kern/59082: panic during dbcool attach

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/59082: panic during dbcool attach
From: ef%math.uni-bonn.de@localhost
Date: Mon, 17 Feb 2025 16:30:01 +0000 (UTC)

>Number:         59082
>Category:       kern
>Synopsis:       panic during dbcool attach
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 17 16:30:01 +0000 2025
>Originator:     ef%math.uni-bonn.de@localhost
>Release:        NetBSD 10.1
>Organization:
	Mathematisches Institut der Uni Bonn
>Environment:
System: NetBSD peene.math.uni-bonn.de 10.1 NetBSD 10.1 (MI-Server) #6: Thu Dec 19 18:20:00 CET 2024 ef%peene.math.uni-bonn.de@localhost:/var/work/obj-10/sys/arch/amd64/compile/miserv amd64
Architecture: x86_64
Machine: amd64
>Description:
	After uncommenting the line
		dbcool* at iic? addr 0x2E		# Tyan S2882-D 
	a -10 kernel panics on a machine with that device present.
	A -8 kernel probes the device and works.
>How-To-Repeat:
	Build a kernel with
		dbcool* at iic? addr 0x2E
	and boot on a machine with a dbcool device at that address.
>Fix:
	riastradh@ identified this as a null pointer dereference in dbcool_attach()
	calling prop_object_retain() on a NULL sc->sc_prop.
	With the following patch suggested by him (or so I understood)

	Index: sys/dev/i2c/dbcool.c
	===================================================================
	RCS file: /cvsroot/src/sys/dev/i2c/dbcool.c,v
	retrieving revision 1.64
	diff -u -p -r1.64 dbcool.c
	--- sys/dev/i2c/dbcool.c	30 Mar 2022 00:06:50 -0000	1.64
	+++ sys/dev/i2c/dbcool.c	17 Feb 2025 16:11:13 -0000
	@@ -776,7 +776,7 @@ dbcool_attach(device_t parent, device_t 
		sc->sc_dc.dc_writereg = dbcool_writereg;
		sc->sc_dev = self;
		sc->sc_prop = args->ia_prop;
	-	prop_object_retain(sc->sc_prop);
	+	if (sc->sc_prop != NULL) prop_object_retain(sc->sc_prop);
	 
		if (dbcool_chip_ident(&sc->sc_dc) < 0 || sc->sc_dc.dc_chip == NULL)
			panic("could not identify chip at addr %d", args->ia_addr);
	@@ -1697,7 +1697,7 @@ dbcool_attach_sensor(struct dbcool_softc
	 
		name_index = sc->sc_dc.dc_chip->table[idx].name_index;
		snprintf(name, 7, "s%02x", sc->sc_dc.dc_chip->table[idx].reg.val_reg);
	-	if (prop_dictionary_get_string(sc->sc_prop, name, &desc)) {
	+	if (sc->sc_prop != NULL && prop_dictionary_get_string(sc->sc_prop, name, &desc)) {
			 strlcpy(sc->sc_sensor[idx].desc, desc,
				sizeof(sc->sc_sensor[idx].desc));
		} else {

	it works again (and reports data).

Prev by Date: Re: Re: bin/59046: dhcpd issue
Next by Date: PR/58767 CVS commit: src/sys
Previous by Thread: kern/59081: Add close_range() system call
Next by Thread: PR/58767 CVS commit: src/sys
Indexes:

Home | Main Index | Thread Index | Old Index