lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 24 Sep 2021 15:30:22 +0200
From:   Maxime Ripard <maxime@...no.tech>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Sudip Mukherjee <sudipm.mukherjee@...il.com>,
        Emma Anholt <emma@...olt.net>, David Airlie <airlied@...ux.ie>,
        Daniel Vetter <daniel@...ll.ch>,
        Philipp Zabel <p.zabel@...gutronix.de>,
        dri-devel <dri-devel@...ts.freedesktop.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: Regression with mainline kernel on rpi4

On Wed, Sep 22, 2021 at 01:25:21PM -0700, Linus Torvalds wrote:
> On Wed, Sep 22, 2021 at 1:19 PM Sudip Mukherjee
> <sudipm.mukherjee@...il.com> wrote:
> >
> > I added some debugs to print the addresses, and I am getting:
> > [   38.813809] sudip crtc 0000000000000000
> >
> > This is from struct drm_crtc *crtc = connector->state->crtc;
> 
> Yeah, that was my personal suspicion, because while the line number
> implied "crtc->state" being NULL, the drm data structure documentation
> and other drivers both imply that "crtc" was the more likely one.
> 
> I suspect a simple
> 
>         if (!crtc)
>                 return;
> 
> in vc4_hdmi_set_n_cts() is at least part of the fix for this all, but
> I didn't check if there is possibly something else that needs to be
> done too.

Thanks for the decode_stacktrace.sh and the follow-up

Yeah, it looks like we have several things wrong here:

  * we only check that connector->state is set, and not
    connector->state->crtc indeed.

  * We also check only in startup(), so at open() and not later on when
    the sound streaming actually start. This has been there for a while,
    so I guess it's never really been causing a practical issue before.

I'm still not entirely sure how we can end up in that situation though.
The only case I could think of is that:

  * The firmware enables the HDMI controller, then boots Linux

  * The driver starts, registers its audio card. connector->state is
    NULL then, and if the HDMI monitor is actually an HDMI monitor (vs a
    DVI monitor), the VC4_HDMI_RAM_PACKET_ENABLE bit that we test in
    startup will be set.

  * The driver will create the connector->state (through a call to
    drm_mode_config_reset in vc4_kms_load), connector->state isn't NULL
    anymore, VC4_HDMI_RAM_PACKET_ENABLE is still set.

  * The driver then disables the HDMI controller (in
    vc4_crtc_disable_at_boot) but never clears the
    VC4_HDMI_RAM_PACKET_ENABLE bit.

  * Pulseaudio opens the audio device, startup succeeds because both
    conditions we test succeed.

  * However, since we either never enabled the HDMI connector (or if it
    was disabled at some point), connector->state->crtc is NULL and we
    get our NULL pointer dereference.

    The Ubuntu configuration has the framebuffer emulation and the
    framebuffer console enabled, so it's likely to be enabled and
    something (X.org?) comes along and disables the connector right when
    pulseaudio calls prepare().

Maxime

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ