Re: NULL pointer dereference in iio_buffer_register()

From: Lars-Peter Clausen
Date: Tue Jul 31 2012 - 08:38:22 EST

Next message: Gerald Schaefer: "Re: [RFC PATCH v5 12/19] memory-hotplug: introduce new functionarch_remove_memory()"
Previous message: Thierry Reding: "Re: [RFC][PATCH v3 1/3] runtime interpreted power sequences"
In reply to: Fengguang Wu: "Re: NULL pointer dereference in iio_buffer_register()"
Next in thread: Fengguang Wu: "Re: NULL pointer dereference in iio_buffer_register()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 07/31/2012 12:31 PM, Fengguang Wu wrote:
>> [ 7.623739] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
>
> I managed to root cause it:
>
> [ 2.108085] BUG: unable to handle kernel NULL pointer dereference at 00000060
> [ 2.112015] EIP: [<c19b4f4f>] iio_buffer_register+0x1f/0x360 SS:ESP 0068:ce837f34
>
> $ addr2line -e vmlinux -i c19b4f4f
> /c/wfg/linux/drivers/iio/industrialio-buffer.c:275
>
> (gdb) p &((struct iio_buffer *) 0)->attrs
> $1 = (const struct attribute_group **) 0x60
>
> The panic happens while trying to dereference the NULL indio_dev->buffer:
>
> 266 int iio_buffer_register(struct iio_dev *indio_dev,
> 267 const struct iio_chan_spec *channels,
> 268 int num_channels)
> 269 {
> 270 struct iio_dev_attr *p;
> 271 struct attribute **attr;
> 272 struct iio_buffer *buffer = indio_dev->buffer;
> 273 int ret, i, attrn, attrcount, attrcount_orig = 0;
> 274
> ==> 275 if (buffer->attrs)
> 276 indio_dev->groups[indio_dev->groupcounter++] = buffer->attrs;
>
> iio_dummy_probe() has the code to configure that buffer, however
> iio_simple_dummy_configure_buffer() is defined to do nothing on
> !CONFIG_IIO_SIMPLE_DUMMY_BUFFER..
>
> 448 /* Configure buffered capture support. */
> ==> 449 ret = iio_simple_dummy_configure_buffer(indio_dev);
> 450 if (ret < 0)
> 451 goto error_unregister_events;
> 452
> 453 /*
> 454 * Register the channels with the buffer, but avoid the output
> 455 * channel being registered by reducing the number of channels by 1.
> 456 */
> 457 ret = iio_buffer_register(indio_dev, iio_dummy_channels, 5);
> 458 if (ret < 0)
> 459 goto error_unconfigure_buffer;
>
> Any ideas to fix it?
>

Hi,

I think the best would be to move the iio_buffer_register to
iio_simple_dummy_configure_buffer.

- Lars
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Gerald Schaefer: "Re: [RFC PATCH v5 12/19] memory-hotplug: introduce new functionarch_remove_memory()"
Previous message: Thierry Reding: "Re: [RFC][PATCH v3 1/3] runtime interpreted power sequences"
In reply to: Fengguang Wu: "Re: NULL pointer dereference in iio_buffer_register()"
Next in thread: Fengguang Wu: "Re: NULL pointer dereference in iio_buffer_register()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]