[3.15-rc3] BUG: null ptr dereference in ichx_gpio_request_regions()
From: Peter Hurley
Date: Wed May 07 2014 - 09:22:51 EST
Booting 3.15-rc3, I get this BUG when loading gpio_ich:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffffa042339c>] ichx_gpio_probe+0x28c/0x3d0 [gpio_ich]
usbcore: registered new interface driver btusb
PGD 2b04aa067 PUD 2af912067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: gpio_ich(+) btusb bluetooth psmouse snd i5400_edac ....
CPU: 3 PID: 1217 Comm: modprobe Not tainted 3.15.0-rc3+wip-xeon #rc3+wip
Hardware name: Dell Inc. Precision WorkStation T5400 /0RW203, BIOS A11 04/30/2012
task: ffff8802ae8448f0 ti: ffff8802b0d74000 task.ti: ffff8802b0d74000
RIP: 0010:[<ffffffffa042339c>] [<ffffffffa042339c>] ichx_gpio_probe+0x28c/0x3d0 [gpio_ich]
RSP: 0018:ffff8802b0d75b78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: ffffffff81c378a0
RBP: ffff8802b0d75bb8 R08: 0000000000000000 R09: ffff880036a0e2c8
R10: 0000000000005dc0 R11: 8000000000000000 R12: ffff880036a0e000
R13: ffff8800bad62bc0 R14: 0000000000000003 R15: 0000000000000000
FS: 00007fb9d38fa700(0000) GS:ffff8802bfcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000002af445000 CR4: 00000000000007e0
Stack:
ffff8802b0d75b98 ffff880036a0e010 ffff880036a0e020 ffff880036a0e010
ffffffffa0425028 ffffffffa0425028 0000000000000000 0000000000000001
ffff8802b0d75be8 ffffffff814793f2 ffff8802b0d75ca8 ffff880036a0e010
Call Trace:
[<ffffffff814793f2>] platform_drv_probe+0x32/0x80
[<ffffffff8147784b>] driver_probe_device+0x8b/0x3a0
[<ffffffff81477c0b>] __driver_attach+0xab/0xb0
[<ffffffff81477b60>] ? driver_probe_device+0x3a0/0x3a0
[<ffffffff8147586d>] bus_for_each_dev+0x5d/0xa0
[<ffffffff8147727e>] driver_attach+0x1e/0x20
[<ffffffff81476dd4>] bus_add_driver+0x124/0x250
[<ffffffffa029a000>] ? 0xffffffffa0299fff
[<ffffffff81478314>] driver_register+0x64/0xf0
[<ffffffffa029a000>] ? 0xffffffffa0299fff
[<ffffffff8147926a>] __platform_driver_register+0x4a/0x50
[<ffffffffa029a017>] ichx_gpio_driver_init+0x17/0x1000 [gpio_ich]
[<ffffffff8100032a>] do_one_initcall+0xda/0x180
[<ffffffff8103e733>] ? set_memory_nx+0x43/0x50
[<ffffffff816ffeec>] ? set_section_ro_nx+0x6d/0x75
[<ffffffff810cc9f9>] load_module+0x1d79/0x2770
[<ffffffff810c8690>] ? unset_module_init_ro_nx+0x80/0x80
[<ffffffff81172f80>] ? __vmalloc_node_range+0x170/0x250
[<ffffffff810cd479>] ? SyS_init_module+0x89/0x100
[<ffffffff810cd4a2>] SyS_init_module+0xb2/0x100
[<ffffffff81719ad2>] system_call_fastpath+0x16/0x1b
Code: c7 05 fd 1f 00 00 40 51 42 a0 e9 00 fe ff ff 48 8b 05 f1 1f 00 00 45 31 c0 48 c7 c7 a0 78 c3 81 48 8b 48 08 48 8b 50 10 48 63 c3 <0f> b6 34 01 4c 89 c9 0f b6 14 1a 49 03 75 00 4c 89 4d c8 e8 ec
RIP [<ffffffffa042339c>] ichx_gpio_probe+0x28c/0x3d0 [gpio_ich]
RSP <ffff8802b0d75b78>
CR2: 0000000000000000
This is almost certainly caused by the uninitialized regs ptr
in the ich6_desc struct (i3100_desc struct has the same problem)
introduced in this commit:
commit bb62a35bd5d96e506af0ea8dd145480b9172a2a6
Author: Vincent Donnefort <vdonnefort@xxxxxxxxx>
Date: Fri Feb 14 15:01:56 2014 +0100
gpio: ich: Add support for multiple register addresses
This patch introduces regs and reglen pointers which allow a chipset to have
register addresses differing from ICH ones.
Acked-by: Linus Walleij <linus.walleij@xxxxxxxxxx>
Signed-off-by: Vincent Donnefort <vdonnefort@xxxxxxxxx>
Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
The relevant excerpts from the mixed listing are:
0000000000000110 <ichx_gpio_probe>:
<...snip...>
for (i = 0; i < ARRAY_SIZE(ichx_priv.desc->regs[0]); i++) {
if (!(use_gpio & (1 << i)))
continue;
if (!request_region(
380: 48 8b 05 00 00 00 00 mov 0x0(%rip),%rax # 387 <ichx_gpio_probe+0x277>
383: R_X86_64_PC32 .bss+0xb4
387: 45 31 c0 xor %r8d,%r8d
38a: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
38d: R_X86_64_32S ioport_resource
391: 48 8b 48 08 mov 0x8(%rax),%rcx
395: 48 8b 50 10 mov 0x10(%rax),%rdx
399: 48 63 c3 movslq %ebx,%rax
39c: 0f b6 34 01 movzbl (%rcx,%rax,1),%esi <===== FAULTING INSTN
3a0: 4c 89 c9 mov %r9,%rcx
3a3: 0f b6 14 1a movzbl (%rdx,%rbx,1),%edx
3a7: 49 03 75 00 add 0x0(%r13),%rsi
3ab: 4c 89 4d c8 mov %r9,-0x38(%rbp)
3af: e8 00 00 00 00 callq 3b4 <ichx_gpio_probe+0x2a4>
3b0: R_X86_64_PC32 __request_region-0x4
3b4: 4c 8b 4d c8 mov -0x38(%rbp),%r9
3b8: 48 85 c0 test %rax,%rax
3bb: 0f 85 17 fe ff ff jne 1d8 <ichx_gpio_probe+0xc8>
}
return 0;
request_err:
/* Clean up: release already requested regions, if any */
for (i--; i >= 0; i--) {
3c1: 41 83 ef 01 sub $0x1,%r15d
3c5: 41 83 ff ff cmp $0xffffffff,%r15d
3c9: 0f 84 d1 00 00 00 je 4a0 <ichx_gpio_probe+0x390>
if (!(use_gpio & (1 << i)))
3cf: 45 0f a3 fe bt %r15d,%r14d
3d3: 73 ec jae 3c1 <ichx_gpio_probe+0x2b1>
Regards,
Peter Hurley
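Added here as an illustration, not code from this report or from the gpio_ich driver: a small user-space C model of the failure mode described above. It builds a chipset descriptor whose regs/reglen pointers were never set (so they are zero-initialised to NULL) next to one that is filled in, and a probe routine that refuses to index NULL tables instead of dereferencing them, then requests each enabled bank and unwinds already-requested regions on failure, mirroring the request_err loop in the listing. All names (ichx_desc, model_probe, bank_start, fake_request_region, claimed_bank_mask) and the register offsets are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NBANKS 3

/* Register offsets of the three GPIO banks, one row per register kind.
 * Constructed values for the model, not the real ICH register map. */
static const uint8_t ichx_regs[3][NBANKS] = {
    { 0x00, 0x30, 0x40 },
    { 0x04, 0x34, 0x44 },
    { 0x0c, 0x38, 0x48 },
};
static const uint8_t ichx_reglen[NBANKS] = { 4, 4, 4 };

struct ichx_desc {
    const char *name;
    const uint8_t (*regs)[NBANKS];  /* rows of per-bank offsets */
    const uint8_t *reglen;          /* per-bank region length */
};

/* Descriptor with both tables wired up. */
static const struct ichx_desc ich_desc = {
    .name = "modelled-ich", .regs = ichx_regs, .reglen = ichx_reglen,
};

/* Descriptor that omits regs/reglen: C zero-initialises them to NULL,
 * which is the shape of the bug in the report. */
static const struct ichx_desc ich6_like_desc = { .name = "modelled-ich6" };

/* Stand-ins for request_region()/release_region(): a bitmap of claimed
 * bank indices. A second claim on a claimed bank fails with -EBUSY. */
static unsigned claimed_banks;

static int fake_request_region(int bank)
{
    if (claimed_banks & (1u << bank))
        return -EBUSY;
    claimed_banks |= 1u << bank;
    return 0;
}

static void fake_release_region(int bank)
{
    claimed_banks &= ~(1u << bank);
}

unsigned claimed_bank_mask(void) { return claimed_banks; }

/* Start address of a bank's I/O region, or -1 when the descriptor has
 * no register table (the condition that faulted in the report). */
long bank_start(const struct ichx_desc *desc, unsigned long base, int bank)
{
    if (!desc->regs || bank < 0 || bank >= NBANKS)
        return -1;
    return (long)(base + desc->regs[0][bank]);
}

/* Simplified probe: validate the descriptor before indexing its tables,
 * request each bank enabled in use_gpio, and on failure release the
 * banks already requested. Returns banks requested, or -errno. */
int model_probe(const struct ichx_desc *desc, unsigned use_gpio, unsigned long base)
{
    int i, ret = 0, n = 0;

    if (!desc->regs || !desc->reglen) {
        fprintf(stderr, "%s: regs/reglen not set, refusing to probe\n", desc->name);
        return -EINVAL;
    }
    for (i = 0; i < NBANKS; i++) {
        if (!(use_gpio & (1u << i)))
            continue;
        ret = fake_request_region(i);
        if (ret) {
            fprintf(stderr, "%s: bank %d at %#lx (%d bytes) is busy\n",
                    desc->name, i, bank_start(desc, base, i), desc->reglen[i]);
            goto request_err;
        }
        n++;
    }
    return n;

request_err:
    /* Clean up: release already requested regions, if any */
    for (i--; i >= 0; i--) {
        if (!(use_gpio & (1u << i)))
            continue;
        fake_release_region(i);
    }
    return ret;
}

int main(void)
{
    int r = model_probe(&ich_desc, 0x5, 0x500);
    printf("ich: %d banks requested, mask %#x\n", r, claimed_bank_mask());
    r = model_probe(&ich_desc, 0x5, 0x500);
    printf("ich again: %d, mask still %#x\n", r, claimed_bank_mask());
    r = model_probe(&ich6_like_desc, 0x5, 0x500);
    printf("ich6-like: %d (rejected instead of faulting)\n", r);
    return 0;
}
```

The check at the top of model_probe is what turns the NULL-table case from an oops at module load into a clean -EINVAL; the other half of the remedy is making sure every descriptor actually initialises regs and reglen, which the model's ich_desc shows and ich6_like_desc deliberately omits.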