lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180308185046.GA22796@amd>
Date:   Thu, 8 Mar 2018 19:50:47 +0100
From:   Pavel Machek <pavel@....cz>
To:     Suman Anna <s-anna@...com>
Cc:     Tony Lindgren <tony@...mide.com>, pali.rohar@...il.com,
        sre@...nel.org, kernel list <linux-kernel@...r.kernel.org>,
        linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
        linux-omap@...r.kernel.org, khilman@...nel.org,
        aaro.koskinen@....fi, ivo.g.dimitrov.75@...il.com,
        patrikbachan@...il.com, serge@...lyn.com, abcloriens@...il.com,
        clayton@...ftyguy.net, martijn@...xit.nl,
        sakari.ailus@...ux.intel.com,
        Filip Matijević <filip.matijevic.pz@...il.com>
Subject: Re: Nokia N900: refcount_t underflow, use after free

Hi!

> > * Pavel Machek <pavel@....cz> [180308 14:31]:
> >> Hi!
> >>
> >> I'm getting this warning... Has anyone seen/debugged that before?
> >> Unfortunately the backtrace does not seem to be too useful :-(.
> > 
> > Adding Suman to Cc, as it points to arm_iommu_release_mapping().
> 
> Hmm, we need to find out if the failure paths in isp_probe() are
> mismatched, or if this is coming from some mismatch between the OMAP
> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this

Well, camera only started to work on N900 pretty recently. Let me add
some debug printks...

Camera does not work in 4.16.0-rc4-next-20180308-dirty.

I see this. It looks like problem in isp error paths, indeed:

[    1.672210] bus: 'platform': driver_probe_device: matched device
480bc000.isp with dr
iver omap3isp
[    1.681976] isp_probe: 1
[    1.684906] isp_probe: 2
[    1.687591] isp_probe: 3
[    1.690338] isp_probe: 4
[    1.693054] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy1
not found, using d
ummy regulator
[    1.702728] omap3isp 480bc000.isp: 480bc000.isp supply vdd-csiphy2
not found, using d
ummy regulator
[    1.712402] isp_probe: 5
[    1.715393] omap3isp 480bc000.isp: Revision 2.0 found
[    1.720794] isp_probe: 6
[    1.723815] isp_probe: 7
[    1.726715] omap-iommu 480bd400.mmu: 480bd400.mmu: version 1.1
[    1.732849] isp_probe: 8
[    1.735656] isp_probe: 9
[    1.738403] isp_probe: 10
[    1.741241] isp_probe: f3
[    1.744018] iommu_release_mapping... ce4d9500 ce4d949c
[    1.749450] iommu_release_mapping... ok
[    1.753479] isp_probe: f4
[    1.756286] clk_unregister: unregistering prepared clock: cam_xclka
[    1.762878] clk_unregister: unregistering prepared clock: cam_xclkb
[    1.769500] isp_probe: f5
[    1.772430] iommu_release_mapping... ce4d9500 ce4d949c
[    1.777862] ------------[ cut here ]------------
[    1.782745] WARNING: CPU: 0 PID: 1 at lib/refcount.c:187
refcount_sub_and_test+0x94/0
xa8
[    1.791290] refcount_t: underflow; use-after-free.
[    1.796356] Modules linked in:
[    1.799591] CPU: 0 PID: 1 Comm: swapper Not tainted
4.16.0-rc4-next-20180308-dirty #7
3
[    1.807922] Hardware name: Nokia RX-51 board
[    1.812469] [<c010d6cc>] (unwind_backtrace) from [<c010b568>]
(show_stack+0x10/0x14)
[    1.820648] [<c010b568>] (show_stack) from [<c0127df4>]
(__warn+0xe8/0x110)
...
[    1.968688] iommu_release_mapping... ok
[    1.973754] bus: 'platform': driver_probe_device: matched device
n900-battery with driver rx51-battery
[    1.984436] bus: 'platform': driver_probe_device: matched device
48002524.bandgap with driver ti-soc-thermal

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index 8c398fe..16f4c69 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -2251,8 +2251,11 @@ static int extend_iommu_mapping(struct dma_iommu_mapping *mapping)
 
 void arm_iommu_release_mapping(struct dma_iommu_mapping *mapping)
 {
+	printk("iommu_release_mapping... %lx %lx\n", mapping, mapping->domain);
 	if (mapping)
 		kref_put(&mapping->kref, release_iommu_mapping);
+	printk("iommu_release_mapping... ok\n");
+	
 }
 EXPORT_SYMBOL_GPL(arm_iommu_release_mapping);
 
diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
index 8eb000e..4d58683 100644
--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -2193,12 +2193,14 @@ static int isp_probe(struct platform_device *pdev)
 	int ret;
 	int i, m;
 
+	printk("isp_probe: 1\n");
 	isp = devm_kzalloc(&pdev->dev, sizeof(*isp), GFP_KERNEL);
 	if (!isp) {
 		dev_err(&pdev->dev, "could not allocate memory\n");
 		return -ENOMEM;
 	}
 
+		printk("isp_probe: 2\n");
 	ret = fwnode_property_read_u32(of_fwnode_handle(pdev->dev.of_node),
 				       "ti,phy-type", &isp->phy_type);
 	if (ret)
@@ -2219,6 +2221,8 @@ static int isp_probe(struct platform_device *pdev)
 	mutex_init(&isp->isp_mutex);
 	spin_lock_init(&isp->stat_lock);
 
+			printk("isp_probe: 3\n");
+
 	ret = v4l2_async_notifier_parse_fwnode_endpoints(
 		&pdev->dev, &isp->notifier, sizeof(struct isp_async_subdev),
 		isp_fwnode_parse);
@@ -2232,6 +2236,7 @@ static int isp_probe(struct platform_device *pdev)
 	if (ret)
 		goto error;
 
+				printk("isp_probe: 4\n");
 	platform_set_drvdata(pdev, isp);
 
 	/* Regulators */
@@ -2258,6 +2263,7 @@ static int isp_probe(struct platform_device *pdev)
 			return PTR_ERR(isp->mmio_base[map_idx]);
 	}
 
+	printk("isp_probe: 5\n");
 	ret = isp_get_clocks(isp);
 	if (ret < 0)
 		goto error;
@@ -2277,6 +2283,7 @@ static int isp_probe(struct platform_device *pdev)
 		goto error;
 	}
 
+		printk("isp_probe: 6\n");
 	ret = isp_reset(isp);
 	if (ret < 0)
 		goto error_isp;
@@ -2306,6 +2313,7 @@ static int isp_probe(struct platform_device *pdev)
 			isp->mmio_base[OMAP3_ISP_IOMEM_CSI2A_REGS1]
 			+ isp_res_maps[m].offset[i];
 
+		printk("isp_probe: 7\n");
 	isp->mmio_hist_base_phys =
 		mem->start + isp_res_maps[m].offset[OMAP3_ISP_IOMEM_HIST];
 
@@ -2316,6 +2324,8 @@ static int isp_probe(struct platform_device *pdev)
 		goto error_isp;
 	}
 
+		printk("isp_probe: 8\n");
+
 	/* Interrupt */
 	ret = platform_get_irq(pdev, 0);
 	if (ret <= 0) {
@@ -2325,6 +2335,7 @@ static int isp_probe(struct platform_device *pdev)
 	}
 	isp->irq_num = ret;
 
+			printk("isp_probe: 9\n");
 	if (devm_request_irq(isp->dev, isp->irq_num, isp_isr, IRQF_SHARED,
 			     "OMAP3 ISP", isp)) {
 		dev_err(isp->dev, "Unable to request IRQ\n");
@@ -2332,6 +2343,7 @@ static int isp_probe(struct platform_device *pdev)
 		goto error_iommu;
 	}
 
+				printk("isp_probe: 10\n");
 	/* Entities */
 	ret = isp_initialize_modules(isp);
 	if (ret < 0)
@@ -2345,27 +2357,35 @@ static int isp_probe(struct platform_device *pdev)
 	if (ret < 0)
 		goto error_register_entities;
 
+					printk("isp_probe: 11\n");
 	isp->notifier.ops = &isp_subdev_notifier_ops;
 
 	ret = v4l2_async_notifier_register(&isp->v4l2_dev, &isp->notifier);
 	if (ret)
 		goto error_register_entities;
 
+					printk("isp_probe: 12\n");	
 	isp_core_init(isp, 1);
+					printk("isp_probe: 13\n");		
 	omap3isp_put(isp);
 
 	return 0;
 
 error_register_entities:
+					printk("isp_probe: f1\n");		
 	isp_unregister_entities(isp);
 error_modules:
+						printk("isp_probe: f2\n");		
 	isp_cleanup_modules(isp);
 error_iommu:
+							printk("isp_probe: f3\n");		
 	isp_detach_iommu(isp);
 error_isp:
+							printk("isp_probe: f4\n");		
 	isp_xclk_cleanup(isp);
 	__omap3isp_put(isp, false);
 error:
+						printk("isp_probe: f5\n");			
 	v4l2_async_notifier_cleanup(&isp->notifier);
 	mutex_destroy(&isp->isp_mutex);
 


-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ