Re: kernel memory corruption in private_data

Hi Stefan,

On Tue, Mar 31, 2020 at 8:07 AM Stefan Reinauer
<stefan.k.reinauer@xxxxxxxxx> wrote:
> My Linux system is now booting and I am trying to write a driver for
> the MNT ZZ9000 graphics card (and network adapter and USB port).

Happy to hear that!

> One of them is that my block device disk structure's private data gets
> partly overwritten (only the pointer to the structures that have the
> pointers to my ioremapped device memory:
>
> The pointer reads back as 0x13f484b9 (instead of e781c9cc where the
> struct really lives).
> (See code and log below: ZZ9000 log)

Sounds like the obfuscated pointer issue: %p does not print the real
pointer value, %px does.

Cfr. commit ad67b74d2469d9b8 ("printk: hash addresses printed with %p").

> [  329.480000] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
> [  329.500000] Unable to handle kernel NULL pointer dereference at
> virtual address 13f484b9

This pointer value is obfuscated.

The values below are un-obfuscated.

> [  329.500000] Oops: 00000000
> [  329.500000] Modules linked in: 8250(O+) 8250_base(O) zz9000(O) affs
> ext4 crc16 mbcache jbd2 crc32c_generic ide_cd_mod cdrom ide_gd_me
> [  329.500000] PC: [<1088fb92>] io_serial_in+0x22/0x36 [8250_base]

Hence if you look at the code at 1088fb92, you can identify which registers
are used to do the bad access, and look up their values below.

Or remove the hashing from lib/vsprintf.c:__ptr_to_hashval() if you're
debugging all the time.

> [  329.500000] SR: 2714  SP: 15fb5dcc  a2: 0dcb1ac0
> [  329.500000] d0: 00000000    d1: ffffffff    d2: 00000000    d3: 0dca120a
> [  329.500000] d4: 10891ca4    d5: 0e192010    a0: 00000000    a1: 00000000
> [  329.500000] Process insmod (pid: 143, task=c63d20d6)
> [  329.500000] Frame format=4 fault addr=00000000 fslw=01450200
> [  329.500000] Stack from 0f50fd50:
> [  329.500000]         1089120a 10853338 00000001 00000000 0dca120a
> 0dd5ec7e 0e199140 00000013
> [  329.500000]         000007f8 10853338 0dd5ec00 10853178 002e247e
> 1085301c 001d6eb0 001d6ef8
> [  329.500000]         10853338 00000001 00000000 0dca120a 0013ce68
> 00051862 10853397 001d6d94
> [  329.500000]         0f50fe78 0dca1200 0e19aef0 0002f740 0f50fe78
> 0f50fdd8 0f50fe78 001e584c
> [  329.500000]         0dca120a 001e58b0 0dca120a 00000000 00000000
> 0013ce68 0e199140 00051862
> [  329.500000]         0e19aef0 1087935a 10853178 10853338 00000002
> 00000000 10879216 0e19aef0
> [  329.500000] Call Trace: [<1089120a>]
> serial8250_config_port+0x70/0x8d4 [8250_base]
> [  329.500000]  [<002e247e>] mutex_lock+0x0/0x34

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
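An added triage helper, written for this page and not part of the thread or of the kernel tree, that applies the advice in the reply above to the quoted oops: it parses the "Unable to handle" header, the PC frame, the register dump and the exception frame, treats the header's address as a hashed %p value when it disagrees with the raw "fault addr=" from the frame, and lists the registers that hold the raw fault address so the instruction at PC can be matched against them. The sample oops text is reconstructed from the lines quoted above (stack dump omitted, wrapped lines re-joined), and the m68k register-dump layout is assumed from that quote.

```python
import re

# Constructed sample input: the m68k oops lines quoted in the thread,
# with the wrapped stack dump omitted and the call-trace lines re-joined.
OOPS = """\
[  329.500000] Unable to handle kernel NULL pointer dereference at virtual address 13f484b9
[  329.500000] Oops: 00000000
[  329.500000] PC: [<1088fb92>] io_serial_in+0x22/0x36 [8250_base]
[  329.500000] SR: 2714  SP: 15fb5dcc  a2: 0dcb1ac0
[  329.500000] d0: 00000000    d1: ffffffff    d2: 00000000    d3: 0dca120a
[  329.500000] d4: 10891ca4    d5: 0e192010    a0: 00000000    a1: 00000000
[  329.500000] Process insmod (pid: 143, task=c63d20d6)
[  329.500000] Frame format=4 fault addr=00000000 fslw=01450200
[  329.500000] Call Trace: [<1089120a>] serial8250_config_port+0x70/0x8d4 [8250_base]
[  329.500000]  [<002e247e>] mutex_lock+0x0/0x34
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # printk timestamp prefix
HEADER = re.compile(r"Unable to handle kernel (.+?) at virtual address ([0-9a-f]+)")
FRAME = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\S+)\])?")
REG = re.compile(r"\b(SR|SP|[ad][0-7]):\s*([0-9a-f]+)")  # m68k register dump layout (assumed from the quote)
FAULT = re.compile(r"fault addr=([0-9a-f]+)")


def frame_to_dict(m):
    """Turn one '[<addr>] sym+0xoff/0xsize [module]' match into a dict."""
    return {
        "addr": int(m.group(1), 16),
        "symbol": m.group(2),
        "offset": int(m.group(3), 16),
        "size": int(m.group(4), 16),
        "module": m.group(5),  # None for core-kernel symbols
    }


def parse_oops(text):
    """Extract the header address, PC frame, registers, raw fault address
    and call trace from an m68k oops."""
    info = {"registers": {}, "trace": [], "pc": None,
            "printed_addr": None, "fault_addr": None}
    for raw in text.splitlines():
        line = TS.sub("", raw)
        m = HEADER.search(line)
        if m:
            info["fault_kind"] = m.group(1)
            # This value came through %p, so it is a per-boot hash, not an address.
            info["printed_addr"] = int(m.group(2), 16)
            continue
        m = FAULT.search(line)
        if m:
            # The exception frame is dumped as a raw hex word: this is the real address.
            info["fault_addr"] = int(m.group(1), 16)
            continue
        if line.startswith("PC:"):
            info["pc"] = frame_to_dict(FRAME.search(line))
            continue
        for m in FRAME.finditer(line):
            info["trace"].append(frame_to_dict(m))
        for m in REG.finditer(line):
            info["registers"][m.group(1)] = int(m.group(2), 16)
    return info


def triage(info):
    """Apply the advice from the thread: ignore the hashed header value,
    take the raw fault address from the frame, and list the registers
    holding it so the instruction at PC can be matched against them."""
    printed, fault = info["printed_addr"], info["fault_addr"]
    hashed = printed is not None and fault is not None and printed != fault
    candidates = sorted(name for name, val in info["registers"].items()
                        if fault is not None and val == fault)
    where = None
    pc = info["pc"]
    if pc:
        where = "%s+0x%x" % (pc["symbol"], pc["offset"])
        if pc["module"]:
            where += " in module %s" % pc["module"]
    return {
        "header_addr_hashed": hashed,
        "fault_addr": fault,
        "candidate_regs": candidates,
        "disassemble_at": where,
    }


if __name__ == "__main__":
    info = parse_oops(OOPS)
    result = triage(info)
    print("header address %08x hashed: %s" % (info["printed_addr"], result["header_addr_hashed"]))
    print("raw fault address: %08x" % result["fault_addr"])
    print("registers holding it: %s" % ", ".join(result["candidate_regs"]))
    print("check the access at: %s" % result["disassemble_at"])
```

For the quoted oops this reports that the header's 13f484b9 is a hash, that the real fault address is 00000000, and that d0, d2, a0 and a1 all hold zero; which of them the faulting instruction actually used still has to be read off the code at io_serial_in+0x22, exactly as the reply suggests.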


