So it seems we are moving the call to amd_sfh_hid_client_init(privdata) from the end of the function up a bit, and interestingly, before the call to privdata->cl_data = devm_kzalloc().
So... we are using privdata->cl_data before it is being allocated? Looks like we have found our NULL pointer dereference.
I suppose the commit to "fix" the null pointer dereference actually introduced another one.
Looking at this commit in the upstream tree, I came across:
The commit is listed there, but when I search the Impish git tree, it is missing?
I think what has happened is the two commits have the same name, and Kamal must have gotten confused and thought it was a duplicate, and dropped it.
Here's what we are going to do.
I will build you a test kernel based on 5.13.0-23-generic, that includes Basavaraj Natikar's fix, and I will provide instructions on how to install it. You can test it to make sure it fixes the issue, and if it does, I will submit the patch for SRU to the 5.13 kernel.
I will write back once the test kernel has finished building, probably tomorrow.
Hi Vadik, Oliver,
Thanks for reporting, and sorry that 5.13.0-24-generic in -proposed didn't solve the issue.
Let's do some analysis:
[ 1.381250] BUG: kernel NULL pointer dereference, address: 000000000000000c sfh_hid_ client_ init+0x47/ 0x350 [amd_sfh] master+ 0x5f/0xe0 pci_probe+ 0xad/0x160 [amd_sfh] probe+0x48/ 0x80
[ 1.381270] RIP: 0010:amd_
[ 1.381299] Call Trace:
[ 1.381302] ? __pci_set_
[ 1.381310] amd_mp2_
[ 1.381314] local_pci_
...
Okay, so a null pointer dereference in the amd_sfh module. The c in 000000000000000c probably means offset +12 in the struct we are trying to access.
Let's see where this is:
$ eu-addr2line -ifae ./usr/lib/ debug/lib/ modules/ 5.13.0- 23-generic/ kernel/ drivers/ hid/amd- sfh-hid/ amd_sfh. ko amd_sfh_ hid_client_ init+0x47 hid_client_ init linux-k2e9CH/ linux-5. 13.0/drivers/ hid/amd- sfh-hid/ amd_sfh_ client. c:147:27
0x0000000000000767
amd_sfh_
/build/
Let's have a look:
134 int amd_sfh_ hid_client_ init(struct amd_mp2_dev *privdata) >num_hid_ devices = amd_mp2_ get_sensor_ num(privdata, &cl_data- >sensor_ idx[0]) ;
135 {
...
146
147 cl_data-
148
...
Okay, so we are dereferencing either cl_data- >num_hid_ devices or &cl_data- >sensor_ idx[0], but they are both in cl_data, so cl_data will be NULL.
Since you mentioned that it worked in 5.13.0-22-generic, and broke in 5.13.0-23-generic, lets see if this changed in 5.13.0-23-generic:
$ git log --grep "amd_sfh" Ubuntu- 5.13.0- 22.22.. Ubuntu- 5.13.0- 23.23 eba2d9a55c99231 c30a172764 70ad72da58469b5 588e8cbf85 /github. com/torvalds/ linux/commit/ d46ef750ed58cbe eba2d9a55c99231 c30a172764
commit d46ef750ed58cbe
commit-impish 56559d7910e7044
Author: Evgeny Novikov <email address hidden>
Date: Tue Jun 1 19:38:01 2021 +0300
Subject:HID: amd_sfh: Fix potential NULL pointer dereference
Link: https:/
Okay, so this patch changes the parent function to amd_sfh_ hid_client_ init(), which is amd_mp2_ pci_probe( ).
+ rc = amd_sfh_ hid_client_ init(privdata) ;
privdata- >cl_data = devm_kzalloc( &pdev-> dev, sizeof(struct amdtp_cl_data), GFP_KERNEL); >cl_data)
return -ENOMEM; hid_client_ init(privdata) ;
+ if (rc)
+ return rc;
+
if (!privdata-
...
- return amd_sfh_
+ return 0;
So it seems we are moving the call to amd_sfh_ hid_client_ init(privdata) from the end of the function up a bit, and interestingly, before the call to privdata->cl_data = devm_kzalloc().
So... we are using privdata->cl_data before it is being allocated? Looks like we have found our NULL pointer dereference.
I suppose the commit to "fix" the null pointer dereference actually introduced another one.
Looking at this commit in the upstream tree, I came across:
commit 88a04049c08cd62 e698bc1b1af2d09 574b9e0aee /github. com/torvalds/ linux/commit/ 88a04049c08cd62 e698bc1b1af2d09 574b9e0aee
Author: Basavaraj Natikar <email address hidden>
Date: Thu Sep 23 17:59:27 2021 +0530
Subject: HID: amd_sfh: Fix potential NULL pointer dereference
Link: https:/
This patch seems to move the call to after cl_data is allocated, which should fix this.
- rc = amd_sfh_ hid_client_ init(privdata) ;
privdata- >cl_data = devm_kzalloc( &pdev-> dev, sizeof(struct amdtp_cl_data), GFP_KERNEL); >cl_data)
return -ENOMEM;
- if (rc)
- return rc;
-
if (!privdata-
- rc = devm_add_ action_ or_reset( &pdev-> dev, amd_mp2_pci_remove, privdata); ops(privdata) ; hid_client_ init(privdata) ;
+ mp2_select_
+
+ rc = amd_sfh_
This commit landed in 5.15-rc4:
$ git describe --contains 88a04049c08cd62 e698bc1b1af2d09 574b9e0aee
v5.15-rc4~40^2
It seems it was backported to 5.14.10:
https:/ /lwn.net/ Articles/ 872195/
Impish should have gotten 5.14.10 during its regular upstream -stable patches:
https:/ /bugs.launchpad .net/ubuntu/ +source/ linux/+ bug/1950388
The commit is listed there, but when I search the Impish git tree, it is missing?
I think what has happened is the two commits have the same name, and Kamal must have gotten confused and thought it was a duplicate, and dropped it.
Here's what we are going to do.
I will build you a test kernel based on 5.13.0-23-generic, that includes Basavaraj Natikar's fix, and I will provide instructions on how to install it. You can test it to make sure it fixes the issue, and if it does, I will submit the patch for SRU to the 5.13 kernel.
I will write back once the test kernel has finished building, probably tomorrow.
Thanks,
Matthew