lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <F59FC6AB-40E6-4BBA-A0BD-C7221160854B@gmail.com>
Date:   Wed, 30 Aug 2023 21:23:58 +0800
From:   Qiujun Huang <hqjagain@...il.com>
To:     Sudeep Holla <sudeep.holla@....com>
Cc:     cristian.marussi@....com, linux-arm-kernel@...ts.infradead.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] firmware: arm_scmi: Fix NULL pointer dereference in
 mailbox_clear_channel



> 2023年8月30日 下午5:39,Sudeep Holla <sudeep.holla@....com> 写道:
> 
> On Wed, Aug 30, 2023 at 01:07:47AM +0800, Qiujun Huang wrote:
>> There is a race between the failure of probe and rx_callback (due to a
>> delayed response).
>> 
>> scmi_probe
>> scmi_acquire_protocal
>> do_xfer
>> timeout
>> mailbox_chan_free
>>                                                    <--- delay response
>>                                                           rx_callback
>> mbox_free_channel
>> cinfo->transport_info = NULL
>>                                                          mailbox_clear_channel
>>                                                         dereference cinfo->transport_info
> 
> It is always good to provide the kernel stacktrace which you get when a
> NULL pointer is dereference. It helps for review and also to document it.
> 
> -- 
> Regards,
> Sudeep

Get it. Here is the splat.

[    1.942240][    C0] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048
[    1.942241][    C0] Mem abort info:
[    1.942243][    C0]   ESR = 0x96000005
[    1.944888][    T9] spmi spmi-1: PMIC arbiter version v7 (0x70000000)
[    1.950652][    C0]   EC = 0x25: DABT (current EL), IL = 32 bits
[    1.950653][    C0]   SET = 0, FnV = 0
[    1.950654][    C0]   EA = 0, S1PTW = 0
[    1.950656][    C0] Data abort info:
[    1.950657][    C0]   ISV = 0, ISS = 0x00000005
[    1.950658][    C0]   CM = 0, WnR = 0
[    1.950660][    C0] [0000000000000048] user address but active_mm is swapper
[    1.950663][    C0] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[    2.338929][    C0] pc : mailbox_clear_channel+0x18/0x64
[    2.344384][    C0] lr : scmi_handle_response+0x17c/0x4f4
[    2.349923][    C0] sp : ffffffc010003db0
[    2.354045][    C0] x29: ffffffc010003dc0 x28: ffffffd85263f000 
[    2.360216][    C0] x27: ffffffd851621068 x26: ffffffd84ec815c8 
[    2.366386][    C0] x25: ffffffd85263bf80 x24: ffffffd85263d230 
[    2.372556][    C0] x23: ffffff803cd70cc0 x22: 0000000000000008 
[    2.378726][    C0] x21: ffffff8036cf0df8 x20: ffffffd85161bac8 
[    2.384896][    C0] x19: ffffff8043ffa580 x18: ffffffc010005050 
[    2.391065][    C0] x17: 0000000000000000 x16: 00000000000000d8 
[    2.397234][    C0] x15: ffffffd8507965e8 x14: ffffffd84eaebdf0 
[    2.403404][    C0] x13: 00000000000001ea x12: 0000000000007ffb 
[    2.409574][    C0] x11: 000000000000ffff x10: ffffffd852c5a000 
[    2.415744][    C0] x9 : d7be1a9b75f29500 x8 : 0000000000000000 
[    2.421914][    C0] x7 : 382e31202020205b x6 : ffffffd852c57e7c 
[    2.428084][    C0] x5 : ffffffffffffffff x4 : 0000000000000000 
[    2.434254][    C0] x3 : ffffffd84eae6668 x2 : 0000000000000001 
[    2.440424][    C0] x1 : 0000000000000000 x0 : ffffff8043ffa580 
[    2.446594][    C0] Call trace:
[    2.449819][    C0]  mailbox_clear_channel+0x18/0x64
[    2.454916][    C0]  scmi_handle_response+0x17c/0x4f4
[    2.460100][    C0]  rx_callback+0x60/0xec
[    2.464311][    C0]  mbox_chan_received_data+0x44/0x94
[    2.469584][    C0]  qcom_rimps_rx_interrupt+0xc0/0x144 [qcom_rimps]
[    2.476111][    C0]  __handle_irq_event_percpu+0xa0/0x414
[    2.481652][    C0]  handle_irq_event+0x84/0x1cc
[    2.486393][    C0]  handle_fasteoi_irq+0x150/0x394
[    2.491403][    C0]  __handle_domain_irq+0x114/0x1e4
[    2.496500][    C0]  gic_handle_irq.33979+0x6c/0x2b8
[    2.501597][    C0]  el1_irq+0xe4/0x1c0
[    2.505537][    C0]  cpuidle_enter_state+0x3a4/0xa04
[    2.510634][    C0]  do_idle+0x308/0x574
[    2.514661][    C0]  cpu_startup_entry+0x84/0x90
[    2.519402][    C0]  kernel_init+0x0/0x310
[    2.523611][    C0]  start_kernel+0x0/0x648
[    2.527908][    C0]  start_kernel+0x52c/0x648
[    2.532390][    C0] Code: f800865e a9017bfd 910043fd f9400808 (f9402508) 
[    2.539360][    C0] ---[ end trace da7fdd5fdd7f7f09 ]---
[    2.550088][    C0] Kernel panic - not syncing: Oops: Fatal exception in interrupt


- - -
thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ