Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp2664162ybc; Wed, 20 Nov 2019 18:33:50 -0800 (PST) X-Google-Smtp-Source: APXvYqzte7fmTW2XZSmKnD8DOVpTcmSGjfv2KzR/cDyGMOkIdYqQjusmF/hIG4/O5eJg+uZqa8z4 X-Received: by 2002:a17:906:958b:: with SMTP id r11mr10069649ejx.332.1574303630001; Wed, 20 Nov 2019 18:33:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574303629; cv=none; d=google.com; s=arc-20160816; b=hdJhbQmBJF9sjp7vhVTZrEmvhxTqcaCuWcA+cPf4O7knbLSBV+M6Dw7TjgmPOuEaKc k31pLMl2LgkC4Xe/6dWg/9n0p9Y7PHGWeK1nwqRfknAIQPRxkoXRCENL1XmdtAZg8CZc Gc+0rwbkHuRWhnrLj0MsUA0PHjhoxPSS3AotRh9zRnHtUKy85iLRSCpcHwViEnSqEg8k WrVmDp6jTSwQPkpVHcXkgLHpMVtlA0j40VfvtURiA9zBYSyS23/W26oRgOUfCwY59qOG ophSg14BKZG5w1UOQ1Gfue/6MVadVWgnFEmFb5dNTvp71A1bMTRdK0xuUNWW1IogRcgM xFig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:cc:references:to :subject; bh=sWTmPekJINWzocPRxwvCcUmyeafikfMpUY0/38q+f1A=; b=eg08yNcJuoYDJ4oaChBfp1XwFgTv1hEU0lY1KyWDNkJCB4TCodO9lUWKE/UpD5djoN FEQq2b5BY6y6gygurhr4SvlQVG2fAJWtWajGvzx6XqQh6+ufFJNB6elQMOIQL0O+I/zB MiFDelGIRJhCXW4rggs7M4e3emuMEGAfbuJOUJV27UfqGnTLkYPeZxUb+EAUYuuUmlWv TCu1/RB4IDW9jp0jniieOvXTnaIRTKpPbxRjMQH3xbG/FFUP1eG6T1zzt+uT2kYpr6eS 6OjsnesWIdtcmxZEY4937RNEm9mDPhl7V+HigNApFHoJhaKIkVKjp1PLITgkX+1WRvSM Qo+g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w15si730991ejb.226.2019.11.20.18.33.26; Wed, 20 Nov 2019 18:33:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726747AbfKUCaz (ORCPT + 99 others); Wed, 20 Nov 2019 21:30:55 -0500 Received: from szxga05-in.huawei.com ([45.249.212.191]:6260 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725819AbfKUCaz (ORCPT ); Wed, 20 Nov 2019 21:30:55 -0500 Received: from DGGEMS402-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id 516E85B082EA019336F2; Thu, 21 Nov 2019 10:14:08 +0800 (CST) Received: from [127.0.0.1] (10.67.103.228) by DGGEMS402-HUB.china.huawei.com (10.3.19.202) with Microsoft SMTP Server id 14.3.439.0; Thu, 21 Nov 2019 10:14:02 +0800 Subject: Re: [PATCH] serial: serial_core: Perform NULL checks for break_ctl ops To: Greg KH References: <1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com> <20191120154235.GA3004157@kroah.com> CC: , , , , , From: Jiangfeng Xiao Message-ID: <35ac1c40-d2f4-f6dc-5e2f-f168a0a17c8b@huawei.com> Date: Thu, 21 Nov 2019 10:14:02 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 MIME-Version: 1.0 In-Reply-To: <20191120154235.GA3004157@kroah.com> Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.67.103.228] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019/11/20 23:42, Greg KH wrote: > On Wed, Nov 20, 2019 at 11:18:53PM +0800, Jiangfeng Xiao wrote: >> Doing fuzz test on sbsa uart device, causes a kernel crash >> due to NULL pointer dereference: >> >> ------------[ cut here ]------------ >> Unable to handle kernel paging request at virtual address fffffffffffffffc >> CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1 >> task: ffffffe32b23f110 task.stack: ffffffe32bda4000 >> PC is at uart_break_ctl+0x44/0x84 >> LR is at uart_break_ctl+0x34/0x84 >> pc : [] lr : [] pstate: 80000005 >> sp : ffffffe32bda7cc0 >> [] uart_break_ctl+0x44/0x84 >> [] send_break+0xa0/0x114 >> [] tty_ioctl+0xc50/0xe84 >> [] do_vfs_ioctl+0xc4/0x6e8 >> [] SyS_ioctl+0x68/0x9c >> [] __sys_trace_return+0x0/0x4 >> Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280) >> ---[ end trace 8606094f1960c5e0 ]--- >> Kernel panic - not syncing: Fatal exception >> >> Fix this problem by adding NULL checks prior to calling break_ctl ops. >> >> Signed-off-by: Jiangfeng Xiao >> --- >> drivers/tty/serial/serial_core.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c >> index c4a414a..b0a6eb1 100644 >> --- a/drivers/tty/serial/serial_core.c >> +++ b/drivers/tty/serial/serial_core.c >> @@ -1111,7 +1111,7 @@ static int uart_break_ctl(struct tty_struct *tty, int break_state) >> if (!uport) >> goto out; >> >> - if (uport->type != PORT_UNKNOWN) >> + if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl) > > What serial driver does not define break_ctl? I'm using arm_sbsa_uart_platform_driver, and sbsa_uart_pops does not define break_ctl. I did a troubleshooting on the latest mainline 5.4-rc8 kernel. There are 7 uart_ops without defining break_ctl: ./drivers/tty/serial/men_z135_uart.c:774:static const struct uart_ops men_z135_ops = { ./drivers/tty/serial/amba-pl011.c:2173:static const struct uart_ops sbsa_uart_pops = { ./drivers/tty/serial/owl-uart.c:464:static const struct uart_ops owl_uart_ops = { ./drivers/tty/serial/meson_uart.c:430:static const struct uart_ops meson_uart_ops = { ./drivers/tty/serial/qcom_geni_serial.c:1212:static const struct uart_ops qcom_geni_console_pops = { ./drivers/tty/serial/qcom_geni_serial.c:1232:static const struct uart_ops qcom_geni_uart_pops = { ./drivers/tty/serial/rda-uart.c:559:static const struct uart_ops rda_uart_ops = { > You are running with a bunch of "out-of-tree" drivers, perhaps one of > those needs to be fixed here instead? I carefully confirmed it again, the kernel crash was caused by arm_sbsa_uart_platform_driver which is "in-tree". There are two ways to fix this problem, one is to add a null pointer check, and the other is to define break_ctl for each uart_ops. I am a newbie on serial_core, so I don't know which way is more reasonable. Based on the principle of minimal change, I chose to add a null pointer check. Thank you for your review.