From: "David E. Box" <david.e.box@linux.intel.com>
To: Prarit Bhargava <prarit@redhat.com>, linux-kernel@vger.kernel.org
Cc: Hans de Goede <hdegoede@redhat.com>,
Mark Gross <markgross@kernel.org>,
platform-driver-x86@vger.kernel.org,
David Arcari <darcari@redhat.com>
Subject: Re: [PATCH] platform/x86/intel: Fix 'rmmod pmt_telemetry' panic
Date: Fri, 29 Apr 2022 08:25:22 -0700 [thread overview]
Message-ID: <8bca3baf599ed202e71127ed2fa1b3a120a96010.camel@linux.intel.com> (raw)
In-Reply-To: <20220429122322.2550003-1-prarit@redhat.com>
On Fri, 2022-04-29 at 08:23 -0400, Prarit Bhargava wrote:
> 'rmmod pmt_telemetry' panics with:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000040
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 4 PID: 1697 Comm: rmmod Tainted: G S W --------
> --- 5.18.0-rc4 #3
> Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR5
> RVP, BIOS ADLPFWI1.R00.3056.B00.2201310233 01/31/2022
> RIP: 0010:device_del+0x1b/0x3d0
> Code: e8 1a d9 e9 ff e9 58 ff ff ff 48 8b 08 eb dc 0f 1f 44 00 00 41 56 41 55
> 41 54 55 48 8d af 80 00 00 00 53 48 89 fb 48 83 ec 18 <4c> 8b 67 40 48 89 ef
> 65 48 8b 04 25 28 00 00 00 48 89 44 24 10 31
> RSP: 0018:ffffb520415cfd60 EFLAGS: 00010286
> RAX: 0000000000000070 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000080 R08: ffffffffffffffff R09: ffffb520415cfd78
> R10: 0000000000000002 R11: ffffb520415cfd78 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS: 00007f7e198e5740(0000) GS:ffff905c9f700000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000040 CR3: 000000010782a005 CR4: 0000000000770ee0
> PKRU: 55555554
> Call Trace:
> <TASK>
> ? __xa_erase+0x53/0xb0
> device_unregister+0x13/0x50
> intel_pmt_dev_destroy+0x34/0x60 [pmt_class]
> pmt_telem_remove+0x40/0x50 [pmt_telemetry]
> auxiliary_bus_remove+0x18/0x30
> device_release_driver_internal+0xc1/0x150
> driver_detach+0x44/0x90
> bus_remove_driver+0x74/0xd0
> auxiliary_driver_unregister+0x12/0x20
> pmt_telem_exit+0xc/0xe4a [pmt_telemetry]
> __x64_sys_delete_module+0x13a/0x250
> ? syscall_trace_enter.isra.19+0x11e/0x1a0
> do_syscall_64+0x58/0x80
> ? syscall_exit_to_user_mode+0x12/0x30
> ? do_syscall_64+0x67/0x80
> ? syscall_exit_to_user_mode+0x12/0x30
> ? do_syscall_64+0x67/0x80
> ? syscall_exit_to_user_mode+0x12/0x30
> ? do_syscall_64+0x67/0x80
> ? exc_page_fault+0x64/0x140
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f7e1803a05b
> Code: 73 01 c3 48 8b 0d 2d 4e 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
> 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73
> 01 c3 48 8b 0d fd 4d 38 00 f7 d8 64 89 01 48
>
> The probe function, pmt_telem_probe(), adds an entry for devices even if
> they have not been initialized. This results in the array of initialized
> devices containing both initialized and uninitialized entries. This
> causes a panic in the remove function, pmt_telem_remove() which expects
> the array to only contain initialized entries.
>
> Only use an entry when a device is initialized.
>
> Cc: "David E. Box" <david.e.box@linux.intel.com>
> Cc: Hans de Goede <hdegoede@redhat.com>
> Cc: Mark Gross <markgross@kernel.org>
> Cc: platform-driver-x86@vger.kernel.org
> Signed-off-by: David Arcari <darcari@redhat.com>
> Signed-off-by: Prarit Bhargava <prarit@redhat.com>
> ---
> drivers/platform/x86/intel/pmt/telemetry.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/intel/pmt/telemetry.c
> b/drivers/platform/x86/intel/pmt/telemetry.c
> index 6b6f3e2a617a..f73ecfd4a309 100644
> --- a/drivers/platform/x86/intel/pmt/telemetry.c
> +++ b/drivers/platform/x86/intel/pmt/telemetry.c
> @@ -103,7 +103,7 @@ static int pmt_telem_probe(struct auxiliary_device
> *auxdev, const struct auxilia
> auxiliary_set_drvdata(auxdev, priv);
>
> for (i = 0; i < intel_vsec_dev->num_resources; i++) {
> - struct intel_pmt_entry *entry = &priv->entry[i];
> + struct intel_pmt_entry *entry = &priv->entry[priv->num_entries];
>
> ret = intel_pmt_dev_create(entry, &pmt_telem_ns, intel_vsec_dev,
> i);
> if (ret < 0)
The unused entries are at the end of the array on Tiger Lake, so we missed
catching this. Thanks for the fix.
Reviewed-by: David E. Box <david.e.box@linux.intel.com>
next prev parent reply other threads:[~2022-04-29 15:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-29 12:23 [PATCH] platform/x86/intel: Fix 'rmmod pmt_telemetry' panic Prarit Bhargava
2022-04-29 15:25 ` David E. Box [this message]
2022-05-02 15:37 ` Hans de Goede
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8bca3baf599ed202e71127ed2fa1b3a120a96010.camel@linux.intel.com \
--to=david.e.box@linux.intel.com \
--cc=darcari@redhat.com \
--cc=hdegoede@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=markgross@kernel.org \
--cc=platform-driver-x86@vger.kernel.org \
--cc=prarit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.