Bugs in Linux v3.1.1 Drivers

The bugs in this table are from drivers in Linux v3.1.1. We reported each bug to confirm that it was genuine; the confirmations and patches are linked from the entries below.

Driver / Bug details
lp5523: A particularly insidious bug that was hard to diagnose despite having a reproducible crash. Without going into the details of the symptom, the defect is a missing NULL terminator on the lp5523_attributes array: sysfs walks such an array until it finds a NULL pointer, so a missing sentinel sends the walk past the end of the array. The array happened to be placed next to lp5523_led_attribute_group in the compiled binary (and memory image), which is why the driver "mostly" works anyway. Greg Kroah-Hartman verified that this bug is legitimate, here, though the patch remains unmerged. The bug is visible here.
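The shape of this defect, as an added userspace example (not lp5523 or kernel code): a sysfs-style attribute array without its NULL sentinel next to the corrected one, and a walker that stops on NULL the way sysfs_create_group does but refuses to run past the declared capacity. The attribute names and the simplified struct attribute are placeholders, not the driver's.

```c
/* Added example, not lp5523 or kernel code: a bounded walker that reports
 * whether a sysfs-style attribute array carries the NULL sentinel that
 * sysfs_create_group() stops on. Attribute names are placeholders. */
#include <stddef.h>

struct attribute {
    const char *name;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

static struct attribute attr_one = { "placeholder_one" };
static struct attribute attr_two = { "placeholder_two" };

/* The defect the page describes: no NULL after the last entry, so a walker
 * that stops only on NULL runs into whatever the linker placed next. */
static struct attribute *buggy_attrs[] = {
    &attr_one,
    &attr_two,
};

/* The corrected array: the sentinel ends the walk. */
static struct attribute *fixed_attrs[] = {
    &attr_one,
    &attr_two,
    NULL,
};

/*
 * Walk like sysfs does (until NULL) but never past 'capacity' slots.
 * Returns the number of attributes before the sentinel, or -1 if the
 * sentinel is missing from the array, which is the bug.
 */
static int count_terminated_attrs(struct attribute **attrs, size_t capacity)
{
    size_t i;

    for (i = 0; i < capacity; i++)
        if (attrs[i] == NULL)
            return (int)i;
    return -1;
}

int check_buggy_array(void)
{
    return count_terminated_attrs(buggy_attrs, ARRAY_SIZE(buggy_attrs));
}

int check_fixed_array(void)
{
    return count_terminated_attrs(fixed_attrs, ARRAY_SIZE(fixed_attrs));
}
```

The bound is what makes the check safe to run on a broken array; the kernel's own walker has no bound, which is why the real bug only showed up as a crash whose cause depended on what the linker happened to put after the array.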
lp5523: lp5523_probe calls lp5523_init_led once per LED, and only after each call returns does it call INIT_WORK on the corresponding brightness_work structure. Inside lp5523_init_led, sysfs_create_group is called right after led_classdev_register. If sysfs_create_group fails, lp5523_init_led unwinds by calling led_classdev_unregister, and because led_classdev_register had already completed, led_classdev_unregister calls led_brightness_set, which invokes the driver function lp5523_set_brightness. That function calls schedule_work on the brightness_work structure, which has not yet been initialised, and the kernel panics. Fixed here. Bug visible here.
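The ordering problem described above, as an added userspace model (not lp5523 or kernel code). INIT_WORK, schedule_work, led_classdev_register and led_classdev_unregister are stand-ins that keep only the behaviour the bug depends on: unregister turns the LED off through the driver callback, and scheduling an uninitialised work item is counted as an oops. The "fixed" order is the obvious reordering (initialise the work item before anything can call back into the driver), an assumption here rather than the actual upstream patch.

```c
/* Added example, not lp5523 or kernel code: a userspace model of the probe
 * ordering bug. INIT_WORK(), schedule_work(), led_classdev_register() and
 * led_classdev_unregister() are stand-ins that keep only the behaviour the
 * bug depends on; the "fixed" order is an assumed reordering, not the
 * actual upstream patch. */
#include <stdbool.h>
#include <stddef.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct {
    bool initialized;                     /* set by INIT_WORK */
    void (*func)(struct work_struct *);
};

struct led_classdev {
    bool registered;
    void (*brightness_set)(struct led_classdev *cdev, int value);
};

struct lp5523_led {
    struct led_classdev cdev;
    struct work_struct brightness_work;
    int requested;                        /* brightness asked for */
    int hardware;                         /* brightness the work item wrote out */
};

static int oops_count;                    /* schedule_work() on uninitialised work */

#define INIT_WORK(w, fn) \
    do { (w)->initialized = true; (w)->func = (fn); } while (0)

static void schedule_work(struct work_struct *w)
{
    if (!w->initialized) {                /* the real kernel oopses here */
        oops_count++;
        return;
    }
    w->func(w);                           /* run inline; ordering is the point */
}

static void led_classdev_register(struct led_classdev *cdev)
{
    cdev->registered = true;
}

/* Like the real one: turns the LED off through the driver before removal. */
static void led_classdev_unregister(struct led_classdev *cdev)
{
    cdev->brightness_set(cdev, 0);
    cdev->registered = false;
}

static void lp5523_led_brightness_work(struct work_struct *w)
{
    struct lp5523_led *led = container_of(w, struct lp5523_led, brightness_work);
    led->hardware = led->requested;
}

static void lp5523_set_brightness(struct led_classdev *cdev, int value)
{
    struct lp5523_led *led = container_of(cdev, struct lp5523_led, cdev);
    led->requested = value;
    schedule_work(&led->brightness_work);
}

/* sysfs_fails models sysfs_create_group() returning an error right after
 * led_classdev_register() succeeded; the unwind calls back into the driver. */
static int lp5523_init_led(struct lp5523_led *led, bool sysfs_fails)
{
    led->cdev.brightness_set = lp5523_set_brightness;
    led_classdev_register(&led->cdev);
    if (sysfs_fails) {
        led_classdev_unregister(&led->cdev);
        return -1;
    }
    return 0;
}

/* Order from the page: the work item is initialised only after init_led returns. */
static int probe_buggy(bool sysfs_fails)
{
    struct lp5523_led led = { 0 };
    int ret = lp5523_init_led(&led, sysfs_fails);
    if (ret)
        return ret;
    INIT_WORK(&led.brightness_work, lp5523_led_brightness_work);
    return 0;
}

/* Reordered: everything a callback may touch exists before registration. */
static int probe_fixed(bool sysfs_fails)
{
    struct lp5523_led led = { 0 };
    INIT_WORK(&led.brightness_work, lp5523_led_brightness_work);
    return lp5523_init_led(&led, sysfs_fails);
}

/* Runs one probe variant and returns how many simulated oopses it caused. */
int oopses_during_probe(int (*probe)(bool), bool sysfs_fails)
{
    oops_count = 0;
    probe(sysfs_fails);
    return oops_count;
}
```

The buggy order is harmless on the success path, which is why the crash only appears when sysfs_create_group fails; the general rule the fix follows is that a registration which can invoke driver callbacks must come after every resource those callbacks use.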
lp5523 (Not counted as a bug): Fixed here. This patch resulted from a crash in lp5523.
ks8851: Fix missing mutex_lock/unlock. Move the ks8851_rdreg16 call above the call to request_irq and cache the result for subsequent repeated use; otherwise a spurious interrupt arriving before the driver is ready may cause a crash. Thanks to Stephen Boyd, Flavio Leitner, and Ben Hutchings for feedback. Fixed here. Bug visible here.
ks8851: Fix request_irq/free_irq mismatch. The dev_id argument passed to free_irq must match the one passed to the corresponding request_irq; otherwise free_irq cannot find the handler and leaves it installed. Fixed here. Bug visible here.
ks8851 (Not counted as a bug): There appears to be a hardware-dependence bug in ks8851_rx_pkts:

rxh = ks8851_rdreg32(ks, KS_RXFHSR);                  /* frame header/status word from the chip */
rxlen = rxh >> 16;                                     /* length comes straight from hardware */
rxlen -= 4;                                            /* strip the trailing 32-bit CRC */
rxalign = ALIGN(rxlen, 4);                             /* round up to a 4-byte multiple */
skb = netdev_alloc_skb_ip_align(ks->netdev, rxalign);  /* allocation sized by that length */

A hardware fault could make the chip report a bogus length and so lead to the allocation of a very large packet, but it's not clear this counts as a bug. Because rxlen is taken from the upper 16 bits of the register, the allocated skb is bounded at roughly 64 KB (65535 bytes less the CRC, rounded up), which is bounded but rather large. The quoted lines also show no lower bound on rxlen before the subtraction; whether the surrounding code guards that case is not shown here.

Bug visible here.
ks8851: The driver does not cancel its work item reliably on unload. As a result, ks8851_irq_work may still execute while the driver is being unloaded and can crash the system. We added cancel_work_sync as an experiment, but that only shrinks the window of vulnerability: as long as the interrupt can still fire, the handler can requeue the work after it has been cancelled. Stephen Boyd validated this bug here, assuming you accept the premise that hardware-dependence bugs should be fixed. However, without a good fix, it remains unpatched. The affected file is here.
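The unload race described above, and the request_irq ordering point from the earlier ks8851 entries, as an added userspace model (not ks8851 or kernel code). schedule_work, cancel_work_sync, request_irq and free_irq are single-threaded stand-ins that keep only the ordering the race depends on; a "late" interrupt is injected at the same point in both teardown orders, and the deferred work is run after the device memory is marked freed. The "fixed" order (release the interrupt before cancelling the work it schedules) is the general kernel rule, an assumption here rather than a patch taken from the page.

```c
/* Added example, not ks8851 or kernel code: a userspace model of the unload
 * race. The "fixed" order (release the interrupt before cancelling the work
 * it schedules) is the general kernel rule, not a patch taken from the page;
 * schedule_work(), cancel_work_sync(), request_irq() and free_irq() are
 * single-threaded stand-ins that keep only the ordering the race depends on. */
#include <stdbool.h>
#include <stddef.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct {
    bool pending;
    void (*func)(struct work_struct *);
};

struct ks_dev {
    bool alive;                 /* false once the driver's memory is gone */
    bool irq_registered;
    struct work_struct irq_work;
    int packets_handled;
};

static int use_after_unload;    /* work ran against torn-down state */

#define INIT_WORK(w, fn) \
    do { (w)->pending = false; (w)->func = (fn); } while (0)

static void schedule_work(struct work_struct *w) { w->pending = true; }

/* Clears a queued item; the real call also waits for a running instance,
 * but it cannot stop a later schedule_work() from requeueing. */
static void cancel_work_sync(struct work_struct *w) { w->pending = false; }

/* The workqueue thread gets the CPU some time later. */
static void run_pending_work(struct work_struct *w)
{
    if (w->pending) {
        w->pending = false;
        w->func(w);
    }
}

static void ks8851_irq_work(struct work_struct *w)
{
    struct ks_dev *ks = container_of(w, struct ks_dev, irq_work);
    if (!ks->alive) {
        use_after_unload++;
        return;
    }
    ks->packets_handled++;
}

/* The hard-IRQ handler only defers to the work item, as in the driver. */
static void ks8851_irq(struct ks_dev *ks) { schedule_work(&ks->irq_work); }

static void request_irq(struct ks_dev *ks) { ks->irq_registered = true; }
static void free_irq(struct ks_dev *ks) { ks->irq_registered = false; }

/* An interrupt (possibly spurious) reaches the handler only while registered. */
static void raise_irq(struct ks_dev *ks)
{
    if (ks->irq_registered)
        ks8851_irq(ks);
}

/* The page's experiment: cancel first, while the line can still fire. */
static void remove_buggy(struct ks_dev *ks, bool late_irq)
{
    cancel_work_sync(&ks->irq_work);
    if (late_irq)
        raise_irq(ks);          /* the window: requeued after the cancel */
    free_irq(ks);
}

/* General rule: nothing may requeue the work once it has been cancelled. */
static void remove_fixed(struct ks_dev *ks, bool late_irq)
{
    free_irq(ks);
    if (late_irq)
        raise_irq(ks);          /* same interrupt, but no handler to run */
    cancel_work_sync(&ks->irq_work);
}

/* Brings a device up, tears it down with the given order, then lets any
 * leftover work run; returns how often that work touched freed state. */
int uses_after_unload(void (*remove)(struct ks_dev *, bool), bool late_irq)
{
    struct ks_dev ks = { 0 };

    ks.alive = true;
    INIT_WORK(&ks.irq_work, ks8851_irq_work);
    request_irq(&ks);
    raise_irq(&ks);
    run_pending_work(&ks.irq_work);     /* one normal packet */

    use_after_unload = 0;
    remove(&ks, late_irq);
    ks.alive = false;                   /* module memory released */
    run_pending_work(&ks.irq_work);     /* workqueue thread finally runs */
    return use_after_unload;
}
```

The model makes the "only shrinks the window" observation concrete: cancel_work_sync empties the queue at one instant, but an interrupt that lands afterwards refills it, so the cancel has to come after the last thing that can call schedule_work. The same reasoning explains why the earlier ks8851 fix moves work ahead of request_irq: the handler must not be installed until everything it (or the work it schedules) touches is ready.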
hostap (Not counted as a bug): We did not include results from this driver in the paper because we ran out of time to test it fully. We did find a bug, though, which was patched here. The affected file is visible here.