Re: [PATCH v4 3/4] misc: fastrpc: Allocate entire reserved memory for Audio PD in probe

[Jianping Li]

On 4/18/2026 2:31 AM, Dmitry Baryshkov wrote:
> On Thu, Apr 09, 2026 at 02:26:16PM +0800, Jianping Li wrote:
> > Allocating and freeing Audio PD memory from userspace is unsafe because
> > the kernel cannot reliably determine when the DSP has finished using the
> > memory. Userspace may free buffers while they are still in use by the DSP,
> > and remote free requests cannot be safely trusted.
> >
> > Allocate the entire Audio PD reserved-memory region upfront during rpmsg
> > probe and tie its lifetime to the rpmsg channel. This avoids userspace-
> > controlled alloc/free and ensures memory is reclaimed only when the DSP
> > shuts down.
> >
> > Signed-off-by: Jianping Li <jianping.li@xxxxxxxxxxxxxxxx>
> > ---
> >   drivers/misc/fastrpc.c | 104 +++++++++++++++++++++--------------------
> >   1 file changed, 53 insertions(+), 51 deletions(-)
> >
> > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> > index 148085c3b61a..a67ae991c0b0 100644
> > --- a/drivers/misc/fastrpc.c
> > +++ b/drivers/misc/fastrpc.c
> > @@ -276,6 +276,8 @@ struct fastrpc_channel_ctx {
> >   	struct kref refcount;
> >   	/* Flag if dsp attributes are cached */
> >   	bool valid_attributes;
> > +	/* Flag if audio PD init mem was allocated */
> > +	bool audio_init_mem;
> >   	u32 dsp_attributes[FASTRPC_MAX_DSP_ATTRIBUTES];
> >   	struct fastrpc_device *secure_fdevice;
> >   	struct fastrpc_device *fdevice;
> > @@ -1295,15 +1297,16 @@ static int fastrpc_init_create_static_process(struct fastrpc_user *fl,
> >   	struct fastrpc_init_create_static init;
> >   	struct fastrpc_invoke_args *args;
> >   	struct fastrpc_phy_page pages[1];
> > +	struct fastrpc_channel_ctx *cctx = fl->cctx;
> What was the base for this series? It doesn't apply to linux-next. The
> code here is different.

This series is based on the patch submitted last month. I will redo the next version of
the patch based on the latest linux-next submission.

Thanks,
Jianping.

> >   	char *name;
> >   	int err;
> > -	bool scm_done = false;
> >   	struct {
> >   		int client_id;
> >   		u32 namelen;
> >   		u32 pageslen;
> This struct is way bigger.

In the fastrpc_init_create_static_process function, the
inbuf structure has only three members; it only becomes bigger in the
fastrpc_init_create_process function.

> >   	} inbuf;
> >   	u32 sc;
> > +	unsigned long flags;
> >   
> >   	args = kzalloc_objs(*args, FASTRPC_CREATE_STATIC_PROCESS_NARGS);
> >   	if (!args)