summaryrefslogtreecommitdiffstats
path: root/drivers/rpmsg (follow)
Commit message (Collapse)AuthorAgeFilesLines
* rpmsg: glink: Avoid -Wflex-array-member-not-at-end warningsGustavo A. R. Silva2024-09-131-19/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. So, in order to avoid ending up with a flexible-array member in the middle of multiple other structs, we use the `__struct_group()` helper to create a new tagged `struct glink_msg_hdr`. This structure groups together all the members of the flexible `struct glink_msg` except the flexible array. As a result, the array is effectively separated from the rest of the members without modifying the memory layout of the flexible structure. We then change the type of the middle struct members currently causing trouble from `struct glink_msg` to `struct glink_msg_hdr`. We also want to ensure that when new members need to be added to the flexible structure, they are always included within the newly created tagged struct. For this, we use `static_assert()`. This ensures that the memory layout for both the flexible structure and the new tagged struct is the same after any changes. This approach avoids having to implement `struct glink_msg_hdr` as a completely separate structure, thus preventing having to maintain two independent but basically identical structures, closing the door to potential bugs in the future. We also use `container_of()` whenever we need to retrieve a pointer to the flexible structure, through which we can access the flexible-array member, if necessary. Additionally, we use the `DEFINE_RAW_FLEX()` helper for an on-stack definition of a flexible structure where the size for the flexible-array member is known at compile-time. So, with these changes, fix the following warnings: drivers/rpmsg/qcom_glink_native.c:51:26: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] drivers/rpmsg/qcom_glink_native.c:459:34: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] drivers/rpmsg/qcom_glink_native.c:846:34: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] drivers/rpmsg/qcom_glink_native.c:968:34: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] drivers/rpmsg/qcom_glink_native.c:1380:34: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Kees Cook <kees@kernel.org> Link: https://lore.kernel.org/r/ZrOQa2gew5yadyt3@cute Signed-off-by: Bjorn Andersson <andersson@kernel.org>
* rpmsg: glink: Introduce packet tracepointsBjorn Andersson2024-08-133-2/+501
| | | | | | | | | | | | | | | | | | Introduce tracepoints to allow tracing the GLINK packets being exchanged with other subsystems. This is useful for debugging both interaction with remote processors and client driver issues, as well as tracking latency through the communication stack. Channel events are traced with both local and remote channel ids, as well as the textual representation when possible. The channel ids are useful when matching traces with traces from the firmware side logs, while the textual representation is necessary to identify channels when we're starting to trace an already running system. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Link: https://lore.kernel.org/r/20240805-glink-tracepoints-v1-3-a5f3293fb09e@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
* rpmsg: glink: Pass channel to qcom_glink_send_close_ack()Bjorn Andersson2024-08-131-3/+3
| | | | | | | | | | | Align the qcom_glink_send_close_ack() arguments with other functions to take the struct glink_channel, so that the upcoming tracepoint patch can access the channel attributes. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Link: https://lore.kernel.org/r/20240805-glink-tracepoints-v1-2-a5f3293fb09e@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
* rpmsg: glink: Tidy up RX advance handlingBjorn Andersson2024-08-131-7/+15
| | | | | | | | | | | | | The operation of advancing the FIFO receive pointer is sprinkled between the interrupt handler itself, and functions being called from this. Push all the RX advancement operations to the individual handlers, to unify the style across the handling of the various messages. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Link: https://lore.kernel.org/r/20240805-glink-tracepoints-v1-1-a5f3293fb09e@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
* Merge tag 'driver-core-6.11-rc1' of ↵Linus Torvalds2024-07-252-3/+3
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core updates from Greg KH: "Here is the big set of driver core changes for 6.11-rc1. Lots of stuff in here, with not a huge diffstat, but apis are evolving which required lots of files to be touched. Highlights of the changes in here are: - platform remove callback api final fixups (Uwe took many releases to get here, finally!) - Rust bindings for basic firmware apis and initial driver-core interactions. It's not all that useful for a "write a whole driver in rust" type of thing, but the firmware bindings do help out the phy rust drivers, and the driver core bindings give a solid base on which others can start their work. There is still a long way to go here before we have a multitude of rust drivers being added, but it's a great first step. - driver core const api changes. This reached across all bus types, and there are some fix-ups for some not-common bus types that linux-next and 0-day testing shook out. This work is being done to help make the rust bindings more safe, as well as the C code, moving toward the end-goal of allowing us to put driver structures into read-only memory. We aren't there yet, but are getting closer. - minor devres cleanups and fixes found by code inspection - arch_topology minor changes - other minor driver core cleanups All of these have been in linux-next for a very long time with no reported problems" * tag 'driver-core-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (55 commits) ARM: sa1100: make match function take a const pointer sysfs/cpu: Make crash_hotplug attribute world-readable dio: Have dio_bus_match() callback take a const * zorro: make match function take a const pointer driver core: module: make module_[add|remove]_driver take a const * driver core: make driver_find_device() take a const * driver core: make driver_[create|remove]_file take a const * firmware_loader: fix soundness issue in `request_internal` firmware_loader: annotate doctests as `no_run` devres: Correct code style for functions that return a pointer type devres: Initialize an uninitialized struct member devres: Fix memory leakage caused by driver API devm_free_percpu() devres: Fix devm_krealloc() wasting memory driver core: platform: Switch to use kmemdup_array() driver core: have match() callback in struct bus_type take a const * MAINTAINERS: add Rust device abstractions to DRIVER CORE device: rust: improve safety comments MAINTAINERS: add Danilo as FIRMWARE LOADER maintainer MAINTAINERS: add Rust FW abstractions to FIRMWARE LOADER firmware: rust: improve safety comments ...
| * driver core: have match() callback in struct bus_type take a const *Greg Kroah-Hartman2024-07-032-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the match() callback, the struct device_driver * should not be changed, so change the function callback to be a const *. This is one step of many towards making the driver core safe to have struct device_driver in read-only memory. Because the match() callback is in all busses, all busses are modified to handle this properly. This does entail switching some container_of() calls to container_of_const() to properly handle the constant *. For some busses, like PCI and USB and HV, the const * is cast away in the match callback as those busses do want to modify those structures at this point in time (they have a local lock in the driver structure.) That will have to be changed in the future if they wish to have their struct device * in read-only-memory. Cc: Rafael J. Wysocki <rafael@kernel.org> Reviewed-by: Alex Elder <elder@kernel.org> Acked-by: Sumit Garg <sumit.garg@linaro.org> Link: https://lore.kernel.org/r/2024070136-wrongdoer-busily-01e8@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge tag 'rpmsg-v6.11' of ↵Linus Torvalds2024-07-231-2/+3
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux Pull rpmsg updates from Bjorn Andersson: - fix interrupt handling in the stm32 remoteproc driver when being attached to an already running remote processor - fix invalid kernel-doc and add missing MODULE_DESCRIPTION() in the rpmsg char driver * tag 'rpmsg-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux: rpmsg: char: add missing MODULE_DESCRIPTION() macro remoteproc: stm32_rproc: Fix mailbox interrupts queuing rpmsg: char: Fix rpmsg_eptdev structure documentation
| * | rpmsg: char: add missing MODULE_DESCRIPTION() macroJeff Johnson2024-06-101-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | make allmodconfig && make W=1 C=1 reports: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/rpmsg/rpmsg_char.o Add the missing invocation of the MODULE_DESCRIPTION() macro. Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com> Link: https://lore.kernel.org/r/20240604-md-drivers-rpmsg_char-v1-1-675453267fc6@quicinc.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
| * | rpmsg: char: Fix rpmsg_eptdev structure documentationArnaud Pouliquen2024-05-281-2/+2
| |/ | | | | | | | | | | | | | | | | | | | | | | | | Add missing @ tags for some rpmsg_eptdev structure parameters. This fixes warning messages on build: drivers/rpmsg/rpmsg_char.c:75: warning: Function parameter or struct member 'remote_flow_restricted' not described in 'rpmsg_eptdev' drivers/rpmsg/rpmsg_char.c:75: warning: Function parameter or struct member 'remote_flow_updated' not described in 'rpmsg_eptdev' Fixes: 5550201c0fe2 ("rpmsg: char: Add RPMSG GET/SET FLOWCONTROL IOCTL support") Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Link: https://lore.kernel.org/r/20240517165654.427746-1-arnaud.pouliquen@foss.st.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* | virtio: rename virtio_find_vqs_info() to virtio_find_vqs()Jiri Pirko2024-07-171-1/+1
| | | | | | | | | | | | | | | | | | Since the original virtio_find_vqs() is no longer present, rename virtio_find_vqs_info() back to virtio_find_vqs(). Signed-off-by: Jiri Pirko <jiri@nvidia.com> Message-Id: <20240708074814.1739223-20-jiri@resnulli.us> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* | virtio: convert the rest virtio_find_vqs() users to virtio_find_vqs_info()Jiri Pirko2024-07-171-3/+5
|/ | | | | | | | | | | Instead of passing separate names and callbacks arrays to virtio_find_vqs(), have one of virtual_queue_info structs and pass it to virtio_find_vqs_info(). Suggested-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com> Signed-off-by: Jiri Pirko <jiri@nvidia.com> Message-Id: <20240708074814.1739223-18-jiri@resnulli.us> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhostLinus Torvalds2024-05-231-1/+0
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull virtio updates from Michael Tsirkin: "Several new features here: - virtio-net is finally supported in vduse - virtio (balloon and mem) interaction with suspend is improved - vhost-scsi now handles signals better/faster And fixes, cleanups all over the place" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: (48 commits) virtio-pci: Check if is_avq is NULL virtio: delete vq in vp_find_vqs_msix() when request_irq() fails MAINTAINERS: add Eugenio Pérez as reviewer vhost-vdpa: Remove usage of the deprecated ida_simple_xx() API vp_vdpa: don't allocate unused msix vectors sound: virtio: drop owner assignment fuse: virtio: drop owner assignment scsi: virtio: drop owner assignment rpmsg: virtio: drop owner assignment nvdimm: virtio_pmem: drop owner assignment wifi: mac80211_hwsim: drop owner assignment vsock/virtio: drop owner assignment net: 9p: virtio: drop owner assignment net: virtio: drop owner assignment net: caif: virtio: drop owner assignment misc: nsm: drop owner assignment iommu: virtio: drop owner assignment drm/virtio: drop owner assignment gpio: virtio: drop owner assignment firmware: arm_scmi: virtio: drop owner assignment ...
| * rpmsg: virtio: drop owner assignmentKrzysztof Kozlowski2024-05-221-1/+0
| | | | | | | | | | | | | | | | | | virtio core already sets the .owner, so driver does not need to. Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Message-Id: <20240331-module-owner-virtio-v2-22-98f04bfaf46a@linaro.org> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* | rpmsg: qcom_glink_ssr: fix module autoloadingKrzysztof Kozlowski2024-05-071-0/+1
| | | | | | | | | | | | | | | | | | | | Add MODULE_DEVICE_TABLE(), so the module could be properly autoloaded based on the alias from of_device_id table. Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org> Link: https://lore.kernel.org/r/20240410164058.233280-1-krzk@kernel.org Signed-off-by: Bjorn Andersson <andersson@kernel.org>
* | rpmsg: core: Make rpmsg_class constantRicardo B. Marliere2024-03-264-10/+12
|/ | | | | | | | | | | | | | Since commit 43a7206b0963 ("driver core: class: make class_register() take a const *"), the driver core allows for struct class to be in read-only memory, so move the rpmsg_class structure to be declared at build time placing it into read-only memory, instead of having to be dynamically allocated at boot time. Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net> Link: https://lore.kernel.org/r/20240305-class_cleanup-remoteproc-v1-1-19373374e003@marliere.net Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* rpmsg: core: Make rpmsg_bus constRicardo B. Marliere2024-02-051-1/+1
| | | | | | | | | | | | | Now that the driver core can properly handle constant struct bus_type, move the rpmsg_bus variable to be a constant structure as well, placing it into read-only memory which can not be modified at runtime. Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://lore.kernel.org/r/20240204-bus_cleanup-rpmsg-v1-1-1703508c23b7@marliere.net Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* rpmsg: Remove usage of the deprecated ida_simple_xx() APIChristophe JAILLET2024-01-232-12/+12
| | | | | | | | | | | | ida_alloc() and ida_free() should be preferred to the deprecated ida_simple_get() and ida_simple_remove(). Note that the upper limit of ida_simple_get() is exclusive, but the one of ida_alloc_max() is inclusive. So a -1 has been added when needed. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Link: https://lore.kernel.org/r/c09ee5b66d451bf97d14c167048549aa0824ee06.1705225049.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* rpmsg: virtio: Free driver_override when rpmsg_remove()Xiaolei Wang2023-12-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Free driver_override when rpmsg_remove(), otherwise the following memory leak will occur: unreferenced object 0xffff0000d55d7080 (size 128): comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s) hex dump (first 32 bytes): 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320 [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70 [<00000000228a60c3>] kstrndup+0x4c/0x90 [<0000000077158695>] driver_set_override+0xd0/0x164 [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170 [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30 [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280 [<00000000443331cc>] really_probe+0xbc/0x2dc [<00000000391064b1>] __driver_probe_device+0x78/0xe0 [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160 [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140 [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4 [<000000003b929a36>] __device_attach+0x9c/0x19c [<00000000a94e0ba8>] device_initial_probe+0x14/0x20 [<000000003c999637>] bus_probe_device+0xa0/0xac Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> Fixes: b0b03b811963 ("rpmsg: Release rpmsg devices in backends") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20231215020049.78750-1-xiaolei.wang@windriver.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* rpmsg: virtio: Replace deprecated strncpy with strscpy/_padJustin Stitt2023-10-231-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. This patch replaces 3 callsites of strncpy(). The first two populate the destination buffer `nsm.name` -- which we expect to be NUL-terminated based on their use with format strings. Firstly, as I understand it, virtio_rpmsg_announce_create() creates an rpmsg_ns_msg and sends via: virtio_rpmsg_bus.c: 336: err = rpmsg_sendto(rpdev->ept, &nsm, sizeof(nsm), RPMSG_NS_ADDR); ... which uses: virtio_rpmsg_sendto() -> rpmsg_send_offchannel_raw() ... which copies its data into an rpmsg_hdr `msg` in virtio_rpmsg_bus.c 618: memcpy(msg->data, data, len); This callback is invoked when a message is received from the remote processor: rpmsg_ns.c: 30: /* invoked when a name service announcement arrives */ 31: static int rpmsg_ns_cb(struct rpmsg_device *rpdev, void *data, int len, 32: void *priv, u32 src) 33: { 34: struct rpmsg_ns_msg *msg = data; ... 50: /* don't trust the remote processor for null terminating the name */ 51: msg->name[RPMSG_NAME_SIZE - 1] = '\0'; ... which leads into the use of `name` within a format string: rpmsg_ns.c: 57: dev_info(dev, "%sing channel %s addr 0x%x\n", 58: rpmsg32_to_cpu(rpdev, msg->flags) & RPMSG_NS_DESTROY ? 59: "destroy" : "creat", msg->name, chinfo.dst); We can also observe that `nsm` is not zero-initialized and as such we should maintain the NUL-padding behavior that strncpy() provides: virtio_rpmsg_bus.c: 330: struct rpmsg_ns_msg nsm; Considering the above, a suitable replacement is `strscpy_pad` due to the fact that it guarantees both NUL-termination and NUL-padding on the destination buffer. Now, for the third and final destination buffer rpdev->id.name we can just go for strscpy() (not _pad()) as rpdev points to &vch->rpdev: | rpdev = &vch->rpdev; ... and vch is zero-allocated: | vch = kzalloc(sizeof(*vch), GFP_KERNEL); ... this renders any additional NUL-byte assignments (like the ones strncpy() or strscpy_pad() does) redundant. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> Link: https://lore.kernel.org/r/20231023-strncpy-drivers-rpmsg-virtio_rpmsg_bus-c-v2-1-dc591c36f5ed@google.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* rpmsg: Replace deprecated strncpy with strscpy_padJustin Stitt2023-10-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. We expect chinfo.name to be NUL-terminated based on its use with format strings: | dev_err(&ctrldev->dev, "failed to create %s channel\n", chinfo.name); Since chinfo is not default initialized, we should NUL-pad the `name` field so that the behavior is consistent with what strncpy() provides: | struct rpmsg_channel_info chinfo; Considering the above, a suitable replacement is `strscpy_pad` due to the fact that it guarantees both NUL-termination and NUL-padding on the destination buffer. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> Link: https://lore.kernel.org/r/20231020-strncpy-drivers-rpmsg-rpmsg_ns-c-v1-1-99b16b00c36c@google.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* rpmsg: core: Replace deprecated strncpy with strscpyJustin Stitt2023-10-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. We expect chinfo.name to be NUL-terminated based on its usage with strncmp(): rpmsg_core.c: 389: if (strncmp(chinfo->name, rpdev->id.name, RPMSG_NAME_SIZE)) Moreover, NUL-padding is not required as chinfo has stack default initialized all fields to zero: rpmsg_core.c: 539: struct rpmsg_channel_info chinfo = {}; Considering the above, a suitable replacement is `strscpy` [2] due to the fact that it guarantees NUL-termination on the destination buffer without unnecessarily NUL-padding. Also, favor the more idiomatic strscpy() usage of: (dest, src, sizeof(dest)). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> Link: https://lore.kernel.org/r/20231020-strncpy-drivers-rpmsg-rpmsg_core-c-v1-1-a86b7930c1cf@google.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
* Merge tag 'rpmsg-v6.6' of ↵Linus Torvalds2023-09-054-6/+132
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux Pull rpmsg updates from Bjorn Andersson: "Add support for the GLINK flow control signals, and expose this to the user through the rpmsg_char interface. Add missing kstrdup() failure handling during allocation of GLINK channel objects" * tag 'rpmsg-v6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux: rpmsg: glink: Avoid dereferencing NULL channel rpmsg: glink: Add check for kstrdup rpmsg: char: Add RPMSG GET/SET FLOWCONTROL IOCTL support rpmsg: glink: Add support to handle signals command rpmsg: core: Add signal API support
| * rpmsg: glink: Avoid dereferencing NULL channelBjorn Andersson2023-07-181-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The newly introduced signal command handler checks for non-existing channel and print an error message, but then continues on to dereference that same channel. Instead abort the handler when no channel is found. Fixes: a2b73aa512a4 ("rpmsg: glink: Add support to handle signals command") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/r/202307160800.sb7gMnL6-lkp@intel.com/ Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Link: https://lore.kernel.org/r/20230717165538.1542034-1-quic_bjorande@quicinc.com Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
| * rpmsg: glink: Add check for kstrdupJiasheng Jiang2023-07-151-0/+4
| | | | | | | | | | | | | | | | | | | | Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Link: https://lore.kernel.org/r/20230619030631.12361-1-jiasheng@iscas.ac.cn Signed-off-by: Bjorn Andersson <andersson@kernel.org>
| * rpmsg: char: Add RPMSG GET/SET FLOWCONTROL IOCTL supportChris Lew2023-07-151-6/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | Add RPMSG_GET_OUTGOING_FLOWCONTROL and RPMSG_SET_INCOMING_FLOWCONTROL IOCTL support for rpmsg char device nodes to get/set the low level transport signals. Signed-off-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com> Signed-off-by: Sarannya S <quic_sarannya@quicinc.com> Acked-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Link: https://lore.kernel.org/r/1688679698-31274-4-git-send-email-quic_sarannya@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
| * rpmsg: glink: Add support to handle signals commandChris Lew2023-07-151-0/+55
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Remote peripherals send signal notifications over glink with commandID 15. Add support to send and receive the signal command and based signals enable or disable flow control with remote host. Signed-off-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com> Signed-off-by: Sarannya S <quic_sarannya@quicinc.com> Acked-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Link: https://lore.kernel.org/r/1688679698-31274-3-git-send-email-quic_sarannya@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
| * rpmsg: core: Add signal API supportDeepak Kumar Singh2023-07-152-0/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some transports like Glink support the state notifications between clients using flow control signals similar to serial protocol signals. Local glink client drivers can send and receive flow control status to glink clients running on remote processors. Add APIs to support sending and receiving of flow control status by rpmsg clients. Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com> Signed-off-by: Sarannya S <quic_sarannya@quicinc.com> Acked-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Link: https://lore.kernel.org/r/1688679698-31274-2-git-send-email-quic_sarannya@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
* | rpmsg: qcom_smd: Use qcom_smem_is_available()Stephan Gerhold2023-07-141-5/+5
|/ | | | | | | | | | | | | | | | Rather than looking up a dummy item from SMEM, use the new qcom_smem_is_available() function to make the code more clear (and reduce the overhead slightly). Add the same check to qcom_smd_register_edge() as well to ensure that it only succeeds if SMEM is already available - if a driver calls the function and SMEM is not available yet then the initial state will be read incorrectly and the RPMSG devices might never become available. Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org> Signed-off-by: Stephan Gerhold <stephan@gerhold.net> Link: https://lore.kernel.org/r/20230531-rpm-rproc-v3-8-a07dcdefd918@gerhold.net Signed-off-by: Bjorn Andersson <andersson@kernel.org>
* Merge tag 'driver-core-6.4-rc1' of ↵Linus Torvalds2023-04-271-1/+1
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core updates from Greg KH: "Here is the large set of driver core changes for 6.4-rc1. Once again, a busy development cycle, with lots of changes happening in the driver core in the quest to be able to move "struct bus" and "struct class" into read-only memory, a task now complete with these changes. This will make the future rust interactions with the driver core more "provably correct" as well as providing more obvious lifetime rules for all busses and classes in the kernel. The changes required for this did touch many individual classes and busses as many callbacks were changed to take const * parameters instead. All of these changes have been submitted to the various subsystem maintainers, giving them plenty of time to review, and most of them actually did so. Other than those changes, included in here are a small set of other things: - kobject logging improvements - cacheinfo improvements and updates - obligatory fw_devlink updates and fixes - documentation updates - device property cleanups and const * changes - firwmare loader dependency fixes. All of these have been in linux-next for a while with no reported problems" * tag 'driver-core-6.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (120 commits) device property: make device_property functions take const device * driver core: update comments in device_rename() driver core: Don't require dynamic_debug for initcall_debug probe timing firmware_loader: rework crypto dependencies firmware_loader: Strip off \n from customized path zram: fix up permission for the hot_add sysfs file cacheinfo: Add use_arch[|_cache]_info field/function arch_topology: Remove early cacheinfo error message if -ENOENT cacheinfo: Check cache properties are present in DT cacheinfo: Check sib_leaf in cache_leaves_are_shared() cacheinfo: Allow early level detection when DT/ACPI info is missing/broken cacheinfo: Add arm64 early level initializer implementation cacheinfo: Add arch specific early level initializer tty: make tty_class a static const structure driver core: class: remove struct class_interface * from callbacks driver core: class: mark the struct class in struct class_interface constant driver core: class: make class_register() take a const * driver core: class: mark class_release() as taking a const * driver core: remove incorrect comment for device_create* MIPS: vpe-cmp: remove module owner pointer from struct class usage. ...
| * driver core: class: remove module * from class_create()Greg Kroah-Hartman2023-03-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | The module pointer in class_create() never actually did anything, and it shouldn't have been requred to be set as a parameter even if it did something. So just remove it and fix up all callers of the function in the kernel tree at the same time. Cc: "Rafael J. Wysocki" <rafael@kernel.org> Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Link: https://lore.kernel.org/r/20230313181843.1207845-4-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | rpmsg: glink: Consolidate TX_DATA and TX_DATA_CONTBjorn Andersson2023-04-191-33/+13
| | | | | | | | | | | | | | | | | | | | | | Rather than duplicating most of the code for constructing the initial TX_DATA and subsequent TX_DATA_CONT packets, roll them into a single loop. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230418163018.785524-3-quic_bjorande@quicinc.com
* | rpmsg: glink: Propagate TX failures in intentless mode as wellBjorn Andersson2023-04-191-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As support for splitting transmission over several messages using TX_DATA_CONT was introduced it does not immediately return the return value of qcom_glink_tx(). The result is that in the intentless case (i.e. intent == NULL), the code will continue to send all additional chunks. This is wasteful, and it's possible that the send operation could incorrectly indicate success, if the last chunk fits in the TX fifo. Fix the condition. Fixes: 8956927faed3 ("rpmsg: glink: Add TX_DATA_CONT command while sending") Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230418163018.785524-2-quic_bjorande@quicinc.com
* | rpmsg: glink: Wait for intent, not just request ackBjorn Andersson2023-04-191-3/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In some implementations of the remote firmware, an intent request acknowledgment is sent when it's determined if the intent allocation will be fulfilled, but then the intent is queued after the acknowledgment. The result is that upon receiving a granted allocation request, the search for the newly allocated intent will fail and an additional request will be made. This will at best waste memory, but if the second request is rejected the transaction will be incorrectly rejected. Take the incoming intent into account in the wait to mitigate this problem. The above scenario can still happen, in the case that, on that same channel, an unrelated intent is delivered prior to the request acknowledgment and a separate process enters the send path and picks up the intent. Given that there's no relationship between the acknowledgment and the delivered (or to be delivered intent), there doesn't seem to be a solution to this problem. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> [bjorn: Fixed spelling issues pointed out by checkpatch in commit message] Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230327144617.3134175-3-quic_bjorande@quicinc.com
* | rpmsg: glink: Transition intent request signaling to wait queueBjorn Andersson2023-04-191-9/+12
| | | | | | | | | | | | | | | | | | | | | | Transition the intent request acknowledgement to use a wait queue so that it's possible, in the next commit, to extend the wait to also wait for an incoming intent. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230327144617.3134175-2-quic_bjorande@quicinc.com
* | rpmsg: qcom_smd: Convert to platform remove callback returning voidUwe Kleine-König2023-04-061-9/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The .remove() callback for a platform driver returns an int which makes many driver authors wrongly assume it's possible to do error handling by returning an error code. However the value returned is (mostly) ignored and this typically results in resource leaks. To improve here there is a quest to make the remove callback return void. In the first step of this quest all drivers are converted to .remove_new() which already returns void. qcom_smd_remove() always returned zero, though that isn't completely trivial to see. So explain that in a comment and convert to .remove_new(). Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230321154039.355098-4-u.kleine-koenig@pengutronix.de
* | rpmsg: qcom_glink_rpm: Convert to platform remove callback returning voidUwe Kleine-König2023-04-061-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The .remove() callback for a platform driver returns an int which makes many driver authors wrongly assume it's possible to do error handling by returning an error code. However the value returned is (mostly) ignored and this typically results in resource leaks. To improve here there is a quest to make the remove callback return void. In the first step of this quest all drivers are converted to .remove_new() which already returns void. Trivially convert this driver from always returning zero in the remove callback to the void returning variant. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230321154039.355098-3-u.kleine-koenig@pengutronix.de
* | rpmsg: qcom_smd: Make qcom_smd_unregister_edge() return voidUwe Kleine-König2023-04-061-4/+4
|/ | | | | | | | | | | | | This function returned zero unconditionally. Convert it to return no value instead. This makes it more obvious what happens in the callers. One caller is converted to return zero explicitly. The only other caller (smd_subdev_stop() in drivers/remoteproc/qcom_common.c) already ignored the return value before. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230321154039.355098-2-u.kleine-koenig@pengutronix.de
* Merge tag 'rpmsg-v6.3' of ↵Linus Torvalds2023-02-267-145/+281
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux Pull rpmsg updates from Bjorn Andersson: - rpmsg ctrl and char driver locking is ensure ordering in cases where the communication link is being torn down in parallel with calls to open(2) or poll(2) - The glink driver is refactored, to move rpm/smem-specifics out of the common logic and better suite further improvements, such as transports without a mailbox controller. The handling of remoteproc shutdown is improved, to fail clients immediately instead of having them to wait for timeouts. A driver_override memory leak is corrected and a few spelling improvements are introduced - glink_ssr is transitioned off strlcpy() and "gpr" is added as a valid child node of the glink-edge DT binding * tag 'rpmsg-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux: rpmsg: glink: Release driver_override rpmsg: glink: Avoid infinite loop on intent for missing channel rpmsg: glink: Fix GLINK command prefix rpmsg: glink: Fix spelling of peek rpmsg: glink: Cancel pending intent requests at removal rpmsg: glink: Fail qcom_glink_tx() once remove has been initiated rpmsg: glink: Move irq and mbox handling to transports rpmsg: glink: rpm: Wrap driver context rpmsg: glink: smem: Wrap driver context rpmsg: glink: Extract tx kick operation rpmsg: glink: Include types in qcom_glink_native.h rpmsg: ctrl: Add lock to rpmsg_ctrldev_remove rpmsg: char: Add lock to avoid race when rpmsg device is released rpmsg: move from strlcpy with unused retval to strscpy dt-bindings: remoteproc: qcom,glink-edge: add GPR node
| * rpmsg: glink: Release driver_overrideBjorn Andersson2023-02-151-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Upon termination of the rpmsg_device, driver_override needs to be freed to avoid leaking the potentially assigned string. Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override") Fixes: 39e47767ec9b ("rpmsg: Add driver_override device attribute for rpmsg_device") Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230109223931.1706429-1-quic_bjorande@quicinc.com
| * rpmsg: glink: Avoid infinite loop on intent for missing channelBjorn Andersson2023-02-151-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | In the event that an intent advertisement arrives on an unknown channel the fifo is not advanced, resulting in the same message being handled over and over. Fixes: dacbb35e930f ("rpmsg: glink: Receive and store the remote intent buffers") Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230214234231.2069751-1-quic_bjorande@quicinc.com
| * rpmsg: glink: Fix GLINK command prefixBjorn Andersson2023-02-151-49/+49
| | | | | | | | | | | | | | | | | | | | | | | | | | The upstream GLINK driver was first introduced to communicate with the RPM on MSM8996, presumably as an artifact from that era the command defines was prefixed RPM_CMD, while they actually are GLINK_CMDs. Let's rename these, to keep things tidy. No functional change. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230214225933.2025595-1-quic_bjorande@quicinc.com
| * rpmsg: glink: Fix spelling of peekBjorn Andersson2023-02-154-12/+12
| | | | | | | | | | | | | | | | | | | | The code is peeking into the buffers, not peaking. Fix this throughout the glink drivers. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230214224746.1996130-1-quic_bjorande@quicinc.com
| * rpmsg: glink: Cancel pending intent requests at removalBjorn Andersson2023-02-141-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During removal of the glink edge interrupts are disabled and no more incoming messages are being serviced. In addition to the remote endpoint being defunct that means that any outstanding requests for intents will not be serviced, and qcom_glink_request_intent() will blindly wait for up to 10 seconds. Mark the intent request as not granted and complete the intent request completion to fail the waiting client immediately. Once the current intent request is failed, any potential clients waiting for the intent request mutex will not enter the same wait, as the qcom_glink_tx() call will fail fast. Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230213155215.1237059-7-quic_bjorande@quicinc.com
| * rpmsg: glink: Fail qcom_glink_tx() once remove has been initiatedBjorn Andersson2023-02-141-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upon removing the glink edge, communication is at best one-way. This means that the very common scenario of glink requesting intents will not be possible to serve. Typically a successful transmission results in the client waiting for a response, with some timeout and a mechanism for aborting that timeout. Because of this, once the glink edge is defunct once removal is commenced it's better to fail transmissions fast. Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230213155215.1237059-6-quic_bjorande@quicinc.com
| * rpmsg: glink: Move irq and mbox handling to transportsBjorn Andersson2023-02-144-49/+107
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Not all GLINK transports uses an interrupt and a mailbox instance. The interrupt for RPM needs to be IRQF_NOSUSPEND, while it seems reasonable for the SMEM interrupt to use irq_set_wake. The glink struct device is constructed in the SMEM and RPM drivers but torn down in the core driver. Move the interrupt and kick handling into the SMEM and RPM driver, to improve this and facilitate further improvements. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230213155215.1237059-5-quic_bjorande@quicinc.com
| * rpmsg: glink: rpm: Wrap driver contextBjorn Andersson2023-02-141-18/+26
| | | | | | | | | | | | | | | | | | | | | | As with the SMEM driver update, wrap the RPM context in a struct to facilitate the upcoming changes of moving IRQ and mailbox registration to the driver. Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230213155215.1237059-4-quic_bjorande@quicinc.com
| * rpmsg: glink: smem: Wrap driver contextBjorn Andersson2023-02-141-11/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Glink SMEM driver allocates a struct device and hangs two devres-allocated pipe objects thereon. To facilitate the move of interrupt and mailbox handling to the driver, introduce a wrapper object capturing the device, glink reference and remote processor id. The type of the remoteproc reference is updated, as these are specifically targeting the SMEM implementation. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230213155215.1237059-3-quic_bjorande@quicinc.com
| * rpmsg: glink: Extract tx kick operationBjorn Andersson2023-02-141-8/+9
| | | | | | | | | | | | | | | | | | | | Refactor out the tx kick operations to its own function, in preparation for pushing the details to the individual transports. Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230213155215.1237059-2-quic_bjorande@quicinc.com
| * rpmsg: glink: Include types in qcom_glink_native.hBjorn Andersson2023-01-181-0/+3
| | | | | | | | | | | | | | | | | | | | Ensure that the used data types are available in qcom_glink_native.h, to silence LSP warnings. Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Chris Lew <quic_clew@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/20230109223745.1706152-1-quic_bjorande@quicinc.com
| * rpmsg: ctrl: Add lock to rpmsg_ctrldev_removeDeepak Kumar Singh2022-12-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Call to rpmsg_ctrldev_ioctl() and rpmsg_ctrldev_remove() must be synchronized. In present code rpmsg_ctrldev_remove() is not protected with lock, therefore new char device creation can succeed through rpmsg_ctrldev_ioctl() call. At the same time call to rpmsg_ctrldev_remove() function for ctrl device removal will free associated rpdev device. As char device creation already succeeded, user space is free to issue open() call which maps to rpmsg_create_ept() in kernel. rpmsg_create_ept() function tries to reference rpdev which has already been freed through rpmsg_ctrldev_remove(). Issue is predominantly seen in aggressive reboot tests where rpmsg_ctrldev_ioctl() and rpmsg_ctrldev_remove() can race with each other. Adding lock in rpmsg_ctrldev_remove() avoids any new char device creation through rpmsg_ctrldev_ioctl() while remove call is already in progress. Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com> Signed-off-by: Bjorn Andersson <andersson@kernel.org> Link: https://lore.kernel.org/r/1663584840-15762-3-git-send-email-quic_deesin@quicinc.com