[PATCH v2] remoteproc: imx_rproc: Not report loaded resource table when none

Peng Fan (OSS) posted 1 patch 1 week, 3 days ago
drivers/remoteproc/imx_rproc.c | 4 ++++
1 file changed, 4 insertions(+)
[PATCH v2] remoteproc: imx_rproc: Not report loaded resource table when none
Posted by Peng Fan (OSS) 1 week, 3 days ago
From: Peng Fan <peng.fan@nxp.com>

priv->rsc_table is not NULL if the DT has a "rsc-table" entry, indicating
that _if_ there is a resource table in memory, that's where it should be.
Function imx_rproc_elf_find_loaded_rsc_table() is buggy so the narrative
about a previously running FW with a valid resource table can be dropped.

In this case rproc->table_ptr is NULL because the current firmware does
not contain a resource table, but the remoteproc core still interprets the
non-NULL return value as a loaded resource table and attempts to memcpy()
from rproc->cached_table, leading to a NULL pointer dereference and kernel
panic.

Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when
there is no cached resource table for the current firmware. This ensures
that a loaded resource table is only reported when a valid table_ptr
exists, which matches the remoteproc core expectations.

This issue can be reproduced by:
  1) start a firmware with a resource table
  2) stop the remote processor
  3) start a firmware without a resource table

With this change, starting a firmware without a resource table no longer
causes a kernel dump.

Fixes: e954a1bd1610 ("remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table")
Cc: stable@vger.kernel.org
Signed-off-by: Peng Fan <peng.fan@nxp.com>
---
Changes in v2:
- Per Mathieu, Check rproc->table_ptr, update commit log
- Include R-b from Frank
- Link to v1: https://lore.kernel.org/r/20260122-imx-rproc-fix-v1-1-36cc64369a40@nxp.com
---
 drivers/remoteproc/imx_rproc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
index 375de79168a1c8d11b87ac1bd63774a3feac106d..f5f916d6790519360f446f063e09d018c5654953 100644
--- a/drivers/remoteproc/imx_rproc.c
+++ b/drivers/remoteproc/imx_rproc.c
@@ -729,6 +729,10 @@ imx_rproc_elf_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *
 {
 	struct imx_rproc *priv = rproc->priv;
 
+	/* No resource table in the firmware */
+	if (!rproc->table_ptr)
+		return NULL;
+
 	if (priv->rsc_table)
 		return (struct resource_table *)priv->rsc_table;
 

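Review bot: the new guard at the top of imx_rproc_elf_find_loaded_rsc_table() is only correct if rproc->table_ptr never carries a value left over from a previous firmware. The reproduction in the commit message is a firmware with a resource table, a stop, then a firmware without one, so the log or the comment should say where table_ptr is reset between those starts; nothing in this hunk shows that. If it is not reset, `if (!rproc->table_ptr)` is false on the third step and the function still returns priv->rsc_table.
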
---
base-commit: e3b32dcb9f23e3c3927ef3eec6a5842a988fb574
change-id: 20260122-imx-rproc-fix-e206f8e6e477

Best regards,
-- 
Peng Fan <peng.fan@nxp.com>
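
The failure described in the commit message above, as a userspace model added here; it is not code from the patch or the kernel tree. The struct, the hook names and the result enum are assumptions made for illustration, and the "core" step follows only what the commit message says (non-NULL return, then memcpy() from cached_table).

```c
#include <stddef.h>
#include <string.h>

struct resource_table { unsigned int ver, num; };

/* Userspace stand-in for the fields the commit message names. */
struct rproc_model {
	struct resource_table *table_ptr;    /* table found in current firmware, else NULL */
	struct resource_table *cached_table; /* core's copy of that table, else NULL */
	size_t table_sz;
	void *dt_rsc_table;                  /* models priv->rsc_table (DT "rsc-table") */
};
typedef struct resource_table *(*hook_fn)(struct rproc_model *);

/* Hook without the guard: reports the DT region whenever it is set. */
static struct resource_table *hook_before(struct rproc_model *r)
{
	return (struct resource_table *)r->dt_rsc_table;
}

/* Hook with the patch's guard: no firmware table, nothing reported. */
static struct resource_table *hook_after(struct rproc_model *r)
{
	if (!r->table_ptr)
		return NULL;
	return (struct resource_table *)r->dt_rsc_table;
}

enum start_result { NO_TABLE, TABLE_COPIED, NULL_SOURCE };

/* Start step as the commit message describes it. A NULL copy source is
 * reported here; the kernel would dereference it and panic. */
static enum start_result model_start(struct rproc_model *r, hook_fn hook)
{
	struct resource_table *loaded = hook(r);
	if (!loaded) return NO_TABLE;
	if (!r->cached_table) return NULL_SOURCE;
	memcpy(loaded, r->cached_table, r->table_sz);
	return TABLE_COPIED;
}

/* Constructed scenario: DT region always present, firmware table optional. */
static enum start_result run_case(int fw_has_table, hook_fn hook)
{
	static struct resource_table dt_region, fw_table = { 1, 0 }, cache = { 1, 0 };
	struct rproc_model r = { NULL, NULL, 0, &dt_region };
	if (fw_has_table) r = (struct rproc_model){ &fw_table, &cache, sizeof(cache), &dt_region };
	return model_start(&r, hook);
}
int main(void) { return (run_case(0, hook_before) == NULL_SOURCE && run_case(0, hook_after) == NO_TABLE) ? 0 : 1; }
```
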
Re: [PATCH v2] remoteproc: imx_rproc: Not report loaded resource table when none
Posted by Mathieu Poirier 1 week, 3 days ago
On Mon, 26 Jan 2026 at 23:51, Peng Fan (OSS) <peng.fan@oss.nxp.com> wrote:
>
> From: Peng Fan <peng.fan@nxp.com>
>
> priv->rsc_table is not NULL if the DT has a "rsc-table" entry, indicating
> that _if_ there is a resource table in memory, that's where it should be.
> Function imx_rproc_elf_find_loaded_rsc_table() is buggy so the narrative
> about a previously running FW with a valid resource table can be dropped.
>

(sigh)

You apparently did not understand my last comment.

> In this case rproc->table_ptr is NULL because the current firmware does
> not contain a resource table, but the remoteproc core still interprets the
> non-NULL return value as a loaded resource table and attempts to memcpy()
> from rproc->cached_table, leading to a NULL pointer dereference and kernel
> panic.
>
> Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when
> there is no cached resource table for the current firmware. This ensures
> that a loaded resource table is only reported when a valid table_ptr
> exists, which matches the remoteproc core expectations.
>
> This issue can be reproduced by:
>   1) start a firmware with a resource table
>   2) stop the remote processor
>   3) start a firmware without a resource table
>

Another sign you did not understand my last comment.

I had hopes of merging this patch but the changelog is too garbled to
be salvageable.  I suggest you ask Daniel or Iuliana for help.

> With this change, starting a firmware without a resource table no longer
> causes a kernel dump.
>
> Fixes: e954a1bd1610 ("remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table")
> Cc: stable@vger.kernel.org
> Signed-off-by: Peng Fan <peng.fan@nxp.com>
> ---
> Changes in v2:
> - Per Mathieu, Check rproc->table_ptr, update commit log
> - Include R-b from Frank
> - Link to v1: https://lore.kernel.org/r/20260122-imx-rproc-fix-v1-1-36cc64369a40@nxp.com
> ---
>  drivers/remoteproc/imx_rproc.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
> index 375de79168a1c8d11b87ac1bd63774a3feac106d..f5f916d6790519360f446f063e09d018c5654953 100644
> --- a/drivers/remoteproc/imx_rproc.c
> +++ b/drivers/remoteproc/imx_rproc.c
> @@ -729,6 +729,10 @@ imx_rproc_elf_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *
>  {
>         struct imx_rproc *priv = rproc->priv;
>
> +       /* No resource table in the firmware */
> +       if (!rproc->table_ptr)
> +               return NULL;
> +
>         if (priv->rsc_table)
>                 return (struct resource_table *)priv->rsc_table;
>
>
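
Review bot: the comment `/* No resource table in the firmware */` above the `!rproc->table_ptr` check does not say why the DT-provided priv->rsc_table must not be returned in that case, so a later reader sees two pointers tested in sequence with no stated relation. Suggest a comment that ties them together, for example that priv->rsc_table only says where a table would live and is reported only when the current firmware supplied one, i.e. when rproc->table_ptr is set.
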
> ---
> base-commit: e3b32dcb9f23e3c3927ef3eec6a5842a988fb574
> change-id: 20260122-imx-rproc-fix-e206f8e6e477
>
> Best regards,
> --
> Peng Fan <peng.fan@nxp.com>
>