From owner-freebsd-scsi Sun Apr 29 3:30:49 2001
Delivered-To: freebsd-scsi@freebsd.org
Received: from eal.miknet.net (eal.miknet.net [202.174.235.5]) by hub.freebsd.org (Postfix) with ESMTP id B71E237B423 for ; Sun, 29 Apr 2001 03:30:44 -0700 (PDT) (envelope-from michael@miknet.net)
Received: from michael by eal.miknet.net with local (Exim 3.22 #1 (Debian)) id 14toT2-0005Ob-00; Sun, 29 Apr 2001 20:30:16 +1000
Date: Sun, 29 Apr 2001 20:30:16 +1000
To: "Kenneth D. Merry"
Cc: freebsd-scsi@FreeBSD.ORG
Subject: Re: NULL pointer deref in scsi_sense_desc
Message-ID: <20010429203016.A20311@miknet.net>
References: <20010428114711.A7571@miknet.net> <20010428234800.A37675@panzer.kdm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.17i
In-Reply-To: <20010428234800.A37675@panzer.kdm.org>; from ken@kdm.org on Sat, Apr 28, 2001 at 11:48:00PM -0600
From: Michael Samuel
Sender: owner-freebsd-scsi@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Apr 28, 2001 at 11:48:00PM -0600, Kenneth D. Merry wrote:
> Hmm, that would cause the code to dereference a null pointer, which is bad.
> It's probably a bug to do that without checking the pointer first, since a
> drive could theoretically return a bogus sense key and cause a panic.

Yes, that's exactly what the bug was.  It died on that line, and the instruction it got the page fault in was a "movl 0x8(%eax), %eax" (from memory...), and I'm guessing that %eax would have been 0.

This drive has been known in other systems to return bogus (or at least uncommon) sense keys.  The tape drive is a little bit stuffed, and has been causing hard lockups (not even ctrl-alt-esc responds) when I try to use it now.

> Would it be possible for you to get a stack trace?
> If you need info on how to get a stack trace:
>
> http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/kerneldebug.html

Unfortunately, I had crash dumps turned off at the time, so when I rebooted (to examine the crash from the comfort of gdb), savecore failed.  (oops)

> What I'm looking for is what the sense key, asc, and ascq are.  I think we
> should have all existing sense keys covered, but if we don't I'd like to
> know about it.  (It would also be useful to know if the drive is just
> returning a bogus sense key.)

It's a Seagate AIT drive, which in dmesg is reported as a "SEAGATE AIT 03j5", but has no other distinguishing marks, as far as I can tell.  It was in a funny state at the time of the crash...

> The attached patch should fix your problem.  Let me know how it works.

The patch looks "obviously correct", but maybe a debug message would be nice, to allow users to look up the sense key manually if they wish.  (Or does it get printed anyway?)

BTW, the same bug exists in scsi_error_action()...

-- 
Michael Samuel

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-scsi" in the body of the message
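An added illustration of the lookup-then-dereference pattern discussed in this thread; it is not the FreeBSD CAM code nor the patch Ken attached. The sense-key table, struct and function names are constructed for the example: the unchecked caller reproduces the fault a bogus sense key would trigger, and the checked caller formats the raw key so a user can look it up by hand, as the reply suggests.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of the SCSI sense-key table (not the FreeBSD table). */
struct sense_key_desc {
    int key;            /* 4-bit sense key from the sense data */
    const char *name;   /* human-readable name */
};

static const struct sense_key_desc sense_keys[] = {
    { 0x0, "NO SENSE" },
    { 0x1, "RECOVERED ERROR" },
    { 0x2, "NOT READY" },
    { 0x3, "MEDIUM ERROR" },
    { 0x4, "HARDWARE FAILURE" },
    { 0x5, "ILLEGAL REQUEST" },
    { 0x6, "UNIT ATTENTION" },
};

/* Returns NULL when the key is not in the table, which is exactly what a
 * drive returning a bogus sense key causes. */
const struct sense_key_desc *lookup_sense_key(int key)
{
    size_t i;
    for (i = 0; i < sizeof(sense_keys) / sizeof(sense_keys[0]); i++)
        if (sense_keys[i].key == key)
            return &sense_keys[i];
    return NULL;
}

/* Unsafe: dereferences the lookup result without checking it. On an
 * unknown key this reads through a NULL pointer (the "movl 0x8(%eax)"
 * style fault from the thread). Kept only to show the defect. */
const char *sense_key_name_unchecked(int key)
{
    return lookup_sense_key(key)->name;
}

/* Hardened: checks for NULL and reports the raw key so it can be looked
 * up manually instead of panicking. */
const char *sense_key_name_checked(int key, char *buf, size_t len)
{
    const struct sense_key_desc *d = lookup_sense_key(key);
    if (d == NULL) {
        snprintf(buf, len, "Unknown sense key 0x%x", key & 0xf);
        return buf;
    }
    return d->name;
}
```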