* Nokia N900: refcount_t underflow, use after free
@ 2018-03-08 14:30 ` Pavel Machek
  0 siblings, 0 replies; 26+ messages in thread
From: Pavel Machek @ 2018-03-08 14:30 UTC (permalink / raw)
  To: pali.rohar, sre, kernel list, linux-arm-kernel, linux-omap, tony,
	khilman, aaro.koskinen, ivo.g.dimitrov.75, patrikbachan, serge,
	abcloriens, clayton, martijn, sakari.ailus, Filip Matijević

Hi!

I'm getting this warning... Has anyone seen/debugged that before?
Unfortunately the backtrace does not seem to be too useful :-(.

	      	  	    	     	     	    	   Pavel

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.16.0-rc3-next-20180302 (pavel@duo) (gcc version 4.7.2 (GCC)) #70 Fri Mar 2 10:16:00 CET 2018
[    0.000000] CPU: ARMv7 Processor [411fc083] revision 3 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT nonaliasing instruction cac
...
[    1.244140] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2 not found, using dummy regulator
[    1.254089] omap3isp 480bc000.isp: Revision 2.0 found
[    1.260009] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
[    1.266693] ------------[ cut here ]------------
[    1.271606] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test+0x94/0xa8
[    1.280181] refcount_t: underflow; use-after-free.
[    1.285247] Modules linked in:
[    1.288482] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc3-next-20180302 #70
[    1.296295] Hardware name: Nokia RX-51 board
[    1.300811] [<c010d6cc>] (unwind_backtrace) from [<c010b560>] (show_stack+0x10/0x14)
[    1.309020] [<c010b560>] (show_stack) from [<c0127dec>] (__warn+0xe8/0x110)
[    1.316375] [<c0127dec>] (__warn) from [<c0127edc>] (warn_slowpath_fmt+0x38/0x48)
[    1.324310] [<c0127edc>] (warn_slowpath_fmt) from [<c034e630>] (refcount_sub_and_test+0x94/0xa8)
[    1.333557] [<c034e630>] (refcount_sub_and_test) from [<c01109a8>] (arm_iommu_release_mapping+0x18/0x2c)
[    1.343597] [<c01109a8>] (arm_iommu_release_mapping) from [<c041752c>] (driver_probe_device+0x24c/0x314)
[    1.353637] [<c041752c>] (driver_probe_device) from [<c04176a0>] (__driver_attach+0xac/0xb0)
[    1.362548] [<c04176a0>] (__driver_attach) from [<c0415b94>] (bus_for_each_dev+0x58/0x7c)
[    1.371185] [<c0415b94>] (bus_for_each_dev) from [<c0416a14>] (bus_add_driver+0xe0/0x1f0)
[    1.379852] [<c0416a14>] (bus_add_driver) from [<c0417f10>] (driver_register+0x78/0xf4)
[    1.388305] [<c0417f10>] (driver_register) from [<c010257c>] (do_one_initcall+0x3c/0x16c)
[    1.396972] [<c010257c>] (do_one_initcall) from [<c0b00d5c>] (kernel_init_freeable+0xf8/0x1c4)
[    1.406066] [<c0b00d5c>] (kernel_init_freeable) from [<c071640c>] (kernel_init+0x8/0x108)
[    1.414703] [<c071640c>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
[    1.422698] Exception stack(0xce049fb0 to 0xce049ff8)
[    1.428039] 9fa0:                                     00000000 00000000 00000000 00000000
[    1.436676] 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    1.445312] 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[    1.452270] ---[ end trace dcb3a72772bbfe7a ]---
[    1.459045] ti-soc-thermal 48002524.bandgap: This OMAP thermal sensor is unreliable. You've been warned
[    1.469055] ti-soc-thermal 48002524.bandgap: Non-trimmed BGAP, Temp not accurate
[    1.476898] ti-soc-thermal 48002524.bandgap: thermal zone device is NULL
[    1.485198] omap_wdt: OMAP Watchdog Timer Rev 0x31: initial timeout 60 sec
[    1.495208] omap_hsmmc 4809c000.mmc: GPIO lookup for consumer cd

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-08 14:30 ` Pavel Machek
@ 2018-03-08 16:59   ` Tony Lindgren
  -1 siblings, 0 replies; 26+ messages in thread
From: Tony Lindgren @ 2018-03-08 16:59 UTC (permalink / raw)
  To: Pavel Machek
  Cc: pali.rohar, sre, kernel list, linux-arm-kernel, linux-omap,
	khilman, aaro.koskinen, ivo.g.dimitrov.75, patrikbachan, serge,
	abcloriens, clayton, martijn, sakari.ailus, Filip Matijević,
	Suman Anna

* Pavel Machek <pavel@ucw.cz> [180308 14:31]:
> Hi!
> 
> I'm getting this warning... Has anyone seen/debugged that before?
> Unfortunately the backtrace does not seem to be too useful :-(.

Adding Suman to Cc, as it points to arm_iommu_release_mapping().

Regards,

Tony

> [    0.000000] Booting Linux on physical CPU 0x0
> [    0.000000] Linux version 4.16.0-rc3-next-20180302 (pavel@duo) (gcc version 4.7.2 (GCC)) #70 Fri Mar 2 10:16:00 CET 2018
> [    0.000000] CPU: ARMv7 Processor [411fc083] revision 3 (ARMv7), cr=10c5387d
> [    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT nonaliasing instruction cac
> ...
> [    1.244140] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2 not found, using dummy regulator
> [    1.254089] omap3isp 480bc000.isp: Revision 2.0 found
> [    1.260009] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
> [    1.266693] ------------[ cut here ]------------
> [    1.271606] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test+0x94/0xa8
> [    1.280181] refcount_t: underflow; use-after-free.
> [    1.285247] Modules linked in:
> [    1.288482] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc3-next-20180302 #70
> [    1.296295] Hardware name: Nokia RX-51 board
> [    1.300811] [<c010d6cc>] (unwind_backtrace) from [<c010b560>] (show_stack+0x10/0x14)
> [    1.309020] [<c010b560>] (show_stack) from [<c0127dec>] (__warn+0xe8/0x110)
> [    1.316375] [<c0127dec>] (__warn) from [<c0127edc>] (warn_slowpath_fmt+0x38/0x48)
> [    1.324310] [<c0127edc>] (warn_slowpath_fmt) from [<c034e630>] (refcount_sub_and_test+0x94/0xa8)
> [    1.333557] [<c034e630>] (refcount_sub_and_test) from [<c01109a8>] (arm_iommu_release_mapping+0x18/0x2c)
> [    1.343597] [<c01109a8>] (arm_iommu_release_mapping) from [<c041752c>] (driver_probe_device+0x24c/0x314)
> [    1.353637] [<c041752c>] (driver_probe_device) from [<c04176a0>] (__driver_attach+0xac/0xb0)
> [    1.362548] [<c04176a0>] (__driver_attach) from [<c0415b94>] (bus_for_each_dev+0x58/0x7c)
> [    1.371185] [<c0415b94>] (bus_for_each_dev) from [<c0416a14>] (bus_add_driver+0xe0/0x1f0)
> [    1.379852] [<c0416a14>] (bus_add_driver) from [<c0417f10>] (driver_register+0x78/0xf4)
> [    1.388305] [<c0417f10>] (driver_register) from [<c010257c>] (do_one_initcall+0x3c/0x16c)
> [    1.396972] [<c010257c>] (do_one_initcall) from [<c0b00d5c>] (kernel_init_freeable+0xf8/0x1c4)
> [    1.406066] [<c0b00d5c>] (kernel_init_freeable) from [<c071640c>] (kernel_init+0x8/0x108)
> [    1.414703] [<c071640c>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
> [    1.422698] Exception stack(0xce049fb0 to 0xce049ff8)
> [    1.428039] 9fa0:                                     00000000 00000000 00000000 00000000
> [    1.436676] 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [    1.445312] 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> [    1.452270] ---[ end trace dcb3a72772bbfe7a ]---
> [    1.459045] ti-soc-thermal 48002524.bandgap: This OMAP thermal sensor is unreliable. You've been warned
> [    1.469055] ti-soc-thermal 48002524.bandgap: Non-trimmed BGAP, Temp not accurate
> [    1.476898] ti-soc-thermal 48002524.bandgap: thermal zone device is NULL
> [    1.485198] omap_wdt: OMAP Watchdog Timer Rev 0x31: initial timeout 60 sec
> [    1.495208] omap_hsmmc 4809c000.mmc: GPIO lookup for consumer cd
> 
> -- 
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-08 16:59   ` Tony Lindgren
@ 2018-03-08 18:21     ` Suman Anna
  -1 siblings, 0 replies; 26+ messages in thread
From: Suman Anna @ 2018-03-08 18:21 UTC (permalink / raw)
  To: Tony Lindgren, Pavel Machek
  Cc: pali.rohar, sre, kernel list, linux-arm-kernel, linux-omap,
	khilman, aaro.koskinen, ivo.g.dimitrov.75, patrikbachan, serge,
	abcloriens, clayton, martijn, sakari.ailus, Filip Matijević

Hi Pavel,

On 03/08/2018 10:59 AM, Tony Lindgren wrote:
> * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
>> Hi!
>>
>> I'm getting this warning... Has anyone seen/debugged that before?
>> Unfortunately the backtrace does not seem to be too useful :-(.
> 
> Adding Suman to Cc, as it points to arm_iommu_release_mapping().

Hmm, we need to find out if the failure paths in isp_probe() are
mismatched, or if this is coming from some mismatch between the OMAP
IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this
driver haven't changed in some time. Do you see this on the mainline
branch or just the next branch? Also, can you check where you are failing
in isp_probe() and whether the warning is seen before or after the
function returns? I don't have any OMAP3 board or any ISP-enabled device
to check this behavior.

regards
Suman

> 
> Regards,
> 
> Tony
> 
>> [    0.000000] Booting Linux on physical CPU 0x0
>> [    0.000000] Linux version 4.16.0-rc3-next-20180302 (pavel@duo) (gcc version 4.7.2 (GCC)) #70 Fri Mar 2 10:16:00 CET 2018
>> [    0.000000] CPU: ARMv7 Processor [411fc083] revision 3 (ARMv7), cr=10c5387d
>> [    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT nonaliasing instruction cac
>> ...
>> [    1.244140] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2 not found, using dummy regulator
>> [    1.254089] omap3isp 480bc000.isp: Revision 2.0 found
>> [    1.260009] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
>> [    1.266693] ------------[ cut here ]------------
>> [    1.271606] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test+0x94/0xa8
>> [    1.280181] refcount_t: underflow; use-after-free.
>> [    1.285247] Modules linked in:
>> [    1.288482] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc3-next-20180302 #70
>> [    1.296295] Hardware name: Nokia RX-51 board
>> [    1.300811] [<c010d6cc>] (unwind_backtrace) from [<c010b560>] (show_stack+0x10/0x14)
>> [    1.309020] [<c010b560>] (show_stack) from [<c0127dec>] (__warn+0xe8/0x110)
>> [    1.316375] [<c0127dec>] (__warn) from [<c0127edc>] (warn_slowpath_fmt+0x38/0x48)
>> [    1.324310] [<c0127edc>] (warn_slowpath_fmt) from [<c034e630>] (refcount_sub_and_test+0x94/0xa8)
>> [    1.333557] [<c034e630>] (refcount_sub_and_test) from [<c01109a8>] (arm_iommu_release_mapping+0x18/0x2c)
>> [    1.343597] [<c01109a8>] (arm_iommu_release_mapping) from [<c041752c>] (driver_probe_device+0x24c/0x314)
>> [    1.353637] [<c041752c>] (driver_probe_device) from [<c04176a0>] (__driver_attach+0xac/0xb0)
>> [    1.362548] [<c04176a0>] (__driver_attach) from [<c0415b94>] (bus_for_each_dev+0x58/0x7c)
>> [    1.371185] [<c0415b94>] (bus_for_each_dev) from [<c0416a14>] (bus_add_driver+0xe0/0x1f0)
>> [    1.379852] [<c0416a14>] (bus_add_driver) from [<c0417f10>] (driver_register+0x78/0xf4)
>> [    1.388305] [<c0417f10>] (driver_register) from [<c010257c>] (do_one_initcall+0x3c/0x16c)
>> [    1.396972] [<c010257c>] (do_one_initcall) from [<c0b00d5c>] (kernel_init_freeable+0xf8/0x1c4)
>> [    1.406066] [<c0b00d5c>] (kernel_init_freeable) from [<c071640c>] (kernel_init+0x8/0x108)
>> [    1.414703] [<c071640c>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
>> [    1.422698] Exception stack(0xce049fb0 to 0xce049ff8)
>> [    1.428039] 9fa0:                                     00000000 00000000 00000000 00000000
>> [    1.436676] 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
>> [    1.445312] 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
>> [    1.452270] ---[ end trace dcb3a72772bbfe7a ]---
>> [    1.459045] ti-soc-thermal 48002524.bandgap: This OMAP thermal sensor is unreliable. You've been warned
>> [    1.469055] ti-soc-thermal 48002524.bandgap: Non-trimmed BGAP, Temp not accurate
>> [    1.476898] ti-soc-thermal 48002524.bandgap: thermal zone device is NULL
>> [    1.485198] omap_wdt: OMAP Watchdog Timer Rev 0x31: initial timeout 60 sec
>> [    1.495208] omap_hsmmc 4809c000.mmc: GPIO lookup for consumer cd
>>
>> -- 
>> (english) http://www.livejournal.com/~pavelmachek
>> (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
> 
> 

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-08 18:21     ` Suman Anna
@ 2018-03-08 18:50       ` Pavel Machek
  -1 siblings, 0 replies; 26+ messages in thread
From: Pavel Machek @ 2018-03-08 18:50 UTC (permalink / raw)
  To: Suman Anna
  Cc: Tony Lindgren, pali.rohar, sre, kernel list, linux-arm-kernel,
	linux-omap, khilman, aaro.koskinen, ivo.g.dimitrov.75,
	patrikbachan, serge, abcloriens, clayton, martijn, sakari.ailus,
	Filip Matijević

Hi!

> > * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
> >> Hi!
> >>
> >> I'm getting this warning... Has anyone seen/debugged that before?
> >> Unfortunately the backtrace does not seem to be too useful :-(.
> > 
> > Adding Suman to Cc, as it points to arm_iommu_release_mapping().
> 
> Hmm, we need to find out if the failure paths in isp_probe() are
> mismatched, or if this is coming from some mismatch between the OMAP
> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this

Well, camera only started to work on N900 pretty recently. Let me add
some debug printks...

Camera does not work in 4.16.0-rc4-next-20180308-dirty.

I see this. It looks like a problem in the isp error paths, indeed:

[    1.672210] bus: 'platform': driver_probe_device: matched device 480bc000.isp with driver omap3isp
[    1.681976] isp_probe: 1
[    1.684906] isp_probe: 2
[    1.687591] isp_probe: 3
[    1.690338] isp_probe: 4
[    1.693054] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy1 not found, using dummy regulator
[    1.702728] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2 not found, using dummy regulator
[    1.712402] isp_probe: 5
[    1.715393] omap3isp 480bc000.isp: Revision 2.0 found
[    1.720794] isp_probe: 6
[    1.723815] isp_probe: 7
[    1.726715] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
[    1.732849] isp_probe: 8
[    1.735656] isp_probe: 9
[    1.738403] isp_probe: 10
[    1.741241] isp_probe: f3
[    1.744018] iommu_release_mapping... ce4d9500 ce4d949c
[    1.749450] iommu_release_mapping... ok
[    1.753479] isp_probe: f4
[    1.756286] clk_unregister: unregistering prepared clock: cam_xclka
[    1.762878] clk_unregister: unregistering prepared clock: cam_xclkb
[    1.769500] isp_probe: f5
[    1.772430] iommu_release_mapping... ce4d9500 ce4d949c
[    1.777862] ------------[ cut here ]------------
[    1.782745] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test+0x94/0xa8
[    1.791290] refcount_t: underflow; use-after-free.
[    1.796356] Modules linked in:
[    1.799591] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc4-next-20180308-dirty #73
[    1.807922] Hardware name: Nokia RX-51 board
[    1.812469] [<c010d6cc>] (unwind_backtrace) from [<c010b568>] (show_stack+0x10/0x14)
[    1.820648] [<c010b568>] (show_stack) from [<c0127df4>] (__warn+0xe8/0x110)
...
[    1.968688] iommu_release_mapping... ok
[    1.973754] bus: 'platform': driver_probe_device: matched device n900-battery with driver rx51-battery
[    1.984436] bus: 'platform': driver_probe_device: matched device 48002524.bandgap with driver ti-soc-thermal

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index 8c398fe..16f4c69 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -2251,8 +2251,11 @@ static int extend_iommu_mapping(struct dma_iommu_mapping *mapping)
 
 void arm_iommu_release_mapping(struct dma_iommu_mapping *mapping)
 {
+	printk("iommu_release_mapping... %lx %lx\n", mapping, mapping->domain);
 	if (mapping)
 		kref_put(&mapping->kref, release_iommu_mapping);
+	printk("iommu_release_mapping... ok\n");
+	
 }
 EXPORT_SYMBOL_GPL(arm_iommu_release_mapping);
 
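Review bot: the first added printk() in arm_iommu_release_mapping() reads mapping->domain before the existing "if (mapping)" check, so a NULL mapping now faults in the debug line instead of being skipped. Move the print inside the check. The format also passes two pointers to "%lx"; a pointer specifier such as "%p" matches the argument types.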
diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
index 8eb000e..4d58683 100644
--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -2193,12 +2193,14 @@ static int isp_probe(struct platform_device *pdev)
 	int ret;
 	int i, m;
 
+	printk("isp_probe: 1\n");
 	isp = devm_kzalloc(&pdev->dev, sizeof(*isp), GFP_KERNEL);
 	if (!isp) {
 		dev_err(&pdev->dev, "could not allocate memory\n");
 		return -ENOMEM;
 	}
 
+		printk("isp_probe: 2\n");
 	ret = fwnode_property_read_u32(of_fwnode_handle(pdev->dev.of_node),
 				       "ti,phy-type", &isp->phy_type);
 	if (ret)
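Review bot: both printk() calls added at the top of isp_probe() have no log level and are not tied to the device, so their visibility depends on the default console level and they cannot be told apart per device. dev_dbg(&pdev->dev, ...) would fit here, since pdev is already in scope. The second call is also indented one tab deeper than the code around it.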
@@ -2219,6 +2221,8 @@ static int isp_probe(struct platform_device *pdev)
 	mutex_init(&isp->isp_mutex);
 	spin_lock_init(&isp->stat_lock);
 
+			printk("isp_probe: 3\n");
+
 	ret = v4l2_async_notifier_parse_fwnode_endpoints(
 		&pdev->dev, &isp->notifier, sizeof(struct isp_async_subdev),
 		isp_fwnode_parse);
@@ -2232,6 +2236,7 @@ static int isp_probe(struct platform_device *pdev)
 	if (ret)
 		goto error;
 
+				printk("isp_probe: 4\n");
 	platform_set_drvdata(pdev, isp);
 
 	/* Regulators */
@@ -2258,6 +2263,7 @@ static int isp_probe(struct platform_device *pdev)
 			return PTR_ERR(isp->mmio_base[map_idx]);
 	}
 
+	printk("isp_probe: 5\n");
 	ret = isp_get_clocks(isp);
 	if (ret < 0)
 		goto error;
@@ -2277,6 +2283,7 @@ static int isp_probe(struct platform_device *pdev)
 		goto error;
 	}
 
+		printk("isp_probe: 6\n");
 	ret = isp_reset(isp);
 	if (ret < 0)
 		goto error_isp;
@@ -2306,6 +2313,7 @@ static int isp_probe(struct platform_device *pdev)
 			isp->mmio_base[OMAP3_ISP_IOMEM_CSI2A_REGS1]
 			+ isp_res_maps[m].offset[i];
 
+		printk("isp_probe: 7\n");
 	isp->mmio_hist_base_phys =
 		mem->start + isp_res_maps[m].offset[OMAP3_ISP_IOMEM_HIST];
 
@@ -2316,6 +2324,8 @@ static int isp_probe(struct platform_device *pdev)
 		goto error_isp;
 	}
 
+		printk("isp_probe: 8\n");
+
 	/* Interrupt */
 	ret = platform_get_irq(pdev, 0);
 	if (ret <= 0) {
@@ -2325,6 +2335,7 @@ static int isp_probe(struct platform_device *pdev)
 	}
 	isp->irq_num = ret;
 
+			printk("isp_probe: 9\n");
 	if (devm_request_irq(isp->dev, isp->irq_num, isp_isr, IRQF_SHARED,
 			     "OMAP3 ISP", isp)) {
 		dev_err(isp->dev, "Unable to request IRQ\n");
@@ -2332,6 +2343,7 @@ static int isp_probe(struct platform_device *pdev)
 		goto error_iommu;
 	}
 
+				printk("isp_probe: 10\n");
 	/* Entities */
 	ret = isp_initialize_modules(isp);
 	if (ret < 0)
@@ -2345,27 +2357,35 @@ static int isp_probe(struct platform_device *pdev)
 	if (ret < 0)
 		goto error_register_entities;
 
+					printk("isp_probe: 11\n");
 	isp->notifier.ops = &isp_subdev_notifier_ops;
 
 	ret = v4l2_async_notifier_register(&isp->v4l2_dev, &isp->notifier);
 	if (ret)
 		goto error_register_entities;
 
+					printk("isp_probe: 12\n");	
 	isp_core_init(isp, 1);
+					printk("isp_probe: 13\n");		
 	omap3isp_put(isp);
 
 	return 0;
 
 error_register_entities:
+					printk("isp_probe: f1\n");		
 	isp_unregister_entities(isp);
 error_modules:
+						printk("isp_probe: f2\n");		
 	isp_cleanup_modules(isp);
 error_iommu:
+							printk("isp_probe: f3\n");		
 	isp_detach_iommu(isp);
 error_isp:
+							printk("isp_probe: f4\n");		
 	isp_xclk_cleanup(isp);
 	__omap3isp_put(isp, false);
 error:
+						printk("isp_probe: f5\n");			
 	v4l2_async_notifier_cleanup(&isp->notifier);
 	mutex_destroy(&isp->isp_mutex);
 
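Review bot: the f1 to f5 markers under the error labels print a fixed string only, so the log shows which label was entered but not which error code led there. `ret` holds the failing call's return value at the gotos shown in this hunk, so include it, for example `dev_err(&pdev->dev, "isp_probe: error_iommu, ret=%d\n", ret);`. The added lines are also indented five to seven tabs under labels whose cleanup calls sit at one tab, and each ends in trailing tabs; align them with the cleanup calls and drop the trailing whitespace.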


-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


* Nokia N900: refcount_t underflow, use after free
@ 2018-03-08 18:50       ` Pavel Machek
  0 siblings, 0 replies; 26+ messages in thread
From: Pavel Machek @ 2018-03-08 18:50 UTC (permalink / raw)
  To: linux-arm-kernel

Hi!

> > * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
> >> Hi!
> >>
> >> I'm getting this warning... Has anyone seen/debugged that before?
> >> Unfortunately the backtrace does not seem to be too useful :-(.
> > 
> > Adding Suman to Cc, as it points to arm_iommu_release_mapping().
> 
> Hmm, we need to find out if the failure paths in isp_probe() are
> mismatched, or if this is coming from some mismatch between the OMAP
> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this

Well, camera only started to work on N900 pretty recently. Let me add
some debug printks...

Camera does not work in 4.16.0-rc4-next-20180308-dirty.

I see this. It looks like problem in isp error paths, indeed:

[    1.672210] bus: 'platform': driver_probe_device: matched device 480bc000.isp with driver omap3isp
[    1.681976] isp_probe: 1
[    1.684906] isp_probe: 2
[    1.687591] isp_probe: 3
[    1.690338] isp_probe: 4
[    1.693054] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy1 not found, using dummy regulator
[    1.702728] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2 not found, using dummy regulator
[    1.712402] isp_probe: 5
[    1.715393] omap3isp 480bc000.isp: Revision 2.0 found
[    1.720794] isp_probe: 6
[    1.723815] isp_probe: 7
[    1.726715] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
[    1.732849] isp_probe: 8
[    1.735656] isp_probe: 9
[    1.738403] isp_probe: 10
[    1.741241] isp_probe: f3
[    1.744018] iommu_release_mapping... ce4d9500 ce4d949c
[    1.749450] iommu_release_mapping... ok
[    1.753479] isp_probe: f4
[    1.756286] clk_unregister: unregistering prepared clock: cam_xclka
[    1.762878] clk_unregister: unregistering prepared clock: cam_xclkb
[    1.769500] isp_probe: f5
[    1.772430] iommu_release_mapping... ce4d9500 ce4d949c
[    1.777862] ------------[ cut here ]------------
[    1.782745] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test+0x94/0xa8
[    1.791290] refcount_t: underflow; use-after-free.
[    1.796356] Modules linked in:
[    1.799591] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc4-next-20180308-dirty #73
[    1.807922] Hardware name: Nokia RX-51 board
[    1.812469] [<c010d6cc>] (unwind_backtrace) from [<c010b568>] (show_stack+0x10/0x14)
[    1.820648] [<c010b568>] (show_stack) from [<c0127df4>] (__warn+0xe8/0x110)
...
[    1.968688] iommu_release_mapping... ok
[    1.973754] bus: 'platform': driver_probe_device: matched device n900-battery with driver rx51-battery
[    1.984436] bus: 'platform': driver_probe_device: matched device 48002524.bandgap with driver ti-soc-thermal

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index 8c398fe..16f4c69 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -2251,8 +2251,11 @@ static int extend_iommu_mapping(struct dma_iommu_mapping *mapping)
 
 void arm_iommu_release_mapping(struct dma_iommu_mapping *mapping)
 {
+	printk("iommu_release_mapping... %lx %lx\n", mapping, mapping->domain);
 	if (mapping)
 		kref_put(&mapping->kref, release_iommu_mapping);
+	printk("iommu_release_mapping... ok\n");
+	
 }
 EXPORT_SYMBOL_GPL(arm_iommu_release_mapping);
 
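Review bot: the first added printk in arm_iommu_release_mapping() reads `mapping->domain` before the existing `if (mapping)` check, so a NULL mapping, which the function otherwise tolerates, now oopses here. Move the printk inside the check. It also passes two pointers to `%lx`; use `%p`, or `%px` if the unhashed address is really needed while debugging, keeping in mind that raw kernel addresses then land in dmesg. The trailing "ok" printk fires even when mapping is NULL and nothing was released, and the hunk leaves a whitespace-only `+` line before the closing brace.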
diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
index 8eb000e..4d58683 100644
--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -2193,12 +2193,14 @@ static int isp_probe(struct platform_device *pdev)
 	int ret;
 	int i, m;
 
+	printk("isp_probe: 1\n");
 	isp = devm_kzalloc(&pdev->dev, sizeof(*isp), GFP_KERNEL);
 	if (!isp) {
 		dev_err(&pdev->dev, "could not allocate memory\n");
 		return -ENOMEM;
 	}
 
+		printk("isp_probe: 2\n");
 	ret = fwnode_property_read_u32(of_fwnode_handle(pdev->dev.of_node),
 				       "ti,phy-type", &isp->phy_type);
 	if (ret)
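Review bot: both printk() calls added here carry no log level and no device prefix, so they are emitted at the default level and cannot be attributed to a device. `&pdev->dev` is in scope from the first line of isp_probe(), so `dev_dbg(&pdev->dev, "probe step 1\n");` (or dev_info() if it has to show without DEBUG) fits better. Marker 2 is also indented two tabs where the surrounding code uses one.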
@@ -2219,6 +2221,8 @@ static int isp_probe(struct platform_device *pdev)
 	mutex_init(&isp->isp_mutex);
 	spin_lock_init(&isp->stat_lock);
 
+			printk("isp_probe: 3\n");
+
 	ret = v4l2_async_notifier_parse_fwnode_endpoints(
 		&pdev->dev, &isp->notifier, sizeof(struct isp_async_subdev),
 		isp_fwnode_parse);
@@ -2232,6 +2236,7 @@ static int isp_probe(struct platform_device *pdev)
 	if (ret)
 		goto error;
 
+				printk("isp_probe: 4\n");
 	platform_set_drvdata(pdev, isp);
 
 	/* Regulators */
@@ -2258,6 +2263,7 @@ static int isp_probe(struct platform_device *pdev)
 			return PTR_ERR(isp->mmio_base[map_idx]);
 	}
 
+	printk("isp_probe: 5\n");
 	ret = isp_get_clocks(isp);
 	if (ret < 0)
 		goto error;
@@ -2277,6 +2283,7 @@ static int isp_probe(struct platform_device *pdev)
 		goto error;
 	}
 
+		printk("isp_probe: 6\n");
 	ret = isp_reset(isp);
 	if (ret < 0)
 		goto error_isp;
@@ -2306,6 +2313,7 @@ static int isp_probe(struct platform_device *pdev)
 			isp->mmio_base[OMAP3_ISP_IOMEM_CSI2A_REGS1]
 			+ isp_res_maps[m].offset[i];
 
+		printk("isp_probe: 7\n");
 	isp->mmio_hist_base_phys =
 		mem->start + isp_res_maps[m].offset[OMAP3_ISP_IOMEM_HIST];
 
@@ -2316,6 +2324,8 @@ static int isp_probe(struct platform_device *pdev)
 		goto error_isp;
 	}
 
+		printk("isp_probe: 8\n");
+
 	/* Interrupt */
 	ret = platform_get_irq(pdev, 0);
 	if (ret <= 0) {
@@ -2325,6 +2335,7 @@ static int isp_probe(struct platform_device *pdev)
 	}
 	isp->irq_num = ret;
 
+			printk("isp_probe: 9\n");
 	if (devm_request_irq(isp->dev, isp->irq_num, isp_isr, IRQF_SHARED,
 			     "OMAP3 ISP", isp)) {
 		dev_err(isp->dev, "Unable to request IRQ\n");
@@ -2332,6 +2343,7 @@ static int isp_probe(struct platform_device *pdev)
 		goto error_iommu;
 	}
 
+				printk("isp_probe: 10\n");
 	/* Entities */
 	ret = isp_initialize_modules(isp);
 	if (ret < 0)
@@ -2345,27 +2357,35 @@ static int isp_probe(struct platform_device *pdev)
 	if (ret < 0)
 		goto error_register_entities;
 
+					printk("isp_probe: 11\n");
 	isp->notifier.ops = &isp_subdev_notifier_ops;
 
 	ret = v4l2_async_notifier_register(&isp->v4l2_dev, &isp->notifier);
 	if (ret)
 		goto error_register_entities;
 
+					printk("isp_probe: 12\n");	
 	isp_core_init(isp, 1);
+					printk("isp_probe: 13\n");		
 	omap3isp_put(isp);
 
 	return 0;
 
 error_register_entities:
+					printk("isp_probe: f1\n");		
 	isp_unregister_entities(isp);
 error_modules:
+						printk("isp_probe: f2\n");		
 	isp_cleanup_modules(isp);
 error_iommu:
+							printk("isp_probe: f3\n");		
 	isp_detach_iommu(isp);
 error_isp:
+							printk("isp_probe: f4\n");		
 	isp_xclk_cleanup(isp);
 	__omap3isp_put(isp, false);
 error:
+						printk("isp_probe: f5\n");			
 	v4l2_async_notifier_cleanup(&isp->notifier);
 	mutex_destroy(&isp->isp_mutex);
 


-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-08 18:50       ` Pavel Machek
@ 2018-03-09 12:08         ` Robin Murphy
  -1 siblings, 0 replies; 26+ messages in thread
From: Robin Murphy @ 2018-03-09 12:08 UTC (permalink / raw)
  To: Pavel Machek, Suman Anna
  Cc: ivo.g.dimitrov.75, khilman, Tony Lindgren, aaro.koskinen,
	kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge

On 08/03/18 18:50, Pavel Machek wrote:
> Hi!
> 
>>> * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
>>>> Hi!
>>>>
>>>> I'm getting this warning... Has anyone seen/debugged that before?
>>>> Unfortunately the backtrace does not seem to be too useful :-(.
>>>
>>> Adding Suman to Cc, as it points to arm_iommu_release_mapping().
>>
>> Hmm, we need to find out if the failure paths in isp_probe() are
>> mismatched, or if this is coming from some mismatch between the OMAP
>> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this
> 
> Well, camera only started to work on N900 pretty recently. Let me add
> some debug printks...
> 
> Camera does not work in 4.16.0-rc4-next-20180308-dirty.
> 
> I see this. It looks like problem in isp error paths, indeed:

Well, there certainly seems to be an obvious bug wherein 
isp_detach_iommu() just releases the mapping directly without calling 
arm_iommu_detach_device() to balance the equivalent attach. That can't 
be helping.

Robin.

> 
> [    1.672210] bus: 'platform': driver_probe_device: matched device 480bc000.isp with driver omap3isp
> [    1.681976] isp_probe: 1
> [    1.684906] isp_probe: 2
> [    1.687591] isp_probe: 3
> [    1.690338] isp_probe: 4
> [    1.693054] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy1 not found, using dummy regulator
> [    1.702728] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2 not found, using dummy regulator
> [    1.712402] isp_probe: 5
> [    1.715393] omap3isp 480bc000.isp: Revision 2.0 found
> [    1.720794] isp_probe: 6
> [    1.723815] isp_probe: 7
> [    1.726715] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
> [    1.732849] isp_probe: 8
> [    1.735656] isp_probe: 9
> [    1.738403] isp_probe: 10
> [    1.741241] isp_probe: f3
> [    1.744018] iommu_release_mapping... ce4d9500 ce4d949c
> [    1.749450] iommu_release_mapping... ok
> [    1.753479] isp_probe: f4
> [    1.756286] clk_unregister: unregistering prepared clock: cam_xclka
> [    1.762878] clk_unregister: unregistering prepared clock: cam_xclkb
> [    1.769500] isp_probe: f5
> [    1.772430] iommu_release_mapping... ce4d9500 ce4d949c
> [    1.777862] ------------[ cut here ]------------
> [    1.782745] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test+0x94/0xa8
> [    1.791290] refcount_t: underflow; use-after-free.
> [    1.796356] Modules linked in:
> [    1.799591] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc4-next-20180308-dirty #73
> [    1.807922] Hardware name: Nokia RX-51 board
> [    1.812469] [<c010d6cc>] (unwind_backtrace) from [<c010b568>] (show_stack+0x10/0x14)
> [    1.820648] [<c010b568>] (show_stack) from [<c0127df4>] (__warn+0xe8/0x110)
> ...
> [    1.968688] iommu_release_mapping... ok
> [    1.973754] bus: 'platform': driver_probe_device: matched device n900-battery with driver rx51-battery
> [    1.984436] bus: 'platform': driver_probe_device: matched device 48002524.bandgap with driver ti-soc-thermal
> 
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index 8c398fe..16f4c69 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -2251,8 +2251,11 @@ static int extend_iommu_mapping(struct dma_iommu_mapping *mapping)
>   
>   void arm_iommu_release_mapping(struct dma_iommu_mapping *mapping)
>   {
> +	printk("iommu_release_mapping... %lx %lx\n", mapping, mapping->domain);
>   	if (mapping)
>   		kref_put(&mapping->kref, release_iommu_mapping);
> +	printk("iommu_release_mapping... ok\n");
> +	
>   }
>   EXPORT_SYMBOL_GPL(arm_iommu_release_mapping);
>   
> diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
> index 8eb000e..4d58683 100644
> --- a/drivers/media/platform/omap3isp/isp.c
> +++ b/drivers/media/platform/omap3isp/isp.c
> @@ -2193,12 +2193,14 @@ static int isp_probe(struct platform_device *pdev)
>   	int ret;
>   	int i, m;
>   
> +	printk("isp_probe: 1\n");
>   	isp = devm_kzalloc(&pdev->dev, sizeof(*isp), GFP_KERNEL);
>   	if (!isp) {
>   		dev_err(&pdev->dev, "could not allocate memory\n");
>   		return -ENOMEM;
>   	}
>   
> +		printk("isp_probe: 2\n");
>   	ret = fwnode_property_read_u32(of_fwnode_handle(pdev->dev.of_node),
>   				       "ti,phy-type", &isp->phy_type);
>   	if (ret)
> @@ -2219,6 +2221,8 @@ static int isp_probe(struct platform_device *pdev)
>   	mutex_init(&isp->isp_mutex);
>   	spin_lock_init(&isp->stat_lock);
>   
> +			printk("isp_probe: 3\n");
> +
>   	ret = v4l2_async_notifier_parse_fwnode_endpoints(
>   		&pdev->dev, &isp->notifier, sizeof(struct isp_async_subdev),
>   		isp_fwnode_parse);
> @@ -2232,6 +2236,7 @@ static int isp_probe(struct platform_device *pdev)
>   	if (ret)
>   		goto error;
>   
> +				printk("isp_probe: 4\n");
>   	platform_set_drvdata(pdev, isp);
>   
>   	/* Regulators */
> @@ -2258,6 +2263,7 @@ static int isp_probe(struct platform_device *pdev)
>   			return PTR_ERR(isp->mmio_base[map_idx]);
>   	}
>   
> +	printk("isp_probe: 5\n");
>   	ret = isp_get_clocks(isp);
>   	if (ret < 0)
>   		goto error;
> @@ -2277,6 +2283,7 @@ static int isp_probe(struct platform_device *pdev)
>   		goto error;
>   	}
>   
> +		printk("isp_probe: 6\n");
>   	ret = isp_reset(isp);
>   	if (ret < 0)
>   		goto error_isp;
> @@ -2306,6 +2313,7 @@ static int isp_probe(struct platform_device *pdev)
>   			isp->mmio_base[OMAP3_ISP_IOMEM_CSI2A_REGS1]
>   			+ isp_res_maps[m].offset[i];
>   
> +		printk("isp_probe: 7\n");
>   	isp->mmio_hist_base_phys =
>   		mem->start + isp_res_maps[m].offset[OMAP3_ISP_IOMEM_HIST];
>   
> @@ -2316,6 +2324,8 @@ static int isp_probe(struct platform_device *pdev)
>   		goto error_isp;
>   	}
>   
> +		printk("isp_probe: 8\n");
> +
>   	/* Interrupt */
>   	ret = platform_get_irq(pdev, 0);
>   	if (ret <= 0) {
> @@ -2325,6 +2335,7 @@ static int isp_probe(struct platform_device *pdev)
>   	}
>   	isp->irq_num = ret;
>   
> +			printk("isp_probe: 9\n");
>   	if (devm_request_irq(isp->dev, isp->irq_num, isp_isr, IRQF_SHARED,
>   			     "OMAP3 ISP", isp)) {
>   		dev_err(isp->dev, "Unable to request IRQ\n");
> @@ -2332,6 +2343,7 @@ static int isp_probe(struct platform_device *pdev)
>   		goto error_iommu;
>   	}
>   
> +				printk("isp_probe: 10\n");
>   	/* Entities */
>   	ret = isp_initialize_modules(isp);
>   	if (ret < 0)
> @@ -2345,27 +2357,35 @@ static int isp_probe(struct platform_device *pdev)
>   	if (ret < 0)
>   		goto error_register_entities;
>   
> +					printk("isp_probe: 11\n");
>   	isp->notifier.ops = &isp_subdev_notifier_ops;
>   
>   	ret = v4l2_async_notifier_register(&isp->v4l2_dev, &isp->notifier);
>   	if (ret)
>   		goto error_register_entities;
>   
> +					printk("isp_probe: 12\n");	
>   	isp_core_init(isp, 1);
> +					printk("isp_probe: 13\n");		
>   	omap3isp_put(isp);
>   
>   	return 0;
>   
>   error_register_entities:
> +					printk("isp_probe: f1\n");		
>   	isp_unregister_entities(isp);
>   error_modules:
> +						printk("isp_probe: f2\n");		
>   	isp_cleanup_modules(isp);
>   error_iommu:
> +							printk("isp_probe: f3\n");		
>   	isp_detach_iommu(isp);
>   error_isp:
> +							printk("isp_probe: f4\n");		
>   	isp_xclk_cleanup(isp);
>   	__omap3isp_put(isp, false);
>   error:
> +						printk("isp_probe: f5\n");			
>   	v4l2_async_notifier_cleanup(&isp->notifier);
>   	mutex_destroy(&isp->isp_mutex);
>   

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-09 12:08         ` Robin Murphy
  (?)
@ 2018-03-09 22:13           ` Suman Anna
  -1 siblings, 0 replies; 26+ messages in thread
From: Suman Anna @ 2018-03-09 22:13 UTC (permalink / raw)
  To: Robin Murphy, Pavel Machek
  Cc: ivo.g.dimitrov.75, khilman, Tony Lindgren, aaro.koskinen,
	kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge

On 03/09/2018 06:08 AM, Robin Murphy wrote:
> On 08/03/18 18:50, Pavel Machek wrote:
>> Hi!
>>
>>>> * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
>>>>> Hi!
>>>>>
>>>>> I'm getting this warning... Has anyone seen/debugged that before?
>>>>> Unfortunately the backtrace does not seem to be too useful :-(.
>>>>
>>>> Adding Suman to Cc, as it points to arm_iommu_release_mapping().
>>>
>>> Hmm, we need to find out if the failure paths in isp_probe() are
>>> mismatched, or if this is coming from some mismatch between the OMAP
>>> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this
>>
>> Well, camera only started to work on N900 pretty recently. Let me add
>> some debug printks...
>>
>> Camera does not work in 4.16.0-rc4-next-20180308-dirty.
>>
>> I see this. It looks like problem in isp error paths, indeed:
> 
> Well, there certainly seems to be an obvious bug wherein
> isp_detach_iommu() just releases the mapping directly without calling
> arm_iommu_detach_device() to balance the equivalent attach. That can't
> be helping.

Indeed, I have been able to reproduce the same warning using a
standalone test module, and the missing arm_iommu_detach_device() is
causing the warning after probe (during failure path) or during remove.

regards
Suman

> 
> Robin.
> 
>>
>> [    1.672210] bus: 'platform': driver_probe_device: matched device 480bc000.isp with driver omap3isp
>> [    1.681976] isp_probe: 1
>> [    1.684906] isp_probe: 2
>> [    1.687591] isp_probe: 3
>> [    1.690338] isp_probe: 4
>> [    1.693054] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy1 not found, using dummy regulator
>> [    1.702728] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2 not found, using dummy regulator
>> [    1.712402] isp_probe: 5
>> [    1.715393] omap3isp 480bc000.isp: Revision 2.0 found
>> [    1.720794] isp_probe: 6
>> [    1.723815] isp_probe: 7
>> [    1.726715] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
>> [    1.732849] isp_probe: 8
>> [    1.735656] isp_probe: 9
>> [    1.738403] isp_probe: 10
>> [    1.741241] isp_probe: f3
>> [    1.744018] iommu_release_mapping... ce4d9500 ce4d949c
>> [    1.749450] iommu_release_mapping... ok
>> [    1.753479] isp_probe: f4
>> [    1.756286] clk_unregister: unregistering prepared clock: cam_xclka
>> [    1.762878] clk_unregister: unregistering prepared clock: cam_xclkb
>> [    1.769500] isp_probe: f5
>> [    1.772430] iommu_release_mapping... ce4d9500 ce4d949c
>> [    1.777862] ------------[ cut here ]------------
>> [    1.782745] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test+0x94/0xa8
>> [    1.791290] refcount_t: underflow; use-after-free.
>> [    1.796356] Modules linked in:
>> [    1.799591] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc4-next-20180308-dirty #73
>> [    1.807922] Hardware name: Nokia RX-51 board
>> [    1.812469] [<c010d6cc>] (unwind_backtrace) from [<c010b568>] (show_stack+0x10/0x14)
>> [    1.820648] [<c010b568>] (show_stack) from [<c0127df4>] (__warn+0xe8/0x110)
>> ...
>> [    1.968688] iommu_release_mapping... ok
>> [    1.973754] bus: 'platform': driver_probe_device: matched device n900-battery with driver rx51-battery
>> [    1.984436] bus: 'platform': driver_probe_device: matched device 48002524.bandgap with driver ti-soc-thermal
>>
>> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
>> index 8c398fe..16f4c69 100644
>> --- a/arch/arm/mm/dma-mapping.c
>> +++ b/arch/arm/mm/dma-mapping.c
>> @@ -2251,8 +2251,11 @@ static int extend_iommu_mapping(struct
>> dma_iommu_mapping *mapping)
>>     void arm_iommu_release_mapping(struct dma_iommu_mapping *mapping)
>>   {
>> +    printk("iommu_release_mapping... %lx %lx\n", mapping,
>> mapping->domain);
>>       if (mapping)
>>           kref_put(&mapping->kref, release_iommu_mapping);
>> +    printk("iommu_release_mapping... ok\n");
>> +   
>>   }
>>   EXPORT_SYMBOL_GPL(arm_iommu_release_mapping);
>>   diff --git a/drivers/media/platform/omap3isp/isp.c
>> b/drivers/media/platform/omap3isp/isp.c
>> index 8eb000e..4d58683 100644
>> --- a/drivers/media/platform/omap3isp/isp.c
>> +++ b/drivers/media/platform/omap3isp/isp.c
>> @@ -2193,12 +2193,14 @@ static int isp_probe(struct platform_device
>> *pdev)
>>       int ret;
>>       int i, m;
>>   +    printk("isp_probe: 1\n");
>>       isp = devm_kzalloc(&pdev->dev, sizeof(*isp), GFP_KERNEL);
>>       if (!isp) {
>>           dev_err(&pdev->dev, "could not allocate memory\n");
>>           return -ENOMEM;
>>       }
>>   +        printk("isp_probe: 2\n");
>>       ret = fwnode_property_read_u32(of_fwnode_handle(pdev->dev.of_node),
>>                          "ti,phy-type", &isp->phy_type);
>>       if (ret)
>> @@ -2219,6 +2221,8 @@ static int isp_probe(struct platform_device *pdev)
>>       mutex_init(&isp->isp_mutex);
>>       spin_lock_init(&isp->stat_lock);
>>   +            printk("isp_probe: 3\n");
>> +
>>       ret = v4l2_async_notifier_parse_fwnode_endpoints(
>>           &pdev->dev, &isp->notifier, sizeof(struct isp_async_subdev),
>>           isp_fwnode_parse);
>> @@ -2232,6 +2236,7 @@ static int isp_probe(struct platform_device *pdev)
>>       if (ret)
>>           goto error;
>>   +                printk("isp_probe: 4\n");
>>       platform_set_drvdata(pdev, isp);
>>         /* Regulators */
>> @@ -2258,6 +2263,7 @@ static int isp_probe(struct platform_device *pdev)
>>               return PTR_ERR(isp->mmio_base[map_idx]);
>>       }
>>   +    printk("isp_probe: 5\n");
>>       ret = isp_get_clocks(isp);
>>       if (ret < 0)
>>           goto error;
>> @@ -2277,6 +2283,7 @@ static int isp_probe(struct platform_device *pdev)
>>           goto error;
>>       }
>>   +        printk("isp_probe: 6\n");
>>       ret = isp_reset(isp);
>>       if (ret < 0)
>>           goto error_isp;
>> @@ -2306,6 +2313,7 @@ static int isp_probe(struct platform_device *pdev)
>>               isp->mmio_base[OMAP3_ISP_IOMEM_CSI2A_REGS1]
>>               + isp_res_maps[m].offset[i];
>>   +        printk("isp_probe: 7\n");
>>       isp->mmio_hist_base_phys =
>>           mem->start + isp_res_maps[m].offset[OMAP3_ISP_IOMEM_HIST];
>>   @@ -2316,6 +2324,8 @@ static int isp_probe(struct platform_device
>> *pdev)
>>           goto error_isp;
>>       }
>>   +        printk("isp_probe: 8\n");
>> +
>>       /* Interrupt */
>>       ret = platform_get_irq(pdev, 0);
>>       if (ret <= 0) {
>> @@ -2325,6 +2335,7 @@ static int isp_probe(struct platform_device *pdev)
>>       }
>>       isp->irq_num = ret;
>>   +            printk("isp_probe: 9\n");
>>       if (devm_request_irq(isp->dev, isp->irq_num, isp_isr, IRQF_SHARED,
>>                    "OMAP3 ISP", isp)) {
>>           dev_err(isp->dev, "Unable to request IRQ\n");
>> @@ -2332,6 +2343,7 @@ static int isp_probe(struct platform_device *pdev)
>>           goto error_iommu;
>>       }
>>   +                printk("isp_probe: 10\n");
>>       /* Entities */
>>       ret = isp_initialize_modules(isp);
>>       if (ret < 0)
>> @@ -2345,27 +2357,35 @@ static int isp_probe(struct platform_device
>> *pdev)
>>       if (ret < 0)
>>           goto error_register_entities;
>>   +                    printk("isp_probe: 11\n");
>>       isp->notifier.ops = &isp_subdev_notifier_ops;
>>         ret = v4l2_async_notifier_register(&isp->v4l2_dev,
>> &isp->notifier);
>>       if (ret)
>>           goto error_register_entities;
>>   +                    printk("isp_probe: 12\n");   
>>       isp_core_init(isp, 1);
>> +                    printk("isp_probe: 13\n");       
>>       omap3isp_put(isp);
>>         return 0;
>>     error_register_entities:
>> +                    printk("isp_probe: f1\n");       
>>       isp_unregister_entities(isp);
>>   error_modules:
>> +                        printk("isp_probe: f2\n");       
>>       isp_cleanup_modules(isp);
>>   error_iommu:
>> +                            printk("isp_probe: f3\n");       
>>       isp_detach_iommu(isp);
>>   error_isp:
>> +                            printk("isp_probe: f4\n");       
>>       isp_xclk_cleanup(isp);
>>       __omap3isp_put(isp, false);
>>   error:
>> +                        printk("isp_probe: f5\n");           
>>       v4l2_async_notifier_cleanup(&isp->notifier);
>>       mutex_destroy(&isp->isp_mutex);
>>  
>>
>>
>>
>> _______________________________________________
>> linux-arm-kernel mailing list
>> linux-arm-kernel@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
>>

* Re: Nokia N900: refcount_t underflow, use after free
@ 2018-03-09 22:13           ` Suman Anna
  0 siblings, 0 replies; 26+ messages in thread
From: Suman Anna @ 2018-03-09 22:13 UTC (permalink / raw)
  To: Robin Murphy, Pavel Machek
  Cc: ivo.g.dimitrov.75, aaro.koskinen, Tony Lindgren, khilman, sre,
	kernel list, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge

On 03/09/2018 06:08 AM, Robin Murphy wrote:
> On 08/03/18 18:50, Pavel Machek wrote:
>> Hi!
>>
>>>> * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
>>>>> Hi!
>>>>>
>>>>> I'm getting this warning... Has anyone seen/debugged that before?
>>>>> Unfortunately the backtrace does not seem to be too useful :-(.
>>>>
>>>> Adding Suman to Cc, as it points to arm_iommu_release_mapping().
>>>
>>> Hmm, we need to find out if the failure paths in isp_probe() are
>>> mismatched, or if this is coming from some mismatch between the OMAP
>>> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this
>>
>> Well, camera only started to work on N900 pretty recently. Let me add
>> some debug printks...
>>
>> Camera does not work in 4.16.0-rc4-next-20180308-dirty.
>>
>> I see this. It looks like problem in isp error paths, indeed:
> 
> Well, there certainly seems to be an obvious bug wherein
> isp_detach_iommu() just releases the mapping directly without calling
> arm_iommu_detach_device() to balance the equivalent attach. That can't
> be helping.

Indeed, I have been able to reproduce the same warning using a
standalone test module, and the missing arm_iommu_detach_device() is
causing the warning after probe (during failure path) or during remove.

regards
Suman

> 
> Robin.
> 
>>
>> [    1.672210] bus: 'platform': driver_probe_device: matched device
>> 480bc000.isp with dr
>> iver omap3isp
>> [    1.681976] isp_probe: 1
>> [    1.684906] isp_probe: 2
>> [    1.687591] isp_probe: 3
>> [    1.690338] isp_probe: 4
>> [    1.693054] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy1
>> not found, using d
>> ummy regulator
>> [    1.702728] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2
>> not found, using d
>> ummy regulator
>> [    1.712402] isp_probe: 5
>> [    1.715393] omap3isp 480bc000.isp: Revision 2.0 found
>> [    1.720794] isp_probe: 6
>> [    1.723815] isp_probe: 7
>> [    1.726715] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
>> [    1.732849] isp_probe: 8
>> [    1.735656] isp_probe: 9
>> [    1.738403] isp_probe: 10
>> [    1.741241] isp_probe: f3
>> [    1.744018] iommu_release_mapping... ce4d9500 ce4d949c
>> [    1.749450] iommu_release_mapping... ok
>> [    1.753479] isp_probe: f4
>> [    1.756286] clk_unregister: unregistering prepared clock: cam_xclka
>> [    1.762878] clk_unregister: unregistering prepared clock: cam_xclkb
>> [    1.769500] isp_probe: f5
>> [    1.772430] iommu_release_mapping... ce4d9500 ce4d949c
>> [    1.777862] ------------[ cut here ]------------
>> [    1.782745] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187
>> refcount_sub_and_test+0x94/0
>> xa8
>> [    1.791290] refcount_t: underflow; use-after-free.
>> [    1.796356] Modules linked in:
>> [    1.799591] CPU: 0 PID: 1 Comm: swapper Not tainted
>> 4.16.0-rc4-next-20180308-dirty #7
>> 3
>> [    1.807922] Hardware name: Nokia RX-51 board
>> [    1.812469] [<c010d6cc>] (unwind_backtrace) from [<c010b568>]
>> (show_stack+0x10/0x14)
>> [    1.820648] [<c010b568>] (show_stack) from [<c0127df4>]
>> (__warn+0xe8/0x110)
>> ...
>> [    1.968688] iommu_release_mapping... ok
>> [    1.973754] bus: 'platform': driver_probe_device: matched device
>> n900-battery with driver rx51-battery
>> [    1.984436] bus: 'platform': driver_probe_device: matched device
>> 48002524.bandgap with driver ti-soc-thermal
>>
>> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
>> index 8c398fe..16f4c69 100644
>> --- a/arch/arm/mm/dma-mapping.c
>> +++ b/arch/arm/mm/dma-mapping.c
>> @@ -2251,8 +2251,11 @@ static int extend_iommu_mapping(struct
>> dma_iommu_mapping *mapping)
>>     void arm_iommu_release_mapping(struct dma_iommu_mapping *mapping)
>>   {
>> +    printk("iommu_release_mapping... %lx %lx\n", mapping,
>> mapping->domain);
>>       if (mapping)
>>           kref_put(&mapping->kref, release_iommu_mapping);
>> +    printk("iommu_release_mapping... ok\n");
>> +   
>>   }
>>   EXPORT_SYMBOL_GPL(arm_iommu_release_mapping);
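
Review bot: the added printk at the top of arm_iommu_release_mapping()
reads mapping->domain before the existing "if (mapping)" check, so a NULL
mapping would now oops in the debug line itself; move the printk inside
the check. It also passes two pointers to %lx; use %p, or %px if the raw
address is wanted for matching the two release calls in the log.
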
>>   diff --git a/drivers/media/platform/omap3isp/isp.c
>> b/drivers/media/platform/omap3isp/isp.c
>> index 8eb000e..4d58683 100644
>> --- a/drivers/media/platform/omap3isp/isp.c
>> +++ b/drivers/media/platform/omap3isp/isp.c
>> @@ -2193,12 +2193,14 @@ static int isp_probe(struct platform_device
>> *pdev)
>>       int ret;
>>       int i, m;
>>   +    printk("isp_probe: 1\n");
>>       isp = devm_kzalloc(&pdev->dev, sizeof(*isp), GFP_KERNEL);
>>       if (!isp) {
>>           dev_err(&pdev->dev, "could not allocate memory\n");
>>           return -ENOMEM;
>>       }
>>   +        printk("isp_probe: 2\n");
>>       ret = fwnode_property_read_u32(of_fwnode_handle(pdev->dev.of_node),
>>                          "ti,phy-type", &isp->phy_type);
>>       if (ret)
>> @@ -2219,6 +2221,8 @@ static int isp_probe(struct platform_device *pdev)
>>       mutex_init(&isp->isp_mutex);
>>       spin_lock_init(&isp->stat_lock);
>>   +            printk("isp_probe: 3\n");
>> +
>>       ret = v4l2_async_notifier_parse_fwnode_endpoints(
>>           &pdev->dev, &isp->notifier, sizeof(struct isp_async_subdev),
>>           isp_fwnode_parse);
>> @@ -2232,6 +2236,7 @@ static int isp_probe(struct platform_device *pdev)
>>       if (ret)
>>           goto error;
>>   +                printk("isp_probe: 4\n");
>>       platform_set_drvdata(pdev, isp);
>>         /* Regulators */
>> @@ -2258,6 +2263,7 @@ static int isp_probe(struct platform_device *pdev)
>>               return PTR_ERR(isp->mmio_base[map_idx]);
>>       }
>>   +    printk("isp_probe: 5\n");
>>       ret = isp_get_clocks(isp);
>>       if (ret < 0)
>>           goto error;
>> @@ -2277,6 +2283,7 @@ static int isp_probe(struct platform_device *pdev)
>>           goto error;
>>       }
>>   +        printk("isp_probe: 6\n");
>>       ret = isp_reset(isp);
>>       if (ret < 0)
>>           goto error_isp;
>> @@ -2306,6 +2313,7 @@ static int isp_probe(struct platform_device *pdev)
>>               isp->mmio_base[OMAP3_ISP_IOMEM_CSI2A_REGS1]
>>               + isp_res_maps[m].offset[i];
>>   +        printk("isp_probe: 7\n");
>>       isp->mmio_hist_base_phys =
>>           mem->start + isp_res_maps[m].offset[OMAP3_ISP_IOMEM_HIST];
>>   @@ -2316,6 +2324,8 @@ static int isp_probe(struct platform_device
>> *pdev)
>>           goto error_isp;
>>       }
>>   +        printk("isp_probe: 8\n");
>> +
>>       /* Interrupt */
>>       ret = platform_get_irq(pdev, 0);
>>       if (ret <= 0) {
>> @@ -2325,6 +2335,7 @@ static int isp_probe(struct platform_device *pdev)
>>       }
>>       isp->irq_num = ret;
>>   +            printk("isp_probe: 9\n");
>>       if (devm_request_irq(isp->dev, isp->irq_num, isp_isr, IRQF_SHARED,
>>                    "OMAP3 ISP", isp)) {
>>           dev_err(isp->dev, "Unable to request IRQ\n");
>> @@ -2332,6 +2343,7 @@ static int isp_probe(struct platform_device *pdev)
>>           goto error_iommu;
>>       }
>>   +                printk("isp_probe: 10\n");
>>       /* Entities */
>>       ret = isp_initialize_modules(isp);
>>       if (ret < 0)
>> @@ -2345,27 +2357,35 @@ static int isp_probe(struct platform_device
>> *pdev)
>>       if (ret < 0)
>>           goto error_register_entities;
>>   +                    printk("isp_probe: 11\n");
>>       isp->notifier.ops = &isp_subdev_notifier_ops;
>>         ret = v4l2_async_notifier_register(&isp->v4l2_dev,
>> &isp->notifier);
>>       if (ret)
>>           goto error_register_entities;
>>   +                    printk("isp_probe: 12\n");   
>>       isp_core_init(isp, 1);
>> +                    printk("isp_probe: 13\n");       
>>       omap3isp_put(isp);
>>         return 0;
>>     error_register_entities:
>> +                    printk("isp_probe: f1\n");       
>>       isp_unregister_entities(isp);
>>   error_modules:
>> +                        printk("isp_probe: f2\n");       
>>       isp_cleanup_modules(isp);
>>   error_iommu:
>> +                            printk("isp_probe: f3\n");       
>>       isp_detach_iommu(isp);
>>   error_isp:
>> +                            printk("isp_probe: f4\n");       
>>       isp_xclk_cleanup(isp);
>>       __omap3isp_put(isp, false);
>>   error:
>> +                        printk("isp_probe: f5\n");           
>>       v4l2_async_notifier_cleanup(&isp->notifier);
>>       mutex_destroy(&isp->isp_mutex);
>>  
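
Review bot: the f1..f5 markers on the error labels show which unwind label
was entered but not why; printing ret together with the marker would tell
you which call failed after "isp_probe: 10" without another rebuild. The
bare printk() calls also carry no log level, and dev_info(&pdev->dev, ...)
would tag each line with the device.
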
>>
>>
>>
>> _______________________________________________
>> linux-arm-kernel mailing list
>> linux-arm-kernel@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
>>

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-09 22:13           ` Suman Anna
@ 2018-03-09 22:18             ` Pavel Machek
  -1 siblings, 0 replies; 26+ messages in thread
From: Pavel Machek @ 2018-03-09 22:18 UTC (permalink / raw)
  To: Suman Anna
  Cc: Robin Murphy, ivo.g.dimitrov.75, khilman, Tony Lindgren,
	aaro.koskinen, kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge

On Fri 2018-03-09 16:13:36, Suman Anna wrote:
> On 03/09/2018 06:08 AM, Robin Murphy wrote:
> > On 08/03/18 18:50, Pavel Machek wrote:
> >> Hi!
> >>
> >>>> * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
> >>>>> Hi!
> >>>>>
> >>>>> I'm getting this warning... Has anyone seen/debugged that before?
> >>>>> Unfortunately the backtrace does not seem to be too useful :-(.
> >>>>
> >>>> Adding Suman to Cc, as it points to arm_iommu_release_mapping().
> >>>
> >>> Hmm, we need to find out if the failure paths in isp_probe() are
> >>> mismatched, or if this is coming from some mismatch between the OMAP
> >>> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this
> >>
> >> Well, camera only started to work on N900 pretty recently. Let me add
> >> some debug printks...
> >>
> >> Camera does not work in 4.16.0-rc4-next-20180308-dirty.
> >>
> >> I see this. It looks like problem in isp error paths, indeed:
> > 
> > Well, there certainly seems to be an obvious bug wherein
> > isp_detach_iommu() just releases the mapping directly without calling
> > arm_iommu_detach_device() to balance the equivalent attach. That can't
> > be helping.
> 
> Indeed, I have been able to reproduce the same warning using a
> standalone test module, and the missing arm_iommu_detach_device() is
> causing the warning after probe (during failure path) or during
> remove.

OK, do you have an idea how to fix the isp error paths? Untested patch
would be fine... But it seems that you know what needs to be fixed and
I don't.

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-09 22:18             ` Pavel Machek
@ 2018-03-09 23:06               ` Suman Anna
  -1 siblings, 0 replies; 26+ messages in thread
From: Suman Anna @ 2018-03-09 23:06 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Robin Murphy, ivo.g.dimitrov.75, khilman, Tony Lindgren,
	aaro.koskinen, kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge, Laurent Pinchart

On 03/09/2018 04:18 PM, Pavel Machek wrote:
> On Fri 2018-03-09 16:13:36, Suman Anna wrote:
>> On 03/09/2018 06:08 AM, Robin Murphy wrote:
>>> On 08/03/18 18:50, Pavel Machek wrote:
>>>> Hi!
>>>>
>>>>>> * Pavel Machek <pavel@ucw.cz> [180308 14:31]:
>>>>>>> Hi!
>>>>>>>
>>>>>>> I'm getting this warning... Has anyone seen/debugged that before?
>>>>>>> Unfortunately the backtrace does not seem to be too useful :-(.
>>>>>>
>>>>>> Adding Suman to Cc, as it points to arm_iommu_release_mapping().
>>>>>
>>>>> Hmm, we need to find out if the failure paths in isp_probe() are
>>>>> mismatched, or if this is coming from some mismatch between the OMAP
>>>>> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this
>>>>
>>>> Well, camera only started to work on N900 pretty recently. Let me add
>>>> some debug printks...
>>>>
>>>> Camera does not work in 4.16.0-rc4-next-20180308-dirty.
>>>>
>>>> I see this. It looks like problem in isp error paths, indeed:
>>>
>>> Well, there certainly seems to be an obvious bug wherein
>>> isp_detach_iommu() just releases the mapping directly without calling
>>> arm_iommu_detach_device() to balance the equivalent attach. That can't
>>> be helping.
>>
>> Indeed, I have been able to reproduce the same warning using a
>> standalone test module, and the missing arm_iommu_detach_device() is
>> causing the warning after probe (during failure path) or during
>> remove.
> 
> Ok do you have an idea how to fix the isp error paths? Untested patch
> would be fine... But it seems that you know what needs to be fixed and
> I don't.
> 

OK, see if the following fixes the issue for you, only build tested.

8< ---------------------
From bac9a48fb646dc51f2030d676a0dbe3298c3b134 Mon Sep 17 00:00:00 2001
From: Suman Anna <s-anna@ti.com>
Date: Fri, 9 Mar 2018 16:39:59 -0600
Subject: [PATCH] media: omap3isp: fix unbalanced dma_iommu_mapping

The OMAP3 ISP driver manages its MMU mappings through the IOMMU-aware
ARM DMA backend. The current code creates a dma_iommu_mapping and
attaches this to the ISP device, but never detaches the mapping in
either the probe failure paths or the driver remove path resulting
in an unbalanced mapping refcount and a memory leak. Fix this properly.

Reported-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Suman Anna <s-anna@ti.com>
---
 drivers/media/platform/omap3isp/isp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/omap3isp/isp.c
b/drivers/media/platform/omap3isp/isp.c
index 8eb000e3d8fd..c7d667bfc2af 100644
--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -1945,6 +1945,7 @@ static int isp_initialize_modules(struct
isp_device *isp)

 static void isp_detach_iommu(struct isp_device *isp)
 {
+       arm_iommu_detach_device(isp->dev);
        arm_iommu_release_mapping(isp->mapping);
        isp->mapping = NULL;
 }
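
Review bot: isp_detach_iommu() now calls arm_iommu_detach_device(isp->dev)
unconditionally, so it is only safe to reach after a successful attach.
The next hunk removes it from isp_attach_iommu()'s own error label, which
covers the failed-attach case; a one-line comment here stating that
precondition would keep a later caller from reintroducing the imbalance.
The hunk header is also line-wrapped by the mailer, so the patch will not
apply as sent.
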
@@ -1971,13 +1972,15 @@ static int isp_attach_iommu(struct isp_device *isp)
        ret = arm_iommu_attach_device(isp->dev, mapping);
        if (ret < 0) {
                dev_err(isp->dev, "failed to attach device to VA
mapping\n");
-               goto error;
+               goto error_attach;
        }

        return 0;

+error_attach:
+       arm_iommu_release_mapping(isp->mapping);
+       isp->mapping = NULL;
 error:
-       isp_detach_iommu(isp);
        return ret;
 }
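
Review bot: error_attach releases isp->mapping, while the attach call just
above it passes the local "mapping"; that is only correct if isp->mapping
was assigned before arm_iommu_attach_device(), which this hunk does not
show. Releasing "mapping" directly would make the path obviously right.
With isp_detach_iommu() removed, the "error:" label now only returns ret,
so the earlier "goto error" sites could return directly.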

-- 
2.16.2
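
The refcount imbalance this thread tracks down, as a user-space C model added here for illustration (not code from the thread or from the kernel). The helpers stand in for arm_iommu_attach_device(), arm_iommu_detach_device() and arm_iommu_release_mapping(); core_teardown(), a later step that detaches and releases whatever mapping is still attached to the device, is an assumption, since the log earlier in the thread shows the second release but not its caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of a kref-counted IOMMU mapping. "freed" stands in for the real
 * free so the model can keep inspecting the object afterwards. */
struct mapping {
	int refs;
	bool freed;
	int underflows;	/* puts that arrived after the count reached zero */
};

struct device {
	struct mapping *attached;	/* non-NULL while a mapping is attached */
};

struct outcome { int refs; int underflows; bool freed; };

/* Checked put: like refcount_t, record an underflow instead of wrapping. */
static void mapping_put(struct mapping *m)
{
	if (m->refs <= 0) {
		m->underflows++;	/* "refcount_t: underflow; use-after-free." */
		return;
	}
	if (--m->refs == 0)
		m->freed = true;
}

static void create_mapping(struct mapping *m)
{
	m->refs = 1;		/* creator's reference */
	m->freed = false;
	m->underflows = 0;
}

/* Attach takes its own reference; ok=false models a failed attach. */
static bool attach_device(struct device *dev, struct mapping *m, bool ok)
{
	if (!ok)
		return false;
	m->refs++;
	dev->attached = m;
	return true;
}

static void detach_device(struct device *dev)
{
	struct mapping *m = dev->attached;

	if (!m)
		return;
	dev->attached = NULL;
	mapping_put(m);		/* drops the reference taken by attach */
}

static void release_mapping(struct mapping *m)
{
	if (m)
		mapping_put(m);	/* drops the creator's reference */
}

/* Assumed later teardown: undo whatever is still attached to the device. */
static void core_teardown(struct device *dev)
{
	struct mapping *m = dev->attached;

	if (!m)
		return;
	detach_device(dev);
	release_mapping(m);
}

/* One failed probe: create, attach, driver cleanup, then core teardown. */
static struct outcome probe_failure(bool driver_detaches, bool attach_ok)
{
	struct mapping m;
	struct device dev = { NULL };
	struct outcome out;

	create_mapping(&m);
	if (attach_device(&dev, &m, attach_ok) && driver_detaches)
		detach_device(&dev);	/* the call the fix adds */
	release_mapping(&m);		/* driver drops its own reference */
	core_teardown(&dev);

	out.refs = m.refs;
	out.underflows = m.underflows;
	out.freed = m.freed;
	return out;
}

int main(void)
{
	struct outcome a = probe_failure(false, true);
	struct outcome b = probe_failure(true, true);
	struct outcome c = probe_failure(true, false);

	printf("release only:      underflows=%d freed=%d\n", a.underflows, a.freed);
	printf("detach + release:  underflows=%d freed=%d\n", b.underflows, b.freed);
	printf("attach failed:     underflows=%d freed=%d\n", c.underflows, c.freed);
	return 0;
}
```

In the release-only case the driver's put leaves the count at 1 with the mapping still attached, so the later teardown's two puts free the object and then underflow, which is the order of the two iommu_release_mapping lines in the log.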

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-09 23:06               ` Suman Anna
@ 2018-03-10 11:26                 ` Pavel Machek
  -1 siblings, 0 replies; 26+ messages in thread
From: Pavel Machek @ 2018-03-10 11:26 UTC (permalink / raw)
  To: Suman Anna
  Cc: Robin Murphy, ivo.g.dimitrov.75, khilman, Tony Lindgren,
	aaro.koskinen, kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge, Laurent Pinchart

Hi!

> >>> Well, there certainly seems to be an obvious bug wherein
> >>> isp_detach_iommu() just releases the mapping directly without calling
> >>> arm_iommu_detach_device() to balance the equivalent attach. That can't
> >>> be helping.
> >>
> >> Indeed, I have been able to reproduce the same warning using a
> >> standalone test module, and the missing arm_iommu_detach_device() is
> >> causing the warning after probe (during failure path) or during
> >> remove.
> > 
> > Ok do you have an idea how to fix the isp error paths? Untested patch
> > would be fine... But it seems that you know what needs to be fixed and
> > I don't.
> > 
> 
> OK, see if the following fixes the issue for you, only build tested.

Word-wrapped, so I applied by hand. And yes, the oops at boot is
gone. Thanks!

(Camera still does not work in -next... kills system. Oh well. Let's
debug that some other day.)

> 8< ---------------------
> >From bac9a48fb646dc51f2030d676a0dbe3298c3b134 Mon Sep 17 00:00:00 2001
> From: Suman Anna <s-anna@ti.com>
> Date: Fri, 9 Mar 2018 16:39:59 -0600
> Subject: [PATCH] media: omap3isp: fix unbalanced dma_iommu_mapping
> 
> The OMAP3 ISP driver manages its MMU mappings through the IOMMU-aware
> ARM DMA backend. The current code creates a dma_iommu_mapping and
> attaches this to the ISP device, but never detaches the mapping in
> either the probe failure paths or the driver remove path resulting
> in an unbalanced mapping refcount and a memory leak. Fix this properly.
> 
> Reported-by: Pavel Machek <pavel@ucw.cz>
> Signed-off-by: Suman Anna <s-anna@ti.com>

Tested-by: Pavel Machek <pavel@ucw.cz>
									Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
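
The reference counting behind the diagnosis quoted above, as a user-space C model added here for illustration (it is not kernel code and not part of the patch). It assumes that creating the mapping starts the count at one, that attach takes a reference and records the mapping on the device, and that detach and release each drop one; the struct and function names, and the later cleanup caller, are hypothetical.

```c
/* Added model, not kernel code. Assumed semantics: create starts the count
 * at 1, attach takes a reference and records the mapping on the device,
 * detach and release each drop one reference. */
#include <stdio.h>

struct mapping { int refs; int underflow; };
struct device { struct mapping *attached; };

static void put(struct mapping *m)
{
	if (m->refs == 0)
		m->underflow = 1;	/* the condition refcount_t warns about */
	else
		m->refs--;		/* reaching 0 stands for freeing the mapping */
}

static void create(struct mapping *m) { m->refs = 1; m->underflow = 0; }
static void release(struct mapping *m) { put(m); }
static void attach(struct device *d, struct mapping *m) { m->refs++; d->attached = m; }

static void detach(struct device *d)
{
	if (d->attached)
		put(d->attached);
	d->attached = NULL;
}

/* Create and attach, then tear down the old way (release only) or the
 * patched way (detach, then release). Returns the references left. */
int teardown(struct device *d, struct mapping *m, int patched)
{
	create(m);
	attach(d, m);
	if (patched)
		detach(d);
	release(m);
	return m->refs;
}

/* Patched error_attach path: the attach failed, so only the creation
 * reference exists and a single release balances it. */
int attach_failure(struct mapping *m)
{
	create(m);
	release(m);
	return m->refs;
}

/* Hypothetical later cleanup (not shown on the page): a balanced detach and
 * release on a device that the old teardown left attached. */
int later_cleanup_underflows(void)
{
	struct device d = { NULL };
	struct mapping m;
	teardown(&d, &m, 0);
	detach(&d);	/* 1 -> 0: the mapping would be freed here */
	release(&m);	/* count already 0: underflow, on freed memory */
	return m.underflow;
}

int main(void)
{
	struct device d = { NULL };
	struct mapping m;
	int old = teardown(&d, &m, 0), fixed = teardown(&d, &m, 1);
	printf("old=%d patched=%d attach_failure=%d underflow=%d\n", old, fixed,
	       attach_failure(&m), later_cleanup_underflows());
	return 0;
}
```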

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-10 11:26                 ` Pavel Machek
  (?)
@ 2018-03-12 16:10                   ` Suman Anna
  -1 siblings, 0 replies; 26+ messages in thread
From: Suman Anna @ 2018-03-12 16:10 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Robin Murphy, ivo.g.dimitrov.75, khilman, Tony Lindgren,
	aaro.koskinen, kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge, Laurent Pinchart

On 03/10/2018 05:26 AM, Pavel Machek wrote:
> Hi!
> 
>>>>> Well, there certainly seems to be an obvious bug wherein
>>>>> isp_detach_iommu() just releases the mapping directly without calling
>>>>> arm_iommu_detach_device() to balance the equivalent attach. That can't
>>>>> be helping.
>>>>
>>>> Indeed, I have been able to reproduce the same warning using a
>>>> standalone test module, and the missing arm_iommu_detach_device() is
>>>> causing the warning after probe (during failure path) or during
>>>> remove.
>>>
>>> Ok do you have an idea how to fix the isp error paths? Untested patch
>>> would be fine... But it seems that you know what needs to be fixed and
>>> I don't.
>>>
>>
>> OK, see if the following fixes the issue for you, only build tested.
> 
> Word-wrapped, so I applied by hand. And yes, the oops at boot is
> gone. Thanks!

Sorry about that, have to check my mail settings. Anyway will post the
patch again, glad that it fixed your issue.

regards
Suman

> 
> (Camera still does not work in -next... kills system. Oh well. Let's
> debug that some other day.)
> 
>> 8< ---------------------
>> >From bac9a48fb646dc51f2030d676a0dbe3298c3b134 Mon Sep 17 00:00:00 2001
>> From: Suman Anna <s-anna@ti.com>
>> Date: Fri, 9 Mar 2018 16:39:59 -0600
>> Subject: [PATCH] media: omap3isp: fix unbalanced dma_iommu_mapping
>>
>> The OMAP3 ISP driver manages its MMU mappings through the IOMMU-aware
>> ARM DMA backend. The current code creates a dma_iommu_mapping and
>> attaches this to the ISP device, but never detaches the mapping in
>> either the probe failure paths or the driver remove path resulting
>> in an unbalanced mapping refcount and a memory leak. Fix this properly.
>>
>> Reported-by: Pavel Machek <pavel@ucw.cz>
>> Signed-off-by: Suman Anna <s-anna@ti.com>
> 
> Tested-by: Pavel Machek <pavel@ucw.cz>
> 									Pavel
> 

* Re: Nokia N900: refcount_t underflow, use after free
  2018-03-12 16:10                   ` Suman Anna
@ 2018-05-24 11:05                     ` Pavel Machek
  -1 siblings, 0 replies; 26+ messages in thread
From: Pavel Machek @ 2018-05-24 11:05 UTC (permalink / raw)
  To: Suman Anna
  Cc: Robin Murphy, ivo.g.dimitrov.75, khilman, Tony Lindgren,
	aaro.koskinen, kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge, Laurent Pinchart

Hi!

> >>
> >> OK, see if the following fixes the issue for you, only build tested.
> > 
> > Word-wrapped, so I applied by hand. And yes, the oops at boot is
> > gone. Thanks!
> 
> Sorry about that, have to check my mail settings. Anyway will post the
> patch again, glad that it fixed your issue.

Any news here? AFAICT the bug crept into v4.17-rcX in the
meantime...

								Pavel

> regards
> Suman
> 
> > 
> > (Camera still does not work in -next... kills system. Oh well. Let's
> > debug that some other day.)
> > 
> >> 8< ---------------------
> >> >From bac9a48fb646dc51f2030d676a0dbe3298c3b134 Mon Sep 17 00:00:00 2001
> >> From: Suman Anna <s-anna@ti.com>
> >> Date: Fri, 9 Mar 2018 16:39:59 -0600
> >> Subject: [PATCH] media: omap3isp: fix unbalanced dma_iommu_mapping
> >>
> >> The OMAP3 ISP driver manages its MMU mappings through the IOMMU-aware
> >> ARM DMA backend. The current code creates a dma_iommu_mapping and
> >> attaches this to the ISP device, but never detaches the mapping in
> >> either the probe failure paths or the driver remove path resulting
> >> in an unbalanced mapping refcount and a memory leak. Fix this properly.
> >>
> >> Reported-by: Pavel Machek <pavel@ucw.cz>
> >> Signed-off-by: Suman Anna <s-anna@ti.com>
> > 
> > Tested-by: Pavel Machek <pavel@ucw.cz>
> > 									Pavel
> > 

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

* Re: Nokia N900: refcount_t underflow, use after free
  2018-05-24 11:05                     ` Pavel Machek
@ 2018-05-25  2:37                       ` Suman Anna
  -1 siblings, 0 replies; 26+ messages in thread
From: Suman Anna @ 2018-05-25  2:37 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Robin Murphy, ivo.g.dimitrov.75, khilman, Tony Lindgren,
	aaro.koskinen, kernel list, sre, martijn, Filip Matijević,
	abcloriens, sakari.ailus, pali.rohar, clayton, linux-omap,
	patrikbachan, linux-arm-kernel, serge, Laurent Pinchart

On 05/24/2018 06:05 AM, Pavel Machek wrote:
> Hi!
> 
>>>>
>>>> OK, see if the following fixes the issue for you, only build tested.
>>>
>>> Word-wrapped, so I applied by hand. And yes, the oops at boot is
>>> gone. Thanks!
>>
>> Sorry about that, have to check my mail settings. Anyway will post the
>> patch again, glad that it fixed your issue.
> 
> Any news here? AFAICT the bug crept into v4.17-rcX in the
> meantime...
>

The patch has been on linux-next for some time now.

regards
Suman

> 								Pavel
> 
>> regards
>> Suman
>>
>>>
>>> (Camera still does not work in -next... kills system. Oh well. Let's
>>> debug that some other day.)
>>>
>>>> 8< ---------------------
>>>> >From bac9a48fb646dc51f2030d676a0dbe3298c3b134 Mon Sep 17 00:00:00 2001
>>>> From: Suman Anna <s-anna@ti.com>
>>>> Date: Fri, 9 Mar 2018 16:39:59 -0600
>>>> Subject: [PATCH] media: omap3isp: fix unbalanced dma_iommu_mapping
>>>>
>>>> The OMAP3 ISP driver manages its MMU mappings through the IOMMU-aware
>>>> ARM DMA backend. The current code creates a dma_iommu_mapping and
>>>> attaches this to the ISP device, but never detaches the mapping in
>>>> either the probe failure paths or the driver remove path resulting
>>>> in an unbalanced mapping refcount and a memory leak. Fix this properly.
>>>>
>>>> Reported-by: Pavel Machek <pavel@ucw.cz>
>>>> Signed-off-by: Suman Anna <s-anna@ti.com>
>>>
>>> Tested-by: Pavel Machek <pavel@ucw.cz>
>>> 									Pavel
>>>
> 
