Re: PROBLEM: NULL pointer dereference in acpi_ns_check_object_type()

[Vlastimil Babka <caster@xxxxxxxxxx>]

On 07/02/2012 09:59 PM, Moore, Robert wrote:
> I was able to reproduce the problem here with your ACPI tables.
>
> Will look at your patch, and get back to you.

Thanks.

> You should probably open a bugzilla on this.

Done: bug 44171

https://bugzilla.kernel.org/show_bug.cgi?id=44171

> Thanks,
> Bob
>
>
> > -----Original Message-----
> > From: linux-acpi-owner@xxxxxxxxxxxxxxx [mailto:linux-acpi-
> > owner@xxxxxxxxxxxxxxx] On Behalf Of Vlastimil Babka
> > Sent: Monday, July 02, 2012 1:45 AM
> > To: linux-acpi@xxxxxxxxxxxxxxx
> > Subject: PROBLEM: NULL pointer dereference in
> > acpi_ns_check_object_type()
> >
> > Hello,
> >
> > I've been experiencing kernel panic with NULL pointer dereference in
> > acpi_ns_check_object_type since kernel 3.4 on a MacPro machine.
> >
> > By recompiling as much of ACPI as possible as modules, I was able to
> > get the system running and postpone the error until doing 'modprobe
> > acpi-cpufreq', which now results in oops, not panic. The log is
> > attached as error.log.
> >
> > By bisecting linus tree between 3.3 and 3.4, I found the guilty commit
> > 6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9
> > "ACPICA: Object repair code: Support to add Package wrappers" [1]
> > However this patch does not directly touch the functions in the stack
> > trace.
> >
> > Next I created a kdump of the oops, and looked around with gdb.
> > - In acpi_ns_check_package(), the null pointer is in the parameter
> > return_object_ptr, which is dereferenced when initializing the variable
> > return_object.
> > - The calling function acpi_ns_check_package_list() is in the 'case
> > ACPI_PTYPE2_COUNT:' part, the passed null pointer is in the
> > sub_elements variable.
> > - Before the switch, sub_elements is initialized like this:
> >
> >    sub_elements = sub_package->package.elements
> >
> >    interestingly, in the crashdump, sub_elements is null, but
> >    sub_package->package.elements is non-null
> >
> > I've added some printk's and verified that the call of  status =
> > acpi_ns_check_object_type(data, &sub_package,
> > 				   ACPI_RTYPE_PACKAGE, i);
> >
> >   makes sub_package->package.elements become non-null, but sub_elements
> > was already initialized before this call and remains null.
> >
> > The above led me to create the attached patch which simply moves the
> > initialization of sub_elements after the sub_package check. I think
> > it's this check that results in the Integer to Package
> > conversion/wrapping.
> >
> > After this patch, the null pointer dereference is gone, but the debug
> > output of ACPI (acpi.debug_layer=0xffffffff
> > acpi.debug_level=0x00000008) shows that something is probably still
> > wrong:
> >
> > [    1.353677] nsrepair-0681 [4294967287] ns_wrap_with_package  :
> > \_PR_.CPU0._PSD: Wrapped Integer with expected Package object
> > [    1.353869] nsrepair-0681 [4294967287] ns_wrap_with_package  :
> > \_PR_.CPU0._PSD: Wrapped Integer with expected Package object
> > [    1.354059] ACPI Warning: For \_PR_.CPU0._PSD: Return Sub-Package[0]
> > is too small - found 1 elements, expected 5 (20120320/nspredef-905)
> > [    1.354253] ACPI: Invalid package argument
> > [    1.354322] ACPI: Invalid _PSD data
> > ... (the same for other CPUx)
> >
> >
> > In comparison, 3.3 kernel with same acpi debug options shows only stuff
> > like:
> > [    1.494238] nsrepair-0728 [4294967287] ns_repair_package_list:
> > \_PR_.CPU0._PSD: Repaired incorrectly formed Package
> > [    1.494449] nsrepair-0728 [4294967287] ns_repair_package_list:
> > \_PR_.CPU2._PSD: Repaired incorrectly formed Package
> > [    1.494657] nsrepair-0728 [4294967287] ns_repair_package_list:
> > \_PR_.CPU4._PSD: Repaired incorrectly formed Package ... (the same for
> > other CPUx)
> >
> > Since I don't know much about this subsystem, I figured that I should
> > just report my findings at this point. The patched system is usable,
> > but I guess it's not a complete fix.
> >
> > I also attach the output of acpidump. I hope I didn't forget anything
> > important, please ask for more information if needed.
> >
> > Thanks,
> > Vlastimil Babka
> >
> > [1]
> > git.kernel.org/?p=linux/kernel/git/torvalds/linux-
> > 2.6.git;a=commit;h=6a99b1c94d053b3420eaa4a4bc8b2883dd90a2f9
>
> N�����r��y���b�X��ǧv�^�)޺{.n�+����{�i�b�{ay�ʇڙ�,j��f���h���z��w������j:+v���w�j�m��������zZ+��ݢj"��!tml=


--
To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html