Usage of the intel_pmt_read() for binary sysfs, requires an allocated endpoint struct. The crashlog driver does not allocate the endpoint.
Without the ep, the crashlog usage causes the following NULL pointer exception:
BUG: kernel NULL pointer dereference, address: 0000000000000000
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class]
Code:
Call Trace:
<TASK>
? sysfs_kf_bin_read+0xc0/0xe0
kernfs_fop_read_iter+0xac/0x1a0
vfs_read+0x26d/0x350
ksys_read+0x6b/0xe0
__x64_sys_read+0x1d/0x30
x64_sys_call+0x1bc8/0x1d70
do_syscall_64+0x6d/0x110
Add the endpoint information to the crashlog driver to avoid the NULL pointer exception.
Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry")
Cc: stable@vger.kernel.org
Signed-off-by: Michael J. Ruhl michael.j.ruhl@intel.com
---
 drivers/platform/x86/intel/pmt/crashlog.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/intel/pmt/crashlog.c b/drivers/platform/x86/intel/pmt/crashlog.c
index 6a9eb3c4b313..74ce199e59f0 100644
--- a/drivers/platform/x86/intel/pmt/crashlog.c
+++ b/drivers/platform/x86/intel/pmt/crashlog.c
@@ -252,6 +252,7 @@ static struct intel_pmt_namespace pmt_crashlog_ns = {
 .xa = &crashlog_array,
 .attr_grp = &pmt_crashlog_group,
 .pmt_header_decode = pmt_crashlog_header_decode,
+ .pmt_add_endpoint = intel_pmt_add_endpoint,
 };
/*
@@ -262,8 +263,12 @@ static void pmt_crashlog_remove(struct auxiliary_device *auxdev)
 struct pmt_crashlog_priv *priv = auxiliary_get_drvdata(auxdev);
 int i;
- for (i = 0; i < priv->num_entries; i++)
- intel_pmt_dev_destroy(&priv->entry[i].entry, &pmt_crashlog_ns);
+ for (i = 0; i < priv->num_entries; i++) {
+ struct intel_pmt_entry *entry = &priv->entry[i].entry;
+
+ intel_pmt_release_endpoint(entry->ep);
+ intel_pmt_dev_destroy(entry, &pmt_crashlog_ns);
+ }
 }
static int pmt_crashlog_probe(struct auxiliary_device *auxdev,
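Review bot: In the rewritten loop of pmt_crashlog_remove(), `intel_pmt_release_endpoint(entry->ep)` runs before `intel_pmt_dev_destroy(entry, &pmt_crashlog_ns)`, so the endpoint is released while the entry's sysfs device still appears to be registered. The oops quoted in the description shows intel_pmt_read() being reached from a sysfs binary read and faulting on the endpoint, so a read that overlaps removal may see a released endpoint; whether that can happen depends on what the release helper frees and on locking that is not visible in this hunk. If nothing else serialises the two, destroying the device first would close the window: `intel_pmt_dev_destroy(entry, &pmt_crashlog_ns);` followed by `intel_pmt_release_endpoint(entry->ep);`. It is also worth confirming that the release helper accepts a NULL `entry->ep` for entries whose endpoint was never added. The function's signature and opening brace are outside the hunk.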
On Thu, 2025-06-05 at 14:44 -0400, Michael J. Ruhl wrote:
Usage of the intel_pmt_read() for binary sysfs, requires an allocated endpoint struct. The crashlog driver does not allocate the endpoint.
Without the ep, the crashlog usage causes the following NULL pointer exception:
BUG: kernel NULL pointer dereference, address: 0000000000000000
Okay, there it is. I'll still review the rest to see if the endpoint is even needed, but if not then you could drop this patch too.
David
Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110
Add the endpoint information to the crashlog driver to avoid the NULL pointer exception.
Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry") Cc: stable@vger.kernel.org Signed-off-by: Michael J. Ruhl michael.j.ruhl@intel.com
drivers/platform/x86/intel/pmt/crashlog.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/intel/pmt/crashlog.c b/drivers/platform/x86/intel/pmt/crashlog.c index 6a9eb3c4b313..74ce199e59f0 100644 --- a/drivers/platform/x86/intel/pmt/crashlog.c +++ b/drivers/platform/x86/intel/pmt/crashlog.c @@ -252,6 +252,7 @@ static struct intel_pmt_namespace pmt_crashlog_ns = { .xa = &crashlog_array, .attr_grp = &pmt_crashlog_group, .pmt_header_decode = pmt_crashlog_header_decode,
- .pmt_add_endpoint = intel_pmt_add_endpoint,
}; /* @@ -262,8 +263,12 @@ static void pmt_crashlog_remove(struct auxiliary_device *auxdev) struct pmt_crashlog_priv *priv = auxiliary_get_drvdata(auxdev); int i;
- for (i = 0; i < priv->num_entries; i++)
intel_pmt_dev_destroy(&priv->entry[i].entry,
&pmt_crashlog_ns);
- for (i = 0; i < priv->num_entries; i++) {
struct intel_pmt_entry *entry = &priv->entry[i].entry;
intel_pmt_release_endpoint(entry->ep);
intel_pmt_dev_destroy(entry, &pmt_crashlog_ns);
- }
} static int pmt_crashlog_probe(struct auxiliary_device *auxdev,