Re: [PATCH 01/15] media: intel/ipu6: add Intel IPU6 PCI device driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2023-10-19 at 16:23 +0800, Bingbu Cao wrote:
> > 
> > Andreas,
> > 
> > On 10/16/23 5:39 PM, Andreas Helbech Kleist wrote:
> > > > On Tue, 2023-10-03 at 12:12 +0200, Andreas Helbech Kleist
> > > > wrote:
> > > > > > On Thu, 2023-07-27 at 15:15 +0800,
> > > > > > bingbu.cao@xxxxxxxxx wrote:
> > > > > > > > From: Bingbu Cao <bingbu.cao@xxxxxxxxx>
> > > > ...
> > > > > > > > +static void ipu6_pci_remove(struct pci_dev *pdev)
> > > > > > > > +{
> > > > > > ...
> > > > > > > > +       ipu6_bus_del_devices(pdev);
> > > > > > ...
> > > > > > > > +       ipu6_mmu_cleanup(isp->psys->mmu);
> > > > > > > > +       ipu6_mmu_cleanup(isp->isys->mmu);
> > > > > > 
> > > > > > I think ipu6_mmu_cleanup() should be done before
> > > > > > ipu6_bus_del_devices()
> > > > > > like in the ipu6_pci_probe() error path.
> > > > 
> > 
> > Thank you for pointing out this issue.
> > 
> > > > Scratch that, it also causes issues (because isys_remove frees
> > > > > > stuff in
> > > > the MMU).
> > 
> > What stuff in the mmu was freed in isys_remove()?

I don't recall exactly, but I think it might happen through the
dma_free_attrs() call.

You can reproduce the issue by using the
kernel/configs/x86_debug.config config fragment, loading the driver and
then unbinding the device with something like:

 echo -n 0000:00:03.0 > /sys/bus/pci/drivers/intel-ipu6/unbind

That should give you a use-after-free of isp->psys->mmu and isp->isys-
>mmu.

> > > > @@ -830,7 +832,7 @@ static void ipu6_pci_remove(struct pci_dev
> > > > > > *pdev)
> > > >         release_firmware(isp->cpd_fw);
> > > >  
> > > >         ipu6_mmu_cleanup(isp->psys->mmu);
> > > > -       ipu6_mmu_cleanup(isp->isys->mmu);
> > > > +       ipu6_mmu_cleanup(isys_mmu);


Looking at this again, the first line line above (isp->psys->mmu) is
also problematic because isp->psys has been freed by
ipu6_bus_del_devices as well.

/Andreas




[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]

  Powered by Linux