On Mon, Jun 22, 2026 at 09:31:14AM +0530, Sailesh Nandanavanam wrote:
> qcom_pas_load() acquires a reference to pas->dtb_firmware via
> request_firmware() whenever the platform defines dtb_pas_id. This
> reference is only released on the error path inside qcom_pas_load()
> itself, when qcom_mdt_pas_load() fails.
>
> On the success path, pas->dtb_firmware is never released by
> qcom_pas_start(), qcom_pas_stop(), qcom_pas_unprepare(), or
> qcom_pas_remove(). Since qcom_pas_load() runs on every load/reload
> cycle, including subsystem-restart recovery, this leaks a firmware
> reference on every successful boot of remoteprocs that use a DTB
> co-firmware image (e.g. ADSP/CDSP/MPSS on SM8550, SM8650, SM8750,
> X1E80100).
>
> A second, narrower leak window exists if qcom_pas_start() itself
> fails after the DTB carveout has been mapped: the remoteproc core
> does not invoke .stop for a remoteproc that failed to start, so
> qcom_pas_stop() never runs to release the reference in that case.
>
> Release pas->dtb_firmware in both qcom_pas_stop() and at the
> unmap_dtb_carveout label in qcom_pas_start(), alongside the existing
> teardown of the DTB carveout mapping, and clear the pointer to avoid
> holding a stale reference into the next load cycle.
>
> Fixes: 29814986b82e ("remoteproc: qcom_q6v5_pas: add support for dtb
> co-firmware loading")
>
Remove the line feed from here..
> Signed-off-by: Sailesh Nandanavanam <[email protected]>
> ---
> drivers/remoteproc/qcom_q6v5_pas.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/remoteproc/qcom_q6v5_pas.c
> b/drivers/remoteproc/qcom_q6v5_pas.c
> index da27d1d3c9da..040aabbe5860 100644
> --- a/drivers/remoteproc/qcom_q6v5_pas.c
> +++ b/drivers/remoteproc/qcom_q6v5_pas.c
> @@ -360,8 +360,11 @@ static int qcom_pas_start(struct rproc *rproc)
> qcom_scm_pas_metadata_release(pas->dtb_pas_ctx);
>
> unmap_dtb_carveout:
> - if (pas->dtb_pas_id)
> + if (pas->dtb_pas_id) {
> qcom_pas_unmap_carveout(rproc, pas->dtb_mem_phys,
> pas->dtb_mem_size);
> + release_firmware(pas->dtb_firmware);
This is still not solving the issue. What if you have failed just after
the first function qcom_q6v5_prepare() in qcom_pas_start()?
would it be better to move dtb_firmware loading to qcom_pas_start() ?
> + pas->dtb_firmware = NULL;
> + }
> disable_px_supply:
> if (pas->px_supply)
> regulator_disable(pas->px_supply);
> @@ -419,6 +422,8 @@ static int qcom_pas_stop(struct rproc *rproc)
> dev_err(pas->dev, "failed to shutdown dtb: %d\n", ret);
>
> qcom_pas_unmap_carveout(rproc, pas->dtb_mem_phys,
> pas->dtb_mem_size);
> + release_firmware(pas->dtb_firmware);
> + pas->dtb_firmware = NULL;
> }
>
> qcom_pas_unmap_carveout(rproc, pas->mem_phys, pas->mem_size);
> --
> 2.34.1
>
--
-Mukesh Ojha
