Message-ID: <20251124200019.GIaSS5U9HhsWBotrQZ@fat_crate.local>
Date: Mon, 24 Nov 2025 21:00:19 +0100
From: Borislav Petkov <bp@...en8.de>
To: "Rafael J. Wysocki" <rafael@...nel.org>
Cc: x86-ml <x86@...nel.org>, lkml <linux-kernel@...r.kernel.org>
Subject: NULL ptr deref in acpi_idle_enter+0x46/0x100

Hey,

I'm seeing this on one of my old test boxes here with -rc7 + the whole tip
lineup.

[    2.968330] Initialise system trusted keyrings
[    2.973149] workingset: timestamp_bits=62 max_order=20 bucket_order=0
[    2.980130] 9p: Installing v9fs 9p2000 file system support
[    2.985963] Key type asymmetric registered
[    2.990178] Asymmetric key parser 'x509' registered
[    2.995213] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[    3.005889] ACPI: processor limited to max C-state 1

This might be relevant...

[    3.011766] BUG: kernel NULL pointer dereference, address: 0000000000000001
[    3.015317] #PF: supervisor read access in kernel mode
[    3.015317] #PF: error_code(0x0000) - not-present page
[    3.015317] PGD 0 P4D 0 
[    3.015317] Oops: Oops: 0000 [#1] SMP NOPTI
[    3.015317] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-rc7+ #1 PREEMPT(full) 
[    3.015317] Hardware name: MICRO-STAR INTERNATIONAL CO.,LTD MS-7599/870-C45 (MS-7599), BIOS V1.15 03/04/21
[    3.015317] RIP: 0010:acpi_idle_enter+0x46/0x100
[    3.015317] Code: 48 8d 04 c5 60 00 1c 83 48 8b 14 d5 40 8c 19 82 48 8b 2c 02 e8 7b ee ff ff 65 48 8b 35 6
[    3.015317] RSP: 0018:ffffffff82403e18 EFLAGS: 00010086
[    3.015317] RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffffffff819b196d
[    3.015317] RDX: ffff8881ac267000 RSI: ffff888100269c00 RDI: ffffffff82152352
[    3.015317] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[    3.015317] R10: 0000000000000000 R11: 000000008240d201 R12: ffff888100e74c00
[    3.015317] R13: ffffffff82bae2a0 R14: ffffffff82bae2a0 R15: 0000000000000000
[    3.015317] FS:  0000000000000000(0000) GS:ffff8881ac267000(0000) knlGS:0000000000000000
[    3.015317] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.015317] CR2: 0000000000000001 CR3: 000000000241a000 CR4: 00000000000006f0
[    3.015317] Call Trace:
[    3.015317]  <TASK>
[    3.015317]  cpuidle_enter_state+0xb0/0x4d0
[    3.015317]  cpuidle_enter+0x2d/0x40
[    3.015317]  do_idle+0x1b4/0x230
[    3.015317]  cpu_startup_entry+0x25/0x30
[    3.015317]  rest_init+0x14d/0x150
[    3.015317]  start_kernel+0x645/0x650
[    3.015317]  x86_64_start_reservations+0x20/0x20
[    3.015317]  x86_64_start_kernel+0xc3/0xd0
[    3.015317]  common_startup_64+0x12c/0x138
[    3.015317]  </TASK>
[    3.015317] Modules linked in:
[    3.015317] CR2: 0000000000000001
[    3.015317] ---[ end trace 0000000000000000 ]---


ffffffff81c0b6a0:       e8 7b ee ff ff          call   ffffffff81c0a520 <__this_cpu_preempt_check>
ffffffff81c0b6a5:       65 48 8b 35 a3 49 5b    mov    %gs:0x15b49a3(%rip),%rsi        # ffffffff831c0050 <processors>
ffffffff81c0b6ac:       01 
ffffffff81c0b6ad:       48 85 f6                test   %rsi,%rsi
ffffffff81c0b6b0:       0f 84 8a 00 00 00       je     ffffffff81c0b740 <acpi_idle_enter+0xd0>
ffffffff81c0b6b6:       0f b6 45 01             movzbl 0x1(%rbp),%eax

<--- here

ffffffff81c0b6ba:       3c 01                   cmp    $0x1,%al

which is:

# drivers/acpi/processor_idle.c:680: 	struct acpi_processor_cx *cx = per_cpu(acpi_cstate[index], dev->cpu);
# drivers/acpi/processor_idle.c:680: 	struct acpi_processor_cx *cx = per_cpu(acpi_cstate[index], dev->cpu);
	movq	(%rdx,%rax), %rbp	# *_26, cx
# drivers/acpi/processor_idle.c:683: 	pr = __this_cpu_read(processors);
	call	__this_cpu_preempt_check	#
# drivers/acpi/processor_idle.c:683: 	pr = __this_cpu_read(processors);
	movq	%gs:processors(%rip), %rsi	# processors, pscr_ret__
# drivers/acpi/processor_idle.c:684: 	if (unlikely(!pr))
	testq	%rsi, %rsi	# pscr_ret__
	je	.L175	#,
# drivers/acpi/processor_idle.c:687: 	if (cx->type != ACPI_STATE_C1) {
	movzbl	1(%rbp), %eax	# cx_27->type, _9
# drivers/acpi/processor_idle.c:687: 	if (cx->type != ACPI_STATE_C1) {
	cmpb	$1, %al	#, _9
	je	.L164	#,

Looks like that cx pointer is NULL (RBP is 0 and the fault address CR2 is 0x1, i.e. the one-byte load of cx->type at 1(%rbp)):

static int __cpuidle acpi_idle_enter(struct cpuidle_device *dev,
                           struct cpuidle_driver *drv, int index)
{
        struct acpi_processor_cx *cx = per_cpu(acpi_cstate[index], dev->cpu);
        struct acpi_processor *pr;
 
        pr = __this_cpu_read(processors);
        if (unlikely(!pr))
                return -EINVAL;
 
        if (cx->type != ACPI_STATE_C1) {
	   ^^^^^

I can try to bisect if you don't get any ideas from seeing this.

There might be some crap in tip too, who knows.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
