From nobody Tue Dec 2 02:52:14 2025 Received: from exactco.de (exactco.de [176.9.10.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D33B31DF261 for ; Mon, 17 Nov 2025 19:12:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=176.9.10.151 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763406727; cv=none; b=Ghm156S37gBBGzraOjh6TCeDw+GoH9BgbY4qojzdPjXwXREoYEJlLIpueehTknt0r+wzEZlkCCMKMOw1I4Z9/zCxViyHtdWA3YW/0dcspNrqdMcRAM6Uy1tPUeiEaSgr/a+nQjZ8Zw5SGG349y0KhMHaD00QkUyh/8Igj3uhIeA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763406727; c=relaxed/simple; bh=AeeOisnKPSDEs89wMuHPU2o8HDC4PvmvRQB9Xgn3xpU=; h=Date:Message-Id:To:CC:Subject:From:Mime-Version:Content-Type; b=QofxQJeV9dz4gFNNxCcD2qoUSTU6jgEGKOSAcRMVtwyAH2WeOK+rN/oBczhsHGGwU+9dgx2ytIUxMIzpWWGZAbV4OnBcUJL2gqUP/1eQSQmXqkGMZiJ8D4zvjaVCS5tYE1EWD6uRd2DiNJF0edAeIMyWJqNrkIxik7wnCrVK0UI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=exactco.de; spf=pass smtp.mailfrom=exactco.de; dkim=pass (2048-bit key) header.d=exactco.de header.i=@exactco.de header.b=OBhop5m8; arc=none smtp.client-ip=176.9.10.151 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=exactco.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=exactco.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=exactco.de header.i=@exactco.de header.b="OBhop5m8" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=exactco.de; s=x; h=Content-Transfer-Encoding:Content-Type:Mime-Version:From:Subject:CC:To :Message-Id:Date:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=yPE8M9sKIjSxR8x89zkycVZjdddGteA2222eafpG/dE=; b=O Bhop5m8zDrN0lSbqKJKu7Q9UAa66hnnoPuz3o/VbMBcKKJ4js2KKJ8vfxAk6VHLdr1Oyc2gykYLDH vWUHu9+s8TwT1lLiFZ1H8s+ZtPJRHvDsIh4qVioCf/0ZW5wuCC8KhwwtgAF0ecpmhSwUWsiituJaP w2aY4VqrgivPNXCAIxcCVYTj9yxG6VNQwEnIHDiyxyxlYy+9dBU7pPgzzXfPKn8q1iCs76C17mQhj WOfrJhCYy2lGx746W76ndF9gd5t9pyZH3kubhc2lEXsYi5VjG+EUVe1OgfQ964ROTzm5otyNOV9UX P/Ax5enrj2UfxMj6cZakPK/w0k20WOZHA==; Date: Mon, 17 Nov 2025 20:12:13 +0100 (CET) Message-Id: <20251117.201213.525232316832831369.rene@exactco.de> To: Yazen Ghannam , linux-kernel@vger.kernel.org CC: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Subject: [PATCH] x86/amd_nb: fix NULL deref in amd64_agp From: =?iso-8859-1?Q?Ren=E9?= Rebe X-Mailer: Mew version 6.10 on Emacs 30.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: Text/Plain; charset="utf-8" bc7b2e629e0c ("x86/amd_nb: Use topology info to get AMD node count") broke amd_cache_northbridges as iterating a next_northbridge or two is not identical to amd_num_nodes() on older systems. Among other details, this causes amd64_agp nforce3_agp_init to oops w/ null-ptr deref at: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 2579067 P4D 2579067 PUD 2578067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 56 Comm: kworker/0:2 Not tainted 6.15.0-t2 #1 PREEMPT(la= zy) Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./ALiveDual-eSAT= A2, BIOS P1.80 09/11/2009 Workqueue: events work_for_cpu_fn RIP: 0010:amd64_fetch_size+0x1f/0xb0 [amd64_agp] Code: 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 53 48 83 ec 10 65 48 8b = 05 47 e7 05 e3 48 89 44 24 08 31 db 31 ff e8 e1 30 c d e1 <48> 8b 38 48 85 ff 74 5e 48 8d 54 24 04 c7 02 00 00 00 00 be 90 00 RSP: 0018:ffffa1574019bd08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff8b0241365100 RDI: 0000000000000000 RBP: 00000000000000c0 R08: 0000000000000004 R09: ffffa1574019bd54 R10: 00000000ffffef01 R11: ffffffffa2818aa0 R12: ffff8b02419cd870 R13: ffff8b024189d400 R14: ffff8b0241094000 R15: ffff8b0241094000 FS: 0000000000000000(0000) GS:ffff8b02ba601000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000000257a000 CR4: 00000000000006f0 Call Trace: nforce3_agp_init+0x23/0x1d0 [amd64_agp] agp_amd64_probe+0x3dd/0x470 [amd64_agp] Fix this by only erroring out for the first node, limit amd_northbridges accordingly. Fixes: bc7b2e629e0c ("x86/amd_nb: Use topology info to get AMD node count") Signed-off-by: Rene Rebe --- Tested on AM2+ ASRock ALiveDual-eSATA2. --- a/arch/x86/kernel/amd_nb.c 2025-05-29 11:53:25.952929235 +0200 +++ b/arch/x86/kernel/amd_nb.c 2025-05-29 13:00:02.191707970 +0200 @@ -80,9 +82,13 @@ * If not, then uninitialize everything. */ if (!node_to_amd_nb(i)->misc) { - amd_northbridges.num =3D 0; - kfree(nb); - return -ENODEV; + if (i =3D=3D 0) { + kfree(nb); + return -ENODEV; + } + pr_info("next amd_northbridge not found, limiting to: %d\n", i); + amd_northbridges.num =3D i; + break; } =20 node_to_amd_nb(i)->link =3D amd_node_get_func(i, 4); --=20 Ren=C3=A9 Rebe, ExactCODE GmbH, Berlin, Germany https://exactco.de | https://t2linux.com | https://rene.rebe.de