MEN-Mikro-Elektronik / 13MD05-90

MDIS5 System Package for Linux (including drivers)

vme4l: vme_core: NULL pointer dereference when unloading modules #284

Closed mad-jsanjuan closed 1 year ago

mad-jsanjuan commented 1 year ago

VME4L gives a kernel NULL pointer dereference when unloading MDIS kernel modules.

When doing:

$ sudo modprobe -r men_ll_m33_sw men_bb_a203n_sw men_ll_m47_sw men_id_sw men_mdis_kernel men_bbis_kernel men_desc men_pldz002_cham men_lx_chameleon men_chameleon_io men_chameleon

We can see this in dmesg:

[  535.447802] MEN men_chameleon cleanup_module
[  535.479722] MEN men_chameleon_io cleanup_module
[  535.507787] MEN men_oss cleanup_module
[  535.535704] MEN men_dbg cleanup_module
[  535.555720] vme4l_exit_module
[  535.556024] vme4l_discard_adrswin spc=6 vmeAddr=0x0 sz=0x1000000 phys=000000005cecb148 flg=0x0
[  535.556033] BUG: kernel NULL pointer dereference, address: 0000000000000020
[  535.568667] #PF: supervisor read access in kernel mode
[  535.579056] #PF: error_code(0x0000) - not-present page
[  535.589243] PGD 0 P4D 0 
[  535.596351] Oops: 0000 [#1] SMP PTI
[  535.604417] CPU: 4 PID: 12140 Comm: modprobe Tainted: G        W  OE     5.15.0-67-generic #74-Ubuntu
[  535.622814] Hardware name: MEN Mikro Elektronik GmbH G25A/n/a, BIOS 1.02 02/10/2017
[  535.639317] RIP: 0010:do_free_adrswin.isra.0+0x41/0x180 [men_vme4l_core]
[  535.650715] Code: 4c 36 c1 c0 53 89 f3 e8 ad 94 da d3 84 db 0f 85 1f 01 00 00 48 8b 05 36 a8 00 00 49 8b 4c 24 20 49 8b 54 24 18 41 8b 74 24 10 <48> 8b 40 20 4d 8b 4c 24 48 45 8b 44 24 34 48 8b 3d 0a a8 00 00 e8
[  535.683166] RSP: 0018:ffffb07880bffde0 EFLAGS: 00010246
[  535.692898] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000001000000
[  535.704762] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffffc0c1364c
[  535.716587] RBP: ffffb07880bffe08 R08: 0000000000000003 R09: fffffffffffdf100
[  535.728375] R10: 0000000000ffff10 R11: 000000000000000f R12: ffffffffc0c13a80
[  535.740148] R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
[  535.751894] FS:  00007fc54d287c40(0000) GS:ffff9f5b37d00000(0000) knlGS:0000000000000000
[  535.768250] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  535.778304] CR2: 0000000000000020 CR3: 000000010b0cc006 CR4: 00000000003706e0
[  535.789909] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  535.801596] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  535.813251] Call Trace:
[  535.819574]  <TASK>
[  535.825470]  vme4l_cleanup+0xe1/0x144 [men_vme4l_core]
[  535.834678]  vme4l_cleanup_module+0x15/0x2d2 [men_vme4l_core]
[  535.844459]  __do_sys_delete_module.constprop.0+0x187/0x290
[  535.854025]  ? syscall_exit_to_user_mode+0x27/0x50
[  535.862708]  ? __x64_sys_close+0x11/0x50
[  535.870383]  __x64_sys_delete_module+0x12/0x20
[  535.878593]  do_syscall_64+0x5c/0xc0
[  535.885770]  ? syscall_exit_to_user_mode+0x27/0x50
[  535.894267]  ? __x64_sys_read+0x19/0x20
[  535.901601]  ? do_syscall_64+0x69/0xc0
[  535.908725]  ? syscall_exit_to_user_mode+0x27/0x50
[  535.916911]  ? do_syscall_64+0x69/0xc0
[  535.923912]  ? do_syscall_64+0x69/0xc0
[  535.930779]  ? do_syscall_64+0x69/0xc0
[  535.937638]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[  535.945635] RIP: 0033:0x7fc54d3afc9b
[  535.951948] Code: 73 01 c3 48 8b 0d 95 21 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 65 21 0f 00 f7 d8 64 89 01 48
[  535.980344] RSP: 002b:00007fff29202088 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[  535.993920] RAX: ffffffffffffffda RBX: 00005614d8a3d0d0 RCX: 00007fc54d3afc9b
[  536.004527] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005614d8a3d138
[  536.015084] RBP: 00005614d8a3d0d0 R08: 0000000000000000 R09: 0000000000000000
[  536.025674] R10: 00007fc54d447ac0 R11: 0000000000000206 R12: 00005614d8a3d138
[  536.036209] R13: 0000000000000000 R14: 00005614d8a439b8 R15: 0000000000000000
[  536.046558]  </TASK>
[  536.051347] Modules linked in: men_vme4l_core(OE-) intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm mei_me ioatdma rapl mei intel_cstate dca binfmt_misc mac_hid acpi_pad sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ipmi_devintf ipmi_msghandler msr ramoops reed_solomon mtd pstore_blk pstore_zone drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd gpio_ich mxm_wmi i2c_i801 xhci_pci cryptd e1000e lpc_ich xhci_pci_renesas i2c_smbus wmi [last unloaded: men_dbg]
[  536.151667] CR2: 0000000000000020
[  536.157940] ---[ end trace b1ad45002963a945 ]---
[  536.165717] RIP: 0010:do_free_adrswin.isra.0+0x41/0x180 [men_vme4l_core]
[  536.175814] Code: 4c 36 c1 c0 53 89 f3 e8 ad 94 da d3 84 db 0f 85 1f 01 00 00 48 8b 05 36 a8 00 00 49 8b 4c 24 20 49 8b 54 24 18 41 8b 74 24 10 <48> 8b 40 20 4d 8b 4c 24 48 45 8b 44 24 34 48 8b 3d 0a a8 00 00 e8
[  536.205189] RSP: 0018:ffffb07880bffde0 EFLAGS: 00010246
[  536.214149] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000001000000
[  536.225373] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffffc0c1364c
[  536.236433] RBP: ffffb07880bffe08 R08: 0000000000000003 R09: fffffffffffdf100
[  536.247435] R10: 0000000000ffff10 R11: 000000000000000f R12: ffffffffc0c13a80
[  536.258286] R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
[  536.269191] FS:  00007fc54d287c40(0000) GS:ffff9f5b37d00000(0000) knlGS:0000000000000000
[  536.283943] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  536.293234] CR2: 0000000000000020 CR3: 000000010b0cc006 CR4: 00000000003706e0
[  536.304164] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  536.315122] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
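As an added triage helper (not part of this issue or of the MDIS project), the Python below parses the oops quoted above: it extracts the faulting address, the RIP symbol and module, the taint flags and the reliable call-trace frames, then decodes the instruction at the `<48>` marker and checks that RAX plus its displacement equals the fault address, which is the signature of a struct field at offset 0x20 being read through a NULL pointer. The embedded excerpt is constructed from the report's own lines, and the opcode decoder is deliberately limited to the `mov r64, [base+disp8]` form.

```python
import re

# Constructed excerpt of the oops quoted in the report above: only the lines
# this triage helper needs, with the values copied from the issue text.
OOPS = """\
[  535.556033] BUG: kernel NULL pointer dereference, address: 0000000000000020
[  535.604417] CPU: 4 PID: 12140 Comm: modprobe Tainted: G        W  OE     5.15.0-67-generic #74-Ubuntu
[  535.639317] RIP: 0010:do_free_adrswin.isra.0+0x41/0x180 [men_vme4l_core]
[  535.650715] Code: 4c 36 c1 c0 53 89 f3 e8 ad 94 da d3 84 db 0f 85 1f 01 00 00 48 8b 05 36 a8 00 00 49 8b 4c 24 20 49 8b 54 24 18 41 8b 74 24 10 <48> 8b 40 20 4d 8b 4c 24 48 45 8b 44 24 34 48 8b 3d 0a a8 00 00 e8
[  535.692898] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000001000000
[  535.825470]  vme4l_cleanup+0xe1/0x144 [men_vme4l_core]
[  535.834678]  vme4l_cleanup_module+0x15/0x2d2 [men_vme4l_core]
"""

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_mov_load(code):
    # Only "REX.W mov r64, [base+disp8]" (opcode 8b, ModRM mod=01) is decoded.
    if len(code) < 4 or not 0x48 <= code[0] <= 0x4F or code[1] != 0x8B:
        return None
    mod, rm = code[2] >> 6, code[2] & 7
    if mod != 1 or rm == 4:              # rm=4 would need a SIB byte
        return None
    base = REGS[rm + 8 * (code[0] & 1)]  # REX.B extends the base register
    disp = code[3] - 256 if code[3] > 127 else code[3]
    return base, disp


def parse_oops(text):
    # Drop the "[  535.xxxxxx] " dmesg timestamp prefix, keeping the indent.
    body = "\n".join(re.sub(r"^\[\s*[\d.]+\] ", "", l) for l in text.splitlines())
    bug = re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", body)
    rip = re.search(r"RIP: 0010:(\S+?)\+0x([0-9a-f]+)/0x[0-9a-f]+ \[(\w+)\]", body)
    taint = re.search(r"Tainted:\s+(.+?)\s+\S+ #", body)
    code = re.search(r"Code: .*?<([0-9a-f]{2})> ((?:[0-9a-f]{2} ?)+)", body)
    regs = {k.lower(): int(v, 16)
            for k, v in re.findall(r"\b(R[A-Z0-9]{1,2}): ([0-9a-f]{16})", body)}
    load = decode_mov_load(bytes.fromhex(code.group(1) + code.group(2).replace(" ", "")))
    fault = int(bug.group(1), 16)
    return {
        "fault_addr": fault,
        "function": rip.group(1), "offset": int(rip.group(2), 16), "module": rip.group(3),
        "taint": re.findall(r"[A-Z]", taint.group(1)),  # O+E: out-of-tree, unsigned
        "regs": regs, "load": load,
        # Consistent if base register + displacement equals the faulting address.
        "consistent": load is not None and regs.get(load[0], -1) + load[1] == fault,
        # Reliable frames only ("? ..." guesses have a space before '+0x').
        "trace": re.findall(r"^ (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+", body, re.M),
    }
```

A `consistent` result of `True` with RAX == 0 tells the reader the crash is a plain NULL-base field read in `do_free_adrswin`, not a wild or use-after-free pointer, which narrows where to look in the cleanup path.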