6.0 tty regression, NULL pointer deref in flush_to_ldisc
From: Hans de Goede
Date: Mon Aug 29 2022 - 04:37:24 EST
Hi All,
This weekend I noticed that on various Bay Trail based systems which have
their Bluetooth HCI connected over a UART (using the hci_uart driver /
using the drivers/tty/serial bus) there is a NULL pointer deref in
flush_to_ldisc, see below for the full backtrace.

I *suspect* that this is caused by commit 6bb6fa6908eb
("tty: Implement lookahead to process XON/XOFF timely").

I can cleanly revert this by reverting the following commits:
ab24a01b2765 ("tty: Add closing marker into comment in tty_ldisc.h")
65534736d9a5 ("tty: Use flow-control char function on closing path")
6bb6fa6908eb ("tty: Implement lookahead to process XON/XOFF timely")

ATM I don't have one of the affected systems handy. I will give
a 6.0-rc3 kernel with these 3 commits reverted a try tonight (CEST)
and I'll let you know the results.

Note I can NOT confirm yet that these reverts fix things, so please
don't revert anything yet. I just wanted to give people a heads-up
about this issue.

Also maybe we can fix the new lookahead code instead of reverting.
I would be happy to add a patch adding some debugging prints. The
systems run fine after the backtrace as long as I don't suspend them,
so gathering logs is easy.
Regards,
Hans
[ 28.626537] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 28.626555] #PF: supervisor instruction fetch in kernel mode
[ 28.626563] #PF: error_code(0x0010) - not-present page
[ 28.626569] PGD 0 P4D 0
[ 28.626580] Oops: 0010 [#1] PREEMPT SMP PTI
[ 28.626589] CPU: 2 PID: 8 Comm: kworker/u8:0 Tainted: G C E 6.0.0-rc2+ #102
[ 28.626598] Hardware name: MPMAN Converter9/Converter9, BIOS 5.6.5 07/28/2015
[ 28.626604] Workqueue: events_unbound flush_to_ldisc
[ 28.626617] RIP: 0010:0x0
[ 28.626633] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 28.626639] RSP: 0018:ffffacec40087e28 EFLAGS: 00010202
[ 28.626648] RAX: 0000000000000000 RBX: ffff92dc05fee000 RCX: 0000000000000001
[ 28.626654] RDX: 0000000000000000 RSI: ffff92dc05fee020 RDI: ffff92dc07341040
[ 28.626660] RBP: ffff92dc07341048 R08: ffff92dc05fee020 R09: 00000000f1e77022
[ 28.626667] R10: ffffacec40087e30 R11: 000000002f1e7702 R12: ffff92dc07341040
[ 28.626673] R13: ffff92dc07341090 R14: 0000000000000000 R15: 0000000000000001
[ 28.626679] FS: 0000000000000000(0000) GS:ffff92dc7bb00000(0000) knlGS:0000000000000000
[ 28.626687] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.626693] CR2: ffffffffffffffd6 CR3: 00000000060c6000 CR4: 00000000001006e0
[ 28.626700] Call Trace:
[ 28.626706] <TASK>
[ 28.626712] flush_to_ldisc+0x178/0x190
[ 28.626728] process_one_work+0x257/0x570
[ 28.626749] worker_thread+0x4f/0x3a0
[ 28.626762] ? process_one_work+0x570/0x570
[ 28.626772] kthread+0xf5/0x120
[ 28.626782] ? kthread_complete_and_exit+0x20/0x20
[ 28.626794] ret_from_fork+0x22/0x30
[ 28.626815] </TASK>
[ 28.626820] Modules linked in: fjes(-) snd_soc_rl6231 snd_intel_sdw_acpi hci_uart dw_dmac soc_button_array dptf_power int3406_thermal snd_soc_core btqca int3401_thermal btrtl processor_thermal_device btbcm processor_thermal_rfim snd_compress processor_thermal_mbox processor_thermal_rapl ac97_bus btintel snd_pcm_dmaengine intel_rapl_common int3403_thermal snd_seq int3400_thermal int340x_thermal_zone snd_seq_device acpi_thermal_rel bluetooth intel_int0002_vgpio(E) kxcjk_1013 atomisp_gc0310(CE) industrialio_triggered_buffer atomisp_ov2680(CE) snd_pcm kfifo_buf atomisp_gmin_platform(CE) industrialio acpi_pad silead(+) videodev mc snd_timer snd ecdh_generic rfkill soundcore mei_txe mei dwc3_pci lpc_ich vfat fat zram mmc_block i915 crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel drm_buddy drm_display_helper cec ttm video wmi(E) sdhci_acpi sdhci mmc_core pwm_lpss_platform pwm_lpss ip6_tables ip_tables i2c_dev ipmi_devintf ipmi_msghandler fuse
[ 28.627005] CR2: 0000000000000000
[ 28.627013] ---[ end trace 0000000000000000 ]---
[ 28.627020] RIP: 0010:0x0
[ 28.627032] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 28.627038] RSP: 0018:ffffacec40087e28 EFLAGS: 00010202
[ 28.627047] RAX: 0000000000000000 RBX: ffff92dc05fee000 RCX: 0000000000000001
[ 28.627053] RDX: 0000000000000000 RSI: ffff92dc05fee020 RDI: ffff92dc07341040
[ 28.627059] RBP: ffff92dc07341048 R08: ffff92dc05fee020 R09: 00000000f1e77022
[ 28.627065] R10: ffffacec40087e30 R11: 000000002f1e7702 R12: ffff92dc07341040
[ 28.627071] R13: ffff92dc07341090 R14: 0000000000000000 R15: 0000000000000001
[ 28.627077] FS: 0000000000000000(0000) GS:ffff92dc7bb00000(0000) knlGS:0000000000000000
[ 28.627085] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.627091] CR2: ffffffffffffffd6 CR3: 00000000060c6000 CR4: 00000000001006e0