From patchwork Wed Jun 22 00:22:29 2016
X-Patchwork-Submitter: Shuah Khan
X-Patchwork-Id: 9191565
From: Shuah Khan
To: kyungmin.park@samsung.com, k.debski@samsung.com, jtp.park@samsung.com, mchehab@kernel.org
Subject: [PATCH] media: s5p-mfc fix null pointer deference in clk_core_enable()
Date: Tue, 21 Jun 2016 18:22:29 -0600
Message-Id: <1466554949-12018-1-git-send-email-shuahkh@osg.samsung.com>
Cc: linux-kernel@vger.kernel.org, shuah@kernel.org, Shuah Khan, linux-arm-kernel@lists.infradead.org, linux-media@vger.kernel.org

Fix null pointer dereference in clk_core_enable() when driver unbind is run when an application has an active pipeline playing. At this point, the system hangs and needs to be power cycled.

s5p_mfc_release() gets called after s5p_mfc_final_pm() disables and does clk_put(), and s5p_mfc_release() attempts to enable the clock and runs into a null pointer dereference accessing an invalid pointer.

With this fix, the null pointer dereference is fixed and there is no hang.

Run unbind while the following pipeline is playing:

gst-launch-1.0 filesrc location=/home/odroid/GH3_MOV_HD.mp4 ! qtdemux ! h264parse ! v4l2video4dec ! videoconvert ! autovideosink

[ 4869.434709] Unable to handle kernel NULL pointer dereference at virtual addr0
[ 4869.441312] pgd = e91ac000
[ 4869.443996] [00000010] *pgd=ba4f7835
[ 4869.447552] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 4869.452921] Modules linked in: cpufreq_userspace cpufreq_powersave cpufreq_ca
[ 4869.471728] CPU: 4 PID: 2965 Comm: lt-gst-launch-1 Not tainted 4.7.0-rc2-nex0
[ 4869.481778] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[ 4869.487844] task: e91f1e00 ti: ed650000 task.ti: ed650000
[ 4869.493227] PC is at clk_core_enable+0x4c/0x98
[ 4869.497637] LR is at clk_core_enable+0x40/0x98
[ 4869.502056] pc : [] lr : [] psr: 60060093
[ 4869.502056] sp : ed651f18 ip : 00000000 fp : 002641b4
[ 4869.513493] r10: e9088c08 r9 : 00000008 r8 : ed676d68
[ 4869.518692] r7 : ee3ac000 r6 : bf16b3c0 r5 : a0060013 r4 : ee37a8c0
[ 4869.525191] r3 : 00000000 r2 : 00000001 r1 : 00000004 r0 : 00000000
[ 4869.531692] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment noe
[ 4869.538883] Control: 10c5387d Table: 691ac06a DAC: 00000051
[ 4869.544603] Process lt-gst-launch-1 (pid: 2965, stack limit = 0xed650210)
[ 4869.551361] Stack: (0xed651f18 to 0xed652000)
[ 4869.555694] 1f00: ee373
[ 4869.563841] 1f20: bf16b3c0 c055a0e0 ee3ac004 ed676c10 bf16b3c0 bf1558e0 e9080
[ 4869.571986] 1f40: 00000000 ee98a510 ee502e40 bf047344 e9088c00 ee986938 00004
[ 4869.580132] 1f60: 00000000 00000000 e91f2204 00000000 c0b4658c e91f1e00 c0100
[ 4869.588277] 1f80: 00000000 c0135c58 ed650000 c0107904 ed651fb0 00000006 c0104
[ 4869.596423] 1fa0: 00229500 b6581000 b6f7b544 c0107794 00000000 00000002 b6f90
[ 4869.604568] 1fc0: 00229500 b6581000 b6f7b544 00000006 0017b600 0002c038 00264
[ 4869.612714] 1fe0: 00000000 bee56ef0 00000000 b6d49612 00060030 00000006 00000
[ 4869.620865] [] (clk_core_enable) from [] (clk_enable+0x2)
[ 4869.628509] [] (clk_enable) from [] (s5p_mfc_release+0x3)
[ 4869.637111] [] (s5p_mfc_release [s5p_mfc]) from [] (v4l2)
[ 4869.646706] [] (v4l2_release
[videodev]) from [] (__fput)
[ 4869.654745] [] (__fput) from [] (task_work_run+0x94/0xc8)
[ 4869.661852] [] (task_work_run) from [] (do_work_pending+)
[ 4869.669735] [] (do_work_pending) from [] (slow_work_pend)
[ 4869.677878] Code: ebffffef e3500000 18bd8070 e5943004 (e5933010)

Signed-off-by: Shuah Khan
---
 drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c index d011f30..d88f1ba 100644 --- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c @@ -76,8 +76,10 @@ int s5p_mfc_init_pm(struct s5p_mfc_dev *dev) err_s_clk: clk_put(pm->clock); + pm->clock = NULL; err_p_ip_clk: clk_put(pm->clock_gate); + pm->clock_gate = NULL; err_g_ip_clk: return ret; } @@ -88,9 +90,11 @@ void s5p_mfc_final_pm(struct s5p_mfc_dev *dev) !IS_ERR_OR_NULL(pm->clock)) { clk_disable_unprepare(pm->clock); clk_put(pm->clock); + pm->clock = NULL; } clk_unprepare(pm->clock_gate); clk_put(pm->clock_gate); + pm->clock_gate = NULL; #ifdef CONFIG_PM pm_runtime_disable(pm->device); #endif @@ -98,12 +102,13 @@ void s5p_mfc_final_pm(struct s5p_mfc_dev *dev) int s5p_mfc_clock_on(void) { - int ret; + int ret = 0; #ifdef CLK_DEBUG atomic_inc(&clk_ref); mfc_debug(3, "+ %d\n", atomic_read(&clk_ref)); #endif - ret = clk_enable(pm->clock_gate); + if (!IS_ERR_OR_NULL(pm->clock_gate)) + ret = clk_enable(pm->clock_gate); return ret; } @@ -113,7 +118,8 @@ void s5p_mfc_clock_off(void) atomic_dec(&clk_ref); mfc_debug(3, "- %d\n", atomic_read(&clk_ref)); #endif - clk_disable(pm->clock_gate); + if (!IS_ERR_OR_NULL(pm->clock_gate)) + clk_disable(pm->clock_gate); } int s5p_mfc_power_on(void)
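
Review bot: In the s5p_mfc_init_pm() hunk (@@ -76,8 +76,10), the commit message gives no reason for clearing pm->clock and pm->clock_gate under err_s_clk and err_p_ip_clk; it describes only the unbind case that goes through s5p_mfc_final_pm(). Please add a sentence saying the error labels are changed so that a failed init leaves both pointers in the state the new IS_ERR_OR_NULL() tests in s5p_mfc_clock_on() and s5p_mfc_clock_off() expect, or move these two lines to a separate patch.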
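
Review bot: In the s5p_mfc_final_pm() hunk (@@ -88,9 +90,11), pm->clock_gate is put and then cleared with nothing in the visible lines that serializes this against s5p_mfc_clock_on() and s5p_mfc_clock_off(), which now test the same pointer. A caller that passes the IS_ERR_OR_NULL() test just before clk_put(pm->clock_gate) runs still passes a released clk to clk_enable(), so the guards narrow the s5p_mfc_release()-after-s5p_mfc_final_pm() window from the commit message rather than close it. Consider making teardown wait until open instances have been released, or protecting the pointer with a lock. Separately, pm->clock is guarded by !IS_ERR_OR_NULL() in this function while clk_unprepare(pm->clock_gate) is called unguarded; the two should be handled the same way.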
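
Review bot: In the s5p_mfc_clock_on() hunk (@@ -98,12 +102,13), initializing ret to 0 and skipping clk_enable() means the function reports success when pm->clock_gate is NULL or an error pointer, so the caller carries on as if the clock were running. Return an error on the skipped path, and log it, so that s5p_mfc_release() and other callers can avoid touching the hardware once the clocks are gone.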
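
Review bot: In the s5p_mfc_clock_off() hunk (@@ -113,7 +118,8), atomic_dec(&clk_ref) and the mfc_debug() line sit above the new guard, so with CLK_DEBUG the counter changes even when clk_disable() is skipped and no longer tracks the real enable count; the same applies to atomic_inc(&clk_ref) in s5p_mfc_clock_on(). Move the debug accounting inside the if, or print a debug message on the skipped path so that a clock_off after teardown shows up in the log.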