Bug 87554

Summary:

[NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

Product:

xorg

Reporter:

Bruno <bonbons>

Component:

Driver/nouveau

Assignee:

Nouveau Project <nouveau>

Status:

RESOLVED FIXED

QA Contact:

Xorg Project Team <xorg-team>

Severity:

major

Priority:

medium

CC:

rjgleits

Version:

unspecified

Hardware:

x86 (IA32)

OS:

Linux (All)

Whiteboard:

i915 platform:

i915 features:

Attachments:

Description	Flags
Consider ->init NULL return as a failure	none

Description Bruno 2014-12-21 15:06:34 UTC

[  441.685835] wmi: Mapper loaded
[  442.129083] ACPI: PCI Interrupt Link [LNK5] enabled at IRQ 12
[  442.135019] PCI: setting IRQ 12 as level-triggered
[  442.144839] nouveau  [  DEVICE][0000:02:00.0] BOOT0  : 0x01a000b1
[  442.151063] nouveau  [  DEVICE][0000:02:00.0] Chipset: nForce (NV1A)
[  442.157481] nouveau  [  DEVICE][0000:02:00.0] Family : NV10
[  442.172505] BUG: unable to handle kernel NULL pointer dereference at   (null)
[  442.179823] IP: [<dea2c6c6>] pramin_fini+0x6/0x30 [nouveau]
[  442.180015] *pde = 00000000 
[  442.180015] Oops: 0000 [#1] 
[  442.180015] Modules linked in: nouveau(+) wmi ttm drm_kms_helper nfsv3 nfs_acl nfs lockd grace sunrpc
[  442.180015] CPU: 0 PID: 1267 Comm: modprobe Not tainted 3.19.0-rc1-jupiter #1
[  442.180015] Hardware name: NVIDIA Corporation. nFORCE-MCP/MS-6373, BIOS 6.00 PG 04/12/2002
[  442.180015] task: dc010c90 ti: dcfba000 task.ti: dcfba000
[  442.180015] EIP: 0060:[<dea2c6c6>] EFLAGS: 00010286 CPU: 0
[  442.180015] EIP is at pramin_fini+0x6/0x30 [nouveau]
[  442.180015] EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: dea2c6c0
[  442.180015] ESI: dcfbb8a4 EDI: deacf670 EBP: dcfbb834 ESP: dcfbb830
[  442.180015]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[  442.180015] CR0: 8005003b CR2: 00000000 CR3: 1c042000 CR4: 000007d0
[  442.180015] Stack:
[  442.180015]  dcedad90 dcfbb860 dea2c02e dcedad90 00000004 deaef771 deaef81b 00000000
[  442.180015]  deaf5320 dcfbb8a4 dcfbb884 dcfbb884 dcfbb994 dea2c2db dcfbb87c c10dbf41
[  442.180015]  ddfcdb40 dd401180 dcedad90 00000000 dcfbb8a4 10000001 deaf54a0 00000000
[  442.180015] Call Trace:
[  442.180015]  [<dea2c02e>] shadow_method+0x8e/0xe0 [nouveau]
[  442.180015]  [<dea2c2db>] nvbios_shadow+0x25b/0x360 [nouveau]
[  442.180015]  [<c10dbf41>] ? init_object+0x51/0x60
[  442.180015]  [<dea1f0eb>] nouveau_bios_ctor+0x4b/0x3b0 [nouveau]
[  442.180015]  [<c10dd62f>] ? kmem_cache_alloc_trace+0xcf/0x160
[  442.180015]  [<dea1cd25>] nouveau_object_ctor+0x35/0xd0 [nouveau]
[  442.180015]  [<dea64ebf>] nouveau_devobj_ctor+0x77f/0x880 [nouveau]
[  442.180015]  [<dea1cd25>] nouveau_object_ctor+0x35/0xd0 [nouveau]
[  442.180015]  [<dea1bb89>] nvkm_ioctl_new+0x229/0x300 [nouveau]
[  442.180015]  [<dea1c020>] nvkm_ioctl+0x2a0/0x340 [nouveau]
[  442.180015]  [<deaa913c>] nvkm_client_ioctl+0x1c/0x30 [nouveau]
[  442.180015]  [<dea9ccee>] nvif_object_ioctl+0x7e/0x90 [nouveau]
[  442.180015]  [<dea9d44a>] nvif_object_init+0x10a/0x130 [nouveau]
[  442.180015]  [<dea9d7a8>] nvif_device_init+0x28/0x50 [nouveau]
[  442.180015]  [<dea9f630>] nouveau_drm_load+0x2e0/0x560 [nouveau]
[  442.180015]  [<c12c6bff>] drm_dev_register+0x5f/0xe0
[  442.180015]  [<c12c9231>] drm_get_pci_dev+0xe1/0x1a0
[  442.180015]  [<c122e9f5>] ? pcibios_set_master+0x25/0x80
[  442.180015]  [<dea9f068>] nouveau_drm_probe+0x1a8/0x1d0 [nouveau]
[  442.180015]  [<c122fed5>] pci_device_probe+0x65/0xc0
[  442.180015]  [<c12e801d>] driver_probe_device+0x14d/0x330
[  442.180015]  [<c12e824d>] __driver_attach+0x4d/0x80
[  442.180015]  [<c12e8200>] ? driver_probe_device+0x330/0x330
[  442.180015]  [<c12e68dc>] bus_for_each_dev+0x3c/0x70
[  442.180015]  [<c12e7b7c>] driver_attach+0x1c/0x30
[  442.180015]  [<c12e8200>] ? driver_probe_device+0x330/0x330
[  442.180015]  [<c12e76ec>] bus_add_driver+0xdc/0x1f0
[  442.180015]  [<c12e89b7>] driver_register+0x87/0xc0
[  442.180015]  [<c10dffff>] ? migrate_page_copy+0x18f/0x250
[  442.180015]  [<c122ffb8>] __pci_register_driver+0x28/0x30
[  442.180015]  [<c12c933b>] drm_pci_init+0x4b/0xe0
[  442.180015]  [<deb39235>] nouveau_drm_init+0x235/0x1000 [nouveau]
[  442.180015]  [<c1000441>] ? do_one_initcall+0xb1/0x1d0
[  442.180015]  [<c10004b4>] do_one_initcall+0x124/0x1d0
[  442.180015]  [<deb39000>] ? 0xdeb39000
[  442.180015]  [<deb39000>] ? 0xdeb39000
[  442.180015]  [<c10dd344>] ? kfree+0x134/0x140
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c107e125>] load_module+0x1035/0x16b0
[  442.180015]  [<c107e885>] SyS_init_module+0xe5/0xf0
[  442.180015]  [<c14c23d2>] sysenter_do_call+0x12/0x12
[  442.180015] Code: 43 7f e2 39 5d f0 89 07 77 e3 eb 08 90 c7 45 ec 00 00 00 00 8b 45 ec 83 c4 08 5b 5e 5f 5d c3 
[  442.180015] EIP: [<dea2c6c6>] pramin_fini+0x6/0x30 [nouveau] SS:ESP 0068:dcfbb830
[  442.180015] CR2: 0000000000000000
[  442.555577] ---[ end trace 5944a013025347a6 ]---

Comment 1 Bruno 2014-12-21 15:21:20 UTC

Matching objdump -d -S nouveau.ko:

000136c0 <pramin_fini>:

static void
pramin_fini(void *data)
{
   136c0:       55                      push   %ebp
   136c1:       89 e5                   mov    %esp,%ebp
   136c3:       53                      push   %ebx
   136c4:       89 c3                   mov    %eax,%ebx
static inline void
nv_wr32(void *obj, u32 addr, u32 data)
{
        struct nouveau_subdev *subdev = nv_subdev(obj);
        nv_spam(subdev, "nv_wr32 0x%06x 0x%08x\n", addr, data);
        iowrite32_native(data, subdev->mmio + addr);
   136c6:       8b 00                   mov    (%eax),%eax
   136c8:       8b 50 24                mov    0x24(%eax),%edx
   136cb:       8b 43 04                mov    0x4(%ebx),%eax
   136ce:       81 c2 00 17 00 00       add    $0x1700,%edx
   136d4:       e8 fc ff ff ff          call   136d5 <pramin_fini+0x15>
        struct priv *priv = data;
        nv_wr32(priv->bios, 0x001700, priv->bar0);
        kfree(priv);
   136d9:       89 d8                   mov    %ebx,%eax
   136db:       e8 fc ff ff ff          call   136dc <pramin_fini+0x1c>
}
   136e0:       5b                      pop    %ebx
   136e1:       5d                      pop    %ebp
   136e2:       c3                      ret    
   136e3:       8d b6 00 00 00 00       lea    0x0(%esi),%esi
   136e9:       8d bc 27 00 00 00 00    lea    0x0(%edi,%eiz,1),%edi


Source code:
static void
pramin_fini(void *data)
{
        struct priv *priv = data;
        nv_wr32(priv->bios, 0x001700, priv->bar0);
        kfree(priv);
}

Comment 2 Bruno 2014-12-21 15:59:13 UTC

Created attachment 111111 [details] [review]
Consider ->init NULL return as a failure

Things are crashing because pramin_init returns NULL (and not a ERR_PTR).

Would the following change be a proper fix?:

 static int
 shadow_method(struct nouveau_bios *bios, struct shadow *mthd, const char *name)
 {
         const struct nvbios_source *func = mthd->func;
         if (func->name) {
                 nv_debug(bios, "trying %s...\n", name ? name : func->name);
                 if (func->init) {
                         mthd->data = func->init(bios, name);
                         if (IS_ERR(mthd->data)) {
                                 mthd->data = NULL;
                                 return 0;
+                        } else if (!mthd->data) {
+                                return 0;
                         }
                 }
                 mthd->score = shadow_score(bios, mthd);
                 if (func->fini)
                         func->fini(mthd->data);
                 nv_debug(bios, "scored %d\n", mthd->score);
                 mthd->data = bios->data;
                 mthd->size = bios->size;
                 bios->data  = NULL;
                 bios->size  = 0;
         }
         return mthd->score;
 }

If so, please apply attached patch.

Comment 3 Ilia Mirkin 2014-12-21 22:07:47 UTC

http://cgit.freedesktop.org/~darktama/nouveau/commit/?id=b19dbc526bb963670dafc86da92d9fa2755b1997

Comment 4 Ilia Mirkin 2014-12-22 06:15:59 UTC

*** Bug 87576 has been marked as a duplicate of this bug. ***

Comment 5 Tobias Klausmann 2014-12-23 16:18:19 UTC

*** Bug 87641 has been marked as a duplicate of this bug. ***

Comment 6 Ilia Mirkin 2015-10-22 05:08:26 UTC

Should be fixed in 3.19-final.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.