From owner-freebsd-scsi Mon Apr 30 12: 1:43 2001
Delivered-To: freebsd-scsi@freebsd.org
Received: from panzer.kdm.org (panzer.kdm.org [216.160.178.169])
	by hub.freebsd.org (Postfix) with ESMTP id 0D47137B422
	for ; Mon, 30 Apr 2001 12:01:34 -0700 (PDT)
	(envelope-from ken@panzer.kdm.org)
Received: (from ken@localhost)
	by panzer.kdm.org (8.9.3/8.9.1) id NAA48014;
	Mon, 30 Apr 2001 13:01:17 -0600 (MDT)
	(envelope-from ken)
Date: Mon, 30 Apr 2001 13:01:17 -0600
From: "Kenneth D. Merry"
To: Michael Samuel
Cc: freebsd-scsi@FreeBSD.ORG
Subject: Re: NULL pointer deref in scsi_sense_desc
Message-ID: <20010430130117.A47971@panzer.kdm.org>
References: <20010428114711.A7571@miknet.net> <20010428234800.A37675@panzer.kdm.org> <20010429203016.A20311@miknet.net>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="PNTmBPCT7hxwcZjr"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20010429203016.A20311@miknet.net>; from michael@miknet.net on Sun, Apr 29, 2001 at 08:30:16PM +1000
Sender: owner-freebsd-scsi@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sun, Apr 29, 2001 at 20:30:16 +1000, Michael Samuel wrote:
> On Sat, Apr 28, 2001 at 11:48:00PM -0600, Kenneth D. Merry wrote:
> > Hmm, that would cause the code to dereference a null pointer, which is bad.
> > It's probably a bug to do that without checking the pointer first, since a
> > drive could theoretically return a bogus sense key and cause a panic.
>
> Yes, that's exactly what the bug was. It died on that line, and the
> instruction it got the page fault in was a "movl 0x8(%eax), %eax" (from
> memory...), and I'm guessing that %eax would have been 0.
>
> This drive has been known in other systems to return bogus (or at least
> uncommon) sense keys. The tape drive is a little bit stuffed, and has been
> causing hard lockups (not even ctrl-alt-esc responds) when I try to use it
> now.

After looking at it some more, a better fix for the problem would be
adding sense key table entries for the only two entries that aren't
defined -- blank check and data protect. Your drive was probably
returning one of those two errors.

All sense key values are defined by the spec (although "equal" is listed
as obsolete and 0xf is reserved), and with the attached patch, all sense
keys are defined in the table.

So with this patch it should be impossible to get a bogus sense_entry
pointer; if it is, we should panic, since that's a bug.

Ken
-- 
Kenneth Merry
ken@kdm.org

--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="scsi_all.c.sense_key.20010430"

==== //depot/FreeBSD-adaptec/src/sys/cam/scsi/scsi_all.c#3 - /usr/home/ken/perforce/FreeBSD-adaptec/src/sys/cam/scsi/scsi_all.c ==== *** /tmp/tmp.10514.0 Mon Apr 30 12:55:56 2001 --- /usr/home/ken/perforce/FreeBSD-adaptec/src/sys/cam/scsi/scsi_all.c Mon Apr 30 12:55:36 2001 *************** *** 711,716 **** --- 711,718 ---- { SSD_KEY_HARDWARE_ERROR, SS_RDEF, "HARDWARE FAILURE" }, { SSD_KEY_ILLEGAL_REQUEST, SS_FATAL|EINVAL, "ILLEGAL REQUEST" }, { SSD_KEY_UNIT_ATTENTION, SS_FATAL|ENXIO, "UNIT ATTENTION" }, + { SSD_KEY_DATA_PROTECT, SS_FATAL|EACCES, "DATA PROTECT" }, + { SSD_KEY_BLANK_CHECK, SS_FATAL|ENOSPC, "BLANK CHECK" }, { SSD_KEY_Vendor_Specific, SS_FATAL|EIO, "Vendor Specific" }, { SSD_KEY_COPY_ABORTED, SS_FATAL|EIO, "COPY ABORTED" }, { SSD_KEY_ABORTED_COMMAND, SS_RDEF, "ABORTED COMMAND" },
--PNTmBPCT7hxwcZjr--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-scsi" in the body of the message
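
Review bot: the two entries added after SSD_KEY_UNIT_ATTENTION fill the gap in the table, but nothing in this hunk guards the lookup in scsi_sense_desc that dereferenced the NULL sense_entry pointer, so any future gap in the table would again show up as a page fault on device-supplied data rather than as a clear diagnostic. Since the message says a missing entry should panic, consider making that explicit with a check and a descriptive panic message at the point where the entry is used, and add a comment above the table stating that every sense key value, including the obsolete and reserved ones, must have an entry. A short comment on the errno choices (EACCES for DATA PROTECT, ENOSPC for BLANK CHECK) would also help, since the neighbouring fatal entries use EINVAL, ENXIO and EIO without explanation.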