The `fastrpc_dspsignal_wait` function currently checks the
signal state before waiting for a signal from the DSP. However,
if the signal is already received before the check, it results
in an infinite loop, causing excessive resource usage.
This change addresses the race condition by checking both the
pending and signaled states. If the signal is not in the pending
state, it directly checks for the signaled state, resets the states,
and returns to avoid looping.
Change-Id: I00f80780cccf5a7b0e95f961607042efe62d9d30
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Currently unlocking the spinlock during maps list iteration
can lead to use after free. Fix is to lock, read one map
from list, stop iteration and unlock, repeate same for all
the maps complete in the list.
Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Change-Id: I834bdcb9dd55a33f6308188ec1f844b7d81cb30e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently, memory allocated for status notification is only
freed by the notif thread. If notif thread exits, notif entries
will not be freed. Free the notif entries while closing
the fastrpc file.
Change-Id: I8e715a4c449a595ce492379bfc50eaf456bbccf6
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Customer is seeing issue when sharing buffer to secure PD.
Buffer is being set to 'secure buffer type' by trusted driver which
is invalid in TVM.
There are no 'secure' buffers on TVM. All buffers in TVM need to be
marked as 'non-secure'.
Fix is to explicitly mark buffers as 'non-secure' for TVM only.
Change-Id: I80c70bc59dcbd78be4119c1855fd4e5fa2e7d5cb
Currently, only pd status is checked before sending any request
to DSP. On pd down notification all the pending contexts are
completed with connection reset error. But, if context gets
created after the pd down callback, it is not returned with
connection reset error. If the context is regarding pd attach,
daemon will get attached to DSP pd. And in this scenario, if
daemon gets killed and reconnection happens, ownership of init
memory will be assigned back to HLOS, which will cause SMMU fault.
Check pdr count for audioPD before sending any request to DSP.
Change-Id: Iadf1c9ca718659086fcd6dc8db105f48337933f6
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Decrement and check the ref count of map
inside the lock. Otherwise, two threads may
free the same map.
Change-Id: Iae758752c0d3c296f155f3200adb783c92100a70
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Currently driver is passing session id as zero when SSR notification
is queued. This will cause issues in case of multisession, only
default session will get the notification. Add a change to pass
proper session ID to make sure all the sessions are getting notified.
Change-Id: I1f3bb7169ff9c7b725e3a69dc098c56197e4cbaf
Signed-off-by: ANANDU KRISHNAN E <quic_anane@quicinc.com>
In fastrpc_print_debug_data accessing fl will cause
UAF condition if is_ramdump_enable is not set. In this
case, there won't be any wait condition in fastrpc_file_free
so fl will be freed in between accessing data. To fix this,
check is_ramdump_enable before accessing fl data.
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Change-Id: Ia4670a73f887e17afae3cfeb7e6c6457b3337ae9
Add proper return path to ensure that allocated memory for gmsglog
variables is freed before exiting. In error cases when returning
from the function without proper exit handling, not freeing allocated
memory leads to memory leak.
Change-Id: I718a6a3d1fef8598cb67e7d627bde00a8b009324
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
In fastrpc_file_free tgid_frpc is marked as unused before device
unregister. And current tgid_frpc can be used by to other sessions
from same process, which will lead to device register failures. To
avoid this scenario, mark tgid_frpc available after device unregister.
Change-Id: I6ba77af3a2b6d0d9aa961459dfe2bf163d5aede2
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
Thread 1 can make a to call fastrpc_mmap_create under internal mem map
and release fl->map_mutex. Thread 2 can make call to internal mem unmap,
acquire fl->map_mutex and get same map though fastrpc_mmap_remove.
Thread 1 fail in fastrpc_mem_map_to_dsp jumps to bail and do map free.
Thread 2 still holds same map which can lead use after free. Serialize
fastrpc internal mem map and unmap.
Change-Id: I54a3602914b43fc67635c0de193bd21aa13daaa3
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
This reverts commit 49d8960d0c.
Reason for revert: This change will block applications which will create
multiple sessions with different pd type. Hence need to revert the change.
Keeping 3rd party app to create multiple session intact.
Signed-off-by: Krishna Dogney <quic_kdogney@quicinc.com>
Change-Id: I1bef85d37bd003b752db05d42530d3ddfad0f726
To avoid queueing of a duplicate job that may belong to a freed ctx,
update async queue type from LIST to HLIST to avoid appending unhashed
nodes back to queue. Thread race can occur between thread undergoing
SSR routine and invoke response thread for FASTRPC_INVOKE2_ASYNC_RESPONSE
to queue job to the async queue.
Change-Id: Iebcd0e82f22ceb64d0f89e8458d6329c08c62bdc
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currenty in case where CMA alloc fails in fastrpc_device_init,
a warning is issued. But the error code is not reset. With this
change, above issue is handled properly and if CMA allocation is
successful, then only add the information to the channel structure.
Change-Id: I15aa32e82cecedaf4e2da7275cef13369b3429bc
Signed-off-by: quic_anane <quic_anane@quicinc.com>
Print non-ion buffer details as warning to help in size issues debugging.
Change-Id: Ib96af6d202620e06cd9ed15f2698f6eac5c3a444
Signed-off-by: Ramesh Nallagopu <quic_rnallago@quicinc.com>
Query buffer's attributes to determine if buffer should be mapped to secure
context bank.
Query buffer's HLOS access and return error from TVM driver if HLOS has
access to buffer.
Change-Id: Ia6d02b28929e1126a01c69a8425b6797fbee3506
Currently, a single process can create multiple sessions of different pd types.
Now, force all sessions of a process to be of same pd type on same dsp. Also,
allow untrusted apps to create multiple sessions on dsp.
Signed-off-by: Krishna Dogney <quic_kdogney@quicinc.com>
Change-Id:I98c97c1ceeefa303cee4909ccca280a2430da908
Setting flag to true in TVM to force TVM driver to use APIs
adsp_process_group_mmap64 and adsp_process_group_munmap64 instead
of adsp_process_group_mmap and adsp_process_group_munmap.
Change-Id: Ibbeb7f4177f11e75b1150e011090347219f04806
Define new ftrace to log dspsignal events like signalling, waiting,
waking up, completing and cancelling wait. These ftraces can be
used in performance debugging of dspqueue overheads.
Change-Id: Iaf5f3df0f7ba3bd3da94f7614724b8f63ca09ed6
Signed-off-by: Thyagarajan Venkatanarayanan <quic_venkatan@quicinc.com>
If process is exiting and pm wakelock is not released, cpu
can't go to sleep. Relax wakeup source during file_free to
allow cpu to go to sleep.
Change-Id: Ie6161edbd43f1fb11f36fbb8f913ceaf92e89736
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently we send custom tgid instead of original tgid to DSP.
It is difficult to debug issues only with DSP logs, dumps and
logcat. Add original tgid to custom tgid conversion log to help
in debug.
Change-Id: If05bae05bce69cf513cef0bd1672f78856c11ea8
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently the error code from hype assign failure is over writing by
fastrpc_unmap_on_dsp success and returning the false success. So added
separate variable to capture the error from fastrpc_unmap_on_dsp.
Change-Id: I6444635925416d8ef96800a02e8a1e3e550fa011
Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
When dma attachment fails during mmap_create, status
of HLOS memory is logged with sizes occupied by heap and
non heap buffers mapped in fl maps. The purpose of this
data is to get a snapshot of memory usage.
Change-Id: Ie913702a743a8572d9f68c9b58233d28541167b9
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
In case of IO Coherence disabled, to simulate
cache clean and invalidate for output buffers,
used dma_buf_end_cpu_access(DMA_TO_DEVICE)
and dma_buf_begin_cpu_access(DMA_FROM_DEVICE).
Change-Id: Id176a26cb740d168a1a28240874434c626e48d75
Signed-off-by: DEEPAK SANNAPAREDDY <quic_sdeeredd@quicinc.com>
Currently handles are unique only for a particular sub systems,
but they are not unique across all remote sub systems. Assign
unique handle to each session of the remote sub system.
Change-Id: I5cf0e82d87283006e719a3b24ae01a1fcb97c392
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
Spinlock in current scenario can be interrupted thus during ongoing
ISR. If callback received from dsp, attempt to acquire same lock
again will result into recursive spinlock with wait on queue to
acquire lock again. Modify spinlocks with global variable gfa to
non interruptible spinlocks in order to avoid this scenario.
Change-Id: I5ae4864370d94ae0e0e19d3d4939ada41d609234
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently there is no check if set session info is invoked
multiple times. Multiple calls to session info leaks memory
and process identifiers. Fail set session info on subsequent
calls.
Change-Id: I2072add44ce2a9c4c4ff544f8e568eeccc1220cf
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
(cherry picked from commit 1a5889127e7b0ff6974e50d762708bc2ef2d3a6c)
Currently, on SSR notification connection reset
error is returned even if invoke send completes
successfully. So, if there is invoke call for PD
spawn, init memory gets freed after receiving the
error. Currently, if init memory is accessed on DSP,
SMMU fault occurs. If internal invoke is successfully
completed, return the connection reset error only
for non-kernel handles.
Change-Id: I2f35a22562fac14a410815df6121cb1df80982a4
Acked-by: Abhishek Singh<abhishes@qti.qualcomm.com>
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently a process is limited to create only 2 sessions, by toggling
the 30th bit of tgid of the process, to create different process IDs on DSP
remote sybsystem. This approach is not scalable to create unique process
IDs to DSP, by using bits within the tgid of the process. Add support to
allow a process to create multiple sessions by choosing and sending unique
dsp process IDs on DSP remote sub system, instead of tgid of HLOS process.
Change-Id: I33f52c68453301bdbb83dfb9a10df16143098a49
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
NSP device status is exposed via SOC API.
On cat to this sys fs node, NSP status will be
returned. NSP status flag renamed to maintain
backward compatibility.
Change-Id: I67ae19e51fd58e02d78a40b30563f147bef5b20e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently probe is failing if device is closed. Driver registration
with device might already be finished, if match is successful, even
though probe fails. Fail the bus match when device is closed, so
driver does not gets registered with device.
Change-Id: I0511c7b3a27ddd4c2cd30d4aea9f961d1f4355d9
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
Currently, spinlock is acquired and wait state
is entered for dma_invoke to complete. This scenario
leads to watchdog bark for threads waiting to acquire
spinlock. This change is to avoid waiting for dma_invoke
completion after acquiring spinlock.
Change-Id: I9443fd8bfda77194103a871e4ad0295f79cf3034
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
Currently, QoS core count is probed from dtsi property.
Instead, update it at run-time by counting number of
lowest capacity cores. Probe DT to check if latency
voting for only a single-core is enabled, update count then.
Change-Id: I8eaddc382a4929d28a60db8d351eb8ca9793e82e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>
A dynamic SMMU mapping created as part of an RPC call can potentially
be removed by a parallel munmap ioctl call before the RPC call is
complete, leading to SMMU faults.
Maintain a ref-count that indicates that the mapping is being used by
a pending RPC call and allow the mapping to be removed only if this
count is 0.
Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442
Acked-by: Santosh Sakore <ssakore@qti.qualcomm.com>
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
When secure PD exits in case of SSR or another scenario, notify
all rpc threads waiting on kernel. This should allow rpc threads
to return failure to TVM clients.
Change-Id: Ie0e97d2cb0e378b9b1c1e558f8ed642710690d1f
Signed-off-by: Edgar Flores <quic_edgarf@quicinc.com>
After message is sent to DSP, async response thread
could immediately get the response and free context,
which will result in a use-after-free in invoke send.
To fix this, add local copy of ctx to trace and gmsg
logging. To fix async response and SSR race, we rely
on is_job_sent_to_remote_ss of ctx, now check valid
ctx from ctxtable to set is_job_sent_to_remote_ss.
Change-Id: I1ebbed61443beda7b5ffcbe858481a54cca96acb
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>
Currently SMMU context banks are chosen dynamically based on
available context bank. Few use cases requires context banks to
be fixed to retain SMMU mappings even after process exits and resumes
again. Few other use cases requires to use multiple context banks of
similar remote subsystem process types. Allocate designated context
bank session with process type matching with remote subsystem
process type.
Change-Id: Ie8ccad2fde4e2e21aaf8c6ede0ab31645cdf350c
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
Multiple sessions were being allocated from ADSP using
the shared context bank. Remove second for loop which was
not checking for the sharedcb variable.
Change-Id: Ie5831eb9454b909dfea62cffbdaf66d94b200b3b
Signed-off-by: Anirudh Raghavendra <quic_araghave@quicinc.com>
Currently there is no interface request to get HLOS PID of
the device attached to FastRPC bus driver. Add new request
FASTRPC_DEV_GET_HLOS_PID, to get HLOS PID of the attached
device.
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
The remote argument array size is more than the utilized.
Add fix to have proper array size to accommodate the
arguments for remote invocation.
Change-Id: Id0b290eebae850765f24e22918166d7e9d8827c4
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
When DSP process successfully spawned on the ADSP ,
the APPS side init memory is getting unmapped due to an error in driver,
by the time error printing in user space logs the SMMU fault is happening in ADSP.
So add the error log in fastrpc_init_create_dynamic_process.
Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Change-Id: I6df8000e9e34fa0916947528a52793b164ab3acb
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
This change enables sharing of a new page to DSP.
New page will contain inital debug parameters which we
need to pass to the DSP during the process initiation.
Change-Id: I8ae12cb364811a97eca3f15e70106b36bcec3f54
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
