* [PATCH] pinctrl-intel: Fix NULL pointer dereference
@ 2021-09-20 12:44 zboszor
  2021-09-20 16:00 ` Andy Shevchenko
  0 siblings, 1 reply; 4+ messages in thread
From: zboszor @ 2021-09-20 12:44 UTC (permalink / raw)
  To: Mika Westerberg, Andy Shevchenko, linux-kernel
  Cc: Zoltán Böszörményi

From: Zoltán Böszörményi <zboszor@gmail.com>

On an Elkhart Lake based POS hardware prototype, I got this Oops:

[    1.587455] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    1.587460] #PF: supervisor read access in kernel mode
[    1.587461] #PF: error_code(0x0000) - not-present page
[    1.587462] PGD 0 P4D 0
[    1.587465] Oops: 0000 [#1] SMP NOPTI
[    1.587467] CPU: 3 PID: 345 Comm: systemd-udevd Not tainted 5.15.0-rc2 #1
[    1.587470] Hardware name: Insyde ElkhartLake/Type2 - Board Product Name1, BIOS F340V030(F340-030) 08/27/2021
[    1.587471] RIP: 0010:strcmp+0xc/0x20
[    1.587476] Code: 06 49 89 f8 48 83 c6 01 48 83 c7 01 88 47 ff 84 c0 75 eb 4c 89 c0 c3 0f 1f 80 00 00 00 00 31 c0 eb 08 48 83 c0 01 84 d2 74 0f <0f> b6 14 07 3a 14 06 74 ef 19 c0 83 c8 01 c3 31 c0 c3 66 90 48 85
[    1.587478] RSP: 0018:ffffbc4f4031bc68 EFLAGS: 00010246
[    1.587480] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffbc4f4031bc40
[    1.587482] RDX: 0000000000000000 RSI: ffffffffc00b7c3f RDI: 0000000000000000
[    1.587483] RBP: ffffffffc00bb0e0 R08: ffff945184f98d90 R09: ffff945184f98d90
[    1.587484] R10: ffff94518c24fd00 R11: 0000000000000000 R12: ffffffffc00b9be0
[    1.587485] R13: 0000000000000000 R14: 00007f9dfe55836b R15: ffffbc4f4031be60
[    1.587487] FS:  00007f9dfe186c00(0000) GS:ffff945307f80000(0000) knlGS:0000000000000000
[    1.587488] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.587490] CR2: 0000000000000000 CR3: 000000010ec26000 CR4: 0000000000350ee0
[    1.587491] Call Trace:
[    1.587495]  intel_pinctrl_get_soc_data+0x62/0xb0
[    1.587500]  intel_pinctrl_probe_by_uid+0xe/0x30
[    1.587502]  platform_probe+0x54/0xb0
[    1.587507]  really_probe+0x1f2/0x3f0
[    1.587509]  ? pm_runtime_barrier+0x43/0x80
[    1.587512]  __driver_probe_device+0xfe/0x180
[    1.587514]  driver_probe_device+0x1e/0x90
[    1.587516]  __driver_attach+0xc0/0x1c0
[    1.587518]  ? __device_attach_driver+0xe0/0xe0
[    1.587519]  ? __device_attach_driver+0xe0/0xe0
[    1.587521]  bus_for_each_dev+0x75/0xc0
[    1.587525]  bus_add_driver+0x12b/0x1e0
[    1.587527]  driver_register+0x8f/0xe0
[    1.587529]  ? 0xffffffffc00be000
[    1.587531]  do_one_initcall+0x41/0x1d0
[    1.587535]  ? kmem_cache_alloc_trace+0x179/0x290
[    1.587539]  do_init_module+0x5c/0x260
[    1.587542]  __do_sys_init_module+0x12e/0x1b0
[    1.587545]  do_syscall_64+0x59/0x80
[    1.587549]  ? exc_page_fault+0x72/0x150
[    1.587551]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[    1.587555] RIP: 0033:0x7f9dfe3f1fbe
[    1.587557] Code: 48 8b 0d 5d 2e 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2a 2e 0e 00 f7 d8 64 89 01 48
[    1.587558] RSP: 002b:00007ffc6d730128 EFLAGS: 00000246 ORIG_RAX: 00000000000000af
[    1.587560] RAX: ffffffffffffffda RBX: 00005622cd061ae0 RCX: 00007f9dfe3f1fbe
[    1.587562] RDX: 00007f9dfe55836b RSI: 00000000000073c1 RDI: 00007f9dfe08c010
[    1.587563] RBP: 00007f9dfe08c010 R08: 00007f9dfe0ee000 R09: 0000000000000000
[    1.587564] R10: 000000000000e791 R11: 0000000000000246 R12: 00007f9dfe55836b
[    1.587565] R13: 0000000000000000 R14: 0000000000000007 R15: 00005622cd061ae0
[    1.587567] Modules linked in: pinctrl_elkhartlake(+)
[    1.587570] CR2: 0000000000000000
[    1.587572] ---[ end trace 57cca7635b10fc01 ]---

It's probably a firmware bug, so be overly protective:
* check whether struct intel_pinctrl_soc_data **table is NULL
  before dereferencing it, and
* check that none of the arguments to strcmp() are NULL

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 drivers/pinctrl/intel/pinctrl-intel.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
index 85750974d182..5d4c5dff166d 100644
--- a/drivers/pinctrl/intel/pinctrl-intel.c
+++ b/drivers/pinctrl/intel/pinctrl-intel.c
@@ -1608,8 +1608,11 @@ const struct intel_pinctrl_soc_data *intel_pinctrl_get_soc_data(struct platform_
 		const void *match = device_get_match_data(&pdev->dev);
 
 		table = (const struct intel_pinctrl_soc_data **)match;
+		if (!table)
+			return ERR_PTR(-ENODEV);
+
 		for (i = 0; table[i]; i++) {
-			if (!strcmp(adev->pnp.unique_id, table[i]->uid)) {
+			if (adev->pnp.unique_id && table[i]->uid && !strcmp(adev->pnp.unique_id, table[i]->uid)) {
 				data = table[i];
 				break;
 			}
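Review bot: The NULL test on `adev->pnp.unique_id` inside the `for (i = 0; table[i]; i++)` loop is loop-invariant, so it belongs once before the loop rather than in the strcmp() condition, where it also makes the line far too long. The register dump in the commit message shows RDI (first strcmp() argument) as 0 and RSI as a non-zero address, so the NULL is `unique_id`, not `table[i]->uid`. Nothing in the trace implicates the table entries, so the `table[i]->uid` test should be dropped or justified separately. As posted, a NULL `unique_id` makes the loop match nothing without any message. Suggest an early check before the loop that logs the missing unique ID with dev_err() and returns ERR_PTR(-ENODEV), leaving the original `if (!strcmp(adev->pnp.unique_id, table[i]->uid)) {` line unchanged.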
@@ -1622,6 +1625,9 @@ const struct intel_pinctrl_soc_data *intel_pinctrl_get_soc_data(struct platform_
 			return ERR_PTR(-ENODEV);
 
 		table = (const struct intel_pinctrl_soc_data **)id->driver_data;
+		if (!table)
+			return ERR_PTR(-ENODEV);
+
 		data = table[pdev->id];
 	}
 
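Review bot: The `if (!table)` check added ahead of `data = table[pdev->id];` is not motivated by the reported Oops: the call trace faults in strcmp(), which appears only in the first hunk's loop, not in this branch. Either state in the commit message what can leave `id->driver_data` NULL, or move this check to a separate patch. If a NULL here could only come from the driver's own ID table, a WARN_ON() would surface that instead of a silent -ENODEV.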
-- 
2.31.1



* Re: [PATCH] pinctrl-intel: Fix NULL pointer dereference
  2021-09-20 12:44 [PATCH] pinctrl-intel: Fix NULL pointer dereference zboszor
@ 2021-09-20 16:00 ` Andy Shevchenko
       [not found]   ` <7f8ad14e-b2d8-676c-cd86-6ddd2dc386bb@gmail.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Andy Shevchenko @ 2021-09-20 16:00 UTC (permalink / raw)
  To: zboszor
  Cc: Mika Westerberg, Andy Shevchenko, Linux Kernel Mailing List,
	Zoltán Böszörményi

On Mon, Sep 20, 2021 at 4:00 PM <zboszor@pr.hu> wrote:
> On an Elkhart Lake based POS hardware prototype, I got this Oops:

Thank you for the report, my comments below.

> [    1.587455] BUG: kernel NULL pointer dereference, address: 0000000000000000

First of all, do not spoil the commit message with unneeded lines of
the traceback. Only ~4-5 is usually more than enough.

> It's probably a firmware bug, so be overly protective:

Patch is simply wrong. While Oops will be gone, the driver won't work correctly.
Yes, it's either a firmware bug or the driver is outdated (depends
on which side you look at this issue from).

I have heard that new firmware is on its way to the customers, but I
have no more information right now.

-- 
With Best Regards,
Andy Shevchenko


* Re: [PATCH] pinctrl-intel: Fix NULL pointer dereference
       [not found]   ` <7f8ad14e-b2d8-676c-cd86-6ddd2dc386bb@gmail.com>
@ 2021-10-01 18:11     ` Andy Shevchenko
  2021-10-02  4:14       ` Böszörményi Zoltán
  0 siblings, 1 reply; 4+ messages in thread
From: Andy Shevchenko @ 2021-10-01 18:11 UTC (permalink / raw)
  To: Böszörményi Zoltán
  Cc: zboszor, Mika Westerberg, Andy Shevchenko, Linux Kernel Mailing List

On Tue, Sep 21, 2021 at 07:07:17AM +0200, Böszörményi Zoltán wrote:
> On 2021. 09. 20. 18:00, Andy Shevchenko wrote:
> > On Mon, Sep 20, 2021 at 4:00 PM <zboszor@pr.hu> wrote:
> > > On an Elkhart Lake based POS hardware prototype, I got this Oops:

...

> > > It's probably a firmware bug, so be overly protective:
> > Patch is simply wrong. While Oops will be gone, the driver won't work correctly.
> 
> Of course. But a driver that gives up is better than a
> crashing kernel which results in udevd and "udevadm settle"
> stalling forever on it. systemd waits about 6 minutes before
> continuing the boot process that involves these two services
> timing out and this also prevents powering the computer down.

Hiding real bugs is not a good strategy. What you may do is blacklist it.

> > Yes, it's either a firmware bug or the driver is outdated (depends
> > on which side you look at this issue from).
> > 
> > I have heard that new firmware is on its way to the customers, but I
> > have no more information right now.
> 
> Thanks, good to know.
> 
> I also reported it to the manufacturer, I hope to receive
> a response from them soon.
> 
> The kernel reports other firmware bugs for this
> Celeron J6412 based machine.

Yeah...

-- 
With Best Regards,
Andy Shevchenko




* Re: [PATCH] pinctrl-intel: Fix NULL pointer dereference
  2021-10-01 18:11     ` Andy Shevchenko
@ 2021-10-02  4:14       ` Böszörményi Zoltán
  0 siblings, 0 replies; 4+ messages in thread
From: Böszörményi Zoltán @ 2021-10-02  4:14 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: zboszor, Mika Westerberg, Andy Shevchenko, Linux Kernel Mailing List

On 2021. 10. 01. 20:11, Andy Shevchenko wrote:
> On Tue, Sep 21, 2021 at 07:07:17AM +0200, Böszörményi Zoltán wrote:
>> On 2021. 09. 20. 18:00, Andy Shevchenko wrote:
>>> On Mon, Sep 20, 2021 at 4:00 PM <zboszor@pr.hu> wrote:
>>>> On an Elkhart Lake based POS hardware prototype, I got this Oops:
> ...
>
>>>> It's probably a firmware bug, so be overly protective:
>>> Patch is simply wrong. While Oops will be gone, the driver won't work correctly.
>> Of course. But a driver that gives up is better than a
>> crashing kernel which results in udevd and "udevadm settle"
>> stalling forever on it. systemd waits about 6 minutes before
>> continuing the boot process that involves these two services
>> timing out and this also prevents powering the computer down.
> Hiding real bugs is not a good strategy. What you may do is blacklist it.

I got a better solution.

>>> Yes, it's either a firmware bug or the driver is outdated (depends
>>> on which side you look at this issue from).
>>>
>>> I have heard that new firmware is on its way to the customers, but I
>>> have no more information right now.
>> Thanks, good to know.
>>
>> I also reported it to the manufacturer, I hope to receive
>> a response from them soon.

They responded with a kernel patch, switching the elkhartlake
pinctrl driver to probe the hardware via HID and this allowed
the driver to initialize.

>>
>> The kernel reports other firmware bugs for this
>> Celeron J6412 based machine.
> Yeah...
>

