Date:   Fri, 12 Oct 2018 13:37:41 +0100
From:   Jon Hunter <jonathanh@...dia.com>
To:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        <linux-stable@...r.kernel.org>, <arend.vanspriel@...adcom.com>
CC:     linux-tegra <linux-tegra@...r.kernel.org>
Subject: PROBLEM: brcmfmac driver crashes on resuming if no firmware is loaded

[1.] One line summary of the problem:
     brcmfmac driver crashes on resuming if no firmware is loaded

[2.] Full description of the problem/report:
     In stable-v4.4, if the brcmfmac driver fails to load the required
     firmware on boot for an SDIO based device, then the driver fails
     to remove one of the two devices it registered during probe with
     the kernel. If the kernel then enters suspend, on resume the
     kernel tries to resume the device registered by the brcmfmac driver
     and crashes due to a NULL pointer dereference (see 6 below).

     This issue is seen in stable-v4.4 but not in stable-v4.9 and I
     believe is fixed by commit 7a51461fc2da ("brcmfmac: unbind all
     devices upon failure in firmware callback"). Unfortunately, this
     fix is dependent on other changes and so is not easily
     back-ported AFAICT.

     This issue is seen on Tegra20 Ventana and Tegra30 Cardhu.

[3.] Keywords (i.e., modules, networking, kernel):
     BROADCOM BRCM80211

[4.] Kernel information
[4.1.] Kernel version (from /proc/version):
       Linux version 4.4.160-rc1-00116-g5826f1d1ce56
[4.2.] Kernel .config file:
       Generated using tegra_defconfig

[5.] Most recent kernel version which did not have the bug:
     Not seen in current mainline or -next.

[6.] Output of Oops.. message (if applicable) with symbolic information

[   51.941094] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[   51.949836] pgd = eee54000
[   51.952771] [00000000] *pgd=2db16831, *pte=00000000, *ppte=00000000
[   51.959722] Internal error: Oops: 17 [#1] SMP ARM
[   51.964774] Modules linked in: snd_soc_tegra_wm8903 snd_soc_wm8903 snd_soc_tegra_utils snd_soc_core snd_pcm_dmaengine snd_pcm brcmfmac brcmutil cfg80211 snd_timer snd soundcore ac97_bus snd_soc_tegra20_das
[   51.984922] CPU: 1 PID: 512 Comm: rtcwake Not tainted 4.4.160-rc1-00116-g5826f1d1ce56 #1
[   51.993577] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
[   52.000303] task: eefa3900 ti: ed93c000 task.ti: ed93c000
[   52.006294] PC is at brcmf_ops_sdio_resume+0x10/0x5c [brcmfmac]
[   52.012672] LR is at pm_generic_resume+0x2c/0x38
[   52.017641] pc : [<bf12bbb8>]    lr : [<c06502d4>]    psr: 60000113
[   52.017641] sp : ed93ddb8  ip : eed72e74  fp : c0f4a2d8
[   52.029914] r10: c0fa7580  r9 : 00000010  r8 : 00000000
[   52.035522] r7 : 00000010  r6 : eed7303c  r5 : 00000001  r4 : c06502a8
[   52.042514] r3 : 00000000  r2 : 00000002  r1 : eed73008  r0 : eed73008
[   52.049511] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[   52.057156] Control: 10c5387d  Table: 2ee5404a  DAC: 00000051
[   52.063319] Process rtcwake (pid: 512, stack limit = 0xed93c220)
[   52.069761] Stack: (0xed93ddb8 to 0xed93e000)
[   52.420294] [<bf12bbb8>] (brcmf_ops_sdio_resume [brcmfmac]) from [<c06502d4>] (pm_generic_resume+0x2c/0x38)
[   52.447649] [<c06502d4>] (pm_generic_resume) from [<c0653674>] (dpm_run_callback+0x1c/0x58)
[   52.474009] [<c0653674>] (dpm_run_callback) from [<c0653cdc>] (device_resume+0x98/0x260)
[   52.500177] [<c0653cdc>] (device_resume) from [<c0655018>] (dpm_resume+0x100/0x228)
[   52.525931] [<c0655018>] (dpm_resume) from [<c06552e8>] (dpm_resume_end+0xc/0x18)
[   52.551807] [<c06552e8>] (dpm_resume_end) from [<c02870b0>] (suspend_devices_and_enter+0x124/0x420)
[   52.579701] [<c02870b0>] (suspend_devices_and_enter) from [<c0287540>] (pm_suspend+0x194/0x254)
[   52.607599] [<c0287540>] (pm_suspend) from [<c02862fc>] (state_store+0x6c/0xbc)
[   52.634364] [<c02862fc>] (state_store) from [<c048c684>] (kobj_attr_store+0x14/0x20)
[   52.661518] [<c048c684>] (kobj_attr_store) from [<c036dec8>] (sysfs_kf_write+0x44/0x48)
[   52.688909] [<c036dec8>] (sysfs_kf_write) from [<c036d70c>] (kernfs_fop_write+0xbc/0x1b0)
[   52.716566] [<c036d70c>] (kernfs_fop_write) from [<c030f990>] (__vfs_write+0x24/0xd8)
[   52.743917] [<c030f990>] (__vfs_write) from [<c031018c>] (vfs_write+0x94/0x154)
[   52.770230] [<c031018c>] (vfs_write) from [<c0310994>] (SyS_write+0x40/0x94)
[   52.795713] [<c0310994>] (SyS_write) from [<c0210a80>] (ret_fast_syscall+0x0/0x48)
[   52.821478] Code: e92d4010 e590218c e5903058 e3520002 (e5934000)
[   52.845762] ---[ end trace d797b5b1ce195377 ]---
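
A triage sketch for the Oops above, added here as an example and not part of the original report: it decodes the bracketed faulting word on the Code: line as an ARM LDR, checks that the base register explains the fault address, and traces that register back to the load that produced it. The function names are hypothetical, and the decoder handles only immediate-offset word loads.

```python
import re

# Lines copied from the Oops in the report above (timestamps dropped).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000000
PC is at brcmf_ops_sdio_resume+0x10/0x5c [brcmfmac]
r3 : 00000000  r2 : 00000002  r1 : eed73008  r0 : eed73008
Code: e92d4010 e590218c e5903058 e3520002 (e5934000)
"""

def decode_ldr(word):
    """Decode ARM (A32) 'LDR Rd, [Rn, #+/-imm12]'; return None for anything else."""
    # bits 27:25 == 010 (immediate offset); P=1, B=0, W=0, L=1 (word load, no writeback)
    if (word >> 25) & 0x7 != 0b010 or (word >> 20) & 0x17 != 0x11:
        return None
    imm = word & 0xFFF
    if not (word >> 23) & 1:  # U=0 means the offset is subtracted
        imm = -imm
    return {"rd": (word >> 12) & 0xF, "rn": (word >> 16) & 0xF, "imm": imm}

def triage(oops):
    """Hypothetical helper: explain which register held the bad pointer and why."""
    regs = {int(n): int(v, 16)
            for n, v in re.findall(r"\br(\d+)\s*:\s*([0-9a-f]{8})", oops)}
    fault = int(re.search(r"virtual address ([0-9a-f]+)", oops).group(1), 16)
    words = re.search(r"Code: (.*)", oops).group(1).split()
    idx = next(i for i, w in enumerate(words) if w.startswith("("))
    insn = decode_ldr(int(words[idx].strip("()"), 16))
    if insn is None or insn["rn"] not in regs:
        return None  # faulting instruction is not a form this sketch decodes
    base = regs[insn["rn"]]
    result = {"base_reg": insn["rn"], "base_val": base, "origin": None,
              "matches_fault": (base + insn["imm"]) & 0xFFFFFFFF == fault}
    # Walk back for the load that last wrote the base register. Only LDRs are
    # recognised, and the source register is assumed unchanged since that load.
    for w in reversed(words[:idx]):
        prev = decode_ldr(int(w, 16))
        if prev and prev["rd"] == insn["rn"]:
            result["origin"] = (prev["rn"], prev["imm"], regs.get(prev["rn"]))
            break
    return result

if __name__ == "__main__":
    print(triage(OOPS))
```

On the lines from this report it identifies r3 (value 0) as the base register of the faulting load, and shows that r3 was itself loaded from offset 0x58 of the object at 0xeed73008 held in r0.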
