- Jul 11, 2024

quic_anane authored

Currently, the DSP updates header buffers with unused DMA handle FDs. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed. However, since the header buffer is exposed to users in unsigned PD, users can update invalid FDs. If this invalid FD matches with any FD that is already in use, it could lead to a use-after-free (UAF) vulnerability. As a solution, add DMA handle references for DMA FDs, and the map for the FD will be freed only when a reference is found.

Change-Id: Ie4d19dc0ef0ebdda5ed2fe6f7b64598ef661a63f
Signed-off-by: quic_anane <quic_anane@quicinc.com>

- Jul 10, 2024

Ramesh Nallagopu authored

Currently, compact fastrpc ioctl functions allocate memory dynamically and return without freeing this memory. Do memory free before return.

Change-Id: I4591ccc951e7e43362a4c2d9e0265c89ab8582f8
Signed-off-by: rnallago <quic_rnallago@quicinc.com>

- Jul 09, 2024

QCTECMDR Service authored

- Jul 08, 2024

QCTECMDR Service authored

- Jul 03, 2024

Ramesh Nallagopu authored

Currently, the compat ioctl call distinguishes itself using a global flag. If a user sends a compat ioctl call followed by a normal ioctl call, it may result in using a user-passed address as a kernel address in the fastrpc driver. To address this issue, consider localizing the compat flag for the ioctl call.

Change-Id: Ie8fc724424534102736b8c0bc594720547ab6ff6
Signed-off-by: rnallago <quic_rnallago@quicinc.com>

Abhishek Singh authored

If a user makes the ioctl call for the fastrpc_internal_mmap with the global map flag, fd, and va corresponding to some map already present in the process-specific list, then this map present in the process-specific list could be added to the global list, because global maps are also searched in the process-specific list. If a map gets removed from the global list and another concurrent thread is using the same map for a process-specific use case, it could lead to a use-after-free. Avoid searching the global map in the process-specific list.

Change-Id: I59c820eb984945d39cd6e4b163307ea43ee4d2f4
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>

- Jun 28, 2024

Minghao Xue authored

Currently, different error codes are returned if the remote subsystem is not up when the client tries to open a dynamic PD. Need to unify them to -ECONNREFUSED.

Change-Id: Iee6925724a29a4ab265c50f68baa267150b4058d
Signed-off-by: Minghao Xue <quic_mingxue@quicinc.com>

- Jun 24, 2024

Santosh authored

In the early stages of fastrpc_internal_invoke, we validate the user CID and handle failure cases. However, in the error scenario, an invalid CID can lead to issues when accessing the channel mutex. To prevent this, we should validate the CID before accessing the channel mutex via the fastrpc user structure.

Change-Id: Ic1f7ae01a749b57c9b9e69210314d694ebcf300b
Signed-off-by: Santosh <quic_ssakore@quicinc.com>

- Jun 18, 2024

qctecmdr authored

Abhishek Singh authored

Currently, in print_debug_data, kref_put is being called inside the global lock, and the same lock is taken in the release callback of kref_put, leading to spinlock recursion. There is no need to get and put the reference for the fastrpc file inside this function because we have already taken the reference inside update_ramdump_status while adding the init memory entry to the chan->initmems list. Moreover, the same list will be used in print_debug_data.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: Ifdc8b3e0c2bbc5cc4237eedaa24c8cd766262dfe

- Jun 08, 2024

qctecmdr authored

- Jun 06, 2024

Anvesh Jain P authored

The fastrpc driver supports 4 remoteprocs. There are some products, such as automotive, which support the cdsp1 remoteproc. Add changes to support the cdsp1 remoteproc.

Change-Id: I3a9b221c53ccd4331de089ab38ccd6d715db4bf4
Signed-off-by: Anvesh Jain P <quic_ajainp@quicinc.com>

- May 30, 2024

- May 29, 2024

qctecmdr authored

- May 28, 2024

Minghao Xue authored

Currently, the DSP signal waits for a definite timeout even though the timeout is set to indefinite wait, and returns a timeout error. Fix is to add a proper check for waiting indefinitely and return the proper error code.

Change-Id: Ib4d8835cee6c686dae45f8b5ddf128d24c28cdad
Signed-off-by: Minghao Xue <quic_mingxue@quicinc.com>

Santosh Sakore authored

The subsystem ssrcount is write-protected with a channel mutex. In a few places, the code accesses it outside the critical section, which can result in false reads during a race condition. To address this, move the ssrcount access within a critical section.

Change-Id: I7df1e05fd892277a10514e3759f7ea67c51bac3b
Signed-off-by: Santosh <quic_ssakore@quicinc.com>

- May 27, 2024

qctecmdr authored

Abhishek Singh authored

Currently, the CMA mini dump node is not being dequeued, leading to an infinite loop. Dequeue the CMA mini dump node as well, along with all the init mems.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: Ie5c24ee4ce43c798ed40a8d766371449bcf27b68

- May 21, 2024

Ansa Ahmed authored

Add locking mechanism while printing file map and cma map in print debug data.

Change-Id: I36484d763b56ec88413ca9394c08ff30d85e664a
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

- May 16, 2024

qctecmdr authored

- May 14, 2024

qctecmdr authored

- May 09, 2024

Sudheer Gummalla authored

Add anorak module to support anorak target.

Change-Id: Ifc81c5c4b02c40eaa7d2281c5a4c374657457514
Signed-off-by: Sudheer Gummalla <quic_gummalla@quicinc.com>

- May 02, 2024

Abhishek Singh authored

Currently, the code flow bails out without releasing the spin lock, leading to spin lock recursion. Additionally, the free function is called during this bail, which is a sleep function. To address this issue, ensure that the spin lock is released before proceeding to the bail.

Change-Id: I57884049d7799c3c69eccb4fa2db043b073d5312
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>

- Apr 27, 2024

Abhishek Singh authored

Currently, remote heap maps get added to the global list before the fastrpc_internal_mmap function completes the mapping. Meanwhile, the fastrpc_internal_munmap function accesses the map, starts unmapping, and frees the map before the fastrpc_internal_mmap function completes, resulting in a use-after-free (UAF) issue. Add the map to the list after the fastrpc_internal_mmap function completes the mapping.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: I8aa23cf215e53d0613774c2b2657954bca6c72f4

- Apr 10, 2024

Ansa Ahmed authored

Add kref reference counters to fastrpc process objects. Process structures are used in multiple places and passed around. Maintaining krefs helps ensure that the release routine for the structure is called after the last reference to the pointer is done.

Co-developed-by: Abhinav Parihar <quic_parihar@quicinc.com>
Change-Id: I5fd35af3c5581bf69ebfddf56951d76d9a2d10fb
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

- Mar 29, 2024

Ramesh Nallagopu authored

Currently, after audio PDR, all invoke calls are discarded in the pd status check; due to this, kill does not reach the DSP to clean up the ftq group in guestOS. Fix is to discard only audio pd attachment and allow the kill message to clean DSP GuestOS resources.

Change-Id: Ica8bff6ed6e81eab4119c59c46fb6be9c0b79704
Signed-off-by: rnallago <quic_rnallago@quicinc.com>

- Mar 22, 2024

qctecmdr authored

- Mar 14, 2024

qctecmdr authored

Ramesh Nallagopu authored

The current code collects RAM dumps for both DSP SSR and PDR, but this is not required during PDR. Fix is to collect it for SSR and skip it for PDR.

Change-Id: Ibcc9c7291488b67fa0570e86eef5867ba7fcb2ed
Signed-off-by: rnallago <quic_rnallago@quicinc.com>

- Mar 07, 2024

- Mar 05, 2024

quic_anane authored

The `fastrpc_dspsignal_wait` function currently checks the signal state before waiting for a signal from the DSP. However, if the signal is already received before the check, it results in an infinite loop, causing excessive resource usage. This change addresses the race condition by checking both the pending and signaled states. If the signal is not in the pending state, it directly checks for the signaled state, resets the states, and returns to avoid looping.

Change-Id: I00f80780cccf5a7b0e95f961607042efe62d9d30
Signed-off-by: quic_anane <quic_anane@quicinc.com>

Ramesh Nallagopu authored

Thread1 can free up the fl->init memory in fastrpc_init_create_dynamic_process under the fl spin lock while, at the same time, thread2 adds fl->init_mem to the chan->initmems list under the global spin lock in fastrpc_update_ramdump_status; this can lead to a use-after-free in fastrpc_ramdump_collection. Fix is to use the global spin lock while handling fl->init_mem.

Change-Id: I7a497dc962b6967a4d594a3acce55f8ce0eb3a55
Signed-off-by: rnallago <quic_rnallago@quicinc.com>

Ansa Ahmed authored

Currently, unlocking the spinlock during maps list iteration can lead to a use-after-free. Fix is to lock, read one map from the list, stop iteration and unlock, and repeat the same for all the maps in the list.

Acked-by: Ramesh Nallagopu <rnallago@qti.qualcomm.com>
Change-Id: I834bdcb9dd55a33f6308188ec1f844b7d81cb30e
Signed-off-by: Ansa Ahmed <quic_ansa@quicinc.com>

- Mar 04, 2024

rnallago authored

Add negative value check for index to prevent array out-of-bounds access.

Change-Id: I0d23e2cb258227ef76779d82ec2c8f6b9cf7f95f
Signed-off-by: rnallago <quic_rnallago@quicinc.com>

- Feb 20, 2024

Abhishek Singh authored

Currently, memory allocated for status notification is only freed by the notif thread. If the notif thread exits, notif entries will not be freed. Free the notif entries while closing the fastrpc file.

Change-Id: I8e715a4c449a595ce492379bfc50eaf456bbccf6
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>

- Feb 08, 2024

qctecmdr authored

- Feb 06, 2024

Abhishek Singh authored

Add volcano module to support volcano target.

Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Change-Id: I02b1c9a14370ceb5bf2ae495e15be7c54f1a3bb6

- Jan 25, 2024

quic_anane authored

Add check for user input buffer to fix improper access.

Signed-off-by: quic_anane <quic_anane@quicinc.com>

- Jan 24, 2024

Edgar Flores authored

Customer is seeing an issue when sharing a buffer to secure PD. The buffer is being set to 'secure buffer type' by the trusted driver, which is invalid in TVM. There are no 'secure' buffers on TVM. All buffers in TVM need to be marked as 'non-secure'. Fix is to explicitly mark buffers as 'non-secure' for TVM only.

Change-Id: I80c70bc59dcbd78be4119c1855fd4e5fa2e7d5cb