lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <55B736A2.6020900@atmel.com>
Date:	Tue, 28 Jul 2015 10:00:34 +0200
From:	Nicolas Ferre <nicolas.ferre@...el.com>
To:	Ludovic Desroches <ludovic.desroches@...el.com>,
	<linux-gpio@...r.kernel.org>,
	Linus Walleij <linus.walleij@...aro.org>
CC:	<plagnioj@...osoft.com>, <davidcdueck@...glemail.com>,
	<alexandre.belloni@...e-electrons.com>,
	Boris Brezillon <boris.brezillon@...e-electrons.com>,
	<linux-arm-kernel@...ts.infradead.org>,
	<linux-kernel@...r.kernel.org>
Subject: Re: [RESEND PATCH] pinctrl: at91: fix null pointer dereference

Le 28/07/2015 09:48, Ludovic Desroches a écrit :
> From: David Dueck <davidcdueck@...glemail.com>
> 
> Not all gpio banks are necessarily enabled, in the current code this can
> lead to null pointer dereferences.
> 
> [   51.130000] Unable to handle kernel NULL pointer dereference at virtual address 00000058
> [   51.130000] pgd = dee04000
> [   51.130000] [00000058] *pgd=3f66d831, *pte=00000000, *ppte=00000000
> [   51.140000] Internal error: Oops: 17 [#1] ARM
> [   51.140000] Modules linked in:
> [   51.140000] CPU: 0 PID: 1664 Comm: cat Not tainted 4.1.1+ #6
> [   51.140000] Hardware name: Atmel SAMA5
> [   51.140000] task: df6dd880 ti: dec60000 task.ti: dec60000
> [   51.140000] PC is at at91_pinconf_get+0xb4/0x200
> [   51.140000] LR is at at91_pinconf_get+0xb4/0x200
> [   51.140000] pc : [<c01e71a0>]    lr : [<c01e71a0>]    psr: 600f0013
> sp : dec61e48  ip : 600f0013  fp : df522538
> [   51.140000] r10: df52250c  r9 : 00000058  r8 : 00000068
> [   51.140000] r7 : 00000000  r6 : df53c910  r5 : 00000000  r4 : dec61e7c
> [   51.140000] r3 : 00000000  r2 : c06746d4  r1 : 00000000  r0 : 00000003
> [   51.140000] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
> [   51.140000] Control: 10c53c7d  Table: 3ee04059  DAC: 00000015
> [   51.140000] Process cat (pid: 1664, stack limit = 0xdec60208)
> [   51.140000] Stack: (0xdec61e48 to 0xdec62000)
> [   51.140000] 1e40:                   00000358 00000000 df522500 ded15f80 c05a9d08 ded15f80
> [   51.140000] 1e60: 0000048c 00000061 df522500 ded15f80 c05a9d08 c01e7304 ded15f80 00000000
> [   51.140000] 1e80: c01e6008 00000060 0000048c c01e6034 c01e5f6c ded15f80 dec61ec0 00000000
> [   51.140000] 1ea0: 00020000 ded6f280 dec61f80 00000001 00000001 c00ae0b8 b6e80000 ded15fb0
> [   51.140000] 1ec0: 00000000 00000000 df4bc974 00000055 00000800 ded6f280 b6e80000 ded6f280
> [   51.140000] 1ee0: ded6f280 00020000 b6e80000 00000000 00020000 c0090dec c0671e1c dec61fb0
> [   51.140000] 1f00: b6f8b510 00000001 00004201 c000924c 00000000 00000003 00000003 00000000
> [   51.140000] 1f20: df4bc940 00022000 00000022 c066e188 b6e7f000 c00836f4 000b6e7f ded6f280
> [   51.140000] 1f40: ded6f280 b6e80000 dec61f80 ded6f280 00020000 c0091508 00000000 00000003
> [   51.140000] 1f60: 00022000 00000000 00000000 ded6f280 ded6f280 00020000 b6e80000 c0091d9c
> [   51.140000] 1f80: 00000000 00000000 ffffffff 00020000 00020000 b6e80000 00000003 c000f124
> [   51.140000] 1fa0: dec60000 c000efa0 00020000 00020000 00000003 b6e80000 00020000 000271c4
> [   51.140000] 1fc0: 00020000 00020000 b6e80000 00000003 7fffe000 00000000 00000000 00020000
> [   51.140000] 1fe0: 00000000 bef50b64 00013835 b6f29c76 400f0030 00000003 00000000 00000000
> [   51.140000] [<c01e71a0>] (at91_pinconf_get) from [<c01e7304>] (at91_pinconf_dbg_show+0x18/0x2c0)
> [   51.140000] [<c01e7304>] (at91_pinconf_dbg_show) from [<c01e6034>] (pinconf_pins_show+0xc8/0xf8)
> [   51.140000] [<c01e6034>] (pinconf_pins_show) from [<c00ae0b8>] (seq_read+0x1a0/0x464)
> [   51.140000] [<c00ae0b8>] (seq_read) from [<c0090dec>] (__vfs_read+0x20/0xd0)
> [   51.140000] [<c0090dec>] (__vfs_read) from [<c0091508>] (vfs_read+0x7c/0x108)
> [   51.140000] [<c0091508>] (vfs_read) from [<c0091d9c>] (SyS_read+0x40/0x94)
> [   51.140000] [<c0091d9c>] (SyS_read) from [<c000efa0>] (ret_fast_syscall+0x0/0x3c)
> [   51.140000] Code: eb010ec2 e30a0d08 e34c005a eb0ae5a7 (e5993000)
> [   51.150000] ---[ end trace fb3c370da3ea4794 ]---
> 
> Signed-off-by: David Dueck <davidcdueck@...glemail.com>
> Acked-by: Ludovic Desroches <ludovic.desroches@...el.com>
> Acked-by: Alexandre Belloni <alexandre.belloni@...e-electrons.com>
> CC: Nicolas Ferre <nicolas.ferre@...el.com>

Acked-by: Nicolas Ferre <nicolas.ferre@...el.com>

> CC: Boris Brezillon <boris.brezillon@...e-electrons.com>
> CC: linux-arm-kernel@...ts.infradead.org
> CC: linux-kernel@...r.kernel.org
> ---
> 
> This patch fixes a oops in the kernel because of a NULL pointer in a table.
> Having a NULL pointer in this table is the normal behavior if a PIO controller
> is not enabled. So this fix is not a quick and dirty hack, it's usual to skip
> an entry from a table if it is not filled.

Absolutely.

Thanks David for having written the fix and Ludovic for having verified
and confirmed that it's actually the proper way to fix the bug.

Bye,

>  drivers/pinctrl/pinctrl-at91.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
> index a082447..2deb130 100644
> --- a/drivers/pinctrl/pinctrl-at91.c
> +++ b/drivers/pinctrl/pinctrl-at91.c
> @@ -320,6 +320,9 @@ static const struct pinctrl_ops at91_pctrl_ops = {
>  static void __iomem *pin_to_controller(struct at91_pinctrl *info,
>  				 unsigned int bank)
>  {
> +	if (!gpio_chips[bank])
> +		return NULL;
> +
>  	return gpio_chips[bank]->regbase;
>  }
>  
> @@ -729,6 +732,10 @@ static int at91_pmx_set(struct pinctrl_dev *pctldev, unsigned selector,
>  		pin = &pins_conf[i];
>  		at91_pin_dbg(info->dev, pin);
>  		pio = pin_to_controller(info, pin->bank);
> +
> +		if (!pio)
> +			continue;
> +
>  		mask = pin_to_mask(pin->pin);
>  		at91_mux_disable_interrupt(pio, mask);
>  		switch (pin->mux) {
> @@ -848,6 +855,10 @@ static int at91_pinconf_get(struct pinctrl_dev *pctldev,
>  	*config = 0;
>  	dev_dbg(info->dev, "%s:%d, pin_id=%d", __func__, __LINE__, pin_id);
>  	pio = pin_to_controller(info, pin_to_bank(pin_id));
> +
> +	if (!pio)
> +		return -EINVAL;
> +
>  	pin = pin_id % MAX_NB_GPIO_PER_BANK;
>  
>  	if (at91_mux_get_multidrive(pio, pin))
> @@ -889,6 +900,10 @@ static int at91_pinconf_set(struct pinctrl_dev *pctldev,
>  			"%s:%d, pin_id=%d, config=0x%lx",
>  			__func__, __LINE__, pin_id, config);
>  		pio = pin_to_controller(info, pin_to_bank(pin_id));
> +
> +		if (!pio)
> +			return -EINVAL;
> +
>  		pin = pin_id % MAX_NB_GPIO_PER_BANK;
>  		mask = pin_to_mask(pin);
>  
> 


-- 
Nicolas Ferre
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ