[PATCH v3 2/3] remoteproc: qcom: Check subdev start status in rproc_stop()

From: Jingyi Wang

Date: Tue Jun 23 2026 - 05:09:57 EST


For rproc that doing attach, rproc_start_subdevices() is called only when
attach successfully. If rproc_report_crash() is called in the attach
function, rproc_boot_recovery()->rproc_stop()->rproc_stop_subdevices()->
glink_subdev_stop() could be called and cause NULL pointer dereference:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000300
Mem abort info:
...
pc : qcom_glink_smem_unregister+0x14/0x48 [qcom_glink_smem]
lr : glink_subdev_stop+0x1c/0x30 [qcom_common]
...
Call trace:
qcom_glink_smem_unregister+0x14/0x48 [qcom_glink_smem] (P)
glink_subdev_stop+0x1c/0x30 [qcom_common]
rproc_stop+0x58/0x17c
rproc_trigger_recovery+0xb0/0x150
rproc_crash_handler_work+0xa4/0xc4
process_scheduled_works+0x18c/0x2d8
worker_thread+0x144/0x280
kthread+0x124/0x138
ret_from_fork+0x10/0x20
Code: a9be7bfd 910003fd a90153f3 aa0003f3 (b9430000)
---[ end trace 0000000000000000 ]---

Introduce "subdevs_started" flag to indicate rproc_start_subdevices() has
been called successfully. Ensure subdevices are only stopped if they have
been started.

Signed-off-by: Jingyi Wang <jingyi.wang@xxxxxxxxxxxxxxxx>
---
drivers/remoteproc/remoteproc_core.c | 7 +++++++
include/linux/remoteproc.h | 2 ++
2 files changed, 9 insertions(+)

diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
index 50f754e27d1a..71a7be7c1e9f 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -1099,6 +1099,8 @@ static int rproc_start_subdevices(struct rproc *rproc)
}
}

+ rproc->subdevs_started = true;
+
return 0;

unroll_registration:
@@ -1114,10 +1116,15 @@ static void rproc_stop_subdevices(struct rproc *rproc, bool crashed)
{
struct rproc_subdev *subdev;

+ if (!rproc->subdevs_started)
+ return;
+
list_for_each_entry_reverse(subdev, &rproc->subdevs, node) {
if (subdev->stop)
subdev->stop(subdev, crashed);
}
+
+ rproc->subdevs_started = false;
}

static void rproc_unprepare_subdevices(struct rproc *rproc)
diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
index f1d14d075bf3..17ed75a11e15 100644
--- a/include/linux/remoteproc.h
+++ b/include/linux/remoteproc.h
@@ -272,6 +272,7 @@ enum rproc_features {
* @has_iommu: flag to indicate if remote processor is behind an MMU
* @auto_boot: flag to indicate if remote processor should be auto-started
* @sysfs_read_only: flag to make remoteproc sysfs files read only
+ * @subdevs_started: flag to indicate if subdevs have started
* @dump_segments: list of segments in the firmware
* @nb_vdev: number of vdev currently handled by rproc
* @elf_class: firmware ELF class
@@ -314,6 +315,7 @@ struct rproc {
bool has_iommu;
bool auto_boot;
bool sysfs_read_only;
+ bool subdevs_started;
struct list_head dump_segments;
int nb_vdev;
u8 elf_class;

--
2.34.1