[PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sven Schnelle <svens@stackframe.org>
To: linux-kernel@vger.kernel.org
Subject: [PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference
Date: Sun, 09 Mar 2008 13:41:40 +0100	[thread overview]
Message-ID: <867igc3w8r.fsf@deprecated.bitebene.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 4343 bytes --]

Hi,

i'm facing the following kernel oops with the latest git:

--------------------------------------8<--------------------------------------
Stopping MD arrays...failed (no MD subsystem loaded).
Mounting root filesystem read-only...done.
Will now restart.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
IP: [<ffffffff8051a97e>] __gdth_interrupt+0x96e/0xb7f
PGD 7e51e067 PUD 7e6a1067 PMD 0 
Oops: 0002 [1] PREEMPT SMP 
CPU 3 
Modules linked in: nvidia(P) lm85 hwmon_vid hwmon [last unloaded: nvidia]
Pid: 0, comm: swapper Tainted: P         2.6.25-rc4-smp-00134-g84c6f60 #11 
RIP: 0010:[<ffffffff8051a97e>]  [<ffffffff8051a97e>] __gdth_interrupt+0x96e/0xb7f
RSP: 0018:ffff81007fbefed8  EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff81007e0dda68 RCX: 0000000000000002
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: ffffc20000330000
RBP: ffff81007fbeff08 R08: 0000000000000000 R09: ffff81007f01de70
R10: 0000000000000000 R11: 0000000000000050 R12: ffff810000b10480
R13: ffff810000b104ff R14: ffff81007e214200 R15: 0000000000000009
FS:  0000000000000000(0000) GS:ffff81007f802c80(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 000000007e643000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffff81007fbe6000, task ffff81007fbe4000)
Stack:  0000000000000046 ffff81007e8a93c0 0000000000000000 0000000000000000
 0000000000000018 0000000000000003 ffff81007fbeff18 ffffffff8051ab9f
 ffff81007fbeff48 ffffffff80258cc2 ffffffff8092e300 ffff81007e8a93c0
Call Trace:
 <IRQ>  [<ffffffff8051ab9f>] gdth_interrupt+0x10/0x12
 [<ffffffff80258cc2>] handle_IRQ_event+0x27/0x57
 [<ffffffff8025a055>] handle_fasteoi_irq+0x9c/0xdc
 [<ffffffff8020def0>] do_IRQ+0x88/0xfc
 [<ffffffff80209ffe>] ? default_idle+0x0/0x5f
 [<ffffffff8020b851>] ret_from_intr+0x0/0xa
 <EOI>  [<ffffffff8020a037>] ? default_idle+0x39/0x5f
 [<ffffffff8020a032>] ? default_idle+0x34/0x5f
 [<ffffffff80209ffe>] ? default_idle+0x0/0x5f
 [<ffffffff8020a11c>] ? cpu_idle+0xbf/0xf5
 [<ffffffff806cd973>] ? start_secondary+0x3e0/0x3ef


Code: 00 04 eb 15 3c 17 75 11 41 0f b6 c5 48 c1 e0 05 41 80 a4 04 92 02 00 00 fb 41 c7 86 18 01 00 00 00 00 00 00 49 8b 86 c0 00 00 00 <c6> 00 00 e9 92 01 00 00 66 89 43 24 41 8b 84 24 68 02 00 00 89 
RIP  [<ffffffff8051a97e>] __gdth_interrupt+0x96e/0xb7f
 RSP <ffff81007fbefed8>
CR2: 0000000000000000
---[ end trace e81e561a458e8791 ]---
Kernel panic - not syncing: Aiee, killing interrupt handler!
Rebooting in 5 seconds..
--------------------------------------8<--------------------------------------

From 2dc63f9f8e61fd1c89f8b4d9b2d174be1c3bfbe2 Mon Sep 17 00:00:00 2001
From: root <root@apollo.bitebene.org>
Date: Sun, 9 Mar 2008 13:25:07 +0100
Subject: 

This fixes a NULL pointer dereference during execution of Internal commands,
where gdth only allocates scp, but not scp->sense_buffer. The rest of
the code assumes that sense_buffer is allocated, which leads to a kernel
oops e.g. on reboot (during cache flush).

So we have two choices here:

a) Allocate the sense_buffer
b) surrounding all accesses to sense_buffer with some if (!internal_command)

I'm using solution a, as this keeps code simpler.

Signed-off-by: Sven Schnelle <svens@stackframe.org>
---
 drivers/scsi/gdth.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index 27ebd33..0b2080d 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -493,6 +493,12 @@ int __gdth_execute(struct scsi_device *sdev, gdth_cmd_str *gdtcmd, char *cmnd,
     if (!scp)
         return -ENOMEM;
 
+    scp->sense_buffer = kzalloc(SCSI_SENSE_BUFFERSIZE, GFP_KERNEL);
+    if (!scp->sense_buffer) {
+	kfree(scp);
+	return -ENOMEM;
+    }
+
     scp->device = sdev;
     memset(&cmndinfo, 0, sizeof(cmndinfo));
 
@@ -513,6 +519,7 @@ int __gdth_execute(struct scsi_device *sdev, gdth_cmd_str *gdtcmd, char *cmnd,
     rval = cmndinfo.status;
     if (info)
         *info = cmndinfo.info;
+    kfree(scp->sense_buffer);
     kfree(scp);
     return rval;
 }
-- 
1.5.4.3

Cheers,

Sven.

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

next             reply	other threads:[~2008-03-09 13:07 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-09 12:41 Sven Schnelle [this message]
2008-03-10 15:20 ` [PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference Boaz Harrosh
2008-03-10 21:12   ` James Bottomley
2008-03-10 21:50     ` Sven Schnelle
2008-03-11 15:47       ` Boaz Harrosh
2008-03-11 16:16     ` Boaz Harrosh
2008-03-11 17:39       ` Matthew Dharm
2008-03-11 18:07       ` Alan Stern
2008-03-11 18:07         ` Alan Stern
2008-03-11 18:36         ` Boaz Harrosh
2008-03-11 19:18           ` Alan Stern
2008-03-11 19:18             ` Alan Stern
2008-03-12 13:07             ` Boaz Harrosh
2008-03-12 13:11               ` [PATCH] isd200: Allocate sense_buffer for hacked up scsi_cmnd Boaz Harrosh
2008-03-12 15:10                 ` Alan Stern
2008-03-12 15:10                   ` Alan Stern
2008-03-12 15:24                   ` [PATCH resend] " Boaz Harrosh
2008-03-12 16:54                     ` James Bottomley
2008-03-12 17:05                       ` Boaz Harrosh
2008-03-12 17:20                         ` [PATCH ver3] " Boaz Harrosh
2008-03-13 20:01                           ` Andrew Morton
2008-03-13 20:16                             ` James Bottomley
2008-03-12 13:55               ` [PATCH] isd200: Fix memory leak in isd200_get_inquiry_data Boaz Harrosh
2008-03-12 15:11                 ` Alan Stern
2008-03-12 15:11                   ` Alan Stern
2008-03-12 15:08               ` [PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference Alan Stern
2008-03-12 15:08                 ` Alan Stern

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:27ebd33 dfblob:0b2080d )
 OR (
bs:"[PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=867igc3w8r.fsf@deprecated.bitebene.org \
    --to=svens@stackframe.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.