Fixes for issues found in GLINK during reboot testing of a remoteproc.
Arun Kumar Neelakantam (2):
rpmsg: glink: Fix reuse intents memory leak issue
rpmsg: glink: Fix use after free in open_ack TIMEOUT case
Bjorn Andersson (2):
rpmsg: glink: Don't send pending rx_done during remove
rpmsg: glink: Free pending deferred work on remove
Chris Lew (2):
rpmsg: glink: Put an extra reference during cleanup
rpmsg: glink: Fix rpmsg_register_device err handling
drivers/rpmsg/qcom_glink_native.c | 52 +++++++++++++++++++++++++------
1 file changed, 42 insertions(+), 10 deletions(-)
--
2.18.0
From: Arun Kumar Neelakantam <[email protected]>
Memory allocated for re-usable intents are not freed during channel
cleanup which causes memory leak in system.
Check and free all re-usable memory to avoid memory leak.
Fixes: 933b45da5d1d ("rpmsg: glink: Add support for TX intents")
Cc: [email protected]
Tested-by: Srinivas Kandagatla <[email protected]>
Signed-off-by: Arun Kumar Neelakantam <[email protected]>
Reported-by: Srinivas Kandagatla <[email protected]>
Signed-off-by: Bjorn Andersson <[email protected]>
---
Changes since v1:
- None
drivers/rpmsg/qcom_glink_native.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 621f1afd4d6b..9355ce26fd98 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -241,10 +241,19 @@ static void qcom_glink_channel_release(struct kref *ref)
{
struct glink_channel *channel = container_of(ref, struct glink_channel,
refcount);
+ struct glink_core_rx_intent *tmp;
unsigned long flags;
+ int iid;
spin_lock_irqsave(&channel->intent_lock, flags);
+ idr_for_each_entry(&channel->liids, tmp, iid) {
+ kfree(tmp->data);
+ kfree(tmp);
+ }
idr_destroy(&channel->liids);
+
+ idr_for_each_entry(&channel->riids, tmp, iid)
+ kfree(tmp);
idr_destroy(&channel->riids);
spin_unlock_irqrestore(&channel->intent_lock, flags);
--
2.18.0
From: Chris Lew <[email protected]>
The device release function is set before registering with rpmsg. If
rpmsg registration fails, the framework will call device_put(), which
invokes the release function. The channel create logic does not need to
free rpdev if rpmsg_register_device() fails and release is called.
Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: [email protected]
Tested-by: Srinivas Kandagatla <[email protected]>
Signed-off-by: Chris Lew <[email protected]>
Signed-off-by: Bjorn Andersson <[email protected]>
---
Changes since v1:
- None
drivers/rpmsg/qcom_glink_native.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 21fd2ae5f7f1..89e02baea2d0 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1423,15 +1423,13 @@ static int qcom_glink_rx_open(struct qcom_glink *glink, unsigned int rcid,
ret = rpmsg_register_device(rpdev);
if (ret)
- goto free_rpdev;
+ goto rcid_remove;
channel->rpdev = rpdev;
}
return 0;
-free_rpdev:
- kfree(rpdev);
rcid_remove:
spin_lock_irqsave(&glink->idr_lock, flags);
idr_remove(&glink->rcids, channel->rcid);
--
2.18.0
From: Arun Kumar Neelakantam <[email protected]>
Extra channel reference put when remote sending OPEN_ACK after timeout
causes use-after-free while handling next remote CLOSE command.
Remove extra reference put in timeout case to avoid use-after-free.
Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: [email protected]
Tested-by: Srinivas Kandagatla <[email protected]>
Signed-off-by: Arun Kumar Neelakantam <[email protected]>
Signed-off-by: Bjorn Andersson <[email protected]>
---
Changes since v1:
- None
drivers/rpmsg/qcom_glink_native.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 9355ce26fd98..72ed671f5dcd 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1103,13 +1103,12 @@ static int qcom_glink_create_remote(struct qcom_glink *glink,
close_link:
/*
* Send a close request to "undo" our open-ack. The close-ack will
- * release the last reference.
+ * release qcom_glink_send_open_req() reference and the last reference
+ * will be relesed after receiving remote_close or transport unregister
+ * by calling qcom_glink_native_remove().
*/
qcom_glink_send_close_req(glink, channel);
- /* Release qcom_glink_send_open_req() reference */
- kref_put(&channel->refcount, qcom_glink_channel_release);
-
return ret;
}
--
2.18.0
From: Chris Lew <[email protected]>
In a remote processor crash scenario, there is no guarantee the remote
processor sent close requests before it went into a bad state. Remove
the reference that is normally handled by the close command in the
so channel resources can be released.
Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: [email protected]
Tested-by: Srinivas Kandagatla <[email protected]>
Signed-off-by: Chris Lew <[email protected]>
Reported-by: Srinivas Kandagatla <[email protected]>
Signed-off-by: Bjorn Andersson <[email protected]>
---
Changes since v1:
- None
drivers/rpmsg/qcom_glink_native.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 72ed671f5dcd..21fd2ae5f7f1 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1641,6 +1641,10 @@ void qcom_glink_native_remove(struct qcom_glink *glink)
idr_for_each_entry(&glink->lcids, channel, cid)
kref_put(&channel->refcount, qcom_glink_channel_release);
+ /* Release any defunct local channels, waiting for close-req */
+ idr_for_each_entry(&glink->rcids, channel, cid)
+ kref_put(&channel->refcount, qcom_glink_channel_release);
+
idr_destroy(&glink->lcids);
idr_destroy(&glink->rcids);
spin_unlock_irqrestore(&glink->idr_lock, flags);
--
2.18.0
On 10/4/2019 3:26 PM, Bjorn Andersson wrote:
> From: Arun Kumar Neelakantam <[email protected]>
>
> Memory allocated for re-usable intents are not freed during channel
> cleanup which causes memory leak in system.
>
> Check and free all re-usable memory to avoid memory leak.
>
> Fixes: 933b45da5d1d ("rpmsg: glink: Add support for TX intents")
> Cc: [email protected]
> Tested-by: Srinivas Kandagatla <[email protected]>
> Signed-off-by: Arun Kumar Neelakantam <[email protected]>
> Reported-by: Srinivas Kandagatla <[email protected]>
> Signed-off-by: Bjorn Andersson <[email protected]>
> ---
Acked-By: Chris Lew <[email protected]>
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
On 10/4/2019 3:26 PM, Bjorn Andersson wrote:
> From: Arun Kumar Neelakantam <[email protected]>
>
> Extra channel reference put when remote sending OPEN_ACK after timeout
> causes use-after-free while handling next remote CLOSE command.
>
> Remove extra reference put in timeout case to avoid use-after-free.
>
> Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
> Cc: [email protected]
> Tested-by: Srinivas Kandagatla <[email protected]>
> Signed-off-by: Arun Kumar Neelakantam <[email protected]>
> Signed-off-by: Bjorn Andersson <[email protected]>
> ---
Acked-By: Chris Lew <[email protected]>
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project