[Letux-kernel] New LetuxOS Kernels - strcmp(NULL)
H. Nikolaus Schaller
hns at goldelico.com
Sat Jun 23 18:47:37 CEST 2018
Hi,
> Am 23.06.2018 um 18:39 schrieb N. Jackson <nljlistbox2 at gmail.com>:
>
>> At 17:21 +0200 on Saturday 2018-06-23, H. Nikolaus Schaller wrote:
>>
>>> Am 23.06.2018 um 12:13 schrieb H. Nikolaus Schaller <hns at goldelico.com>:
>>>
>>> [ 7.657104] gname[15] = pinmux_penirq_pins
>>> [ 7.671142] gname[16] = pinmux_camera_pins
>>> [ 7.675598] gname[17] = hdq_pins
>>> [ 7.688140] pinctrl_generic_get_group_name: group>name is NULL
>>> [ 7.694244] gname[18] = (null)
>>
>> ^^^ this is interesting!
>>
>> The printk code behind pinctrl_generic_get_group_name is:
>>
>> const char *pinctrl_generic_get_group_name(struct pinctrl_dev *pctldev,
>>                                            unsigned int selector)
>> {
>>     struct group_desc *group;
>>
>>     group = radix_tree_lookup(&pctldev->pin_group_tree,
>>                               selector);
>>     if (!group) {
>>         printk("%s: selector %d not found\n", __func__, selector);
>>     }
>>     if (!group)
>>         return NULL;
>>
>>     if (!group->name) {
>>         printk("%s: group>name is NULL\n", __func__);
>>     }
>>     return group->name;
>> }
>>
>> Which means that the struct group_desc exists but the
>> group->name is NULL. So there is no NULL magically added
>> to the radix tree, but the group->name pointer becomes
>> NULL. Which means that the memory region was overwritten.
>
> Can you rule out the possibility that the group->name was
> not set to NULL when the group was created in
> pinctrl_generic_add_group?
Yes. There is a test for it - and the patch set from Tony tries to locate the
name in the radix tree before allocating a new one and that would also segfault
for a NULL name.
What I am currently thinking is that there is some index-out-of-bounds access
involved. Not necessarily related to the pinmux framework but I can't decide that
yet.
BR and thanks,
Nikolaus
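As an added illustration of the hypothesis discussed in this thread (example code, not from the Letux kernel or the pinctrl framework): a stand-alone C model in which a group descriptor is registered with a valid name, an unchecked indexed store into an adjacent array overwrites the name pointer, and the same two-way diagnostic as the instrumented lookup above ("selector not found" versus "group->name is NULL") reports the clobbered field. The table, the `pin_owner` layout and all function names are constructed for the example; the kernel's radix tree is replaced by a fixed array. The checked variant of the store is the mitigation: validating the index against the array length keeps the descriptor intact.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a pin-group table (constructed for this example; not the
 * kernel's radix tree). A NULL slot means "selector not found". */
struct group_desc {
    const char *name;
    unsigned int npins;
};

#define MAX_GROUPS 32

struct pinctrl_model {
    struct group_desc *groups[MAX_GROUPS];
    unsigned int ngroups;
};

enum lookup_status { LOOKUP_OK = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_NAME_NULL = 2 };

/* Registration refuses a NULL name, so a NULL name seen later by the lookup
 * cannot have been stored through this path. Returns the selector or -1. */
int model_add_group(struct pinctrl_model *m, struct group_desc *g)
{
    if (!g || !g->name || m->ngroups >= MAX_GROUPS)
        return -1;
    m->groups[m->ngroups] = g;
    return (int)m->ngroups++;
}

/* Same two diagnostics as the instrumented kernel function in the thread:
 * "selector not found" (no descriptor) versus "group->name is NULL"
 * (descriptor present, pointer field clobbered). */
enum lookup_status model_get_group_name(const struct pinctrl_model *m,
                                        unsigned int selector, const char **out)
{
    const struct group_desc *g;

    *out = NULL;
    if (selector >= MAX_GROUPS || !(g = m->groups[selector])) {
        printf("%s: selector %u not found\n", __func__, selector);
        return LOOKUP_NOT_FOUND;
    }
    if (!g->name) {
        printf("%s: group->name is NULL\n", __func__);
        return LOOKUP_NAME_NULL;
    }
    *out = g->name;
    return LOOKUP_OK;
}

/* Hypothetical object whose indexed table is immediately followed by a
 * descriptor: an out-of-range index into pins[] lands on desc.name. */
struct pin_owner {
    int pins[4];
    struct group_desc desc;
};

/* Unchecked indexed store, done as a byte copy inside the enclosing object so
 * the demonstration stays well-defined while still modelling pins[idx] = v. */
static void store_pin_unchecked(struct pin_owner *o, size_t idx, int v)
{
    size_t off = offsetof(struct pin_owner, pins) + idx * sizeof(int);
    if (off + sizeof(int) > sizeof(*o))
        return; /* never leave the object itself */
    memcpy((unsigned char *)o + off, &v, sizeof(v));
}

/* The mitigation: validate the index against the array length first.
 * Returns 0 on success, -1 when the index is out of range. */
static int store_pin_checked(struct pin_owner *o, size_t idx, int v)
{
    if (idx >= sizeof(o->pins) / sizeof(o->pins[0]))
        return -1;
    o->pins[idx] = v;
    return 0;
}

/* Registers one group, then writes zeros through pins[] over every int that
 * overlaps desc.name. Returns the lookup status observed afterwards:
 * LOOKUP_NAME_NULL for the unchecked store, LOOKUP_OK for the checked one. */
int scenario(int checked)
{
    struct pin_owner owner = { {1, 2, 3, 4}, { "hdq_pins", 1 } };
    struct pinctrl_model m;
    const char *name = NULL;
    int sel;
    size_t first = offsetof(struct pin_owner, desc.name) / sizeof(int);
    size_t count = sizeof(owner.desc.name) / sizeof(int);
    size_t i;

    memset(&m, 0, sizeof(m));
    sel = model_add_group(&m, &owner.desc);
    if (sel < 0)
        return -1;

    for (i = first; i < first + count; i++) {
        if (checked)
            store_pin_checked(&owner, i, 0);   /* rejected: index >= 4 */
        else
            store_pin_unchecked(&owner, i, 0); /* clobbers desc.name */
    }
    return (int)model_get_group_name(&m, (unsigned int)sel, &name);
}

int main(void)
{
    printf("unchecked store -> status %d\n", scenario(0));
    printf("checked store   -> status %d\n", scenario(1));
    return 0;
}
```

The point of the model is the order of events: the descriptor passed the NULL-name check at registration time and the selector is still found afterwards, which is exactly the combination the thread's log shows; only a later write into the descriptor's memory can produce it, so the place to look is any indexed access whose bound does not match the array it indexes.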