From: sashiko-bot@kernel.org
To: "Vinayak Katoch" <vinayak.katoch@oss.qualcomm.com>
Cc: dri-devel@lists.freedesktop.org, conor+dt@kernel.org,
devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v2 2/2] misc: fastrpc: create duplicate sessions after all CB probing
Date: Wed, 08 Jul 2026 04:13:12 +0000 [thread overview]
Message-ID: <20260708041312.ACF681F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708-dup-sessions-v2-2-da40f9c98a2b@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] Concurrent `open()` calls during the unprotected gap after child probing permanently leak duplicated sessions.
Pre-existing issues:
- [Critical] The misc device is exposed to userspace before crucial synchronization primitives and lists are initialized, leading to uninitialized spinlock usage and NULL pointer dereferences.
- [High] Missing `of_platform_depopulate()` on the `of_platform_populate()` error path causes dangling child devices with freed drvdata.
- [High] On the error path of `fastrpc_rpmsg_probe()`, `kfree(data)` unconditionally frees memory while a userspace file descriptor may hold a reference.
--
--- Patch [2]: [PATCH v2 2/2] misc: fastrpc: create duplicate sessions after all CB probing ---
commit 56303754fdfc0beae4b68e60fa9dc54ca7e73396
Author: Vinayak Katoch <vinayak.katoch@oss.qualcomm.com>
misc: fastrpc: create duplicate sessions after all CB probing
Instead of duplicating sessions inline during fastrpc_cb_probe() using
the qcom,nsessions DT property, defer duplication until after
of_platform_populate() returns in fastrpc_rpmsg_probe(), at which point
all compute-CB child nodes have been probed and the session array is
fully populated.
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
[ ... ]
> @@ -2352,6 +2352,6 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *rpdev)
[ ... ]
> switch (domain_id) {
> case ADSP_DOMAIN_ID:
> case MDSP_DOMAIN_ID:
> case SDSP_DOMAIN_ID:
> /* Unsigned PD offloading is only supported on CDSP and GDSP */
> data->unsigned_support = false;
> err = fastrpc_device_register(rdev, data, secure_dsp, domain);
[Severity: Critical]
This isn't a bug introduced by this patch, but does registering the misc
device here expose it to userspace before crucial synchronization primitives
are initialized?
A concurrent userspace process could immediately call open(), which would
attempt to use data->refcount and data->lock before they are initialized
further down in this function.
> if (err)
> goto err_free_data;
> break;
[ ... ]
> spin_lock_init(&data->lock);
> idr_init(&data->ctx_idr);
> data->domain_id = domain_id;
> data->rpdev = rpdev;
> dev_set_drvdata(&rpdev->dev, data);
>
> err = of_platform_populate(rdev->of_node, NULL, NULL, rdev);
> if (err)
> goto err_deregister_fdev;
[Severity: High]
This is a pre-existing issue, but if of_platform_populate() fails halfway
through, does the error path miss a call to of_platform_depopulate()?
Since the channel context data is freed on the error path, this could leave
dangling child devices that might dereference freed drvdata when they are
later unbound.
> + if (data->domain_id == ADSP_DOMAIN_ID && data->sesscount > 0) {
> + struct fastrpc_session_ctx *last_sess;
> + struct fastrpc_session_ctx *dup_sess;
> + unsigned long flags;
> +
> + spin_lock_irqsave(&data->lock, flags);
> + last_sess = &data->session[data->sesscount - 1];
> + for (i = 0; i < FASTRPC_DUP_SESSIONS; i++) {
> + if (data->sesscount >= FASTRPC_MAX_SESSIONS)
> + break;
> + dup_sess = &data->session[data->sesscount++];
> + memcpy(dup_sess, last_sess, sizeof(*dup_sess));
[Severity: High]
Can this loop permanently leak session capacity if userspace calls open()
concurrently?
Since the lock is dropped in fastrpc_cb_probe() long before we get here,
could a concurrent open() claim last_sess and set its used flag to true?
If so, this memcpy() would blindly duplicate the used=true state into all
new sessions, making them permanently unavailable to subsequent users.
> + }
> + spin_unlock_irqrestore(&data->lock, flags);
> + }
> +
> return 0;
>
> err_deregister_fdev:
> if (data->fdevice)
> misc_deregister(&data->fdevice->miscdev);
> if (data->secure_fdevice)
> misc_deregister(&data->secure_fdevice->miscdev);
>
> err_free_data:
> kfree(data);
[Severity: High]
This is a pre-existing issue, but does calling kfree(data) here
unconditionally cause a use-after-free if userspace has already opened
the misc device?
Because the misc device is registered earlier in this function, a userspace
process might already hold an open file descriptor. If we free the channel
context here upon a probe failure, any subsequent ioctls or close
operations by that process will access freed memory.
> return err;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260708-dup-sessions-v2-0-da40f9c98a2b@oss.qualcomm.com?part=2
next prev parent reply other threads:[~2026-07-08 4:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 3:58 [PATCH v2 0/2] misc: fastrpc: move ADSP duplicate session creation to the driver Vinayak Katoch
2026-07-08 3:58 ` [PATCH v2 1/2] dt-bindings: misc: qcom,fastrpc: deprecate qcom,nsessions Vinayak Katoch
2026-07-08 7:11 ` Krzysztof Kozlowski
2026-07-08 3:58 ` [PATCH v2 2/2] misc: fastrpc: create duplicate sessions after all CB probing Vinayak Katoch
2026-07-08 4:13 ` sashiko-bot [this message]
2026-07-08 6:11 ` Dmitry Baryshkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708041312.ACF681F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vinayak.katoch@oss.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.