lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 29 Aug 2022 10:37:08 +0200
From:   Hans de Goede <hdegoede@...hat.com>
To:     Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jiri Slaby <jirislaby@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux regressions mailing list <regressions@...ts.linux.dev>
Subject: 6.0 tty regression, NULL pointer deref in flush_to_ldisc

Hi All,

This weekend I noticed that on various Bay Trail based systems which have
their bluetooth HCI connected over an uart (using hci_uart driver /
using the drivers/tty/serial bus) there is a NULL pointer deref in
flush_to_ldisc, see below for the full backtrace.

I *suspect* that this is caused by commit 6bb6fa6908eb
("tty: Implement lookahead to process XON/XOFF timely").

I can cleanly revert this by reverting the following commits:

ab24a01b2765 ("tty: Add closing marker into comment in tty_ldisc.h")
65534736d9a5 ("tty: Use flow-control char function on closing path")
6bb6fa6908eb ("tty: Implement lookahead to process XON/XOFF timely")

ATM I don't have one of the affected systems handy. I will give
a 6.0-rc3 kernel with these 3 commits reverted a try tonight (CEST)
and I'll let you know the results.

Note I can NOT confirm yet that these reverts fix things, so please
don't revert anything yet. I just wanted to give people a headsup
about this issue.

Also maybe we can fix the new lookahead code instead of reverting.
I would be happy to add a patch adding some debugging prints the
systems run fine after the backtrace as long as I don't suspend them
so gathering logs is easy.

Regards,

Hans



[   28.626537] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   28.626555] #PF: supervisor instruction fetch in kernel mode
[   28.626563] #PF: error_code(0x0010) - not-present page
[   28.626569] PGD 0 P4D 0 
[   28.626580] Oops: 0010 [#1] PREEMPT SMP PTI
[   28.626589] CPU: 2 PID: 8 Comm: kworker/u8:0 Tainted: G         C  E      6.0.0-rc2+ #102
[   28.626598] Hardware name: MPMAN Converter9/Converter9, BIOS 5.6.5 07/28/2015
[   28.626604] Workqueue: events_unbound flush_to_ldisc
[   28.626617] RIP: 0010:0x0
[   28.626633] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   28.626639] RSP: 0018:ffffacec40087e28 EFLAGS: 00010202
[   28.626648] RAX: 0000000000000000 RBX: ffff92dc05fee000 RCX: 0000000000000001
[   28.626654] RDX: 0000000000000000 RSI: ffff92dc05fee020 RDI: ffff92dc07341040
[   28.626660] RBP: ffff92dc07341048 R08: ffff92dc05fee020 R09: 00000000f1e77022
[   28.626667] R10: ffffacec40087e30 R11: 000000002f1e7702 R12: ffff92dc07341040
[   28.626673] R13: ffff92dc07341090 R14: 0000000000000000 R15: 0000000000000001
[   28.626679] FS:  0000000000000000(0000) GS:ffff92dc7bb00000(0000) knlGS:0000000000000000
[   28.626687] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   28.626693] CR2: ffffffffffffffd6 CR3: 00000000060c6000 CR4: 00000000001006e0
[   28.626700] Call Trace:
[   28.626706]  <TASK>
[   28.626712]  flush_to_ldisc+0x178/0x190
[   28.626728]  process_one_work+0x257/0x570
[   28.626749]  worker_thread+0x4f/0x3a0
[   28.626762]  ? process_one_work+0x570/0x570
[   28.626772]  kthread+0xf5/0x120
[   28.626782]  ? kthread_complete_and_exit+0x20/0x20
[   28.626794]  ret_from_fork+0x22/0x30
[   28.626815]  </TASK>
[   28.626820] Modules linked in: fjes(-) snd_soc_rl6231 snd_intel_sdw_acpi hci_uart dw_dmac soc_button_array dptf_power int3406_thermal snd_soc_core btqca int3401_thermal btrtl processor_thermal_device btbcm processor_thermal_rfim snd_compress processor_thermal_mbox processor_thermal_rapl ac97_bus btintel snd_pcm_dmaengine intel_rapl_common int3403_thermal snd_seq int3400_thermal int340x_thermal_zone snd_seq_device acpi_thermal_rel bluetooth intel_int0002_vgpio(E) kxcjk_1013 atomisp_gc0310(CE) industrialio_triggered_buffer atomisp_ov2680(CE) snd_pcm kfifo_buf atomisp_gmin_platform(CE) industrialio acpi_pad silead(+) videodev mc snd_timer snd ecdh_generic rfkill soundcore mei_txe mei dwc3_pci lpc_ich vfat fat zram mmc_block i915 crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel drm_buddy drm_display_helper cec ttm video wmi(E) sdhci_acpi sdhci mmc_core pwm_lpss_platform pwm_lpss ip6_tables ip_tables i2c_dev ipmi_devintf ipmi_msghandler fuse
[   28.627005] CR2: 0000000000000000
[   28.627013] ---[ end trace 0000000000000000 ]---
[   28.627020] RIP: 0010:0x0
[   28.627032] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   28.627038] RSP: 0018:ffffacec40087e28 EFLAGS: 00010202
[   28.627047] RAX: 0000000000000000 RBX: ffff92dc05fee000 RCX: 0000000000000001
[   28.627053] RDX: 0000000000000000 RSI: ffff92dc05fee020 RDI: ffff92dc07341040
[   28.627059] RBP: ffff92dc07341048 R08: ffff92dc05fee020 R09: 00000000f1e77022
[   28.627065] R10: ffffacec40087e30 R11: 000000002f1e7702 R12: ffff92dc07341040
[   28.627071] R13: ffff92dc07341090 R14: 0000000000000000 R15: 0000000000000001
[   28.627077] FS:  0000000000000000(0000) GS:ffff92dc7bb00000(0000) knlGS:0000000000000000
[   28.627085] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   28.627091] CR2: ffffffffffffffd6 CR3: 00000000060c6000 CR4: 00000000001006e0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ