Date:   Sat, 3 Feb 2018 19:20:21 +0300
From:   Alexander Sergeyev <sergeev917@...il.com>
To:     Mario Limonciello <mario.limonciello@...l.com>,
        Matthew Garrett <mjg59@...f.ucam.org>,
        Pali Rohár <pali.rohar@...il.com>,
        Darren Hart <dvhart@...radead.org>,
        Andy Shevchenko <andy@...radead.org>
Cc:     platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: PROBLEM: NULL pointer dereference in dell_set_arguments() in 4.15

Hello,

I'm getting a null pointer dereference after upgrading to 4.15 kernel. The 
machine is a Dell Latitude E5570 laptop. The problem happens early during 
bootup (and earlier than netconsole can do its job), so a photo is attached as 
well as the kernel config (note: efistub).

Call trace:
 dell_set_arguments+0xb (RIP)
 dell_micmute_led_set+0x35
 alc_fixup_dell_wmi+0x44
 apply_fixup+0x103
 snd_hda_apply_fixup+0x1d
 patch_alc269+0x282
 hda_codec_driver_probe+0x4a
 driver_probe_device+0x221
 __device_attach_driver+0x79
 ? __driver_attach+0x90
 bus_for_each_drv+0x74
 __device_attach+0xe8
 device_initial_probe+0xe
 bus_probe_device+0x8d
 device_add+0x3b9
 snd_hdac_device_register+0x11
 ? azx_probe_codecs+0x11f
 snd_hda_codec_configure+0x36
 azx_codec_configure+0x2f
 azx_probe_work+0x47d
 process_one_work+0x182
 worker_thread+0x37
 kthread+0x11a
 ? process_one_work+0x310
 ? __kthread_create_on_node+0x1a0
 ret_from_fork+0x22

I bisected the bug using repository at [1], the log follows:
 git bisect start
 # good: [8d577afdee3540808302d9dc7a0a7be96c91178f] Linux 4.14.12
 git bisect good 8d577afdee3540808302d9dc7a0a7be96c91178f
 # bad: [d8a5b80568a9cb66810e75b182018e9edb68e8ff] Linux 4.15
 git bisect bad d8a5b80568a9cb66810e75b182018e9edb68e8ff
 # good: [bebc6082da0a9f5d47a1ea2edc099bf671058bd4] Linux 4.14
 git bisect good bebc6082da0a9f5d47a1ea2edc099bf671058bd4
 # good: [5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a] Merge tag 'media/v4.15-1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
 git bisect good 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a
 # good: [f6705bf959efac87bca76d40050d342f1d212587] Merge tag 'drm-for-v4.15-amd-dc' of git://people.freedesktop.org/~airlied/linux
 git bisect good f6705bf959efac87bca76d40050d342f1d212587
 # bad: [4066aa72f9f2886105c6f747d7f9bd4f14f53c12] Merge tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux
 git bisect bad 4066aa72f9f2886105c6f747d7f9bd4f14f53c12
 # bad: [3d18cbb7fd0cfdf0b2ca18139950a4b0c1a0a220] rxrpc: Fix conn expiry timers
 git bisect bad 3d18cbb7fd0cfdf0b2ca18139950a4b0c1a0a220
 # good: [c131187db2d3fa2f8bf32fdf4e9a4ef805168467] bpf: fix branch pruning logic
 git bisect good c131187db2d3fa2f8bf32fdf4e9a4ef805168467
 # bad: [9ed33805cdf81eadcc6ef54a81a8448e80e19f54] Merge branch 'ipvlan-Fix-insufficient-skb-linear-check'
 git bisect bad 9ed33805cdf81eadcc6ef54a81a8448e80e19f54
 # bad: [bf8973fc76e456378d3e2d6a13ed62a52281d379] Merge tag 'jfs-4.15-2' of git://github.com/kleikamp/linux-shaggy
 git bisect bad bf8973fc76e456378d3e2d6a13ed62a52281d379
 # bad: [e4a18052bb99e25d2c0074981120b76638285c22] platform/x86: sony-laptop: Drop variable assignment in sony_nc_setup_rfkill()
 git bisect bad e4a18052bb99e25d2c0074981120b76638285c22
 # good: [a5e50220edbdd1ec8912c191a0f5272d629743bf] platform/x86: intel_telemetry: cleanup redundant headers
 git bisect good a5e50220edbdd1ec8912c191a0f5272d629743bf
 # good: [722c856d46c6ca74a246b54a72f14751fec01aae] platform/x86: wmi: Add new method wmidev_evaluate_method
 git bisect good 722c856d46c6ca74a246b54a72f14751fec01aae
 # bad: [549b4930f057658dc50d8010e66219233119a4d8] platform/x86: dell-smbios: Introduce dispatcher for SMM calls
 git bisect bad 549b4930f057658dc50d8010e66219233119a4d8
 # good: [92b8c540bce7b1662212dff35f503f5b1266725b] platform/x86: dell-wmi-descriptor: split WMI descriptor into it's own driver
 git bisect good 92b8c540bce7b1662212dff35f503f5b1266725b
 # good: [980f481d63f57bb62ac171a66294de3e14d52b77] platform/x86: dell-smbios: only run if proper oem string is detected
 git bisect good 980f481d63f57bb62ac171a66294de3e14d52b77
 # good: [33b9ca1e53b45f7cacdba9d4fba5cb1387b26827] platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens
 git bisect good 33b9ca1e53b45f7cacdba9d4fba5cb1387b26827
 # first bad commit: [549b4930f057658dc50d8010e66219233119a4d8] platform/x86: dell-smbios: Introduce dispatcher for SMM calls

From source code (at 549b4930f057) it looks like dell_set_arguments() which 
writes to `buffer` is called before the buffer gets allocated, but I might be 
wrong.

But this is not the whole story. After a downgrade to a known-good 4.14.12 
kernel, I ran into another problem. The system consistently failed to wake up 
from suspend-to-ram state and was rebooting instead. By some intuition I 
navigated myself into the BIOS settings screen (which gave me unusual freezes 
up to ~30 seconds) and switched POST diagnostic mode from minimal to thorough, 
which somehow resolved the problem. There was no problem with system suspending 
before, and the problem appeared only after I tried 4.15. It would be great to 
hear any ideas or explanations of such behaviour.

[1] git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git

View attachment "kconfig" of type "text/plain" (112217 bytes)

Download attachment "dmesg.png" of type "image/png" (228265 bytes)
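As an added example (not part of the report above, nor the kernel's dell-smbios/dell-laptop source), a userspace model of the init-order hazard the report describes: an exported helper writes into a module-level buffer that only the driver's init allocates, while the audio codec fixup path may call it first. The struct layout, function signatures and token values are assumptions chosen for illustration.

```c
/* Constructed userspace model of the init-order hazard in the report above: an
 * exported helper writes into a module-level buffer that only the driver's init
 * allocates, while a caller standing in for the HDA codec fixup
 * (alc_fixup_dell_wmi -> dell_micmute_led_set) may run first. Names follow the
 * report; layout, signatures and token values are assumptions, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct calling_interface_buffer {
    uint16_t cmd_class;
    uint16_t cmd_select;
    uint32_t input[4];
    uint32_t output[4];
};

static struct calling_interface_buffer *buffer; /* NULL until init runs */

/* Hardened form: refuse the write while the buffer does not exist yet
 * instead of dereferencing NULL. Returns 0 or -ENODEV. */
static int dell_set_arguments(uint16_t cls, uint16_t sel, uint32_t a1,
                              uint32_t a2, uint32_t a3, uint32_t a4)
{
    if (!buffer)
        return -ENODEV;
    memset(buffer, 0, sizeof(*buffer));
    buffer->cmd_class = cls;
    buffer->cmd_select = sel;
    buffer->input[0] = a1; buffer->input[1] = a2;
    buffer->input[2] = a3; buffer->input[3] = a4;
    return 0;
}

/* Audio-side caller; propagates the error so the codec fixup can skip the
 * LED instead of oopsing during early boot. Token values are placeholders. */
int dell_micmute_led_set(bool on)
{
    return dell_set_arguments(0x0001, 0x0002, on ? 1u : 0u, 0, 0, 0);
}

/* Stands in for the driver init that allocates the buffer. */
int dell_smbios_init(void)
{
    buffer = calloc(1, sizeof(*buffer));
    return buffer ? 0 : -ENOMEM;
}
/* Inspection helper for checking what the last call wrote. */
uint32_t dell_buffer_input(int idx) { return buffer ? buffer->input[idx] : 0; }
```

Calling dell_micmute_led_set() before dell_smbios_init() now yields -ENODEV instead of a NULL dereference; the same ordering is what the trace in the report shows, with the codec probe reaching dell_set_arguments() before the platform driver has set up its buffer.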
