

xrp-kernel: fix function definition/invocation mismatch
xrp_acpi_init_v[01] are defined with a single parameter, but invoked
through a pointer to xrp_init_function, which has 4 parameters. On
android with control flow integrity enabled this results in a crash when
either of these functions is called:

  xrp: no symbol version for module_layout
  invalid opcode: 0000 [#1] PREEMPT SMP PTI
  CPU: 1 PID: 1832 Comm: insmod Tainted: G           O      5.4.47-01061-g22e35a1de440 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
  RIP: 0010:__cfi_check_fail+0x10/0x20 [xrp]
  Code: 48 89 de e8 02 91 b4 f8 eb b0 55 48 89 e5 e8 07 ce ff ff 31 c0 5d c3 cc cc cc 55 48 89 e5 48 85 ff 74 07 80 3f 05 72 02 5d c3 <0f> 0b cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 48 89 e5 41 57
  RSP: 0018:ffff9f6240793910 EFLAGS: 00010246
  RAX: ffffffffc01e3440 RBX: ffffffffc01e3000 RCX: 1ffffffffffffff3
  RDX: 0000000000000000 RSI: ffffffffc01e33d8 RDI: 0000000000000000
  RBP: ffff9f6240793910 R08: 0000000000000000 R09: 000000000002cfc0
  R10: 0000000000000000 R11: ffffffffc01e3000 R12: ffffffffc01e3000
  R13: ffffffffc01e33d8 R14: 0000000000000000 R15: 237204e0dc49a9d8
  FS:  0000701cdc49dff8(0000) GS:ffff9355ffd00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00005e849acc42e0 CR3: 0000000064ea0000 CR4: 00000000000006e0
  Call Trace:
   __cfi_check+0x2f5/0x320 [xrp]
   ? __cfi_slowpath+0x97/0x100
   ? xrp_acpi_init_v1+0x8/0x8 [xrp]
   xrp_probe+0xae/0xb0 [xrp]
   ? xrp_remove+0x8/0x8 [xrp]
   platform_drv_probe+0xa9/0xf0
   ? sd_suspend_runtime+0x8/0x8
   really_probe+0x32b/0x790
   driver_probe_device+0x54/0xf0
   device_driver_attach+0x6a/0xb0
   ? cpu_subsys_match+0x8/0x8
   ? target_block+0x8/0x8
   __driver_attach+0xe8/0x190
   ? target_block+0x8/0x8
   bus_for_each_dev+0xc0/0x110
   driver_attach+0x19/0x20
   bus_add_driver+0x119/0x200
   ? cleanup_module.cfi_jt+0x10/0x10 [xrp]
   driver_register+0x85/0x120
   __platform_driver_register+0x31/0x40
   init_module+0x17/0x1000 [xrp]
   do_one_initcall+0x1d8/0x3a0
   do_init_module+0x5b/0x210
   load_module+0x4223/0x4520
   ? kernel_read_file+0x160/0x1e0
   __x64_sys_finit_module+0xd1/0x100
   ? __x64_sys_rmdir.cfi_jt+0x8/0x8
   do_syscall_64+0x6d/0xb0
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix it by defining xrp_acpi_init_v[01] according to the xrp_init_function
type.

Signed-off-by: Max Filippov <[email protected]>
jcmvbkbc committed Nov 3, 2020
1 parent fc0ea63 commit 1dad41d
Showing 1 changed file with 10 additions and 4 deletions.
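--- a/xrp-kernel/xvp_main.c
+++ b/xrp-kernel/xvp_main.c
@@ -2414,9 +2414,12 @@ MODULE_DEVICE_TABLE(of, xrp_of_match);
 #endif
 
 #ifdef CONFIG_ACPI
-static long xrp_acpi_init_v0(struct platform_device *pdev)
+static xrp_init_function xrp_acpi_init_v0;
+static long xrp_acpi_init_v0(struct platform_device *pdev,
+enum xrp_init_flags flags,
+const struct xrp_hw_ops *hw_ops, void *hw_arg)
 {
-long ret = xrp_init(pdev, 0, &hw_ops, NULL);
+long ret = xrp_init(pdev, flags, hw_ops, hw_arg);
 
 if (!IS_ERR_VALUE(ret)) {
 struct xvp *xvp = ERR_PTR(ret);
@@ -2448,9 +2451,12 @@ static long xrp_acpi_init_v0(struct platform_device *pdev)
 return ret;
 }
 
-static long xrp_acpi_init_v1(struct platform_device *pdev)
+static xrp_init_function xrp_acpi_init_v1;
+static long xrp_acpi_init_v1(struct platform_device *pdev,
+enum xrp_init_flags flags,
+const struct xrp_hw_ops *hw_ops, void *hw_arg)
 {
-long ret = xrp_init_v1(pdev, 0, &hw_ops, NULL);
+long ret = xrp_init_v1(pdev, flags, hw_ops, hw_arg);
 
 if (!IS_ERR_VALUE(ret)) {
 struct xvp *xvp = ERR_PTR(ret);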
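Review bot: The new bodies forward `flags` and `hw_arg` from the indirect caller where the old bodies passed a hard-coded `0` and `NULL` to `xrp_init` / `xrp_init_v1`, so this is a behaviour change beyond the signature fix the message describes; if the ACPI path depended on those constants, the caller that dereferences the `xrp_init_function` pointer (xrp_probe, outside this section) now has to supply suitable values, which is worth stating in the commit message or confirming in a follow-up. The same applies to both hunks. The forward declaration `static xrp_init_function xrp_acpi_init_v0;` is what turns a future prototype drift into a compile error instead of a CFI fault at probe time, so a one-line comment above each such declaration, e.g. `/* declared via the typedef so the definition is checked against xrp_init_function */`, would keep the next editor from removing it as redundant. Both functions continue past the end of their hunks.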

