Re: [PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Boaz Harrosh <bharrosh@panasas.com>
To: Sven Schnelle <svens@stackframe.org>,
	James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-kernel@vger.kernel.org,
	linux-scsi <linux-scsi@vger.kernel.org>,
	FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Subject: Re: [PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference
Date: Mon, 10 Mar 2008 17:20:24 +0200	[thread overview]
Message-ID: <47D551B8.9080807@panasas.com> (raw)
In-Reply-To: <867igc3w8r.fsf@deprecated.bitebene.org>

On Sun, Mar 09 2008 at 14:41 +0200, Sven Schnelle <svens@stackframe.org> wrote:
> Hi,
> 
> i'm facing the following kernel oops with the latest git:
> 
> --------------------------------------8<--------------------------------------
> Stopping MD arrays...failed (no MD subsystem loaded).
> Mounting root filesystem read-only...done.
> Will now restart.
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> IP: [<ffffffff8051a97e>] __gdth_interrupt+0x96e/0xb7f
> PGD 7e51e067 PUD 7e6a1067 PMD 0 
> Oops: 0002 [1] PREEMPT SMP 
> CPU 3 
> Modules linked in: nvidia(P) lm85 hwmon_vid hwmon [last unloaded: nvidia]
> Pid: 0, comm: swapper Tainted: P         2.6.25-rc4-smp-00134-g84c6f60 #11 
> RIP: 0010:[<ffffffff8051a97e>]  [<ffffffff8051a97e>] __gdth_interrupt+0x96e/0xb7f
> RSP: 0018:ffff81007fbefed8  EFLAGS: 00010086
> RAX: 0000000000000000 RBX: ffff81007e0dda68 RCX: 0000000000000002
> RDX: 00000000ffffffff RSI: 0000000000000000 RDI: ffffc20000330000
> RBP: ffff81007fbeff08 R08: 0000000000000000 R09: ffff81007f01de70
> R10: 0000000000000000 R11: 0000000000000050 R12: ffff810000b10480
> R13: ffff810000b104ff R14: ffff81007e214200 R15: 0000000000000009
> FS:  0000000000000000(0000) GS:ffff81007f802c80(0000) knlGS:0000000000000000
> CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
> CR2: 0000000000000000 CR3: 000000007e643000 CR4: 00000000000006e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process swapper (pid: 0, threadinfo ffff81007fbe6000, task ffff81007fbe4000)
> Stack:  0000000000000046 ffff81007e8a93c0 0000000000000000 0000000000000000
>  0000000000000018 0000000000000003 ffff81007fbeff18 ffffffff8051ab9f
>  ffff81007fbeff48 ffffffff80258cc2 ffffffff8092e300 ffff81007e8a93c0
> Call Trace:
>  <IRQ>  [<ffffffff8051ab9f>] gdth_interrupt+0x10/0x12
>  [<ffffffff80258cc2>] handle_IRQ_event+0x27/0x57
>  [<ffffffff8025a055>] handle_fasteoi_irq+0x9c/0xdc
>  [<ffffffff8020def0>] do_IRQ+0x88/0xfc
>  [<ffffffff80209ffe>] ? default_idle+0x0/0x5f
>  [<ffffffff8020b851>] ret_from_intr+0x0/0xa
>  <EOI>  [<ffffffff8020a037>] ? default_idle+0x39/0x5f
>  [<ffffffff8020a032>] ? default_idle+0x34/0x5f
>  [<ffffffff80209ffe>] ? default_idle+0x0/0x5f
>  [<ffffffff8020a11c>] ? cpu_idle+0xbf/0xf5
>  [<ffffffff806cd973>] ? start_secondary+0x3e0/0x3ef
> 
> 
> Code: 00 04 eb 15 3c 17 75 11 41 0f b6 c5 48 c1 e0 05 41 80 a4 04 92 02 00 00 fb 41 c7 86 18 01 00 00 00 00 00 00 49 8b 86 c0 00 00 00 <c6> 00 00 e9 92 01 00 00 66 89 43 24 41 8b 84 24 68 02 00 00 89 
> RIP  [<ffffffff8051a97e>] __gdth_interrupt+0x96e/0xb7f
>  RSP <ffff81007fbefed8>
> CR2: 0000000000000000
> ---[ end trace e81e561a458e8791 ]---
> Kernel panic - not syncing: Aiee, killing interrupt handler!
> Rebooting in 5 seconds..
> --------------------------------------8<--------------------------------------
> 
> From 2dc63f9f8e61fd1c89f8b4d9b2d174be1c3bfbe2 Mon Sep 17 00:00:00 2001
> From: root <root@apollo.bitebene.org>
> Date: Sun, 9 Mar 2008 13:25:07 +0100
> Subject: 
> 
> This fixes a NULL pointer dereference during execution of Internal commands,
> where gdth only allocates scp, but not scp->sense_buffer. The rest of
> the code assumes that sense_buffer is allocated, which leads to a kernel
> oops e.g. on reboot (during cache flush).
> 
> So we have two choices here:
> 
> a) Allocate the sense_buffer
> b) surrounding all accesses to sense_buffer with some if (!internal_command)
> 
> I'm using solution a, as this keeps code simpler.
> 
> Signed-off-by: Sven Schnelle <svens@stackframe.org>
> ---
>  drivers/scsi/gdth.c |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
> index 27ebd33..0b2080d 100644
> --- a/drivers/scsi/gdth.c
> +++ b/drivers/scsi/gdth.c
> @@ -493,6 +493,12 @@ int __gdth_execute(struct scsi_device *sdev, gdth_cmd_str *gdtcmd, char *cmnd,
>      if (!scp)
>          return -ENOMEM;
>  
> +    scp->sense_buffer = kzalloc(SCSI_SENSE_BUFFERSIZE, GFP_KERNEL);
> +    if (!scp->sense_buffer) {
> +	kfree(scp);
> +	return -ENOMEM;
> +    }
> +
>      scp->device = sdev;
>      memset(&cmndinfo, 0, sizeof(cmndinfo));
>  
> @@ -513,6 +519,7 @@ int __gdth_execute(struct scsi_device *sdev, gdth_cmd_str *gdtcmd, char *cmnd,
>      rval = cmndinfo.status;
>      if (info)
>          *info = cmndinfo.info;
> +    kfree(scp->sense_buffer);
>      kfree(scp);
>      return rval;
>  }
James and linux-scsi CCed.

James it looks reasonable. It's a fallout from the sense_buffer separation patches.
Reviewed-by: Boaz Harrosh <bharrosh@panasas.com>

I will submit solution b) above as part of my sense handling patchset.

Boaz

next prev parent reply	other threads:[~2008-03-10 15:20 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-09 12:41 [PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference Sven Schnelle
2008-03-10 15:20 ` Boaz Harrosh [this message]
2008-03-10 21:12   ` James Bottomley
2008-03-10 21:50     ` Sven Schnelle
2008-03-11 15:47       ` Boaz Harrosh
2008-03-11 16:16     ` Boaz Harrosh
2008-03-11 17:39       ` Matthew Dharm
2008-03-11 18:07       ` Alan Stern
2008-03-11 18:36         ` Boaz Harrosh
2008-03-11 19:18           ` Alan Stern
2008-03-12 13:07             ` Boaz Harrosh
2008-03-12 13:11               ` [PATCH] isd200: Allocate sense_buffer for hacked up scsi_cmnd Boaz Harrosh
2008-03-12 15:10                 ` Alan Stern
2008-03-12 15:24                   ` [PATCH resend] " Boaz Harrosh
2008-03-12 16:54                     ` James Bottomley
2008-03-12 17:05                       ` Boaz Harrosh
2008-03-12 17:20                         ` [PATCH ver3] " Boaz Harrosh
2008-03-13 20:01                           ` Andrew Morton
2008-03-13 20:16                             ` James Bottomley
2008-03-12 13:55               ` [PATCH] isd200: Fix memory leak in isd200_get_inquiry_data Boaz Harrosh
2008-03-12 15:11                 ` Alan Stern
2008-03-12 15:08               ` [PATCH] [SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference Alan Stern

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47D551B8.9080807@panasas.com \
    --to=bharrosh@panasas.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=fujita.tomonori@lab.ntt.co.jp \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=svens@stackframe.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox