From: Mansur Alisha Shaik
To: linux-media@vger.kernel.org, stanimir.varbanov@linaro.org
Cc: linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org, vgarodia@codeaurora.org, Mansur Alisha Shaik
Subject: [PATCH v2 3/3] venus: handle use after free for iommu_map/iommu_unmap
Date: Thu, 10 Sep 2020 18:14:16 +0530
Message-Id: <1599741856-16239-4-git-send-email-mansur@codeaurora.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1599741856-16239-1-git-send-email-mansur@codeaurora.org>
References: <1599741856-16239-1-git-send-email-mansur@codeaurora.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In concurrency usecase and reboot scenario we are seeing multiple
crashes related to iommu_map/iommu_unmap of core->fw.iommu_domain.

In one case we are seeing "Unable to handle kernel NULL pointer
dereference at virtual address 0000000000000008" crash, this is
because of core->fw.iommu_domain in venus_firmware_deinit() and
trying to map in venus_boot() during venus_sys_error_handler()

Call trace:
 __iommu_map+0x4c/0x348
 iommu_map+0x5c/0x70
 venus_boot+0x184/0x230 [venus_core]
 venus_sys_error_handler+0xa0/0x14c [venus_core]
 process_one_work+0x210/0x3d0
 worker_thread+0x248/0x3f4
 kthread+0x11c/0x12c
 ret_from_fork+0x10/0x18

In second case we are seeing "Unable to handle kernel paging request
at virtual address 006b6b6b6b6b6b9b" crash, this is because of
unmapping iommu domain which is already unmapped.

Call trace:
 venus_remove+0xf8/0x108 [venus_core]
 venus_core_shutdown+0x1c/0x34 [venus_core]
 platform_drv_shutdown+0x28/0x34
 device_shutdown+0x154/0x1fc
 kernel_restart_prepare+0x40/0x4c
 kernel_restart+0x1c/0x64
 __arm64_sys_reboot+0x190/0x238
 el0_svc_common+0xa4/0x154
 el0_svc_compat_handler+0x2c/0x38
 el0_svc_compat+0x8/0x10

Signed-off-by: Mansur Alisha Shaik --- Changes in V2: - Addressed review comments by stan - Elaborated commit message drivers/media/platform/qcom/venus/firmware.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/qcom/venus/firmware.c b/drivers/media/platform/qcom/venus/firmware.c index 8801a6a..c427e88 100644 --- a/drivers/media/platform/qcom/venus/firmware.c +++ b/drivers/media/platform/qcom/venus/firmware.c @@ -171,9 +171,14 @@ static int venus_shutdown_no_tz(struct venus_core *core) iommu = core->fw.iommu_domain; - unmapped = iommu_unmap(iommu, VENUS_FW_START_ADDR, mapped); - if (unmapped != mapped) - dev_err(dev, "failed to unmap firmware\n"); + if (core->fw.mapped_mem_size && iommu) { + unmapped = iommu_unmap(iommu, VENUS_FW_START_ADDR, mapped); + + if (unmapped != mapped) + dev_err(dev, "failed to unmap firmware\n"); + else + core->fw.mapped_mem_size = 0; + } return 0; } @@ -288,7 +293,11 @@ void venus_firmware_deinit(struct venus_core *core) iommu = core->fw.iommu_domain; iommu_detach_device(iommu, core->fw.dev); - iommu_domain_free(iommu); + + if (core->fw.iommu_domain) { + iommu_domain_free(iommu); + core->fw.iommu_domain = NULL; + } platform_device_unregister(to_platform_device(core->fw.dev)); } -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation
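
Review bot: In the venus_shutdown_no_tz() hunk, the new guard `if (core->fw.mapped_mem_size && iommu)` is a plain test followed by the unmap and the later `core->fw.mapped_mem_size = 0`, with no lock in the visible lines, although the commit message attributes the crashes to concurrent and reboot paths. Two callers can both pass the test before either clears the size, so the double unmap is narrowed rather than excluded; consider holding whatever lock serializes venus_boot() and the shutdown path around both the check and the clear. Separately, when `unmapped != mapped` the size stays set, so the next call retries iommu_unmap() over the full range; a comment saying whether that retry is intended would help.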
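
Review bot: In the venus_firmware_deinit() hunk, `iommu_detach_device(iommu, core->fw.dev);` still runs before the new `if (core->fw.iommu_domain)` test, so a second call made after `core->fw.iommu_domain = NULL` passes a NULL domain to the detach. Move the detach inside the guard, or return early when the domain is NULL, and test the local `iommu` that was just loaded instead of re-reading the field. `platform_device_unregister()` after the guard is also unconditional, so a repeated deinit still unregisters twice. Neither hunk adds a NULL check on the map side shown in the first call trace; if venus_boot() does not already have one, it would be handed the NULL domain this hunk now stores.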