lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <m3qzxyug1s.fsf@t19.piap.pl>
Date: Wed, 30 Jul 2025 12:30:23 +0200
From: Krzysztof Hałasa <khalasa@...p.pl>
To: Stefan Klug <stefan.klug@...asonboard.com>
Cc: Dafna Hirschfeld <dafna@...tmail.com>,  Laurent Pinchart
 <laurent.pinchart@...asonboard.com>,  Heiko Stuebner <heiko@...ech.de>,
  Paul Elder <paul.elder@...asonboard.com>,  Jacopo Mondi
 <jacopo.mondi@...asonboard.com>,  Ondrej Jirman <megi@....cz>,
  linux-media@...r.kernel.org,  linux-rockchip@...ts.infradead.org,
  linux-arm-kernel@...ts.infradead.org,  linux-kernel@...r.kernel.org
Subject: Re: FYI: i.MX8MP ISP (RKISP1) MI registers corruption

Hi,

still investigating the problem, but I can't see a simple way to work
around it.

It happens with the second ISP only, so the single camera setups (using
isp0) are immune.

The ISP MI (memory interface) register read operations are not
a problem, the workaround uses LDP instructions (for registers located
at addresses not on 32-byte boundary) or read multiple times and return
the most frequent result (fortunately the MI reads have no side
effects).

The writes are a problem, though. Especially writing to
RKISP1_CIF_MI_ICR register (address 0x32E21504) can (and does) corrupt
other MI registers, like RKISP1_CIF_MI_CTRL (0x32E21400):

Camera apps just started:
32E21400:   7A2001       20 3C180000   1FA400
32E21410:        0        0        0 3C200000
32E21420:    FD200        0        0        0
32E21470:        0    10001 3C0C0000   1FA400
32E21480:        0        0 3C140000    FD200
32E214F0:        0        0        1       3C
32E21540:        0        0        0  2000000
32E21550:      780        0        0        1
32E21560:        0      780      438   1FA400
32E21570:        0 1E1E00EF 1E2200E0        0

Video stream halted:
32E21400:  1000007       20 3C240000   1FA400
32E21410:        0        0        0 3C2C0000
32E21420:    FD200        0        0        0
32E21470:        0        0 3C0C0000   1FA400
32E21480:        0        0 3C140000    FD200
32E21490:    7E900        0        0        0
32E214F0:        0        0        1       7C
32E21500:        0        0        0        7
32E21540:        0        0        0  2000000
32E21550:      780        0        0        1
32E21560:        0      780      438   1FA400
32E21570:        0 1E060000 1E0A0000       77

Note that e.g. the 0x32E21400 register, MI_CTRL, has changed value from
the valid one (0x7A2001) to 0x1000007, which probably originated in
MI_MIS (and was to be written to MI_ICR).


It appears the problems are not constant, they manifest themselves in
maybe 10% of system boots. Once a system boots, the problems are either
present (and don't go away) or not.

It appears the ISP uses 3 clocks (+2 used by CSI receiver) - dump of
their CCM registers (Clock Control Module, IMX8MPRM page 227 and so on):
MEDIA_ISP           EN mux 7       post 0 SYSTEM_PLL2_DIV2 = 500 MHz
MEDIA_AXI           EN mux 1 pre 1 post 0 SYSTEM_PLL2_CLK / 2 = 500 MHz
MEDIA_APB           EN mux 2 pre 3 post 0 SYSTEM_PLL1_CLK / 4 = 200 MHz
MEDIA_MIPI_PHY1_REF EN mux 0 pre 0 post 0 24M_REF_CLK = 24 MHz
MEDIA_CAM2_PIX      EN mux 2 pre 0 post 0 SYSTEM_PLL2_DIV4 = 250 MHz

Now, it appears that in certain cases changing the MEDIA_APB
(MEDIA_APB_CLOCK_ROOT) "fixes" the problem (for current boot only), or
make it less (or more) visible. I'm changing the POST divider in
CCM_POST_ROOT21_SET register directly (the MEDIA_APB frequency is then
100 MHz):

0x30388A80 MEDIA_APB EN mux 2 pre 3 post 0 SYSTEM_PLL1_CLK / 4 = 200 MHz
# devmem write32 0x30388AA4 1
0x30388A80 MEDIA_APB EN mux 2 pre 3 post 1 SYSTEM_PLL1_CLK / 8 = 100 MHz

Examples - bad read counts from register 0x32E21400 (mi_ctrl)
per 10 millions of read operations:
POST=0 (default)  with POST=1
945               1
1448              2361
1088              2419
1842              2451
1333              0
67                5
2033              0
1                 8
13                16
2                 4
7                 0
1                 0
539               0
2605              0
1                 0
1723              1

I'm starting to run out of ideas.
-- 
Krzysztof "Chris" Hałasa

Sieć Badawcza Łukasiewicz
Przemysłowy Instytut Automatyki i Pomiarów PIAP
Al. Jerozolimskie 202, 02-486 Warszawa

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ