lockdep_assert_held() failing #8

Open
jbagg opened this issue Feb 9, 2018 · 0 comments


jbagg commented Feb 9, 2018

lockdep_assert_held() is failing in ath10k_peer_find_by_id() [txrx.c] when it is called from ath10k_htt_rx_proc_rx_ind_hl() [htt_rx.c]. In ath10k_htt_rx_proc_rx_ind_hl(), struct peer is only used to show a warning if !peer, so should the call to ath10k_peer_find_by_id() maybe be removed, or wrapped with...
spin_lock_bh(&ar->data_lock);
spin_unlock_bh(&ar->data_lock);

Platform = iMX6, sdio, QCA9377
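A user-space model of the mismatch described above, added here as an example and not code from ath10k or the kernel: `peer_find_by_id()` stands in for ath10k_peer_find_by_id() and checks that ar->data_lock is held, `rx_ind_hl()` models the HL rx caller both as reported (no lock) and with the lookup wrapped in spin_lock_bh()/spin_unlock_bh() as the issue proposes. The held-flag stand-in for lockdep, the peer table layout and the sample peer id are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_PEERS 4
struct peer { int peer_id; bool valid; };
struct ar {
    bool data_lock_held;    /* stands in for lockdep's held-lock tracking */
    int lockdep_violations; /* failed lockdep_assert_held() checks */
    struct peer peers[MAX_PEERS];
};
/* Model of lockdep_assert_held(&ar->data_lock): count instead of WARN(). */
static void assert_data_lock_held(struct ar *ar)
{
    if (!ar->data_lock_held)
        ar->lockdep_violations++;
}
/* Models spin_lock_bh()/spin_unlock_bh() on ar->data_lock. */
static void data_lock(struct ar *ar)   { ar->data_lock_held = true; }
static void data_unlock(struct ar *ar) { ar->data_lock_held = false; }
/* ath10k_peer_find_by_id() stand-in: the peer table can be torn down
 * concurrently, so the lookup is only safe with data_lock held. */
static struct peer *peer_find_by_id(struct ar *ar, int peer_id)
{
    assert_data_lock_held(ar);
    for (size_t i = 0; i < MAX_PEERS; i++)
        if (ar->peers[i].valid && ar->peers[i].peer_id == peer_id)
            return &ar->peers[i];
    return NULL;
}
/* HL rx path: locked == false is the reported caller (lookup without the lock,
 * lockdep complains); locked == true wraps it as the issue proposes. As in the
 * driver, the peer is only used to warn when it is missing. */
static bool rx_ind_hl(struct ar *ar, int peer_id, bool locked)
{
    bool found;
    if (locked)
        data_lock(ar);
    found = peer_find_by_id(ar, peer_id) != NULL;
    if (locked)
        data_unlock(ar);
    if (!found)
        fprintf(stderr, "warning: no peer for id %d\n", peer_id);
    return found;
}
/* Constructed sample state: a table holding one valid peer. */
static void ar_init(struct ar *ar, int peer_id)
{
    *ar = (struct ar){ .peers[0] = { .peer_id = peer_id, .valid = true } };
}

int main(void)
{
    struct ar ar;
    ar_init(&ar, 7);
    rx_ind_hl(&ar, 7, false);
    printf("unlocked: %d violation(s)\n", ar.lockdep_violations);
    rx_ind_hl(&ar, 7, true);
    printf("locked:   %d violation(s)\n", ar.lockdep_violations);
    return 0;
}
```

The unlocked call records one violation even though the peer is found; the locked call records none, which is the difference lockdep reports in the real driver.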

erstrom added a commit that referenced this issue Sep 9, 2018
The reason for this patch is to make sure that we can reach the point where
we call ath10k_mac_tx_lock if we have too many pending msdus.

If the lock limit is higher than max_num_pending, we will not reach this
point in the code without this patch.

This patch should be squashed with:

"ath10k: increase TX lock limit for high latency devices"
"ath10k: add htt_tx num_pending window"

It needs more testing, as the following problem occurred when powering
off a NITROGEN6 board:

[ 2444.953411] wlan0: deauthenticating from 60:38:e0:c7:6b:3a by local choice (Reason: 3=DEAUTH_LEAVING)
[ 2444.976335] Unable to handle kernel NULL pointer dereference at virtual address 00000004
[ 2444.984658] pgd = 11e5d79d
[ 2444.987384] [00000004] *pgd=00000000
[ 2444.990987] Internal error: Oops: 817 [#1] SMP ARM
[ 2444.995789] Modules linked in: ath10k_sdio ath10k_core ath coda imx_vdoa v4l2_mem2mem videobuf2_vmalloc dw_hdmi_ahb_audio evbug
[ 2445.007332] CPU: 0 PID: 89 Comm: irq/64-mmc0 Not tainted 4.18.0-wt-ath+ #8
[ 2445.014213] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[ 2445.020757] PC is at ieee80211_tx_dequeue+0x4c4/0xb64
[ 2445.025825] LR is at lock_is_held_type+0x48/0x6c
[ 2445.030451] pc : [<c0bbd5a8>]    lr : [<c0182df8>]    psr: 600f0013
[ 2445.036723] sp : e2ea3d18  ip : e2ea3cc8  fp : e2ea3dbc
[ 2445.041954] r10: e276c0d0  r9 : e276d740  r8 : e276e000
[ 2445.047187] r7 : 00000000  r6 : e276c000  r5 : df801c38  r4 : e09c4aa8
[ 2445.053722] r3 : 00000010  r2 : 00000000  r1 : 00000000  r0 : e276c008
[ 2445.060258] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[ 2445.067401] Control: 10c5387d  Table: 2f4dc04a  DAC: 00000051
[ 2445.073156] Process irq/64-mmc0 (pid: 89, stack limit = 0x1fa91abb)
[ 2445.079430] Stack: (0xe2ea3d18 to 0xe2ea4000)
[ 2445.280279] Backtrace:
[ 2445.282897] [<c0bbd0e4>] (ieee80211_tx_dequeue) from [<bf05d22c>] (ath10k_mac_tx_push_txq+0x7c/0x218 [ath10k_core])
[ 2445.293344]  r10:e276d768 r9:df800640 r8:00000000 r7:df801d30 r6:df801420 r5:df801c38
[ 2445.301179]  r4:e276c0d0
[ 2445.303948] [<bf05d1b0>] (ath10k_mac_tx_push_txq [ath10k_core]) from [<bf05d564>] (ath10k_mac_tx_push_pending+0x19c/0x254 [ath10k_core])
[ 2445.316219]  r10:00000000 r9:0000000f r8:df8022e0 r7:df801420 r6:e276c0d0 r5:df800640
[ 2445.324056]  r4:e276c0dc
[ 2445.326721] [<bf05d3c8>] (ath10k_mac_tx_push_pending [ath10k_core]) from [<bf0c8ec8>] (ath10k_sdio_irq_handler+0xa0/0x3d0 [ath10k_sdio])
[ 2445.338990]  r10:00000001 r9:00036cf2 r8:00180200 r7:df801420 r6:00000000 r5:df882420
[ 2445.346826]  r4:df88314c
[ 2445.349384] [<bf0c8e28>] (ath10k_sdio_irq_handler [ath10k_sdio]) from [<c0853214>] (process_sdio_pending_irqs+0x4c/0x1bc)
[ 2445.360349]  r10:00000001 r9:e2e57e80 r8:e285b200 r7:00000001 r6:e2e81000 r5:c1208908
[ 2445.368184]  r4:e2e5a000
[ 2445.370732] [<c08531c8>] (process_sdio_pending_irqs) from [<c08533d0>] (sdio_run_irqs+0x4c/0x68)
[ 2445.379527]  r10:00000001 r9:e2e57e80 r8:e285b200 r7:00000001 r6:e2e5a648 r5:00000100
[ 2445.387362]  r4:e2e5a000
[ 2445.389911] [<c0853384>] (sdio_run_irqs) from [<c085e64c>] (sdhci_thread_irq+0x80/0xbc)
[ 2445.397921]  r5:00000100 r4:e2e5a480
[ 2445.401513] [<c085e5cc>] (sdhci_thread_irq) from [<c019804c>] (irq_thread_fn+0x2c/0x64)
[ 2445.409524]  r7:00000001 r6:e2e57ea4 r5:e285b200 r4:e2e57e80
[ 2445.415197] [<c0198020>] (irq_thread_fn) from [<c01983ac>] (irq_thread+0x168/0x24c)
[ 2445.422861]  r7:00000001 r6:e2e57ea4 r5:00000000 r4:ffffe000
[ 2445.428535] [<c0198244>] (irq_thread) from [<c015544c>] (kthread+0x154/0x16c)
[ 2445.435680]  r10:e227dc00 r9:c0198244 r8:e2e57e80 r7:e2ea2000 r6:e2e88000 r5:e2744780
[ 2445.443515]  r4:00000000
[ 2445.446063] [<c01552f8>] (kthread) from [<c01010b4>] (ret_from_fork+0x14/0x20)
[ 2445.453291] Exception stack(0xe2ea3fb0 to 0xe2ea3ff8)
[ 2445.491726] Code: e1560003 e1c820d0 0a000006 e3a01000 (e5823004)
[ 2445.497883] ---[ end trace 0e11545f0f62060d ]---
[ 2445.502511] Kernel panic - not syncing: Fatal exception in interrupt
[ 2446.097360] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com>
erstrom pushed a commit that referenced this issue May 19, 2019
Syzkaller reported this:

  sysctl could not get directory: /net//bridge -12
  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN PTI
  CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
  RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
  RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
  RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
  RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
  Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
  RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
  RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
  RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
  RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
  R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  FS:  00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   erase_entry fs/proc/proc_sysctl.c:178 [inline]
   erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
   start_unregistering fs/proc/proc_sysctl.c:331 [inline]
   drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
   get_subdir fs/proc/proc_sysctl.c:1022 [inline]
   __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
   br_netfilter_init+0x68/0x1000 [br_netfilter]
   do_one_initcall+0xbc/0x47d init/main.c:901
   do_init_module+0x1b5/0x547 kernel/module.c:3456
   load_module+0x6405/0x8c10 kernel/module.c:3804
   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe
  Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
   iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
  Dumping ftrace buffer:
     (ftrace buffer empty)
  ---[ end trace 68741688d5fbfe85 ]---

commit 23da958 ("fs/proc/proc_sysctl.c: fix NULL pointer
dereference in put_links") forgot to handle the start_unregistering() case:
when header->parent is NULL, it calls erase_header() and, as seen in the
above syzkaller call trace, accessing &header->parent->root will trigger
a NULL pointer dereference.

As that commit explained, there is also no need to call
start_unregistering() if header->parent is NULL.

Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
Fixes: 23da958 ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
Fixes: 0e47c99 ("sysctl: Replace root_list with links between sysctl_table_sets")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>