From: Shengjiu Wang shengjiu.wang@nxp.com
commit 47e6ab07018edebf94ce873cf50a05ec76ff2dde upstream.
The workqueue may execute late even after remoteproc is stopped or stopping, some resources (rpmsg device and endpoint) have been released in rproc_stop_subdevices(), then rproc_vq_interrupt() accessing these resources will cause kernel dump.
Call trace:
 virtqueue_add_split+0x1ac/0x560
 virtqueue_add_inbuf+0x4c/0x60
 rpmsg_recv_done+0x15c/0x294
 vring_interrupt+0x6c/0xa4
 rproc_vq_interrupt+0x30/0x50
 imx_dsp_rproc_vq_work+0x24/0x40 [imx_dsp_rproc]
 process_one_work+0x1d0/0x354
 worker_thread+0x13c/0x470
 kthread+0x154/0x160
 ret_from_fork+0x10/0x20
Add mutex protection in imx_dsp_rproc_vq_work(), if the state is not running, then just skip calling rproc_vq_interrupt().
Also the flush workqueue operation can't be added in rproc stop for the same reason. The call sequence is
rproc_shutdown -> rproc_stop ->rproc_stop_subdevices ->rproc->ops->stop() ->imx_dsp_rproc_stop ->flush_work -> rproc_vq_interrupt
The resource needed by rproc_vq_interrupt has been released in rproc_stop_subdevices, so flush_work is not safe to be called in imx_dsp_rproc_stop.
Fixes: ec0e5549f358 ("remoteproc: imx_dsp_rproc: Add remoteproc driver for DSP on i.MX")
Signed-off-by: Shengjiu Wang shengjiu.wang@nxp.com
Reviewed-by: Peng Fan peng.fan@nxp.com
Cc: stable stable@vger.kernel.org
Link: https://lore.kernel.org/r/1664524216-19949-1-git-send-email-shengjiu.wang@nx...
Signed-off-by: Mathieu Poirier mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/remoteproc/imx_dsp_rproc.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/remoteproc/imx_dsp_rproc.c +++ b/drivers/remoteproc/imx_dsp_rproc.c @@ -347,9 +347,6 @@ static int imx_dsp_rproc_stop(struct rpr struct device *dev = rproc->dev.parent; int ret = 0;
- /* Make sure work is finished */ - flush_work(&priv->rproc_work); - if (rproc->state == RPROC_CRASHED) { priv->flags &= ~REMOTE_IS_READY; return 0; @@ -432,9 +429,18 @@ static void imx_dsp_rproc_vq_work(struct { struct imx_dsp_rproc *priv = container_of(work, struct imx_dsp_rproc, rproc_work); + struct rproc *rproc = priv->rproc; + + mutex_lock(&rproc->lock); + + if (rproc->state != RPROC_RUNNING) + goto unlock_mutex;
rproc_vq_interrupt(priv->rproc, 0); rproc_vq_interrupt(priv->rproc, 1); + +unlock_mutex: + mutex_unlock(&rproc->lock); }
/**
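Review bot: In the first hunk (imx_dsp_rproc_stop), the removed "/* Make sure work is finished */" comment and flush_work(&priv->rproc_work) leave no trace in the code of why the stop path must not wait for the work item. A short comment at that spot saying that rproc_stop_subdevices() has already released the rpmsg device and endpoint, so flushing here would run rproc_vq_interrupt() against freed resources, would keep someone from re-adding the flush later. With the flush gone, nothing in the visible lines waits for or cancels rproc_work any more, while imx_dsp_rproc_vq_work() still dereferences priv and priv->rproc when it finally runs. Please confirm that the driver's teardown path (not shown in this diff) cancels the work before priv can go away.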
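Review bot: In the second hunk (imx_dsp_rproc_vq_work), the new check "if (rproc->state != RPROC_RUNNING) goto unlock_mutex;" silently drops a queued notification and has no comment saying why that is safe; a one-line comment stating that the virtqueue resources are released once the remote processor is stopping, so the interrupt must be skipped, would document the intent. The work function now takes rproc->lock, so any caller that waits on this work item while holding the same lock would deadlock; that is worth stating next to the mutex_lock() since it is a second reason the flush cannot live in the stop callback if stop is invoked with rproc->lock held. Minor style point: the hunk introduces a local "rproc" but the two calls still pass priv->rproc; use rproc in rproc_vq_interrupt(rproc, 0) and rproc_vq_interrupt(rproc, 1) for consistency.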