Re: [patch 07/23] cciss: Panic in blk_rq_map_sg() from CCISS driver

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
To: Greg KH <gregkh@suse.de>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
	Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Oliver Pinter <oliver.pntr@gmail.com>,
	Jens Axboe <jens.axboe@oracle.com>,
	"Miller, Mike (OS Dev)" <Mike.Miller@hp.com>
Subject: Re: [patch 07/23] cciss: Panic in blk_rq_map_sg() from CCISS driver
Date: Mon, 25 Feb 2008 10:06:33 -0500	[thread overview]
Message-ID: <1203951994.5046.2.camel@localhost> (raw)
In-Reply-To: <20080222214021.GH8686@suse.de>

On Fri, 2008-02-22 at 13:40 -0800, Greg KH wrote:
> plain text document attachment
> (cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch)
> 2.6.22-stable review patch.  If anyone has any objections, please let us
> know.

Greg, Jens:  Does 2.6.22 contain the scatter/gather chaining that caused
the problem in 23-rc6-mm1?  If not, I wouldn't think this patch is
necessary there.

Lee
> 
> ------------------
> 
> From: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
> 
> mainline: a683d652d334a546be9175b894f42dbd8e399536
> 
> New scatter/gather list chaining [sg_next()] treats 'page' member of
> struct scatterlist with low bit set [0x01] as a chain pointer to
> another struct scatterlist [array].  The CCISS driver request function
> passes an uninitialized, temporary, on-stack scatterlist array to
> blk_rq_map_sq().  sg_next() interprets random data on the stack as a
> chain pointer and eventually tries to de-reference an invalid pointer,
> resulting in:
> 
> [<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
> PGD 6090c3067 PUD 0
> Oops: 0000 [1] SMP
> last sysfs file: /block/cciss!c0d0/cciss!c0d0p1/dev
> CPU 6
> Modules linked in: ehci_hcd ohci_hcd uhci_hcd
> Pid: 1, comm: init Not tainted 2.6.23-rc6-mm1 #3
> RIP: 0010:[<ffffffff8031dd70>] [<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
> RSP: 0018:ffff81060901f768 EFLAGS: 00010206
> RAX: 000000040b161000 RBX: ffff81060901f7d8 RCX: 000000040b162c00
> RDX: 0000000000000000 RSI: ffff81060b13a260 RDI: ffff81060b139600
> RBP: 0000000000001400 R08: 00000000fffffffe R09: 0000000000000400
> R10: 0000000000000000 R11: 000000040b163000 R12: ffff810102fe0000
> R13: 0000000000000001 R14: 0000000000000001 R15: 00001e0000000000
> FS: 00000000026108f0(0063) GS:ffff810409000b80(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 000000010000001e CR3: 00000006090c6000 CR4: 00000000000006e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process init (pid: 1, threadinfo ffff81060901e000, task ffff810409020800)
> last branch before last exception/interrupt
> from [<ffffffff8031de0a>] blk_rq_map_sg+0x10a/0x170
> to [<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
> Stack: 000000018068ea00 ffff810102fe0000 0000000000000000 ffff810011400000
> 0000000000000002 0000000000000000 ffff81040b172000 ffffffff803acd3d
> 0000000000003ec1 ffff8106090d5000 ffff8106090d5000 ffff810102fe0000
> Call Trace:
> [<ffffffff803acd3d>] do_cciss_request+0x15d/0x4c0
> [<ffffffff80298968>] new_slab+0x1c8/0x270
> [<ffffffff80298ffd>] __slab_alloc+0x22d/0x470
> [<ffffffff8027327b>] mempool_alloc+0x4b/0x130
> [<ffffffff8032b21e>] cfq_set_request+0xee/0x380
> [<ffffffff8027327b>] mempool_alloc+0x4b/0x130
> [<ffffffff8031ff98>] get_request+0x168/0x360
> [<ffffffff80331b0d>] rb_insert_color+0x8d/0x110
> [<ffffffff8031cfd8>] elv_rb_add+0x58/0x60
> [<ffffffff8032a329>] cfq_add_rq_rb+0x69/0xa0
> [<ffffffff8031c1ab>] elv_merged_request+0x5b/0x60
> [<ffffffff803224fd>] __make_request+0x23d/0x650
> [<ffffffff80298ffd>] __slab_alloc+0x22d/0x470
> [<ffffffff80270000>] generic_write_checks+0x140/0x190
> [<ffffffff8031f012>] generic_make_request+0x1c2/0x3a0
> <etc>
> Kernel panic - not syncing: Attempted to kill init!
> 
> This patch initializes the tmp_sg array to zeroes.  Perhaps not the ultimate
> fix, but an effective work-around.  I can now boot 23-rc6-mm1 on an HP
> Proliant x86_64 with CCISS boot disk.
> 
> Signed-off-by:  Lee Schermerhorn <lee.schermerhorn@hp.com>
> CC: Oliver Pinter <oliver.pntr@gmail.com>
> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> 
> ---
>  drivers/block/cciss.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> --- a/drivers/block/cciss.c
> +++ b/drivers/block/cciss.c
> @@ -2568,6 +2568,7 @@ static void do_cciss_request(request_que
>  	       (int)creq->nr_sectors);
>  #endif				/* CCISS_DEBUG */
>  
> +	memset(tmp_sg, 0, sizeof(tmp_sg));
>  	seg = blk_rq_map_sg(q, creq, tmp_sg);
>  
>  	/* get the DMA records for the setup */
>

next prev parent reply	other threads:[~2008-02-25 15:06 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20080222213114.583282464@mini.kroah.org>
2008-02-22 21:39 ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 21:39   ` [patch 01/23] cciss: fix memory leak Greg KH
2008-02-22 21:40   ` [patch 02/23] sata_promise: FastTrack TX4200 is a second-generation chip Greg KH
2008-02-22 21:40   ` [patch 03/23] sata_promise: ASIC PRD table bug workaround Greg KH
2008-02-22 21:40   ` [patch 04/23] PCI: Fix fakephp deadlock Greg KH
2008-02-22 21:40   ` [patch 05/23] quicklists: do not release off node pages early Greg KH
2008-02-22 21:40   ` [patch 06/23] NFS: Fix a potential file corruption issue when writing Greg KH
2008-02-22 21:40   ` [patch 07/23] cciss: Panic in blk_rq_map_sg() from CCISS driver Greg KH
2008-02-25 15:06     ` Lee Schermerhorn [this message]
2008-02-25 15:39       ` Jens Axboe
2008-02-25 17:55         ` [stable] " Greg KH
2008-02-22 21:40   ` [patch 08/23] Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731) Greg KH
2008-02-22 21:40   ` [patch 09/23] i386: fixup TRACE_IRQ breakage (CVE-2007-3731) Greg KH
2008-02-22 21:40   ` [patch 10/23] Intel_agp: really fix 945/965GME Greg KH
2008-02-22 21:40   ` [patch 11/23] pci: fix unterminated pci_device_id lists Greg KH
2008-02-22 21:40   ` [patch 12/23] sony-laptop: call sonypi_compat_init earlier Greg KH
2008-02-22 21:40   ` [patch 13/23] VIA_VELOCITY: Dont oops on MTU change Greg KH
2008-02-22 21:40   ` [patch 14/23] via-velocity: dont oops on MTU change (resend) Greg KH
2008-02-22 21:40   ` [patch 15/23] knfsd: fix spurious EINVAL errors on first access of new filesystem Greg KH
2008-02-22 21:40   ` [patch 16/23] NFS: Fix nfs_reval_fsid() Greg KH
2008-02-22 21:40   ` [patch 17/23] NFSv2/v3: Fix a memory leak when using -onolock Greg KH
2008-02-22 21:40   ` [patch 18/23] NFS: Fix an Oops in encode_lookup() Greg KH
2008-02-22 21:40   ` [patch 19/23] knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME Greg KH
2008-02-22 21:40   ` [patch 20/23] quicklists: Only consider memory that can be used with GFP_KERNEL Greg KH
2008-02-22 21:40   ` [patch 21/23] Be more robust about bad arguments in get_user_pages() Greg KH
2008-02-22 21:40   ` [patch 22/23] SCSI: sd: handle bad lba in sense information Greg KH
2008-02-22 21:41   ` [patch 23/23] NETFILTER: nf_conntrack_tcp: conntrack reopening fix Greg KH
2008-02-22 21:44   ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 22:03     ` Oliver Pinter
2008-02-22 22:32       ` Greg KH
2008-02-23  8:47         ` Willy Tarreau
2008-02-22 21:59   ` Oliver Pinter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1203951994.5046.2.camel@localhost \
    --to=lee.schermerhorn@hp.com \
    --cc=Mike.Miller@hp.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=gregkh@suse.de \
    --cc=jens.axboe@oracle.com \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=oliver.pntr@gmail.com \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.