From: Benson Leung <bleung@google.com>
To: Alyssa Ross <hi@alyssa.is>
Cc: Benson Leung <bleung@chromium.org>,
	Prashant Malani <pmalani@chromium.org>,
	linux-kernel@vger.kernel.org
Subject: Re: Null pointer dereference in cros-ec-typec
Date: Tue, 18 Jan 2022 11:33:14 -0800
Message-ID: <YecV+rh/4rzygUbx@google.com>
In-Reply-To: <20220118163754.nfy53mfjpazgw2a2@eve>

Hi Alyssa,

Thanks for reaching out.

On Tue, Jan 18, 2022 at 04:37:54PM +0000, Alyssa Ross wrote:
> My distribution recently enabled the Chrome OS EC Type C control driver
> in its kernel builds.  On my Google Pixelbook i7 (eve), the driver reports
> a null pointer dereference at boot.  From what I can tell, this happens
> because typec->ec is set to NULL in cros_typec_probe.  Other drivers,
> like cros-usbpd-notify, appear to be set up to handle this case.  As a
> result of this bug, I'm no longer able to reboot my computer, because
> udevd hangs while trying to do something with the device whose driver
> isn't working.
> 

I've copied Prashant, who's the author of the typec driver as well as
cros-usbpd-notify.

Prashant, any thoughts on a more graceful failure out of the typec driver's
probe in case there's no ec object? 

> Here's the full Oops.  I was able to reproduce the issue with every
> kernel I tried, from 5.10 to mainline.
> 
> cros-usbpd-notify-acpi GOOG0003:00: Couldn't get Chrome EC device pointer.
> input: Intel Virtual Buttons as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input14
> BUG: kernel NULL pointer dereference, address: 00000000000000d8
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] SMP PTI
> CPU: 1 PID: 561 Comm: systemd-udevd Not tainted 5.15.12 #4
> Hardware name: Google Eve/Eve, BIOS MrChromebox-4.14 08/06/2021


Ah, here's the problem. It looks like this is a custom BIOS from Mr Chromebox,
so this is not a BIOS combination we validate at Google.

Thank you for the report. We'll look into fixing this and marking the fix
for stable kernels so that it goes back to 5.10.

Thanks,

Benson

> RIP: 0010:__mutex_lock+0x59/0x8c0
> Code: 53 48 89 cb 48 83 ec 70 89 75 9c be 3d 02 00 00 4c 89 45 90 e8 18 47 33 ff e8 e3 e2 ff ff 44 8b 35 a4 85 e8 02 45 85 f6 75 0a <4d> 3b 6d 68 0f 85 bf 07 00 00 65 ff 05 b6 5b 23 75 ff 75 90 4d 8d
> RSP: 0018:ffffb44580a4bb50 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
> RDX: 0000000000000000 RSI: ffffffff8bf91320 RDI: ffff922cbba50e20
> RBP: ffffb44580a4bbf0 R08: 0000000000000000 R09: ffff922c5bac8140
> R10: ffffb44580a4bc10 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000070 R14: 0000000000000000 R15: 0000000000000001
> FS:  00007f55338d6b40(0000) GS:ffff922fae200000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000000000d8 CR3: 000000011bbb2006 CR4: 00000000003706e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  ? fs_reclaim_acquire+0x4d/0xd0
>  ? lock_is_held_type+0xaa/0x120
>  ? cros_ec_cmd_xfer_status+0x1f/0x110
>  ? lock_is_held_type+0xaa/0x120
>  ? cros_ec_cmd_xfer_status+0x1f/0x110
>  cros_ec_cmd_xfer_status+0x1f/0x110
>  cros_typec_ec_command+0x91/0x1c0 [cros_ec_typec]
>  cros_typec_probe+0x7f/0x5a8 [cros_ec_typec]
>  platform_probe+0x3f/0x90
>  really_probe+0x1f5/0x3f0
>  __driver_probe_device+0xfe/0x180
>  driver_probe_device+0x1e/0x90
>  __driver_attach+0xc4/0x1d0
>  ? __device_attach_driver+0xe0/0xe0
>  ? __device_attach_driver+0xe0/0xe0
>  bus_for_each_dev+0x67/0x90
>  bus_add_driver+0x12e/0x1f0
>  driver_register+0x8f/0xe0
>  ? 0xffffffffc04ec000
>  do_one_initcall+0x67/0x320
>  ? rcu_read_lock_sched_held+0x3f/0x80
>  ? trace_kmalloc+0x38/0xe0
>  ? kmem_cache_alloc_trace+0x17c/0x2b0
>  do_init_module+0x5c/0x270
>  __do_sys_finit_module+0x95/0xe0
>  do_syscall_64+0x3b/0x90
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f55344b1f3d
> Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d bb ee 0e 00 f7 d8 64 89 01 48
> RSP: 002b:00007fff187f1388 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 000055a53acbe6e0 RCX: 00007f55344b1f3d
> RDX: 0000000000000000 RSI: 00007f553461732c RDI: 000000000000000e
> RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000002
> R10: 000000000000000e R11: 0000000000000246 R12: 00007f553461732c
> R13: 000055a53ad94010 R14: 0000000000000007 R15: 000055a53ad95690
>  </TASK>
> Modules linked in: fjes(+) cros_ec_typec(+) typec intel_vbtn(+) cros_usbpd_notify sparse_keymap soc_button_array int3403_thermal int340x_thermal_zone int3400_thermal acpi_thermal_rel cros_kbd_led_backlight zram ip_tables i915 hid_multitouch i2c_algo_bit ttm crct10dif_pclmul crc32_pclmul crc32c_intel drm_kms_helper nvme ghash_clmulni_intel sdhci_pci cqhci cec nvme_core sdhci serio_raw drm mmc_core i2c_hid_acpi i2c_hid video pinctrl_sunrisepoint fuse
> CR2: 00000000000000d8
> ---[ end trace 4a12c4896d70352b ]---



-- 
Benson Leung
Staff Software Engineer
Chrome OS Kernel
Google Inc.
bleung@google.com
Chromium OS Project
bleung@chromium.org
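
An added example (not part of the original message, and not code from the kernel or the Chrome OS project): a small Python triage helper that checks the quoted Oops for internal consistency by decoding the faulting instruction at the `<4d>` marker and comparing its effective address with CR2. The function names are hypothetical, the `Code:` line is shortened to the bytes around the marker, and the decoder handles only the REX + one-byte opcode + ModRM `[base+disp8]` form seen here.

```python
import re

# Lines copied from the Oops quoted above; the Code: line is shortened to the
# bytes around the <..> marker, which flags the faulting instruction's first byte.
OOPS = """\
BUG: kernel NULL pointer dereference, address: 00000000000000d8
RIP: 0010:__mutex_lock+0x59/0x8c0
Code: 45 85 f6 75 0a <4d> 3b 6d 68 0f 85 bf 07 00 00
R13: 0000000000000070 R14: 0000000000000000 R15: 0000000000000001
CR2: 00000000000000d8 CR3: 000000011bbb2006 CR4: 00000000003706e0
"""

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

def parse_oops(text):
    """Return (registers, bytes from the faulting instruction onwards)."""
    regs = {}
    for name, val in re.findall(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b", text):
        regs[re.sub(r"^r0(\d)$", r"r\1", name.lower())] = int(val, 16)  # R08 -> r8
    code = re.search(r"^Code: (.+)$", text, re.M).group(1).split()
    start = next(i for i, tok in enumerate(code) if tok.startswith("<"))
    return regs, [int(tok.strip("<>"), 16) for tok in code[start:]]

def decode_mem_operand(insn):
    """Decode [base+disp8] from optional REX + one-byte opcode + ModRM (no SIB)."""
    rex = insn[0] if 0x40 <= insn[0] <= 0x4F else 0
    i = 1 if rex else 0                      # insn[i] is the opcode (0x3b = CMP r, r/m)
    modrm, disp = insn[i + 1], insn[i + 2]
    mod, rm = modrm >> 6, modrm & 7
    if mod != 1 or rm == 4:
        raise ValueError("only the [base+disp8] form without SIB is handled")
    base = REG64[rm | ((rex & 1) << 3)]      # REX.B extends the base register
    return base, (disp - 256 if disp > 127 else disp)  # disp8 is signed

def triage(text):
    """Compare the decoded effective address with CR2 and flag NULL + small offset."""
    regs, insn = parse_oops(text)
    base, disp = decode_mem_operand(insn)
    effective = regs[base] + disp
    return {"base": base, "base_value": regs[base], "disp": disp,
            "effective": effective, "matches_cr2": effective == regs["cr2"],
            "null_plus_offset": regs[base] < 4096}  # base lies in the first page

if __name__ == "__main__":
    print(triage(OOPS))
```

For this Oops the operand decodes to `[r13+0x68]` with R13 = 0x70, giving 0xd8, the value in CR2. A base that small is what the address of a member inside a NULL structure pointer looks like, which is consistent with the reporter's reading that `typec->ec` was NULL.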
