Date: Wed, 20 Nov 2019 16:42:35 +0100
From: Greg KH
To: Jiangfeng Xiao
Cc: jslaby@suse.com, linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org, leeyou.li@huawei.com, nixiaoming@huawei.com, zhangwen8@huawei.com
Subject: Re: [PATCH] serial: serial_core: Perform NULL checks for break_ctl ops
Message-ID: <20191120154235.GA3004157@kroah.com>
References: <1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com>
In-Reply-To: <1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 20, 2019 at 11:18:53PM +0800, Jiangfeng Xiao wrote:
> Doing a fuzz test on the sbsa uart device causes a kernel crash
> due to a NULL pointer dereference:
>
> ------------[ cut here ]------------
> Unable to handle kernel paging request at virtual address fffffffffffffffc
> pgd = ffffffe331723000
> [fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000
> Internal error: Oops: 96000005 [#1] PREEMPT SMP
> Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O)
> Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O)
> hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O)
> mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O)
> uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4
> iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd
> usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid
> ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod
> yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand
> nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe
> cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry
> nfsv3 nfs nfs_acl lockd sunrpc grace autofs4
> CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1
> task: ffffffe32b23f110 task.stack: ffffffe32bda4000
> PC is at uart_break_ctl+0x44/0x84
> LR is at uart_break_ctl+0x34/0x84
> pc : [] lr : [] pstate: 80000005
> sp : ffffffe32bda7cc0
> [x0-x29 register dump omitted]
> virtual start addr offset is 38ac00000
> module base offset is 2cd4cf1000
> linear region base offset is : 0
> Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000)
> Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000)
> [hex stack dump omitted]
> Call trace:
> Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0)
> [exception stack dump omitted]
> [] uart_break_ctl+0x44/0x84
> [] send_break+0xa0/0x114
> [] tty_ioctl+0xc50/0xe84
> [] do_vfs_ioctl+0xc4/0x6e8
> [] SyS_ioctl+0x68/0x9c
> [] __sys_trace_return+0x0/0x4
> Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280)
> ---[ end trace 8606094f1960c5e0 ]---
> Kernel panic - not syncing: Fatal exception
>
> Fix this problem by adding NULL checks prior to calling break_ctl ops.
>
> Signed-off-by: Jiangfeng Xiao
> ---
> drivers/tty/serial/serial_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
> index c4a414a..b0a6eb1 100644
> --- a/drivers/tty/serial/serial_core.c
> +++ b/drivers/tty/serial/serial_core.c
> @@ -1111,7 +1111,7 @@ static int uart_break_ctl(struct tty_struct *tty, int break_state)
> if (!uport)
> goto out;
>
> - if (uport->type != PORT_UNKNOWN)
> + if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl)

What serial driver does not define break_ctl?

You are running with a bunch of "out-of-tree" drivers, perhaps one of those
needs to be fixed here instead?

thanks,

greg k-h
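Review bot: the changelog should name the uart_ops table that leaves .break_ctl NULL, which the quoted message never does; it only says the crash was seen on the sbsa uart device, so a reviewer cannot tell whether the missing callback is an in-tree omission or belongs to one of the out-of-tree (O) modules listed in the oops, and that is exactly the question Greg's reply raises. The fault address fffffffffffffffc inside uart_break_ctl is consistent with the added guard (a call through a NULL function pointer past the existing `if (!uport)` check), so the one-line change does match the trace; if the NULL test stays in the core, the commit message should also say that break_ctl is optional for a uart_ops, so the check reads as policy rather than a one-off workaround. Note too that the quoted hunk stops at the `+` line although the `@@ -1111,7 +1111,7 @@` header promises seven lines of context, so the trailing context lines did not survive quoting and should be checked against the original submission.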