Date:	Tue, 03 Feb 2009 17:14:40 -0800
From:	Daniel Walker <dwalker@...o99.com>
To:	Luca Olivetti <luca@...toso.org>
Cc:	Ingo Molnar <mingo@...e.hu>, Greg KH <gregkh@...e.de>,
	Mauro Carvalho Chehab <mchehab@...radead.org>,
	linux-kernel@...r.kernel.org, Hans Verkuil <hverkuil@...all.nl>,
	Janne Grunau <janne-dvb@...nau.be>
Subject: Re: [crash] af9005_usb_module_init(): BUG: unable to handle kernel
	paging request at ff100000

On Tue, 2009-02-03 at 21:41 +0100, Luca Olivetti wrote:

> No, I don't have 2.6.28, but I guess that maybe once usb_register is
> called the dvb-usb subsystem asynchronously (is that an smp system?)
> starts polling the remote before the rc_decode function pointer has been
> initialized.
> Could you try to initialize it to NULL before calling usb_register?

What happens to the decode function when you have,

CONFIG_DVB_USB_AF9005=y
CONFIG_DVB_USB_AF9005_REMOTE=n

It seems that the decode function is defined inside,
drivers/media/dvb/dvb-usb/af9005-remote.c

but that doesn't get compiled in the case above. It looks like you end
up with af9005_rc_decode being a function local weak symbol
(uninitialized) which then gets assigned to rc_decode .. I think the
crash actually happens on rc_keys_size which gets assigned another
uninitialized local, and it gets dereferenced.

Here's a patch I compile tested, and I think it would fix the issue.

--

The Afatech AF9005 uses some functions and variables from the optional
remote code. If the remote code is disabled it's possible the kernel
could crash while accessing the missing variables. This patch adds ifdefs
to remove any usage of the remote variables when the remote isn't
compiled.

Signed-off-by: Daniel Walker <dwalker@...o99.com>

diff --git a/drivers/media/dvb/dvb-usb/af9005.c b/drivers/media/dvb/dvb-usb/af9005.c
index ca5a0a4..69b9b1b 100644
--- a/drivers/media/dvb/dvb-usb/af9005.c
+++ b/drivers/media/dvb/dvb-usb/af9005.c
@@ -41,11 +41,17 @@ MODULE_PARM_DESC(dump_eeprom, "dump contents of the eeprom.");
 
 DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
 
+#ifdef CONFIG_DVB_USB_AF9005_REMOTE
 /* remote control decoder */
 static int (*rc_decode) (struct dvb_usb_device *d, u8 *data, int len,
 		u32 *event, int *state);
 static void *rc_keys;
 static int *rc_keys_size;
+#else
+static inline int
+rc_decode(struct dvb_usb_device *d, u8 *data,
+	int len, u32 *event, int *state) { return 0; }
+#endif
 
 u8 regmask[8] = { 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f, 0xff };
 
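Review bot: The guard `#ifdef CONFIG_DVB_USB_AF9005_REMOTE` at the top of this hunk is only true when the option is built in (=y). If the remote decoder can be built as a module, kbuild defines CONFIG_DVB_USB_AF9005_REMOTE_MODULE instead, and this build would drop the rc_decode, rc_keys and rc_keys_size pointers that the symbol_request() calls in the init function fill in. Consider `#if defined(CONFIG_DVB_USB_AF9005_REMOTE) || defined(CONFIG_DVB_USB_AF9005_REMOTE_MODULE)` here and in the other guards. The `#else` stub also returns 0 without writing `*event` or `*state`, so a caller that reads them after a successful return sees whatever was there before; either set them in the stub or drop the stub if nothing can reach it once rc_query is cleared.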
@@ -1108,6 +1114,7 @@ static int __init af9005_usb_module_init(void)
 		err("usb_register failed. (%d)", result);
 		return result;
 	}
+#ifdef CONFIG_DVB_USB_AF9005_REMOTE
 	rc_decode = symbol_request(af9005_rc_decode);
 	rc_keys = symbol_request(af9005_rc_keys);
 	rc_keys_size = symbol_request(af9005_rc_keys_size);
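Review bot: The new `#ifdef` opens after the `usb_register failed` check, so the three symbol_request() assignments still run only once usb_register() has returned successfully, which is the ordering Luca's question was about (polling starting before rc_decode is set). Moving the symbol_request() calls, and the af9005_properties setup that depends on them, above usb_register() would close that window in the remote-enabled build as well.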
@@ -1118,12 +1125,15 @@ static int __init af9005_usb_module_init(void)
 		af9005_properties.rc_key_map = rc_keys;
 		af9005_properties.rc_key_map_size = *rc_keys_size;
 	}
-
+#else
+	af9005_properties.rc_query = NULL;
+#endif
 	return 0;
 }
 
 static void __exit af9005_usb_module_exit(void)
 {
+#ifdef CONFIG_DVB_USB_AF9005_REMOTE 
 	/* release rc decode symbols */
 	if (rc_decode != NULL)
 		symbol_put(af9005_rc_decode);
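Review bot: In the `#else` branch, `af9005_properties.rc_query = NULL;` also executes after usb_register() has returned, so in the remote-disabled build the driver is registered while rc_query still holds whatever its static initializer set. Clearing it before registration, or putting the rc_query entry in the af9005_properties initializer under the same condition, avoids that. Style: the `#ifdef CONFIG_DVB_USB_AF9005_REMOTE ` line added in af9005_usb_module_exit() has trailing whitespace, which checkpatch will flag.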
@@ -1131,6 +1141,7 @@ static void __exit af9005_usb_module_exit(void)
 		symbol_put(af9005_rc_keys);
 	if (rc_keys_size != NULL)
 		symbol_put(af9005_rc_keys_size);
+#endif
 	/* deregister this driver from the USB subsystem */
 	usb_deregister(&af9005_usb_driver);
 }
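Review bot: With the `#endif` placed here, both af9005_usb_module_init() and af9005_usb_module_exit() now carry `#ifdef` blocks inside their function bodies, which kernel coding style discourages. Consider moving the symbol_request() and symbol_put() groups into two small helpers that compile to empty static inlines when the remote is disabled, so the init and exit paths stay free of conditionals.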



