lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150114144744.GF3565@htj.dyndns.org>
Date:	Wed, 14 Jan 2015 09:47:44 -0500
From:	Tejun Heo <tj@...nel.org>
To:	Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
	Hannes Reinecke <hare@...e.de>
Cc:	linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: ata_eh_report() unable to handle kernel NULL pointer dereference

On Wed, Jan 14, 2015 at 11:30:33PM +0900, Sergey Senozhatsky wrote:
> On (01/13/15 10:27), Tejun Heo wrote:
> > On Tue, Jan 13, 2015 at 11:25:09PM +0900, Sergey Senozhatsky wrote:
> > > Hi,
> > > 
> > > linux-next 20150112
> > > 
> > > [  934.572323] ata2: exception Emask 0x50 SAct 0x0 SErr 0x4090800 action 0xe frozen
> > > [  934.572329] ata2: irq_stat 0x00400040, connection status changed
> > > [  934.572332] ata2: SError: { HostInt PHYRdyChg 10B8B DevExch }
> > > [  934.572341] BUG: unable to handle kernel NULL pointer dereference at 0000000000000460
> > > [  934.572346] IP: [<ffffffff812c722c>] ata_eh_report+0x3ad/0x74d
> > 
> > Any chance you can run addr2line on it and map it to the source line?
> >
> 
> Hello,
> 
> sorry for the delay, emails from my android gmail app are blocked as "outlook
> spam".
> 
> here it is in reverse order, RIP is the last one.
> 
> ~/_next$ addr2line -e vmlinux -i ffffffff812c97a3
>    _next/drivers/ata/libata-eh.c:4020
> ~/_next$ addr2line -e vmlinux -i ffffffff812cfb7e
>    _next/drivers/ata/libahci.c:1438
> ~/_next$ addr2line -e vmlinux -i ffffffff812cf943
>    _next/drivers/ata/libahci.c:1470
> ~/_next$ addr2line -e vmlinux -i ffffffff812cfb7e
>    _next/drivers/ata/libahci.c:1438
> ~/_next$ addr2line -e vmlinux -i ffffffff812d0bab
>    _next/drivers/ata/libahci.c:1383
> ~/_next$ addr2line -e vmlinux -i ffffffff812c05c0
>    _next/include/linux/libata.h:1085
>    _next/drivers/ata/libata-core.c:3715
> ~/_next$ addr2line -e vmlinux -i ffffffff812c96e5
>    _next/drivers/ata/libata-eh.c:3991
> ~/_next$ addr2line -e vmlinux -i ffffffff812c722c
>    _next/drivers/ata/libata-eh.c:2485
>    _next/drivers/ata/libata-eh.c:2583

Ah, the culprit is cbba5b0ee4c6 ("libata: use
__scsi_format_command()") which moved qc->dev->cdb_len deref to before
the loop verifies the qc is valid.

Hannes, I think the right thing to do is moving that variable
declaration inside the if (ata_is_atapi()) block.  Can you please take
care of it?

Thanks a lot.

-- 
tejun
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ