map before the fastrpc_internal_mmap function completes,
resulting in a use-after-free (UAF) issue. Add the map to the list after
the fastrpc_internal_mmap function completes the mapping.
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: I8aa23cf215e53d0613774c2b2657954bca6c72f4
Add krefs reference counters to fastrpc process objects.
Process structures are used in multiple places and passed
around. Maintaining krefs helps ensure that the release routine
for structure is called after last reference to the pointer
is done.
Co-developed-by: Abhinav Parihar <quic_parihar@quicinc.com>
Change-Id: I5fd35af3c5581bf69ebfddf56951d76d9a2d10fb
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently, after audio PDR, all invoke calls are discarded in pd status
check, due to this kill does not reach to DSP to clean up the ftq
group in guestOS. Fix is to discard only audio pd attachment and allow
kill message to clean DSP GuestOS resources.
Change-Id: Ica8bff6ed6e81eab4119c59c46fb6be9c0b79704
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
The current code collects RAM dumps for both DSP SSR and PDR, but not
required during PDR. Fix is to collect it for SSR and skip it for PDR.
Change-Id: Ibcc9c7291488b67fa0570e86eef5867ba7fcb2ed
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
The `fastrpc_dspsignal_wait` function currently checks the
signal state before waiting for a signal from the DSP. However,
if the signal is already received before the check, it results
in an infinite loop, causing excessive resource usage.
This change addresses the race condition by checking both the
pending and signaled states. If the signal is not in the pending
state, it directly checks for the signaled state, resets the states,
and returns to avoid looping.
Change-Id: I00f80780cccf5a7b0e95f961607042efe62d9d30
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Thread1 can free up the fl->init memory in
fastrpc_init_create_dynamic_process with fl spin lock, same time thread2
adding fl->init_mem to chan->initmems list with global spin lock in
fastrpc_update_ramdump_status can lead to use after free in
fastrpc_ramdump_collection. Fix is to use global spin lock while
handling fl->init_mem.
Change-Id: I7a497dc962b6967a4d594a3acce55f8ce0eb3a55
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
Currently unlocking the spinlock during maps list iteration
can lead to use after free. Fix is to lock, read one map
from list, stop iteration and unlock, repeate same for all
the maps complete in the list.
Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Change-Id: I834bdcb9dd55a33f6308188ec1f844b7d81cb30e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Add -ve value check for index to prevent the array out of bound access.
Change-Id: I0d23e2cb258227ef76779d82ec2c8f6b9cf7f95f
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
Currently, memory allocated for status notification is only
freed by the notif thread. If notif thread exits, notif entries
will not be freed. Free the notif entries while closing
the fastrpc file.
Change-Id: I8e715a4c449a595ce492379bfc50eaf456bbccf6
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Customer is seeing issue when sharing buffer to secure PD.
Buffer is being set to 'secure buffer type' by trusted driver which
is invalid in TVM.
There are no 'secure' buffers on TVM. All buffers in TVM need to be
marked as 'non-secure'.
Fix is to explicitly mark buffers as 'non-secure' for TVM only.
Change-Id: I80c70bc59dcbd78be4119c1855fd4e5fa2e7d5cb
Currently, only pd status is checked before sending any request
to DSP. On pd down notification all the pending contexts are
completed with connection reset error. But, if context gets
created after the pd down callback, it is not returned with
connection reset error. If the context is regarding pd attach,
daemon will get attached to DSP pd. And in this scenario, if
daemon gets killed and reconnection happens, ownership of init
memory will be assigned back to HLOS, which will cause SMMU fault.
Check pdr count for audioPD before sending any request to DSP.
Change-Id: Iadf1c9ca718659086fcd6dc8db105f48337933f6
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Decrement and check the ref count of map
inside the lock. Otherwise, two threads may
free the same map.
Change-Id: Iae758752c0d3c296f155f3200adb783c92100a70
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Currently driver is passing session id as zero when SSR notification
is queued. This will cause issues in case of multisession, only
default session will get the notification. Add a change to pass
proper session ID to make sure all the sessions are getting notified.
Change-Id: I1f3bb7169ff9c7b725e3a69dc098c56197e4cbaf
Signed-off-by: ANANDU KRISHNAN E <quic_anane@quicinc.com>
In fastrpc_print_debug_data accessing fl will cause
UAF condition if is_ramdump_enable is not set. In this
case, there won't be any wait condition in fastrpc_file_free
so fl will be freed in between accessing data. To fix this,
check is_ramdump_enable before accessing fl data.
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Change-Id: Ia4670a73f887e17afae3cfeb7e6c6457b3337ae9
Add proper return path to ensure that allocated memory for gmsglog
variables is freed before exiting. In error cases when returning
from the function without proper exit handling, not freeing allocated
memory leads to memory leak.
Change-Id: I718a6a3d1fef8598cb67e7d627bde00a8b009324
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
In fastrpc_file_free tgid_frpc is marked as unused before device
unregister. And current tgid_frpc can be used by to other sessions
from same process, which will lead to device register failures. To
avoid this scenario, mark tgid_frpc available after device unregister.
Change-Id: I6ba77af3a2b6d0d9aa961459dfe2bf163d5aede2
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
Add condition to enable driver for non GVM target.
Virtual fastrpc driver is used for target based on
hypervisor, skipping driver compilation.
Signed-off-by: Anvesh Jain P <quic_ajainp@quicinc.com>
Change-Id: I1ac5c0e29f259cbd05f426ca51cd945b695078c9
Thread 1 can make a to call fastrpc_mmap_create under internal mem map
and release fl->map_mutex. Thread 2 can make call to internal mem unmap,
acquire fl->map_mutex and get same map though fastrpc_mmap_remove.
Thread 1 fail in fastrpc_mem_map_to_dsp jumps to bail and do map free.
Thread 2 still holds same map which can lead use after free. Serialize
fastrpc internal mem map and unmap.
Change-Id: I54a3602914b43fc67635c0de193bd21aa13daaa3
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
This reverts commit 49d8960d0c.
Reason for revert: This change will block applications which will create
multiple sessions with different pd type. Hence need to revert the change.
Keeping 3rd party app to create multiple session intact.
Signed-off-by: Krishna Dogney <quic_kdogney@quicinc.com>
Change-Id: I1bef85d37bd003b752db05d42530d3ddfad0f726
To avoid queueing of a duplicate job that may belong to a freed ctx,
update async queue type from LIST to HLIST to avoid appending unhashed
nodes back to queue. Thread race can occur between thread undergoing
SSR routine and invoke response thread for FASTRPC_INVOKE2_ASYNC_RESPONSE
to queue job to the async queue.
Change-Id: Iebcd0e82f22ceb64d0f89e8458d6329c08c62bdc
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currenty in case where CMA alloc fails in fastrpc_device_init,
a warning is issued. But the error code is not reset. With this
change, above issue is handled properly and if CMA allocation is
successful, then only add the information to the channel structure.
Change-Id: I15aa32e82cecedaf4e2da7275cef13369b3429bc
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Print non-ion buffer details as warning to help in size issues debugging.
Change-Id: Ib96af6d202620e06cd9ed15f2698f6eac5c3a444
Signed-off-by: Ramesh Nallagopu <quic_rnallago@quicinc.com>
Query buffer's attributes to determine if buffer should be mapped to secure
context bank.
Query buffer's HLOS access and return error from TVM driver if HLOS has
access to buffer.
Change-Id: Ia6d02b28929e1126a01c69a8425b6797fbee3506
Currently, a single process can create multiple sessions of different pd types.
Now, force all sessions of a process to be of same pd type on same dsp. Also,
allow untrusted apps to create multiple sessions on dsp.
Signed-off-by: Krishna Dogney <quic_kdogney@quicinc.com>
Change-Id:I98c97c1ceeefa303cee4909ccca280a2430da908
Setting flag to true in TVM to force TVM driver to use APIs
adsp_process_group_mmap64 and adsp_process_group_munmap64 instead
of adsp_process_group_mmap and adsp_process_group_munmap.
Change-Id: Ibbeb7f4177f11e75b1150e011090347219f04806
Define new ftrace to log dspsignal events like signalling, waiting,
waking up, completing and cancelling wait. These ftraces can be
used in performance debugging of dspqueue overheads.
Change-Id: Iaf5f3df0f7ba3bd3da94f7614724b8f63ca09ed6
Signed-off-by: Thyagarajan Venkatanarayanan <quic_venkatan@quicinc.com>
If process is exiting and pm wakelock is not released, cpu
can't go to sleep. Relax wakeup source during file_free to
allow cpu to go to sleep.
Change-Id: Ie6161edbd43f1fb11f36fbb8f913ceaf92e89736
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently we send custom tgid instead of original tgid to DSP.
It is difficult to debug issues only with DSP logs, dumps and
logcat. Add original tgid to custom tgid conversion log to help
in debug.
Change-Id: If05bae05bce69cf513cef0bd1672f78856c11ea8
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently the error code from hype assign failure is over writing by
fastrpc_unmap_on_dsp success and returning the false success. So added
separate variable to capture the error from fastrpc_unmap_on_dsp.
Change-Id: I6444635925416d8ef96800a02e8a1e3e550fa011
Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
When dma attachment fails during mmap_create, status
of HLOS memory is logged with sizes occupied by heap and
non heap buffers mapped in fl maps. The purpose of this
data is to get a snapshot of memory usage.
Change-Id: Ie913702a743a8572d9f68c9b58233d28541167b9
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
