linux-rt-users.vger.kernel.org archive mirror
* [PATCH 0/1] Fix NULL ptr dereference in nbcon driver
@ 2024-02-22 10:16 Sahil Chandna
  2024-02-22 10:16 ` [PATCH 1/1] printk: fix " Sahil Chandna
  2024-02-22 12:39 ` [PATCH 0/1] Fix " John Ogness
  0 siblings, 2 replies; 5+ messages in thread
From: Sahil Chandna @ 2024-02-22 10:16 UTC
  To: linux-rt-users, quic_chandna, quic_akdwived

Add a missing check in nbcon driver which is causing NULL pointer
dereference bug.
Summary:
Testing with PREEMPT_RT patch version 6.6.12 on 6.6.13 kernel and crash
is seen during serial geni probe.
Patch applied from: https://cdn.kernel.org/pub/linux/kernel/projects/rt/6.6/older/patch-6.6.12-rt20.patch.gz

crash signature:
DMESG Log
=========================
0x0000000000000000 |      0.000000:   Booting Linux on physical CPU 0x0000000000 [0x412fd050]
0x0000000000000000 |      0.000000:   Linux version 6.6.13-rt20 (oe-user@oe-host) (aarch64-qcom-linux-gcc (GCC) 11.4.0, GNU ld (GNU Binutils) 2.38.20220708) #1 SMP PREEMPT_RT Tue Feb 20 17:59:33 UTC 2024
0x0000000000000000 |      0.000000:   KASLR enabled
0x0000000000000000 |      0.000000:   Machine model: Qualcomm Technologies, Inc. Robotics RB3gen2 addons platform
0x0000000000000000 |      0.000000:   efi: EFI v2.7 by Qualcomm Technologies, Inc.
0x00000000000164F7 |      2.788805:   Internal error: Oops: 0000000096000004 [#1] PREEMPT_RT SMP
0x00000000000164F7 |      2.788812:   Modules linked in:
0x00000000000164F7 |      2.788818:   CPU: 5 PID: 118 Comm: kworker/u16:4 Not tainted 6.6.13-rt20 #1
0x00000000000164F8 |      2.788826:   Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 addons platform (DT)
0x00000000000164F8 |      2.788830:   Workqueue: events_unbound deferred_probe_work_func
0x00000000000164F8 |      2.788844:   pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
0x00000000000164F9 |      2.788852:   pc : nbcon_release+0x30/0xa0
0x00000000000164F9 |      2.788865:   lr : serial_core_register_port+0x4a4/0x64c
0x00000000000164F9 |      2.788877:   sp : ffff8000808a39d0
0x00000000000164FA |      2.788879:   x29: ffff8000808a3a00 x28: ffff8000808a3a38 x27: ffffddb447ba6718
0x00000000000164FA |      2.788890:   x26: ffff6024fd9fcd30 x25: 0000000000000000 x24: ffff602400fafb60
0x00000000000164FA |      2.788899:   x23: ffff602403c8c800 x22: ffff602400fafa18 x21: ffffddb448518b88
0x00000000000164FA |      2.788907:   x20: ffffddb44870ac60 x19: 0000000000000000 x18: ffffddb448582b10
0x00000000000164FB |      2.788915:   x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000
0x00000000000164FB |      2.788924:   x14: ffff6024ff5752c0 x13: 0000000000000001 x12: 0000000000000000
0x00000000000164FB |      2.788932:   x11: ffff602400f7d9b0 x10: 0000000000000ba0 x9 : ffff602400f7d950
0x00000000000164FC |      2.788941:   x8 : ffff8000808a3574 x7 : 0000000000000000 x6 : ffff602400cf9000
0x00000000000164FC |      2.788949:   x5 : ffffddb446f93e48 x4 : ffffddb446f93e8c x3 : 0000000000000000
0x00000000000164FC |      2.788958:   x2 : 0000000000000001 x1 : ffff602400cf9000 x0 : ffffddb448518b88
0x00000000000164FC |      2.788966:   Call trace:
0x00000000000164FC |      2.788970:    nbcon_release+0x30/0xa0
0x00000000000164FD |      2.788978:    serial_core_register_port+0x4a4/0x64c
0x00000000000164FD |      2.788985:    serial_ctrl_register_port+0x10/0x1c
0x00000000000164FD |      2.788993:    uart_add_one_port+0x10/0x1c
0x00000000000164FD |      2.789001:    qcom_geni_serial_probe+0x2a4/0x450
0x00000000000164FE |      2.789007:    platform_probe+0x68/0xdc
0x00000000000164FE |      2.789016:    really_probe+0x148/0x2ac
0x00000000000164FE |      2.789022:    __driver_probe_device+0x78/0x12c
0x00000000000164FE |      2.789028:    driver_probe_device+0x3c/0x164
0x00000000000164FF |      2.789033:    __device_attach_driver+0xb8/0x140
0x00000000000164FF |      2.789039:    bus_for_each_drv+0x84/0xe4
0x00000000000164FF |      2.789044:    __device_attach+0xac/0x1b8
0x00000000000164FF |      2.789049:    device_initial_probe+0x14/0x20
0x00000000000164FF |      2.789054:    bus_probe_device+0xa8/0xac
0x00000000000164FF |      2.789059:    deferred_probe_work_func+0x88/0xc0
0x0000000000016500 |      2.789064:    process_one_work+0x160/0x3a8
0x0000000000016500 |      2.789072:    worker_thread+0x324/0x438
0x0000000000016500 |      2.789077:    kthread+0x118/0x11c
0x0000000000016500 |      2.789088:    ret_from_fork+0x10/0x20
0x0000000000016501 |      2.789098:   Code: f942dc23 f90017e3 d2800003 a900ffff (3942e260)
0x0000000000016501 |      2.789102:   ---[ end trace 0000000000000000 ]---
0x0000000000016501 |      2.789108:   Kernel panic - not syncing: Oops: Fatal exception
0x0000000000016501 |      2.789111:   SMP: stopping secondary CPUs
0x000000000001650C |      2.789446:   Triggering bite
0x000000000001650C |      2.789451:   platform hypervisor:qcom,gh-watchdog: Causing a QCOM Apps Watchdog bite!
0x000000000001650D |      2.789461:   platform hypervisor:qcom,gh-watchdog: vWdog-CTL: 1, vWdog-time since last pet: 1349, vWdog-expired status: 1

Sahil Chandna (1):
  printk: fix NULL ptr dereference in nbcon driver

 kernel/printk/nbcon.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.17.1



* [PATCH 1/1] printk: fix NULL ptr dereference in nbcon driver
  2024-02-22 10:16 [PATCH 0/1] Fix NULL ptr dereference in nbcon driver Sahil Chandna
@ 2024-02-22 10:16 ` Sahil Chandna
  2024-02-22 12:39 ` [PATCH 0/1] Fix " John Ogness
  1 sibling, 0 replies; 5+ messages in thread
From: Sahil Chandna @ 2024-02-22 10:16 UTC
  To: linux-rt-users, quic_chandna, quic_akdwived

Add a check for NULL console in nbcon driver.

Signed-off-by: Sahil Chandna <quic_chandna@quicinc.com>
---
 printk/nbcon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/printk/nbcon.c b/kernel/printk/nbcon.c
index e697a8e..398739d 100644
--- a/kernel/printk/nbcon.c
+++ b/kernel/printk/nbcon.c
@@ -1623,6 +1623,9 @@ void nbcon_release(struct uart_port *up)
 		.prio		= NBCON_PRIO_NORMAL,
 	};
 
+	if (!con)
+		return;
+
 	if (!con->locked_port)
 		return;
 
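Review bot: The new `if (!con)` early return at the top of nbcon_release() hides the NULL pointer without saying when `con` is expected to be NULL, and the commit message ("Add a check for NULL console in nbcon driver.") does not explain it either. Please describe the path that reaches this function without a console (the cover letter's trace shows nbcon_release called from serial_core_register_port during qcom_geni_serial_probe), add a Fixes: tag for the change that introduced the dereference, and put a one-line comment above the check. Because the next statement, `if (!con->locked_port)`, keeps the lock state on the console itself, please also confirm that any paired acquire path cannot run with a NULL `con`; otherwise it needs the same guard. The diffstat lists `printk/nbcon.c` while the diff headers use `kernel/printk/nbcon.c`; regenerating the patch with git format-patch would make the two agree.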
-- 
2.17.1



* Re: [PATCH 0/1] Fix NULL ptr dereference in nbcon driver
  2024-02-22 10:16 [PATCH 0/1] Fix NULL ptr dereference in nbcon driver Sahil Chandna
  2024-02-22 10:16 ` [PATCH 1/1] printk: fix " Sahil Chandna
@ 2024-02-22 12:39 ` John Ogness
  2024-03-05  7:57   ` Sahil Chandna
  1 sibling, 1 reply; 5+ messages in thread
From: John Ogness @ 2024-02-22 12:39 UTC
  To: Sahil Chandna, linux-rt-users, quic_chandna, quic_akdwived

On 2024-02-22, Sahil Chandna <quic_chandna@quicinc.com> wrote:
> Add a missing check in nbcon driver which is causing NULL pointer
> dereference bug.

I believe the correct fix is here:

https://lore.kernel.org/lkml/20240123054033.183114-2-junxiao.chang@intel.com/

John


* Re: [PATCH 0/1] Fix NULL ptr dereference in nbcon driver
  2024-02-22 12:39 ` [PATCH 0/1] Fix " John Ogness
@ 2024-03-05  7:57   ` Sahil Chandna
  2024-03-05  8:19     ` John Ogness
  0 siblings, 1 reply; 5+ messages in thread
From: Sahil Chandna @ 2024-03-05  7:57 UTC
  To: John Ogness, linux-rt-users, quic_akdwived, Pavan Kondeti

On 2/22/2024 6:09 PM, John Ogness wrote:
> On 2024-02-22, Sahil Chandna <quic_chandna@quicinc.com> wrote:
>> Add a missing check in nbcon driver which is causing NULL pointer
>> dereference bug.
> 
> I believe the correct fix is here:
> 
> https://lore.kernel.org/lkml/20240123054033.183114-2-junxiao.chang@intel.com/

Thanks John for sharing this fix. I tried applying this patch locally in
my workspace and see the issue is resolved. However, when I am checking the
same fix on patch-6.6.14-rt21.patch.gz on
https://cdn.kernel.org/pub/linux/kernel/projects/rt/6.6/older/, I don't
see this fix. Even on latest stable version for 6.6 kernel i.e.
patch-6.6.20-rt25.patch.gz, this fix is not present.

I see the fix is available on 6.8 kernel i.e.
patch-6.8-rc7-rt6.patch.gz patch, but since I am working on 6.6 kernel
these patches do not apply cleanly. Since this issue was first reported
on v6.6.10-rt18, will the fix officially be released on all 6.6
kernel sub-versions post 6.6.10-rt18?

> 
> John



* Re: [PATCH 0/1] Fix NULL ptr dereference in nbcon driver
  2024-03-05  7:57   ` Sahil Chandna
@ 2024-03-05  8:19     ` John Ogness
  0 siblings, 0 replies; 5+ messages in thread
From: John Ogness @ 2024-03-05  8:19 UTC
  To: Sahil Chandna, linux-rt-users, quic_akdwived, Pavan Kondeti

Hi Sahil,

On 2024-03-05, Sahil Chandna <quic_chandna@quicinc.com> wrote:
> https://cdn.kernel.org/pub/linux/kernel/projects/rt/6.6/older/, I
> don't see this fix. Even on latest stable version for 6.6 kernel i.e.
> patch-6.6.20-rt25.patch.gz, this fix is not present.

It _is_ part of 6.6.20-rt25:

https://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-stable-rt.git/log/?h=v6.6-rt-rebase

02e87cb0499f ("printk: nbcon: move locked_port flag to struct uart_port")

John

