Message-ID: <27889f60-87e8-13b0-9b50-5fcdc9c490c2@axis.com>
Date:   Tue, 17 Apr 2018 10:31:28 +0200
From:   Lars Persson <lars.persson@...s.com>
To:     <netdev@...r.kernel.org>
Subject: net: 4.9-stable regression in drivers/net/phy/micrel.c on 4.9.94

Hi

We run into a NULL pointer dereference crash when booting 4.9.94 on our
Artpec-6 board with stmmac ethernet and Micrel KSZ9031 phy.

I traced this to the patch d7ba3c00047d ("net: phy: micrel: Restore
led_mode and clk_sel on resume") that was added in 4.9.94. This patch
makes kszphy_resume() depend on the kszphy_priv object having been
created and this happens only for those Micrel PHYs that have a .probe
callback assigned. This is not the case for KSZ9031.

This is already fixed in later kernels by bfe72442578b ("net: phy:
micrel: fix crash when statistic requested for KSZ9031 phy") that assigns
a probe function for all Micrel PHYs that depend on the kszphy_priv existing.

Please consider applying this to the 4.9 stable tree.

Crash dump splat:
   Unable to handle kernel NULL pointer dereference at virtual address 00000008
   pgd = bd8bc000
   [00000008] *pgd=3d98e831, *pte=00000000, *ppte=00000000
   Internal error: Oops: 17 [#1] PREEMPT SMP ARM
   Modules linked in: e1000e nvmem_artpec6_efuse nvmem_core artpec6_trng(O) artpec6_lcpu(O)
   CPU: 0 PID: 216 Comm: netd Tainted: G           O    4.9.94-axis5-devel #1
   Hardware name: Axis ARTPEC-6 Platform
   task: bf344620 task.stack: bd10c000
   PC is at kszphy_config_reset+0x14/0x148
   LR is at kszphy_resume+0x1c/0x5c
   pc : [<804ad358>]    lr : [<804ad608>]    psr: 600c0113
   sp : bd10dd00  ip : ffff8dc7  fp : bf393200
   r10: 00000000  r9 : 00000002  r8 : 00000000
   r7 : bf3ad000  r6 : 00000000  r5 : bf086000  r4 : bf3ad400
   r3 : 00000001  r2 : 00000000  r1 : 00040003  r0 : bf3ad400
   Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
   Control: 10c5387d  Table: 3d8bc04a  DAC: 00000051
   Process netd (pid: 216, stack limit = 0xbd10c210)
   Stack: (0xbd10dd00 to 0xbd10e000)
   [<804ad358>] (kszphy_config_reset) from [<804ad608>] (kszphy_resume+0x1c/0x5c)
   [<804ad608>] (kszphy_resume) from [<804ab404>] (phy_attach_direct+0xbc/0x1c4)
   [<804ab404>] (phy_attach_direct) from [<804ab5a4>] (phy_connect_direct+0x1c/0x54)
   [<804ab5a4>] (phy_connect_direct) from [<80509278>] (of_phy_connect+0x40/0x68)
   [<80509278>] (of_phy_connect) from [<804ae4a4>] (stmmac_init_phy+0x50/0x1ec)
   [<804ae4a4>] (stmmac_init_phy) from [<804b25b0>] (stmmac_open+0x70/0xc90)
   [<804b25b0>] (stmmac_open) from [<80567b00>] (__dev_open+0xc4/0x140)
   [<80567b00>] (__dev_open) from [<80567dcc>] (__dev_change_flags+0x9c/0x14c)
   [<80567dcc>] (__dev_change_flags) from [<80567e9c>] (dev_change_flags+0x20/0x50)
   [<80567e9c>] (dev_change_flags) from [<805de4b0>] (devinet_ioctl+0x6d4/0x798)
   [<805de4b0>] (devinet_ioctl) from [<80548420>] (sock_ioctl+0x158/0x2e4)
   [<80548420>] (sock_ioctl) from [<80271884>] (do_vfs_ioctl+0xa8/0x974)
   [<80271884>] (do_vfs_ioctl) from [<802721c4>] (SyS_ioctl+0x74/0x84)
   [<802721c4>] (SyS_ioctl) from [<801087c0>] (ret_fast_syscall+0x0/0x48)
   Code: e52de004 e8bd4000 e1a04000 e59061d0 (e5d63008)
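
Added example, not part of the original message and not kernel code: a simplified C model of the failure described above, where a resume callback reads private data that only a .probe callback creates, plus a table audit that flags drivers left in that state. All model_* names and the table entries are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
/* Simplified model, NOT kernel code; every model_* name is hypothetical. */
struct model_priv { int led_mode; };
struct model_phydev { void *priv; };
struct model_driver {
    const char *name;
    int (*probe)(struct model_phydev *);  /* sets priv; NULL if absent */
    int (*resume)(struct model_phydev *);
    int resume_uses_priv;                 /* resume dereferences priv */
};

static struct model_priv model_storage = { .led_mode = 1 };
static int model_probe(struct model_phydev *dev) { dev->priv = &model_storage; return 0; }

/* Guarded resume: a missing priv becomes an error, not a NULL dereference. */
static int model_resume(struct model_phydev *dev)
{
    struct model_priv *priv = dev->priv;
    return priv ? priv->led_mode : -EINVAL;
}

/* Attach path as in the backtrace: resume runs whether or not probe did. */
static int model_attach(const struct model_driver *drv)
{
    struct model_phydev dev = { .priv = NULL };
    if (drv->probe && drv->probe(&dev))
        return -ENODEV;
    return drv->resume ? drv->resume(&dev) : 0;
}

/* Audit: count entries whose resume needs priv but have no probe to set it. */
static int model_audit(const struct model_driver *tbl, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += tbl[i].resume && tbl[i].resume_uses_priv && !tbl[i].probe;
    return bad;
}

/* Constructed table: the second entry mirrors the KSZ9031 situation. */
static const struct model_driver model_table[] = {
    { "with-probe", model_probe, model_resume, 1 },
    { "without-probe", NULL, model_resume, 1 },
};

int main(void) { return model_audit(model_table, 2) == 1 ? 0 : 1; }
```

The guard in model_resume only contains the fault; the commit named in the message takes the other route and assigns a probe function so the private data always exists.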
