Unloading acpi table through configfs causes NULL pointer dereference bug

From: Ferry Toth
Date: Sat Nov 17 2018 - 08:33:36 EST

Next message: Jeff Layton: "Re: KASAN: use-after-free Read in locks_delete_block"
Previous message: Tom Burkart: "[PATCH v8 4/4] pps: pps-gpio pps-echo implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Since 4.13 we have patch 'ACPI: configfs: Unload SSDT on configfs entry
removal' in the kernel.

However when I try to actually unload a table I get a bug check. I have
tested this on Intel Edison Arduino with 4.18 x86_64 using 2 different
tables, 1 called arduino, providing I2C/SPI/HSU and a 2nd one called leds, providing a simple LED connected to a gpio. Result is similar. Logs below.

FYI Intel Edison has no BIOS and receives ACPI tables in part from U-Boot and in my case Arduino support through configfs. Loading tables in this fashion appears to work just as fine as through a cpio, with the potential bonus of being able to unload them.

The use case for unloading tables on a platform like Edison Arduino would of course be that certain gpio lines are muxed, like a led with a spi line. During platform configuration one would like to provide the user feedback through flashing a LED, while operating normally the LED is less important and the line is used for SPI_CLK. Unloading the LED table is needed to be able to load the SPI table without reboot.

I'm hoping that if this patch has worked in the past it will be easy enough to make it work again. Any pointers in the right direction are appreciated.

ARDUINO
-------
rmdir /sys/kernel/config/acpi/table/arduino/
ACPI: Host-directed Dynamic ACPI Table Unload
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 1 PID: 7181 Comm: kworker/u4:0 Not tainted 4.18.0-edison-acpi-standard
#1
Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542
2015.01.21:18.19.48
Workqueue: kacpi_hotplug acpi_device_del_work_fn
RIP: 0010:create_of_modalias.isra.1+0x4d/0x150
Code: 44 24 10 00 00 00 00 48 c7 44 24 08 ff ff ff ff 65 48 8b 04 25 28 00
00 00 48 89 44 24 18 31 c0 e8 4a a2 03 00 48 8b 4c 24 10 <0f> b6 01 84 c0 74
27 48 c7 c7 40 13 f4 a2 0f b6 f0 8d 50 20 f6 04
RSP: 0018:ffff9c51c0c6bc10 EFLAGS: 00010246
RAX: 0000000000001001 RBX: ffff8fa4bb3d4196 RCX: 0000000000000000
RDX: 0000000000001001 RSI: 0000000000000286 RDI: ffff8fa4bd804260
RBP: ffff8fa48ca08210 R08: 0000000000001001 R09: 0000000000000000
R10: ffff8fa48ca08000 R11: ffffffffa305fe3d R12: 0000000000000785
R13: 0000000000000000 R14: ffff8fa4bc698010 R15: ffff8fa4bdad1060
FS:ÂÂ0000000000000000(0000) GS:ffff8fa4bf300000(0000) knlGS:0000000000000000
CS:ÂÂ0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000c8de000 CR4: 00000000001006e0
Call Trace:
Â? vsnprintf+0x2b6/0x4b0
Â__acpi_device_uevent_modalias+0xde/0x100
Âspi_uevent+0xd/0x40
Âdev_uevent+0x96/0x2c0
Âkobject_uevent_env+0x2e7/0x7f0
Âdevice_release_driver_internal+0x227/0x240
Âbus_remove_device+0xe0/0x150
Âdevice_del+0x133/0x350
Â? klist_iter_exit+0x17/0x30
Âdevice_unregister+0x11/0x60
Âacpi_spi_notify+0x89/0xa0
Ânotifier_call_chain+0x42/0x60
Âblocking_notifier_call_chain+0x39/0x60
Âacpi_device_del_work_fn+0x62/0xb0
Âprocess_one_work+0x1e3/0x3c0
Âworker_thread+0x28/0x3c0
Â? set_worker_desc+0xb0/0xb0
Âkthread+0x10e/0x130
Â? kthread_create_worker_on_cpu+0x70/0x70
Âret_from_fork+0x35/0x40
Modules linked in: iptable_nat nf_nat_ipv4 nf_nat spi_pxa2xx_platform
smsc95xx pwm_lpss_pci pwm_lpss brcmfmac brcmutil spi_pxa2xx_pci hci_uart
btbcm ti_ads7950 industrialio_triggered_buffer kfifo_buf spidev mmc_block
sdhci_pci cqhci sdhci led_class mmc_core
CR2: 0000000000000000
---[ end trace 77bdc8463ac6088b ]---

LEDS
----
root@edison:~# rmdir /sys/kernel/config/acpi/table/leds/
ACPI: Host-directed Dynamic ACPI Table Unload
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 1 PID: 4316 Comm: kworker/u4:2 Not tainted 4.18.0-edison-acpi-standard
#1
Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542
2015.01.21:18.19.48
Workqueue: kacpi_hotplug acpi_device_del_work_fn
RIP: 0010:create_of_modalias.isra.1+0x4d/0x150
Code: 44 24 10 00 00 00 00 48 c7 44 24 08 ff ff ff ff 65 48 8b 04 25 28 00
00 00 48 89 44 24 18 31 c0 e8 4a a2 03 00 48 8b 4c 24 10 <0f> b6 01 84 c0 74
27 48 c7 c7 40 13 74 bd 0f b6 f0 8d 50 20 f6 04
RSP: 0018:ffffaf4800257cf8 EFLAGS: 00010246
RAX: 0000000000001001 RBX: ffff8c403a877176 RCX: 0000000000000000
RDX: 0000000000001001 RSI: 0000000000000296 RDI: ffff8c403d804260
RBP: ffff8c403ae98a10 R08: 0000000000001001 R09: 0000000000000000
R10: ffff8c403ae98800 R11: ffffffffbd85ff0d R12: 00000000000007a5
R13: 0000000000000000 R14: ffff8c403ae98a60 R15: ffff8c403dad1060
FS:ÂÂ0000000000000000(0000) GS:ffff8c403f300000(0000) knlGS:0000000000000000
CS:ÂÂ0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000003b89c000 CR4: 00000000001006e0
Call Trace:
Â__acpi_device_uevent_modalias+0xde/0x100
Âdev_uevent+0x96/0x2c0
Âkobject_uevent_env+0x2e7/0x7f0
Â? __pm_runtime_disable+0x13/0xc0
Âdevice_del+0x235/0x350
Âacpi_device_del_work_fn+0x6a/0xb0
Âprocess_one_work+0x1e3/0x3c0
Âworker_thread+0x28/0x3c0
Â? set_worker_desc+0xb0/0xb0
Âkthread+0x10e/0x130
Â? kthread_create_worker_on_cpu+0x70/0x70
Âret_from_fork+0x35/0x40
Modules linked in: i2c_dev ledtrig_netdev ledtrig_oneshot ledtrig_timer
leds_gpio ledtrig_heartbeat iptable_nat nf_nat_ipv4 nf_nat
spi_pxa2xx_platform smsc95xx pwm_lpss_pci pwm_lpss brcmfmac brcmutil
spi_pxa2xx_pci hci_uart btbcm ti_ads795>
CR2: 0000000000000000
---[ end trace 09430e0923010718 ]---

Next message: Jeff Layton: "Re: KASAN: use-after-free Read in locks_delete_block"
Previous message: Tom Burkart: "[PATCH v8 4/4] pps: pps-gpio pps-echo implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]