lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <700df3c4-2f6c-85f9-6c61-065bc5b2db3a@intel.com>
Date:   Tue, 5 Sep 2023 12:10:02 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     LKML <linux-kernel@...r.kernel.org>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        Saranya Gopal <saranya.gopal@...el.com>,
        Rajaram Regupathy <rajaram.regupathy@...el.com>,
        Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Uwe Kleine-König <u.kleine-koenig@...gutronix.de>,
        Wayne Chang <waynec@...dia.com>,
        Hans de Goede <hdegoede@...hat.com>,
        Neil Armstrong <neil.armstrong@...aro.org>,
        Mario Limonciello <mario.limonciello@....com>,
        linux-usb@...r.kernel.org
Subject: ucsi debugfs oops (current Linus pre-6.6-rc1)

I'm having some problems booting Linus's current tree.  It seems to have
happened in some content between commit 3f86ed6ec0b3 and df0383ffad.

I'm suspecting this commit:

> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df0383ffad64dc09954a60873c1e202b47f08d90

I'm seeing a null pointer oops on this line:

void ucsi_debugfs_unregister(struct ucsi *ucsi)
{
===>    debugfs_remove_recursive(ucsi->debugfs->dentry);
        kfree(ucsi->debugfs);
}

on this instruction:

    66 0f 1f 00             nop    WORD PTR [rax]
    0f 1f 44 00 00          nop    DWORD PTR [rax+rax*1+0x0]
    53                      push   rbx
    48 8b 47 38             mov    rax,QWORD PTR [rdi+0x38]
    48 89 fb                mov    rbx,rdi
=>  48 8b 78 20             mov    rdi,QWORD PTR [rax+0x20]
    e8 36 16 26 e1          call   0xffffffffe1261669
    48 8b 7b 38             mov    rdi,QWORD PTR [rbx+0x38]
    5b                      pop    rbx
    e9 5c 79 03 e1          jmp    0xffffffffe1037999

That's the second dereference in the function, so I assume this is
trying to dereference 'debugfs' above.  It appears that this is some
failure/error path out of ucsi_acpi_probe() that's not handled correctly.

Probably this:

>         if (ACPI_FAILURE(status)) { 
>                 dev_err(&pdev->dev, "failed to install notify handler\n");
>                 ucsi_destroy(ua->ucsi);
>                 return -ENODEV;
>         }
> 
>         ret = ucsi_register(ua->ucsi);

where ucsi_destroy() is called before ucsi_register().  Although I do
_not_ see the dev_err() message anywhere.

Full oops is below.

I'll try putting some hacks in place to avoid the null pointer.  Also,
please forgive the lack of a bisect for the moment.  This is happening
on my main laptop and it's a mild pain to do bisects on here.

> [    4.903493] BUG: kernel NULL pointer dereference, address: 0000000000000020^M
> [    4.905624] #PF: supervisor read access in kernel mode^M
> [    4.907326] #PF: error_code(0x0000) - not-present page^M
> [    4.908993] PGD 0 P4D 0 ^M
> [    4.910998] Oops: 0000 [#1] PREEMPT SMP NOPTI^M
> [    4.913077] CPU: 6 PID: 150 Comm: systemd-udevd Not tainted 6.5.0-11704-g3f86ed6ec0b3 #138^M
> [    4.915211] Hardware name: Framework Laptop/FRANBMCP0B, BIOS 03.10 07/19/2022^M
> [    4.917355] RIP: 0010:ucsi_debugfs_unregister+0x11/0x30 [typec_ucsi]^M
> [    4.919705] Code: 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 53 48 8b 47 38 48 89 fb <48> 8b 78 20 e8 36 16 26 e1 48 8b 7b 38 5b e9 5c 79 03 e1 66 66 2e^M
> [    4.921982] RSP: 0018:ffffc900007e7bb8 EFLAGS: 00010246^M
> [    4.924227] RAX: 0000000000000000 RBX: ffff888101b2be00 RCX: 0000000000009a06^M
> [    4.926752] RDX: 0000000000000000 RSI: ffff888104491798 RDI: ffff888101b2be00^M
> [    4.929312] RBP: ffff888101b2be00 R08: 0000000000009906 R09: 00000000000333f0^M
> [    4.931887] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffed^M
> [    4.934451] R13: ffff888102594810 R14: ffff888100653600 R15: ffff888101fa7f78^M
> [    4.937115] FS:  00007f5dd0fb48c0(0000) GS:ffff88906fb80000(0000) knlGS:0000000000000000^M
> [    4.939581] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
> [    4.941308] CR2: 0000000000000020 CR3: 0000000105070005 CR4: 0000000000f70ee0^M
> [    4.943022] PKRU: 55555554^M
> [    4.944731] Call Trace:^M
> [    4.946438]  <TASK>^M
> [    4.948167]  ? __die+0x24/0x70^M
> [    4.949864]  ? page_fault_oops+0x15b/0x440^M
> [    4.951563]  ? acpi_evaluate_object+0x190/0x2f0^M
> [    4.953201]  ? _raw_spin_lock_irqsave+0x28/0x50^M
> [    4.954841]  ? exc_page_fault+0x6e/0x160^M
> [    4.956461]  ? asm_exc_page_fault+0x26/0x30^M
> [    4.958067]  ? ucsi_debugfs_unregister+0x11/0x30 [typec_ucsi]^M
> [    4.959677]  ucsi_destroy+0x12/0x20 [typec_ucsi]^M
> [    4.961298]  ucsi_acpi_probe+0x1cc/0x230 [ucsi_acpi]^M
> [    4.962908]  platform_probe+0x40/0xb0^M
> [    4.964522]  really_probe+0x1a2/0x410^M
> [    4.966110]  __driver_probe_device+0x78/0x160^M
> [    4.967735]  driver_probe_device+0x1e/0x90^M
> [    4.969306]  __driver_attach+0xd6/0x1d0^M
> [    4.970874]  ? __pfx___driver_attach+0x10/0x10^M
> [    4.972449]  bus_for_each_dev+0x79/0xd0^M
> [    4.974022]  bus_add_driver+0x116/0x220^M
> [    4.975600]  driver_register+0x60/0x120^M
> [    4.977169]  ? __pfx_ucsi_acpi_platform_driver_init+0x10/0x10 [ucsi_acpi]^M
> [    4.978762]  do_one_initcall+0x45/0x220^M
> [    4.980367]  ? kmalloc_trace+0x29/0x90^M
> [    4.981952]  do_init_module+0x90/0x260^M
> [    4.983530]  init_module_from_file+0x8b/0xd0^M
> [    4.985087]  idempotent_init_module+0x181/0x240^M
> [    4.986639]  __x64_sys_finit_module+0x5e/0xb0^M
> [    4.988198]  do_syscall_64+0x3c/0x90^M
> [    4.989739]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8^M
> [    4.991290] RIP: 0033:0x7f5dd16aaa3d^M

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ