From: Mansur Alisha Shaik
To: linux-media@vger.kernel.org, stanimir.varbanov@linaro.org
Cc: linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org, vgarodia@codeaurora.org, Mansur Alisha Shaik
Subject: [PATCH 3/3] venus: handle use after free for iommu_map/iommu_unmap
Date: Thu, 6 Aug 2020 18:47:35 +0530
Message-Id: <1596719855-1725-4-git-send-email-mansur@codeaurora.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1596719855-1725-1-git-send-email-mansur@codeaurora.org>
References: <1596719855-1725-1-git-send-email-mansur@codeaurora.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In the concurrency use case and reboot scenario, we are trying to map
fw.iommu_domain, which is already unmapped during shutdown. This is
causing a NULL pointer dereference crash.

This case is handled by the necessary check before unmapping.

Call trace:
 __iommu_map+0x4c/0x348
 iommu_map+0x5c/0x70
 venus_boot+0x184/0x230 [venus_core]
 venus_sys_error_handler+0xa0/0x14c [venus_core]
 process_one_work+0x210/0x3d0
 worker_thread+0x248/0x3f4
 kthread+0x11c/0x12c
 ret_from_fork+0x10/0x18

Signed-off-by: Mansur Alisha Shaik
--- drivers/media/platform/qcom/venus/firmware.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/qcom/venus/firmware.c b/drivers/media/platform/qcom/venus/firmware.c index 8801a6a..d8cfa16 100644 --- a/drivers/media/platform/qcom/venus/firmware.c +++ b/drivers/media/platform/qcom/venus/firmware.c 
@@ -171,9 +171,14 @@ static int venus_shutdown_no_tz(struct venus_core *core) iommu = core->fw.iommu_domain; - unmapped = iommu_unmap(iommu, VENUS_FW_START_ADDR, mapped); - if (unmapped != mapped) - dev_err(dev, "failed to unmap firmware\n"); + if (core->fw.mapped_mem_size && iommu) { + unmapped = iommu_unmap(iommu, VENUS_FW_START_ADDR, mapped); + + if (unmapped != mapped) + dev_err(dev, "failed to unmap firmware\n"); + else + core->fw.mapped_mem_size = 0; + } return 0; } @@ -288,7 +293,11 @@ void venus_firmware_deinit(struct venus_core *core) iommu = core->fw.iommu_domain; iommu_detach_device(iommu, core->fw.dev); - iommu_domain_free(iommu); + + if (core->fw.iommu_domain) { + iommu_domain_free(iommu); + core->fw.iommu_domain = NULL; + } platform_device_unregister(to_platform_device(core->fw.dev)); } -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation
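
Review bot: In the venus_shutdown_no_tz() hunk, core->fw.mapped_mem_size is cleared only in the else branch, so when iommu_unmap() returns less than mapped the field keeps the old size and the next shutdown will try to unmap the full range again, part of which is already gone. Consider clearing the field, or storing the remaining size, on the error path as well. The test of mapped_mem_size and its later reset are also separate steps with no lock visible in this hunk; since the commit message names a concurrency use case, please state which lock serializes this function against the boot path, or take one here.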
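
Review bot: In the venus_firmware_deinit() hunk, iommu_detach_device(iommu, core->fw.dev) still runs unconditionally before the new "if (core->fw.iommu_domain)" check, so a second call after the pointer has been set to NULL passes a NULL domain to the detach. Move the detach inside the same if block, and test the local iommu there so the check and the free use the same variable. Separately, the call trace in the commit message faults in iommu_map() reached from venus_boot(), but neither hunk adds a check on the map side; once core->fw.iommu_domain is NULL that path would still be handed a NULL domain, so a matching check in the boot path (or an explanation of why it cannot be reached) is needed. The subject says use after free while the description says NULL pointer dereference; please make the two agree.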