fastrpc: Add reference counting for fastrpc_user structure #317

Open
quic-anane wants to merge 1 commit into qualcomm-linux:qcom-6.18.y from quic-anane:refcount-fix

@quic-anane commented Mar 2, 2026

Patch1: Add reference counting using kref to the fastrpc_user structure to prevent use-after-free issues when contexts are freed from workqueue after device release.

Link: https://lore.kernel.org/all/20260226151121.818852-1-anandu.e@oss.qualcomm.com/#

CRs-Fixed: 4448282

…cture

Add reference counting using kref to the fastrpc_user structure to
prevent use-after-free issues when contexts are freed from workqueue
after device release.

The issue occurs when fastrpc_device_release() frees the user structure
while invoke contexts are still pending in the workqueue. When the
workqueue later calls fastrpc_context_free(), it attempts to access
buf->fl->cctx in fastrpc_buf_free(), leading to a use-after-free:

  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  ...
  fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
  process_one_work+0x180/0x450
  worker_thread+0x26c/0x388

Implement proper reference counting to fix this:
- Initialize kref in fastrpc_device_open()
- Take a reference in fastrpc_context_alloc() for each context
- Release the reference in fastrpc_context_free() when context is freed
- Release the initial reference in fastrpc_device_release()

This ensures the user structure remains valid as long as there are
contexts holding references to it, preventing the race condition.

Link: https://lore.kernel.org/all/20260226151121.818852-1-anandu.e@oss.qualcomm.com/
Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
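
The lifetime rule listed in the commit message above, as a user-space model added here for illustration; it is not the driver's code or part of this pull request. The names `user_model`, `ctx_model`, `user_put` and `users_freed` are hypothetical, a C11 atomic counter stands in for the kernel's kref, and the value 42 is a constructed sample.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* User-space model; hypothetical names, not the driver's code. */
struct user_model {
    atomic_int refcount; /* stands in for the kref */
    int cctx;            /* stands in for fl->cctx, read by the deferred free */
};
struct ctx_model { struct user_model *fl; }; /* a pending context pins its owner */
static int users_freed; /* how many times a user was actually freed */

static void user_put(struct user_model *fl)
{
    /* kref_put() analogue: free only when the last reference is dropped */
    if (atomic_fetch_sub(&fl->refcount, 1) == 1) {
        users_freed++;
        free(fl);
    }
}

static struct user_model *device_open(void)
{
    struct user_model *fl = calloc(1, sizeof(*fl));
    if (fl) {
        atomic_init(&fl->refcount, 1); /* initial reference, owned by the open file */
        fl->cctx = 42;                 /* constructed sample value */
    }
    return fl;
}

static struct ctx_model *context_alloc(struct user_model *fl)
{
    struct ctx_model *ctx = malloc(sizeof(*ctx));
    if (ctx) {
        atomic_fetch_add(&fl->refcount, 1); /* one reference per context */
        ctx->fl = fl;
    }
    return ctx;
}

/* Deferred free (the workqueue path): read through fl, then drop the reference. */
static int context_free(struct ctx_model *ctx)
{
    int cctx = ctx->fl->cctx; /* valid: this context still holds its reference */
    user_put(ctx->fl);
    free(ctx);
    return cctx;
}

static void device_release(struct user_model *fl) { user_put(fl); }
```

Calling `device_release()` while contexts are still pending leaves `users_freed` at 0; the user is freed only by the `context_free()` call that drops the last reference, after it has read `cctx`.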

@qcomlnxci

Test Matrix

Test Case kaanapali-mtp lemans-evk monaco-evk qcs615-ride qcs6490-rb3gen2 qcs8300-ride qcs9100-ride-r3 sm8750-mtp x1e80100-crd
0_qcom-next-ci-premerge-tests ◻️ ◻️ ◻️ ◻️ ◻️ ◻️ ◻️ ❌ Fail ◻️
BT_FW_KMD_Service ◻️ ❌ Fail ❌ Fail ◻️ ✅ Pass ✅ Pass ✅ Pass ❌ Fail ◻️
BT_ON_OFF ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ⚠️ skip ◻️
BT_SCAN ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ⚠️ skip ◻️
CPUFreq_Validation ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
CPU_affinity ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
DSP_AudioPD ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ◻️ ◻️
Ethernet ◻️ ⚠️ skip ⚠️ skip ◻️ ⚠️ skip ⚠️ skip ⚠️ skip ⚠️ skip ◻️
Freq_Scaling ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ❌ Fail ◻️
GIC ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
IPA ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
Interrupts ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
OpenCV ◻️ ⚠️ skip ⚠️ skip ◻️ ⚠️ skip ⚠️ skip ⚠️ skip ◻️ ◻️
PCIe ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
Probe_Failure_Check ◻️ ❌ Fail ❌ Fail ◻️ ✅ Pass ❌ Fail ✅ Pass ❌ Fail ◻️
RMNET ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
UFS_Validation ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
USBHost ◻️ ❌ Fail ❌ Fail ◻️ ❌ Fail ✅ Pass ✅ Pass ❌ Fail ◻️
WiFi_Firmware_Driver ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ◻️ ◻️
WiFi_OnOff ◻️ ⚠️ skip ⚠️ skip ◻️ ✅ Pass ✅ Pass ✅ Pass ◻️ ◻️
cdsp_remoteproc ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ❌ Fail ◻️
hotplug ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
irq ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
kaslr ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
pinctrl ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
qcom_hwrng ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ◻️ ◻️
remoteproc ◻️ ✅ Pass ❌ Fail ◻️ ✅ Pass ❌ Fail ✅ Pass ❌ Fail ◻️
rngtest ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
shmbridge ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
smmu ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️
watchdog ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ◻️ ◻️
wpss_remoteproc ◻️ ✅ Pass ✅ Pass ◻️ ✅ Pass ✅ Pass ✅ Pass ✅ Pass ◻️

@sgaud-quic
Contributor

@quic-anane please add CR to the PR
