| Summary: | DAHLIN-00398: NULL pointer de-ref | ||
| Reporter: | Harald Welte (laforge) | Labels: | patch |
| Date Opened: | 2022-04-16 06:46:25 | Date Closed: | |
| Priority: | Critical | Regression? | No |
| Status: | Triage/New | Components: | dahdi (the module) |
| Versions: | 2.11.1 3.0.1 3.1.0 | Frequency of Occurrence | Occasional |
| Related Issues: | |||
| Environment: | Attachments: | ( 0) 0001-Fix-NULL-pointer-dereference-for-pseudo-channels.patch | |
| Description: | [83851.069345] BUG: kernel NULL pointer dereference, address: 0000000000000084
[83851.070440] #PF: supervisor read access in kernel mode [83851.071289] #PF: error_code(0x0000) - not-present page [83851.072217] PGD 0 P4D 0 [83851.072750] Oops: 0000 [#1] SMP NOPTI [83851.073407] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G OE 5.10.0-13-amd64 #1 Debian 5.10.106-1 [83851.074750] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 [83851.075933] RIP: 0010:__putbuf_chunk.constprop.0+0x87c/0x8c0 [dahdi] [83851.076925] Code: 3f 82 c8 48 8b 7c 24 08 e9 f7 f8 ff ff be 1d 00 00 00 48 89 df e8 b4 d2 ff ff e9 06 fe ff ff 48 8b 34 24 48 8b 96 a0 01 00 00 <8b> 8a 84 00 00 00 85 c9 0f 84 23 f7 00 00 c7 83 9c 08 00 00 00 00 [83851.079604] RSP: 0018:ffffc38dc0120d08 EFLAGS: 00010046 [83851.080498] RAX: 0000000000000000 RBX: ffff9fa081f57000 RCX: 0000000000000200 [83851.081612] RDX: 0000000000000000 RSI: ffff9fa081f57000 RDI: 0000000000000000 [83851.082727] RBP: ffff9fa08307a158 R08: ffff9fa081f58000 R09: 000000008307a158 [83851.083845] R10: 0000000000000018 R11: 000000000000001e R12: 0000000000000000 [83851.084972] R13: 0000000000000000 R14: 0000000000000019 R15: 000000000000000a [83851.086099] FS: 0000000000000000(0000) GS:ffff9fa0fbd80000(0000) knlGS:0000000000000000 [83851.087343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83851.088323] CR2: 0000000000000084 CR3: 0000000102898001 CR4: 0000000000770ee0 [83851.089473] PKRU: 55555554 [83851.090122] Call Trace: [83851.090743] <IRQ> [83851.091310] ? try_to_wake_up+0x1d1/0x4f0 [83851.092106] __dahdi_receive_chunk+0x7e/0x1120 [dahdi] [83851.093031] ? pollwake+0x74/0x90 [83851.093750] _dahdi_receive+0x28d/0x350 [dahdi] [83851.094600] td_d_sync_tick+0x13d/0x1a0 [dahdi_trunkdev] [83851.095540] _process_masterspan+0x5fc/0x680 [dahdi] [83851.096440] _dahdi_receive+0x332/0x350 [dahdi] [83851.097291] ? try_to_wake_up+0x1d1/0x4f0 [83851.098078] t4_prep_gen2+0xc4/0x110 [wct4xxp] [83851.098910] t4_interrupt_gen2+0xb4/0x430 [wct4xxp] [83851.099791] __handle_irq_event_percpu+0x3d/0x160 [83851.100654] handle_irq_event+0x57/0xb0 [83851.101416] handle_fasteoi_irq+0x78/0x1c0 [83851.102204] asm_call_irq_on_stack+0x12/0x20 [83851.103009] </IRQ> [83851.103570] common_interrupt+0xb0/0x130 [83851.104337] asm_common_interrupt+0x1e/0x40 Some more debugging in https://osmocom.org/issues/5531 - we can see that the culprit is the unconditional ss->span->alarms de-reference in __putbuf_chunk on a Pseudo channel. Pseudo channels are characterized by the fact that they have their span member set to NULL. This is illustrated by the is_pseudo_chan() function. However, when using RXMIRROR/TXMIRROR, __putbuf_chunk() is called not just on the real channel, but also on the mirror (pseudo) channel. Hence, __putbuf_chunk() and friends must not dereference the ->span member without first checking that this channel actually does have a non-NULL span assigned. I originally thought that those unconditional de-references must have been introduced after the RXMIRROR/TXMIRROR was merged - but checked the git history and it seems like the bug has been present ever since this functionality was merged in 2010 in commit 9090c6fcd289b497e00e8e5fb9cc3546e0dfe7d6 | ||
| Comments: | By: Harald Welte (laforge) 2022-04-16 06:47:01.025-0500 Proposed patch to fix the issue. | ||