iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
de15e6231e
linux/drivers/media/platform
History
Mansur Alisha Shaik de15e6231e media: venus: handle use after free for iommu_map/iommu_unmap 
In concurrency usecase and reboot scenario we are seeing muliple
crashes related to iommu_map/iommu_unamp of core->fw.iommu_domain.

In one case we are seeing "Unable to handle kernel NULL pointer
dereference at virtual address 0000000000000008" crash, this is
because of core->fw.iommu_domain in venus_firmware_deinit() and
trying to map in venus_boot() during venus_sys_error_handler()

Call trace:
 __iommu_map+0x4c/0x348
 iommu_map+0x5c/0x70
 venus_boot+0x184/0x230 [venus_core]
 venus_sys_error_handler+0xa0/0x14c [venus_core]
 process_one_work+0x210/0x3d0
 worker_thread+0x248/0x3f4
 kthread+0x11c/0x12c
 ret_from_fork+0x10/0x18

In second case we are seeing "Unable to handle kernel paging request
at virtual address 006b6b6b6b6b6b9b" crash, this is because of
unmapping iommu domain which is already unmapped.

Call trace:
 venus_remove+0xf8/0x108 [venus_core]
 venus_core_shutdown+0x1c/0x34 [venus_core]
 platform_drv_shutdown+0x28/0x34
 device_shutdown+0x154/0x1fc
 kernel_restart_prepare+0x40/0x4c
 kernel_restart+0x1c/0x64
 __arm64_sys_reboot+0x190/0x238
 el0_svc_common+0xa4/0x154
 el0_svc_compat_handler+0x2c/0x38
 el0_svc_compat+0x8/0x10

Signed-off-by: Mansur Alisha Shaik <mansur@codeaurora.org>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2020-11-17 06:54:59 +01:00
..
am437x media: use v4l2_rect_enclosed helper 2020-07-04 12:30:13 +02:00
atmel media: atmel: atmel-isc: rework component offsets 2020-07-19 07:55:39 +02:00
cadence media: Kconfig files: use select for V4L2 subdevs and MC 2020-04-14 10:29:05 +02:00
coda media: coda: Add a V4L2 user for control error macroblocks count 2020-11-16 10:31:16 +01:00
davinci media: isif: reset global state 2020-11-16 10:31:15 +01:00
exynos4-is media: exynos4-is: use semicolons rather than commas to separate statements 2020-11-16 10:31:07 +01:00
exynos-gsc media: Add V4L2_TYPE_IS_CAPTURE helper 2020-07-19 08:13:24 +02:00
marvell-ccic media: marvell-ccic: Fix -Wunused-function warnings 2020-11-16 10:31:07 +01:00
mtk-jpeg media: platform: add missing put_device() call in mtk_jpeg_probe() and mtk_jpeg_remove() 2020-11-16 10:31:16 +01:00
mtk-mdp media: mtk-mdp: Fix Null pointer dereference when calling list_add 2020-09-26 10:23:48 +02:00
mtk-vcodec media: mtk-vcodec: remove allocated dma_parms 2020-11-16 10:31:15 +01:00
mtk-vpu media: mtk-vpu: no need to check return value of debugfs_create functions 2020-09-01 14:13:26 +02:00
omap media: media/platform: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:54:14 +01:00
omap3isp media: omap3isp: Fix memleak in isp_probe 2020-09-10 14:09:25 +02:00
qcom media: venus: handle use after free for iommu_map/iommu_unmap 2020-11-17 06:54:59 +01:00
rcar-vin media: rcar-csi2: Set bus type when parsing fwnode 2020-11-16 10:31:14 +01:00
rockchip/rga media: rockchip/rga: Fix a reference count leak. 2020-09-27 10:52:34 +02:00
s3c-camif media: s3c-camif: use semicolons rather than commas to separate statements 2020-11-16 10:31:06 +01:00
s5p-g2d media: s5p-g2d: Fix a memory leak in an error handling path in 'g2d_probe()' 2020-07-19 08:14:00 +02:00
s5p-jpeg media: use v4l2_rect_enclosed helper 2020-07-04 12:30:13 +02:00
s5p-mfc media: platform: s5p-mfc: Fix adding a standard frame skip mode control 2020-10-01 09:27:47 +02:00
sti media: st-delta: Fix reference count leak in delta_run_work 2020-09-27 10:56:07 +02:00
stm32 media: stm32-dcmi: add 8-bit Bayer formats support 2020-11-16 10:31:15 +01:00
sunxi media: sun4i-csi: use semicolons rather than commas to separate statements 2020-11-16 10:31:06 +01:00
ti-vpe media: ti-vpe: Fix a missing check and reference count leak 2020-09-27 10:54:11 +02:00
vsp1 drm next for 5.10-rc1 2020-10-15 10:46:16 -07:00
xilinx media: v4l: xilinx: Add Xilinx MIPI CSI-2 Rx Subsystem driver 2020-06-23 13:11:46 +02:00
aspeed-video.c media: media/platform: drop vb2_queue_release() 2020-08-28 15:02:26 +02:00
fsl-viu.c media: Bulk remove BUG_ON(in_interrupt()) 2020-11-16 10:31:10 +01:00
imx-pxp.c media: media/platform: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:54:14 +01:00
imx-pxp.h
Kconfig media: rcar-fcp: Update description for VIDEO_RENESAS_FCP Kconfig entry 2020-09-26 10:54:05 +02:00
m2m-deinterlace.c media: media/platform: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:54:14 +01:00
Makefile media: media: sh_veu: Remove driver 2020-05-14 14:34:38 +02:00
mx2_emmaprp.c media: mx2_emmaprp: Fix memleak in emmaprp_probe 2020-09-26 10:15:39 +02:00
pxa_camera.c media: pxa_camera: Use fallthrough pseudo-keyword 2020-11-16 10:31:09 +01:00
rcar_drif.c media: rcar_drif: Allocate v4l2_async_subdev dynamically 2020-09-10 14:27:04 +02:00
rcar_fdp1.c media: media/platform: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:54:14 +01:00
rcar_jpu.c media: Add V4L2_TYPE_IS_CAPTURE helper 2020-07-19 08:13:24 +02:00
rcar-fcp.c media: platform: fcp: Fix a reference count leak. 2020-09-27 10:52:52 +02:00
renesas-ceu.c media: Use fallthrough pseudo-keyword 2020-08-29 08:35:27 +02:00
sh_vou.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
via-camera.c Power management updates for 5.7-rc1 2020-03-30 15:05:01 -07:00
via-camera.h
video-mux.c media: video-mux: Create media links in bound notifier 2020-05-18 14:20:56 +02:00