lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <66d15664-0d54-4e89-bf54-508ff072fab8@mev.co.uk>
Date: Mon, 12 Feb 2024 10:03:18 +0000
From: Ian Abbott <abbotti@....co.uk>
To: Frej Drejhammar <frej.drejhammar@...il.com>,
 H Hartley Sweeten <hsweeten@...ionengravers.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-kernel@...r.kernel.org
Cc: stable@...r.kernel.org
Subject: Re: [PATCH] comedi: comedi_8255: Correct error in subdevice
 initialization

On 11/02/2024 17:58, Frej Drejhammar wrote:
> The refactoring done in commit 5c57b1ccecc7 ("comedi: comedi_8255: Rework
> subdevice initialization functions") to the initialization of the io
> field of struct subdev_8255_private broke all cards using the
> drivers/comedi/drivers/comedi_8255.c module.
> 
> Prior to 5c57b1ccecc7, __subdev_8255_init() initialized the io field
> in the newly allocated struct subdev_8255_private to the non-NULL
> callback given to the function, otherwise it used a flag parameter to
> select between subdev_8255_mmio and subdev_8255_io. The refactoring
> removed that logic and the flag, as subdev_8255_mm_init() and
> subdev_8255_io_init() now explicitly pass subdev_8255_mmio and
> subdev_8255_io respectively to __subdev_8255_init(), only
> __subdev_8255_init() never sets spriv->io to the supplied
> callback. That spriv->io is NULL leads to a later BUG:
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> PGD 0 P4D 0
> Oops: 0010 [#1] SMP PTI
> CPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x86_64 #1
> Hardware name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> RIP: 0010:0x0
> Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202
> RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b
> RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00
> RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001
> R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000
> R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8
> FS:  00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0
> Call Trace:
>   <TASK>
>   ? __die_body+0x15/0x57
>   ? page_fault_oops+0x2ef/0x33c
>   ? insert_vmap_area.constprop.0+0xb6/0xd5
>   ? alloc_vmap_area+0x529/0x5ee
>   ? exc_page_fault+0x15a/0x489
>   ? asm_exc_page_fault+0x22/0x30
>   __subdev_8255_init+0x79/0x8d [comedi_8255]
>   pci_8255_auto_attach+0x11a/0x139 [8255_pci]
>   comedi_auto_config+0xac/0x117 [comedi]
>   ? __pfx___driver_attach+0x10/0x10
>   pci_device_probe+0x88/0xf9
>   really_probe+0x101/0x248
>   __driver_probe_device+0xbb/0xed
>   driver_probe_device+0x1a/0x72
>   __driver_attach+0xd4/0xed
>   bus_for_each_dev+0x76/0xb8
>   bus_add_driver+0xbe/0x1be
>   driver_register+0x9a/0xd8
>   comedi_pci_driver_register+0x28/0x48 [comedi_pci]
>   ? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci]
>   do_one_initcall+0x72/0x183
>   do_init_module+0x5b/0x1e8
>   init_module_from_file+0x86/0xac
>   __do_sys_finit_module+0x151/0x218
>   do_syscall_64+0x72/0xdb
>   entry_SYSCALL_64_after_hwframe+0x6e/0x76
> RIP: 0033:0x7f72f50a0cb9
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48
> RSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9
> RDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e
> RBP: 0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000
> R10: 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df
> R13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8
>   </TASK>
> Modules linked in: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt e100(+) acpi_cpufreq rtc_cmos usbhid
> CR2: 0000000000000000
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:0x0
> Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202
> RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b
> RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00
> RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001
> R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000
> R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8
> FS:  00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0
> 
> This patch simply corrects the above mistake by initializing spriv->io
> to the given io callback.
> 
> Fixes: 5c57b1ccecc7 ("comedi: comedi_8255: Rework subdevice initialization functions")
> Signed-off-by: Frej Drejhammar <frej.drejhammar@...il.com>
> Cc: <stable@...r.kernel.org>
> ---
>   drivers/comedi/drivers/comedi_8255.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/comedi/drivers/comedi_8255.c b/drivers/comedi/drivers/comedi_8255.c
> index e4974b508328..a933ef53845a 100644
> --- a/drivers/comedi/drivers/comedi_8255.c
> +++ b/drivers/comedi/drivers/comedi_8255.c
> @@ -159,6 +159,7 @@ static int __subdev_8255_init(struct comedi_device *dev,
>   		return -ENOMEM;
>   
>   	spriv->context = context;
> +	spriv->io      = io;
>   
>   	s->type		= COMEDI_SUBD_DIO;
>   	s->subdev_flags	= SDF_READABLE | SDF_WRITABLE;

Thanks for the fix. I screwed up!

Acked-by: Ian Abbott <abbotti@....co.uk>
Reviewed-by: Ian Abbott <abbotti@....co.uk>

-- 
-=( Ian Abbott <abbotti@....co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ