In fastrpc_print_debug_data accessing fl will cause
UAF condition if is_ramdump_enable is not set. In this
case, there won't be any wait condition in fastrpc_file_free
so fl will be freed in between accessing data. To fix this,
check is_ramdump_enable before accessing fl data.
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Change-Id: Ia4670a73f887e17afae3cfeb7e6c6457b3337ae9
(cherry picked from commit b18ae2cb6b)
In fastrpc_print_debug_data accessing fl will cause
UAF condition if is_ramdump_enable is not set. In this
case, there won't be any wait condition in fastrpc_file_free
so fl will be freed in between accessing data. To fix this,
check is_ramdump_enable before accessing fl data.
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Change-Id: Ia4670a73f887e17afae3cfeb7e6c6457b3337ae9
Add proper return path to ensure that allocated memory for gmsglog
variables is freed before exiting. In error cases when returning
from the function without proper exit handling, not freeing allocated
memory leads to memory leak.
Change-Id: I718a6a3d1fef8598cb67e7d627bde00a8b009324
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
In fastrpc_file_free tgid_frpc is marked as unused before device
unregister. And current tgid_frpc can be used by other sessions
from same process, which will lead to device register failures. To
avoid this scenario, mark tgid_frpc available after device unregister.
Change-Id: I6ba77af3a2b6d0d9aa961459dfe2bf163d5aede2
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
Add condition to enable driver for non GVM target.
Virtual fastrpc driver is used for target based on
hypervisor, skipping driver compilation.
Signed-off-by: Anvesh Jain P <quic_ajainp@quicinc.com>
Change-Id: I1ac5c0e29f259cbd05f426ca51cd945b695078c9
Thread 1 can make a call to fastrpc_mmap_create under internal mem map
and release fl->map_mutex. Thread 2 can make call to internal mem unmap,
acquire fl->map_mutex and get same map through fastrpc_mmap_remove.
Thread 1 fails in fastrpc_mem_map_to_dsp, jumps to bail and does map free.
Thread 2 still holds same map which can lead to use after free. Serialize
fastrpc internal mem map and unmap.
Change-Id: I54a3602914b43fc67635c0de193bd21aa13daaa3
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
Thread 1 can make a call to fastrpc_mmap_create under internal mem map
and release fl->map_mutex. Thread 2 can make call to internal mem unmap,
acquire fl->map_mutex and get same map through fastrpc_mmap_remove.
Thread 1 fails in fastrpc_mem_map_to_dsp, jumps to bail and does map free.
Thread 2 still holds same map which can lead to use after free. Serialize
fastrpc internal mem map and unmap.
Change-Id: I54a3602914b43fc67635c0de193bd21aa13daaa3
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
Added flag to indicate memory used
in process initialization. And, this memory
would not be removed in internal unmap to avoid
UAF or double free.
Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
This reverts commit 49d8960d0c.
Reason for revert: This change will block applications which will create
multiple sessions with different pd type. Hence need to revert the change.
Keeping 3rd party app to create multiple session intact.
Signed-off-by: Krishna Dogney <quic_kdogney@quicinc.com>
Change-Id: I1bef85d37bd003b752db05d42530d3ddfad0f726
To avoid queueing of a duplicate job that may belong to a freed ctx,
update async queue type from LIST to HLIST to avoid appending unhashed
nodes back to queue. Thread race can occur between thread undergoing
SSR routine and invoke response thread for FASTRPC_INVOKE2_ASYNC_RESPONSE
to queue job to the async queue.
Change-Id: Iebcd0e82f22ceb64d0f89e8458d6329c08c62bdc
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently in case where CMA alloc fails in fastrpc_device_init,
a warning is issued. But the error code is not reset. With this
change, above issue is handled properly and if CMA allocation is
successful, then only add the information to the channel structure.
Change-Id: I15aa32e82cecedaf4e2da7275cef13369b3429bc
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Print non-ion buffer details as warning to help in size issues debugging.
Change-Id: Ib96af6d202620e06cd9ed15f2698f6eac5c3a444
Signed-off-by: Ramesh Nallagopu <quic_rnallago@quicinc.com>
Query buffer's attributes to determine if buffer should be mapped to secure
context bank.
Query buffer's HLOS access and return error from TVM driver if HLOS has
access to buffer.
Change-Id: Ia6d02b28929e1126a01c69a8425b6797fbee3506
Currently, a single process can create multiple sessions of different pd types.
Now, force all sessions of a process to be of same pd type on same dsp. Also,
allow untrusted apps to create multiple sessions on dsp.
Signed-off-by: Krishna Dogney <quic_kdogney@quicinc.com>
Change-Id: I98c97c1ceeefa303cee4909ccca280a2430da908
Setting flag to true in TVM to force TVM driver to use APIs
adsp_process_group_mmap64 and adsp_process_group_munmap64 instead
of adsp_process_group_mmap and adsp_process_group_munmap.
Change-Id: Ibbeb7f4177f11e75b1150e011090347219f04806
Define new ftrace to log dspsignal events like signalling, waiting,
waking up, completing and cancelling wait. These ftraces can be
used in performance debugging of dspqueue overheads.
Change-Id: Iaf5f3df0f7ba3bd3da94f7614724b8f63ca09ed6
Signed-off-by: Thyagarajan Venkatanarayanan <quic_venkatan@quicinc.com>
If process is exiting and pm wakelock is not released, cpu
can't go to sleep. Relax wakeup source during file_free to
allow cpu to go to sleep.
Change-Id: I1be9d6b295c123e657dac90ba7fa013cd2f42bae
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Signed-off-by: Linux Image Build Automation <quic_ibautomat@quicinc.com>
If process is exiting and pm wakelock is not released, cpu
can't go to sleep. Relax wakeup source during file_free to
allow cpu to go to sleep.
Change-Id: Ie6161edbd43f1fb11f36fbb8f913ceaf92e89736
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently we send custom tgid instead of original tgid to DSP.
It is difficult to debug issues only with DSP logs, dumps and
logcat. Add original tgid to custom tgid conversion log to help
in debug.
Change-Id: If05bae05bce69cf513cef0bd1672f78856c11ea8
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently the error code from hype assign failure is being overwritten by
fastrpc_unmap_on_dsp success, returning a false success. So added
separate variable to capture the error from fastrpc_unmap_on_dsp.
Change-Id: I6444635925416d8ef96800a02e8a1e3e550fa011
Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
Currently handles are unique only for a particular subsystem,
but they are not unique across all remote subsystems. Assign
unique handle to each session of the remote subsystem.
Change-Id: Ie246f80c440d684c8fcb30ad0103da069c82ab6e
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
Signed-off-by: Linux Image Build Automation <quic_ibautomat@quicinc.com>
Currently there is no check if set session info is invoked
multiple times. Multiple calls to session info leaks memory
and process identifiers. Fail set session info on subsequent
calls.
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
(cherry picked from commit 1a5889127e7b0ff6974e50d762708bc2ef2d3a6c)
Signed-off-by: Linux Image Build Automation <quic_ibautomat@quicinc.com>
Change-Id: Id3512263274b86f0534fc5fd45bdf62783859ad5
When dma attachment fails during mmap_create, status
of HLOS memory is logged with sizes occupied by heap and
non heap buffers mapped in fl maps. The purpose of this
data is to get a snapshot of memory usage.
Change-Id: Ie913702a743a8572d9f68c9b58233d28541167b9
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
In case of IO Coherence disabled, to simulate
cache clean and invalidate for output buffers,
used dma_buf_end_cpu_access(DMA_TO_DEVICE)
and dma_buf_begin_cpu_access(DMA_FROM_DEVICE).
Change-Id: Id176a26cb740d168a1a28240874434c626e48d75
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
Check proper index before accessing glist_session_ctrl
to fix out of bound access.
Change-Id: Id942b0add1bcc99f0c2f8b22ce631a11685ab340
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently handles are unique only for a particular subsystem,
but they are not unique across all remote subsystems. Assign
unique handle to each session of the remote subsystem.
Change-Id: I5cf0e82d87283006e719a3b24ae01a1fcb97c392
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
Spinlock in current scenario can be interrupted thus during ongoing
ISR. If callback received from dsp, attempt to acquire same lock
again will result in recursive spinlock with wait on queue to
acquire lock again. Modify spinlocks with global variable gfa to
non interruptible spinlocks in order to avoid this scenario.
Change-Id: I5ae4864370d94ae0e0e19d3d4939ada41d609234
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently there is no check if set session info is invoked
multiple times. Multiple calls to session info leaks memory
and process identifiers. Fail set session info on subsequent
calls.
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
(cherry picked from commit 1a5889127e7b0ff6974e50d762708bc2ef2d3a6c)
Signed-off-by: Linux Image Build Automation <quic_ibautomat@quicinc.com>
Change-Id: I3b281a6892d8ab1cc1adbb5b9296485ed2738050