* [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path
@ 2014-04-30 8:13 Peter Meerwald
2014-04-30 16:47 ` Laurent Pinchart
0 siblings, 1 reply; 3+ messages in thread
From: Peter Meerwald @ 2014-04-30 8:13 UTC (permalink / raw)
To: linux-media; +Cc: laurent.pinchart, sakari.ailus, stable, Peter Meerwald
isp_save_ctx() is called from omap3isp_put() after iommu_domain_free() in
the isp_probe() error path
[ 3.205047] Unable to handle kernel NULL pointer dereference at virtual address 0000003c
[ 3.213470] pgd = c0004000
[ 3.216308] [0000003c] *pgd=00000000
[ 3.220031] Internal error: Oops: 5 [#1] PREEMPT ARM
[ 3.225189] Modules linked in:
[ 3.228363] CPU: 0 Not tainted (3.7.10 #3)
[ 3.232971] PC is at omap2_iommu_save_ctx+0x0/0x34
[ 3.237945] LR is at omap_iommu_save_ctx+0x1c/0x24
[ 3.242919] pc : [<c0026a24>] lr : [<c02b5878>] psr: 60000113
...
[ 3.425109] [<c0026a24>] (omap2_iommu_save_ctx+0x0/0x34) from [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24)
[ 3.435150] [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24) from [<c027f39c>] (omap3isp_put+0x84/0xfc)
[ 3.444519] [<c027f39c>] (omap3isp_put+0x84/0xfc) from [<c0392b64>] (isp_probe+0x8d8/0xa60)
[ 3.453186] [<c0392b64>] (isp_probe+0x8d8/0xa60) from [<c01fa72c>] (platform_drv_probe+0x14/0x18)
[ 3.462402] [<c01fa72c>] (platform_drv_probe+0x14/0x18) from [<c01f982c>] (driver_probe_device+0xb0/0x1dc)
compare isp_remove(): isp->domain is set to NULL after iommu_domain_free()
above crash is observed with 3.7
the issue is fixed in 3.11 (7c0f812a5d65e712618af880dda4a5cc7ed79463),
but present in 3.10 longterm
Cc: stable@vger.kernel.org
Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
---
drivers/media/platform/omap3isp/isp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
index 1d7dbd5..a73d9d9 100644
--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -2287,6 +2287,7 @@ detach_dev:
iommu_detach_device(isp->domain, &pdev->dev);
free_domain:
iommu_domain_free(isp->domain);
+ isp->domain = NULL;
error_isp:
isp_xclk_cleanup(isp);
omap3isp_put(isp);
--
1.7.9.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path
2014-04-30 8:13 [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path Peter Meerwald
@ 2014-04-30 16:47 ` Laurent Pinchart
2014-05-05 13:06 ` Peter Meerwald
0 siblings, 1 reply; 3+ messages in thread
From: Laurent Pinchart @ 2014-04-30 16:47 UTC (permalink / raw)
To: Peter Meerwald; +Cc: linux-media, sakari.ailus, stable
Hi Peter,
Thank you for the patch.
On Wednesday 30 April 2014 10:13:30 Peter Meerwald wrote:
> isp_save_ctx() is called from omap3isp_put() after iommu_domain_free() in
> the isp_probe() error path
>
> [ 3.205047] Unable to handle kernel NULL pointer dereference at virtual
> address 0000003c [ 3.213470] pgd = c0004000
> [ 3.216308] [0000003c] *pgd=00000000
> [ 3.220031] Internal error: Oops: 5 [#1] PREEMPT ARM
> [ 3.225189] Modules linked in:
> [ 3.228363] CPU: 0 Not tainted (3.7.10 #3)
> [ 3.232971] PC is at omap2_iommu_save_ctx+0x0/0x34
> [ 3.237945] LR is at omap_iommu_save_ctx+0x1c/0x24
> [ 3.242919] pc : [<c0026a24>] lr : [<c02b5878>] psr: 60000113
> ...
> [ 3.425109] [<c0026a24>] (omap2_iommu_save_ctx+0x0/0x34) from
> [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24)
> [ 3.435150] [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24) from
> [<c027f39c>] (omap3isp_put+0x84/0xfc)
> [ 3.444519] [<c027f39c>] (omap3isp_put+0x84/0xfc) from [<c0392b64>]
> (isp_probe+0x8d8/0xa60)
> [ 3.453186] [<c0392b64>] (isp_probe+0x8d8/0xa60) from [<c01fa72c>]
> (platform_drv_probe+0x14/0x18)
> [ 3.462402] [<c01fa72c>] (platform_drv_probe+0x14/0x18) from [<c01f982c>]
> (driver_probe_device+0xb0/0x1dc)
>
> compare isp_remove(): isp->domain is set to NULL after iommu_domain_free()
>
> above crash is observed with 3.7
> the issue is fixed in 3.11 (7c0f812a5d65e712618af880dda4a5cc7ed79463),
> but present in 3.10 longterm
Would cherry-picking commit 7c0f812a5d65e712618af880dda4a5cc7ed79463 for the
3.10 stable series make sense instead ? Otherwise,
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
> ---
> drivers/media/platform/omap3isp/isp.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/media/platform/omap3isp/isp.c
> b/drivers/media/platform/omap3isp/isp.c index 1d7dbd5..a73d9d9 100644
> --- a/drivers/media/platform/omap3isp/isp.c
> +++ b/drivers/media/platform/omap3isp/isp.c
> @@ -2287,6 +2287,7 @@ detach_dev:
> iommu_detach_device(isp->domain, &pdev->dev);
> free_domain:
> iommu_domain_free(isp->domain);
> + isp->domain = NULL;
> error_isp:
> isp_xclk_cleanup(isp);
> omap3isp_put(isp);
--
Regards,
Laurent Pinchart
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path
2014-04-30 16:47 ` Laurent Pinchart
@ 2014-05-05 13:06 ` Peter Meerwald
0 siblings, 0 replies; 3+ messages in thread
From: Peter Meerwald @ 2014-05-05 13:06 UTC (permalink / raw)
To: Laurent Pinchart; +Cc: linux-media, sakari.ailus, stable
Hello,
> > isp_save_ctx() is called from omap3isp_put() after iommu_domain_free() in
> > the isp_probe() error path
> >
> > [ 3.205047] Unable to handle kernel NULL pointer dereference at virtual
> > address 0000003c [ 3.213470] pgd = c0004000
> > [ 3.216308] [0000003c] *pgd=00000000
> > [ 3.220031] Internal error: Oops: 5 [#1] PREEMPT ARM
> > [ 3.225189] Modules linked in:
> > [ 3.228363] CPU: 0 Not tainted (3.7.10 #3)
> > [ 3.232971] PC is at omap2_iommu_save_ctx+0x0/0x34
> > [ 3.237945] LR is at omap_iommu_save_ctx+0x1c/0x24
> > [ 3.242919] pc : [<c0026a24>] lr : [<c02b5878>] psr: 60000113
> > ...
> > [ 3.425109] [<c0026a24>] (omap2_iommu_save_ctx+0x0/0x34) from
> > [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24)
> > [ 3.435150] [<c02b5878>] (omap_iommu_save_ctx+0x1c/0x24) from
> > [<c027f39c>] (omap3isp_put+0x84/0xfc)
> > [ 3.444519] [<c027f39c>] (omap3isp_put+0x84/0xfc) from [<c0392b64>]
> > (isp_probe+0x8d8/0xa60)
> > [ 3.453186] [<c0392b64>] (isp_probe+0x8d8/0xa60) from [<c01fa72c>]
> > (platform_drv_probe+0x14/0x18)
> > [ 3.462402] [<c01fa72c>] (platform_drv_probe+0x14/0x18) from [<c01f982c>]
> > (driver_probe_device+0xb0/0x1dc)
> >
> > compare isp_remove(): isp->domain is set to NULL after iommu_domain_free()
> >
> > above crash is observed with 3.7
> > the issue is fixed in 3.11 (7c0f812a5d65e712618af880dda4a5cc7ed79463),
> > but present in 3.10 longterm
>
> Would cherry-picking commit 7c0f812a5d65e712618af880dda4a5cc7ed79463 for the
> 3.10 stable series make sense instead ? Otherwise,
>
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
7c0f812a5d65e712618af880dda4a5cc7ed79463 looks good as well for 3.10
longterm
thanks, p.
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
> > ---
> > drivers/media/platform/omap3isp/isp.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/media/platform/omap3isp/isp.c
> > b/drivers/media/platform/omap3isp/isp.c index 1d7dbd5..a73d9d9 100644
> > --- a/drivers/media/platform/omap3isp/isp.c
> > +++ b/drivers/media/platform/omap3isp/isp.c
> > @@ -2287,6 +2287,7 @@ detach_dev:
> > iommu_detach_device(isp->domain, &pdev->dev);
> > free_domain:
> > iommu_domain_free(isp->domain);
> > + isp->domain = NULL;
> > error_isp:
> > isp_xclk_cleanup(isp);
> > omap3isp_put(isp);
>
>
--
Peter Meerwald
+43-664-2444418 (mobile)
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-05-05 13:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-04-30 8:13 [PATCH] omap3isp: Fix iommu domain use-after-free in isp_probe() error path Peter Meerwald
2014-04-30 16:47 ` Laurent Pinchart
2014-05-05 13:06 ` Peter Meerwald
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).