From: Peter Hurley <peter@hurleysoftware.com>
To: Vincent Donnefort <vdonnefort@gmail.com>
Cc: Lee Jones <lee.jones@linaro.org>,
Linus Walleij <linus.walleij@linaro.org>,
Linux kernel <linux-kernel@vger.kernel.org>
Subject: [3.15-rc3] BUG: null ptr dereference in ichx_gpio_request_regions()
Date: Wed, 07 May 2014 09:22:37 -0400
Message-ID: <536A339D.9030606@hurleysoftware.com>
Booting 3.15-rc3, I get this BUG when loading gpio_ich:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffffa042339c>] ichx_gpio_probe+0x28c/0x3d0 [gpio_ich]
usbcore: registered new interface driver btusb
PGD 2b04aa067 PUD 2af912067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: gpio_ich(+) btusb bluetooth psmouse snd i5400_edac ....
CPU: 3 PID: 1217 Comm: modprobe Not tainted 3.15.0-rc3+wip-xeon #rc3+wip
Hardware name: Dell Inc. Precision WorkStation T5400 /0RW203, BIOS A11 04/30/2012
task: ffff8802ae8448f0 ti: ffff8802b0d74000 task.ti: ffff8802b0d74000
RIP: 0010:[<ffffffffa042339c>] [<ffffffffa042339c>] ichx_gpio_probe+0x28c/0x3d0 [gpio_ich]
RSP: 0018:ffff8802b0d75b78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: ffffffff81c378a0
RBP: ffff8802b0d75bb8 R08: 0000000000000000 R09: ffff880036a0e2c8
R10: 0000000000005dc0 R11: 8000000000000000 R12: ffff880036a0e000
R13: ffff8800bad62bc0 R14: 0000000000000003 R15: 0000000000000000
FS: 00007fb9d38fa700(0000) GS:ffff8802bfcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000002af445000 CR4: 00000000000007e0
Stack:
ffff8802b0d75b98 ffff880036a0e010 ffff880036a0e020 ffff880036a0e010
ffffffffa0425028 ffffffffa0425028 0000000000000000 0000000000000001
ffff8802b0d75be8 ffffffff814793f2 ffff8802b0d75ca8 ffff880036a0e010
Call Trace:
[<ffffffff814793f2>] platform_drv_probe+0x32/0x80
[<ffffffff8147784b>] driver_probe_device+0x8b/0x3a0
[<ffffffff81477c0b>] __driver_attach+0xab/0xb0
[<ffffffff81477b60>] ? driver_probe_device+0x3a0/0x3a0
[<ffffffff8147586d>] bus_for_each_dev+0x5d/0xa0
[<ffffffff8147727e>] driver_attach+0x1e/0x20
[<ffffffff81476dd4>] bus_add_driver+0x124/0x250
[<ffffffffa029a000>] ? 0xffffffffa0299fff
[<ffffffff81478314>] driver_register+0x64/0xf0
[<ffffffffa029a000>] ? 0xffffffffa0299fff
[<ffffffff8147926a>] __platform_driver_register+0x4a/0x50
[<ffffffffa029a017>] ichx_gpio_driver_init+0x17/0x1000 [gpio_ich]
[<ffffffff8100032a>] do_one_initcall+0xda/0x180
[<ffffffff8103e733>] ? set_memory_nx+0x43/0x50
[<ffffffff816ffeec>] ? set_section_ro_nx+0x6d/0x75
[<ffffffff810cc9f9>] load_module+0x1d79/0x2770
[<ffffffff810c8690>] ? unset_module_init_ro_nx+0x80/0x80
[<ffffffff81172f80>] ? __vmalloc_node_range+0x170/0x250
[<ffffffff810cd479>] ? SyS_init_module+0x89/0x100
[<ffffffff810cd4a2>] SyS_init_module+0xb2/0x100
[<ffffffff81719ad2>] system_call_fastpath+0x16/0x1b
Code: c7 05 fd 1f 00 00 40 51 42 a0 e9 00 fe ff ff 48 8b 05 f1 1f 00 00 45 31 c0 48 c7 c7 a0 78 c3 81 48 8b 48 08 48 8b 50 10 48 63 c3 <0f> b6 34 01 4c 89 c9 0f b6 14 1a 49 03 75 00 4c 89 4d c8 e8 ec
RIP [<ffffffffa042339c>] ichx_gpio_probe+0x28c/0x3d0 [gpio_ich]
RSP <ffff8802b0d75b78>
CR2: 0000000000000000

This is almost certainly caused by the uninitialized regs ptr
in the ich6_desc struct (i3100_desc struct has the same problem)
introduced in this commit:

commit bb62a35bd5d96e506af0ea8dd145480b9172a2a6
Author: Vincent Donnefort <vdonnefort@gmail.com>
Date: Fri Feb 14 15:01:56 2014 +0100

    gpio: ich: Add support for multiple register addresses

    This patch introduces regs and reglen pointers which allow a chipset to have
    register addresses differing from ICH ones.

    Acked-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Vincent Donnefort <vdonnefort@gmail.com>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>

The relevant excerpts from the mixed listing are:

0000000000000110 <ichx_gpio_probe>:
<...snip...>
for (i = 0; i < ARRAY_SIZE(ichx_priv.desc->regs[0]); i++) {
if (!(use_gpio & (1 << i)))
continue;
if (!request_region(
380: 48 8b 05 00 00 00 00 mov 0x0(%rip),%rax # 387 <ichx_gpio_probe+0x277>
383: R_X86_64_PC32 .bss+0xb4
387: 45 31 c0 xor %r8d,%r8d
38a: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
38d: R_X86_64_32S ioport_resource
391: 48 8b 48 08 mov 0x8(%rax),%rcx
395: 48 8b 50 10 mov 0x10(%rax),%rdx
399: 48 63 c3 movslq %ebx,%rax
39c: 0f b6 34 01 movzbl (%rcx,%rax,1),%esi <===== FAULTING INSTN
3a0: 4c 89 c9 mov %r9,%rcx
3a3: 0f b6 14 1a movzbl (%rdx,%rbx,1),%edx
3a7: 49 03 75 00 add 0x0(%r13),%rsi
3ab: 4c 89 4d c8 mov %r9,-0x38(%rbp)
3af: e8 00 00 00 00 callq 3b4 <ichx_gpio_probe+0x2a4>
3b0: R_X86_64_PC32 __request_region-0x4
3b4: 4c 8b 4d c8 mov -0x38(%rbp),%r9
3b8: 48 85 c0 test %rax,%rax
3bb: 0f 85 17 fe ff ff jne 1d8 <ichx_gpio_probe+0xc8>
}
return 0;
request_err:
/* Clean up: release already requested regions, if any */
for (i--; i >= 0; i--) {
3c1: 41 83 ef 01 sub $0x1,%r15d
3c5: 41 83 ff ff cmp $0xffffffff,%r15d
3c9: 0f 84 d1 00 00 00 je 4a0 <ichx_gpio_probe+0x390>
if (!(use_gpio & (1 << i)))
3cf: 45 0f a3 fe bt %r15d,%r14d
3d3: 73 ec jae 3c1 <ichx_gpio_probe+0x2b1>
Regards,
Peter Hurley
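
Added example (not part of the original message): a Python cross-check of the triage above, using only values copied from the oops and the mixed listing. It maps the RIP offset to the listing address, locates the `<0f>`-marked byte in the Code: line, and decodes the ModRM/SIB operands of the faulting movzbl; the function names are this example's own.

```python
import re

# Values copied from the oops and the mixed listing in the message above.
OOPS_IP = "ichx_gpio_probe+0x28c/0x3d0"
SYMBOL_START = 0x110  # "0000000000000110 <ichx_gpio_probe>:"
CODE = ("c7 05 fd 1f 00 00 40 51 42 a0 e9 00 fe ff ff 48 8b 05 f1 1f 00 00 "
        "45 31 c0 48 c7 c7 a0 78 c3 81 48 8b 48 08 48 8b 50 10 48 63 c3 "
        "<0f> b6 34 01 4c 89 c9 0f b6 14 1a 49 03 75 00 4c 89 4d c8 e8 ec")
REGS = {"rax": 0x0, "rcx": 0x0}  # RAX and RCX from the register dump

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def listing_address(ip, symbol_start):
    """Map 'sym+0xOFF/0xLEN' to the address column of the objdump listing."""
    m = re.fullmatch(r"(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", ip)
    sym, off, length = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
    if off >= length:
        raise ValueError("offset lies outside the function")
    return sym, symbol_start + off


def faulting_bytes(code):
    """Return the bytes from the <xx>-marked byte (the faulting RIP) onward."""
    tokens = code.split()
    idx = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in tokens[idx:])


def decode_movzbl_sib(insn):
    """Decode 0f b6 /r with mod=00, rm=100 (SIB byte follows, no REX prefix)."""
    if insn[:2] != b"\x0f\xb6":
        raise ValueError("not a movzbl with a byte memory operand")
    modrm, sib = insn[2], insn[3]
    if modrm >> 6 != 0 or modrm & 7 != 4:
        raise ValueError("addressing form not handled by this example")
    base_n, index_n = sib & 7, (sib >> 3) & 7
    if base_n == 5 or index_n == 4:  # disp32-only base / no index
        raise ValueError("SIB special case not handled by this example")
    return REG64[base_n], REG64[index_n], 1 << (sib >> 6)


def fault_address(code, regs):
    """Effective address of the faulting load, from the dumped registers."""
    base, index, scale = decode_movzbl_sib(faulting_bytes(code))
    return base, index, regs[base] + regs[index] * scale
```

The result is listing address 0x39c and a load from (%rcx,%rax,1) = 0, which matches CR2; RCX was loaded at 391 from offset 0x8 of the pointer fetched at 380.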