[PATCH] remoteproc: qcom_q6v5_pas: Release dtb_firmware on stop

[Sailesh Nandanavanam]

qcom_pas_load() acquires a reference to pas->dtb_firmware via
request_firmware() whenever the platform defines dtb_pas_id. This
reference is only released on the error path inside qcom_pas_load()
itself, when qcom_mdt_pas_load() fails.

On the success path, pas->dtb_firmware is never released by
qcom_pas_start(), qcom_pas_stop(), qcom_pas_unprepare(), or
qcom_pas_remove(). Since qcom_pas_load() runs on every load/reload
cycle, including subsystem-restart recovery, this leaks a firmware
reference on every successful boot of remoteprocs that use a DTB
co-firmware image (e.g. ADSP/CDSP/MPSS on SM8550, SM8650, SM8750,
X1E80100).

A second, narrower leak window exists if qcom_pas_start() itself
fails after the DTB carveout has been mapped: the remoteproc core
does not invoke .stop for a remoteproc that failed to start, so
qcom_pas_stop() never runs to release the reference in that case.

Release pas->dtb_firmware in both qcom_pas_stop() and at the
unmap_dtb_carveout label in qcom_pas_start(), alongside the existing
teardown of the DTB carveout mapping, and clear the pointer to avoid
holding a stale reference into the next load cycle.

Fixes: 29814986b82e ("remoteproc: qcom_q6v5_pas: add support for dtb 
co-firmware loading")

Signed-off-by: Sailesh Nandanavanam <saileshnandanava...@gmail.com>
---
 drivers/remoteproc/qcom_q6v5_pas.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/remoteproc/qcom_q6v5_pas.c 
b/drivers/remoteproc/qcom_q6v5_pas.c
index da27d1d3c9da..040aabbe5860 100644
--- a/drivers/remoteproc/qcom_q6v5_pas.c
+++ b/drivers/remoteproc/qcom_q6v5_pas.c
@@ -360,8 +360,11 @@ static int qcom_pas_start(struct rproc *rproc)
                qcom_scm_pas_metadata_release(pas->dtb_pas_ctx);
 
 unmap_dtb_carveout:
-       if (pas->dtb_pas_id)
+       if (pas->dtb_pas_id) {
                qcom_pas_unmap_carveout(rproc, pas->dtb_mem_phys, 
pas->dtb_mem_size);
+               release_firmware(pas->dtb_firmware);
+               pas->dtb_firmware = NULL;
+       }
 disable_px_supply:
        if (pas->px_supply)
                regulator_disable(pas->px_supply);
@@ -419,6 +422,8 @@ static int qcom_pas_stop(struct rproc *rproc)
                        dev_err(pas->dev, "failed to shutdown dtb: %d\n", ret);
 
                qcom_pas_unmap_carveout(rproc, pas->dtb_mem_phys, 
pas->dtb_mem_size);
+               release_firmware(pas->dtb_firmware);
+               pas->dtb_firmware = NULL;
        }
 
        qcom_pas_unmap_carveout(rproc, pas->mem_phys, pas->mem_size);
-- 
2.34.1