From b6bd6d1a3c8d4140a1bb9c1011a4c52bf42e46dd Mon Sep 17 00:00:00 2001
From: Avaneesh Kumar Dwivedi
Date: Mon, 24 Apr 2017 21:51:42 +0530
Subject: [PATCH 1/2] soc: qcom: Clear the memory before freeing it up
It is a case of write after free, this is causing page allocation failure due to corruption. This is due to freeing up of segments allocated for venus subsystem, when venus fw loading fail midway.
Change-Id: I0019a05b1d1336dcf361264607597430e5f1625a
Signed-off-by: Avaneesh Kumar Dwivedi
---
 drivers/soc/qcom/peripheral-loader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/soc/qcom/peripheral-loader.c b/drivers/soc/qcom/peripheral-loader.c
index 6e5ddc4a3a7d..3415338a1294 100644
--- a/drivers/soc/qcom/peripheral-loader.c
+++ b/drivers/soc/qcom/peripheral-loader.c
@@ -917,13 +917,13 @@ out:
 priv->region_start), VMID_HLOS);
 }
+ if (desc->clear_fw_region && priv->region_start)
+ pil_clear_segment(desc);
 dma_free_attrs(desc->dev, priv->region_size, priv->region,
 priv->region_start, &desc->attrs);
 priv->region = NULL;
 }
- if (desc->clear_fw_region && priv->region_start)
- pil_clear_segment(desc);
 pil_release_mmap(desc);
 }
 return ret;
From 635cd0dd76c55f7f3a9bd0128b0514353f3bcc36 Mon Sep 17 00:00:00 2001
From: Avaneesh Kumar Dwivedi
Date: Fri, 21 Apr 2017 21:15:03 +0530
Subject: [PATCH 2/2] soc: qcom: Register for indication cb after obtaining state of remote pd
This change moves the registration of indication call back after inquiring the state of remote PD, this is logical flow since in any case just after registration we are inquiring the state and doing client notification. With existing arrangement of code, sometime there is occurring a race condition between inquiring the remote pd state and indication call back.
Change-Id: I2d4d5e0dc7afde9dfb89747b878c26862532bec4
Signed-off-by: Avaneesh Kumar Dwivedi
---
 drivers/soc/qcom/service-notifier.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
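Review bot: The relocated `pil_clear_segment()` call says nothing about why its position matters, and that ordering is the entire fix: it now sits after the block that (judging by the `VMID_HLOS` argument in the first context line) hands the region back to HLOS, and before `dma_free_attrs()` releases the buffer, so the scrub neither faults on memory the hypervisor still owns nor writes into freed pages. I would add above the new `if`: `/* Scrub the partially loaded firmware while the region is still mapped and owned by HLOS; dma_free_attrs() below releases it, so clearing any later is a write-after-free. */`. Note that the clear is now also gated on `priv->region` being non-NULL, which looks like an improvement worth stating in the commit message, since a stale `priv->region_start` with no backing region previously still reached `pil_clear_segment()`. Whether `pil_clear_segment()` reports failure is not visible here; if it does, the error path silently discards it. The enclosing function, the `out:` error path and the `if (priv->region)` block all begin outside the hunk.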
diff --git a/drivers/soc/qcom/service-notifier.c b/drivers/soc/qcom/service-notifier.c
index 68592feccb33..b5681a5c6817 100644
--- a/drivers/soc/qcom/service-notifier.c
+++ b/drivers/soc/qcom/service-notifier.c
@@ -376,13 +376,6 @@ static void root_service_service_arrive(struct work_struct *work)
 mutex_unlock(&qmi_client_release_lock);
 pr_info("Connection established between QMI handle and %d service\n",
 data->instance_id);
- /* Register for indication messages about service */
- rc = qmi_register_ind_cb(data->clnt_handle, root_service_service_ind_cb,
- (void *)data);
- if (rc < 0)
- pr_err("Indication callback register failed(instance-id: %d) rc:%d\n",
- data->instance_id, rc);
-
 mutex_lock(¬if_add_lock);
 mutex_lock(&service_list_lock);
 list_for_each_entry(service_notif, &service_list, list) {
@@ -405,6 +398,12 @@ static void root_service_service_arrive(struct work_struct *work)
 }
 mutex_unlock(&service_list_lock);
 mutex_unlock(¬if_add_lock);
+ /* Register for indication messages about service */
+ rc = qmi_register_ind_cb(data->clnt_handle,
+ root_service_service_ind_cb, (void *)data);
+ if (rc < 0)
+ pr_err("Indication callback register failed(instance-id: %d) rc:%d\n",
+ data->instance_id, rc);
 }
 
 static void root_service_service_exit(struct qmi_client_info *data,
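Review bot: Registering the indication callback only after the state query (the list walk above, which per the commit message queries the remote PD and notifies clients) opens the opposite window: a transition the remote PD signals between that query and the `qmi_register_ind_cb()` call at the end of the hunk is never delivered, so clients keep the queried state until the next indication. The usual way to close the original race is to register first and serialize `root_service_service_ind_cb` against the query path under the same lock (`notif_add_lock`/`service_list_lock` are visible here; `¬if_add_lock` is presumably `&notif_add_lock` mangled by entity decoding in this rendering), rather than reorder the two. If the reorder is kept, document the trade-off above the added `rc = …` line, e.g. `/* Registered after the initial query on purpose so an early indication cannot be overwritten by the query result; a transition in between is missed until the next indication. */`. On `rc < 0` the function still only logs, leaving a connected service with no indication path at all, which predates this patch but deserves at least a retry or a propagated error now that registration is the last step. The enclosing function begins outside the hunk.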