NetBSD Problem Report #59082
From ef@math.uni-bonn.de Mon Feb 17 16:28:53 2025
Return-Path: <ef@math.uni-bonn.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 891AA1A923D
for <gnats-bugs@gnats.NetBSD.org>; Mon, 17 Feb 2025 16:28:53 +0000 (UTC)
Message-Id: <20250217162847.B07CB4DEB4A@peene.math.uni-bonn.de>
Date: Mon, 17 Feb 2025 17:28:47 +0100 (CET)
From: ef@math.uni-bonn.de
Reply-To: ef@math.uni-bonn.de
To: gnats-bugs@NetBSD.org
Subject: panic during dbcool attach
X-Send-Pr-Version: 3.95
>Number: 59082
>Category: kern
>Synopsis: panic during dbcool attach
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 17 16:30:01 +0000 2025
>Originator: ef@math.uni-bonn.de
>Release: NetBSD 10.1
>Organization:
Mathematisches Institut der Uni Bonn
>Environment:
System: NetBSD peene.math.uni-bonn.de 10.1 NetBSD 10.1 (MI-Server) #6: Thu Dec 19 18:20:00 CET 2024 ef@peene.math.uni-bonn.de:/var/work/obj-10/sys/arch/amd64/compile/miserv amd64
Architecture: x86_64
Machine: amd64
>Description:
After uncommenting the line
dbcool* at iic? addr 0x2E # Tyan S2882-D
a -10 kernel panics on a machine with that device present.
A -8 kernel probes the device and works.
>How-To-Repeat:
Build a kernel with
dbcool* at iic? addr 0x2E
and boot on a machine with a dbcool device at that address.
>Fix:
riastradh@ identified this as a null pointer dereference in dbcool_attach()
calling prop_object_retain() on a NULL sc->sc_prop.
With the following patch suggested by him (or so I understood)
Index: sys/dev/i2c/dbcool.c
===================================================================
RCS file: /cvsroot/src/sys/dev/i2c/dbcool.c,v
retrieving revision 1.64
diff -u -p -r1.64 dbcool.c
--- sys/dev/i2c/dbcool.c 30 Mar 2022 00:06:50 -0000 1.64
+++ sys/dev/i2c/dbcool.c 17 Feb 2025 16:11:13 -0000
@@ -776,7 +776,7 @@ dbcool_attach(device_t parent, device_t
sc->sc_dc.dc_writereg = dbcool_writereg;
sc->sc_dev = self;
sc->sc_prop = args->ia_prop;
- prop_object_retain(sc->sc_prop);
+ if (sc->sc_prop != NULL) prop_object_retain(sc->sc_prop);
if (dbcool_chip_ident(&sc->sc_dc) < 0 || sc->sc_dc.dc_chip == NULL)
panic("could not identify chip at addr %d", args->ia_addr);
@@ -1697,7 +1697,7 @@ dbcool_attach_sensor(struct dbcool_softc
name_index = sc->sc_dc.dc_chip->table[idx].name_index;
snprintf(name, 7, "s%02x", sc->sc_dc.dc_chip->table[idx].reg.val_reg);
- if (prop_dictionary_get_string(sc->sc_prop, name, &desc)) {
+ if (sc->sc_prop != NULL && prop_dictionary_get_string(sc->sc_prop, name, &desc)) {
strlcpy(sc->sc_sensor[idx].desc, desc,
sizeof(sc->sc_sensor[idx].desc));
} else {
it works again (and reports data).
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home