All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] w1: w1_therm: fix possible NULL pointer dereference
@ 2021-03-17 14:11 Wilken Gottwalt
  0 siblings, 0 replies; only message in thread
From: Wilken Gottwalt @ 2021-03-17 14:11 UTC (permalink / raw)
  To: linux-kernel; +Cc: Evgeniy Polyakov

The bit function callbacks, read_bit, write_bit, touch_bit and triplet
are an optional implementation in the master drivers. The ds1wm driver
for example does not implement them. If the generic touch_bit is called,
the w1_read_bit and w1_write_bit functions are used, which just call
the implementations of the master driver without checking if they are
implemented at all. In earlier versions of the w1_therm slave driver
none of the bit functions were used. Now read_powermode calls the
touch_bit function which results in a NULL pointer dereference if the
master is the ds1wm driver.

[   17.069073] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   17.070786] #PF: supervisor instruction fetch in kernel mode
[   17.072487] #PF: error_code(0x0010) - not-present page
[   17.074159] PGD 0 P4D 0
[   17.075800] Oops: 0010 [#1] PREEMPT SMP PTI
[   17.077415] CPU: 1 PID: 1032 Comm: w1_bus_master2 Tainted: G           O      5.10.9-vanilla-standard #1
[   17.080621] Hardware name: Default string Default string/CXC-BT-JERO, BIOS S1.61.1.0# 09/17/2018
[   17.083899] RIP: 0010:0x0
[   17.085528] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   17.087205] RSP: 0018:ffffb05b401d3cc8 EFLAGS: 00010046
[   17.088898] RAX: ffff8fba4175b408 RBX: ffff8fba4175b000 RCX: 00000003f9646356
[   17.090597] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8fba43a450e8
[   17.092293] RBP: ffffb05b401d3ce0 R08: 0000000000000368 R09: ffff8fbb57c294b0
[   17.093980] R10: 000000000000020c R11: 000000000000023e R12: 0000000000000202
[   17.095642] R13: ffff8fba4175b0e8 R14: ffff8fba4175b000 R15: 7a00000013db673b
[   17.097284] FS:  0000000000000000(0000) GS:ffff8fbb57c80000(0000) knlGS:0000000000000000
[   17.100468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   17.102067] CR2: ffffffffffffffd6 CR3: 00000001e2c0c000 CR4: 00000000001006e0
[   17.103670] Call Trace:
[   17.105225]  w1_read_bit+0x28/0xa0 [wire]
[   17.106754]  w1_touch_bit+0x30/0x40 [wire]
[   17.108238]  read_powermode+0xbc/0x100 [w1_therm]
[   17.109702]  w1_therm_add_slave+0x94/0x140 [w1_therm]
[   17.111166]  w1_attach_slave_device+0x20f/0x320 [wire]
[   17.112629]  w1_slave_found+0xb3/0xc0 [wire]
[   17.114093]  ds1wm_search+0x254/0x5f0 [ds1wm]
[   17.115542]  ? w1_master_attribute_store_add+0xd0/0xd0 [wire]
[   17.116984]  ? w1_master_attribute_store_add+0xd0/0xd0 [wire]
[   17.118367]  w1_search_devices+0x39/0x48 [wire]
[   17.119751]  w1_search_process_cb+0x5f/0x100 [wire]
[   17.121125]  w1_process+0x15c/0x190 [wire]
[   17.122490]  ? w1_process_callbacks+0x90/0x90 [wire]
[   17.123864]  kthread+0x145/0x170
[   17.125199]  ? kthread_create_worker_on_cpu+0x40/0x40
[   17.126517]  ret_from_fork+0x22/0x30
[   17.127798] Modules linked in: lm75 w1_therm rtc_ds1307 sc4_i2c_devices(O) sc4_spi_devices(O) wb_i2cocores(O) i2c_ocores w1_smem wb_sysmod(O) robot_imager(O) ltc2640(O) wb_1wire(O) wb_spi(O) wb_uart(O) wb_ddr2(O) wb_dma(O) wb_supervisor(O) smi(O) ds1wm wire intel_rapl_msr intel_rapl_common intel_soc_dts_thermal intel_soc_dts_iosf intel_powerclamp input_leds robot_wb_adapter(O) wishbone_core(O) coretemp usbhid at24 iTCO_wdt pwm_lpss_platform pwm_lpss
[   17.136035] CR2: 0000000000000000

This patch changes it back to use of the w1_read_8 function. This one
uses the read_byte function provided by the master driver.

This is tested against a 1-wire ds1wm bus master with two w1_therm slaves.

Fixes: 2f6055c26f19 (w1: w1_therm: Fix conversion result for negative temperatures)
Signed-off-by: Wilken Gottwalt <wilken.gottwalt@posteo.net>
---
 drivers/w1/slaves/w1_therm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c
index 976eea28f268..98608e71917b 100644
--- a/drivers/w1/slaves/w1_therm.c
+++ b/drivers/w1/slaves/w1_therm.c
@@ -1415,11 +1415,11 @@ static int read_powermode(struct w1_slave *sl)
 		if (!reset_select_slave(sl)) {
 			w1_write_8(dev_master, W1_READ_PSUPPLY);
 			/*
-			 * Emit a read time slot and read only one bit,
+			 * Emit a read time slot and read a byte,
 			 * 1 is externally powered,
 			 * 0 is parasite powered
 			 */
-			ret = w1_touch_bit(dev_master, 1);
+			ret = w1_read_8(dev_master) ? 1 : 0;
 			/* ret should be either 1 either 0 */
 		}
 	}
-- 
2.30.2


^ permalink raw reply related	[flat|nested] only message in thread
only message in thread, other threads:[~2021-03-17 14:12 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-17 14:11 [PATCH] w1: w1_therm: fix possible NULL pointer dereference Wilken Gottwalt

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.