Message-Id: <D8TEDS91VAGU.1UVZWWWWMRRNG@gmail.com>
Date: Sun, 30 Mar 2025 03:47:11 -0300
From: "Kurt Borja" <kuurtb@...il.com>
To: "Damian Tometzki" <damian@...cv-rocks.de>
Cc: <hmh@....eng.br>, <ibm-acpi-devel@...ts.sourceforge.net>,
 <platform-driver-x86@...r.kernel.org>, "Linux Kernel Mailing List"
 <linux-kernel@...r.kernel.org>
Subject: Re: Kernel Null Pointer Dereference on Fedora with thinkpad_acpi

On Sun Mar 30, 2025 at 3:28 AM -03, Damian Tometzki wrote:
> On Sun, Mar 30, 2025 at 8:01 AM Kurt Borja <kuurtb@...il.com> wrote:
>>
>> Hi Damian,
>>
>> On Sun Mar 30, 2025 at 2:19 AM -03, Damian Tometzki wrote:
>> > Hi together,
>> >
>> > I encountered a kernel crash on a Lenovo ThinkPad (BIOS N32ET95W 1.71)
>> > running Fedora with kernel 6.15 (merge window) 7f2ff7b62617. The issue
>> > is a NULL pointer dereference during initialization of the
>> > thinkpad_acpi module. The crash occurs in kobject_get() while handling
>> > RFKill device registration (tpacpi_new_rfkill → rfkill_register →
>> > device_add).
>> > With kernel 6.14 the system boots fine.
>> >
>> > Let me know if further logs or debugging info are needed. Below the short dump
>> >
>> > Mar 29 17:43:16.173712 fedora kernel: thinkpad_acpi: Disabling
>> > thinkpad-acpi brightness events by default...
>> > Mar 29 17:43:16.175636 fedora kernel: ACPI: bus type thunderbolt registered
>> > Mar 29 17:43:16.179626 fedora kernel: BUG: kernel NULL pointer
>> > dereference, address: 000000000000004c
>> > Mar 29 17:43:16.179689 fedora kernel: #PF: supervisor read access in kernel mode
>> > Mar 29 17:43:16.180235 fedora kernel: #PF: error_code(0x0000) - not-present page
>> > Mar 29 17:43:16.180290 fedora kernel: PGD 0 P4D 0
>> > Mar 29 17:43:16.180325 fedora kernel: Oops: Oops: 0000 [#1] SMP NOPTI
>> > Mar 29 17:43:16.180340 fedora kernel: CPU: 6 UID: 0 PID: 1015 Comm:
>> > (udev-worker) Not tainted 6.14.0 #355 PREEMPT(lazy)
>> > Mar 29 17:43:16.180449 fedora kernel: Hardware name: LENOVO
>> > 20XWCTO1WW/20XWCTO1WW, BIOS N32ET95W (1.71 ) 10/24/2024
>> > Mar 29 17:43:16.180469 fedora kernel: RIP: 0010:kobject_get+0xd/0x70
>> > Mar 29 17:43:16.180491 fedora kernel: Code: 66 66 2e 0f 1f 84 00 00 00
>> > 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e
>> > fa 53 48 89 fb 48 85 ff 74 1f <f6> 47 3c 01 74 22 48 8d 7b 38 b8 01
>> > 00>
>> > Mar 29 17:43:16.180506 fedora kernel: RSP: 0018:ffffd3d200b5f750
>> > EFLAGS: 00010202
>> > Mar 29 17:43:16.180523 fedora kernel: RAX: ffff8ebbc10fac00 RBX:
>> > 0000000000000010 RCX: 0000000000000000
>> > Mar 29 17:43:16.180534 fedora kernel: RDX: 0000000000000000 RSI:
>> > ffffffff9aebafa0 RDI: 0000000000000010
>> > Mar 29 17:43:16.180547 fedora kernel: RBP: ffff8ebbd49f4b88 R08:
>> > 0000000000000100 R09: 0000000000000000
>> > Mar 29 17:43:16.180559 fedora kernel: R10: ffffd3d200b5f760 R11:
>> > 0000000000000008 R12: 0000000000000010
>> > Mar 29 17:43:16.180573 fedora kernel: R13: ffff8ebbc8b12388 R14:
>> > ffffffffc14a7500 R15: 0000000000000000
>> > Mar 29 17:43:16.180587 fedora kernel: FS:  00007f1aa7c15040(0000)
>> > GS:ffff8ebf72546000(0000) knlGS:0000000000000000
>> > Mar 29 17:43:16.180606 fedora kernel: CS:  0010 DS: 0000 ES: 0000 CR0:
>> > 0000000080050033
>> > Mar 29 17:43:16.180630 fedora kernel: CR2: 000000000000004c CR3:
>> > 0000000113948001 CR4: 0000000000f70ef0
>> > Mar 29 17:43:16.180642 fedora kernel: PKRU: 55555554
>> > Mar 29 17:43:16.180654 fedora kernel: Call Trace:
>> > Mar 29 17:43:16.180664 fedora kernel:  <TASK>
>> > Mar 29 17:43:16.180676 fedora kernel:  ? show_trace_log_lvl+0x1d2/0x2f0
>> > Mar 29 17:43:16.180688 fedora kernel:  ? show_trace_log_lvl+0x1d2/0x2f0
>> > Mar 29 17:43:16.180704 fedora kernel:  ? show_trace_log_lvl+0x1d2/0x2f0
>> > Mar 29 17:43:16.180712 fedora kernel:  ? device_add+0x8f/0x6e0
>> > Mar 29 17:43:16.180724 fedora kernel:  ? __die_body.cold+0x8/0x12
>> > Mar 29 17:43:16.180739 fedora kernel:  ? page_fault_oops+0x146/0x180
>> > Mar 29 17:43:16.180748 fedora kernel:  ? exc_page_fault+0x7e/0x1a0
>> > Mar 29 17:43:16.180758 fedora kernel:  ? asm_exc_page_fault+0x26/0x30
>> > Mar 29 17:43:16.180769 fedora kernel:  ? __pfx_klist_children_get+0x10/0x10
>> > Mar 29 17:43:16.180781 fedora kernel:  ? kobject_get+0xd/0x70
>> > Mar 29 17:43:16.180792 fedora kernel:  device_add+0x8f/0x6e0
>> > Mar 29 17:43:16.180804 fedora kernel:  rfkill_register+0xbc/0x2c0 [rfkill]
>> > Mar 29 17:43:16.180813 fedora kernel:  tpacpi_new_rfkill+0x185/0x230
>> > [thinkpad_acpi]
>> > Mar 29 17:43:16.180826 fedora kernel:  ibm_init+0x66/0x2a0 [thinkpad_acpi]
>> > Mar 29 17:43:16.180840 fedora kernel:
>> > tpacpi_pdriver_probe+0x160/0x250 [thinkpad_acpi]
>> > Mar 29 17:43:16.180852 fedora kernel:  platform_probe+0x41/0xa0
>> > Mar 29 17:43:16.180887 fedora kernel:  really_probe+0xdb/0x340
>> > Mar 29 17:43:16.180900 fedora kernel:  ? pm_runtime_barrier+0x55/0x90
>> > Mar 29 17:43:16.180912 fedora kernel:  ? __pfx___driver_attach+0x10/0x10
>> > Mar 29 17:43:16.180920 fedora kernel:  __driver_probe_device+0x78/0x140
>> > Mar 29 17:43:16.180932 fedora kernel:  driver_probe_device+0x1f/0xa0
>> > Mar 29 17:43:16.180942 fedora kernel:  __driver_attach+0xb8/0x1d0
>> > Mar 29 17:43:16.180954 fedora kernel:  bus_for_each_dev+0x82/0xd0
>> > Mar 29 17:43:16.180966 fedora kernel:  bus_add_driver+0x12f/0x210
>> > Mar 29 17:43:16.180976 fedora kernel:  driver_register+0x72/0xd0
>> > Mar 29 17:43:16.180988 fedora kernel:  __platform_driver_probe+0x45/0x90
>> > Mar 29 17:43:16.180999 fedora kernel:  __platform_create_bundle+0xe7/0x100
>> > Mar 29 17:43:16.181011 fedora kernel:  ?
>> > __pfx_tpacpi_pdriver_probe+0x10/0x10 [thinkpad_acpi]
>> > Mar 29 17:43:16.181025 fedora kernel:  ?
>> > __pfx_thinkpad_acpi_module_init+0x10/0x10 [thinkpad_acpi]
>> > Mar 29 17:43:16.181035 fedora kernel:
>> > thinkpad_acpi_module_init+0x37e/0x430 [thinkpad_acpi]
>> > Mar 29 17:43:16.181045 fedora kernel:  do_one_initcall+0x58/0x300
>> > Mar 29 17:43:16.181053 fedora kernel:  do_init_module+0x82/0x240
>> > Mar 29 17:43:16.181065 fedora kernel:  init_module_from_file+0x8b/0xe0
>> > Mar 29 17:43:16.181073 fedora kernel:  idempotent_init_module+0x113/0x310
>> > Mar 29 17:43:16.181083 fedora kernel:  __x64_sys_finit_module+0x67/0xc0
>> > Mar 29 17:43:16.181093 fedora kernel:  do_syscall_64+0x7f/0x170
>> > Mar 29 17:43:16.181103 fedora kernel:  ? syscall_exit_to_user_mode+0x1d5/0x210
>> > Mar 29 17:43:16.181112 fedora kernel:  ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181124 fedora kernel:  ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181135 fedora kernel:  ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181144 fedora kernel:  ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181152 fedora kernel:  ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181163 fedora kernel:  ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181173 fedora kernel:  ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181182 fedora kernel:  ? seq_read_iter+0x20e/0x480
>> > Mar 29 17:43:16.181198 fedora kernel:  ? vfs_read+0x29b/0x370
>> > Mar 29 17:43:16.181217 fedora kernel:  ? __seccomp_filter+0x41/0x4e0
>> > Mar 29 17:43:16.181233 fedora kernel:  ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181250 fedora kernel:  ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181264 fedora kernel:  ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181280 fedora kernel:  ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181292 fedora kernel:  ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181316 fedora kernel:  ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181331 fedora kernel:  ? clear_bhb_loop+0x35/0x90
>> > Mar 29 17:43:16.181341 fedora kernel:  ? clear_bhb_loop+0x35/0x90
>> > Mar 29 17:43:16.181351 fedora kernel:  ? clear_bhb_loop+0x35/0x90
>> > Mar 29 17:43:16.181360 fedora kernel:  entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> > Mar 29 17:43:16.181372 fedora kernel: RIP: 0033:0x7f1aa84c5a8d
>> > Mar 29 17:43:16.181381 fedora kernel: Code: ff c3 66 2e 0f 1f 84 00 00
>> > 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2
>> > 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d
>> > 4b>
>> > Mar 29 17:43:16.181392 fedora kernel: RSP: 002b:00007ffe5ca79bc8
>> > EFLAGS: 00000246 ORIG_RAX: 0000000000000139
>> > Mar 29 17:43:16.181406 fedora kernel: RAX: ffffffffffffffda RBX:
>> > 00005610a8c7deb0 RCX: 00007f1aa84c5a8d
>> > Mar 29 17:43:16.181419 fedora kernel: RDX: 0000000000000000 RSI:
>> > 00007f1aa7b88965 RDI: 0000000000000032
>> > Mar 29 17:43:16.181431 fedora kernel: RBP: 00007ffe5ca79c80 R08:
>> > 0000000000000000 R09: 00007ffe5ca79c30
>> > Mar 29 17:43:16.181441 fedora kernel: R10: 0000000000000000 R11:
>> > 0000000000000246 R12: 0000000000020000
>> > Mar 29 17:43:16.181448 fedora kernel: R13: 00005610a8c7f880 R14:
>> > 00007f1aa7b88965 R15: 0000000000000000
>> > Mar 29 17:43:16.181458 fedora kernel:  </TASK>
>> > Mar 29 17:43:16.181472 fedora kernel: Modules linked in: cfg80211(+)
>> > thunderbolt(+) thinkpad_acpi(+) igen6_edac intel_soc_dts_iosf
>> > platform_profile snd soundcore int3403_thermal int340x_thermal_zone
>> > soc_button_>
>> > Mar 29 17:43:16.181784 fedora kernel: CR2: 000000000000004c
>> > Mar 29 17:43:16.181806 fedora kernel: ---[ end trace 0000000000000000 ]---
>> >
>> > Best regards
>> > Damian
>>
>> Hmmm - I have a feeling about this one.
>>
>> Can you apply and test the attached proposed patch? If you do please
>> verify if the problem persists and if the driver has all the features
>> present before the regression.
>>
>> If everything goes nicely, feel free to add a Tested-by: tag for when I
>> submit this.
>>
>> --
>>  ~ Kurt
>
> Hi Kurt,
>
> many thanks for the fast response.
> With this patch my system boots again but I have another dump in dmesg

Oh, makes sense. It's the same problem but it was hidden because of the
previous one.

The attached patch should fix it.

-- 
 ~ Kurt


View attachment "0001-platform-x86-thinkpad_acpi-Fix-rfkill-null-pointer-d.patch" of type "text/x-patch" (2733 bytes)
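
Added example, not part of the original thread and not code from the kernel project: a Python sketch that checks the oops quoted above for internal consistency by decoding the faulting instruction (the byte marked `<f6>` in the Code line) and confirming that base register plus displacement equals CR2. The sample text is an excerpt of the quoted log with the mail wrapping undone; the function names are hypothetical.

```python
import re

# Constructed sample: excerpt of the oops quoted in the thread, with the mail
# client's line wrapping undone and the journal timestamp prefix dropped.
OOPS = """\
BUG: kernel NULL pointer dereference, address: 000000000000004c
RIP: 0010:kobject_get+0xd/0x70
Code: fa 53 48 89 fb 48 85 ff 74 1f <f6> 47 3c 01 74 22 48 8d 7b 38 b8 01
RAX: ffff8ebbc10fac00 RBX: 0000000000000010 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff9aebafa0 RDI: 0000000000000010
CR2: 000000000000004c CR3: 0000000113948001 CR4: 0000000000f70ef0
"""

# x86-64 register numbering for ModRM.rm (no REX prefix, so 0..7 only).
RM_REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]
REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{2}): ([0-9a-f]{16})\b")


def parse_oops(text):
    """Return (register dict, instruction bytes starting at the faulting RIP)."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(text)}
    code = re.search(r"Code: (.*)", text).group(1).split()
    # The kernel wraps the byte at RIP in <> inside the Code: line.
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = [int(b.strip("<>"), 16) for b in code[start:]]
    return regs, insn


def fault_operand(text):
    """Decode `test byte [reg+disp8], imm8` at RIP and compare with CR2."""
    regs, insn = parse_oops(text)
    opcode, modrm = insn[0], insn[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    # Only the form seen in this trace: F6 /0, mod=01 (disp8), no SIB byte.
    if opcode != 0xF6 or reg != 0 or mod != 1 or rm == 4:
        raise ValueError("instruction form not handled by this sketch")
    disp = insn[2] - 256 if insn[2] > 127 else insn[2]  # sign-extend disp8
    base = RM_REGS[rm]
    addr = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {"base": base, "base_value": regs[base], "disp": disp,
            "address": addr, "matches_cr2": addr == regs["CR2"]}


if __name__ == "__main__":
    print(fault_operand(OOPS))
```

For this trace the base register is RDI = 0x10 and the displacement is 0x3c, which gives the reported fault address 0x4c. The pointer handed to kobject_get() was small but non-zero, so the `test rdi, rdi` check (bytes `48 85 ff 74 1f`) just before the faulting instruction did not catch it.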
