From: "Kenneth D. Merry"
To: Michael Samuel
Cc: freebsd-scsi@FreeBSD.ORG
Subject: Re: NULL pointer deref in scsi_sense_desc
Date: Sat, 28 Apr 2001 23:48:00 -0600
Message-ID: <20010428234800.A37675@panzer.kdm.org>
In-Reply-To: <20010428114711.A7571@miknet.net>

On Sat, Apr 28, 2001 at 11:47:11 +1000, Michael Samuel wrote:
> Hi,
>
> I got a "Page fault in kernel mode" while writing to a SCSI tape (which had
> barfed on me with some SCSI sense messages shortly before the crash).
>
> This is in -current from the CVS as of about a week or 2 ago.
>
> It stopped at scsi_sense_desc+0x2f, which resolved in gdb -k to
> cam/scsi/scsi_all.c line 1573, which in my copy of the source tree looks
> like this:
>
> void
> scsi_sense_desc(int sense_key, int asc, int ascq,
>                 struct scsi_inquiry_data *inq_data,
>                 const char **sense_key_desc, const char **asc_desc)
> {
>         const struct asc_table_entry *asc_entry;
>         const struct sense_key_table_entry *sense_entry;
>
>         fetchtableentries(sense_key, asc, ascq,
>                           inq_data,
>                           &sense_entry,
>                           &asc_entry);
>
>         *sense_key_desc = sense_entry->desc;
>
> It seems as though sense_entry is NULL after fetchtableentries() returns,
> which, when I took a quick peek at fetchtableentries(), indicates that it
> couldn't find a match.

Hmm, that would cause the code to dereference a null pointer, which is bad.
It's probably a bug to do that without checking the pointer first, since a
drive could theoretically return a bogus sense key and cause a panic.

Would it be possible for you to get a stack trace?  If you need info on how
to get a stack trace:

http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/kerneldebug.html

What I'm looking for is what the sense key, asc, and ascq are.  I think we
should have all existing sense keys covered, but if we don't I'd like to
know about it.  (It would also be useful to know if the drive is just
returning a bogus sense key.)

The attached patch should fix your problem.  Let me know how it works.

> I'm not subscribed to this list, but if you need more info, feel free to
> send me an email directly (or Cc me in your follow-ups).
Ken
--
Kenneth Merry
ken@kdm.org

[Attachment: scsi_all.c.20010428 (text/plain)]

==== //depot/FreeBSD-ken/src/sys/cam/scsi/scsi_all.c#9 - /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_all.c ====
*** /tmp/tmp.44053.0 Sat Apr 28 23:43:22 2001
--- /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_all.c Sat Apr 28 23:43:11 2001
*************** *** 1570,1576 **** &sense_entry, &asc_entry); ! *sense_key_desc = sense_entry->desc; if (asc_entry != NULL) *asc_desc = asc_entry->desc; --- 1570,1579 ---- &sense_entry, &asc_entry); ! if (sense_entry != NULL) ! *sense_key_desc = sense_entry->desc; ! else ! *sense_key_desc = "Unknown Sense Key"; if (asc_entry != NULL) *asc_desc = asc_entry->desc;
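Review bot: the new else branch guarantees *sense_key_desc is always set, but the trailing context shows only `if (asc_entry != NULL) *asc_desc = asc_entry->desc;` for the ASC/ASCQ pair; unless an else follows below the hunk, a caller that does not pre-initialize *asc_desc is left with an indeterminate pointer on an unlisted ASC/ASCQ, the same class of bug this hunk fixes for the sense key. Given the cover note's wish to learn about keys the table does not cover, the else branch is also the natural place to report the raw sense_key value (e.g. `printf("unknown sense key 0x%x\n", sense_key);`) rather than only substituting "Unknown Sense Key".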
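The bug and fix discussed above, as an added example in C (this is not FreeBSD's scsi_all.c or the patch, and the function names, table contents and sense buffer are constructed for illustration): lookups that return NULL on no match, a describer that checks both results before dereferencing them so a bogus key from the drive yields a placeholder instead of a panic, and a length-checked parser that pulls the key, ASC and ASCQ out of a fixed-format sense buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed subset of the sense key and ASC/ASCQ tables; deliberately
 * sparse so that a key the table does not know exercises the fallback. */
struct sense_key_entry { int key; const char *desc; };
struct asc_entry { int asc, ascq; const char *desc; };
static const struct sense_key_entry sense_key_table[] = {
	{ 0x0, "NO SENSE" }, { 0x2, "NOT READY" }, { 0x3, "MEDIUM ERROR" },
	{ 0x4, "HARDWARE ERROR" }, { 0x5, "ILLEGAL REQUEST" },
};
static const struct asc_entry asc_table[] = {
	{ 0x04, 0x01, "Logical unit is in process of becoming ready" },
	{ 0x3a, 0x00, "Medium not present" },
};
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))
/* Both lookups return NULL on no match: the case that caused the panic. */
static const struct sense_key_entry *find_sense_key(int key)
{
	for (size_t i = 0; i < NELEM(sense_key_table); i++)
		if (sense_key_table[i].key == key)
			return &sense_key_table[i];
	return NULL;
}
static const struct asc_entry *find_asc(int asc, int ascq)
{
	for (size_t i = 0; i < NELEM(asc_table); i++)
		if (asc_table[i].asc == asc && asc_table[i].ascq == ascq)
			return &asc_table[i];
	return NULL;
}

/* Each lookup result is checked before use, so both outputs are always set. */
void sense_desc(int sense_key, int asc, int ascq,
		const char **sense_key_desc, const char **asc_desc)
{
	const struct sense_key_entry *se = find_sense_key(sense_key);
	const struct asc_entry *ae = find_asc(asc, ascq);
	*sense_key_desc = se != NULL ? se->desc : "Unknown Sense Key";
	*asc_desc = ae != NULL ? ae->desc : "Unknown ASC/ASCQ";
}

/* Fixed-format sense data: key is the low nibble of byte 2, ASC byte 12,
 * ASCQ byte 13. Short buffers are rejected rather than read past the end. */
int describe_fixed_sense(const uint8_t *buf, size_t len,
			 const char **sense_key_desc, const char **asc_desc)
{
	if (buf == NULL || len < 14)
		return -1;
	sense_desc(buf[2] & 0x0f, buf[12], buf[13], sense_key_desc, asc_desc);
	return 0;
}
```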