Re: [PATCH] [REGRESSION] i2c-acpi: Fix NULL Pointer dereference

From: Peter Hüwe
Date: Fri Sep 12 2014 - 15:11:45 EST


On Friday, 12 September 2014, 21:09:47, Peter Huewe wrote:
> If adapter->dev.parent == NULL there is a NULL pointer dereference in
> acpi_i2c_install_space_handler and acpi_i2c_remove_space_handler.
>
> This is present since introduction of this code:
> 366047515c6e "i2c: rework kernel config I2C_ACPI" or even
> da3c6647ee08 "I2C/ACPI: Clean up I2C ACPI code and Add CONFIG_I2C_ACPI"
>
> The adapter->dev.parent == NULL case is valid for the i2c_stub,
> so loading i2c_stub with ACPI_I2C_OPREGION enabled results in an oops.
> This is also valid at least for i2c_tiny_usb and i2c_robotfuzz_osif.
>
> Fix by checking whether it is null before calling ACPI_HANDLE.
>
> Signed-off-by: Peter Huewe <peterhuewe@xxxxxx>
> ---

Patch against current i2c/master.

For those who care - here's the oops:
# modprobe i2c_stub chip_addr=0x20
# dmesg

[ 39.315090] i2c-stub: Virtual chip at 0x20
[ 39.315149] BUG: unable to handle kernel NULL pointer dereference at 0000000000000240
[ 39.317716] IP: [<ffffffff8248ed65>] acpi_i2c_install_space_handler+0x16/0xb2
[ 39.320261] PGD 40db4b067 PUD 40d2bf067 PMD 0
[ 39.322848] Oops: 0000 [#1] PREEMPT SMP
[ 39.325360] Modules linked in: i2c_stub(+) w83627ehf hwmon_vid ipv6 usbhid snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_codec_realtek coretemp snd_hda_codec_generic kvm_intel kvm crc32_pclmul ghash_clmulni_intel snd_hda_intel snd_hda_controller pcspkr snd_hda_codec i2c_i801 snd_hwdep snd_pcm snd_timer snd battery tpm_tis tpm
[ 39.330770] CPU: 0 PID: 2783 Comm: modprobe Not tainted 3.17.0-rc4-00131-gd030671 #151
[ 39.333451] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Pro4, BIOS P1.70 01/17/2013
[ 39.336153] task: ffff88040e4bd7d0 ti: ffff88040e60c000 task.ti: ffff88040e60c000
[ 39.338876] RIP: 0010:[<ffffffff8248ed65>] [<ffffffff8248ed65>] acpi_i2c_install_space_handler+0x16/0xb2
[ 39.341657] RSP: 0018:ffff88040e60fca8 EFLAGS: 00010296
[ 39.344421] RAX: 0000000000000000 RBX: ffffffffc099db30 RCX: ffff88040d8def40
[ 39.347193] RDX: 00000000ffffffed RSI: ffff8800bff975e0 RDI: ffffffffc099db30
[ 39.349965] RBP: ffff88040e60fcc8 R08: ffff8800bff975e0 R09: ffff8800bff975e0
[ 39.352742] R10: ffffffffc099db78 R11: ffff88040b51c028 R12: ffffffffc099db78
[ 39.355510] R13: ffffffffc099db30 R14: 0000000000000000 R15: ffffffffc099ded0
[ 39.358275] FS: 00007f638fd52700(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
[ 39.361008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 39.363681] CR2: 0000000000000240 CR3: 000000040dbba000 CR4: 00000000001407f0
[ 39.366332] Stack:
[ 39.368924] ffff88040d8def40 ffffffffc099db30 ffffffffc099db78 0000000000000000
[ 39.371576] ffff88040e60fcf8 ffffffff8248e2ee ffffffffc099db30 0000000000000001
[ 39.374216] 0000000000000000 ffffffff82782250 ffff88040e60fd28 ffffffff8248e424
[ 39.376840] Call Trace:
[ 39.379424] [<ffffffff8248e2ee>] i2c_register_adapter+0x1bc/0x299
[ 39.382044] [<ffffffff8248e424>] i2c_add_adapter+0x59/0x60
[ 39.384650] [<ffffffffc09a01b6>] i2c_stub_init+0x1b6/0x1d4 [i2c_stub]
[ 39.387277] [<ffffffffc09a0000>] ? 0xffffffffc09a0000
[ 39.389896] [<ffffffffc09a0000>] ? 0xffffffffc09a0000
[ 39.392504] [<ffffffff8200030e>] do_one_initcall+0xea/0x184
[ 39.395128] [<ffffffff82172a63>] ? vfree+0x74/0x7b
[ 39.397763] [<ffffffff82109550>] load_module+0x1b0f/0x1e11
[ 39.397768] [<ffffffff82106d13>] ? module_unload_free+0xd2/0xd2
[ 39.397773] [<ffffffff82109943>] SyS_finit_module+0x56/0x6c
[ 39.397779] [<ffffffff8255fdcb>] tracesys+0xdd/0xe2
[ 39.397822] Code: 48 c7 c6 37 37 70 82 31 c0 e8 56 66 f5 ff 48 83 c4 18 5b 5d c3 55 ba ed ff ff ff 48 89 e5 41 55 49 89 fd 41 54 53 51 48 8b 47 48 <48> 8b 80 40 02 00 00 48 85 c0 0f 84 82 00 00 00 4c 8b 60 08 4d
[ 39.397827] RIP [<ffffffff8248ed65>] acpi_i2c_install_space_handler+0x16/0xb2
[ 39.397828] RSP <ffff88040e60fca8>
[ 39.397829] CR2: 0000000000000240
[ 39.397863] ---[ end trace 9f55e6ce67aaaafb ]---
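The oops is consistent with the commit message: the faulting instruction in the Code: line (marked <48>) is mov rax,[rax+0x240], executed with RAX = 0, so CR2 ends up at 0000000000000240, the offset of the field ACPI_HANDLE() reads inside the struct device that adapter->dev.parent should have pointed to. Below is an added user-space C model of that bug and of the guard the message describes; it is not the kernel's code and the patch itself is not quoted in this mail. The struct layouts, the ACPI_HANDLE() stand-in, the function names and the -ENODEV return value are all simplified assumptions for illustration.

```c
/* Added example, not kernel code: a user-space model of an adapter without a
 * parent device (i2c_stub, i2c_tiny_usb, ...) hitting an unconditional
 * ACPI_HANDLE(adapter->dev.parent), and of the NULL check that avoids it.
 * All names and layouts here are assumptions, not the kernel's definitions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

typedef void *acpi_handle;          /* stand-in for the kernel's acpi_handle */

/* Stand-in for struct device: ACPI_HANDLE(dev) reads a companion pointer out
 * of *dev, so dev itself must be non-NULL before the macro is used. */
struct device {
    struct device *parent;
    acpi_handle companion;
};

/* Stand-in for struct i2c_adapter, which embeds a struct device. */
struct i2c_adapter {
    const char *name;
    struct device dev;
};

/* Model of ACPI_HANDLE(): dereferences dev unconditionally, like the macro. */
static acpi_handle model_acpi_handle(const struct device *dev)
{
    return dev->companion;
}

/* Shape of the bug: with adapter->dev.parent == NULL this reads through a
 * NULL pointer at the companion field's offset (0x240 in the oops above). */
static int install_space_handler_unfixed(struct i2c_adapter *adapter)
{
    acpi_handle handle = model_acpi_handle(adapter->dev.parent);

    if (!handle)
        return -ENODEV;
    return 0;                       /* handler would be installed here */
}

/* Shape of the fix: test the parent pointer before ACPI_HANDLE() looks into
 * it. An adapter with no parent has no ACPI companion, so there is no
 * operation region handler to install and -ENODEV (assumed) is returned. */
static int install_space_handler_fixed(struct i2c_adapter *adapter)
{
    acpi_handle handle;

    if (!adapter->dev.parent)
        return -ENODEV;

    handle = model_acpi_handle(adapter->dev.parent);
    if (!handle)
        return -ENODEV;
    return 0;
}

/* A NULL base plus a field offset is the faulting address: in this model the
 * offset is sizeof(void *); in the kernel build that oopsed it was 0x240. */
static size_t null_parent_fault_offset(void)
{
    return offsetof(struct device, companion);
}

/* Constructed adapter like i2c_stub: no parent device at all. */
static int orphan_adapter_result(void)
{
    struct i2c_adapter stub = { .name = "i2c-stub", .dev = { NULL, NULL } };

    return install_space_handler_fixed(&stub);
}

/* Constructed adapter with a parent that carries an ACPI companion. */
static int parented_adapter_result(void)
{
    static int fake_companion;      /* constructed; any non-NULL object will do */
    struct device parent = { NULL, &fake_companion };
    struct i2c_adapter adap = { .name = "i2c-i801", .dev = { &parent, NULL } };

    return install_space_handler_fixed(&adap);
}

/* The unfixed path is fine as long as a parent exists; only orphans crash. */
static int parented_adapter_unfixed_result(void)
{
    static int fake_companion;
    struct device parent = { NULL, &fake_companion };
    struct i2c_adapter adap = { .name = "i2c-i801", .dev = { &parent, NULL } };

    return install_space_handler_unfixed(&adap);
}

int main(void)
{
    printf("orphan adapter, fixed: %d (-ENODEV is %d)\n",
           orphan_adapter_result(), -ENODEV);
    printf("parented adapter, fixed: %d, unfixed: %d\n",
           parented_adapter_result(), parented_adapter_unfixed_result());
    printf("NULL parent would fault at offset %zu in this model\n",
           null_parent_fault_offset());
    return 0;
}
```

Build with cc -Wall model.c and run it; calling install_space_handler_unfixed() on the orphan adapter is deliberately left out of main() because it would segfault, which is the user-space equivalent of the oops.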
