amd_sfh: Null pointer dereference on early device init causes early panic and fails to boot
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Impish | Fix Released | Medium | Matthew Ruffell |
Bug Description
BugLink: https:/
[Impact]
A regression was introduced into 5.13.0-23-generic for devices using AMD Ryzen chipsets that incorporate the AMD Sensor Fusion Hub (SFH) HID device. These are mostly Ryzen-based laptops, but some desktops have the SoC embedded as well.
On early boot, when the driver initialises the device, it hits a null pointer dereference with the following stack trace:
BUG: kernel NULL pointer dereference, address: 000000000000000c
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
CPU: 0 PID: 175 Comm: systemd-udevd Not tainted 5.13.0-23-generic #23-Ubuntu
RIP: 0010:amd_
Call Trace:
? __pci_set_
amd_mp2_
local_
pci_device_
really_
driver_
device_
__driver_
? device_
bus_for_
driver_
bus_add_
driver_
? 0xffffffffc03d2000
__pci_
amd_mp2_
do_one_
? kmem_cache_
do_init_
load_
__do_
__x64_
do_syscall_
? ksys_mmap_
? exit_to_
? syscall_
? __x64_sys_
? do_syscall_
? do_syscall_
? do_syscall_
? syscall_
? do_syscall_
? exc_page_
? asm_exc_
entry_
This causes a panic: the system cannot continue booting, and the user must select an older kernel to boot.
[Fix]
The issue was introduced in 5.13.0-23-generic by the commit:
commit d46ef750ed58cbe
commit-impish 56559d7910e7044
Author: Evgeny Novikov <email address hidden>
Date: Tue Jun 1 19:38:01 2021 +0300
Subject: HID: amd_sfh: Fix potential NULL pointer dereference
Link: https:/
The issue is straightforward: amd_sfh_client.c dereferences cl_data while it is still NULL:
$ eu-addr2line -ifae ./usr/lib/
0x0000000000000767
amd_sfh_
/build/
134 int amd_sfh_
135 {
...
146
147 cl_data-
148
...
The patch moves the call to amd_sfh_
+ rc = amd_sfh_
+ if (rc)
+ return rc;
+
if (!privdata-
...
- return amd_sfh_
+ return 0;
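Review bot: the final statement changes from `return amd_sfh_...` to `return 0;`, so the function's return value no longer reflects that call; this is consistent with the call having moved ahead of the `if (!privdata-...` check and returning `rc` early on failure. One point to confirm in the full patch: any step that can fail after the moved call now needs to undo what that call set up, since the earlier ordering never reached it on those failure paths.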
The issue was fixed upstream in 5.15-rc4 by the commit:
commit 88a04049c08cd62
Author: Basavaraj Natikar <email address hidden>
Date: Thu Sep 23 17:59:27 2021 +0530
Subject: HID: amd_sfh: Fix potential NULL pointer dereference
Link: https:/
The fix places the call to amd_sfh_
This patch also landed in 5.14.10 -stable, but it appears to have been omitted from the impish backport, most likely because it shares the exact same subject line as the regression commit and was dropped as a duplicate.
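The bug class here is an initialisation-ordering defect: a later init step writes through a pointer that an earlier step was supposed to allocate. The following user-space model, added here as an illustration and not taken from the amd_sfh driver or the kernel, shows the regressed ordering beside the fixed one. All names (`probe_regressed`, `probe_fixed`, `client_init`, `activate_sensors`, `mp2_hw_setup`, the `privdata` and `cl_data` structs) are invented for the example; the kernel's NULL write is modelled as an error return so the code can be exercised safely, and the fixed variant also shows the cleanup a later failure needs once the allocation happens first.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical model of per-device driver state. Field and type names are
 * invented for this example and do not match the kernel's structures. */
struct cl_data {
    int sensors_active;
};

struct privdata {
    struct cl_data *cl_data;   /* NULL until the client-init step allocates it */
    int mp2_ready;
};

/* Models the client-init step that allocates cl_data. */
static int client_init(struct privdata *pd)
{
    pd->cl_data = calloc(1, sizeof(*pd->cl_data));
    return pd->cl_data ? 0 : -ENOMEM;
}

static void client_deinit(struct privdata *pd)
{
    free(pd->cl_data);
    pd->cl_data = NULL;
}

/* Models the step that writes into cl_data. In the real driver this write
 * is the NULL pointer dereference from the bug report; here it becomes an
 * error return so the regressed ordering can be demonstrated without a crash. */
static int activate_sensors(struct privdata *pd)
{
    if (!pd->cl_data)
        return -EFAULT;            /* stands in for the oops at cl_data->... */
    pd->cl_data->sensors_active = 1;
    return 0;
}

/* Models a hardware setup step that may fail; hw_ok is a constructed input. */
static int mp2_hw_setup(struct privdata *pd, int hw_ok)
{
    pd->mp2_ready = hw_ok;
    return hw_ok ? 0 : -EIO;
}

/* Regressed ordering: cl_data is used before client_init has allocated it. */
int probe_regressed(struct privdata *pd, int hw_ok)
{
    int rc = mp2_hw_setup(pd, hw_ok);
    if (rc)
        return rc;
    rc = activate_sensors(pd);     /* cl_data is still NULL here */
    if (rc)
        return rc;
    return client_init(pd);        /* never reached in the failing case */
}

/* Fixed ordering: allocate first, use afterwards, and release the allocation
 * on any later failure so a failed probe does not leak it. */
int probe_fixed(struct privdata *pd, int hw_ok)
{
    int rc = client_init(pd);
    if (rc)
        return rc;
    rc = mp2_hw_setup(pd, hw_ok);
    if (rc)
        goto err_deinit;
    rc = activate_sensors(pd);
    if (rc)
        goto err_deinit;
    return 0;

err_deinit:
    client_deinit(pd);
    return rc;
}
```

With `probe_regressed` the model reports -EFAULT where the kernel would oops; with `probe_fixed` a healthy device probes successfully, and a simulated hardware failure returns -EIO with `cl_data` released again, which is the property a reviewer should check whenever an allocation is moved earlier in a probe path.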
[Testcase]
You need an AMD Ryzen-based system with an AMD Sensor Fusion Hub HID device built in to test this.
Simply booting the system is enough to trigger the issue.
A test kernel is available in the following ppa:
https:/
A community user has tested the test kernel, and has confirmed that it fixes the issue.
[Where problems could occur]
If a regression were to occur, it would only affect AMD Ryzen based systems with the AMD Sensor Fusion Hub HID device SOC. Since the changes affect the device initialisation function, a regression could cause systems to panic during boot, forcing users to revert to older kernels to start their systems.
That said, the patch is present in 5.15-rc4 and in 5.14.10, is in widespread use, and is already present in Jammy.
information type: Public → Public Security
information type: Public Security → Public
Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Changed in linux (Ubuntu Impish):
status: New → In Progress
importance: Undecided → Medium
summary:
- kernel panic after upgrading to kernel 5.13.0-23
+ amd_sfh: Null pointer dereference on early device init causes early panic and fails to boot
description: updated
Changed in linux (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-done-focal removed: verification-needed-focal
I am attaching the full dmesg output for both the bad kernel version and the good version booting successfully. Please let me know if there is anything else I can provide.