drivers/rptun: fix rptun stop related deadlock and crash bugs #17787
+50
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Area: Drivers
CV-Bowen
changed the title
jerpelea
approved these changes
Jan 7, 2026
xiaoxiang781216
approved these changes
Jan 7, 2026
return -EAGAIN will cause rpmsg_virtio_get_tx_payload_buffer() in OpenAMP break immediately, but should return to the sleep() logic to wait buffer is return. Signed-off-by: Bowen Wang <wangbowen6@xiaomi.com> Signed-off-by: Yongrong Wang <wangyongrong@xiaomi.com>
When execute 'rptun stop /dev/rptun/proxy' in the nsh, rpmsg_deinit_vdev(&priv->rvdev) will set rvdev->vdev = NULL, then the remoteproc_remove_virtio(priv->rvdev.vdev) input is NULL, which will cause crash, the backtrace as follow, so we save the rvdev->vdev pointer on vdev to solve this problem. (gdb) bt 0 _assert (filename=0x4002aecc <nxrmutex_destroy+8> "\005D\220\v", linenum=1038, msg=0x400a26a8 "tx_vq", regs=0x400a2768) at misc/assert.c:827 1 0x4002a1db in __assert (filename=0x400a2204 "open-amp/lib/remoteproc/remoteproc.c", linenum=1038, msg=0x0) at assert/lib_assert.c:38 2 0x4006fd83 in remoteproc_remove_virtio (rproc=0xf3ea1880, vdev=0x0) at open-amp/lib/remoteproc/remoteproc.c:1038 3 0x4001b01d in rptun_dev_stop (rproc=0xf3ea1880, stop_ns=true) at rptun/rptun.c:979 4 0x4001a45e in rptun_ioctl (rpmsg=0xf3ea16d0, cmd=11109, arg=0) at rptun/rptun.c:661 5 0x40017246 in rpmsg_dev_ioctl_ (rpmsg=0xf3ea16d0, cmd=11109, arg=0) at rpmsg/rpmsg.c:138 6 0x4001728e in rpmsg_dev_ioctl (filep=0xf3d70a14, cmd=11109, arg=0) at rpmsg/rpmsg.c:153 7 0x4005ef51 in file_vioctl (filep=0xf3d70a14, req=11109, ap=0xf3d80f2c "\352\r\004@F\023\004@\230\020\330\363\353;\354\363(7\354", <incomplete sequence \363>) at vfs/fs_ioctl.c:70 8 0x4005f2ff in ioctl (fd=3, req=11109) at vfs/fs_ioctl.c:294 9 0x40041049 in cmd_rpmsg_once (vtbl=0xf3ec3728, path=0xf3ec3beb "/dev/rptun/proxy", argv=0xf3d81098, rpmsg_cb=0x40041346 <cmd_rptun_cb>) at nsh_syscmds.c:616 10 0x400415c8 in cmd_rptun (vtbl=0xf3ec3728, argc=3, argv=0xf3d81098) at nsh_syscmds.c:766 11 0x40036024 in nsh_command (vtbl=0xf3ec3728, argc=3, argv=0xf3d81098) at nsh_command.c:1275 12 0x4003d044 in nsh_execute (vtbl=0xf3ec3728, argc=3, argv=0xf3d81098, param=0xf3d81078) at nsh_parse.c:716 13 0x4003efcc in nsh_parse_command (vtbl=0xf3ec3728, cmdline=0xf3ec3be0 "rptun") at nsh_parse.c:2809 14 0x4003f129 in nsh_parse (vtbl=0xf3ec3728, cmdline=0xf3ec3be0 "rptun") at nsh_parse.c:2919 15 0x40033ca4 in nsh_session (pstate=0xf3ec3728, login=1, argc=1, argv=0xf3d70ae0) at nsh_session.c:246 16 0x400338ea in nsh_consolemain (argc=1, argv=0xf3d70ae0) at nsh_consolemain.c:75 17 0x40033845 in nsh_main (argc=1, argv=0xf3d70ae0) at nsh_main.c:74 18 0x4002bc9f in nxtask_startup (entrypt=0x400337d0 <nsh_main>, argc=1, argv=0xf3d70ae0) at sched/task_startup.c:72 19 0x400077cc in nxtask_start () at task/task_start.c:116 20 0x40031d2f in pre_start () at sim/sim_initialstate.c:53 21 0x00000000 in ?? () Signed-off-by: mazhuang <mazhuang@xiaomi.com>
The rpmsg_ioctl() function will first obtain the read lock before traversing g_rpmsg, then the rpmsg_dev_destory function will try to obtain the write lock. At this time, rpmsg_ioctl does not release the read lock, resulting in a deadlock. To solve this problem, add a standardalone list for the rptun instance to avoid hold the rpmsg lock when execute rptun_poweroff() Backtrace: Thread 14 nsh_main 0 0x4412b9da in up_switch_context (tcb=0xeac03380, rtcb=0xe7f02480) at sim/sim_switchcontext.c:95 1 0x43fbe5e4 in nxsem_wait_slow (sem=0x5179d570 <g_rpmsg_lock+16>) at semaphore/sem_wait.c:170 2 0x43fbeacf in nxsem_wait (sem=0x5179d570 <g_rpmsg_lock+16>) at semaphore/sem_wait.c:272 3 0x44671a26 in down_write (rwsem=0x5179d560 <g_rpmsg_lock>) at semaphore/sem_rw.c:248 4 0x4401e255 in rpmsg_device_destory (rpmsg=0xe7b03280) at rpmsg/rpmsg.c:469 5 0x4402f5fe in rptun_dev_stop (rproc=0xe7b033e4, stop_ns=true) at rptun/rptun.c:973 6 0x4402aa28 in rptun_ioctl (rpmsg=0xe7b03280, cmd=11109, arg=0) at rptun/rptun.c:661 7 0x4401ba1e in rpmsg_dev_ioctl_ (rpmsg=0xe7b03280, cmd=11109, arg=0) at rpmsg/rpmsg.c:137 8 0x4401ee88 in rpmsg_ioctl (cpuname=0x0, cmd=11109, arg=0) at rpmsg/rpmsg.c:562 9 0x44030cb0 in rptun_poweroff (cpuname=0x0) at rptun/rptun.c:1183 10 0x43f27be2 in board_power_off (status=0) at sim/sim_head.c:211 11 0x446fd933 in boardctl (cmd=65283, arg=0) at boardctl.c:401 12 0x44313b95 in cmd_poweroff (vtbl=0xe7600e80, argc=1, argv=0xe7824350) at nsh_syscmds.c:368 13 0x442d148c in nsh_command (vtbl=0xe7600e80, argc=1, argv=0xe7824350) at nsh_command.c:1275 14 0x442f65f5 in nsh_execute (vtbl=0xe7600e80, argc=1, argv=0xe7824350, param=0xe78242b0) at nsh_parse.c:716 15 0x44304fb4 in nsh_parse_command (vtbl=0xe7600e80, cmdline=0xe7601338 "poweroff") at nsh_parse.c:2809 16 0x44305a50 in nsh_parse (vtbl=0xe7600e80, cmdline=0xe7601338 "poweroff") at nsh_parse.c:2919 17 0x442bdc91 in nsh_session (pstate=0xe7600e80, login=1, argc=1, argv=0xe7814870) at nsh_session.c:246 18 0x442bbbe5 in nsh_consolemain (argc=1, argv=0xe7814870) at nsh_consolemain.c:75 19 0x4422b4bb in nsh_main (argc=1, argv=0xe7814870) at nsh_main.c:74 20 0x440ee098 in nxtask_startup (entrypt=0x4422b39a <nsh_main>, argc=1, argv=0xe7814870) at sched/task_startup.c:72 21 0x43fa1d6e in nxtask_start () at task/task_start.c:116 22 0x4412982c in pre_start () at sim/sim_initialstate.c:53 23 0x00000000 in ?? () Signed-off-by: wangshaoxin <wangshaoxin@xiaomi.com>
Contributor
Author
|
CI failed but seems is not related to this patch Get:29 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [60.9 kB]
Get:30 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [6205 kB]
Ign:31 http://security.ubuntu.com/ubuntu jammy-security/main i386 Packages
Ign:32 http://security.ubuntu.com/ubuntu jammy-security/universe i386 Packages
Get:28 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [1287 kB]
Err:28 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
File has unexpected size (1286951 != 1287345). Mirror sync in progress? [IP: 91.189.92.24 80]
Hashes of expected file:
- Filesize:1287345 [weak]
- SHA256:e95b93510db370a322d03134935e297b44aea8a1c5c2a46c31d2f3876ea75cf6
- SHA1:d322dc11114f3f4e522059144bb6f90f8b0d451d [weak]
- MD5Sum:5605397a660439b926855743f5b33aee [weak]
Release file created at: Wed, 07 Jan 2026 13:35:09 +0000
Get:31 http://security.ubuntu.com/ubuntu jammy-security/main i386 Packages [927 kB]
Err:31 http://security.ubuntu.com/ubuntu jammy-security/main i386 Packages
Get:32 http://security.ubuntu.com/ubuntu jammy-security/universe i386 Packages [846 kB]
Err:32 http://security.ubuntu.com/ubuntu jammy-security/universe i386 Packages
Fetched 55.7 MB in 5s (12.0 MB/s)
Reading package lists...
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/universe/binary-amd64/Packages.gz File has unexpected size (1286951 != 1287345). Mirror sync in progress? [IP: 91.189.92.24 80]
Hashes of expected file:
- Filesize:1287345 [weak]
- SHA256:e95b93510db370a322d03134935e297b44aea8a1c5c2a46c31d2f3876ea75cf6
- SHA1:d322dc11114f3f4e522059144bb6f90f8b0d451d [weak]
- MD5Sum:5605397a660439b926855743f5b33aee [weak]
Release file created at: Wed, 07 Jan 2026 13:35:09 +0000
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/main/binary-i386/Packages.gz
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/universe/binary-i386/Packages.gz
E: Some index files failed to download. They have been ignored, or old ones used instead. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR includes three commits that fix critical issues in the RPMSG/RPTUN driver subsystem:
Fix notify wait return type after OpenAMP upgrade (commit 4779fab)
rpmsg_virtio_get_tx_payload_buffer()functionFix rptun_dev_stop crash in simulator (commit ee1b988)
rptun stop /dev/rptun/proxycommand in NSHrpmsg_deinit_vdev()settingrvdev->vdevto NULL beforeremoteproc_remove_virtio()attempted to use itrvdev->vdevpointer to a local variable before deinitializingFix poweroff deadlock issue (commit 17521d3)
rpmsg_ioctl()holding a read lock whilerpmsg_dev_destroy()tried to acquire a write lockrptun_poweroff()executionImpact
rptun/rpmsg_virtio_lite and rpmsg services
Testing
qemu-armv8a:rpserver, rpproxy and sim:rpserver, rpproxy