Message-ID: <aG5IZBTJSabxpyct@finisterre.sirena.org.uk>
Date: Wed, 9 Jul 2025 11:45:56 +0100
From: Mark Brown <broonie@...nel.org>
To: Naresh Kamboju <naresh.kamboju@...aro.org>
Cc: open list <linux-kernel@...r.kernel.org>, lkft-triage@...ts.linaro.org,
	Linux Regressions <regressions@...ts.linux.dev>,
	dri-devel@...ts.freedesktop.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Danilo Krummrich <dakr@...nel.org>,
	"Rafael J. Wysocki" <rafael@...nel.org>,
	Abdun Nihaal <abdun.nihaal@...il.com>,
	Dan Carpenter <dan.carpenter@...aro.org>,
	Arnd Bergmann <arnd@...db.de>,
	Anders Roxell <anders.roxell@...aro.org>,
	Ben Copeland <benjamin.copeland@...aro.org>,
	Andrzej Hajda <andrzej.hajda@...el.com>,
	Neil Armstrong <neil.armstrong@...aro.org>,
	Robert Foss <rfoss@...nel.org>,
	Laurent Pinchart <Laurent.pinchart@...asonboard.com>,
	Jonas Karlman <jonas@...boo.se>,
	Jernej Skrabec <jernej.skrabec@...il.com>
Subject: Re: next-20250702 kernel NULL pointer dereference adv7511_cec_register_volatile

On Wed, Jul 09, 2025 at 01:26:02AM +0530, Naresh Kamboju wrote:

> I am investigating this issue,
> Planning to revert and re-build and test in a loop.
>   c871c199accb3 regmap: fix potential memory leak of regmap_bus

> [   11.087822] Call trace:
> [   11.094930] adv7511_cec_register_volatile+0xc/0x30 adv7511 (P)
> [   11.097194] regcache_read (drivers/base/regmap/regcache.c:273)
> [   11.103438] _regmap_read (drivers/base/regmap/regmap.c:2805)
> [   11.107084] regmap_read (drivers/base/regmap/regmap.c:2850)

This backtrace seems fishy; the function that's faulting is just doing a
straight lookup of the register number without reference to the supplied
device.  This looks like a preexisting bug in the driver: we create an
I2C bus for the CEC in adv7511_init_cec_regmap() using a non-devm
function but register the interrupt handler using devm_request_threaded_irq(),
and devm will free things after the remove function has run.  This means
that on removal or error cleanup we free the I2C bus while the interrupt
is still registered, but nothing stops the interrupt handler from
continuing to try to access the freed CEC bus.  This is going to access
freed memory; I'm kind of surprised it wasn't already having trouble -
turning on some of the memory debugging options or sanitisers should
show issues.

Don't use devm_request_threaded_irq() folks...

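As an added illustration (not code from the mail, the adv7511 driver or the kernel), this userspace model mirrors the ordering Mark describes: devm release callbacks run in reverse registration order after remove() returns, so a resource the driver frees by hand in remove() is already gone while a devm-registered IRQ handler is still live. The names devm_add_action, teardown_buggy and teardown_fixed, and the bool flags standing in for the real regmap and IRQ, are the model's own assumptions.

```c
#include <stdbool.h>
/* Toy device: models only what the lifetime argument needs. */
struct dev {
	void (*release[4])(struct dev *); /* devm release stack */
	int nr_release;
	bool cec_bus_alive;  /* CEC regmap/I2C bus from adv7511_init_cec_regmap() */
	bool irq_registered; /* threaded IRQ from devm_request_threaded_irq() */
};
/* devm_add_action: release callbacks run LIFO after remove() returns. */
static void devm_add_action(struct dev *d, void (*fn)(struct dev *))
{
	d->release[d->nr_release++] = fn;
}
static void free_irq_action(struct dev *d) { d->irq_registered = false; }
static void free_cec_bus(struct dev *d) { d->cec_bus_alive = false; }
/* A firing IRQ would dereference the bus: true means use-after-free. */
static bool irq_would_touch_freed_bus(const struct dev *d)
{
	return d->irq_registered && !d->cec_bus_alive;
}
/* Runs the devm release stack in reverse order, flagging any unsafe window. */
static bool devm_release_all(struct dev *d)
{
	bool unsafe = false;
	while (d->nr_release > 0) {
		d->release[--d->nr_release](d);
		unsafe |= irq_would_touch_freed_bus(d);
	}
	return unsafe;
}

/* Buggy order from the mail: non-devm bus, devm IRQ, bus freed in remove(). */
bool teardown_buggy(void)
{
	struct dev d = { .cec_bus_alive = true };    /* probe: init_cec_regmap */
	d.irq_registered = true;                     /* probe: devm_request_threaded_irq */
	devm_add_action(&d, free_irq_action);
	free_cec_bus(&d);                            /* remove(): bus freed by hand */
	bool unsafe = irq_would_touch_freed_bus(&d); /* IRQ still live at this point */
	return unsafe | devm_release_all(&d);
}

/* Fixed order: hand the bus to devm before the IRQ, so LIFO frees the IRQ first. */
bool teardown_fixed(void)
{
	struct dev d = { .cec_bus_alive = true };
	devm_add_action(&d, free_cec_bus);           /* devm_add_action_or_reset() */
	d.irq_registered = true;
	devm_add_action(&d, free_irq_action);
	return devm_release_all(&d);                 /* remove() frees nothing itself */
}
```

The same ordering rule is why an explicit free in remove() plus devm_request_threaded_irq() is unsafe regardless of which driver does it: anything the handler touches must outlive the devm-managed IRQ.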
