[PATCH] firmware: arm_scmi: Fix NULL pointer dereference in mailbox_chan_free

Viresh Kumar viresh.kumar at linaro.org
Tue Sep 8 23:47:32 EDT 2020 

On 08-09-20, 12:26, Sudeep Holla wrote:
> scmi_mailbox is obtained from cinfo->transport_info and the first
> call to mailbox_chan_free frees the channel and sets cinfo->transport_info
> to NULL. Care is taken to check for non NULL smbox->chan but smbox can
> itself be NULL. Fix it by checking for it without which, kernel crashes
> with below NULL pointer dereference and eventually kernel panic.
> 
>    Unable to handle kernel NULL pointer dereference at
>    		virtual address 0000000000000038
>    Modules linked in: scmi_module(-)
>    Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno
>    		Development Platform, BIOS EDK II Sep  2 2020
>    pstate: 80000005 (Nzcv daif -PAN -UAO BTYPE=--)
>    pc : mailbox_chan_free+0x2c/0x70 [scmi_module]
>    lr : idr_for_each+0x6c/0xf8
>    Call trace:
>     mailbox_chan_free+0x2c/0x70 [scmi_module]
>     idr_for_each+0x6c/0xf8
>     scmi_remove+0xa8/0xf0 [scmi_module]
>     platform_drv_remove+0x34/0x58
>     device_release_driver_internal+0x118/0x1f0
>     driver_detach+0x58/0xe8
>     bus_remove_driver+0x64/0xe0
>     driver_unregister+0x38/0x68
>     platform_driver_unregister+0x1c/0x28
>     scmi_driver_exit+0x38/0x44 [scmi_module]
>    ---[ end trace 17bde19f50436de9 ]---
>    Kernel panic - not syncing: Fatal exception
>    SMP: stopping secondary CPUs
>    Kernel Offset: 0x1d0000 from 0xffff800010000000
>    PHYS_OFFSET: 0x80000000
>    CPU features: 0x0240022,25806004
>    Memory Limit: none
>    ---[ end Kernel panic - not syncing: Fatal exception ]---
> 
> Cc: Cristian Marussi <cristian.marussi at arm.com>
> Cc: Viresh Kumar <viresh.kumar at linaro.org>
> Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
> Signed-off-by: Sudeep Holla <sudeep.holla at arm.com>
> ---
>  drivers/firmware/arm_scmi/mailbox.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Viresh Kumar <viresh.kumar at linaro.org>

-- 
viresh

More information about the linux-arm-kernel mailing list