Re: [REGRESSION] brcmfmac: NULL pointer dereference starting next-20181107

From: Jon Hunter
Date: Tue Nov 13 2018 - 06:29:27 EST


Hi Arend,

On 13/11/2018 10:24, Arend van Spriel wrote:

...

> I tried building drivers/firmware/efi/vars.c using tegra_defconfig. Had
> to enable CONFIG_EFI. So the null pointer access is a 0x00000008 so I
> looked at the disassembly below:
>
> int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
> {
>      310:       e1a05001        mov     r5, r1
>         const struct efivar_operations *ops = __efivars->ops;
> ==>  314:       e5936008        ldr     r6, [r3, #8]
>
> So I think __efivars is NULL on your platform. It is private to the
> source file. Not sure how the driver should deal with this. Maybe use
> efi_enabled() but not sure what feature to use. My best bet would be
> EFI_RUNTIME_SERVICES.
>
>         efi_status_t status;
>
>         *size = 0;
>      318:       e3a03000        mov     r3, #0
>      31c:       e5813000        str     r3, [r1]
>
>         if (down_interruptible(&efivars_lock))
>      320:       ebfffffe        bl      0 <down_interruptible>
>      324:       e2504000        subs    r4, r0, #0
>      328:       1a000012        bne     378 <efivar_entry_size+0x80>
>                 return -EINTR;
>         status = ops->get_variable(entry->var.VariableName,

So actually, I am seeing the crash with the 'multi_v7_defconfig' and I
don't see it with the 'tegra_defconfig' (probably because CONFIG_EFI is
not enabled).

Cheers
Jon

--
nvpublic
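A user-space model of the fault Arend reads out of the disassembly, added here as an example and not code from this thread or from the kernel. It reproduces the 32-bit ARM layout of `struct efivars` so that `ops` lands at offset 8 (the faulting address 0x00000008 loaded by `ldr r6, [r3, #8]` with `r3 == __efivars == NULL`), and pairs the unguarded dereference with a guarded variant; `model_efi_enabled()`, `model_efivars` and the `-ENODEV` return value are assumptions of this model, not kernel API.

```c
/* Added example: model of the __efivars NULL dereference and a guard for it.
 * uint32_t stands in for 32-bit ARM pointers so offsets match the real layout
 * (kset @0, kobject @4, ops @8). Not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>

struct efivars_arm32 {
    uint32_t kset;      /* struct kset *                          @ offset 0 */
    uint32_t kobject;   /* struct kobject *                       @ offset 4 */
    uint32_t ops;       /* const struct efivar_operations *       @ offset 8 */
};

/* Offset the crashing load reads from: 8, matching "ldr r6, [r3, #8]". */
size_t faulting_offset(void)
{
    return offsetof(struct efivars_arm32, ops);
}

/* Model of the file-private __efivars pointer: NULL until efivars_register()
 * has run, which never happens on a board without EFI. */
static const struct efivars_arm32 *model_efivars;

/* Model of efi_enabled(EFI_RUNTIME_SERVICES); the bit is an assumption here. */
#define MODEL_EFI_RUNTIME_SERVICES 2
static unsigned long model_efi_flags;
static bool model_efi_enabled(int feature)
{
    return (model_efi_flags & (1UL << feature)) != 0;
}

/* Guarded counterpart of efivar_entry_size(): check the feature bit and the
 * private pointer before touching ops; -ENODEV is this model's choice. */
int model_efivar_entry_size(unsigned long *size)
{
    *size = 0;
    if (!model_efi_enabled(MODEL_EFI_RUNTIME_SERVICES) || !model_efivars)
        return -ENODEV;          /* unguarded code would fault at offset 8 */
    return model_efivars->ops ? 0 : -ENODEV;
}

/* Test hook: register a fake efivars instance and flip the runtime bit. */
void model_register_efivars(const struct efivars_arm32 *e, bool runtime)
{
    model_efivars = e;
    model_efi_flags = runtime ? (1UL << MODEL_EFI_RUNTIME_SERVICES) : 0;
}
```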