Bug 21872 - null pointer dereference when using the brcm80211 driver to load some bogus firmware
Summary: null pointer dereference when using the brcm80211 driver to load some bogus f...
Status: RESOLVED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Staging (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Roland Vossen
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-03 06:31 UTC by Pramod Dematagoda
Modified: 2010-12-04 10:53 UTC (History)
2 users (show)

See Also:
Kernel Version: 2.6.37-rc1
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Pramod Dematagoda 2010-11-03 06:31:32 UTC
I compiled a 2.6.37-rc1 kernel with the new brcm80211 driver configured in, when I tried to provide it with some firmware that was included in the broadcom proprietary driver(probably not what it's looking for), it throws up a null pointer dereference error in the remove_vm_area function and crashes the whole kernel.

The error output is as follows:-
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff810f7a20>] remove_vm_area+0x42/0x78
PGD 0 
Oops: 0000 [#1] PREEMPT SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:04.0/0000:04:00.0/firmware/0000:04:00.0/loading
CPU 0 
Modules linked in: brcm80211(C+) hidp pppoe pppox ppp_generic slhc fuse ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc rfcomm sco bnep l2cap sunrpc cpufreq_ondemand powernow_k8 freq_table mperf xt_physdev ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables ipv6 kvm_amd kvm uinput snd_hda_codec_hdmi snd_hda_codec_idt snd_hda_intel snd_usb_audio snd_hda_codec snd_seq snd_pcm snd_timer snd_hwdep snd_usbmidi_lib snd_rawmidi snd_seq_device snd mac80211 cfg80211 rtc_cmos soundcore rtc_core btusb bluetooth dell_wmi sparse_keymap dell_laptop dcdbas snd_page_alloc joydev wmi rtc_lib i2c_piix4 video r8169 mii microcode k10temp output pcspkr radeon ttm drm_kms_helper drm fb fbdev i2c_algo_bit i2c_core cfbcopyarea cfbimgblt cfbfillrect [last unloaded: brcm80211]
Pid: 2755, comm: work_for_cpu Tainted: G         C  2.6.37-rc1pmd #2 Inspiron M5010/Inspiron M5010
RIP: 0010:[<ffffffff810f7a20>]  [<ffffffff810f7a20>] remove_vm_area+0x42/0x78
RSP: 0018:ffff8800b8551d30  EFLAGS: 00010203
RAX: 0000000000000000 RBX: ffff880037995cc0 RCX: ffffc90012022000
RDX: 0000000000000000 RSI: ffff8800b8551d00 RDI: ffffffff81a20990
RBP: ffff8800b8551d40 R08: ffff880178df5c80 R09: 0000000000000004
R10: 00000000ffffffff R11: ffff880000000000 R12: ffff88012c57e780
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88010edeb7c0
FS:  00007f725acab7a0(0000) GS:ffff8800bf800000(0000) knlGS:00000000f74a1820
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 0000000001a03000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process work_for_cpu (pid: 2755, threadinfo ffff8800b8550000, task ffff880178df5c80)
Stack:
ffffc90012022000 0000000000000000 ffff8800b8551d80 ffffffff810f7b07
ffff8801b333d090 ffffc90012022000 6d63622f6d637262 ffffc90012022000
0000000000000000 ffff8801aa3fe4a0 ffff8800b8551da0 ffffffff810f7bcf
Call Trace:
[<ffffffff810f7b07>] __vunmap+0x3e/0xbd
[<ffffffff810f7bcf>] vunmap+0x49/0x4d
[<ffffffff812c8f83>] firmware_free_data+0x1b/0x55
[<ffffffff812c9006>] release_firmware+0x49/0x4f
[<ffffffffa05bd053>] wl_release_fw+0x1e/0x3a [brcm80211]
[<ffffffffa05efda6>] wl_pci_probe+0x37b/0x7a1 [brcm80211]
[<ffffffff81044862>] ? get_parent_ip+0x11/0x41
[<ffffffff81236e12>] local_pci_probe+0x4d/0x96
[<ffffffff81065adb>] ? do_work_for_cpu+0x0/0x2b
[<ffffffff81065af3>] do_work_for_cpu+0x18/0x2b
[<ffffffff81065adb>] ? do_work_for_cpu+0x0/0x2b
[<ffffffff8106af85>] kthread+0x82/0x8a
[<ffffffff8100bbe4>] kernel_thread_helper+0x4/0x10
[<ffffffff8106af03>] ? kthread+0x0/0x8a
[<ffffffff8100bbe0>] ? kernel_thread_helper+0x0/0x10
Code: 74 55 f6 40 10 04 74 4f 48 c7 c7 90 09 a2 81 48 8b 58 50 e8 a0 45 35 00 48 8b 05 74 52 bc 00 48 c7 c2 88 cc cb 81 eb 06 48 89 c2 <48> 8b 00 48 39 d8 75 f5 48 8b 03 48 c7 c7 90 09 a2 81 48 89 02 
RIP  [<ffffffff810f7a20>] remove_vm_area+0x42/0x78
RSP <ffff8800b8551d30>
CR2: 0000000000000000

I realise that this may not be a big kernel bug since the firmware is wrong, but I don't think that the whole kernel should crash on reception of an invalid firmware blob to use.
Comment 1 Greg Kroah-Hartman 2010-11-03 13:24:21 UTC
On Wed, Nov 03, 2010 at 06:31:34AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> I compiled a 2.6.37-rc1 kernel with the new brcm80211 driver configured in,
> when I tried to provide it with some firmware that was included in the
> broadcom
> proprietary driver(probably not what it's looking for), it throws up a null
> pointer dereference error in the remove_vm_area function and crashes the
> whole
> kernel.

Ick, not good.  I'll poke the Broadcom developers to get a fix for this.
Comment 2 Roland Vossen 2010-11-04 10:37:02 UTC
I am a developer @ broadcom. Will work on this problem.
Comment 3 Roland Vossen 2010-12-04 10:53:02 UTC
Patch has been submitted to Greg KH's staging-next tree.

Note You need to log in before you can comment on or make changes to this bug.