diff mbox

PROBLEM: NULL pointer dereference in acpi_ns_check_object_type()

Message ID 4FF15FA6.5070109@gentoo.org (mailing list archive)
State New, archived
Headers show

Commit Message

Vlastimil Babka July 2, 2012, 8:45 a.m. UTC 
Hello,

I've been experiencing kernel panic with NULL pointer dereference in
acpi_ns_check_object_type since kernel 3.4 on a MacPro machine.

By recompiling as much of ACPI as possible as modules, I was able to get
the system running and postpone the error until doing 'modprobe
acpi-cpufreq', which now results in oops, not panic. The log is attached
as error.log.

By bisecting linus tree between 3.3 and 3.4, I found the guilty commit
6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9
"ACPICA: Object repair code: Support to add Package wrappers" [1]
However this patch does not directly touch the functions in the stack trace.

Next I created a kdump of the oops, and looked around with gdb.
- In acpi_ns_check_package(), the null pointer is in the parameter
return_object_ptr, which is dereferenced when initializing the variable
return_object.
- The calling function acpi_ns_check_package_list() is in the 'case
ACPI_PTYPE2_COUNT:' part, the passed null pointer is in the sub_elements
variable.
- Before the switch, sub_elements is initialized like this:

  sub_elements = sub_package->package.elements

  interestingly, in the crashdump, sub_elements is null, but
  sub_package->package.elements is non-null

I've added some printk's and verified that the call of
 status = acpi_ns_check_object_type(data, &sub_package,
				   ACPI_RTYPE_PACKAGE, i);

 makes sub_package->package.elements become non-null, but sub_elements
 was already initialized before this call and remains null.

The above led me to create the attached patch which simply moves the
initialization of sub_elements after the sub_package check. I think it's
this check that results in the Integer to Package conversion/wrapping.

After this patch, the null pointer dereference is gone, but the debug
output of ACPI (acpi.debug_layer=0xffffffff acpi.debug_level=0x00000008)
shows that something is probably still wrong:

[    1.353677] nsrepair-0681 [4294967287] ns_wrap_with_package  :
\_PR_.CPU0._PSD: Wrapped Integer with expected Package object
[    1.353869] nsrepair-0681 [4294967287] ns_wrap_with_package  :
\_PR_.CPU0._PSD: Wrapped Integer with expected Package object
[    1.354059] ACPI Warning: For \_PR_.CPU0._PSD: Return Sub-Package[0]
is too small - found 1 elements, expected 5 (20120320/nspredef-905)
[    1.354253] ACPI: Invalid package argument
[    1.354322] ACPI: Invalid _PSD data
... (the same for other CPUx)


In comparison, 3.3 kernel with same acpi debug options shows only stuff
like:
[    1.494238] nsrepair-0728 [4294967287] ns_repair_package_list:
\_PR_.CPU0._PSD: Repaired incorrectly formed Package
[    1.494449] nsrepair-0728 [4294967287] ns_repair_package_list:
\_PR_.CPU2._PSD: Repaired incorrectly formed Package
[    1.494657] nsrepair-0728 [4294967287] ns_repair_package_list:
\_PR_.CPU4._PSD: Repaired incorrectly formed Package
... (the same for other CPUx)

Since I don't know much about this subsystem, I figured that I should
just report my findings at this point. The patched system is usable, but
I guess it's not a complete fix.

I also attach the output of acpidump. I hope I didn't forget anything
important, please ask for more information if needed.

Thanks,
Vlastimil Babka

[1]
git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9

Comments

Moore, Robert July 2, 2012, 7:59 p.m. UTC | #1 
SSB3YXMgYWJsZSB0byByZXByb2R1Y2UgdGhlIHByb2JsZW0gaGVyZSB3aXRoIHlvdXIgQUNQSSB0
YWJsZXMuDQoNCldpbGwgbG9vayBhdCB5b3VyIHBhdGNoLCBhbmQgZ2V0IGJhY2sgdG8geW91Lg0K
DQpZb3Ugc2hvdWxkIHByb2JhYmx5IG9wZW4gYSBidWd6aWxsYSBvbiB0aGlzLg0KVGhhbmtzLA0K
Qm9iDQoNCg0KPiAtLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KPiBGcm9tOiBsaW51eC1hY3Bp
LW93bmVyQHZnZXIua2VybmVsLm9yZyBbbWFpbHRvOmxpbnV4LWFjcGktDQo+IG93bmVyQHZnZXIu
a2VybmVsLm9yZ10gT24gQmVoYWxmIE9mIFZsYXN0aW1pbCBCYWJrYQ0KPiBTZW50OiBNb25kYXks
IEp1bHkgMDIsIDIwMTIgMTo0NSBBTQ0KPiBUbzogbGludXgtYWNwaUB2Z2VyLmtlcm5lbC5vcmcN
Cj4gU3ViamVjdDogUFJPQkxFTTogTlVMTCBwb2ludGVyIGRlcmVmZXJlbmNlIGluDQo+IGFjcGlf
bnNfY2hlY2tfb2JqZWN0X3R5cGUoKQ0KPiANCj4gSGVsbG8sDQo+IA0KPiBJJ3ZlIGJlZW4gZXhw
ZXJpZW5jaW5nIGtlcm5lbCBwYW5pYyB3aXRoIE5VTEwgcG9pbnRlciBkZXJlZmVyZW5jZSBpbg0K
PiBhY3BpX25zX2NoZWNrX29iamVjdF90eXBlIHNpbmNlIGtlcm5lbCAzLjQgb24gYSBNYWNQcm8g
bWFjaGluZS4NCj4gDQo+IEJ5IHJlY29tcGlsaW5nIGFzIG11Y2ggb2YgQUNQSSBhcyBwb3NzaWJs
ZSBhcyBtb2R1bGVzLCBJIHdhcyBhYmxlIHRvDQo+IGdldCB0aGUgc3lzdGVtIHJ1bm5pbmcgYW5k
IHBvc3Rwb25lIHRoZSBlcnJvciB1bnRpbCBkb2luZyAnbW9kcHJvYmUNCj4gYWNwaS1jcHVmcmVx
Jywgd2hpY2ggbm93IHJlc3VsdHMgaW4gb29wcywgbm90IHBhbmljLiBUaGUgbG9nIGlzDQo+IGF0
dGFjaGVkIGFzIGVycm9yLmxvZy4NCj4gDQo+IEJ5IGJpc2VjdGluZyBsaW51cyB0cmVlIGJldHdl
ZW4gMy4zIGFuZCAzLjQsIEkgZm91bmQgdGhlIGd1aWx0eSBjb21taXQNCj4gNmE5OWIxYzk0ZDA1
M2IzNDIwZWFhNGE0YmM4YjI4ODNkZDkwYTJmOQ0KPiAiQUNQSUNBOiBPYmplY3QgcmVwYWlyIGNv
ZGU6IFN1cHBvcnQgdG8gYWRkIFBhY2thZ2Ugd3JhcHBlcnMiIFsxXQ0KPiBIb3dldmVyIHRoaXMg
cGF0Y2ggZG9lcyBub3QgZGlyZWN0bHkgdG91Y2ggdGhlIGZ1bmN0aW9ucyBpbiB0aGUgc3RhY2sN
Cj4gdHJhY2UuDQo+IA0KPiBOZXh0IEkgY3JlYXRlZCBhIGtkdW1wIG9mIHRoZSBvb3BzLCBhbmQg
bG9va2VkIGFyb3VuZCB3aXRoIGdkYi4NCj4gLSBJbiBhY3BpX25zX2NoZWNrX3BhY2thZ2UoKSwg
dGhlIG51bGwgcG9pbnRlciBpcyBpbiB0aGUgcGFyYW1ldGVyDQo+IHJldHVybl9vYmplY3RfcHRy
LCB3aGljaCBpcyBkZXJlZmVyZW5jZWQgd2hlbiBpbml0aWFsaXppbmcgdGhlIHZhcmlhYmxlDQo+
IHJldHVybl9vYmplY3QuDQo+IC0gVGhlIGNhbGxpbmcgZnVuY3Rpb24gYWNwaV9uc19jaGVja19w
YWNrYWdlX2xpc3QoKSBpcyBpbiB0aGUgJ2Nhc2UNCj4gQUNQSV9QVFlQRTJfQ09VTlQ6JyBwYXJ0
LCB0aGUgcGFzc2VkIG51bGwgcG9pbnRlciBpcyBpbiB0aGUNCj4gc3ViX2VsZW1lbnRzIHZhcmlh
YmxlLg0KPiAtIEJlZm9yZSB0aGUgc3dpdGNoLCBzdWJfZWxlbWVudHMgaXMgaW5pdGlhbGl6ZWQg
bGlrZSB0aGlzOg0KPiANCj4gICBzdWJfZWxlbWVudHMgPSBzdWJfcGFja2FnZS0+cGFja2FnZS5l
bGVtZW50cw0KPiANCj4gICBpbnRlcmVzdGluZ2x5LCBpbiB0aGUgY3Jhc2hkdW1wLCBzdWJfZWxl
bWVudHMgaXMgbnVsbCwgYnV0DQo+ICAgc3ViX3BhY2thZ2UtPnBhY2thZ2UuZWxlbWVudHMgaXMg
bm9uLW51bGwNCj4gDQo+IEkndmUgYWRkZWQgc29tZSBwcmludGsncyBhbmQgdmVyaWZpZWQgdGhh
dCB0aGUgY2FsbCBvZiAgc3RhdHVzID0NCj4gYWNwaV9uc19jaGVja19vYmplY3RfdHlwZShkYXRh
LCAmc3ViX3BhY2thZ2UsDQo+IAkJCQkgICBBQ1BJX1JUWVBFX1BBQ0tBR0UsIGkpOw0KPiANCj4g
IG1ha2VzIHN1Yl9wYWNrYWdlLT5wYWNrYWdlLmVsZW1lbnRzIGJlY29tZSBub24tbnVsbCwgYnV0
IHN1Yl9lbGVtZW50cw0KPiB3YXMgYWxyZWFkeSBpbml0aWFsaXplZCBiZWZvcmUgdGhpcyBjYWxs
IGFuZCByZW1haW5zIG51bGwuDQo+IA0KPiBUaGUgYWJvdmUgbGVkIG1lIHRvIGNyZWF0ZSB0aGUg
YXR0YWNoZWQgcGF0Y2ggd2hpY2ggc2ltcGx5IG1vdmVzIHRoZQ0KPiBpbml0aWFsaXphdGlvbiBv
ZiBzdWJfZWxlbWVudHMgYWZ0ZXIgdGhlIHN1Yl9wYWNrYWdlIGNoZWNrLiBJIHRoaW5rDQo+IGl0
J3MgdGhpcyBjaGVjayB0aGF0IHJlc3VsdHMgaW4gdGhlIEludGVnZXIgdG8gUGFja2FnZQ0KPiBj
b252ZXJzaW9uL3dyYXBwaW5nLg0KPiANCj4gQWZ0ZXIgdGhpcyBwYXRjaCwgdGhlIG51bGwgcG9p
bnRlciBkZXJlZmVyZW5jZSBpcyBnb25lLCBidXQgdGhlIGRlYnVnDQo+IG91dHB1dCBvZiBBQ1BJ
IChhY3BpLmRlYnVnX2xheWVyPTB4ZmZmZmZmZmYNCj4gYWNwaS5kZWJ1Z19sZXZlbD0weDAwMDAw
MDA4KSBzaG93cyB0aGF0IHNvbWV0aGluZyBpcyBwcm9iYWJseSBzdGlsbA0KPiB3cm9uZzoNCj4g
DQo+IFsgICAgMS4zNTM2NzddIG5zcmVwYWlyLTA2ODEgWzQyOTQ5NjcyODddIG5zX3dyYXBfd2l0
aF9wYWNrYWdlICA6DQo+IFxfUFJfLkNQVTAuX1BTRDogV3JhcHBlZCBJbnRlZ2VyIHdpdGggZXhw
ZWN0ZWQgUGFja2FnZSBvYmplY3QNCj4gWyAgICAxLjM1Mzg2OV0gbnNyZXBhaXItMDY4MSBbNDI5
NDk2NzI4N10gbnNfd3JhcF93aXRoX3BhY2thZ2UgIDoNCj4gXF9QUl8uQ1BVMC5fUFNEOiBXcmFw
cGVkIEludGVnZXIgd2l0aCBleHBlY3RlZCBQYWNrYWdlIG9iamVjdA0KPiBbICAgIDEuMzU0MDU5
XSBBQ1BJIFdhcm5pbmc6IEZvciBcX1BSXy5DUFUwLl9QU0Q6IFJldHVybiBTdWItUGFja2FnZVsw
XQ0KPiBpcyB0b28gc21hbGwgLSBmb3VuZCAxIGVsZW1lbnRzLCBleHBlY3RlZCA1ICgyMDEyMDMy
MC9uc3ByZWRlZi05MDUpDQo+IFsgICAgMS4zNTQyNTNdIEFDUEk6IEludmFsaWQgcGFja2FnZSBh
cmd1bWVudA0KPiBbICAgIDEuMzU0MzIyXSBBQ1BJOiBJbnZhbGlkIF9QU0QgZGF0YQ0KPiAuLi4g
KHRoZSBzYW1lIGZvciBvdGhlciBDUFV4KQ0KPiANCj4gDQo+IEluIGNvbXBhcmlzb24sIDMuMyBr
ZXJuZWwgd2l0aCBzYW1lIGFjcGkgZGVidWcgb3B0aW9ucyBzaG93cyBvbmx5IHN0dWZmDQo+IGxp
a2U6DQo+IFsgICAgMS40OTQyMzhdIG5zcmVwYWlyLTA3MjggWzQyOTQ5NjcyODddIG5zX3JlcGFp
cl9wYWNrYWdlX2xpc3Q6DQo+IFxfUFJfLkNQVTAuX1BTRDogUmVwYWlyZWQgaW5jb3JyZWN0bHkg
Zm9ybWVkIFBhY2thZ2UNCj4gWyAgICAxLjQ5NDQ0OV0gbnNyZXBhaXItMDcyOCBbNDI5NDk2NzI4
N10gbnNfcmVwYWlyX3BhY2thZ2VfbGlzdDoNCj4gXF9QUl8uQ1BVMi5fUFNEOiBSZXBhaXJlZCBp
bmNvcnJlY3RseSBmb3JtZWQgUGFja2FnZQ0KPiBbICAgIDEuNDk0NjU3XSBuc3JlcGFpci0wNzI4
IFs0Mjk0OTY3Mjg3XSBuc19yZXBhaXJfcGFja2FnZV9saXN0Og0KPiBcX1BSXy5DUFU0Ll9QU0Q6
IFJlcGFpcmVkIGluY29ycmVjdGx5IGZvcm1lZCBQYWNrYWdlIC4uLiAodGhlIHNhbWUgZm9yDQo+
IG90aGVyIENQVXgpDQo+IA0KPiBTaW5jZSBJIGRvbid0IGtub3cgbXVjaCBhYm91dCB0aGlzIHN1
YnN5c3RlbSwgSSBmaWd1cmVkIHRoYXQgSSBzaG91bGQNCj4ganVzdCByZXBvcnQgbXkgZmluZGlu
Z3MgYXQgdGhpcyBwb2ludC4gVGhlIHBhdGNoZWQgc3lzdGVtIGlzIHVzYWJsZSwNCj4gYnV0IEkg
Z3Vlc3MgaXQncyBub3QgYSBjb21wbGV0ZSBmaXguDQo+IA0KPiBJIGFsc28gYXR0YWNoIHRoZSBv
dXRwdXQgb2YgYWNwaWR1bXAuIEkgaG9wZSBJIGRpZG4ndCBmb3JnZXQgYW55dGhpbmcNCj4gaW1w
b3J0YW50LCBwbGVhc2UgYXNrIGZvciBtb3JlIGluZm9ybWF0aW9uIGlmIG5lZWRlZC4NCj4gDQo+
IFRoYW5rcywNCj4gVmxhc3RpbWlsIEJhYmthDQo+IA0KPiBbMV0NCj4gZ2l0Lmtlcm5lbC5vcmcv
P3A9bGludXgva2VybmVsL2dpdC90b3J2YWxkcy9saW51eC0NCj4gMi42LmdpdDthPWNvbW1pdDto
PTZhOTliMWM5NGQwNTNiMzQyMGVhYTRhNGJjOGIyODgzZGQ5MGEyZjkNCg0K
--
To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Vlastimil Babka July 3, 2012, 9:15 a.m. UTC | #2 
On 07/02/2012 09:59 PM, Moore, Robert wrote:
> I was able to reproduce the problem here with your ACPI tables.
>
> Will look at your patch, and get back to you.

Thanks.

> You should probably open a bugzilla on this.

Done: bug 44171

https://bugzilla.kernel.org/show_bug.cgi?id=44171

> Thanks,
> Bob
>
>
>> -----Original Message-----
>> From: linux-acpi-owner@vger.kernel.org [mailto:linux-acpi-
>> owner@vger.kernel.org] On Behalf Of Vlastimil Babka
>> Sent: Monday, July 02, 2012 1:45 AM
>> To: linux-acpi@vger.kernel.org
>> Subject: PROBLEM: NULL pointer dereference in
>> acpi_ns_check_object_type()
>>
>> Hello,
>>
>> I've been experiencing kernel panic with NULL pointer dereference in
>> acpi_ns_check_object_type since kernel 3.4 on a MacPro machine.
>>
>> By recompiling as much of ACPI as possible as modules, I was able to
>> get the system running and postpone the error until doing 'modprobe
>> acpi-cpufreq', which now results in oops, not panic. The log is
>> attached as error.log.
>>
>> By bisecting linus tree between 3.3 and 3.4, I found the guilty commit
>> 6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9
>> "ACPICA: Object repair code: Support to add Package wrappers" [1]
>> However this patch does not directly touch the functions in the stack
>> trace.
>>
>> Next I created a kdump of the oops, and looked around with gdb.
>> - In acpi_ns_check_package(), the null pointer is in the parameter
>> return_object_ptr, which is dereferenced when initializing the variable
>> return_object.
>> - The calling function acpi_ns_check_package_list() is in the 'case
>> ACPI_PTYPE2_COUNT:' part, the passed null pointer is in the
>> sub_elements variable.
>> - Before the switch, sub_elements is initialized like this:
>>
>>    sub_elements = sub_package->package.elements
>>
>>    interestingly, in the crashdump, sub_elements is null, but
>>    sub_package->package.elements is non-null
>>
>> I've added some printk's and verified that the call of  status =
>> acpi_ns_check_object_type(data, &sub_package,
>> 				   ACPI_RTYPE_PACKAGE, i);
>>
>>   makes sub_package->package.elements become non-null, but sub_elements
>> was already initialized before this call and remains null.
>>
>> The above led me to create the attached patch which simply moves the
>> initialization of sub_elements after the sub_package check. I think
>> it's this check that results in the Integer to Package
>> conversion/wrapping.
>>
>> After this patch, the null pointer dereference is gone, but the debug
>> output of ACPI (acpi.debug_layer=0xffffffff
>> acpi.debug_level=0x00000008) shows that something is probably still
>> wrong:
>>
>> [    1.353677] nsrepair-0681 [4294967287] ns_wrap_with_package  :
>> \_PR_.CPU0._PSD: Wrapped Integer with expected Package object
>> [    1.353869] nsrepair-0681 [4294967287] ns_wrap_with_package  :
>> \_PR_.CPU0._PSD: Wrapped Integer with expected Package object
>> [    1.354059] ACPI Warning: For \_PR_.CPU0._PSD: Return Sub-Package[0]
>> is too small - found 1 elements, expected 5 (20120320/nspredef-905)
>> [    1.354253] ACPI: Invalid package argument
>> [    1.354322] ACPI: Invalid _PSD data
>> ... (the same for other CPUx)
>>
>>
>> In comparison, 3.3 kernel with same acpi debug options shows only stuff
>> like:
>> [    1.494238] nsrepair-0728 [4294967287] ns_repair_package_list:
>> \_PR_.CPU0._PSD: Repaired incorrectly formed Package
>> [    1.494449] nsrepair-0728 [4294967287] ns_repair_package_list:
>> \_PR_.CPU2._PSD: Repaired incorrectly formed Package
>> [    1.494657] nsrepair-0728 [4294967287] ns_repair_package_list:
>> \_PR_.CPU4._PSD: Repaired incorrectly formed Package ... (the same for
>> other CPUx)
>>
>> Since I don't know much about this subsystem, I figured that I should
>> just report my findings at this point. The patched system is usable,
>> but I guess it's not a complete fix.
>>
>> I also attach the output of acpidump. I hope I didn't forget anything
>> important, please ask for more information if needed.
>>
>> Thanks,
>> Vlastimil Babka
>>
>> [1]
>> git.kernel.org/?p=linux/kernel/git/torvalds/linux-
>> 2.6.git;a=commit;h=6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9
>
> N?????r??y???b?X???v?^?)?{.n?+????{?i?b?{ay????,j??f???h???z??w??????j:+v???w?j?m????????zZ+???j"??!tml=
>


--
To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

From 0e83f804ecac018e6b1dbeef31478e83a53dd520 Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <caster@gentoo.org>
Date: Fri, 29 Jun 2012 15:19:03 +0200
Subject: [PATCH] Hopeful fix.

---
 drivers/acpi/acpica/nspredef.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/acpi/acpica/nspredef.c b/drivers/acpi/acpica/nspredef.c
index 23ce096..4a09384 100644
--- a/drivers/acpi/acpica/nspredef.c
+++ b/drivers/acpi/acpica/nspredef.c
@@ -718,7 +718,6 @@  acpi_ns_check_package_list(struct acpi_predefined_data *data,
 	 */
 	for (i = 0; i < count; i++) {
 		sub_package = *elements;
-		sub_elements = sub_package->package.elements;
 		data->parent_package = sub_package;
 
 		/* Each sub-object must be of type Package */
@@ -731,6 +730,7 @@  acpi_ns_check_package_list(struct acpi_predefined_data *data,
 
 		/* Examine the different types of expected sub-packages */
 
+		sub_elements = sub_package->package.elements;
 		data->parent_package = sub_package;
 		switch (package->ret_info.type) {
 		case ACPI_PTYPE2:
-- 
1.7.8.6