Currently, the DSP updates header buffers with unused DMA handle fds.
In the put_args section, if any DMA handle FDs are present in the
header buffer, the corresponding map is freed. However, since the
header buffer is exposed to users in unsigned PD, users can update
invalid FDs. If this invalid FD matches with any FD that is already
in use, it could lead to a use-after-free (UAF) vulnerability.
As a solution, add DMA handle references for DMA FDs, and the map for
the FD will be freed only when a reference is found.
Change-Id: Ie4d19dc0ef0ebdda5ed2fe6f7b64598ef661a63f
Signed-off-by: quic_anane <quic_anane@quicinc.com>

Currently, the compat ioctl call distinguishes itself using a global
flag. If a user sends a compat ioctl call followed by a normal ioctl
call, it may result in using a user passed address as a kernel address
in the fastrpc driver. To address this issue, consider localizing the
compat flag for the ioctl call.
Change-Id: Ie8fc724424534102736b8c0bc594720547ab6ff6
Signed-off-by: rnallago <quic_rnallago@quicinc.com>

Currently, in print_debug_data, kref_put is being called inside the
global lock, and the same lock is taken in the release callback of
kref_put, leading to spinlock recursion. There is no need to get and
put the reference for the fastrpc file inside this function because
we have already taken the reference inside the update_ramdump_status
while adding the init memory entry to the chan->initmems list.
Moreover, the same list will be used in print_debug_data.
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: Ifdc8b3e0c2bbc5cc4237eedaa24c8cd766262dfe

The fastrpc driver supports 4 remoteprocs. There are some
products such as automotive which support cdsp1 remoteproc.
Add changes to support cdsp1 remoteproc.
Change-Id: I3a9b221c53ccd4331de089ab38ccd6d715db4bf4
Signed-off-by: Anvesh Jain P <quic_ajainp@quicinc.com>

Currently, the CMA mini dump node is not being dequeued, leading to an
infinite loop. Dequeue the CMA mini dump node as well along with all
the init mems.
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: Ie5c24ee4ce43c798ed40a8d766371449bcf27b68

Add krefs reference counters to fastrpc process objects.
Process structures are used in multiple places and passed
around. Maintaining krefs helps ensure that the release routine
for the structure is called after the last reference to the pointer
is dropped.
Co-developed-by: Abhinav Parihar <quic_parihar@quicinc.com>
Change-Id: I5fd35af3c5581bf69ebfddf56951d76d9a2d10fb
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

Currently, unlocking the spinlock during maps list iteration
can lead to use after free. Fix is to lock, read one map
from the list, stop iteration and unlock, and repeat the same for all
the maps in the list.
Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Change-Id: I834bdcb9dd55a33f6308188ec1f844b7d81cb30e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

To avoid queueing of a duplicate job that may belong to a freed ctx,
update async queue type from LIST to HLIST to avoid appending unhashed
nodes back to queue. Thread race can occur between thread undergoing
SSR routine and invoke response thread for FASTRPC_INVOKE2_ASYNC_RESPONSE
to queue job to the async queue.
Change-Id: Iebcd0e82f22ceb64d0f89e8458d6329c08c62bdc
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

When dma attachment fails during mmap_create, status
of HLOS memory is logged with sizes occupied by heap and
non-heap buffers mapped in fl maps. The purpose of this
data is to get a snapshot of memory usage.
Change-Id: Ie913702a743a8572d9f68c9b58233d28541167b9
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

Currently there is no check if set session info is invoked
multiple times. Multiple calls to session info leak memory
and process identifiers. Fail set session info on subsequent
calls.
Change-Id: I2072add44ce2a9c4c4ff544f8e568eeccc1220cf
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
(cherry picked from commit 1a5889127e7b0ff6974e50d762708bc2ef2d3a6c)

Currently, a process is limited to creating only 2 sessions, by toggling
the 30th bit of the tgid of the process, to create different process IDs on the DSP
remote subsystem. This approach is not scalable for creating unique process
IDs on the DSP by using bits within the tgid of the process. Add support to
allow a process to create multiple sessions by choosing and sending unique
DSP process IDs to the DSP remote subsystem, instead of the tgid of the HLOS process.
Change-Id: I33f52c68453301bdbb83dfb9a10df16143098a49
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>

Compilation was failing with new header on LE HY11 build.
Adding compile-time flags to fix the issue.
Change-Id: Ia51e54f6b18e4d7195f47294b88f39ed2d52c4e8
Signed-off-by: Anirudh Raghavendra <quic_araghave@quicinc.com>

NSP device status is exposed via SOC API.
On cat to this sysfs node, NSP status will be
returned. NSP status flag renamed to maintain
backward compatibility.
Change-Id: I67ae19e51fd58e02d78a40b30563f147bef5b20e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

Include new header fastrpc_shared.h in existing header
(adsprpc_shared.h) and remove all ioctl definitions
from the existing header.
Change-Id: I5c5a08de0a077ec2717683134a0ec31466c34047
Signed-off-by: Anirudh Raghavendra <quic_araghave@quicinc.com>

Currently, QoS core count is probed from dtsi property.
Instead, update it at run-time by counting the number of
lowest-capacity cores. Probe DT to check if latency
voting for only a single core is enabled, and update the count then.
Change-Id: I8eaddc382a4929d28a60db8d351eb8ca9793e82e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

A dynamic SMMU mapping created as part of an RPC call can potentially
be removed by a parallel munmap ioctl call before the RPC call is
complete, leading to SMMU faults.
Maintain a ref-count that indicates that the mapping is being used by
a pending RPC call and allow the mapping to be removed only if this
count is 0.
Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442
Acked-by: Santosh Sakore <ssakore@qti.qualcomm.com>
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>

When secure PD exits in case of SSR or another scenario, notify
all rpc threads waiting on kernel. This should allow rpc threads
to return failure to TVM clients.
Change-Id: Ie0e97d2cb0e378b9b1c1e558f8ed642710690d1f
Signed-off-by: Edgar Flores <quic_edgarf@quicinc.com>

Currently SMMU context banks are chosen dynamically based on
the available context banks. A few use cases require context banks to
be fixed to retain SMMU mappings even after a process exits and resumes
again. A few other use cases require using multiple context banks of
similar remote subsystem process types. Allocate a designated context
bank session with process type matching the remote subsystem
process type.
Change-Id: Ie8ccad2fde4e2e21aaf8c6ede0ab31645cdf350c
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>

This change enables sharing of a new page to DSP.
New page will contain initial debug parameters which we
need to pass to the DSP during the process initiation.
Change-Id: I8ae12cb364811a97eca3f15e70106b36bcec3f54
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>

Currently an async job is first added to the pending context list and later
the job is sent to the remote subsystem. After the job is added to the pending
context list, if any SSR happens, all the async pending job contexts are
responded to and freed in the async response thread. The original thread that added the
job to the pending context list might not have sent the job, as there is an SSR, and can
free the context again in the same thread. Queue the response in SSR only when
the job is sent to the remote subsystem.
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>
Change-Id: I1f880316f327a8345433d5d22b619ef0a50d7240

In the current code fastrpc_file_free and the bus driver invoke call run in
parallel, and we would see corruption as both try to access the fastrpc_mmap
list. To resolve this issue, added a signaling mechanism between
fastrpc_file_free and the bus driver invoke call. If the bus driver invoke
call is running in parallel with fastrpc_file_free, it would wait
until the invoke call is completed. Also added locks in the bus driver API
to protect fastrpc_mmaps.
To improve code readability, created separate APIs for bus driver map
and unmap.
Change-Id: I5fd6f331febdecb319b168b36590a73e4532038a
Signed-off-by: Anirudh Raghavendra <quic_araghave@quicinc.com>

If pd is down, new device ioctls wait for pdup before
copying ioctl params and saving ctx information.
Shift the logic to check pdup from device_ioctl to after
context creation and before invoke send, to allow the
current ioctl information to be stored in the pending ctx.
Change-Id: Ia9747394020fd35b02f4074a82edecace72f87db
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>

Fixes to fastrpc trusted driver to run on TVM.
Added a workqueue for receiving kernel packets.
Changed array allocation of kernel sockets to save space.
Original design was allocating static 2-d array glist_session_ctrl
for all possible subsystems and domains.
New implementation is allocating a static 2-d reference array.
Each entry in the array will only be allocated if remote domain
is supported.
Change-Id: I303375822714aa6f8eadf525b09326aa05714fd7
Signed-off-by: Edgar Flores <quic_edgarf@quicinc.com>

Increasing number of allowed sessions from 13 to 14 to accommodate
the shared context banks for CPZ.
Change-Id: Ie0757dae9d0876f5e827daab4fe9e9a661fc0680
Signed-off-by: Anirudh Raghavendra <quic_araghave@quicinc.com>

Current subsystem state flag cannot define all states of the subsystem.
Different handling might be needed for different subsystem states.
Add multiple subsystem state support.
Change-Id: Id091dfded583c8cd7e95c0d306de6dd34b03485d
Acked-by: Santosh Sakore <ssakore@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>

Currently there is no debug information on when a ctx was interrupted or
restored. This makes ioctl hang / high invoke time issues
hard to debug. Add variables to store interrupted and restore
timestamps in the pending ctx and gmsg_log.
Change-Id: I32226e96c54acb5878f2b8d37110bae7f65d49f3
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>

Add ioctl control support to exit notif and async
threads.
Change-Id: Ifc7212fd84bdba46724252e00e1d479865cefc64
Signed-off-by: nishant chaubey <quic_chaubey@quicinc.com>

Currently PD type is getting updated with some magic numbers. Add
enum with different PD type information and use these types instead
of magic numbers for better code readability.
Change-Id: I20eb03726cabfcc88589be215c3c967b608a9cdb
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>

Currently CPZ secure context banks are not shared on CDSP. Share
CP secure context banks among applications that use secure memory,
so that many CPZ applications can be spawned and offloaded to DSP.
Change-Id: I77d95bab86ef527e41c9fe79058742615f4adb0e
Signed-off-by: Himateja Reddy <quic_hmreddy@quicinc.com>

Number of parameters in print statement was less than number of
format specifiers. This was causing an error with the new kernel
compiler.
Change-Id: Iad4ed0ad373559ecd64e8d9bfb1da37532f443c9
Signed-off-by: Anirudh Raghavendra <quic_araghave@quicinc.com>