[PATCH] remoteproc: imx_rproc: Not report loaded resource table when none

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] remoteproc: imx_rproc: Not report loaded resource table when none
@ 2026-01-22  3:24 Peng Fan (OSS)
  2026-01-22 15:00 ` Frank Li
  2026-01-26 16:49 ` Mathieu Poirier
  0 siblings, 2 replies; 3+ messages in thread
From: Peng Fan (OSS) @ 2026-01-22  3:24 UTC (permalink / raw)
  To: Bjorn Andersson, Mathieu Poirier, Shawn Guo, Sascha Hauer,
	Pengutronix Kernel Team, Fabio Estevam, Iuliana Prodan,
	Daniel Baluta, Frank Li
  Cc: linux-remoteproc, imx, linux-arm-kernel, linux-kernel, Peng Fan,
	stable

From: Peng Fan <peng.fan@nxp.com>

When starting a firmware without a resource table after previously running
one that had a resource table, imx_rproc_elf_find_loaded_rsc_table() may
incorrectly return a valid device memory pointer (priv->rsc_table).

In this case rproc->cached_table is NULL because the current firmware does
not contain a resource table, but the remoteproc core still interprets the
non-NULL return value as a loaded resource table and attempts to memcpy()
from rproc->cached_table, leading to a NULL pointer dereference and kernel
panic.

Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when
there is no cached resource table for the current firmware. This ensures
that a loaded resource table is only reported when a valid cached_table
exists, which matches the remoteproc core expectations.

This issue can be reproduced by:
  1) start a firmware with a resource table
  2) stop the remote processor
  3) start a firmware without a resource table

With this change, starting a firmware without a resource table no longer
causes kernel dump.

Fixes: e954a1bd1610 ("remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table")
Cc: stable@vger.kernel.org
Signed-off-by: Peng Fan <peng.fan@nxp.com>
---
 drivers/remoteproc/imx_rproc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
index 375de79168a1c8d11b87ac1bd63774a3feac106d..cf044b385b58fe1e17d0fc440c243d76ecf020ae 100644
--- a/drivers/remoteproc/imx_rproc.c
+++ b/drivers/remoteproc/imx_rproc.c
@@ -729,6 +729,10 @@ imx_rproc_elf_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *
 {
 	struct imx_rproc *priv = rproc->priv;

+	/* No resource table in the firmware */
+	if (!rproc->cached_table)
+		return NULL;
+
 	if (priv->rsc_table)
 		return (struct resource_table *)priv->rsc_table;

---
base-commit: e3b32dcb9f23e3c3927ef3eec6a5842a988fb574
change-id: 20260122-imx-rproc-fix-e206f8e6e477

Best regards,
-- 
Peng Fan <peng.fan@nxp.com>

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] remoteproc: imx_rproc: Not report loaded resource table when none
  2026-01-22  3:24 [PATCH] remoteproc: imx_rproc: Not report loaded resource table when none Peng Fan (OSS)
@ 2026-01-22 15:00 ` Frank Li
  2026-01-26 16:49 ` Mathieu Poirier
  1 sibling, 0 replies; 3+ messages in thread
From: Frank Li @ 2026-01-22 15:00 UTC (permalink / raw)
  To: Peng Fan (OSS)
  Cc: Bjorn Andersson, Mathieu Poirier, Shawn Guo, Sascha Hauer,
	Pengutronix Kernel Team, Fabio Estevam, Iuliana Prodan,
	Daniel Baluta, linux-remoteproc, imx, linux-arm-kernel,
	linux-kernel, Peng Fan, stable

On Thu, Jan 22, 2026 at 11:24:43AM +0800, Peng Fan (OSS) wrote:
> From: Peng Fan <peng.fan@nxp.com>
>
> When starting a firmware without a resource table after previously running
> one that had a resource table, imx_rproc_elf_find_loaded_rsc_table() may
> incorrectly return a valid device memory pointer (priv->rsc_table).
>
> In this case rproc->cached_table is NULL because the current firmware does
> not contain a resource table, but the remoteproc core still interprets the
> non-NULL return value as a loaded resource table and attempts to memcpy()
> from rproc->cached_table, leading to a NULL pointer dereference and kernel
> panic.
>
> Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when
> there is no cached resource table for the current firmware. This ensures
> that a loaded resource table is only reported when a valid cached_table
> exists, which matches the remoteproc core expectations.
>
> This issue can be reproduced by:
>   1) start a firmware with a resource table
>   2) stop the remote processor
>   3) start a firmware without a resource table
>
> With this change, starting a firmware without a resource table no longer
> causes kernel dump.
>
> Fixes: e954a1bd1610 ("remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table")
> Cc: stable@vger.kernel.org
> Signed-off-by: Peng Fan <peng.fan@nxp.com>
> ---

Reviewed-by: Frank Li <Frank.Li@nxp.com>

>  drivers/remoteproc/imx_rproc.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
> index 375de79168a1c8d11b87ac1bd63774a3feac106d..cf044b385b58fe1e17d0fc440c243d76ecf020ae 100644
> --- a/drivers/remoteproc/imx_rproc.c
> +++ b/drivers/remoteproc/imx_rproc.c
> @@ -729,6 +729,10 @@ imx_rproc_elf_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *
>  {
>  	struct imx_rproc *priv = rproc->priv;
>
> +	/* No resource table in the firmware */
> +	if (!rproc->cached_table)
> +		return NULL;
> +
>  	if (priv->rsc_table)
>  		return (struct resource_table *)priv->rsc_table;
>
>
> ---
> base-commit: e3b32dcb9f23e3c3927ef3eec6a5842a988fb574
> change-id: 20260122-imx-rproc-fix-e206f8e6e477
>
> Best regards,
> --
> Peng Fan <peng.fan@nxp.com>
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] remoteproc: imx_rproc: Not report loaded resource table when none
  2026-01-22  3:24 [PATCH] remoteproc: imx_rproc: Not report loaded resource table when none Peng Fan (OSS)
  2026-01-22 15:00 ` Frank Li
@ 2026-01-26 16:49 ` Mathieu Poirier
  1 sibling, 0 replies; 3+ messages in thread
From: Mathieu Poirier @ 2026-01-26 16:49 UTC (permalink / raw)
  To: Peng Fan (OSS)
  Cc: Bjorn Andersson, Shawn Guo, Sascha Hauer, Pengutronix Kernel Team,
	Fabio Estevam, Iuliana Prodan, Daniel Baluta, Frank Li,
	linux-remoteproc, imx, linux-arm-kernel, linux-kernel, Peng Fan,
	stable

Good day,

On Thu, Jan 22, 2026 at 11:24:43AM +0800, Peng Fan (OSS) wrote:
> From: Peng Fan <peng.fan@nxp.com>
> 
> When starting a firmware without a resource table after previously running
> one that had a resource table, imx_rproc_elf_find_loaded_rsc_table() may
> incorrectly return a valid device memory pointer (priv->rsc_table).

priv->rsc_table is not NULL if the DT has a "rsc-table" entry, indicating that
_if_ there is a resource table in memory, that's where it should be.  Function
imx_rproc_elf_find_loaded_rsc_table() is buggy so the narrative about a
previously running FW with a valid resource table can be dropped.

> 
> In this case rproc->cached_table is NULL because the current firmware does
> not contain a resource table, but the remoteproc core still interprets the
> non-NULL return value as a loaded resource table and attempts to memcpy()
> from rproc->cached_table, leading to a NULL pointer dereference and kernel
> panic.
> 
> Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when
> there is no cached resource table for the current firmware. This ensures
> that a loaded resource table is only reported when a valid cached_table
> exists, which matches the remoteproc core expectations.
> 
> This issue can be reproduced by:
>   1) start a firmware with a resource table
>   2) stop the remote processor
>   3) start a firmware without a resource table
> 
> With this change, starting a firmware without a resource table no longer
> causes kernel dump.
> 
> Fixes: e954a1bd1610 ("remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table")
> Cc: stable@vger.kernel.org
> Signed-off-by: Peng Fan <peng.fan@nxp.com>
> ---
>  drivers/remoteproc/imx_rproc.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
> index 375de79168a1c8d11b87ac1bd63774a3feac106d..cf044b385b58fe1e17d0fc440c243d76ecf020ae 100644
> --- a/drivers/remoteproc/imx_rproc.c
> +++ b/drivers/remoteproc/imx_rproc.c
> @@ -729,6 +729,10 @@ imx_rproc_elf_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *
>  {
>  	struct imx_rproc *priv = rproc->priv;
>  
> +	/* No resource table in the firmware */
> +	if (!rproc->cached_table)
> +		return NULL;
> +

I think rproc->cached_table should be kept for internal remoteproc core usage
only.  Please use rproc->table_ptr.

Thanks,
Mathieu

>  	if (priv->rsc_table)
>  		return (struct resource_table *)priv->rsc_table;
>  
> 
> ---
> base-commit: e3b32dcb9f23e3c3927ef3eec6a5842a988fb574
> change-id: 20260122-imx-rproc-fix-e206f8e6e477
> 
> Best regards,
> -- 
> Peng Fan <peng.fan@nxp.com>
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-01-26 16:49 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-22  3:24 [PATCH] remoteproc: imx_rproc: Not report loaded resource table when none Peng Fan (OSS)
2026-01-22 15:00 ` Frank Li
2026-01-26 16:49 ` Mathieu Poirier

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox