* NULL pointer dereference in sony-laptop
From: Alessandro Guido @ 2011-03-31 17:28 UTC (permalink / raw)
To: malattia; +Cc: platform-driver-x86
With 2.6.39-rc1-00103-g6aba74f, trying to load the sony-laptop module leads to:
Mar 31 19:18:16 [kernel] BUG: unable to handle kernel NULL pointer dereference at (null)
Mar 31 19:18:16 [kernel] IP: [<f8021060>] sony_find_snc_handle+0x10/0x70 [sony_laptop]
Mar 31 19:18:16 [kernel] *pde = 00000000
Mar 31 19:18:16 [kernel] Modules linked in: sony_laptop(+)
Mar 31 19:18:16 [kernel] Pid: 1464, comm: modprobe Not tainted 2.6.39-rc1-00103-g6aba74f #1 Sony Corporation VGN-FS215S
Mar 31 19:18:16 [kernel] EIP: 0060:[<f8021060>] EFLAGS: 00010282 CPU: 0
Mar 31 19:18:16 [kernel] EIP is at sony_find_snc_handle+0x10/0x70 [sony_laptop]
Mar 31 19:18:16 [kernel] EAX: 0000012f EBX: 00000000 ECX: 00000000 EDX: 00000000
Mar 31 19:18:16 [kernel] ESI: f480fe04 EDI: f65d7400 EBP: 00000000 ESP: f480fdb0
Mar 31 19:18:16 [kernel] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Mar 31 19:18:16 [kernel] f80255cc f480fe04 f65d7400 f80255cc f8023126 f80255ed f80255d0 f80255cc
Mar 31 19:18:16 [kernel] f5c2ef60 f645e300 00000000 c10f35b5 f480fe18 f5c2ef00 f480fe18 c10f2dcc
Mar 31 19:18:16 [kernel] c10f2ad3 000041ed f6747e60 f5f671e0 f645e300 00000000 f65d7400 f8025840
Mar 31 19:18:16 [kernel] [<f8023126>] ? sony_nc_add+0x286/0x8b0 [sony_laptop]
Mar 31 19:18:16 [kernel] [<c10f35b5>] ? sysfs_do_create_link+0xc5/0x1f0
Mar 31 19:18:16 [kernel] [<c10f2dcc>] ? sysfs_add_one+0x1c/0xc0
Mar 31 19:18:16 [kernel] [<c10f2ad3>] ? sysfs_addrm_finish+0x13/0xa0
Mar 31 19:18:16 [kernel] [<c11820a2>] ? acpi_device_probe+0x37/0xee
Mar 31 19:18:16 [kernel] [<c11c6e15>] ? driver_probe_device+0x85/0x190
Mar 31 19:18:16 [kernel] [<c11824a1>] ? acpi_match_device_ids+0x27/0x4d
Mar 31 19:18:16 [kernel] [<c11c6f99>] ? __driver_attach+0x79/0x80
Mar 31 19:18:16 [kernel] [<c11c6f20>] ? driver_probe_device+0x190/0x190
Mar 31 19:18:16 [kernel] [<c11c608b>] ? bus_for_each_dev+0x4b/0x70
Mar 31 19:18:16 [kernel] [<c11c6b36>] ? driver_attach+0x16/0x20
Mar 31 19:18:16 [kernel] [<c11c6f20>] ? driver_probe_device+0x190/0x190
Mar 31 19:18:16 [kernel] [<c11c6827>] ? bus_add_driver+0x197/0x270
Mar 31 19:18:16 [kernel] [<c1181fdf>] ? acpi_device_hid+0x13/0x13
Mar 31 19:18:16 [kernel] [<c11c7497>] ? driver_register+0x57/0xf0
Mar 31 19:18:16 [kernel] [<f808104d>] ? sony_laptop_init+0x4d/0x79 [sony_laptop]
Mar 31 19:18:16 [kernel] [<c10011f3>] ? do_one_initcall+0x33/0x170
Mar 31 19:18:16 [kernel] [<c1042c3d>] ? __blocking_notifier_call_chain+0x4d/0x60
Mar 31 19:18:16 [kernel] [<f8081000>] ? 0xf8080fff
Mar 31 19:18:16 [kernel] [<c10523f1>] ? sys_init_module+0x151/0x1a50
Mar 31 19:18:16 [kernel] [<c10a38c9>] ? sys_close+0x69/0xe0
Mar 31 19:18:16 [kernel] [<c131d30c>] ? sysenter_do_call+0x12/0x22
Mar 31 19:18:16 [kernel] ---[ end trace aac6d83f93fcda93 ]---
* Re: NULL pointer dereference in sony-laptop
From: Mattia Dongili @ 2011-04-01 0:29 UTC (permalink / raw)
To: Alessandro Guido; +Cc: platform-driver-x86
Hi Alessandro,
On Thu, Mar 31, 2011 at 07:28:14PM +0200, Alessandro Guido wrote:
> With 2.6.39-rc1-00103-g6aba74f, trying to load the sony-laptop module leads to:
>
> Mar 31 19:18:16 [kernel] BUG: unable to handle kernel NULL pointer dereference at (null)
> Mar 31 19:18:16 [kernel] IP: [<f8021060>] sony_find_snc_handle+0x10/0x70 [sony_laptop]
> Mar 31 19:18:16 [kernel] *pde = 00000000
> Mar 31 19:18:16 [kernel] Modules linked in: sony_laptop(+)
> Mar 31 19:18:16 [kernel] Pid: 1464, comm: modprobe Not tainted 2.6.39-rc1-00103-g6aba74f #1 Sony Corporation VGN-FS215S
> Mar 31 19:18:16 [kernel] EIP: 0060:[<f8021060>] EFLAGS: 00010282 CPU: 0
> Mar 31 19:18:16 [kernel] EIP is at sony_find_snc_handle+0x10/0x70 [sony_laptop]
> Mar 31 19:18:16 [kernel] EAX: 0000012f EBX: 00000000 ECX: 00000000 EDX: 00000000
> Mar 31 19:18:16 [kernel] ESI: f480fe04 EDI: f65d7400 EBP: 00000000 ESP: f480fdb0
> Mar 31 19:18:16 [kernel] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> Mar 31 19:18:16 [kernel] f80255cc f480fe04 f65d7400 f80255cc f8023126 f80255ed f80255d0 f80255cc
> Mar 31 19:18:16 [kernel] f5c2ef60 f645e300 00000000 c10f35b5 f480fe18 f5c2ef00 f480fe18 c10f2dcc
> Mar 31 19:18:16 [kernel] c10f2ad3 000041ed f6747e60 f5f671e0 f645e300 00000000 f65d7400 f8025840
> Mar 31 19:18:16 [kernel] [<f8023126>] ? sony_nc_add+0x286/0x8b0 [sony_laptop]
I am under the impression that the SNC device gets a notification early
during initialization, when we still haven't read the available handles.
This patch should fix it, but if my thoughts are incorrect then it may
break something else later.
Give it a try and let me know (it may apply with a little fuzz).
Also, could you try to load the module with and without the patch using
the parameter debug=1?
diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
index cfe4493..bed6ebd 100644
--- a/drivers/platform/x86/sony-laptop.c
+++ b/drivers/platform/x86/sony-laptop.c
@@ -808,6 +808,11 @@ static int sony_nc_handles_cleanup(struct platform_device *pd)
static int sony_find_snc_handle(int handle)
{
int i;
+
+ /* not initialized yet, return early */
+ if (!handles)
+ return -1;
+
for (i = 0; i < 0x10; i++) {
if (handles->cap[i] == handle) {
dprintk("found handle 0x%.4x (offset: 0x%.2x)\n",
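Review bot: the early return reuses -1, which is presumably also the value the lookup returns when a handle is simply absent (the trailing context stops inside the loop, so the not-found return is not visible in this hunk), so callers such as sony_nc_add cannot tell "table not read yet" from "handle not supported". Since the cover note asks for debug=1 runs, a dprintk on the new early-return path, e.g. `dprintk("handles not initialized, dropping lookup for 0x%.4x\n", handle);`, would make the patched log show that an early notification was dropped rather than silently ignored.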
--
mattia
:wq!
* [RESEND] Re: NULL pointer dereference in sony-laptop
From: Alessandro Guido @ 2011-04-01 13:17 UTC (permalink / raw)
To: Mattia Dongili; +Cc: platform-driver-x86
[First try got blocked from platform-driver-x86 antispam filter]
On Fri, Apr 1, 2011 at 2:29 AM, Mattia Dongili <malattia@linux.it> wrote:
> Hi Alessandro,
>
> I am under the impression that the SNC device gets a notification early
> during initialization, when we still haven't read the available handles.
> This patch should fix it, but if my thoughts are incorrect then it may
> break something else later.
> Give it a try and let me know (it may apply with a little fuzz).
> Also, could you try to load the module with and without the patch using
> the parameter debug=1?
>
> diff --git a/drivers/platform/x86/sony-laptop.c
> b/drivers/platform/x86/sony-laptop.c
> index cfe4493..bed6ebd 100644
> --- a/drivers/platform/x86/sony-laptop.c
> +++ b/drivers/platform/x86/sony-laptop.c
> @@ -808,6 +808,11 @@ static int sony_nc_handles_cleanup(struct
> platform_device *pd)
> static int sony_find_snc_handle(int handle)
> {
> int i;
> +
> + /* not initialized yet, return early */
> + if (!handles)
> + return -1;
> +
> for (i = 0; i < 0x10; i++) {
> if (handles->cap[i] == handle) {
> dprintk("found handle 0x%.4x (offset: 0x%.2x)\n",
It works, thanks!
I've attached debug output from sony-laptop with and without the patch
as you requested.
[-- Attachment #2: patched.dmesg (application/octet-stream, 989 bytes) --]
sony-laptop: Sony Notebook Control Driver v0.6.
sony-laptop: method: name: GBRT, args 0
sony-laptop: method: name: SBRT, args 1
sony-laptop: method: name: GPBR, args 0
sony-laptop: method: name: SPBR, args 1
sony-laptop: method: name: PWAK, args 0
sony-laptop: method: name: GHKE, args 0
sony-laptop: method: name: GWDP, args 0
sony-laptop: method: name: GSNE, args 1
sony-laptop: method: name: SSNE, args 1
sony-laptop: method: name: CSXB, args 1
sony-laptop: method: name: SODV, args 1
sony-laptop: method: name: GDDI, args 0
sony-laptop: method: name: STCS, args 1
sony-laptop: method: name: RBMF, args 1
sony-laptop: method: name: RSBI, args 1
sony-laptop: method: name: CBMF, args 1
input: Sony Vaio Keys as /devices/LNXSYSTM:00/device:00/PNP0A03:00/device:18/SNY5001:00/input/input11
input: Sony Vaio Jogdial as /devices/virtual/input/input12
sony-laptop: Found brightness_default getter: GPBR
sony-laptop: Found brightness_default setter: SPBR
sony-laptop: Found fnkey getter: GHKE
[-- Attachment #3: unpatched.dmesg (application/octet-stream, 3169 bytes) --]
sony-laptop: Sony Notebook Control Driver v0.6.
sony-laptop: method: name: GBRT, args 0
sony-laptop: method: name: SBRT, args 1
sony-laptop: method: name: GPBR, args 0
sony-laptop: method: name: SPBR, args 1
sony-laptop: method: name: PWAK, args 0
sony-laptop: method: name: GHKE, args 0
sony-laptop: method: name: GWDP, args 0
sony-laptop: method: name: GSNE, args 1
sony-laptop: method: name: SSNE, args 1
sony-laptop: method: name: CSXB, args 1
sony-laptop: method: name: SODV, args 1
sony-laptop: method: name: GDDI, args 0
sony-laptop: method: name: STCS, args 1
sony-laptop: method: name: RBMF, args 1
sony-laptop: method: name: RSBI, args 1
sony-laptop: method: name: CBMF, args 1
input: Sony Vaio Keys as /devices/LNXSYSTM:00/device:00/PNP0A03:00/device:18/SNY5001:00/input/input11
input: Sony Vaio Jogdial as /devices/virtual/input/input12
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<f8021060>] sony_find_snc_handle+0x10/0x70 [sony_laptop]
*pde = 00000000
Oops: 0000 [#1] PREEMPT
last sysfs file: /sys/devices/platform/sony-laptop/uevent
Modules linked in: sony_laptop(+)
Pid: 1494, comm: modprobe Not tainted 2.6.39-rc1-00103-g6aba74f #3 Sony Corporation VGN-FS215S
EIP: 0060:[<f8021060>] EFLAGS: 00010282 CPU: 0
EIP is at sony_find_snc_handle+0x10/0x70 [sony_laptop]
EAX: 0000012f EBX: 00000000 ECX: 00000000 EDX: 00000000
ESI: f6559e04 EDI: f652f400 EBP: 00000000 ESP: f6559db0
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process modprobe (pid: 1494, ti=f6558000 task=f5d06a40 task.ti=f6558000)
Stack:
00000000 f6559e04 f652f400 00000000 f8023126 f8022900 00000000 00000000
00000000 f6512300 00000000 c10f35b5 f6559e18 f5c27f00 f6559e18 c10f2dcc
c10f2ad3 000041ed f6403c00 f5c268a0 f6512300 00000000 f652f400 f8025840
Call Trace:
[<f8023126>] ? sony_nc_add+0x286/0x8b0 [sony_laptop]
[<f8022900>] ? sony_nc_update_status_ng+0x30/0x30 [sony_laptop]
[<c10f35b5>] ? sysfs_do_create_link+0xc5/0x1f0
[<c10f2dcc>] ? sysfs_add_one+0x1c/0xc0
[<c10f2ad3>] ? sysfs_addrm_finish+0x13/0xa0
[<c11820a2>] ? acpi_device_probe+0x37/0xee
[<c11c6e15>] ? driver_probe_device+0x85/0x190
[<c11824a1>] ? acpi_match_device_ids+0x27/0x4d
[<c11c6f99>] ? __driver_attach+0x79/0x80
[<c11c6f20>] ? driver_probe_device+0x190/0x190
[<c11c608b>] ? bus_for_each_dev+0x4b/0x70
[<c11c6b36>] ? driver_attach+0x16/0x20
[<c11c6f20>] ? driver_probe_device+0x190/0x190
[<c11c6827>] ? bus_add_driver+0x197/0x270
[<c1181fdf>] ? acpi_device_hid+0x13/0x13
[<c11c7497>] ? driver_register+0x57/0xf0
[<f808104d>] ? sony_laptop_init+0x4d/0x79 [sony_laptop]
[<c10011f3>] ? do_one_initcall+0x33/0x170
[<c1042c3d>] ? __blocking_notifier_call_chain+0x4d/0x60
[<f8081000>] ? 0xf8080fff
[<c10523f1>] ? sys_init_module+0x151/0x1a50
[<c10a38c9>] ? sys_close+0x69/0xe0
[<c131d30c>] ? sysenter_do_call+0x12/0x22
Code: d0 c3 89 f6 8d bc 27 00 00 00 00 83 fa 01 b8 ea ff ff ff 0f 47 d0 eb e7 8d 76 00 53 31 db 83 ec 0c 8b 0d 6c 64 02 f8 8d 74 26 00 <0f> b7 14 59 39 c2 74 20 43 83 fb 10 75 f2 8b 15 14 64 02 f8 85
EIP: [<f8021060>] sony_find_snc_handle+0x10/0x70 [sony_laptop] SS:ESP 0068:f6559db0
CR2: 0000000000000000
---[ end trace 6fd3f5669318a954 ]---
* Re: NULL pointer dereference in sony-laptop
From: Matthew Garrett @ 2011-04-01 17:36 UTC (permalink / raw)
To: Mattia Dongili; +Cc: Alessandro Guido, platform-driver-x86
Looks good to me. I'll send this to Linus with a couple of other fixes.
--
Matthew Garrett | mjg59@srcf.ucam.org
* Re: NULL pointer dereference in sony-laptop
From: Mattia Dongili @ 2011-04-02 1:06 UTC (permalink / raw)
To: Matthew Garrett; +Cc: Alessandro Guido, platform-driver-x86
On Fri, Apr 01, 2011 at 06:36:19PM +0100, Matthew Garrett wrote:
> Looks good to me. I'll send this to Linus with a couple of other fixes.
OK, if you want the full commit as I have it here, here you go:
commit 5d2aa67eee2f55d34fb8be32b69886a49b93c3c1
Author: Mattia Dongili <malattia@linux.it>
Date: Fri Apr 1 10:01:41 2011 +0900
sony-laptop: fix early NULL pointer dereference
The SNC acpi driver could get early notifications before it fully
initializes and that could lead to dereferencing the sony_nc_handles
structure pointer that is still NULL at that stage.
Make sure we return early from the handle lookup function in these
cases.
Signed-off-by: Mattia Dongili <malattia@linux.it>
diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
index b2ce172..7082c55 100644
--- a/drivers/platform/x86/sony-laptop.c
+++ b/drivers/platform/x86/sony-laptop.c
@@ -810,6 +810,11 @@ static int sony_nc_handles_cleanup(struct platform_device *pd)
static int sony_find_snc_handle(int handle)
{
int i;
+
+ /* not initialized yet, return early */
+ if (!handles)
+ return -1;
+
for (i = 0; i < 0x10; i++) {
if (handles->cap[i] == handle) {
dprintk("found handle 0x%.4x (offset: 0x%.2x)\n",
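Review bot: the commit message carries only the Signed-off-by; it should also have Reported-by: and Tested-by: tags for Alessandro Guido, who reported the oops and confirmed with the debug=1 logs that the patched module loads cleanly. It would also help to state in the message that the guard is deliberately lossy: `if (!handles) return -1;` makes the lookup safe but does not re-deliver whatever the SNC device was signalling before the handle table was read, so a reader of the log knows that dropping the early notification is intended.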
--
mattia
:wq!
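To illustrate the ordering problem the commit message describes, a notification handled before the handle table has been read, together with the guarded lookup from the patch, here is an added example in C; it is constructed for this thread and is not the driver's code: the struct layout, the sample handle values and the notify/read helpers are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the driver's handle table: 0x10 capability slots,
 * matching the loop bound in the patch. The real struct is sony_nc_handles;
 * its layout here (just the cap[] array) is an assumption for the example. */
#define SNC_SLOTS 0x10
struct snc_handles { int cap[SNC_SLOTS]; };

/* Stays NULL until the probe routine has read the table from firmware. */
static struct snc_handles *handles;

/* Lookup with the patch's early return: offset of the handle, or -1 when
 * the handle is absent OR the table has not been read yet. */
int find_snc_handle(int handle)
{
	int i;

	if (!handles)          /* not initialized yet, return early */
		return -1;
	for (i = 0; i < SNC_SLOTS; i++)
		if (handles->cap[i] == handle)
			return i;
	return -1;
}

/* Stand-in for the SNC notification handler: before the fix this path
 * dereferenced the NULL table; with the guard it drops the event and
 * counts it so a debug run can show what was lost. */
static int dropped_events;
int snc_notify(int handle)
{
	int offset = find_snc_handle(handle);

	if (offset < 0)
		dropped_events++;
	return offset;
}
int snc_dropped_events(void) { return dropped_events; }

/* Constructed handle table; the values are sample handles, not those of
 * the reporter's VGN-FS215S. Models the "read the available handles"
 * step of initialization; returns 0 on success, -1 on allocation failure. */
int snc_read_handles(void)
{
	static const int sample[] = { 0x0101, 0x0124, 0x0131, 0x0143 };

	handles = calloc(1, sizeof(*handles));
	if (!handles)
		return -1;
	memcpy(handles->cap, sample, sizeof(sample));
	return 0;
}
```

The sequence that crashed the reporter's machine is a call to snc_notify() before snc_read_handles(); with the guard it returns -1 and increments the dropped counter instead of faulting at address 0.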