linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/6] rpmsg: glink stability fixes
@ 2019-09-18 17:19 Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 1/6] rpmsg: glink: Fix reuse intents memory leak issue Bjorn Andersson
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Bjorn Andersson @ 2019-09-18 17:19 UTC (permalink / raw)
  To: Ohad Ben-Cohen, Bjorn Andersson, Srinivas Kandagatla, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel

Fixes for issues found in GLINK during reboot testing of a remoteproc.

Arun Kumar Neelakantam (2):
  rpmsg: glink: Fix reuse intents memory leak issue
  rpmsg: glink: Fix use after free in open_ack TIMEOUT case

Bjorn Andersson (2):
  rpmsg: glink: Don't send pending rx_done during remove
  rpmsg: glink: Free pending deferred work on remove

Chris Lew (2):
  rpmsg: glink: Put an extra reference during cleanup
  rpmsg: glink: Fix rpmsg_register_device err handling

 drivers/rpmsg/qcom_glink_native.c | 50 ++++++++++++++++++++++++++-----
 1 file changed, 42 insertions(+), 8 deletions(-)

-- 
2.18.0


^ permalink raw reply	[flat|nested] 8+ messages in thread
* [PATCH 1/6] rpmsg: glink: Fix reuse intents memory leak issue
  2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
@ 2019-09-18 17:19 ` Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 2/6] rpmsg: glink: Fix use after free in open_ack TIMEOUT case Bjorn Andersson
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Bjorn Andersson @ 2019-09-18 17:19 UTC (permalink / raw)
  To: Ohad Ben-Cohen, Bjorn Andersson, Srinivas Kandagatla, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel, stable

From: Arun Kumar Neelakantam <aneela@codeaurora.org>

Memory allocated for re-usable intents are not freed during channel
cleanup which causes memory leak in system.

Check and free all re-usable memory to avoid memory leak.

Fixes: 933b45da5d1d ("rpmsg: glink: Add support for TX intents")
Cc: stable@vger.kernel.org
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Reported-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/rpmsg/qcom_glink_native.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 621f1afd4d6b..9355ce26fd98 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -241,10 +241,19 @@ static void qcom_glink_channel_release(struct kref *ref)
 {
 	struct glink_channel *channel = container_of(ref, struct glink_channel,
 						     refcount);
+	struct glink_core_rx_intent *tmp;
 	unsigned long flags;
+	int iid;
 
 	spin_lock_irqsave(&channel->intent_lock, flags);
+	idr_for_each_entry(&channel->liids, tmp, iid) {
+		kfree(tmp->data);
+		kfree(tmp);
+	}
 	idr_destroy(&channel->liids);
+
+	idr_for_each_entry(&channel->riids, tmp, iid)
+		kfree(tmp);
 	idr_destroy(&channel->riids);
 	spin_unlock_irqrestore(&channel->intent_lock, flags);
 
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* [PATCH 2/6] rpmsg: glink: Fix use after free in open_ack TIMEOUT case
  2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 1/6] rpmsg: glink: Fix reuse intents memory leak issue Bjorn Andersson
@ 2019-09-18 17:19 ` Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 3/6] rpmsg: glink: Put an extra reference during cleanup Bjorn Andersson
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Bjorn Andersson @ 2019-09-18 17:19 UTC (permalink / raw)
  To: Ohad Ben-Cohen, Bjorn Andersson, Srinivas Kandagatla, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel, stable

From: Arun Kumar Neelakantam <aneela@codeaurora.org>

Extra channel reference put when remote sending OPEN_ACK after timeout
causes use-after-free while handling next remote CLOSE command.

Remove extra reference put in timeout case to avoid use-after-free.

Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: stable@vger.kernel.org
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/rpmsg/qcom_glink_native.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 9355ce26fd98..72ed671f5dcd 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1103,13 +1103,12 @@ static int qcom_glink_create_remote(struct qcom_glink *glink,
 close_link:
 	/*
 	 * Send a close request to "undo" our open-ack. The close-ack will
-	 * release the last reference.
+	 * release qcom_glink_send_open_req() reference and the last reference
+	 * will be relesed after receiving remote_close or transport unregister
+	 * by calling qcom_glink_native_remove().
 	 */
 	qcom_glink_send_close_req(glink, channel);
 
-	/* Release qcom_glink_send_open_req() reference */
-	kref_put(&channel->refcount, qcom_glink_channel_release);
-
 	return ret;
 }
 
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* [PATCH 3/6] rpmsg: glink: Put an extra reference during cleanup
  2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 1/6] rpmsg: glink: Fix reuse intents memory leak issue Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 2/6] rpmsg: glink: Fix use after free in open_ack TIMEOUT case Bjorn Andersson
@ 2019-09-18 17:19 ` Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 4/6] rpmsg: glink: Fix rpmsg_register_device err handling Bjorn Andersson
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Bjorn Andersson @ 2019-09-18 17:19 UTC (permalink / raw)
  To: Ohad Ben-Cohen, Bjorn Andersson, Srinivas Kandagatla, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel, stable

From: Chris Lew <clew@codeaurora.org>

In a remote processor crash scenario, there is no guarantee the remote
processor sent close requests before it went into a bad state. Remove
the reference that is normally handled by the close command in the
so channel resources can be released.

Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: stable@vger.kernel.org
Signed-off-by: Chris Lew <clew@codeaurora.org>
Reported-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/rpmsg/qcom_glink_native.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 72ed671f5dcd..21fd2ae5f7f1 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1641,6 +1641,10 @@ void qcom_glink_native_remove(struct qcom_glink *glink)
 	idr_for_each_entry(&glink->lcids, channel, cid)
 		kref_put(&channel->refcount, qcom_glink_channel_release);
 
+	/* Release any defunct local channels, waiting for close-req */
+	idr_for_each_entry(&glink->rcids, channel, cid)
+		kref_put(&channel->refcount, qcom_glink_channel_release);
+
 	idr_destroy(&glink->lcids);
 	idr_destroy(&glink->rcids);
 	spin_unlock_irqrestore(&glink->idr_lock, flags);
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* [PATCH 4/6] rpmsg: glink: Fix rpmsg_register_device err handling
  2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
                   ` (2 preceding siblings ...)
  2019-09-18 17:19 ` [PATCH 3/6] rpmsg: glink: Put an extra reference during cleanup Bjorn Andersson
@ 2019-09-18 17:19 ` Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 5/6] rpmsg: glink: Don't send pending rx_done during remove Bjorn Andersson
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Bjorn Andersson @ 2019-09-18 17:19 UTC (permalink / raw)
  To: Ohad Ben-Cohen, Bjorn Andersson, Srinivas Kandagatla, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel, stable

From: Chris Lew <clew@codeaurora.org>

The device release function is set before registering with rpmsg. If
rpmsg registration fails, the framework will call device_put(), which
invokes the release function. The channel create logic does not need to
free rpdev if rpmsg_register_device() fails and release is called.

Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: stable@vger.kernel.org
Signed-off-by: Chris Lew <clew@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/rpmsg/qcom_glink_native.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 21fd2ae5f7f1..89e02baea2d0 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1423,15 +1423,13 @@ static int qcom_glink_rx_open(struct qcom_glink *glink, unsigned int rcid,
 
 		ret = rpmsg_register_device(rpdev);
 		if (ret)
-			goto free_rpdev;
+			goto rcid_remove;
 
 		channel->rpdev = rpdev;
 	}
 
 	return 0;
 
-free_rpdev:
-	kfree(rpdev);
 rcid_remove:
 	spin_lock_irqsave(&glink->idr_lock, flags);
 	idr_remove(&glink->rcids, channel->rcid);
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* [PATCH 5/6] rpmsg: glink: Don't send pending rx_done during remove
  2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
                   ` (3 preceding siblings ...)
  2019-09-18 17:19 ` [PATCH 4/6] rpmsg: glink: Fix rpmsg_register_device err handling Bjorn Andersson
@ 2019-09-18 17:19 ` Bjorn Andersson
  2019-09-18 17:19 ` [PATCH 6/6] rpmsg: glink: Free pending deferred work on remove Bjorn Andersson
  2019-09-19 16:50 ` [PATCH 0/6] rpmsg: glink stability fixes Srinivas Kandagatla
  6 siblings, 0 replies; 8+ messages in thread
From: Bjorn Andersson @ 2019-09-18 17:19 UTC (permalink / raw)
  To: Ohad Ben-Cohen, Bjorn Andersson, Srinivas Kandagatla, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel, stable

Attempting to transmit rx_done messages after the GLINK instance is
being torn down will cause use after free and memory leaks. So cancel
the intent_work and free up the pending intents.

Fixes: 1d2ea36eead9 ("rpmsg: glink: Add rx done command")
Cc: stable@vger.kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/rpmsg/qcom_glink_native.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 89e02baea2d0..0d7518a6ebf0 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -241,11 +241,23 @@ static void qcom_glink_channel_release(struct kref *ref)
 {
 	struct glink_channel *channel = container_of(ref, struct glink_channel,
 						     refcount);
+	struct glink_core_rx_intent *intent;
 	struct glink_core_rx_intent *tmp;
 	unsigned long flags;
 	int iid;
 
+	/* cancel pending rx_done work */
+	cancel_work_sync(&channel->intent_work);
+
 	spin_lock_irqsave(&channel->intent_lock, flags);
+	/* Free all non-reuse intents pending rx_done work */
+	list_for_each_entry_safe(intent, tmp, &channel->done_intents, node) {
+		if (!intent->reuse) {
+			kfree(intent->data);
+			kfree(intent);
+		}
+	}
+
 	idr_for_each_entry(&channel->liids, tmp, iid) {
 		kfree(tmp->data);
 		kfree(tmp);
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* [PATCH 6/6] rpmsg: glink: Free pending deferred work on remove
  2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
                   ` (4 preceding siblings ...)
  2019-09-18 17:19 ` [PATCH 5/6] rpmsg: glink: Don't send pending rx_done during remove Bjorn Andersson
@ 2019-09-18 17:19 ` Bjorn Andersson
  2019-09-19 16:50 ` [PATCH 0/6] rpmsg: glink stability fixes Srinivas Kandagatla
  6 siblings, 0 replies; 8+ messages in thread
From: Bjorn Andersson @ 2019-09-18 17:19 UTC (permalink / raw)
  To: Ohad Ben-Cohen, Bjorn Andersson, Srinivas Kandagatla, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel, stable

By just cancelling the deferred rx worker during GLINK instance teardown
any pending deferred commands are leaked, so free them.

Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: stable@vger.kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/rpmsg/qcom_glink_native.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 0d7518a6ebf0..5920432e697a 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1562,6 +1562,18 @@ static void qcom_glink_work(struct work_struct *work)
 	}
 }
 
+static void qcom_glink_cancel_rx_work(struct qcom_glink *glink)
+{
+	struct glink_defer_cmd *dcmd;
+	struct glink_defer_cmd *tmp;
+
+	/* cancel any pending deferred rx_work */
+	cancel_work_sync(&glink->rx_work);
+
+	list_for_each_entry_safe(dcmd, tmp, &glink->rx_queue, node)
+		kfree(dcmd);
+}
+
 struct qcom_glink *qcom_glink_native_probe(struct device *dev,
 					   unsigned long features,
 					   struct qcom_glink_pipe *rx,
@@ -1640,7 +1652,7 @@ void qcom_glink_native_remove(struct qcom_glink *glink)
 	unsigned long flags;
 
 	disable_irq(glink->irq);
-	cancel_work_sync(&glink->rx_work);
+	qcom_glink_cancel_rx_work(glink);
 
 	ret = device_for_each_child(glink->dev, NULL, qcom_glink_remove_device);
 	if (ret)
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* Re: [PATCH 0/6] rpmsg: glink stability fixes
  2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
                   ` (5 preceding siblings ...)
  2019-09-18 17:19 ` [PATCH 6/6] rpmsg: glink: Free pending deferred work on remove Bjorn Andersson
@ 2019-09-19 16:50 ` Srinivas Kandagatla
  6 siblings, 0 replies; 8+ messages in thread
From: Srinivas Kandagatla @ 2019-09-19 16:50 UTC (permalink / raw)
  To: Bjorn Andersson, Ohad Ben-Cohen, Jorge Ramirez
  Cc: linux-arm-msm, linux-remoteproc, linux-kernel



On 18/09/2019 18:19, Bjorn Andersson wrote:
> Fixes for issues found in GLINK during reboot testing of a remoteproc.
> 
> Arun Kumar Neelakantam (2):
>    rpmsg: glink: Fix reuse intents memory leak issue
>    rpmsg: glink: Fix use after free in open_ack TIMEOUT case
> 
> Bjorn Andersson (2):
>    rpmsg: glink: Don't send pending rx_done during remove
>    rpmsg: glink: Free pending deferred work on remove
> 
> Chris Lew (2):
>    rpmsg: glink: Put an extra reference during cleanup
>    rpmsg: glink: Fix rpmsg_register_device err handling
> 
>   drivers/rpmsg/qcom_glink_native.c | 50 ++++++++++++++++++++++++++-----
>   1 file changed, 42 insertions(+), 8 deletions(-)
> 

Thanks for the fixes.

Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>


--srini

^ permalink raw reply	[flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-09-19 16:50 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-18 17:19 [PATCH 0/6] rpmsg: glink stability fixes Bjorn Andersson
2019-09-18 17:19 ` [PATCH 1/6] rpmsg: glink: Fix reuse intents memory leak issue Bjorn Andersson
2019-09-18 17:19 ` [PATCH 2/6] rpmsg: glink: Fix use after free in open_ack TIMEOUT case Bjorn Andersson
2019-09-18 17:19 ` [PATCH 3/6] rpmsg: glink: Put an extra reference during cleanup Bjorn Andersson
2019-09-18 17:19 ` [PATCH 4/6] rpmsg: glink: Fix rpmsg_register_device err handling Bjorn Andersson
2019-09-18 17:19 ` [PATCH 5/6] rpmsg: glink: Don't send pending rx_done during remove Bjorn Andersson
2019-09-18 17:19 ` [PATCH 6/6] rpmsg: glink: Free pending deferred work on remove Bjorn Andersson
2019-09-19 16:50 ` [PATCH 0/6] rpmsg: glink stability fixes Srinivas Kandagatla

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).