lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 7 Mar 2022 16:51:28 +0200
From:   Laurentiu Palcu <laurentiu.palcu@....nxp.com>
To:     Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc:     Kieran Bingham <kieran.bingham+renesas@...asonboard.com>,
        Jacopo Mondi <jacopo+renesas@...ndi.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Niklas Söderlund 
        <niklas.soderlund+renesas@...natech.se>,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: i2c: max9286: fix kernel oops when removing module

Hi Kieran, Laurent,

On Mon, Mar 07, 2022 at 04:35:44PM +0200, Laurent Pinchart wrote:
> On Mon, Mar 07, 2022 at 02:27:11PM +0000, Kieran Bingham wrote:
> > Hi Laurentiu,
> > 
> > Quoting Laurentiu Palcu (2022-03-07 13:37:50)
> > > When removing the max9286 module we get a kernel oops:
> > > 
> > > Unable to handle kernel paging request at virtual address 000000aa00000094
> > > Mem abort info:
> > >   ESR = 0x96000004
> > >   EC = 0x25: DABT (current EL), IL = 32 bits
> > >   SET = 0, FnV = 0
> > >   EA = 0, S1PTW = 0
> > >   FSC = 0x04: level 0 translation fault
> > > Data abort info:
> > >   ISV = 0, ISS = 0x00000004
> > >   CM = 0, WnR = 0
> > > user pgtable: 4k pages, 48-bit VAs, pgdp=0000000880d85000
> > > [000000aa00000094] pgd=0000000000000000, p4d=0000000000000000
> > > Internal error: Oops: 96000004 [#1] PREEMPT SMP
> > > Modules linked in: fsl_jr_uio caam_jr rng_core libdes caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine max9271 authenc crct10dif_ce mxc_jpeg_encdec
> > > CPU: 2 PID: 713 Comm: rmmod Tainted: G         C        5.15.5-00057-gaebcd29c8ed7-dirty #5
> > > Hardware name: Freescale i.MX8QXP MEK (DT)
> > > pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > > pc : i2c_mux_del_adapters+0x24/0xf0
> > > lr : max9286_remove+0x28/0xd0 [max9286]
> > > sp : ffff800013a9bbf0
> > > x29: ffff800013a9bbf0 x28: ffff00080b6da940 x27: 0000000000000000
> > > x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
> > > x23: ffff000801a5b970 x22: ffff0008048b0890 x21: ffff800009297000
> > > x20: ffff0008048b0f70 x19: 000000aa00000064 x18: 0000000000000000
> > > x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
> > > x14: 0000000000000014 x13: 0000000000000000 x12: ffff000802da49e8
> > > x11: ffff000802051918 x10: ffff000802da4920 x9 : ffff000800030098
> > > x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
> > > x5 : 8080808000000000 x4 : 0000000000000000 x3 : 0000000000000000
> > > x2 : ffffffffffffffff x1 : ffff00080b6da940 x0 : 0000000000000000
> > > Call trace:
> > >  i2c_mux_del_adapters+0x24/0xf0
> > >  max9286_remove+0x28/0xd0 [max9286]
> > >  i2c_device_remove+0x40/0x110
> > >  __device_release_driver+0x188/0x234
> > >  driver_detach+0xc4/0x150
> > >  bus_remove_driver+0x60/0xe0
> > >  driver_unregister+0x34/0x64
> > >  i2c_del_driver+0x58/0xa0
> > >  max9286_i2c_driver_exit+0x1c/0x490 [max9286]
> > >  __arm64_sys_delete_module+0x194/0x260
> > >  invoke_syscall+0x48/0x114
> > >  el0_svc_common.constprop.0+0xd4/0xfc
> > >  do_el0_svc+0x2c/0x94
> > >  el0_svc+0x28/0x80
> > >  el0t_64_sync_handler+0xa8/0x130
> > >  el0t_64_sync+0x1a0/0x1a4
> > > 
> > > The Oops happens because the I2C client data does not point to
> > > max9286_priv anymore but to v4l2_subdev. The change happened in
> > > max9286_init() which calls v4l2_i2c_subdev_init() later on...
> > > 
> > 
> > I think this needs a Fixes tag, but it looks like it happened when we
> > merged the driver. So that makes it:
> > 
> > Fixes: 66d8c9d2422d ("media: i2c: Add MAX9286 driver")
> > 
> > I see in max9286_probe() we set
> > 	i2c_set_clientdata(client, (struct max9286_priv) priv);
> > 
> > And indeed, then we call 
> > 
> > max9286_init()
> >  max9286_v4l2_register()
> >   v4l2_i2c_subdev_init(&priv->sd, priv->client, &max9286_subdev_ops);
> > 
> > So I think this patch should probably also remove the call to 
> > i2c_set_clientdata() in probe to prevent confusion.
> 
> Agreed.

I suppose the reason why i2c_set_clientdata() is called in probe() is
because max9286_init() uses i2c_get_clientdata() to get priv. But, that
would be easily fixed if we change the function declaration to

static int max9286_init(struct max9286_priv *priv)

>From priv we can get both client and dev, which are used inside the
function.

I'll send a v2 shortly.

Thanks,
Laurentiu

> 
> > > Signed-off-by: Laurentiu Palcu <laurentiu.palcu@....nxp.com>
> > > ---
> > >  drivers/media/i2c/max9286.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c
> > > index d2a4915ed9f7..04f5b7e3a9e5 100644
> > > --- a/drivers/media/i2c/max9286.c
> > > +++ b/drivers/media/i2c/max9286.c
> > > @@ -1385,7 +1385,7 @@ static int max9286_probe(struct i2c_client *client)
> > >  
> > >  static int max9286_remove(struct i2c_client *client)
> > >  {
> > > -       struct max9286_priv *priv = i2c_get_clientdata(client);
> > > +       struct max9286_priv *priv = sd_to_max9286(i2c_get_clientdata(client));
> > 
> > What happens if the module load failed before calling max9286_init(), in
> > that case, would the i2c_get_clientdata() return NULL?
> > 
> > If so, should this be checked?
> 
> .remove() isn't called if .probe() fails, so it should be fine
> 
> > >  
> > >         i2c_mux_del_adapters(priv->mux);
> > >  
> 
> -- 
> Regards,
> 
> Laurent Pinchart

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ