https://github.com/pftf/RPi3 UEFI/ACPI based booting: gic_acpi_identify crashes dereferencing a NULL pointer value
Date: Wed, 06 Apr 2022 08:01:31 UTC
https://github.com/pftf/RPi3 UEFI/ACPI use gets a boot crash in FreeBSD's gic_acpi_identify:

. . .
MAP 1d0000 mode 2 pages 32
MAP 339d0000 mode 2 pages 80
MAP 33a20000 mode 2 pages 256
MAP 37000000 mode 2 pages 400
MAP 37190000 mode 2 pages 592
kbd0 at kbdmux0
acpi0: <BC2836 RPI3>
acpi0: Power Button (fixed)
acpi0: Could not update all GPEs: AE_NOT_CONFIGURED
psci0: <ARM Power State Co-ordination Interface Driver> on acpi0
Fatal data abort:
  x0: ffff000086ffe6b4 (crypto_dev + 858f044c)
  x1: ffff00000103d0d0 (initstack + 30d0)
  x2: ffff00000080ed2c (madt_handler + 0)
  x3: ffff00000103d0d0 (initstack + 30d0)
  x4: d2d9fffc
  x5: 0
  x6: ffffffffffffffff
  x7: 2001
  x8: 0
  x9: 400
 x10: 800
 x11: 0
 x12: ffff00000103d8dc (initstack + 38dc)
 x13: b6
 x14: 551
 x15: 16c
 x16: 0
 x17: 1
 x18: ffff00000103d0d0 (initstack + 30d0)
 x19: ffff000086ffe598 (crypto_dev + 858f0330)
 x20: ffffa00000dba200
 x21: ffff00000103d0e0 (initstack + 30e0)
 x22: ffffa00000c37a40
 x23: ffff000000ec8000 (devsoftc + 88)
 x24: ffff00000097fe1a (digits + 102f6)
 x25: 3800000
 x26: ffff000000e74000 (gdb_tx_u + a98)
 x27: ffff000000e74000 (gdb_tx_u + a98)
 x28: ffff00004042bd28 (crypto_dev + 3ed1dac0)
 x29: ffff00000103d8e0 (initstack + 38e0)
  sp: ffff00000103d0d0
  lr: ffff00000080e908 (gic_acpi_identify + 7c)
 elr: ffff00000080e90c (gic_acpi_identify + 80)
spsr: 600000c5
 far: 14
 esr: 96000004
panic: vm_fault failed: ffff00000080e90c error 1
cpuid = 0
time = 1
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x30
vpanic() at vpanic+0x178
panic() at panic+0x44
data_abort() at data_abort+0x2bc
handle_el1h_sync() at handle_el1h_sync+0x10
--- exception, esr 0x96000004
gic_acpi_identify() at gic_acpi_identify+0x80
bus_generic_new_pass() at bus_generic_new_pass+0x44
bus_generic_new_pass() at bus_generic_new_pass+0xb0
bus_generic_new_pass() at bus_generic_new_pass+0xb0
root_bus_configure() at root_bus_configure+0x40
mi_startup() at mi_startup+0x224
virtdone() at virtdone+0x7c
KDB: enter: panic
[ thread pid 0 tid 100000 ]
Stopped at      kdb_enter+0x48: undefined       f901c11f

This turns out to have gic_acpi_identify+0x80 with the code shown below:

ffff00000080e904 <gic_acpi_identify+0x78> bl   ffff00000011d640 <acpi_walk_subtables>
ffff00000080e908 <gic_acpi_identify+0x7c> ldr  x8, [sp, #8]
ffff00000080e90c <gic_acpi_identify+0x80> ldrb w8, [x8, #20]

and the register dump above shows:

x8: 0

Looking up the source ( sys/arm/arm/gic_acpi.c ) there is the likes of:

struct madt_table_data {
	device_t parent;
	ACPI_MADT_GENERIC_DISTRIBUTOR *dist;
	ACPI_MADT_GENERIC_INTERRUPT *intr[MAXCPU];
};
. . .
	bzero(&madt_data, sizeof(madt_data));
	madt_data.parent = parent;
	madt_data.dist = NULL;

	acpi_walk_subtables(madt + 1, (char *)madt + madt->Header.Length,
	    madt_handler, &madt_data);

	/* Check the version of the GIC we have */
	switch (madt_data.dist->Version) {

So it appears that madt_data.dist held a NULL pointer value that was not checked for. (I've no clue if such a NULL is supposed to be possible --but I do know it occurred.)

The following lines are:

	case ACPI_MADT_GIC_VERSION_NONE:
	case ACPI_MADT_GIC_VERSION_V1:
	case ACPI_MADT_GIC_VERSION_V2:
		break;
	default:
		goto out;
	}
. . .
out:
	acpi_unmap_table(madt);
}

That might suggest that madt_data.dist==NULL should lead to a "goto out".

===
Mark Millard
marklmi at yahoo.com
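An added illustration, not part of the mail above and not FreeBSD's code: a minimal C model of the MADT subtable walk the report quotes. It runs the same kind of walk over two constructed MADT bodies, one with a GIC Distributor subtable and one without, and adds the madt_data.dist == NULL check that the crash points to. Struct and function names are simplified stand-ins for the ACPICA ones; the GICD field layout follows the ACPI MADT type 0x0C entry, whose Version byte sits at offset 20, which is what the faulting "ldrb w8, [x8, #20]" and "far: 14" (0x14 == 20) in the dump correspond to. The sample entries and the 0x40041000 base address are constructed placeholders, not values read from an RPi3.

```c
/* Added example (not FreeBSD's sys/arm/arm/gic_acpi.c): a minimal model of the
 * MADT subtable walk that shows how an MADT with no GIC Distributor entry leaves
 * madt_data.dist NULL, plus the check the crash suggests. Names are simplified
 * stand-ins; the GICD layout follows the ACPI MADT type 0x0C entry, whose
 * Version byte is at offset 20, matching "ldrb w8, [x8, #20]" and "far: 14". */
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MADT_TYPE_GICC 0x0B	/* Generic Interrupt Controller CPU interface */
#define MADT_TYPE_GICD 0x0C	/* Generic Interrupt Controller Distributor */
#define GIC_VERSION_NONE 0
#define GIC_VERSION_V1 1
#define GIC_VERSION_V2 2

struct subtable_header { uint8_t type, length; };

struct madt_gicd {			/* ACPI MADT GICD structure, 24 bytes */
	struct subtable_header hdr;	/* offset 0 */
	uint16_t reserved;		/* offset 2 */
	uint32_t gic_id;		/* offset 4 */
	uint64_t base_address;		/* offset 8 */
	uint32_t system_vector_base;	/* offset 16 */
	uint8_t version;		/* offset 20: the byte the faulting ldrb reads */
	uint8_t reserved2[3];
};
_Static_assert(offsetof(struct madt_gicd, version) == 20, "Version at +20");

struct madt_table_data { const struct madt_gicd *dist; int ncpu; };

/* Stand-in for acpi_walk_subtables(): visit type/length-prefixed entries and
 * stop on a truncated or zero-length one rather than walking off the end. */
static void walk_subtables(const uint8_t *p, const uint8_t *end,
    void (*cb)(const struct subtable_header *, void *), void *arg)
{
	while ((size_t)(end - p) >= sizeof(struct subtable_header)) {
		const struct subtable_header *h = (const void *)p;
		if (h->length < sizeof(*h) || (size_t)(end - p) < h->length)
			break;
		cb(h, arg);
		p += h->length;
	}
}

static void madt_handler(const struct subtable_header *h, void *arg)
{
	struct madt_table_data *d = arg;
	if (h->type == MADT_TYPE_GICD)
		d->dist = (const struct madt_gicd *)h;
	else if (h->type == MADT_TYPE_GICC)
		d->ncpu++;
}

/* 1: a GICv1/v2 distributor was found and the driver may attach.
 * 0: bail out, as the driver's "goto out" does.
 * The NULL test is the check whose absence the posted panic shows. */
int gic_identify(const uint8_t *subtables, size_t len)
{
	struct madt_table_data madt_data;
	memset(&madt_data, 0, sizeof(madt_data));
	walk_subtables(subtables, subtables + len, madt_handler, &madt_data);
	if (madt_data.dist == NULL)	/* firmware supplied no GICD entry */
		return 0;
	switch (madt_data.dist->version) {
	case GIC_VERSION_NONE:
	case GIC_VERSION_V1:
	case GIC_VERSION_V2:
		return 1;
	default:
		return 0;
	}
}

/* Constructed MADT body (not captured from the RPi3): one 80-byte GICC entry,
 * optionally followed by a GICD entry carrying the given Version. Returns the
 * result of gic_identify() on that body. */
int identify_sample(int with_gicd, uint8_t version)
{
	alignas(8) uint8_t buf[128];
	size_t len = 80;
	memset(buf, 0, sizeof(buf));
	buf[0] = MADT_TYPE_GICC;
	buf[1] = 80;
	if (with_gicd) {
		struct madt_gicd g = { .hdr = { MADT_TYPE_GICD, sizeof(g) },
		    .base_address = 0x40041000ULL,	/* placeholder address */
		    .version = version };
		memcpy(buf + len, &g, sizeof(g));
		len += sizeof(g);
	}
	return gic_identify(buf, len);
}

int main(void)
{
	printf("no GICD entry: %d (expect 0)\n", identify_sample(0, 0));
	printf("GICD v2:       %d (expect 1)\n", identify_sample(1, GIC_VERSION_V2));
	printf("GICD v3:       %d (expect 0)\n", identify_sample(1, 3));
	return 0;
}
```

Without the NULL test, the first call would read byte 20 of address 0, which is exactly the far value 0x14 in the dump; with it, a firmware table that carries no Distributor entry makes the probe decline quietly instead of panicking during root_bus_configure.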