NULL pointer dereference when Inserting the VIMC module

Bug #1840028 reported by Po-Hsu Lin on 2019-08-13
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Status tracked in Eoan
Bionic
Undecided
Po-Hsu Lin
Disco
Undecided
Po-Hsu Lin
Eoan
Undecided
Po-Hsu Lin

Bug Description

== SRU Justification ==
When trying to insert a vimc module on a system has other devices being registered in the component framework, if the device is not necessarily a platform_device, nor have a platform_data it will trigger a NULL pointer deference issue.

Issue found on a bare metal node with config vimc enabled.

ubuntu@amaura:~$ sudo modprobe vimc
Killed

dmesg output:
[ 2855.340272] media: Linux media interface: v0.10
[ 2855.344927] Linux video capture interface: v2.00
[ 2855.346146] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 2855.346172] IP: strcmp+0xe/0x30
[ 2855.346181] PGD 0 P4D 0
[ 2855.346189] Oops: 0000 [#1] SMP PTI
[ 2855.346198] Modules linked in: vimc(+) videodev media ppdev intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel binfmt_misc kvm irqbypass intel_cstate intel_rapl_perf ipmi_si joydev ipmi_devintf ipmi_msghandler intel_pch_thermal input_leds parport_pc lpc_ich shpchp parport mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc i915 mgag200 ttm drm_kms_helper aesni_intel syscopyarea aes_x86_64 sysfillrect crypto_simd igb sysimgblt glue_helper fb_sys_fops cryptd dca drm i2c_algo_bit
[ 2855.346366] ahci ptp libahci pps_core video
[ 2855.346379] CPU: 4 PID: 1505 Comm: modprobe Not tainted 4.15.0-58-generic #64
[ 2855.346395] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
[ 2855.346418] RIP: 0010:strcmp+0xe/0x30
[ 2855.346428] RSP: 0018:ffffb63501f93a00 EFLAGS: 00010202
[ 2855.346440] RAX: ffffffffc0c860f0 RBX: 0000000000000000 RCX: 0000000000000000
[ 2855.346456] RDX: ffffa097d85ec440 RSI: ffffffffc0c8723f RDI: 0000000000000001
[ 2855.346473] RBP: ffffb63501f93a00 R08: ffffa097e09270a0 R09: ffffa097d265ca80
[ 2855.346489] R10: ffffe84b51559600 R11: 0000000000000200 R12: ffffa097dcdbf718
[ 2855.346505] R13: ffffa097d265ca80 R14: ffffa097d2f2b380 R15: 0000000000000000
[ 2855.346521] FS: 00007fd7f4e4b540(0000) GS:ffffa097e0900000(0000) knlGS:0000000000000000
[ 2855.346539] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2855.346553] CR2: 0000000000000000 CR3: 00000004580fc001 CR4: 00000000003606e0
[ 2855.346569] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2855.346585] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2855.346601] Call Trace:
[ 2855.346611] vimc_comp_compare+0x15/0x20 [vimc]
[ 2855.346624] try_to_bring_up_master+0xa3/0x260
[ 2855.346635] ? vimc_remove+0x90/0x90 [vimc]
[ 2855.346646] component_master_add_with_match+0x8b/0xd0
[ 2855.346659] vimc_probe+0x325/0x3c9 [vimc]
[ 2855.346672] ? acpi_dev_pm_attach+0x25/0xd0
[ 2855.346683] platform_drv_probe+0x3e/0xa0
[ 2855.346693] driver_probe_device+0x30c/0x490
[ 2855.346704] __driver_attach+0xa7/0xf0
[ 2855.346714] ? driver_probe_device+0x490/0x490
[ 2855.346725] bus_for_each_dev+0x70/0xc0
[ 2855.346735] driver_attach+0x1e/0x20
[ 2855.346744] bus_add_driver+0x1c7/0x270
[ 2855.346754] ? 0xffffffffc0c8b000
[ 2855.346763] driver_register+0x60/0xe0
[ 2855.346772] ? 0xffffffffc0c8b000
[ 2855.346781] __platform_driver_register+0x36/0x40
[ 2855.346793] vimc_init+0x46/0x1000 [vimc]
[ 2855.347306] do_one_initcall+0x52/0x19f
[ 2855.347810] ? __vunmap+0x8e/0xc0
[ 2855.348322] ? _cond_resched+0x19/0x40
[ 2855.348811] ? kmem_cache_alloc_trace+0x14e/0x1b0
[ 2855.349290] ? do_init_module+0x27/0x209
[ 2855.349768] do_init_module+0x5f/0x209
[ 2855.350246] load_module+0x193b/0x1f30
[ 2855.350710] ? ima_post_read_file+0x96/0xa0
[ 2855.351159] SYSC_finit_module+0xfc/0x120
[ 2855.351592] ? SYSC_finit_module+0xfc/0x120
[ 2855.352010] SyS_finit_module+0xe/0x10
[ 2855.352412] do_syscall_64+0x73/0x130
[ 2855.352797] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 2855.353169] RIP: 0033:0x7fd7f4959839
[ 2855.353538] RSP: 002b:00007ffd7e3fd5c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 2855.353915] RAX: ffffffffffffffda RBX: 0000563c3b02eea0 RCX: 00007fd7f4959839
[ 2855.354286] RDX: 0000000000000000 RSI: 0000563c39de5d2e RDI: 0000000000000005
[ 2855.354647] RBP: 0000563c39de5d2e R08: 0000000000000000 R09: 0000563c3b02eea0
[ 2855.355009] R10: 0000000000000005 R11: 0000000000000246 R12: 0000000000000000
[ 2855.355369] R13: 0000563c3b02ef20 R14: 0000000000040000 R15: 0000563c3b02eea0
[ 2855.355728] Code: 01 c8 c3 c6 44 07 ff 00 eb 91 31 c0 eb c9 48 c7 c0 f9 ff ff ff c3 0f 1f 80 00 00 00 00 55 48 89 e5 eb 04 84 c0 74 18 48 83 c7 01 <0f> b6 47 ff 48 83 c6 01 3a 46 ff 74 eb 19 c0 83 c8 01 5d c3 31
[ 2855.356503] RIP: strcmp+0xe/0x30 RSP: ffffb63501f93a00
[ 2855.356885] CR2: 0000000000000000
[ 2855.357259] ---[ end trace bfba48c80f803d2d ]---

== Fix ==
* ee1c71a8 (media: vimc: fix component match compare)

This patch can be cherry-picked in to B/D/E.
VIMC support was requested to enabled on these kernels (lp:1831482).

== Test ==
Test kernels could be found here:
https://people.canonical.com/~phlin/kernel/lp-1840028-null-ptr-vimc/

Tested with node "amaura", patch works as expected, the vimc module can be inserted / removed without any issue.

== Regression Potential ==
Low, this patch is specific for vimc and we have positive test result with it.

Po-Hsu Lin (cypressyew) wrote :
description: updated
tags: added: bionic
Changed in linux (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Po-Hsu Lin (cypressyew)
status: New → Incomplete
status: Incomplete → In Progress
Po-Hsu Lin (cypressyew) wrote :

With the Bionic test kernel https://people.canonical.com/~phlin/kernel/lp-1840028-null-ptr-vimc/B/

This issue will gone:

ubuntu@amaura:~$ sudo modprobe vimc
ubuntu@amaura:~$

[ 10.048268] IPv6: ADDRCONF(NETDEV_CHANGE): eno1: link becomes ready
[ 127.217396] new mount options do not match the existing superblock, will be ignored
[ 142.328019] media: Linux media interface: v0.10
[ 142.332711] Linux video capture interface: v2.00
[ 142.343775] vimc vimc.0: bound vimc-sensor.1.auto (ops vimc_sen_comp_ops [vimc_sensor])
[ 142.343891] vimc vimc.0: bound vimc-sensor.2.auto (ops vimc_sen_comp_ops [vimc_sensor])
[ 142.343893] vimc vimc.0: bound vimc-debayer.3.auto (ops vimc_deb_comp_ops [vimc_debayer])
[ 142.343895] vimc vimc.0: bound vimc-debayer.4.auto (ops vimc_deb_comp_ops [vimc_debayer])
[ 142.343931] vimc vimc.0: bound vimc-capture.5.auto (ops vimc_cap_comp_ops [vimc_capture])
[ 142.343952] vimc vimc.0: bound vimc-capture.6.auto (ops vimc_cap_comp_ops [vimc_capture])
[ 142.344059] vimc vimc.0: bound vimc-sensor.7.auto (ops vimc_sen_comp_ops [vimc_sensor])
[ 142.344061] vimc vimc.0: bound vimc-scaler.8.auto (ops vimc_sca_comp_ops [vimc_scaler])
[ 142.344083] vimc vimc.0: bound vimc-capture.9.auto (ops vimc_cap_comp_ops [vimc_capture])

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1840028

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Po-Hsu Lin (cypressyew) wrote :

Affecting Disco as well, passed with patched kernel.

Changed in linux (Ubuntu Disco):
assignee: nobody → Po-Hsu Lin (cypressyew)
Po-Hsu Lin (cypressyew) on 2019-08-14
description: updated
Changed in linux (Ubuntu Disco):
status: New → In Progress
Changed in linux (Ubuntu Eoan):
status: Incomplete → In Progress
Po-Hsu Lin (cypressyew) on 2019-08-14
description: updated
Po-Hsu Lin (cypressyew) on 2019-08-14
description: updated
Seth Forshee (sforshee) on 2019-08-15
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew) on 2019-08-16
tags: added: disco eoan
Launchpad Janitor (janitor) wrote :
Download full text (27.8 KiB)

This bug was fixed in the package linux - 5.2.0-13.14

---------------
linux (5.2.0-13.14) eoan; urgency=medium

  * eoan/linux: 5.2.0-13.14 -proposed tracker (LP: #1840261)

  * NULL pointer dereference when Inserting the VIMC module (LP: #1840028)
    - media: vimc: fix component match compare

  * Miscellaneous upstream changes
    - selftests/bpf: remove bpf_util.h from BPF C progs

linux (5.2.0-12.13) eoan; urgency=medium

  * eoan/linux: 5.2.0-12.13 -proposed tracker (LP: #1840184)

  * Eoan update: v5.2.8 upstream stable release (LP: #1840178)
    - scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure
    - libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant
    - libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock
    - ALSA: usb-audio: Sanity checks for each pipe and EP types
    - ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check
    - HID: wacom: fix bit shift for Cintiq Companion 2
    - HID: Add quirk for HP X1200 PIXART OEM mouse
    - atm: iphase: Fix Spectre v1 vulnerability
    - bnx2x: Disable multi-cos feature.
    - drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case
    - ife: error out when nla attributes are empty
    - ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6
    - ip6_tunnel: fix possible use-after-free on xmit
    - ipip: validate header length in ipip_tunnel_xmit
    - mlxsw: spectrum: Fix error path in mlxsw_sp_module_init()
    - mvpp2: fix panic on module removal
    - mvpp2: refactor MTU change code
    - net: bridge: delete local fdb on device init failure
    - net: bridge: mcast: don't delete permanent entries when fast leave is
      enabled
    - net: bridge: move default pvid init/deinit to NETDEV_REGISTER/UNREGISTER
    - net: fix ifindex collision during namespace removal
    - net/mlx5e: always initialize frag->last_in_page
    - net/mlx5: Use reversed order when unregister devices
    - net: phy: fixed_phy: print gpio error only if gpio node is present
    - net: phylink: don't start and stop SGMII PHYs in SFP modules twice
    - net: phylink: Fix flow control for fixed-link
    - net: phy: mscc: initialize stats array
    - net: qualcomm: rmnet: Fix incorrect UL checksum offload logic
    - net: sched: Fix a possible null-pointer dereference in dequeue_func()
    - net sched: update vlan action for batched events operations
    - net: sched: use temporary variable for actions indexes
    - net/smc: do not schedule tx_work in SMC_CLOSED state
    - net: stmmac: Use netif_tx_napi_add() for TX polling function
    - NFC: nfcmrvl: fix gpio-handling regression
    - ocelot: Cancel delayed work before wq destruction
    - tipc: compat: allow tipc commands without arguments
    - tipc: fix unitilized skb list crash
    - tun: mark small packets as owned by the tap sock
    - net/mlx5: Fix modify_cq_in alignment
    - net/mlx5e: Prevent encap flow counter update async to user query
    - r8169: don't use MSI before RTL8168d
    - bpf: fix XDP vlan selftests test_xdp_vlan.sh
    - selftests/bpf: add wrapper scripts for test_xdp_vlan.sh
    - selftests/bpf: reduce time to execute test_xdp_vlan.sh
    - net: fix bpf_xdp_adjust_head regression for generic-XDP
    - hv_sock: Fi...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers