Closed mad-jsanjuan closed 1 year ago
VME4L gives a kernel NULL pointer dereference when unloading MDIS kernel modules.
When doing:
$ sudo modprobe -r men_ll_m33_sw men_bb_a203n_sw men_ll_m47_sw men_id_sw men_mdis_kernel men_bbis_kernel men_desc men_pldz002_cham men_lx_chameleon men_chameleon_io men_chameleon
We can see this in dmesg:
[ 535.447802] MEN men_chameleon cleanup_module
[ 535.479722] MEN men_chameleon_io cleanup_module
[ 535.507787] MEN men_oss cleanup_module
[ 535.535704] MEN men_dbg cleanup_module
[ 535.555720] vme4l_exit_module
[ 535.556024] vme4l_discard_adrswin spc=6 vmeAddr=0x0 sz=0x1000000 phys=000000005cecb148 flg=0x0
[ 535.556033] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 535.568667] #PF: supervisor read access in kernel mode
[ 535.579056] #PF: error_code(0x0000) - not-present page
[ 535.589243] PGD 0 P4D 0
[ 535.596351] Oops: 0000 [#1] SMP PTI
[ 535.604417] CPU: 4 PID: 12140 Comm: modprobe Tainted: G W OE 5.15.0-67-generic #74-Ubuntu
[ 535.622814] Hardware name: MEN Mikro Elektronik GmbH G25A/n/a, BIOS 1.02 02/10/2017
[ 535.639317] RIP: 0010:do_free_adrswin.isra.0+0x41/0x180 [men_vme4l_core]
[ 535.650715] Code: 4c 36 c1 c0 53 89 f3 e8 ad 94 da d3 84 db 0f 85 1f 01 00 00 48 8b 05 36 a8 00 00 49 8b 4c 24 20 49 8b 54 24 18 41 8b 74 24 10 <48> 8b 40 20 4d 8b 4c 24 48 45 8b 44 24 34 48 8b 3d 0a a8 00 00 e8
[ 535.683166] RSP: 0018:ffffb07880bffde0 EFLAGS: 00010246
[ 535.692898] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000001000000
[ 535.704762] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffffc0c1364c
[ 535.716587] RBP: ffffb07880bffe08 R08: 0000000000000003 R09: fffffffffffdf100
[ 535.728375] R10: 0000000000ffff10 R11: 000000000000000f R12: ffffffffc0c13a80
[ 535.740148] R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
[ 535.751894] FS: 00007fc54d287c40(0000) GS:ffff9f5b37d00000(0000) knlGS:0000000000000000
[ 535.768250] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 535.778304] CR2: 0000000000000020 CR3: 000000010b0cc006 CR4: 00000000003706e0
[ 535.789909] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 535.801596] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 535.813251] Call Trace:
[ 535.819574] <TASK>
[ 535.825470] vme4l_cleanup+0xe1/0x144 [men_vme4l_core]
[ 535.834678] vme4l_cleanup_module+0x15/0x2d2 [men_vme4l_core]
[ 535.844459] __do_sys_delete_module.constprop.0+0x187/0x290
[ 535.854025] ? syscall_exit_to_user_mode+0x27/0x50
[ 535.862708] ? __x64_sys_close+0x11/0x50
[ 535.870383] __x64_sys_delete_module+0x12/0x20
[ 535.878593] do_syscall_64+0x5c/0xc0
[ 535.885770] ? syscall_exit_to_user_mode+0x27/0x50
[ 535.894267] ? __x64_sys_read+0x19/0x20
[ 535.901601] ? do_syscall_64+0x69/0xc0
[ 535.908725] ? syscall_exit_to_user_mode+0x27/0x50
[ 535.916911] ? do_syscall_64+0x69/0xc0
[ 535.923912] ? do_syscall_64+0x69/0xc0
[ 535.930779] ? do_syscall_64+0x69/0xc0
[ 535.937638] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 535.945635] RIP: 0033:0x7fc54d3afc9b
[ 535.951948] Code: 73 01 c3 48 8b 0d 95 21 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 65 21 0f 00 f7 d8 64 89 01 48
[ 535.980344] RSP: 002b:00007fff29202088 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 535.993920] RAX: ffffffffffffffda RBX: 00005614d8a3d0d0 RCX: 00007fc54d3afc9b
[ 536.004527] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005614d8a3d138
[ 536.015084] RBP: 00005614d8a3d0d0 R08: 0000000000000000 R09: 0000000000000000
[ 536.025674] R10: 00007fc54d447ac0 R11: 0000000000000206 R12: 00005614d8a3d138
[ 536.036209] R13: 0000000000000000 R14: 00005614d8a439b8 R15: 0000000000000000
[ 536.046558] </TASK>
[ 536.051347] Modules linked in: men_vme4l_core(OE-) intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm mei_me ioatdma rapl mei intel_cstate dca binfmt_misc mac_hid acpi_pad sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ipmi_devintf ipmi_msghandler msr ramoops reed_solomon mtd pstore_blk pstore_zone drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd gpio_ich mxm_wmi i2c_i801 xhci_pci cryptd e1000e lpc_ich xhci_pci_renesas i2c_smbus wmi [last unloaded: men_dbg]
[ 536.151667] CR2: 0000000000000020
[ 536.157940] ---[ end trace b1ad45002963a945 ]---
[ 536.165717] RIP: 0010:do_free_adrswin.isra.0+0x41/0x180 [men_vme4l_core]
[ 536.175814] Code: 4c 36 c1 c0 53 89 f3 e8 ad 94 da d3 84 db 0f 85 1f 01 00 00 48 8b 05 36 a8 00 00 49 8b 4c 24 20 49 8b 54 24 18 41 8b 74 24 10 <48> 8b 40 20 4d 8b 4c 24 48 45 8b 44 24 34 48 8b 3d 0a a8 00 00 e8
[ 536.205189] RSP: 0018:ffffb07880bffde0 EFLAGS: 00010246
[ 536.214149] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000001000000
[ 536.225373] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffffc0c1364c
[ 536.236433] RBP: ffffb07880bffe08 R08: 0000000000000003 R09: fffffffffffdf100
[ 536.247435] R10: 0000000000ffff10 R11: 000000000000000f R12: ffffffffc0c13a80
[ 536.258286] R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
[ 536.269191] FS: 00007fc54d287c40(0000) GS:ffff9f5b37d00000(0000) knlGS:0000000000000000
[ 536.283943] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 536.293234] CR2: 0000000000000020 CR3: 000000010b0cc006 CR4: 00000000003706e0
[ 536.304164] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 536.315122] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
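The oops above faults in do_free_adrswin with RAX == 0 and the faulting instruction reading offset 0x20 from it (CR2 = 0x20), i.e. a pointer loaded from a module global is NULL while the core is still discarding address windows during module exit. The following is an added, user-space model of that cleanup-ordering failure mode, written for this page and not taken from the MDIS or VME4L sources; every name in it (bridge, bridge_ops, adrswin, free_adrswin_checked, cleanup_windows, scenario) is hypothetical, and the reading that a bridge driver was unregistered before the core is an assumption, not something the report states. It shows the unchecked pattern beside a variant whose cleanup tolerates an already-unregistered bridge.

```c
/* Added example, not code from the MDIS/VME4L sources. User-space model of a
 * driver core that frees its address windows at module exit through a
 * module-global pointer to a bridge driver. If the bridge driver was
 * unregistered first (assumed here), that pointer is NULL and the unchecked
 * free dereferences it. All names below are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct bridge_ops {
    int (*release_window)(int spc, unsigned long vme_addr, size_t sz);
};

struct bridge {
    const char *name;
    const struct bridge_ops *ops;   /* field read through the global pointer */
};

struct adrswin {
    int spc;                        /* VME address space id */
    unsigned long vme_addr;         /* window base on the VME bus */
    size_t sz;                      /* window size in bytes */
    bool in_use;
};

/* Module-global bridge pointer: set on bridge registration, cleared on
 * unregistration. Reading it after it has been cleared is the bug. */
static struct bridge *g_bridge;

static int model_release(int spc, unsigned long vme_addr, size_t sz)
{
    (void)spc; (void)vme_addr; (void)sz;   /* no real hardware in the model */
    return 0;
}
static const struct bridge_ops model_ops = { .release_window = model_release };
static struct bridge model_bridge = { .name = "model-bridge", .ops = &model_ops };

void register_bridge(struct bridge *b) { g_bridge = b; }
void unregister_bridge(void)          { g_bridge = NULL; }

/* Unchecked variant: same shape as the oops (load the global, dereference a
 * field at a small offset). With g_bridge == NULL this faults. */
int free_adrswin_unchecked(struct adrswin *w)
{
    int rv = g_bridge->ops->release_window(w->spc, w->vme_addr, w->sz);
    w->in_use = false;
    return rv;
}

/* Checked variant: if the bridge is already gone, skip the hardware release
 * (the bridge driver tore its side down) but still drop the bookkeeping. */
int free_adrswin_checked(struct adrswin *w)
{
    if (!w->in_use)
        return 0;
    if (!g_bridge || !g_bridge->ops || !g_bridge->ops->release_window) {
        w->in_use = false;
        return -ENODEV;
    }
    int rv = g_bridge->ops->release_window(w->spc, w->vme_addr, w->sz);
    w->in_use = false;
    return rv;
}

/* Module-exit walk over the window table. Returns how many windows had their
 * hardware release skipped; 0 means the bridge was present throughout. */
int cleanup_windows(struct adrswin *wins, size_t n)
{
    int skipped = 0;
    for (size_t i = 0; i < n; i++)
        if (free_adrswin_checked(&wins[i]) == -ENODEV)
            skipped++;
    return skipped;
}

/* Runs one teardown with the bridge present or already unregistered and
 * returns the skipped-window count. The table is constructed; the first
 * entry mirrors the spc/sz the report prints for the discarded window. */
int scenario(bool bridge_present)
{
    struct adrswin wins[2] = {
        { .spc = 6, .vme_addr = 0x0,       .sz = 0x1000000, .in_use = true  },
        { .spc = 6, .vme_addr = 0x1000000, .sz = 0x1000000, .in_use = false },
    };
    register_bridge(&model_bridge);
    if (!bridge_present)
        unregister_bridge();        /* bridge driver removed before the core */
    return cleanup_windows(wins, 2);
}

int main(void)
{
    printf("bridge present: %d skipped\n", scenario(true));
    printf("bridge gone:    %d skipped\n", scenario(false));
    return 0;
}
```

The check is deliberately on the global and on each pointer reached through it, because the oops shows the fault one hop past the global (offset 0x20), so guarding only the global would not cover a bridge whose ops table was already torn down. In a real driver the same idea is usually enforced by making the core hold a reference on the bridge (or by module dependency ordering) so the bridge cannot disappear while windows are still allocated; the NULL check is the minimal defensive fallback for the unload path.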