https://bugzilla.kernel.org/show_bug.cgi?id=44171
Summary: BUG: unable to handle kernel NULL pointer dereference
at acpi_ns_check_object_type
Product: ACPI
Version: 2.5
Kernel Version: 3.4
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: ACPICA-Core
AssignedTo: acpi_acpica-c...@kernel-bugs.osdl.org
ReportedBy: cas...@gentoo.org
Regression: No
(originally reported at linux-a...@vger.kernel.org [2], filling bug as
suggested)
Hello,
I've been experiencing kernel panic with NULL pointer dereference in
acpi_ns_check_object_type since kernel 3.4 on a MacPro machine.
By recompiling as much of ACPI as possible as modules, I was able to get
the system running and postpone the error until doing 'modprobe
acpi-cpufreq', which now results in oops, not panic. The log is attached
as error.log.
By bisecting linus tree between 3.3 and 3.4, I found the guilty commit
6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9
"ACPICA: Object repair code: Support to add Package wrappers" [1]
However this patch does not directly touch the functions in the stack trace.
Next I created a kdump of the oops, and looked around with gdb.
- In acpi_ns_check_package(), the null pointer is in the parameter
return_object_ptr, which is dereferenced when initializing the variable
return_object.
- The calling function acpi_ns_check_package_list() is in the 'case
ACPI_PTYPE2_COUNT:' part, the passed null pointer is in the sub_elements
variable.
- Before the switch, sub_elements is initialized like this:
sub_elements = sub_package->package.elements
interestingly, in the crashdump, sub_elements is null, but
sub_package->package.elements is non-null
I've added some printk's and verified that the call of
status = acpi_ns_check_object_type(data, &sub_package,
ACPI_RTYPE_PACKAGE, i);
makes sub_package->package.elements become non-null, but sub_elements
was already initialized before this call and remains null.
The above led me to create the attached patch which simply moves the
initialization of sub_elements after the sub_package check. I think it's
this check that results in the Integer to Package conversion/wrapping.
After this patch, the null pointer dereference is gone, but the debug
output of ACPI (acpi.debug_layer=0xffffffff acpi.debug_level=0x00000008)
shows that something is probably still wrong:
[ 1.353677] nsrepair-0681 [4294967287] ns_wrap_with_package :
\_PR_.CPU0._PSD: Wrapped Integer with expected Package object
[ 1.353869] nsrepair-0681 [4294967287] ns_wrap_with_package :
\_PR_.CPU0._PSD: Wrapped Integer with expected Package object
[ 1.354059] ACPI Warning: For \_PR_.CPU0._PSD: Return Sub-Package[0]
is too small - found 1 elements, expected 5 (20120320/nspredef-905)
[ 1.354253] ACPI: Invalid package argument
[ 1.354322] ACPI: Invalid _PSD data
... (the same for other CPUx)
In comparison, 3.3 kernel with same acpi debug options shows only stuff
like:
[ 1.494238] nsrepair-0728 [4294967287] ns_repair_package_list:
\_PR_.CPU0._PSD: Repaired incorrectly formed Package
[ 1.494449] nsrepair-0728 [4294967287] ns_repair_package_list:
\_PR_.CPU2._PSD: Repaired incorrectly formed Package
[ 1.494657] nsrepair-0728 [4294967287] ns_repair_package_list:
\_PR_.CPU4._PSD: Repaired incorrectly formed Package
... (the same for other CPUx)
Since I don't know much about this subsystem, I figured that I should
just report my findings at this point. The patched system is usable, but
I guess it's not a complete fix.
I also attach the output of acpidump. I hope I didn't forget anything
important, please ask for more information if needed.
Thanks,
Vlastimil Babka
[1]
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9
[2] http://marc.info/?t=134121902100001&r=1&w=2
error.log
Jun 29 13:50:01 macpro kernel: [ 334.597947] nsrepair-0681 [4294967287]
ns_wrap_with_package : \_PR_.CPU0._PSD: Wrapped Integer with expected Package
object
Jun 29 13:50:01 macpro kernel: [ 334.597951] nsrepair-0681 [4294967287]
ns_wrap_with_package : \_PR_.CPU0._PSD: Wrapped Integer with expected Package
object
Jun 29 13:50:01 macpro kernel: [ 334.597958] BUG: unable to handle kernel NULL
pointer dereference at (null)
Jun 29 13:50:01 macpro kernel: [ 334.597972] IP: [<ffffffff812da10e>]
acpi_ns_check_object_type+0x1a/0x1d2
Jun 29 13:50:01 macpro kernel: [ 334.597985] PGD 36a625067 PUD 36aa2d067 PMD 0
Jun 29 13:50:01 macpro kernel: [ 334.597995] Oops: 0000 [#1] PREEMPT SMP
Jun 29 13:50:01 macpro kernel: [ 334.598004] CPU 0
Jun 29 13:50:01 macpro kernel: [ 334.598007] Modules linked in:
acpi_cpufreq(+) mperf thermal fan battery acpi_ipmi ipmi_msghandler ac coretemp
btusb bluetooth ioatdma snd_hda_codec_realtek snd_hda_intel firewire_ohci
snd_hda_codec firewire_core i7core_edac i2c_i801 applesmc processor edac_core
dca snd_hwdep shpchp rtc_cmos button
Jun 29 13:50:01 macpro kernel: [ 334.598075]
Jun 29 13:50:01 macpro kernel: [ 334.598079] Pid: 8683, comm: modprobe Not
tainted 3.3.0+ #22 Apple Inc. MacPro4,1/Mac-F221BEC8
Jun 29 13:50:01 macpro kernel: [ 334.598091] RIP: 0010:[<ffffffff812da10e>]
[<ffffffff812da10e>] acpi_ns_check_object_type+0x1a/0x1d2
Jun 29 13:50:01 macpro kernel: [ 334.598102] RSP: 0018:ffff88036a75bb58
EFLAGS: 00010292
Jun 29 13:50:01 macpro kernel: [ 334.598107] RAX: ffff8803717c1ee8 RBX:
ffff88036bb79500 RCX: 0000000000000000
Jun 29 13:50:01 macpro kernel: [ 334.598113] RDX: 0000000000000002 RSI:
0000000000000000 RDI: ffff88036bb79500
Jun 29 13:50:01 macpro kernel: [ 334.598119] RBP: ffff88036a75bbd8 R08:
0000000000000000 R09: 0000000000000000
Jun 29 13:50:01 macpro kernel: [ 334.598126] R10: 0000000000000000 R11:
0a7463656a626f20 R12: ffff88036bb79500
Jun 29 13:50:01 macpro kernel: [ 334.598132] R13: 0000000000000000 R14:
0000000000000002 R15: 0000000000000000
Jun 29 13:50:01 macpro kernel: [ 334.598138] FS: 00007fa70776e700(0000)
GS:ffff88037fc00000(0000) knlGS:0000000000000000
Jun 29 13:50:01 macpro kernel: [ 334.598146] CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
Jun 29 13:50:01 macpro kernel: [ 334.598151] CR2: 0000000000000000 CR3:
000000036fa87000 CR4: 00000000000006f0
Jun 29 13:50:01 macpro kernel: [ 334.598157] DR0: 0000000000000000 DR1:
0000000000000000 DR2: 0000000000000000
Jun 29 13:50:01 macpro kernel: [ 334.598163] DR3: 0000000000000000 DR6:
00000000ffff0ff0 DR7: 0000000000000400
Jun 29 13:50:01 macpro kernel: [ 334.598173] Process modprobe (pid: 8683,
threadinfo ffff88036a75a000, task ffff880369005a40)
Jun 29 13:50:01 macpro kernel: [ 334.598180] Stack:
Jun 29 13:50:01 macpro kernel: [ 334.598183] 000000000000001e
000000000000001e 7865206874697720 5020646574636570
Jun 29 13:50:01 macpro kernel: [ 334.598196] ffff88036a75bb88
ffffffff812b1c0e ffff88036a75bc18 ffffffff812e695f
Jun 29 13:50:01 macpro kernel: [ 334.598208] ffff88036a75bbb8
ffffffff00000030 ffff88036a75bc38 ffffffff8184632e
Jun 29 13:50:01 macpro kernel: [ 334.598221] Call Trace:
Jun 29 13:50:01 macpro kernel: [ 334.598227] [<ffffffff812b1c0e>] ?
acpi_os_vprintf+0x2b/0x2d
Jun 29 13:50:01 macpro kernel: [ 334.598234] [<ffffffff812e695f>] ?
acpi_debug_print+0xf1/0x100
Jun 29 13:50:01 macpro kernel: [ 334.598241] [<ffffffff812da4b0>]
acpi_ns_check_package_list+0x157/0x21a
Jun 29 13:50:01 macpro kernel: [ 334.598249] [<ffffffff812daa7c>]
acpi_ns_check_predefined_names+0x3dd/0x48d
Jun 29 13:50:01 macpro kernel: [ 334.598256] [<ffffffff812b2373>] ?
acpi_os_signal_semaphore+0x5f/0x6f
Jun 29 13:50:01 macpro kernel: [ 334.598263] [<ffffffff812d8886>]
acpi_ns_evaluate+0x32e/0x3b7
Jun 29 13:50:01 macpro kernel: [ 334.598271] [<ffffffff810fd77f>] ?
kmem_cache_alloc+0x8f/0xb0
Jun 29 13:50:01 macpro kernel: [ 334.598278] [<ffffffff812dcc06>]
acpi_evaluate_object+0x1ec/0x34e
Jun 29 13:50:01 macpro kernel: [ 334.598286] [<ffffffff810d80eb>] ?
pcpu_alloc+0x90b/0xa10
Jun 29 13:50:01 macpro kernel: [ 334.598295] [<ffffffffa007157f>]
acpi_processor_preregister_performance+0x10e/0x458 [processor]
Jun 29 13:50:01 macpro kernel: [ 334.598304] [<ffffffff810bc9ad>] ?
jump_label_module_notify+0x7d/0x200
Jun 29 13:50:01 macpro kernel: [ 334.598312] [<ffffffffa0226000>] ?
0xffffffffa0225fff
Jun 29 13:50:01 macpro kernel: [ 334.598319] [<ffffffffa0226082>]
acpi_cpufreq_init+0x82/0xa4 [acpi_cpufreq]
Jun 29 13:50:01 macpro kernel: [ 334.598742] [<ffffffff810001ca>]
do_one_initcall+0x3a/0x160
Jun 29 13:50:01 macpro kernel: [ 334.599278] [<ffffffff810855c6>]
sys_init_module+0xa16/0x1bc0
Jun 29 13:50:01 macpro kernel: [ 334.599811] [<ffffffff81631be2>]
system_call_fastpath+0x16/0x1b
Jun 29 13:50:01 macpro kernel: [ 334.600337] Code: 00 e8 c9 c8 00 00 31 c0 5a
5b 41 5c 41 5d 5d c3 90 55 48 89 e5 41 57 41 56 41 89 d6 41 55 41 89 cd 41 54
53 48 89 fb 48 83 ec 58 <4c> 8b 26 4d 85 e4 75 13 48 89 f1 44 89 ea 44 89 f6 e8
08 0a 00
Jun 29 13:50:01 macpro kernel: [ 334.600970] RIP [<ffffffff812da10e>]
acpi_ns_check_object_type+0x1a/0x1d2
Jun 29 13:50:01 macpro kernel: [ 334.601559] RSP <ffff88036a75bb58>
Jun 29 13:50:01 macpro kernel: [ 334.602130] CR2: 0000000000000000
Jun 29 13:50:01 macpro kernel: [ 334.602838] ---[ end trace 217f289557e3f0cd
]---
--
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
acpi-bugzilla mailing list
acpi-bugzilla@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acpi-bugzilla
