From: bugzilla-daemon@bugzilla.kernel.org
To: linux-scsi@vger.kernel.org
Subject: [Bug 101891] mvsas prep failed, NULL pointer dereference in mvs_slot_task_free+0x5/0x1f0 [mvsas]
Date: Sun, 16 Aug 2015 22:14:00 +0000
Message-ID: <bug-101891-11613-meD8jUxaYT@https.bugzilla.kernel.org/>
In-Reply-To: <bug-101891-11613@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=101891

--- Comment #3 from Dāvis <davispuh@gmail.com> ---
I narrowed it down to this section of mvs_abort_task function
(drivers/scsi/mvsas/mv_sas.c)

    } else if (task->task_proto & SAS_PROTOCOL_SATA ||
        task->task_proto & SAS_PROTOCOL_STP) {
        if (SAS_SATA_DEV == dev->dev_type) {
            struct mvs_slot_info *slot = task->lldd_task;
            u32 slot_idx = (u32)(slot - mvi->slot_info);
            mv_dprintk("mvs_abort_task() mvi=%p task=%p "
                   "slot=%p slot_idx=x%x\n",
                   mvi, task, slot, slot_idx);
            task->task_state_flags |= SAS_TASK_STATE_ABORTED;
            mvs_slot_task_free(mvi, task, slot, slot_idx);
            rc = TMF_RESP_FUNC_COMPLETE;
            goto out;
        }
    }

Basically, this line: "u32 slot_idx = (u32)(slot - mvi->slot_info)".
I think (slot - mvi->slot_info) returns 0x10 and that's why. (There's no
"mvs_abort_task()" in the journal, so it crashes before that.)

kernel: mvsas 0000:07:00.0: mvsas prep failed[0]!
kernel: sas: Enter sas_scsi_recover_host busy: 1 failed: 1
kernel: sas: trying to find task 0xffff8801fff87500
kernel: sas: sas_scsi_find_task: aborting task 0xffff8801fff87500
kernel: BUG: unable to handle kernel NULL pointer dereference at
0000000000000010
kernel: IP: [<ffffffffa017afa5>] mvs_slot_task_free+0x5/0x1f0 [mvsas]
kernel: PGD 0 
kernel: Oops: 0000 [#1] PREEMPT SMP 
kernel: Modules linked in: nls_iso8859_4 nls_cp775 vfat fat fuse nvidia(PO)
xt_CHECKSUM ipt_MASQUERADE nf_nat_masq
kernel:  serio_raw pcspkr fam15h_power snd_hda_codec_realtek snd_hda_codec_hdmi
snd_hda_codec_generic snd_hda_inte
kernel: 
kernel: CPU: 3 PID: 222 Comm: scsi_eh_7 Tainted: P           O   
4.1.5-ARCH-dirty #2
kernel: Hardware name: Gigabyte Technology Co., Ltd.
GA-990FXA-UD3/GA-990FXA-UD3, BIOS FFe 11/08/2013
kernel: task: ffff880222718000 ti: ffff88007fc9c000 task.ti: ffff88007fc9c000
kernel: RIP: 0010:[<ffffffffa017afa5>]  [<ffffffffa017afa5>]
mvs_slot_task_free+0x5/0x1f0 [mvsas]
kernel: RSP: 0018:ffff88007fc9fd00  EFLAGS: 00010a13
kernel: RAX: 2e8ba2e8ba2e8ba3 RBX: ffff8801fff87500 RCX: 45d175ba2d18107b
kernel: RDX: 0000000000000000 RSI: ffff8801fff87500 RDI: ffff88007fb80000
kernel: RBP: ffff88007fc9fd58 R08: 000000000000000a R09: 000000000000060d
kernel: R10: 0000000000020cd8 R11: 000000000000060d R12: ffff88007fb836a0
kernel: R13: ffff8800ce394e00 R14: ffff88007fb80000 R15: ffff8801fff87508
kernel: FS:  00007f0720ffe700(0000) GS:ffff88022ecc0000(0000)
knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
kernel: CR2: 0000000000000010 CR3: 0000000224182000 CR4: 00000000000406e0
kernel: Stack:
kernel:  ffffffffa017dce2 ffff880000000018 ffff88007fc9fd68 ffff88007fc9fd28
kernel:  0000000020e55177 ffff88022536f208 0000000000000005 ffff88007fc9fdb0
kernel:  ffff8801fff87508 ffff8800ce321000 ffff8801fff87500 ffff88007fc9fe28
kernel: Call Trace:
kernel:  [<ffffffffa017dce2>] ? mvs_abort_task+0x272/0x2b0 [mvsas]
kernel:  [<ffffffffa030aeab>] sas_scsi_recover_host+0x47b/0xc20 [libsas]
kernel:  [<ffffffffa00dfb0c>] scsi_error_handler+0xfc/0x580 [scsi_mod]
kernel:  [<ffffffff81588152>] ? __schedule+0x372/0xa30
kernel:  [<ffffffffa00dfa10>] ? scsi_eh_get_sense+0x190/0x190 [scsi_mod]
kernel:  [<ffffffff81097818>] kthread+0xd8/0xf0
kernel:  [<ffffffff81097740>] ? kthread_worker_fn+0x170/0x170
kernel:  [<ffffffff8158c8a2>] ret_from_fork+0x42/0x70
kernel:  [<ffffffff81097740>] ? kthread_worker_fn+0x170/0x170
Code: 84 00 00 00 00 00 66 66 66 66 90 55 48 8b 87 b0 00 00 00 89 f6 48 89 e5
f0 48 0f b3 30 5d c3 0f 1f
80 00 00 00 00 66 66 66 66 90 <48> 83 7a 10 00 0f 84 60 01 00 00 55 48
kernel: Code: 84 00 00 00 00 00 66 66 66 66 90 55 48 8b 87 b0 00 00 00 89 f6 48
89 e5 f0 48 0f b3 30 5d c3 0f 1f 8
kernel: RIP  [<ffffffffa017afa5>] mvs_slot_task_free+0x5/0x1f0 [mvsas]
kernel:  RSP <ffff88007fc9fd00>
kernel: CR2: 0000000000000010
kernel: ---[ end trace 93debf717bb54039 ]---

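The oops quoted in the comment above can be cross-checked mechanically. What follows is an added example, not kernel code and not part of the bug report: it parses the register lines of the dump, maps them onto the parameters of mvs_slot_task_free(mvi, task, slot, slot_idx) according to the System V AMD64 calling convention (rdi, rsi, rdx, ecx), and decodes the instruction the oops marks with <48> in its Code: line, which is `48 83 7a 10 00`, i.e. `cmpq $0x0,0x10(%rdx)`. The oops lines are embedded as constructed input copied from this message and re-joined where the archive wrapped them; the instruction decoder handles only that one encoding and is not a disassembler.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Register and Code: lines copied from the oops in the report (constructed
 * input for this example), joined back into single lines. */
static const char *const oops_lines[] = {
    "kernel: RAX: 2e8ba2e8ba2e8ba3 RBX: ffff8801fff87500 RCX: 45d175ba2d18107b",
    "kernel: RDX: 0000000000000000 RSI: ffff8801fff87500 RDI: ffff88007fb80000",
    "kernel: CR2: 0000000000000010 CR3: 0000000224182000 CR4: 00000000000406e0",
    "kernel: Code: 84 00 00 00 00 00 66 66 66 66 90 55 48 8b 87 b0 00 00 00 89 f6 "
    "48 89 e5 f0 48 0f b3 30 5d c3 0f 1f 80 00 00 00 00 66 66 66 66 90 "
    "<48> 83 7a 10 00 0f 84 60 01 00 00 55 48",
};
static const size_t oops_nlines = sizeof oops_lines / sizeof oops_lines[0];

/* Look for "NAME: <hex>" in one line; store the value and return 1 if found. */
static int reg_value(const char *line, const char *name, uint64_t *out)
{
    char key[8];
    snprintf(key, sizeof key, "%s:", name);
    const char *p = strstr(line, key);
    if (!p)
        return 0;
    *out = strtoull(p + strlen(key), NULL, 16);  /* strtoull skips the blank */
    return 1;
}

/* Parameters of mvs_slot_task_free(mvi, task, slot, slot_idx) as the System V
 * AMD64 convention places them: rdi, rsi, rdx, ecx (low 32 bits of rcx). */
struct triage {
    uint64_t mvi, task, slot, fault_addr;  /* fault_addr is CR2 */
    uint32_t slot_idx;
    int null_plus_offset;                  /* CR2 lies in the first page */
};

struct triage triage_slot_task_free(const char *const *lines, size_t n)
{
    struct triage t = {0};
    uint64_t v;
    for (size_t i = 0; i < n; i++) {
        if (reg_value(lines[i], "RDI", &v)) t.mvi = v;
        if (reg_value(lines[i], "RSI", &v)) t.task = v;
        if (reg_value(lines[i], "RDX", &v)) t.slot = v;
        if (reg_value(lines[i], "RCX", &v)) t.slot_idx = (uint32_t)v;
        if (reg_value(lines[i], "CR2", &v)) t.fault_addr = v;
    }
    /* A fault address below the page size is a NULL base plus a field offset. */
    t.null_plus_offset = t.fault_addr < 4096;
    return t;
}

/* The instruction marked <..> in a Code: line, decoded only when it has the
 * shape REX.W 83 /digit ib with mod == 01 (8-bit displacement off a base
 * register). reg 7 is CMP; rm 2 is RDX. Anything else leaves ok == 0. */
struct cmp_mem { int ok, reg, rm, disp; };

struct cmp_mem decode_marked_insn(const char *code_line)
{
    struct cmp_mem d = {0};
    const char *p = strchr(code_line, '<');
    unsigned b[5];
    int n = 0;
    if (!p)
        return d;
    while (n < 5) {
        while (*p == ' ' || *p == '<' || *p == '>')
            p++;
        if (!isxdigit((unsigned char)*p))
            break;
        char *end;
        b[n++] = (unsigned)strtoul(p, &end, 16);
        p = end;
    }
    if (n < 5 || b[0] != 0x48 || b[1] != 0x83 || (b[2] >> 6) != 1)
        return d;
    d.ok = 1;
    d.reg = (b[2] >> 3) & 7;
    d.rm = b[2] & 7;
    d.disp = (int8_t)b[3];
    return d;
}

/* Do registers and faulting instruction agree on one story: the slot argument
 * (RDX) is NULL and the access is a CMP on a field at offset CR2 from RDX? */
int fault_is_null_slot(const char *const *lines, size_t n)
{
    struct triage t = triage_slot_task_free(lines, n);
    struct cmp_mem d = {0};
    for (size_t i = 0; i < n && !d.ok; i++)
        if (strstr(lines[i], "Code:"))
            d = decode_marked_insn(lines[i]);
    return t.null_plus_offset && t.slot == 0 && d.ok && d.reg == 7 && d.rm == 2
        && (uint64_t)d.disp == t.fault_addr;
}

int main(void)
{
    struct triage t = triage_slot_task_free(oops_lines, oops_nlines);
    printf("mvi=%#llx task=%#llx slot=%#llx slot_idx=%#x fault=%#llx\n",
           (unsigned long long)t.mvi, (unsigned long long)t.task,
           (unsigned long long)t.slot, t.slot_idx, (unsigned long long)t.fault_addr);
    printf("NULL slot dereference: %s\n",
           fault_is_null_slot(oops_lines, oops_nlines) ? "yes" : "no");
    return 0;
}
```

Run over the quoted dump, RDX (the slot argument) is zero, CR2 is 0x10 and the marked instruction reads 0x10(%rdx), so the three values agree: a NULL slot dereferenced at a field 0x10 bytes in, while ECX carries 0x2d18107b, an index no slot table could hold. From a hardening point of view that is why an abort path has to validate task->lldd_task before deriving an index from it. The same check applies to any x86-64 oops whose register names and Code: marker follow the standard format.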