| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <14d0d257-a5c3-222e-137d-4991482c6fb4@gmail.com>
Date: Tue, 25 Apr 2017 21:15:15 +0200
From: Jacek Anaszewski <jacek.anaszewski@...il.com>
To: Alexandre Courbot <acourbot@...omium.org>,
Andrzej Pietrasiewicz <andrzej.p@...sung.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] [media] s5p-jpeg: fix recursive spinlock acquisition
Hi Alexandre,
Thanks for the patch.
On 04/25/2017 08:19 AM, Alexandre Courbot wrote:
> v4l2_m2m_job_finish(), which is called from the interrupt handler with
> slock acquired, can call the device_run() hook immediately if another
> context was in the queue. This hook also acquires slock, resulting in
> a deadlock for this scenario.
>
> Fix this by releasing slock right before calling v4l2_m2m_job_finish().
> This is safe to do as the state of the hardware cannot change before
> v4l2_m2m_job_finish() is called anyway.
>
> Signed-off-by: Alexandre Courbot <acourbot@...omium.org>
> ---
> drivers/media/platform/s5p-jpeg/jpeg-core.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c
> index 52dc7941db65..223b4379929e 100644
> --- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
> +++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
> @@ -2642,13 +2642,13 @@ static irqreturn_t s5p_jpeg_irq(int irq, void *dev_id)
> if (curr_ctx->mode == S5P_JPEG_ENCODE)
> vb2_set_plane_payload(&dst_buf->vb2_buf, 0, payload_size);
> v4l2_m2m_buf_done(dst_buf, state);
> - v4l2_m2m_job_finish(jpeg->m2m_dev, curr_ctx->fh.m2m_ctx);
>
> curr_ctx->subsampling = s5p_jpeg_get_subsampling_mode(jpeg->regs);
> spin_unlock(&jpeg->slock);
>
> s5p_jpeg_clear_int(jpeg->regs);
>
> + v4l2_m2m_job_finish(jpeg->m2m_dev, curr_ctx->fh.m2m_ctx);
> return IRQ_HANDLED;
> }
>
> @@ -2707,11 +2707,12 @@ static irqreturn_t exynos4_jpeg_irq(int irq, void *priv)
> v4l2_m2m_buf_done(dst_vb, VB2_BUF_STATE_ERROR);
> }
>
> - v4l2_m2m_job_finish(jpeg->m2m_dev, curr_ctx->fh.m2m_ctx);
> if (jpeg->variant->version == SJPEG_EXYNOS4)
> curr_ctx->subsampling = exynos4_jpeg_get_frame_fmt(jpeg->regs);
>
> spin_unlock(&jpeg->slock);
> +
> + v4l2_m2m_job_finish(jpeg->m2m_dev, curr_ctx->fh.m2m_ctx);
> return IRQ_HANDLED;
> }
>
> @@ -2770,10 +2771,15 @@ static irqreturn_t exynos3250_jpeg_irq(int irq, void *dev_id)
> if (curr_ctx->mode == S5P_JPEG_ENCODE)
> vb2_set_plane_payload(&dst_buf->vb2_buf, 0, payload_size);
> v4l2_m2m_buf_done(dst_buf, state);
> - v4l2_m2m_job_finish(jpeg->m2m_dev, curr_ctx->fh.m2m_ctx);
>
> curr_ctx->subsampling =
> exynos3250_jpeg_get_subsampling_mode(jpeg->regs);
> +
> + spin_unlock(&jpeg->slock);
> +
> + v4l2_m2m_job_finish(jpeg->m2m_dev, curr_ctx->fh.m2m_ctx);
> + return IRQ_HANDLED;
> +
> exit_unlock:
> spin_unlock(&jpeg->slock);
> return IRQ_HANDLED;
>
Acked-by: Jacek Anaszewski <jacek.anaszewski@...il.com>
Just out of curiosity - could you share how you discovered the problem -
by some static checkers or trying to use the driver?
--
Best regards,
Jacek Anaszewski
Powered by blists - more mailing lists