* [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107
From: Jon Hunter @ 2018-11-12 13:24 UTC
To: Hans de Goede, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List
Hi Hans, Kalle,
Starting with next-20181107 I am seeing the following NULL pointer
dereference on Tegra (note the firmware is missing on this board) ...
[ 14.072883] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4329-sdio for chip BCM4329/3
[ 14.130287] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac4329-sdio.nvidia,cardhu-a04.txt failed with error -2
[ 14.156283] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac4329-sdio.txt failed with error -2
[ 14.177769] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 14.197303] pgd = 60bfa5f1
[ 14.211842] [00000008] *pgd=00000000
[ 14.227373] Internal error: Oops: 5 [#1] SMP ARM
[ 14.244244] Modules linked in: brcmfmac sha256_generic sha256_arm snd cfg80211 brcmutil soundcore snd_soc_tegra30_ahub tegra_wdt
[ 14.269109] CPU: 1 PID: 114 Comm: kworker/1:2 Not tainted 4.20.0-rc1-next-20181107-gd881de3 #1
[ 14.269114] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
[ 14.269154] Workqueue: events request_firmware_work_func
[ 14.269177] PC is at efivar_entry_size+0x28/0x90
[ 14.269362] LR is at brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac]
[ 14.269369] pc : [<c0c40718>] lr : [<bf2a3ef4>] psr: a00d0113
[ 14.269374] sp : ede7fe28 ip : ee983410 fp : c1787f30
[ 14.269378] r10: 00000000 r9 : 00000000 r8 : bf2b2258
[ 14.269384] r7 : ee983000 r6 : c1604c48 r5 : ede7fe88 r4 : edf337c0
[ 14.269389] r3 : 00000000 r2 : 00000000 r1 : ede7fe88 r0 : c17712c8
[ 14.269398] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 14.269404] Control: 10c5387d Table: ad16804a DAC: 00000051
[ 14.269417] Process kworker/1:2 (pid: 114, stack limit = 0x984bfbff)
[ 14.269423] Stack: (0xede7fe28 to 0xede80000)
[ 14.269434] fe20: 00000000 c1604c48 edf336e0 edf337c0 ee983000 c1604c48
[ 14.269447] fe40: edf336e0 bf2a3ef4 edf339db c0466bcc edf339c0 edd1417c edd14008 00000000
[ 14.269460] fe60: 006000c0 edf33b40 edf339c0 edf33250 c0f9110c edf33b40 c17db2d0 edf339c0
[ 14.269471] fe80: 00000000 edd14008 00000000 0076006e 00610072 0000006d edf33940 00000003
[ 14.269482] fea0: edf33980 c0923f84 edf33840 edf33940 edf33980 ede7ff1c c0f9110c c0924410
[ 14.269492] fec0: 7fffffff d9025ae9 00000001 edf337c0 00000000 ef7b9e00 edf33804 ef7bd000
[ 14.269512] fee0: 00000000 00000000 c1787f30 bf2a4438 ee952280 00000000 edf33800 ee952280
[ 14.678917] ff00: ef7b9e00 edf33804 ef7bd000 c0924738 00000000 00000003 00000001 edf33940
[ 14.678931] ff20: edf33800 c035ee0c ef7b9e00 ef7b9e18 ede7e018 ee952280 ef7b9e00 ef7b9e18
[ 14.720757] ff40: ede7e018 c17878b8 ee952294 c1603d00 00000008 c035f130 eea99d9c ede7e000
[ 14.720769] ff60: ee970740 c1603d00 eea99d9c eea99d80 ee970740 00000000 eea99d9c ee952280
[ 14.720785] ff80: c035f0f0 ee911ebc 00000000 c0364418 ee970740 c03642f0 00000000 00000000
[ 14.783682] ffa0: 00000000 00000000 00000000 c03010e8 00000000 00000000 00000000 00000000
[ 14.783693] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 14.783707] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[ 14.846132] [<c0c40718>] (efivar_entry_size) from [<bf2a3ef4>] (brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac])
[ 14.846253] [<bf2a3ef4>] (brcmf_fw_complete_request [brcmfmac]) from [<bf2a4438>] (brcmf_fw_request_done+0x68/0x11c [brcmfmac])
[ 14.893363] [<bf2a4438>] (brcmf_fw_request_done [brcmfmac]) from [<c0924738>] (request_firmware_work_func+0x40/0x68)
[ 14.893396] [<c0924738>] (request_firmware_work_func) from [<c035ee0c>] (process_one_work+0x164/0x448)
[ 14.939206] [<c035ee0c>] (process_one_work) from [<c035f130>] (worker_thread+0x40/0x524)
[ 14.939228] [<c035f130>] (worker_thread) from [<c0364418>] (kthread+0x128/0x158)
[ 14.981096] [<c0364418>] (kthread) from [<c03010e8>] (ret_from_fork+0x14/0x2c)
[ 14.981102] Exception stack(0xede7ffb0 to 0xede7fff8)
[ 14.981112] ffa0: 00000000 00000000 00000000 00000000
[ 15.041390] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 15.041399] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 15.041415] Code: e1a07000 e30102c8 e34c0177 e1a05001 (e5926008)
[ 15.041491] ---[ end trace 06697c36d390de92 ]---
* Re: [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107
From: Jon Hunter @ 2018-11-12 13:25 UTC
To: Hans de Goede, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List

I forgot to mention the critical piece of information that the bisect
points to ...

commit ce2e6db554fad444fa0b3904fc3015336e0ef765
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Thu Oct 11 11:51:06 2018 +0200

    brcmfmac: Add support for getting nvram contents from EFI variables

Cheers,
Jon

On 12/11/2018 13:24, Jon Hunter wrote:
> Hi Hans, Kalle,
>
> Starting with next-20181107 I am seeing the following NULL pointer
> dereference on Tegra (note the firmware is missing on this board) ...
>
> [...]
* Re: [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107
From: Arend van Spriel @ 2018-11-13 10:24 UTC
To: Jon Hunter, Hans de Goede, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

+ Ard as this involves EFI.

On 11/12/2018 2:24 PM, Jon Hunter wrote:
> Hi Hans, Kalle,
>
> Starting with next-20181107 I am seeing the following NULL pointer
> dereference on Tegra (note the firmware is missing on this board) ...
>
> [...]
> [ 14.269177] PC is at efivar_entry_size+0x28/0x90
> [ 14.269362] LR is at brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac]
> [...]
> [ 14.269389] r3 : 00000000 r2 : 00000000 r1 : ede7fe88 r0 : c17712c8

Hi Jon,

I tried building drivers/firmware/efi/vars.c using tegra_defconfig. Had
to enable CONFIG_EFI. So the null pointer access is at 0x00000008 so I
looked at the disassembly below:

int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
{
 310:   e1a05001        mov     r5, r1
        const struct efivar_operations *ops = __efivars->ops;
==>  314:   e5936008        ldr     r6, [r3, #8]

So I think __efivars is NULL on your platform. It is private to the
source file. Not sure how the driver should deal with this. Maybe use
efi_enabled() but not sure what feature to use. My best bet would be
EFI_RUNTIME_SERVICES.

        efi_status_t status;

        *size = 0;
 318:   e3a03000        mov     r3, #0
 31c:   e5813000        str     r3, [r1]

        if (down_interruptible(&efivars_lock))
 320:   ebfffffe        bl      0 <down_interruptible>
 324:   e2504000        subs    r4, r0, #0
 328:   1a000012        bne     378 <efivar_entry_size+0x80>
                return -EINTR;
        status = ops->get_variable(entry->var.VariableName,

Regards,
Arend

> [...]
* Re: [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107
From: Arend van Spriel @ 2018-11-13 10:33 UTC
To: Jon Hunter, Hans de Goede, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

On 11/13/2018 11:24 AM, Arend van Spriel wrote:
> + Ard as this involves EFI.
>
> On 11/12/2018 2:24 PM, Jon Hunter wrote:
>> Hi Hans, Kalle,
>>
>> Starting with next-20181107 I am seeing the following NULL pointer
>> dereference on Tegra (note the firmware is missing on this board) ...
>>
>> [...]
>
> Hi Jon,
>
> I tried building drivers/firmware/efi/vars.c using tegra_defconfig. Had
> to enable CONFIG_EFI. So the null pointer access is at 0x00000008 so I
> looked at the disassembly below:
>
> int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
> {
>  310:   e1a05001        mov     r5, r1
>         const struct efivar_operations *ops = __efivars->ops;
> ==>  314:   e5936008        ldr     r6, [r3, #8]
>
> So I think __efivars is NULL on your platform. It is private to the
> source file. Not sure how the driver should deal with this. Maybe use
> efi_enabled() but not sure what feature to use. My best bet would be
> EFI_RUNTIME_SERVICES.

Another API function to check could be efivars_kobject(), which returns
NULL if __efivars is NULL.

Regards,
Arend
* Re: [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107
From: Hans de Goede @ 2018-11-13 10:40 UTC
To: Arend van Spriel, Jon Hunter, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

Hi,

On 13-11-18 11:24, Arend van Spriel wrote:
> + Ard as this involves EFI.
>
> On 11/12/2018 2:24 PM, Jon Hunter wrote:
>> Hi Hans, Kalle,
>>
>> Starting with next-20181107 I am seeing the following NULL pointer
>> dereference on Tegra (note the firmware is missing on this board) ...
>>
>> [...]
>
> Hi Jon,
>
> I tried building drivers/firmware/efi/vars.c using tegra_defconfig. Had
> to enable CONFIG_EFI. So the null pointer access is at 0x00000008 so I
> looked at the disassembly below:
>
> int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
> {
>  310:   e1a05001        mov     r5, r1
>         const struct efivar_operations *ops = __efivars->ops;
> ==>  314:   e5936008        ldr     r6, [r3, #8]
>
> So I think __efivars is NULL on your platform. It is private to the
> source file. Not sure how the driver should deal with this. Maybe use
> efi_enabled() but not sure what feature to use. My best bet would be
> EFI_RUNTIME_SERVICES.

Ah right, thank you for catching this, I had looking into this
on my TODO list, but you beat me to it.

IMHO the best fix here would be to modify efivar_entry_size(),
adding:

        if (!ops)
                return -ENOENT;

Which makes it return the same error as when we do have efivar
support but the requested variable is not found.

Regards,

Hans
* Re: [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107
From: Arend van Spriel @ 2018-11-13 10:45 UTC
To: Hans de Goede, Jon Hunter, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

On 11/13/2018 11:40 AM, Hans de Goede wrote:
> Hi,
>
> On 13-11-18 11:24, Arend van Spriel wrote:
>> + Ard as this involves EFI.
>>
>> [...]
>>
>> So I think __efivars is NULL on your platform. It is private to the
>> source file. Not sure how the driver should deal with this. Maybe use
>> efi_enabled() but not sure what feature to use. My best bet would be
>> EFI_RUNTIME_SERVICES.
>
> Ah right, thank you for catching this, I had looking into this
> on my TODO list, but you beat me to it.
>
> IMHO the best fix here would be to modify efivar_entry_size(),
> adding:
>
>         if (!ops)
>                 return -ENOENT;
>
> Which makes it return the same error as when we do have efivar
> support but the requested variable is not found.

That was my first thought, but I just wanted Jon to try modifying
brcmfmac and confirm. I can create a patch like above and maybe a patch
adding sanity checks in efivars_register().

Regards,
Arend
* Re: [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107
From: Jon Hunter @ 2018-11-13 13:21 UTC
To: Hans de Goede, Arend van Spriel, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

On 13/11/2018 10:40, Hans de Goede wrote:
> Hi,
>
> On 13-11-18 11:24, Arend van Spriel wrote:
>> + Ard as this involves EFI.
>>
>> [...]
>>
>> So I think __efivars is NULL on your platform. It is private to the
>> source file. Not sure how the driver should deal with this. Maybe use
>> efi_enabled() but not sure what feature to use. My best bet would be
>> EFI_RUNTIME_SERVICES.
>
> Ah right, thank you for catching this, I had looking into this
> on my TODO list, but you beat me to it.
>
> IMHO the best fix here would be to modify efivar_entry_size(),
> adding:
>
>         if (!ops)
>                 return -ENOENT;
>
> Which makes it return the same error as when we do have efivar
> support but the requested variable is not found.

So the above did not work. I see a patch from Arend and I will give this
a try.

Cheers
Jon

--
nvpublic
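Why the `if (!ops)` variant cannot work while a check on `__efivars` itself does, shown with a constructed stand-alone model of the efivars registry (example code added for this thread, not the kernel's vars.c or brcmfmac; the fake EFI backend, the "nvram" variable, and the status-to-errno mapping are all constructed).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, stand-alone model of the efivars registry in
 * drivers/firmware/efi/vars.c: names follow the kernel's, the bodies are
 * simplified example code, not the kernel source. */
typedef uint16_t efi_char16_t;
typedef unsigned long efi_status_t;
#define EFI_SUCCESS          0UL
#define EFI_BUFFER_TOO_SMALL 5UL
#define EFI_NOT_FOUND        14UL

struct efivar_operations {
    /* Size probe: called with *size == 0, expected to answer
     * EFI_BUFFER_TOO_SMALL with the variable's length stored in *size. */
    efi_status_t (*get_variable)(const efi_char16_t *name,
                                 unsigned long *size, void *data);
};
struct efivars { const struct efivar_operations *ops; };
struct efivar_entry { const efi_char16_t *name; };

/* NULL on a platform without EFI runtime services, the state the Tegra
 * board in the thread was in when brcmfmac called in. */
static struct efivars *__efivars;

void efivars_register(struct efivars *efivars) { __efivars = efivars; }
void efivars_unregister(void) { __efivars = NULL; }

/*
 * efivar_entry_size() with the registry checked before it is touched.
 * The first suggestion in the thread,
 *     ops = __efivars->ops;  if (!ops) return -ENOENT;
 * cannot help: with __efivars == NULL the load of __efivars->ops is the
 * faulting access itself, so `ops` is never inspected. The guard has to
 * test __efivars first, as Jon's follow-up patch does.
 */
int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
{
    const struct efivar_operations *ops;
    efi_status_t status;

    if (!__efivars || !__efivars->ops)
        return -ENOENT;         /* same error as "variable not found" */

    ops = __efivars->ops;
    *size = 0;
    status = ops->get_variable(entry->name, size, NULL);
    if (status == EFI_BUFFER_TOO_SMALL)
        return 0;               /* *size now holds the variable length */
    return status == EFI_NOT_FOUND ? -ENOENT : -EINVAL;
}

/* Constructed EFI backend exposing one 128-byte variable named "nvram". */
static const efi_char16_t NVRAM_NAME[] = { 'n', 'v', 'r', 'a', 'm', 0 };

static int name_eq(const efi_char16_t *a, const efi_char16_t *b)
{
    while (*a && *a == *b) { a++; b++; }
    return *a == *b;
}

static efi_status_t fake_get_variable(const efi_char16_t *name,
                                      unsigned long *size, void *data)
{
    (void)data;
    if (!name_eq(name, NVRAM_NAME))
        return EFI_NOT_FOUND;
    if (*size < 128) {
        *size = 128;
        return EFI_BUFFER_TOO_SMALL;
    }
    return EFI_SUCCESS;
}

static const struct efivar_operations fake_ops = {
    .get_variable = fake_get_variable,
};
static struct efivars fake_efivars = { .ops = &fake_ops };

/* Driver-side view: the result a caller such as brcmfmac's nvram lookup
 * sees with and without a registered EFI backend. */
int probe_nvram_size(int efi_present, const efi_char16_t *name,
                     unsigned long *size)
{
    struct efivar_entry entry = { .name = name };
    int ret;

    if (efi_present)
        efivars_register(&fake_efivars);
    else
        efivars_unregister();
    ret = efivar_entry_size(&entry, size);
    efivars_unregister();
    return ret;
}
```

With no backend registered the lookup fails with -ENOENT instead of faulting, which is exactly the case the Tegra board exercised.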
* Re: [REGRESSION] brcmfmac: NULL pointer deference starting next-20181107
2018-11-13 13:21 ` Jon Hunter
@ 2018-11-13 13:32 ` Jon Hunter
2018-11-13 13:32 ` Hans de Goede
1 sibling, 0 replies; 10+ messages in thread
From: Jon Hunter @ 2018-11-13 13:32 UTC (permalink / raw)
To: Hans de Goede, Arend van Spriel, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

On 13/11/2018 13:21, Jon Hunter wrote:

...

>> IMHO the best fix here would be to modify efivar_entry_size(),
>> adding:
>>
>> if (!ops)
>> return -ENOENT;
>>
>> Which makes it return the same error as when we do have efivar
>> support but the requested variable is not found.
>
> So the above did not work. I see a patch from Arend and I will give this
> a try.

FWIW, this did work ...

diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c
index 9336ffdf6e2c..8181e548f32b 100644
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@@ -829,9 +829,14 @@ struct efivar_entry *efivar_entry_find(efi_char16_t *name, efi_guid_t guid,
  */
 int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	efi_status_t status;
 
+	if (!__efivars || !__efivars->ops)
+		return -ENOENT;
+
+	ops = __efivars->ops;
+
 	*size = 0;
 
 	if (down_interruptible(&efivars_lock))

I will let you know about Arend's patch as well.

Jon

--
nvpublic

^ permalink raw reply related [flat|nested] 10+ messages in thread
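Review bot: the ordering in the added lines `+ if (!__efivars || !__efivars->ops) return -ENOENT;` is the important part, and it explains why the earlier `if (!ops)` suggestion could not work: with `ops = __efivars->ops` in the declaration, the NULL read (the `ldr r6, [r3, #8]` at offset 8 in Arend's disassembly) happens before any test can run. Two points to settle before this goes in. First, -ENOENT now means both "no EFI variable backend registered" and "variable not found"; a one-line comment above the check saying that this is deliberate (Hans's rationale upthread) would spare the next reader a trip through git blame. Second, the lookup only makes sense when EFI runtime services exist, so the brcmfmac caller could also skip the call when !efi_enabled(EFI_RUNTIME_SERVICES), as Arend proposed, and take the firmware fallback path without touching efivars at all; the two guards are complementary rather than alternatives. Since the thread notes the crash reproduces with multi_v7_defconfig (CONFIG_EFI=y) but not with tegra_defconfig, the commit message should say which config the fix was verified on.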
* Re: [REGRESSION] brcmfmac: NULL pointer deference starting next-20181107
2018-11-13 13:21 ` Jon Hunter
2018-11-13 13:32 ` Jon Hunter
@ 2018-11-13 13:32 ` Hans de Goede
1 sibling, 0 replies; 10+ messages in thread
From: Hans de Goede @ 2018-11-13 13:32 UTC (permalink / raw)
To: Jon Hunter, Arend van Spriel, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

Hi,

On 13-11-18 14:21, Jon Hunter wrote:
>
> On 13/11/2018 10:40, Hans de Goede wrote:
>> Hi,
>>
>> On 13-11-18 11:24, Arend van Spriel wrote:
>>> + Ard as this involves EFI.
>>>
>>> On 11/12/2018 2:24 PM, Jon Hunter wrote:
>>>> Hi Hans, Kalle,
>>>>
>>>> Starting with next-20181107 I am seeing the following NULL pointer
>>>> dereference on Tegra (note the firmware is missing on this board) ...
>>>>
>>>> [ 14.072883] brcmfmac: brcmf_fw_alloc_request: using
>>>> brcm/brcmfmac4329-sdio for chip BCM4329/3
>>>> [ 14.130287] brcmfmac mmc1:0001:1: Direct firmware load for
>>>> brcm/brcmfmac4329-sdio.nvidia,cardhu-a04.txt failed with error -2
>>>> [ 14.156283] brcmfmac mmc1:0001:1: Direct firmware load for
>>>> brcm/brcmfmac4329-sdio.txt failed with error -2
>>>> [ 14.177769] Unable to handle kernel NULL pointer dereference at
>>>> virtual address 00000008
>>>> [ 14.197303] pgd = 60bfa5f1
>>>> [ 14.211842] [00000008] *pgd=00000000
>>>> [ 14.227373] Internal error: Oops: 5 [#1] SMP ARM
>>>> [ 14.244244] Modules linked in: brcmfmac sha256_generic sha256_arm
>>>> snd cfg80211 brcmutil soundcore snd_soc_tegra30_ahub tegra_wdt
>>>> [ 14.269109] CPU: 1 PID: 114 Comm: kworker/1:2 Not tainted
>>>> 4.20.0-rc1-next-20181107-gd881de3 #1
>>>> [ 14.269114] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
>>>> [ 14.269154] Workqueue: events request_firmware_work_func
>>>> [ 14.269177] PC is at efivar_entry_size+0x28/0x90
>>>> [ 14.269362] LR is at brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac]
>>>> [ 14.269369] pc : [<c0c40718>] lr : [<bf2a3ef4>] psr: a00d0113
>>>> [ 14.269374] sp : ede7fe28 ip : ee983410 fp : c1787f30
>>>> [ 14.269378] r10: 00000000 r9 : 00000000 r8 : bf2b2258
>>>> [ 14.269384] r7 : ee983000 r6 : c1604c48 r5 : ede7fe88 r4 : edf337c0
>>>> [ 14.269389] r3 : 00000000 r2 : 00000000 r1 : ede7fe88 r0 : c17712c8
>>>>
>>>
>>> Hi Jon,
>>>
>>> I tried building drivers/firmware/efi/vars.c using tegra_defconfig.
>>> Had to enable CONFIG_EFI. So the null pointer access is a 0x00000008
>>> so I looked at the disassembly below:
>>>
>>> int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
>>> {
>>> 310: e1a05001 mov r5, r1
>>> const struct efivar_operations *ops = __efivars->ops;
>>> ==> 314: e5936008 ldr r6, [r3, #8]
>>>
>>> So I think __efivars is NULL on your platform. It is private to the
>>> source file. Not sure how the driver should deal with this. Maybe use
>>> efi_enabled() but not sure what feature to use. My best bet would be
>>> EFI_RUNTIME_SERVICES.
>>
>> Ah right, thank you for catching this; looking into this was
>> on my TODO list, but you beat me to it.
>>
>> IMHO the best fix here would be to modify efivar_entry_size(),
>> adding:
>>
>> if (!ops)
>> return -ENOENT;
>>
>> Which makes it return the same error as when we do have efivar
>> support but the requested variable is not found.
>
> So the above did not work. I see a patch from Arend and I will give this
> a try.

Ah right, looking at Arend's patch my little snippet got the test wrong.
Hopefully Arend's patch will fix things.

Regards,

Hans

^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [REGRESSION] brcmfmac: NULL pointer deference starting next-20181107
2018-11-13 10:24 ` Arend van Spriel
[not found] ` <9f72ac4f-a83a-7af7-3c26-b1ced6d98653-dY08KVG/lbpWk0Htik3J/w@public.gmane.org>
@ 2018-11-13 11:29 ` Jon Hunter
1 sibling, 0 replies; 10+ messages in thread
From: Jon Hunter @ 2018-11-13 11:29 UTC (permalink / raw)
To: Arend van Spriel, Hans de Goede, Kalle Valo, linux-tegra, linux-wireless,
Linux Kernel Mailing List, Ard Biesheuvel

Hi Arend,

On 13/11/2018 10:24, Arend van Spriel wrote:

...

> I tried building drivers/firmware/efi/vars.c using tegra_defconfig. Had
> to enable CONFIG_EFI. So the null pointer access is a 0x00000008 so I
> looked at the disassembly below:
>
> int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
> {
> 310: e1a05001 mov r5, r1
> const struct efivar_operations *ops = __efivars->ops;
> ==> 314: e5936008 ldr r6, [r3, #8]
>
> So I think __efivars is NULL on your platform. It is private to the
> source file. Not sure how the driver should deal with this. Maybe use
> efi_enabled() but not sure what feature to use. My best bet would be
> EFI_RUNTIME_SERVICES.
>
> efi_status_t status;
>
> *size = 0;
> 318: e3a03000 mov r3, #0
> 31c: e5813000 str r3, [r1]
>
> if (down_interruptible(&efivars_lock))
> 320: ebfffffe bl 0 <down_interruptible>
> 324: e2504000 subs r4, r0, #0
> 328: 1a000012 bne 378 <efivar_entry_size+0x80>
> return -EINTR;
> status = ops->get_variable(entry->var.VariableName,

So actually, I am seeing the crash with the 'multi_v7_defconfig' and I
don't see it with the 'tegra_defconfig' (probably because CONFIG_EFI is
not enabled).

Cheers
Jon

--
nvpublic

^ permalink raw reply [flat|nested] 10+ messages in thread
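The two guards discussed in this thread, the check on the private registration pointer inside efivar_entry_size() and the efi_enabled(EFI_RUNTIME_SERVICES) gate on the caller side, modelled as a small userspace program. This is an added example, not kernel code and not Arend's or Jon's patch: __efivars, efivar_entry_size(), efi_enabled() and the variable backend are stand-ins with narrowed signatures so the control flow compiles and runs without a kernel, and the names nvram_size_from_efi, efi_set_runtime_services and fake_* are hypothetical.

```c
/* Userspace model of the efivars NULL-registration guard. Stand-ins only;
 * the real efivar_operations::get_variable also takes a GUID and attrs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENOENT 2
#define EIO    5
#define EFI_RUNTIME_SERVICES 3          /* stand-in feature bit */

typedef unsigned long efi_status_t;
#define EFI_SUCCESS          0UL
#define EFI_BUFFER_TOO_SMALL 5UL
#define EFI_NOT_FOUND        14UL
typedef uint16_t efi_char16_t;

struct efivar_operations {
	efi_status_t (*get_variable)(const efi_char16_t *name,
				     unsigned long *size, void *data);
};
struct efivars { const struct efivar_operations *ops; };
struct efivar_entry { const efi_char16_t *name; };

/* File-private registration pointer, as in drivers/firmware/efi/vars.c.
 * It stays NULL on a CONFIG_EFI=y kernel that did not boot via EFI,
 * which is the Tegra case in the thread. */
static struct efivars *__efivars;
static unsigned long efi_flags;

void efivars_register(struct efivars *e) { __efivars = e; }
void efivars_unregister(void) { __efivars = NULL; }
void efi_set_runtime_services(int on)
{
	if (on)
		efi_flags |= 1UL << EFI_RUNTIME_SERVICES;
	else
		efi_flags &= ~(1UL << EFI_RUNTIME_SERVICES);
}
int efi_enabled(int feature) { return (efi_flags >> feature) & 1; }

static int efi_status_to_err(efi_status_t s)
{
	return s == EFI_NOT_FOUND ? -ENOENT : -EIO;
}

/* Hardened form. Testing 'ops' after 'ops = __efivars->ops' (the first
 * suggestion in the thread) is too late: that assignment is the load at
 * offset 8 from a NULL base seen in the disassembly. Check __efivars first. */
int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
{
	const struct efivar_operations *ops;
	efi_status_t status;

	if (!__efivars || !__efivars->ops)
		return -ENOENT;		/* same error as "variable not found" */
	ops = __efivars->ops;

	*size = 0;
	status = ops->get_variable(entry->name, size, NULL);
	if (status != EFI_BUFFER_TOO_SMALL)	/* size query, no buffer */
		return efi_status_to_err(status);
	return 0;
}

/* Caller-side alternative raised in the thread: do not call into efivars
 * at all unless EFI runtime services are available. Hypothetical name. */
int nvram_size_from_efi(const efi_char16_t *name, unsigned long *size)
{
	struct efivar_entry entry = { .name = name };

	if (!efi_enabled(EFI_RUNTIME_SERVICES))
		return -ENOENT;
	return efivar_entry_size(&entry, size);
}

/* Constructed backend: knows exactly one 64-byte variable, "nvram". */
static const efi_char16_t fake_nvram_name[] = { 'n', 'v', 'r', 'a', 'm', 0 };

static efi_status_t fake_get_variable(const efi_char16_t *name,
				      unsigned long *size, void *data)
{
	size_t n = 0;

	(void)data;
	while (name[n] && name[n] == fake_nvram_name[n])
		n++;
	if (name[n] != fake_nvram_name[n])
		return EFI_NOT_FOUND;
	*size = 64;
	return EFI_BUFFER_TOO_SMALL;
}
static const struct efivar_operations fake_ops = { .get_variable = fake_get_variable };
static struct efivars fake_efivars = { .ops = &fake_ops };

int main(void)
{
	unsigned long size = 0;
	struct efivar_entry entry = { .name = fake_nvram_name };

	/* 1. Nothing registered: the pre-fix code would oops here. */
	printf("unregistered: %d\n", efivar_entry_size(&entry, &size));
	/* 2. Backend registered and EFI runtime services enabled. */
	efivars_register(&fake_efivars);
	efi_set_runtime_services(1);
	printf("registered: %d, size %lu\n",
	       nvram_size_from_efi(fake_nvram_name, &size), size);
	return 0;
}
```

The first scenario is the one from the oops: efivar_entry_size() is reached with no backend registered and must fail cleanly with -ENOENT rather than dereference NULL. The caller-side gate is kept separate on purpose; it lets the driver skip the EFI lookup entirely on non-EFI boots, while the in-function check still protects any other caller that reaches efivar_entry_size() directly.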
Thread overview: 10+ messages
2018-11-12 13:24 [REGRESSION] brcmfmac: NULL pointer deference starting next-20181107 Jon Hunter
2018-11-12 13:25 ` Jon Hunter
[not found] ` <dbc5e8f9-6f14-77d2-be2a-f0738e13b773-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
2018-11-13 10:24 ` Arend van Spriel
[not found] ` <9f72ac4f-a83a-7af7-3c26-b1ced6d98653-dY08KVG/lbpWk0Htik3J/w@public.gmane.org>
2018-11-13 10:33 ` Arend van Spriel
2018-11-13 10:40 ` Hans de Goede
2018-11-13 10:45 ` Arend van Spriel
2018-11-13 13:21 ` Jon Hunter
2018-11-13 13:32 ` Jon Hunter
2018-11-13 13:32 ` Hans de Goede
2018-11-13 11:29 ` Jon Hunter