lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230828171007.GX14596@pendragon.ideasonboard.com>
Date:   Mon, 28 Aug 2023 20:10:07 +0300
From:   Laurent Pinchart <laurent.pinchart@...asonboard.com>
To:     Bryan O'Donoghue <bryan.odonoghue@...aro.org>
Cc:     rfoss@...nel.org, todor.too@...il.com, agross@...nel.org,
        andersson@...nel.org, konrad.dybcio@...aro.org, mchehab@...nel.org,
        hverkuil-cisco@...all.nl, sakari.ailus@...ux.intel.com,
        andrey.konovalov@...aro.org, linux-media@...r.kernel.org,
        linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH v2 3/9] media: qcom: camss: Fix vfe_get() error jump

Hi Bryan,

Thank you for the patch.

On Tue, Aug 22, 2023 at 09:06:20PM +0100, Bryan O'Donoghue wrote:
> Right now it is possible to do a vfe_get() with the internal reference
> count at 1. If vfe_check_clock_rates() returns non-zero then we will
> leave the reference count as-is and
> 
> run:
> - pm_runtime_put_sync()
> - vfe->ops->pm_domain_off()
> 
> skip:
> - camss_disable_clocks()
> 
> Subsequent vfe_put() calls will when the ref-count is non-zero
> unconditionally run:
> 
> - pm_runtime_put_sync()
> - vfe->ops->pm_domain_off()
> - camss_disable_clocks()
> 
> vfe_get() should not attempt to roll-back on error when the ref-count is
> non-zero as the upper layers will still do their own vfe_put() operations.
> 
> vfe_put() will drop the reference count and do the necessary power
> domain release, the cleanup jumps in vfe_get() should only be run when
> the ref-count is zero.
> 
> [   50.095796] CPU: 7 PID: 3075 Comm: cam Not tainted 6.3.2+ #80
> [   50.095798] Hardware name: LENOVO 21BXCTO1WW/21BXCTO1WW, BIOS N3HET82W (1.54 ) 05/26/2023
> [   50.095799] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [   50.095802] pc : refcount_warn_saturate+0xf4/0x148
> [   50.095804] lr : refcount_warn_saturate+0xf4/0x148
> [   50.095805] sp : ffff80000c7cb8b0
> [   50.095806] x29: ffff80000c7cb8b0 x28: ffff16ecc0e3fc10 x27: 0000000000000000
> [   50.095810] x26: 0000000000000000 x25: 0000000000020802 x24: 0000000000000000
> [   50.095813] x23: ffff16ecc7360640 x22: 00000000ffffffff x21: 0000000000000005
> [   50.095815] x20: ffff16ed175f4400 x19: ffffb4d9852942a8 x18: ffffffffffffffff
> [   50.095818] x17: ffffb4d9852d4a48 x16: ffffb4d983da5db8 x15: ffff80000c7cb320
> [   50.095821] x14: 0000000000000001 x13: 2e656572662d7265 x12: 7466612d65737520
> [   50.095823] x11: 00000000ffffefff x10: ffffb4d9850cebf0 x9 : ffffb4d9835cf954
> [   50.095826] x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000057fa8
> [   50.095829] x5 : ffff16f813fe3d08 x4 : 0000000000000000 x3 : ffff621e8f4d2000
> [   50.095832] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff16ed32119040
> [   50.095835] Call trace:
> [   50.095836]  refcount_warn_saturate+0xf4/0x148
> [   50.095838]  device_link_put_kref+0x84/0xc8
> [   50.095843]  device_link_del+0x38/0x58
> [   50.095846]  vfe_pm_domain_off+0x3c/0x50 [qcom_camss]
> [   50.095860]  vfe_put+0x114/0x140 [qcom_camss]
> [   50.095869]  csid_set_power+0x2c8/0x408 [qcom_camss]
> [   50.095878]  pipeline_pm_power_one+0x164/0x170 [videodev]
> [   50.095896]  pipeline_pm_power+0xc4/0x110 [videodev]
> [   50.095909]  v4l2_pipeline_pm_use+0x5c/0xa0 [videodev]
> [   50.095923]  v4l2_pipeline_pm_get+0x1c/0x30 [videodev]
> [   50.095937]  video_open+0x7c/0x100 [qcom_camss]
> [   50.095945]  v4l2_open+0x84/0x130 [videodev]
> [   50.095960]  chrdev_open+0xc8/0x250
> [   50.095964]  do_dentry_open+0x1bc/0x498
> [   50.095966]  vfs_open+0x34/0x40
> [   50.095968]  path_openat+0xb44/0xf20
> [   50.095971]  do_filp_open+0xa4/0x160
> [   50.095974]  do_sys_openat2+0xc8/0x188
> [   50.095975]  __arm64_sys_openat+0x6c/0xb8
> [   50.095977]  invoke_syscall+0x50/0x128
> [   50.095982]  el0_svc_common.constprop.0+0x4c/0x100
> [   50.095985]  do_el0_svc+0x40/0xa8
> [   50.095988]  el0_svc+0x2c/0x88
> [   50.095991]  el0t_64_sync_handler+0xf4/0x120
> [   50.095994]  el0t_64_sync+0x190/0x198
> [   50.095996] ---[ end trace 0000000000000000 ]---
> 
> Fixes: 779096916dae ("media: camss: vfe: Fix runtime PM imbalance on error")
> Cc: stable@...r.kernel.org
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@...aro.org>

Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>

> ---
>  drivers/media/platform/qcom/camss/camss-vfe.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/platform/qcom/camss/camss-vfe.c b/drivers/media/platform/qcom/camss/camss-vfe.c
> index dabfd613b2f94..938f373bcd1fd 100644
> --- a/drivers/media/platform/qcom/camss/camss-vfe.c
> +++ b/drivers/media/platform/qcom/camss/camss-vfe.c
> @@ -611,7 +611,7 @@ int vfe_get(struct vfe_device *vfe)
>  	} else {
>  		ret = vfe_check_clock_rates(vfe);
>  		if (ret < 0)
> -			goto error_pm_runtime_get;
> +			goto error_pm_domain;
>  	}
>  	vfe->power_count++;
>  

-- 
Regards,

Laurent Pinchart

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ