| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Feb 2022 13:50:10 +0000
From: Jon Hunter <jonathanh@...dia.com>
To: Dmitry Osipenko <digetx@...il.com>,
Jean Delvare <jdelvare@...e.com>,
Guenter Roeck <linux@...ck-us.net>,
Matt Merhar <mattmerhar@...tonmail.com>
Cc: linux-kernel@...r.kernel.org, linux-hwmon@...r.kernel.org,
linux-tegra@...r.kernel.org
Subject: Re: [PATCH v3 2/4] hwmon: (lm90) Use hwmon_notify_event()
On 21/02/2022 12:59, Dmitry Osipenko wrote:
> 21.02.2022 15:56, Jon Hunter пишет:
>>
>> On 21/02/2022 12:36, Dmitry Osipenko wrote:
>>> 21.02.2022 15:01, Jon Hunter пишет:
>>>> Hi Dmitry,
>>>>
>>>> On 18/06/2021 22:54, Dmitry Osipenko wrote:
>>>>> Use hwmon_notify_event() to notify userspace and thermal core about
>>>>> temperature changes.
>>>>>
>>>>> Suggested-by: Guenter Roeck <linux@...ck-us.net>
>>>>> Signed-off-by: Dmitry Osipenko <digetx@...il.com>
>>>>> ---
>>>>> drivers/hwmon/lm90.c | 44
>>>>> +++++++++++++++++++++++++++++++++-----------
>>>>> 1 file changed, 33 insertions(+), 11 deletions(-)
>>>>>
>>>>> diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c
>>>>> index 2e057fad05b4..e7b678a40b39 100644
>>>>> --- a/drivers/hwmon/lm90.c
>>>>> +++ b/drivers/hwmon/lm90.c
>>>>> @@ -465,6 +465,7 @@ enum lm90_temp11_reg_index {
>>>>> struct lm90_data {
>>>>> struct i2c_client *client;
>>>>> + struct device *hwmon_dev;
>>>>> u32 channel_config[4];
>>>>> struct hwmon_channel_info temp_info;
>>>>> const struct hwmon_channel_info *info[3];
>>>>> @@ -1731,22 +1732,41 @@ static bool lm90_is_tripped(struct i2c_client
>>>>> *client, u16 *status)
>>>>> if ((st & (LM90_STATUS_LLOW | LM90_STATUS_LHIGH |
>>>>> LM90_STATUS_LTHRM)) ||
>>>>> (st2 & MAX6696_STATUS2_LOT2))
>>>>> - dev_warn(&client->dev,
>>>>> - "temp%d out of range, please check!\n", 1);
>>>>> + dev_dbg(&client->dev,
>>>>> + "temp%d out of range, please check!\n", 1);
>>>>> if ((st & (LM90_STATUS_RLOW | LM90_STATUS_RHIGH |
>>>>> LM90_STATUS_RTHRM)) ||
>>>>> (st2 & MAX6696_STATUS2_ROT2))
>>>>> - dev_warn(&client->dev,
>>>>> - "temp%d out of range, please check!\n", 2);
>>>>> + dev_dbg(&client->dev,
>>>>> + "temp%d out of range, please check!\n", 2);
>>>>> if (st & LM90_STATUS_ROPEN)
>>>>> - dev_warn(&client->dev,
>>>>> - "temp%d diode open, please check!\n", 2);
>>>>> + dev_dbg(&client->dev,
>>>>> + "temp%d diode open, please check!\n", 2);
>>>>> if (st2 & (MAX6696_STATUS2_R2LOW | MAX6696_STATUS2_R2HIGH |
>>>>> MAX6696_STATUS2_R2THRM | MAX6696_STATUS2_R2OT2))
>>>>> - dev_warn(&client->dev,
>>>>> - "temp%d out of range, please check!\n", 3);
>>>>> + dev_dbg(&client->dev,
>>>>> + "temp%d out of range, please check!\n", 3);
>>>>> if (st2 & MAX6696_STATUS2_R2OPEN)
>>>>> - dev_warn(&client->dev,
>>>>> - "temp%d diode open, please check!\n", 3);
>>>>> + dev_dbg(&client->dev,
>>>>> + "temp%d diode open, please check!\n", 3);
>>>>> +
>>>>> + if (st & LM90_STATUS_LLOW)
>>>>> + hwmon_notify_event(data->hwmon_dev, hwmon_temp,
>>>>> + hwmon_temp_min, 0);
>>>>> + if (st & LM90_STATUS_RLOW)
>>>>> + hwmon_notify_event(data->hwmon_dev, hwmon_temp,
>>>>> + hwmon_temp_min, 1);
>>>>> + if (st2 & MAX6696_STATUS2_R2LOW)
>>>>> + hwmon_notify_event(data->hwmon_dev, hwmon_temp,
>>>>> + hwmon_temp_min, 2);
>>>>> + if (st & LM90_STATUS_LHIGH)
>>>>> + hwmon_notify_event(data->hwmon_dev, hwmon_temp,
>>>>> + hwmon_temp_max, 0);
>>>>> + if (st & LM90_STATUS_RHIGH)
>>>>> + hwmon_notify_event(data->hwmon_dev, hwmon_temp,
>>>>> + hwmon_temp_max, 1);
>>>>> + if (st2 & MAX6696_STATUS2_R2HIGH)
>>>>> + hwmon_notify_event(data->hwmon_dev, hwmon_temp,
>>>>> + hwmon_temp_max, 2);
>>>>
>>>>
>>>> We observed a random null pointer deference crash somewhere in the
>>>> thermal core (crash log below is not very helpful) when calling
>>>> mutex_lock(). It looks like we get an interrupt when this crash
>>>> happens.
>>>>
>>>> Looking at the lm90 driver, per the above, I now see we are calling
>>>> hwmon_notify_event() from the lm90 interrupt handler. Looking at
>>>> hwmon_notify_event() I see that ...
>>>>
>>>> hwmon_notify_event()
>>>> --> hwmon_thermal_notify()
>>>> --> thermal_zone_device_update()
>>>> --> update_temperature()
>>>> --> mutex_lock()
>>>>
>>>> So although I don't completely understand the crash, it does seem
>>>> that we should not be calling hwmon_notify_event() from the
>>>> interrupt handler.
>>>>
>>>> BTW I have not reproduced this myself yet, so I have just been
>>>> reviewing the code to try and understand this.
>>>
>>> Matt Merhar was experiencing a similar issue on T30 Ouya, but I never
>>> managed to reproduce it on Nexus 7 and Acer A500 tablets, and couldn't
>>> spot any problem in the code. IIRC, it was a NULL dereference of another
>>> pointer within that code.
>>
>>
>> OK. From looking at the above I don't think we can call
>> hwmon_notify_event() from an interrupt handler because this is going to
>> try and request a mutex. So we need to fix that.
>
> The interrupt is threaded, so it can take a mutex.
Ah yes, I clearly overlooked that detail.
Good news is that I have been able to reproduce this on Jetson Xavier by ...
$ echo 40000 | sudo tee /sys/devices/platform/bpmp/bpmp\:i2c/i2c-0/0-004c/hwmon/hwmon0/temp1_max
40000
[ 105.890995] Unable to handle kernel NULL pointer dereference at virtual address 00000000000003cd
[ 105.900105] Mem abort info:
[ 105.903328] ESR = 0x96000021
[ 105.906673] EC = 0x25: DABT (current EL), IL = 32 bits
[ 105.912407] SET = 0, FnV = 0
[ 105.915751] EA = 0, S1PTW = 0
[ 105.919230] FSC = 0x21: alignment fault
[ 105.923698] Data abort info:
[ 105.926853] ISV = 0, ISS = 0x00000021
[ 105.931139] CM = 0, WnR = 0
[ 105.934420] user pgtable: 64k pages, 48-bit VAs, pgdp=0000000101f6b600
[ 105.941230] [00000000000003cd] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 105.950864] Internal error: Oops: 96000021 [#1] PREEMPT SMP
[ 105.956608] Modules linked in: btrfs blake2b_generic libcrc32c xor xor_neon raid6_pq zstd_compress rfkill snd_soc_tegra210_mixer snd_soc_tegra210_adx snd_soc_tegra210_dmic snd_soc_tegra210_mvc snd_soc_tegra210_amx snd_soc_tegra210_sfc snd_soc_tegra210_admaif snd_soc_tegra_pcm snd_soc_tegra210_i2s snd_soc_tegra210_ahub uvcvideo videobuf2_vmalloc tegra210_adma videobuf2_memops videobuf2_v4l2 cec videobuf2_common drm_kms_
helper videodev mc snd_soc_rt5659 snd_soc_rl6231 pwm_tegra tegra_aconnect snd_hda_codec_hdmi lm90 tegra_bpmp_thermal snd_hda_tegra snd_soc_tegra_audio_graph_card snd_hda_codec snd_hda_core phy_tegra194_p2u snd_soc_
audio_graph_card at24 snd_soc_simple_card_utils pwm_fan pcie_tegra194 crct10dif_ce drm ip_tables x_tables ipv6
[ 106.032497] CPU: 3 PID: 296 Comm: irq/126-lm90 Tainted: G O 5.16.0-tegra-291805-gf905a41db850 #3
[ 106.042869] Hardware name: Unknown NVIDIA Jetson AGX Xavier Developer Kit/NVIDIA Jetson AGX Xavier Developer Kit, BIOS v1.1.2-901d3c52ed23 02/14/2022
[ 106.056392] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 106.063903] pc : mutex_lock+0x18/0x60
[ 106.067750] lr : thermal_zone_device_update+0x40/0x2e0
[ 106.073161] sp : ffff80001494fc60
[ 106.076553] x29: ffff80001494fc60 x28: ffff59bb27801c00 x27: ffffa4295d826790
[ 106.084052] x26: ffff59bb27801c00 x25: 0000000000000000 x24: ffff59bb27801c00
[ 106.091541] x23: ffffa4295d826870 x22: ffff59bb27801c00 x21: 00000000000003cd
[ 106.098905] x20: ffff59bb28078f08 x19: ffffffffffffffed x18: 0000000000000000
[ 106.106387] x17: ffffa4295d82689c x16: ffffa4292d400b7c x15: 0000000000000040
[ 106.113766] x14: ffffa4295f8889a0 x13: 0000000000000228 x12: 0000000000000000
[ 106.121294] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
[ 106.128793] x8 : 0000000000c2f000 x7 : 0000000000000001 x6 : 0000000000000000
[ 106.136133] x5 : 006800047a8e0f07 x4 : 0000000000000000 x3 : 00000000000003cd
[ 106.143473] x2 : ffff59bb27801c00 x1 : 0000000000000000 x0 : 00000000000003cd
[ 106.150813] Call trace:
[ 106.153333] mutex_lock+0x18/0x60
[ 106.156804] hwmon_notify_event+0xfc/0x110
[ 106.161164] 0xffffa4292d400a74
[ 106.164417] 0xffffa4292d400b7c
[ 106.167659] irq_thread_fn+0x2c/0xa0
[ 106.171359] irq_thread+0x134/0x240
[ 106.174971] kthread+0x178/0x190
[ 106.178469] ret_from_fork+0x10/0x20
[ 106.182187] Code: d503201f d503201f d2800001 aa0103e4 (c8e47c02)
[ 106.188550] ---[ end trace 62bf0e0b37a16815 ]---
[ 106.193261] Kernel panic - not syncing: Oops: Fatal exception
[ 106.199106] SMP: stopping secondary CPUs
[ 106.203401] Kernel Offset: 0x24294d740000 from 0xffff800010000000
[ 106.209584] PHYS_OFFSET: 0xffffa645e0000000
[ 106.214011] CPU features: 0x0,40000843,06400846
[ 106.218651] Memory Limit: none
[ 106.221822] ---[ end Kernel panic - not syncing: Oops: Fatal exception ]---
I am wondering if this is some sort of race condition in the thermal
shutdown path. I would be interested to know if you see the same.
Cheers
Jon
--
nvpublic
Powered by blists - more mailing lists