From owner-freebsd-bugs@FreeBSD.ORG  Sat Jan 10 01:10:23 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 29FDA16A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 10 Jan 2004 01:10:23 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A230343D41
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 10 Jan 2004 01:10:20 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	i0A9AKFR025207	for <freebsd-bugs@freefall.freebsd.org>;
	Sat, 10 Jan 2004 01:10:20 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i0A9AKVn025206;
	Sat, 10 Jan 2004 01:10:20 -0800 (PST)
	(envelope-from gnats)
Resent-Date: Sat, 10 Jan 2004 01:10:20 -0800 (PST)
Resent-Message-Id: <200401100910.i0A9AKVn025206@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Heiner <h.eichmann@gmx.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CEF2F16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 10 Jan 2004 01:10:07 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.de [213.165.64.20])
	by mx1.FreeBSD.org (Postfix) with SMTP id C2BE743D3F
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 10 Jan 2004 01:10:05 -0800 (PST)
	(envelope-from h.eichmann@gmx.de)
Received: (qmail 3863 invoked by uid 65534); 10 Jan 2004 09:10:04 -0000
Received: from pD9EC29E0.dip.t-dialin.net (EHLO 7of9.unimatrix-zero.borg)
	(217.236.41.224)
	by mail.gmx.net (mp012) with SMTP; 10 Jan 2004 10:10:04 +0100
Message-Id: <200401101010.26236.h.eichmann@gmx.de>
Date: Sat, 10 Jan 2004 10:10:26 +0100
From: Heiner <h.eichmann@gmx.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/61165: kernel page fault after calling cam_send_ccb
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jan 2004 09:10:23 -0000


>Number:         61165
>Category:       kern
>Synopsis:       kernel page fault after calling cam_send_ccb
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 10 01:10:20 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Heiner Eichmann <h.eichmann@gmx.de>
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
Sirius Cybernetics Corp.
>Environment:
=46reeBSD 7of9.unimatrix-zero.borg 4.9-STABLE FreeBSD 4.9-STABLE #0: Tue De=
c 30=20
09:19:53 CET 2003 =A0 =A0=20
root@7of9.unimatrix-zero.borg:/usr/obj/usr/src/sys/MYKERNEL =A0i386
CAM is compiled into the kernel.
>Description:
=46reeBSD dies immediately, if the attached program is executed. Note, that=
 it=20
contains a bug in line 36: a wrong constant (1) is used. If the correct one=
=20
(CAM_DIR_IN) is used instead, everything is fine. Nevertheless the kernel=20
should not crash.

Note: all it needs to perform this crash is the read/write access to pass0!
>How-To-Repeat:
Compile and run the attached program. Make sure, that the user has read/wri=
te=20
access to pass0.

WARNING: BSD dies immediately!
>Fix:




--Boundary-00=_CG8//He5c/0aNz1
Content-Type: text/x-c++src;
  charset="iso-8859-1";
  name="main2.cpp"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="main2.cpp"

#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <camlib.h>
#include <cam/scsi/scsi_message.h>
#include <cam/scsi/scsi_pass.h>
#include <errno.h>

int main(int)
{
   char pass[32] = "/dev/pass0";
   union ccb		ccb;
   memset (&ccb,0,sizeof(ccb));
   ccb.ccb_h.func_code = XPT_GDEVLIST;
   struct cam_device  *cam = cam_open_pass (pass,O_RDWR,NULL);
   if (!cam)
   {
      printf("result: %s\n", cam_errbuf);
      return -1;
   }
   int len = 8;
   unsigned char header[len];
   ::memset( header, 0, len );
   memset(&ccb,0,sizeof(ccb));
   ccb.ccb_h.path_id    = cam->path_id;
   ccb.ccb_h.target_id  = cam->target_id;
   ccb.ccb_h.target_lun = cam->target_lun;
   cam_fill_csio (&(ccb.csio), 1, NULL, CAM_DEV_QFRZDIS, MSG_SIMPLE_Q_TAG, NULL, 0, sizeof(ccb.csio.sense_data), 0, 30*1000);
   ccb.csio.cdb_len = 1;
   ccb.csio.cdb_io.cdb_bytes[0] = 0x46;	// GET CONFIGURATION
   ccb.csio.cdb_len = 9;
   ccb.csio.cdb_io.cdb_bytes[8] = 8;
   
   ccb.csio.ccb_h.flags |= 1;//CAM_DIR_IN;
   ccb.csio.data_ptr  = (u_int8_t *)header;
   ccb.csio.dxfer_len = len;
   printf("cam_send_ccb\n");
   int ret;
   if ((ret = cam_send_ccb(cam, &ccb)) < 0)
   {
      printf("cam_send_ccb: failed\n");
      cam_close_device(cam);
      return -1;
   }
   printf("cam_send_ccb: succeeded\n");
   cam_close_device(cam);
   return 0;
}

--Boundary-00=_CG8//He5c/0aNz1--

>Release-Note:
>Audit-Trail:
>Unformatted:
 --Boundary-00=_CG8//He5c/0aNz1
 Content-Type: text/plain;
   charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline