linux-media.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path
@ 2014-04-30  8:13 Peter Meerwald
  2014-04-30 16:47 ` Laurent Pinchart
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Meerwald @ 2014-04-30  8:13 UTC (permalink / raw)
  To: linux-media; +Cc: laurent.pinchart, sakari.ailus, stable, Peter Meerwald

isp_save_ctx() is called from omap3isp_put() after iommu_domain_free() in
the isp_probe() error path

[    3.205047] Unable to handle kernel NULL pointer dereference at virtual address 0000003c
[    3.213470] pgd = c0004000
[    3.216308] [0000003c] *pgd=00000000
[    3.220031] Internal error: Oops: 5 [#1] PREEMPT ARM
[    3.225189] Modules linked in:
[    3.228363] CPU: 0    Not tainted  (3.7.10 #3)
[    3.232971] PC is at omap2_iommu_save_ctx+0x0/0x34
[    3.237945] LR is at omap_iommu_save_ctx+0x1c/0x24
[    3.242919] pc : [<c0026a24>]    lr : [<c02b5878>]    psr: 60000113
...
[    3.425109] [<c0026a24>] (omap2_iommu_save_ctx+0x0/0x34) from [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24)
[    3.435150] [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24) from [<c027f39c>] (omap3isp_put+0x84/0xfc)
[    3.444519] [<c027f39c>] (omap3isp_put+0x84/0xfc) from [<c0392b64>] (isp_probe+0x8d8/0xa60)
[    3.453186] [<c0392b64>] (isp_probe+0x8d8/0xa60) from [<c01fa72c>] (platform_drv_probe+0x14/0x18)
[    3.462402] [<c01fa72c>] (platform_drv_probe+0x14/0x18) from [<c01f982c>] (driver_probe_device+0xb0/0x1dc)

compare isp_remove(): isp->domain is set to NULL after iommu_domain_free()

above crash is observed with 3.7
the issue is fixed in 3.11 (7c0f812a5d65e712618af880dda4a5cc7ed79463),
but present in 3.10 longterm

Cc: stable@vger.kernel.org
Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
---
 drivers/media/platform/omap3isp/isp.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
index 1d7dbd5..a73d9d9 100644
--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -2287,6 +2287,7 @@ detach_dev:
 	iommu_detach_device(isp->domain, &pdev->dev);
 free_domain:
 	iommu_domain_free(isp->domain);
+	isp->domain = NULL;
 error_isp:
 	isp_xclk_cleanup(isp);
 	omap3isp_put(isp);
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path
  2014-04-30  8:13 [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path Peter Meerwald
@ 2014-04-30 16:47 ` Laurent Pinchart
  2014-05-05 13:06   ` Peter Meerwald
  0 siblings, 1 reply; 3+ messages in thread
From: Laurent Pinchart @ 2014-04-30 16:47 UTC (permalink / raw)
  To: Peter Meerwald; +Cc: linux-media, sakari.ailus, stable

Hi Peter,

Thank you for the patch.

On Wednesday 30 April 2014 10:13:30 Peter Meerwald wrote:
> isp_save_ctx() is called from omap3isp_put() after iommu_domain_free() in
> the isp_probe() error path
> 
> [    3.205047] Unable to handle kernel NULL pointer dereference at virtual
> address 0000003c [    3.213470] pgd = c0004000
> [    3.216308] [0000003c] *pgd=00000000
> [    3.220031] Internal error: Oops: 5 [#1] PREEMPT ARM
> [    3.225189] Modules linked in:
> [    3.228363] CPU: 0    Not tainted  (3.7.10 #3)
> [    3.232971] PC is at omap2_iommu_save_ctx+0x0/0x34
> [    3.237945] LR is at omap_iommu_save_ctx+0x1c/0x24
> [    3.242919] pc : [<c0026a24>]    lr : [<c02b5878>]    psr: 60000113
> ...
> [    3.425109] [<c0026a24>] (omap2_iommu_save_ctx+0x0/0x34) from
> [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24)
> [    3.435150] [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24) from
> [<c027f39c>] (omap3isp_put+0x84/0xfc)
> [    3.444519] [<c027f39c>] (omap3isp_put+0x84/0xfc) from [<c0392b64>]
> (isp_probe+0x8d8/0xa60)
> [    3.453186] [<c0392b64>] (isp_probe+0x8d8/0xa60) from [<c01fa72c>]
> (platform_drv_probe+0x14/0x18)
> [    3.462402] [<c01fa72c>] (platform_drv_probe+0x14/0x18) from [<c01f982c>]
> (driver_probe_device+0xb0/0x1dc)
> 
> compare isp_remove(): isp->domain is set to NULL after iommu_domain_free()
> 
> above crash is observed with 3.7
> the issue is fixed in 3.11 (7c0f812a5d65e712618af880dda4a5cc7ed79463),
> but present in 3.10 longterm

Would cherry-picking commit 7c0f812a5d65e712618af880dda4a5cc7ed79463 for the 
3.10 stable series make sense instead ? Otherwise,

Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> Cc: stable@vger.kernel.org
> Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
> ---
>  drivers/media/platform/omap3isp/isp.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/media/platform/omap3isp/isp.c
> b/drivers/media/platform/omap3isp/isp.c index 1d7dbd5..a73d9d9 100644
> --- a/drivers/media/platform/omap3isp/isp.c
> +++ b/drivers/media/platform/omap3isp/isp.c
> @@ -2287,6 +2287,7 @@ detach_dev:
>  	iommu_detach_device(isp->domain, &pdev->dev);
>  free_domain:
>  	iommu_domain_free(isp->domain);
> +	isp->domain = NULL;
>  error_isp:
>  	isp_xclk_cleanup(isp);
>  	omap3isp_put(isp);

-- 
Regards,

Laurent Pinchart


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path
  2014-04-30 16:47 ` Laurent Pinchart
@ 2014-05-05 13:06   ` Peter Meerwald
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Meerwald @ 2014-05-05 13:06 UTC (permalink / raw)
  To: Laurent Pinchart; +Cc: linux-media, sakari.ailus, stable

Hello,

> > isp_save_ctx() is called from omap3isp_put() after iommu_domain_free() in
> > the isp_probe() error path
> > 
> > [    3.205047] Unable to handle kernel NULL pointer dereference at virtual
> > address 0000003c [    3.213470] pgd = c0004000
> > [    3.216308] [0000003c] *pgd=00000000
> > [    3.220031] Internal error: Oops: 5 [#1] PREEMPT ARM
> > [    3.225189] Modules linked in:
> > [    3.228363] CPU: 0    Not tainted  (3.7.10 #3)
> > [    3.232971] PC is at omap2_iommu_save_ctx+0x0/0x34
> > [    3.237945] LR is at omap_iommu_save_ctx+0x1c/0x24
> > [    3.242919] pc : [<c0026a24>]    lr : [<c02b5878>]    psr: 60000113
> > ...
> > [    3.425109] [<c0026a24>] (omap2_iommu_save_ctx+0x0/0x34) from
> > [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24)
> > [    3.435150] [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24) from
> > [<c027f39c>] (omap3isp_put+0x84/0xfc)
> > [    3.444519] [<c027f39c>] (omap3isp_put+0x84/0xfc) from [<c0392b64>]
> > (isp_probe+0x8d8/0xa60)
> > [    3.453186] [<c0392b64>] (isp_probe+0x8d8/0xa60) from [<c01fa72c>]
> > (platform_drv_probe+0x14/0x18)
> > [    3.462402] [<c01fa72c>] (platform_drv_probe+0x14/0x18) from [<c01f982c>]
> > (driver_probe_device+0xb0/0x1dc)
> > 
> > compare isp_remove(): isp->domain is set to NULL after iommu_domain_free()
> > 
> > above crash is observed with 3.7
> > the issue is fixed in 3.11 (7c0f812a5d65e712618af880dda4a5cc7ed79463),
> > but present in 3.10 longterm
> 
> Would cherry-picking commit 7c0f812a5d65e712618af880dda4a5cc7ed79463 for the 
> 3.10 stable series make sense instead ? Otherwise,
> 
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

7c0f812a5d65e712618af880dda4a5cc7ed79463 looks good as well for 3.10 
longterm

thanks, p.
 
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
> > ---
> >  drivers/media/platform/omap3isp/isp.c |    1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/drivers/media/platform/omap3isp/isp.c
> > b/drivers/media/platform/omap3isp/isp.c index 1d7dbd5..a73d9d9 100644
> > --- a/drivers/media/platform/omap3isp/isp.c
> > +++ b/drivers/media/platform/omap3isp/isp.c
> > @@ -2287,6 +2287,7 @@ detach_dev:
> >  	iommu_detach_device(isp->domain, &pdev->dev);
> >  free_domain:
> >  	iommu_domain_free(isp->domain);
> > +	isp->domain = NULL;
> >  error_isp:
> >  	isp_xclk_cleanup(isp);
> >  	omap3isp_put(isp);
> 
> 

-- 

Peter Meerwald
+43-664-2444418 (mobile)

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-05-05 13:07 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-04-30  8:13 [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path Peter Meerwald
2014-04-30 16:47 ` Laurent Pinchart
2014-05-05 13:06   ` Peter Meerwald

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).