Re: Nokia N900: refcount_t underflow, use after free

From: Suman Anna
Date: Fri Mar 09 2018 - 18:08:11 EST
On 03/09/2018 04:18 PM, Pavel Machek wrote:
> On Fri 2018-03-09 16:13:36, Suman Anna wrote:
>> On 03/09/2018 06:08 AM, Robin Murphy wrote:
>>> On 08/03/18 18:50, Pavel Machek wrote:
>>>> Hi!
>>>>
>>>>>> * Pavel Machek <pavel@xxxxxx> [180308 14:31]:
>>>>>>> Hi!
>>>>>>>
>>>>>>> I'm getting this warning... Has anyone seen/debugged that before?
>>>>>>> Unfortunately the backtrace does not seem to be too useful :-(.
>>>>>>
>>>>>> Adding Suman to Cc, as it points to arm_iommu_release_mapping().
>>>>>
>>>>> Hmm, we need to find out if the failure paths in isp_probe() are
>>>>> mismatched, or if this is coming from some mismatch between the OMAP
>>>>> IOMMU driver and the DMA plumbing. AFAIK, the cleanup paths in this
>>>>
>>>> Well, camera only started to work on N900 pretty recently. Let me add
>>>> some debug printks...
>>>>
>>>> Camera does not work in 4.16.0-rc4-next-20180308-dirty.
>>>>
>>>> I see this. It looks like problem in isp error paths, indeed:
>>>
>>> Well, there certainly seems to be an obvious bug wherein
>>> isp_detach_iommu() just releases the mapping directly without calling
>>> arm_iommu_detach_device() to balance the equivalent attach. That can't
>>> be helping.
>>
>> Indeed, I have been able to reproduce the same warning using a
>> standalone test module, and the missing arm_iommu_detach_device() is
>> causing the warning after probe (during failure path) or during
>> remove.
>
> OK, do you have an idea how to fix the isp error paths? An untested patch
> would be fine... But it seems that you know what needs to be fixed and
> I don't.
>

OK, see if the following fixes the issue for you, only build tested.

8< ---------------------