| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <589670a9-ac91-4fde-b595-473408b3df18@kernel.org>
Date: Wed, 12 Nov 2025 16:51:32 +0100
From: Krzysztof Kozlowski <krzk@...nel.org>
To: Jian Hui Lee <jianhui.lee@...onical.com>, Yong Wu <yong.wu@...iatek.com>,
Matthias Brugger <matthias.bgg@...il.com>,
AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>,
Joerg Roedel <jroedel@...e.de>, linux-mediatek@...ts.infradead.org,
linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH] memory: mtk-smi: Fix NULL pointer dereference in
config_port
On 11/11/2025 13:48, Jian Hui Lee wrote:
> Fix a race condition where mtk_smi_larb_resume() can be called before
> mtk_smi_larb_bind() completes, leading to NULL pointer dereference when
> accessing larb->mmu and larb->bank.
>
> Add NULL checks to skip port configuration gracefully when the device
> hasn't been bound yet.
>
> Crash trace:
> [ 7.605014] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> [ 7.605029] Mem abort info:
> [ 7.605031] ESR = 0x0000000096000004
> [ 7.605034] EC = 0x25: DABT (current EL), IL = 32 bits
> [ 7.605037] SET = 0, FnV = 0
> [ 7.605040] EA = 0, S1PTW = 0
> [ 7.605042] FSC = 0x04: level 0 translation fault
> [ 7.605045] Data abort info:
> [ 7.605046] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> [ 7.605049] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> [ 7.605052] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [ 7.605055] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106755000
> [ 7.605059] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
> [ 7.605069] Internal error: Oops: 0000000096000004 [#1] SMP
> [ 7.605075] Modules linked in: mtk_mdp3(+) snd_compress(+) ac97_bus snd_pcm_dmaengine snd_pcm v4l2_mem2mem videobufo
> [ 7.605223] pwm_mtk_disp spmi_mtk_pmif spmi_devres clk_mt8188_imp_iic_wrap spi_mt65xx mmc_hsq stmmac clk_mt8188_ado
> [ 7.605267] CPU: 5 UID: 0 PID: 417 Comm: (udev-worker) Not tainted 6.17.2-custom #29 PREEMPT(voluntary)
> [ 7.605273] Hardware name: mediatek Genio 700 EVK P1V4 (eMMC Boot)/Genio 700 EVK P1V4, BIOS 2022.10-gb56d2a20f5 10/2
> [ 7.605278] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [ 7.605283] pc : mtk_smi_larb_config_port_gen2_general+0x2a8/0x458 [mtk_smi]
> [ 7.605301] lr : mtk_smi_larb_config_port_gen2_general+0x110/0x458 [mtk_smi]
> [ 7.605307] sp : ffff8000867f3370
> [ 7.605309] x29: ffff8000867f33e0 x28: 0000000000000000 x27: ffff80007c403fcc
> [ 7.605317] x26: 000000000000000a x25: ffff0000d5107c80 x24: ffff80007c4040f8
> [ 7.605325] x23: ffff80007c4040f8 x22: ffff80007c403fcc x21: ffff80007c43c918
> [ 7.605332] x20: 0000000000000007 x19: ffff80008685d218 x18: ffff8000863b90e8
> [ 7.605340] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
> [ 7.605346] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
> [ 7.605353] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff80007c403fcc
> [ 7.605360] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
> [ 7.605367] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
> [ 7.605373] x2 : 0000000000000000 x1 : ffff8000867f33b8 x0 : 0000000000000000
> [ 7.605381] Call trace:
> [ 7.605384] mtk_smi_larb_config_port_gen2_general+0x2a8/0x458 [mtk_smi] (P)
> [ 7.605393] mtk_smi_larb_resume+0xbc/0x130 [mtk_smi]
> [ 7.605399] pm_generic_runtime_resume+0x38/0x80
> [ 7.605410] __genpd_runtime_resume+0x3c/0xb8
> [ 7.605419] genpd_runtime_resume+0xec/0x338
> [ 7.605425] __rpm_callback+0x54/0x210
> [ 7.605431] rpm_callback+0x94/0xa8
> [ 7.605436] rpm_resume+0x484/0x668
> [ 7.605442] __pm_runtime_resume+0x68/0xd8
> [ 7.605447] pm_runtime_get_suppliers+0x6c/0xb8
> [ 7.605453] __driver_probe_device+0x5c/0x1c8
> [ 7.605461] driver_probe_device+0x48/0x188
> [ 7.605466] __driver_attach+0x14c/0x2c8
> [ 7.605471] bus_for_each_dev+0x88/0x110
> [ 7.605476] driver_attach+0x30/0x60
> [ 7.605481] bus_add_driver+0x17c/0x2e8
> [ 7.605486] driver_register+0x68/0x178
> [ 7.605492] __platform_driver_register+0x30/0x60
> [ 7.605498] mdp_driver_init+0x2c/0xff8 [mtk_mdp3]
> [ 7.605519] do_one_initcall+0x64/0x378
> [ 7.605526] do_init_module+0xa4/0x2e0
> [ 7.605534] load_module+0x24a8/0x2618
> [ 7.605541] init_module_from_file+0x98/0x118
> [ 7.605547] __arm64_sys_finit_module+0x284/0x380
> [ 7.605554] invoke_syscall+0x74/0x128
> [ 7.605560] el0_svc_common.constprop.0+0x114/0x140
> [ 7.605565] do_el0_svc+0x28/0x58
> [ 7.605570] el0_svc+0x44/0x1f0
> [ 7.605579] el0t_64_sync_handler+0xc0/0x108
> [ 7.605586] el0t_64_sync+0x1b8/0x1c0
> [ 7.605594] Code: d2800011 d65f03c0 b9808b22 910123e1 (b9400003)
> [ 7.605599] ---[ end trace 0000000000000000 ]---
Please trim the traces from all irrelevant information.
>
> Fixes: e6dec92308628 ("iommu/mediatek: Add mt2712 IOMMU support")
Add Cc stable.
> Signed-off-by: Jian Hui Lee <jianhui.lee@...onical.com>
> ---
> drivers/memory/mtk-smi.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c
> index 733e22f695ab..8eb043ff8280 100644
> --- a/drivers/memory/mtk-smi.c
> +++ b/drivers/memory/mtk-smi.c
> @@ -244,6 +244,10 @@ static int mtk_smi_larb_config_port_gen2_general(struct device *dev)
> struct arm_smccc_res res;
> int i;
>
> + /* larb->mmu and larb->bank are set in bind(), may not be ready yet */
And how do you synchronize this between CPUs? IOW, what certainty you
have that this CPU sees correct data and the checks below have any sense?
> + if (!larb->mmu || !larb->bank)
> + return 0;
> +
> if (BIT(larb->larbid) & larb->larb_gen->larb_direct_to_common_mask)
> return 0;
>
Best regards,
Krzysztof
Powered by blists - more mailing lists