Re: ata_eh_report() unable to handle kernel NULL pointer dereference

From: Tejun Heo
Date: Wed Jan 14 2015 - 09:47:52 EST


On Wed, Jan 14, 2015 at 11:30:33PM +0900, Sergey Senozhatsky wrote:
> On (01/13/15 10:27), Tejun Heo wrote:
> > On Tue, Jan 13, 2015 at 11:25:09PM +0900, Sergey Senozhatsky wrote:
> > > Hi,
> > >
> > > linux-next 20150112
> > >
> > > [ 934.572323] ata2: exception Emask 0x50 SAct 0x0 SErr 0x4090800 action 0xe frozen
> > > [ 934.572329] ata2: irq_stat 0x00400040, connection status changed
> > > [ 934.572332] ata2: SError: { HostInt PHYRdyChg 10B8B DevExch }
> > > [ 934.572341] BUG: unable to handle kernel NULL pointer dereference at 0000000000000460
> > > [ 934.572346] IP: [<ffffffff812c722c>] ata_eh_report+0x3ad/0x74d
> >
> > Any chance you can run addr2line on it and map it to the source line?
> >
>
> Hello,
>
> sorry for the delay, emails from my android gmail app are blocked as "outlook
> spam".
>
> here it is in reverse order, RIP is the last one.
>
> ~/_next$ addr2line -e vmlinux -i ffffffff812c97a3
> _next/drivers/ata/libata-eh.c:4020
> ~/_next$ addr2line -e vmlinux -i ffffffff812cfb7e
> _next/drivers/ata/libahci.c:1438
> ~/_next$ addr2line -e vmlinux -i ffffffff812cf943
> _next/drivers/ata/libahci.c:1470
> ~/_next$ addr2line -e vmlinux -i ffffffff812cfb7e
> _next/drivers/ata/libahci.c:1438
> ~/_next$ addr2line -e vmlinux -i ffffffff812d0bab
> _next/drivers/ata/libahci.c:1383
> ~/_next$ addr2line -e vmlinux -i ffffffff812c05c0
> _next/include/linux/libata.h:1085
> _next/drivers/ata/libata-core.c:3715
> ~/_next$ addr2line -e vmlinux -i ffffffff812c96e5
> _next/drivers/ata/libata-eh.c:3991
> ~/_next$ addr2line -e vmlinux -i ffffffff812c722c
> _next/drivers/ata/libata-eh.c:2485
> _next/drivers/ata/libata-eh.c:2583

Ah, the culprit is cbba5b0ee4c6 ("libata: use
__scsi_format_command()") which moved qc->dev->cdb_len deref to before
the loop verifies the qc is valid.

Hannes, I think the right thing to do is moving that variable
declaration inside the if (ata_is_atapi()) block. Can you please take
care of it?

Thanks a lot.

--
tejun
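
The ordering problem described in this message, as a user-space model added here (it is not the libata code or the eventual patch). The struct layouts, `QCFLAG_FAILED`, `read_cdb_len()` and the sample table are constructed for illustration, and a NULL `dev` is counted as a fault instead of crashing so both orderings can be compared.

```c
#include <stddef.h>
#define QCFLAG_FAILED 0x1u  /* constructed stand-in for the loop's validity check */
#define NTAGS 4
struct dev { unsigned cdb_len; };
struct qc { unsigned flags; int is_atapi; const struct dev *dev; };
struct result { int reported, faults; };

/* Models the load of qc->dev->cdb_len: the kernel oopses on a NULL dev,
 * this model counts the fault so the two orderings can be compared. */
static unsigned read_cdb_len(const struct qc *qc, struct result *r)
{
    if (!qc->dev) { r->faults++; return 0; }
    return qc->dev->cdb_len;
}

/* Ordering described in the mail: load first, validity check second. */
struct result report_hoisted(const struct qc *tbl)
{
    struct result r = {0, 0};
    for (int tag = 0; tag < NTAGS; tag++) {
        unsigned cdb_len = read_cdb_len(&tbl[tag], &r);  /* too early */
        if (!(tbl[tag].flags & QCFLAG_FAILED))
            continue;
        if (tbl[tag].is_atapi && cdb_len)
            r.reported++;
    }
    return r;
}

/* Suggested ordering: the variable is scoped to the ATAPI block. */
struct result report_scoped(const struct qc *tbl)
{
    struct result r = {0, 0};
    for (int tag = 0; tag < NTAGS; tag++) {
        if (!(tbl[tag].flags & QCFLAG_FAILED))
            continue;
        if (tbl[tag].is_atapi) {
            unsigned cdb_len = read_cdb_len(&tbl[tag], &r);
            if (cdb_len) r.reported++;
        }
    }
    return r;
}

/* Constructed table: one failed ATAPI command among idle slots with no device. */
static const struct dev sample_dev = { 12 };
const struct qc sample_tbl[NTAGS] = {
    {0, 0, NULL}, {QCFLAG_FAILED, 1, &sample_dev}, {0, 0, NULL}, {0, 0, NULL} };
int main(void) { return report_scoped(sample_tbl).faults; }
```

Both orderings report the same failed command; only the hoisted one touches `dev` on slots the validity check would have skipped.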