From: Stratos Psomadakis <psomas@gentoo.org>
To: linux-kernel@vger.kernel.org
Cc: Steffen Maier <maier@linux.vnet.ibm.com>,
	stable@vger.kernel.org, gregkh@suse.de,
	linux-scsi@vger.kernel.org, JBottomley@parallels.com,
	matthew@wil.cx, Martin.vGagern@gmx.net, kernel@gentoo.org
Subject: Re: [SCSI] NULL pointer dereference in sym53c8xx (bisected)
Date: Sun, 04 Dec 2011 19:36:25 +0200
Message-ID: <4EDBAF99.6010904@gentoo.org>
In-Reply-To: <4EDABAB5.10104@gentoo.org>

On 12/04/2011 02:11 AM, Stratos Psomadakis wrote:
> On 12/03/2011 11:07 PM, Steffen Maier wrote:
>> On 12/02/2011 04:26 PM, Stratos Psomadakis wrote:
>>> After upstream commit 4e6c82b3614a18740ef63109d58743a359266daf ([SCSI]
>>> fix WARNING: at drivers/scsi/scsi_lib.c:1704), which is also included in
>>> 3.0-stable and 3.1-stable kernels, the kernel fails to boot (NULL
>>> pointer dereference in sym53c8xx_slave_destroy).
>>>
>>> Bug report at the Gentoo Bugzilla (reported and bisected by Martin von
>>> Gagern). [1]  (stack trace [2])
>>>
>>> I think that the problem is that (after commit 4e6c82b)
>>> __scsi_remove_device() is called if slave_alloc() in scsi_alloc_sdev()
>>> fails. But __scsi_remove_device() calls slave_destroy(), which (I think)
>>> doesn't make much sense (i.e. to call slave_destroy() when slave_alloc()
>>> fails).
>>>
>>> For sym53c8xx, this results in a NULL pointer dereference (struct
>>> sym_lcb pointer) in slave_destroy().
>>>
>>> [1] https://bugs.gentoo.org/show_bug.cgi?id=392567
>>> [2] https://392567.bugs.gentoo.org/attachment.cgi?id=294381
>> To me this looks like the same thing we encountered in the zfcp LLD:
>> http://www.spinics.net/lists/linux-scsi/msg55575.html
>> James explained the pairing of slave_alloc and slave_destroy even if
>> slave_alloc returned early in which case slave_destroy needs to cope
>> with that:
>> http://www.spinics.net/lists/linux-scsi/msg55449.html
>>
> Indeed.
>
> I'll follow-up with a patch similar to the one you sent for zfcp. I
> think that returning if sym_lcb is NULL should be ok.
I forgot to chain the patch email in this thread, so here's the link:
http://marc.info/?l=linux-scsi&m=132295936832641&w=2

>> HTH
>> Steffen
>>
>> Linux on System z Development
>>
>> IBM Deutschland Research & Development GmbH
>> Vorsitzender des Aufsichtsrats: Martin Jetter
>> Geschäftsführung: Dirk Wittkopp
>> Sitz der Gesellschaft: Böblingen
>> Registergericht: Amtsgericht Stuttgart, HRB 243294
>>
-- 
Stratos Psomadakis
<psomas@gentoo.org>
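
The situation discussed in this thread, as an added user-space C model that is not part of the original messages and is not the sym53c8xx patch: a mid-layer runs the destroy hook after the alloc hook failed, and the hook returns early when its per-LUN pointer is NULL. All `toy_*` names and the LUN limit are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not kernel or driver code. */
struct toy_lcb { int started_cmds; };                 /* per-LUN driver state */
struct toy_dev { int lun; struct toy_lcb *hostdata; };

static int destroy_calls, lcb_freed;  /* hook invocations, per-LUN states released */

/* Alloc hook: may fail before any per-LUN state exists. */
static int toy_slave_alloc(struct toy_dev *d)
{
    if (d->lun > 7)          /* constructed failure condition */
        return -1;           /* early return: hostdata stays NULL */
    d->hostdata = calloc(1, sizeof(*d->hostdata));
    return d->hostdata ? 0 : -1;
}

/* Destroy hook: must cope with a device whose alloc hook failed. */
static void toy_slave_destroy(struct toy_dev *d)
{
    struct toy_lcb *lp = d->hostdata;
    destroy_calls++;
    if (!lp)                 /* alloc failed early, nothing to tear down */
        return;
    lp->started_cmds = 0;    /* NULL dereference here without the guard */
    free(lp);
    d->hostdata = NULL;
    lcb_freed++;
}

/* Mid-layer model: on alloc failure the destroy hook still runs. */
static int toy_alloc_sdev(struct toy_dev *d, int lun)
{
    d->lun = lun;
    d->hostdata = NULL;
    if (toy_slave_alloc(d) != 0) {
        toy_slave_destroy(d);
        return -1;
    }
    return 0;
}

int main(void)
{
    struct toy_dev d;
    int rc = toy_alloc_sdev(&d, 9);   /* LUN 9 makes the alloc hook fail */
    printf("rc=%d destroy_calls=%d lcb_freed=%d\n", rc, destroy_calls, lcb_freed);
    return 0;
}
```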