CV-Bowen opened a new pull request, #18085:
URL: https://github.com/apache/nuttx/pull/18085

   ## Summary
   
   This PR includes a series of critical fixes and improvements for the 
rpmsg_router driver to enhance multi-core communication stability and 
reliability. The changes address several race conditions, memory management 
issues, and edge cases that could cause system crashes or hangs in production 
environments.
   
   ### Key Changes
   
   1. **Fix race condition and use-after-free** - Prevents concurrent endpoint 
destruction from causing use-after-free errors
   2. **Fix double free issue** - Resolves double free vulnerability in 
`rpmsg_router_hub_unbind`
   3. **Avoid blocking when remote destroys endpoint** - Uses 
`rpmsg_send_offchannel_raw` to prevent deadlock scenarios
   4. **Improve NS message handling** - Properly distinguishes between 
NS_CREATE and NS_ACK messages
   5. **Fix binding failures** - Prevents rpmsg:cpu from failing to bind to 
destination
   6. **Improve endpoint state management** - Correctly sets `dst_addr` to 
`RPMSG_ADDR_ANY` when receiving NS_DESTROY
   7. **Add readiness checks** - Verifies hub endpoint is ready before sending 
power management messages
   8. **Fix return value handling** - Corrects return value when receiving 
DESTROY command
   9. **Code readability improvement** - Renames `dst_ept` to `peer_ept` for 
better clarity
   
   These fixes have been validated in production environments and resolve 
critical stability issues in multi-core communication scenarios.
   
   ## Impact
   
   ### Stability
   - **High impact**: Fixes multiple critical bugs that could cause system 
crashes
   - Resolves race conditions that lead to use-after-free and double free errors
   - Prevents deadlock scenarios during endpoint destruction
   - Improves overall system reliability in multi-core configurations
   
   ### Compatibility
   - **No breaking changes**: External API and interfaces remain unchanged
   - All fixes are internal to the rpmsg_router driver
   - Existing applications will continue to work without modification
   
   ### Code Quality
   - **Improved**: Better code readability with consistent naming conventions
   - Enhanced error handling and state management
   - More robust endpoint lifecycle management
   
   ## Testing
   
   ### Test Environment
   - **Platform**: QEMU ARMv8A (qemu-armv8a:v8a_server and 
qemu-armv8a:v8a_proxy)
   - **Configuration**: Multi-core setup with rpmsg_router enabled
   - **Test Date**: January 21, 2026
   - **Test Scenarios**: Normal operation, endpoint creation/destruction, 
concurrent operations, power management
   
   ### Test Steps
   
   1. **Build the system**:
      ```bash
      cmake -B cmake_out/v8a_server -DBOARD_CONFIG=qemu-armv8a:v8a_server -GNinja
      cmake --build cmake_out/v8a_server
      
      cmake -B cmake_out/v8a_proxy -DBOARD_CONFIG=qemu-armv8a:v8a_proxy -GNinja
      cmake --build cmake_out/v8a_proxy
      ```
   
   2. **Run**:
   ```console
   ❯ qemu-system-aarch64 -cpu cortex-a53 -nographic \
   -machine virt,virtualization=on,gic-version=3 \
   -chardev stdio,id=con,mux=on -serial chardev:con \
   -object memory-backend-file,discard-data=on,id=shmmem-shmem0,mem-path=/dev/shm/my_shmem0,size=4194304,share=yes \
   -device ivshmem-plain,id=shmem0,memdev=shmmem-shmem0,addr=0xb \
   -device virtio-serial-device,bus=virtio-mmio-bus.0 \
   -chardev socket,path=/tmp/rpmsg_port_uart_socket,server=on,wait=off,id=foo \
   -device virtconsole,chardev=foo \
   -mon chardev=con,mode=readline -kernel ./nuttx/cmake_out/v8a_server/nuttx \
   -gdb tcp::7775
   [    0.000000] [ 0] [  INFO] [server] pci_register_rptun_ivshmem_driver: Register ivshmem driver, id=0, cpuname=proxy, master=1
   [    0.000000] [ 3] [  INFO] [server] pci_scan_bus: pci_scan_bus for bus 0
   [    0.000000] [ 3] [  INFO] [server] pci_scan_bus: class = 00000600, hdr_type = 00000000
   [    0.000000] [ 3] [  INFO] [server] pci_scan_bus: 00:00 [1b36:0008]
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar0 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar1 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar2 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar3 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar4 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar5 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_scan_bus: class = 00000200, hdr_type = 00000000
   [    0.000000] [ 3] [  INFO] [server] pci_scan_bus: 00:08 [1af4:1000]
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar0: mask64=fffffffe 32bytes
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar1: mask64=fffffff0 4096bytes
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar2 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar3 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar4: mask64=fffffffffffffff0 16384bytes
   [    0.000000] [ 3] [  INFO] [server] pci_scan_bus: class = 00000500, hdr_type = 00000000
   [    0.000000] [ 3] [  INFO] [server] pci_scan_bus: 00:58 [1af4:1110]
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar0: mask64=fffffff0 256bytes
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar1 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar2: mask64=fffffffffffffff0 4194304bytes
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar4 set bad mask
   [    0.000000] [ 3] [  INFO] [server] pci_setup_device: pbar5 set bad mask
   [    0.000000] [ 3] [  INFO] [server] ivshmem_probe: shmem addr=0x10400000 size=4194304 reg=0x10008000
   [    0.000000] [ 3] [  INFO] [server] rptun_ivshmem_probe: shmem addr=0x10400000 size=4194304
   
   NuttShell (NSH) NuttX-12.10.0
   server> 
   server> 
   server> [    0.000000] [ 0] [  INFO] [proxy] pci_register_rptun_ivshmem_driver: Register ivshmem driver, id=0, cpuname=server, master=0
   [    0.000000] [ 3] [  INFO] [proxy] pci_scan_bus: pci_scan_bus for bus 0
   [    0.000000] [ 3] [  INFO] [proxy] pci_scan_bus: class = 00000600, hdr_type = 00000000
   [    0.000000] [ 3] [  INFO] [proxy] pci_scan_bus: 00:00 [1b36:0008]
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar0 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar1 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar2 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar3 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar4 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar5 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_scan_bus: class = 00000200, hdr_type = 00000000
   [    0.000000] [ 3] [  INFO] [proxy] pci_scan_bus: 00:08 [1af4:1000]
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar0: mask64=fffffffe 32bytes
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar1: mask64=fffffff0 4096bytes
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar2 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar3 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar4: mask64=fffffffffffffff0 16384bytes
   [    0.000000] [ 3] [  INFO] [proxy] pci_scan_bus: class = 00000500, hdr_type = 00000000
   [    0.000000] [ 3] [  INFO] [proxy] pci_scan_bus: 00:58 [1af4:1110]
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar0: mask64=fffffff0 256bytes
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar1 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar2: mask64=fffffffffffffff0 4194304bytes
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar4 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] pci_setup_device: pbar5 set bad mask
   [    0.000000] [ 3] [  INFO] [proxy] ivshmem_probe: shmem addr=0x10400000 size=4194304 reg=0x10008000
   [    0.000000] [ 3] [  INFO] [proxy] rptun_ivshmem_probe: shmem addr=0x10400000 size=4194304
   [    0.000000] [ 3] [  INFO] [proxy] rptun_ivshmem_probe: Start the wdog
   
   server> 
   server> 
   server> ps
     TID   PID  PPID PRI POLICY   TYPE    NPX STATE    EVENT     SIGMASK            STACK    USED FILLED COMMAND
       0     0     0   0 FIFO     Kthread   - Ready              0000000000000000 0008160 0001792  21.9%  Idle_Task
       1     0     0 192 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0008096 0001344  16.6%  hpwork 0x40478c60 0x40478ce0
       2     0     0 100 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0008096 0001344  16.6%  lpwork 0x40478d10 0x40478d90
       5     0     0 224 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0008096 0002016  24.9%  rpmsg-uart-rx proxy2 0x404a4080
       6     0     0 224 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0008096 0001968  24.3%  rpmsg-uart-tx proxy2 0x404a4080
       7     7     0 100 FIFO     Task      - Running            0000000000000000 0008128 0004224  51.9%  nsh_main
       8     0     0 224 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0008096 0001824  22.5%  rpmsg-virtio proxy 0x40492ef8
   server> 
   server> 
   server> uname -a
   NuttX server 12.10.0 04a9df8e34f Jan 21 2026 21:05:59 arm64 qemu-armv8a
   server> rpmsg dump all
   [    0.000000] [ 7] [ EMERG] [server] Dump rpmsg info between cpu (master: yes)server <==> proxy:
   [    0.000000] [ 7] [ EMERG] [server] rpmsg vq RX:
   [    0.000000] [ 7] [ EMERG] [server] rpmsg vq TX:
   [    0.000000] [ 7] [ EMERG] [server]   rpmsg ept list:
   [    0.000000] [ 7] [ EMERG] [server]     ept NS
   [    0.000000] [ 7] [ EMERG] [server]     ept rpmsg-sensor
   [    0.000000] [ 7] [ EMERG] [server]     ept rpmsg-ping
   [    0.000000] [ 7] [ EMERG] [server]     ept rpmsg-syslog
   [    0.000000] [ 7] [ EMERG] [server]   rpmsg buffer list:
   [    0.000000] [ 7] [ EMERG] [server]     RX buffer, total 8, pending 0
   [    0.000000] [ 7] [ EMERG] [server]     TX buffer, total 8, pending 0
   [    0.000000] [ 7] [ EMERG] [server] Remote: proxy2 state: 1
   [    0.000000] [ 7] [ EMERG] [server] ept NS
   [    0.000000] [ 7] [ EMERG] [server] ept rpmsg-sensor
   [    0.000000] [ 7] [ EMERG] [server] ept rpmsg-ping
   [    0.000000] [ 7] [ EMERG] [server] rpmsg_port queue RX: {used: 0, avail: 8}
   [    0.000000] [ 7] [ EMERG] [server] rpmsg buffer list:
   [    0.000000] [ 7] [ EMERG] [server] rpmsg_port queue TX: {used: 0, avail: 8}
   [    0.000000] [ 7] [ EMERG] [server] rpmsg buffer list:
   server> rpmsg ping all 1 1 1 1
   [    0.000000] [ 7] [ EMERG] [server] ping times: 1
   [    0.000000] [ 7] [ EMERG] [server] buffer_len: 1520, send_len: 17
   [    0.000000] [ 7] [ EMERG] [server] avg: 0 s, 17090352 ns
   [    0.000000] [ 7] [ EMERG] [server] min: 0 s, 17090352 ns
   [    0.000000] [ 7] [ EMERG] [server] max: 0 s, 17090352 ns
   [    0.000000] [ 7] [ EMERG] [server] rate: 0.007957 Mbits/sec
   [    0.000000] [ 7] [ EMERG] [server] ping times: 1
   [    0.000000] [ 7] [ EMERG] [server] buffer_len: 2024, send_len: 17
   [    0.000000] [ 7] [ EMERG] [server] avg: 0 s, 7277024 ns
   [    0.000000] [ 7] [ EMERG] [server] min: 0 s, 7277024 ns
   [    0.000000] [ 7] [ EMERG] [server] max: 0 s, 7277024 ns
   [    0.000000] [ 7] [ EMERG] [server] rate: 0.018688 Mbits/sec
   server>
   ```

