Date:      Sun, 29 Apr 2001 17:05:40 -0600
From:      "Kenneth D. Merry" <ken@kdm.org>
To:        Michael Samuel <michael@miknet.net>
Cc:        freebsd-scsi@FreeBSD.ORG
Subject:   Re: NULL pointer deref in scsi_sense_desc
Message-ID:  <20010429170540.A41755@panzer.kdm.org>
In-Reply-To: <20010429203016.A20311@miknet.net>; from michael@miknet.net on Sun, Apr 29, 2001 at 08:30:16PM +1000
References:  <20010428114711.A7571@miknet.net> <20010428234800.A37675@panzer.kdm.org> <20010429203016.A20311@miknet.net>


--3MwIy2ne0vdjdPXF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sun, Apr 29, 2001 at 20:30:16 +1000, Michael Samuel wrote:
> On Sat, Apr 28, 2001 at 11:48:00PM -0600, Kenneth D. Merry wrote:
> > Hmm, that would cause the code to dereference a null pointer, which is bad.
> > It's probably a bug to do that without checking the pointer first, since a
> > drive could theoretically return a bogus sense key and cause a panic.
> 
> Yes, that's exactly what the bug was.  It died on that line, and the
> instruction it got the page fault in was a "movl 0x8(%eax), %eax" (from
> memory...), and I'm guessing that %eax would have been 0.
> 
> This drive has been known in other systems to return bogus (or at least
> uncommon) sense keys. The tape drive is a little bit stuffed, and has been
> causing hard lockups (not even ctrl-alt-esc responds) when I try to use it
> now.

It would be nice to know what those bogus sense keys are.

> > Would it be possible for you to get a stack trace?  If you need info on how
> > to get a stack trace:
> > 
> > http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/kerneldebug.html
> 
> Unfortunately, I had crash dumps turned off at the time, so when I rebooted
> (to examine the crash from the comfort of gdb), savecore failed. (oops)

Could you try to reproduce the problem with crash dumps turned on?

> > What I'm looking for is what the sense key, asc, and ascq are.  I think we
> > should have all existing sense keys covered, but if we don't I'd like to
> > know about it.  (It would also be useful to know if the drive is just
> > returning a bogus sense key.)
> 
> It's a Seagate AIT drive, which in dmesg is reported as a "SEAGATE AIT 03j5",
> but has no other distinguishing marks, as far as I can tell.  It was in a
> funny state at the time of the crash...
> 
> > The attached patch should fix your problem.  Let me know how it works.
> 
> The patch looks "obviously correct", but maybe a debug message would be nice,
> to allow users to look up the sense key manually if they wish. (Or does it
> get printed anyway?)

The numeric values generally only get printed for ASC/ASCQ pairs, since it
is much more common to see unknown sense codes than sense keys.

I've attached a patch that will print it, at least in the standard sense
printing case.  There isn't much space to do it in the da(4) or cd(4)
drivers, and those drivers don't print out numbers for unknown asc/ascq's
either.

> BTW, the same bug exists in scsi_error_action()...

Should be fixed in this patch.

Ken
-- 
Kenneth Merry
ken@kdm.org

--3MwIy2ne0vdjdPXF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="scsi_all.sense_desc.20010429"

==== //depot/FreeBSD-ken/src/sys/cam/scsi/scsi_all.c#9 - /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_all.c ====
*** /tmp/tmp.1035.0	Sun Apr 29 17:00:00 2001
--- /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_all.c	Sun Apr 29 16:58:47 2001
***************
*** 1570,1576 ****
  			  &sense_entry,
  			  &asc_entry);
  
! 	*sense_key_desc = sense_entry->desc;
  
  	if (asc_entry != NULL)
  		*asc_desc = asc_entry->desc;
--- 1570,1579 ----
  			  &sense_entry,
  			  &asc_entry);
  
! 	if (sense_entry != NULL)
! 		*sense_key_desc = sense_entry->desc;
! 	else
! 		*sense_key_desc = NULL;
  
  	if (asc_entry != NULL)
  		*asc_desc = asc_entry->desc;
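Review bot: Setting `*sense_key_desc = NULL` in the new else branch changes what callers of scsi_sense_desc() can receive, and nothing in the hunk documents it. Add a comment at the function stating that the out-parameter may be NULL when `sense_entry` is NULL, and check every caller of the function, not only the ones touched elsewhere in this patch.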
***************
*** 1637,1644 ****
  		if (asc_entry != NULL
  		 && (asc != 0 || ascq != 0))
  			action = asc_entry->action;
! 		else
  			action = sense_entry->action;
  
  		if (sense_key == SSD_KEY_RECOVERED_ERROR) {
  			/*
--- 1640,1649 ----
  		if (asc_entry != NULL
  		 && (asc != 0 || ascq != 0))
  			action = asc_entry->action;
! 		else if (sense_entry != NULL)
  			action = sense_entry->action;
+ 		else
+ 			action = SS_RETRY|SSQ_DECREMENT_COUNT|SSQ_PRINT_SENSE;
  
  		if (sense_key == SSD_KEY_RECOVERED_ERROR) {
  			/*
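Review bot: The new final else picks `SS_RETRY|SSQ_DECREMENT_COUNT|SSQ_PRINT_SENSE` without saying why that is the right default when `sense_entry` is NULL and the asc branch did not apply. Add a short comment explaining the choice (retry against a decremented count, with the sense data printed), so a later reader does not have to guess whether failing the command outright was considered. Spaces around `|` would also match the `asc != 0 || ascq != 0` style a few lines up.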
***************
*** 1950,1956 ****
  		ascq = (sense->extra_len >= 6) ? sense->add_sense_code_qual : 0;
  		scsi_sense_desc(sense_key, asc, ascq, inq_data,
  				&sense_key_desc, &asc_desc);
! 		sbuf_cat(sb, sense_key_desc);
  
  		info = scsi_4btoul(sense->info);
  		
--- 1955,1964 ----
  		ascq = (sense->extra_len >= 6) ? sense->add_sense_code_qual : 0;
  		scsi_sense_desc(sense_key, asc, ascq, inq_data,
  				&sense_key_desc, &asc_desc);
! 		if (sense_key_desc != NULL)
! 			sbuf_cat(sb, sense_key_desc);
! 		else
! 			sbuf_printf(sb, "Unknown Sense Key %#x", sense_key);
  
  		info = scsi_4btoul(sense->info);
  		
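Review bot: In the new else branch, `%#x` omits the `0x` prefix when the value is 0, so the output format depends on the key. Writing the format as `"Unknown Sense Key 0x%x"` keeps the message uniform for anyone matching on it in logs.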
==== //depot/FreeBSD-ken/src/sys/cam/scsi/scsi_cd.c#16 - /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_cd.c ====
*** /tmp/tmp.1035.1	Sun Apr 29 17:00:00 2001
--- /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_cd.c	Sun Apr 29 16:57:07 2001
***************
*** 1718,1728 ****
  							&sense_key_desc,
  							&asc_desc);
  					snprintf(announce_buf,
! 					    sizeof(announce_buf),
! 						"Attempt to query device "
! 						"size failed: %s, %s",
! 						sense_key_desc,
! 						asc_desc);
  				} else if (SID_TYPE(&cgd.inq_data) == T_CDROM) {
  					/*
  					 * We only print out an error for
--- 1718,1730 ----
  							&sense_key_desc,
  							&asc_desc);
  					snprintf(announce_buf,
! 						 sizeof(announce_buf),
! 						 "Attempt to query device "
! 						 "size failed: %s, %s",
! 						 sense_key_desc ?
! 						 sense_key_desc:
! 						 "Unknown Sense Key",
! 						 asc_desc);
  				} else if (SID_TYPE(&cgd.inq_data) == T_CDROM) {
  					/*
  					 * We only print out an error for
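Review bot: `asc_desc` is still passed to `%s` unchecked as the last argument of this `snprintf` call, while `sense_key_desc` now gets a NULL fallback. The scsi_sense_desc() hunk shows `*asc_desc` assigned under `if (asc_entry != NULL)` with the other branch outside the visible context, so confirm it always ends up non-NULL or give it the same treatment here. Two style points: `sense_key_desc:` is missing the space before the colon that the scsi_da.c copy has, and the re-indentation of the argument lines is mixed in with the functional change, which makes the real change harder to see.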
==== //depot/FreeBSD-ken/src/sys/cam/scsi/scsi_da.c#17 - /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_da.c ====
*** /tmp/tmp.1035.2	Sun Apr 29 17:00:00 2001
--- /usr/home/ken/perforce/FreeBSD-ken/src/sys/cam/scsi/scsi_da.c	Sun Apr 29 16:58:10 2001
***************
*** 1377,1387 ****
  							&sense_key_desc,
  							&asc_desc);
  					snprintf(announce_buf,
! 					    sizeof(announce_buf),
! 						"Attempt to query device "
! 						"size failed: %s, %s",
! 						sense_key_desc,
! 						asc_desc);
  				} else { 
  					if (have_sense)
  						scsi_sense_print(
--- 1377,1389 ----
  							&sense_key_desc,
  							&asc_desc);
  					snprintf(announce_buf,
! 						 sizeof(announce_buf),
! 						 "Attempt to query device "
! 						 "size failed: %s, %s",
! 						 sense_key_desc ?
! 						 sense_key_desc :
! 						 "Unknown Sense Key",
! 						 asc_desc);
  				} else { 
  					if (have_sense)
  						scsi_sense_print(
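Review bot: The ternary fallback on `sense_key_desc` duplicates the one in the scsi_cd.c hunk and, unlike the scsi_all.c print path with its `Unknown Sense Key %#x`, drops the numeric key. The call is already bounded by `sizeof(announce_buf)`, so appending the number costs a few characters at most and cannot overrun; including it would give the user the value to look up. If the string stays fixed, consider defining it once so the two drivers cannot drift apart.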

--3MwIy2ne0vdjdPXF--
