| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 17 Nov 2018 14:03:09 +0100 From: Ferry Toth <ftoth@...fort.nl> To: linux-kernel@...r.kernel.org Cc: Jan Kiszka <jan.kiszka@...mens.com> Subject: Unloading acpi table through configfs causes NULL pointer dereference bug Since 4.13 we have patch 'ACPI: configfs: Unload SSDT on configfs entry removal' in the kernel. However when I try to actually unload a table I get a bug check. I have tested this on Intel Edison Arduino with 4.18 x86_64 using 2 different tables, 1 called arduino, providing I2C/SPI/HSU and a 2nd one called leds, providing a simple LED connected to a gpio. Result is similar. Logs below. FYI Intel Edison has no BIOS and receives ACPI tables in part from U-Boot and in my case Arduino support through configfs. Loading tables in this fashion appears to work just as fine as through a cpio, with the potential bonus of being able to unload them. The use case for unloading tables on a platform like Edison Arduino would of course be that certain gpio lines are muxed, like a led with a spi line. During platform configuration one would like to provide the user feedback through flashing a LED, while operating normally the LED is less important and the line is used for SPI_CLK. Unloading the LED table is needed to be able to load the SPI table without reboot. I'm hoping that if this patch has worked in the past it will be easy enough to make it work again. Any pointers in the right direction are appreciated. ARDUINO ------- rmdir /sys/kernel/config/acpi/table/arduino/ ACPI: Host-directed Dynamic ACPI Table Unload BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 1 PID: 7181 Comm: kworker/u4:0 Not tainted 4.18.0-edison-acpi-standard #1 Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 Workqueue: kacpi_hotplug acpi_device_del_work_fn RIP: 0010:create_of_modalias.isra.1+0x4d/0x150 Code: 44 24 10 00 00 00 00 48 c7 44 24 08 ff ff ff ff 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 31 c0 e8 4a a2 03 00 48 8b 4c 24 10 <0f> b6 01 84 c0 74 27 48 c7 c7 40 13 f4 a2 0f b6 f0 8d 50 20 f6 04 RSP: 0018:ffff9c51c0c6bc10 EFLAGS: 00010246 RAX: 0000000000001001 RBX: ffff8fa4bb3d4196 RCX: 0000000000000000 RDX: 0000000000001001 RSI: 0000000000000286 RDI: ffff8fa4bd804260 RBP: ffff8fa48ca08210 R08: 0000000000001001 R09: 0000000000000000 R10: ffff8fa48ca08000 R11: ffffffffa305fe3d R12: 0000000000000785 R13: 0000000000000000 R14: ffff8fa4bc698010 R15: ffff8fa4bdad1060 FS: 0000000000000000(0000) GS:ffff8fa4bf300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000000c8de000 CR4: 00000000001006e0 Call Trace: ? vsnprintf+0x2b6/0x4b0 __acpi_device_uevent_modalias+0xde/0x100 spi_uevent+0xd/0x40 dev_uevent+0x96/0x2c0 kobject_uevent_env+0x2e7/0x7f0 device_release_driver_internal+0x227/0x240 bus_remove_device+0xe0/0x150 device_del+0x133/0x350 ? klist_iter_exit+0x17/0x30 device_unregister+0x11/0x60 acpi_spi_notify+0x89/0xa0 notifier_call_chain+0x42/0x60 blocking_notifier_call_chain+0x39/0x60 acpi_device_del_work_fn+0x62/0xb0 process_one_work+0x1e3/0x3c0 worker_thread+0x28/0x3c0 ? set_worker_desc+0xb0/0xb0 kthread+0x10e/0x130 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x35/0x40 Modules linked in: iptable_nat nf_nat_ipv4 nf_nat spi_pxa2xx_platform smsc95xx pwm_lpss_pci pwm_lpss brcmfmac brcmutil spi_pxa2xx_pci hci_uart btbcm ti_ads7950 industrialio_triggered_buffer kfifo_buf spidev mmc_block sdhci_pci cqhci sdhci led_class mmc_core CR2: 0000000000000000 ---[ end trace 77bdc8463ac6088b ]--- LEDS ---- root@...son:~# rmdir /sys/kernel/config/acpi/table/leds/ ACPI: Host-directed Dynamic ACPI Table Unload BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 1 PID: 4316 Comm: kworker/u4:2 Not tainted 4.18.0-edison-acpi-standard #1 Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 Workqueue: kacpi_hotplug acpi_device_del_work_fn RIP: 0010:create_of_modalias.isra.1+0x4d/0x150 Code: 44 24 10 00 00 00 00 48 c7 44 24 08 ff ff ff ff 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 31 c0 e8 4a a2 03 00 48 8b 4c 24 10 <0f> b6 01 84 c0 74 27 48 c7 c7 40 13 74 bd 0f b6 f0 8d 50 20 f6 04 RSP: 0018:ffffaf4800257cf8 EFLAGS: 00010246 RAX: 0000000000001001 RBX: ffff8c403a877176 RCX: 0000000000000000 RDX: 0000000000001001 RSI: 0000000000000296 RDI: ffff8c403d804260 RBP: ffff8c403ae98a10 R08: 0000000000001001 R09: 0000000000000000 R10: ffff8c403ae98800 R11: ffffffffbd85ff0d R12: 00000000000007a5 R13: 0000000000000000 R14: ffff8c403ae98a60 R15: ffff8c403dad1060 FS: 0000000000000000(0000) GS:ffff8c403f300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000003b89c000 CR4: 00000000001006e0 Call Trace: __acpi_device_uevent_modalias+0xde/0x100 dev_uevent+0x96/0x2c0 kobject_uevent_env+0x2e7/0x7f0 ? __pm_runtime_disable+0x13/0xc0 device_del+0x235/0x350 acpi_device_del_work_fn+0x6a/0xb0 process_one_work+0x1e3/0x3c0 worker_thread+0x28/0x3c0 ? set_worker_desc+0xb0/0xb0 kthread+0x10e/0x130 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x35/0x40 Modules linked in: i2c_dev ledtrig_netdev ledtrig_oneshot ledtrig_timer leds_gpio ledtrig_heartbeat iptable_nat nf_nat_ipv4 nf_nat spi_pxa2xx_platform smsc95xx pwm_lpss_pci pwm_lpss brcmfmac brcmutil spi_pxa2xx_pci hci_uart btbcm ti_ads795> CR2: 0000000000000000 ---[ end trace 09430e0923010718 ]---
Powered by blists - more mailing lists