Message-ID: <20150114144744.GF3565@htj.dyndns.org>
Date: Wed, 14 Jan 2015 09:47:44 -0500
From: Tejun Heo <tj@...nel.org>
To: Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Hannes Reinecke <hare@...e.de>
Cc: linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: ata_eh_report() unable to handle kernel NULL pointer dereference
On Wed, Jan 14, 2015 at 11:30:33PM +0900, Sergey Senozhatsky wrote:
> On (01/13/15 10:27), Tejun Heo wrote:
> > On Tue, Jan 13, 2015 at 11:25:09PM +0900, Sergey Senozhatsky wrote:
> > > Hi,
> > >
> > > linux-next 20150112
> > >
> > > [ 934.572323] ata2: exception Emask 0x50 SAct 0x0 SErr 0x4090800 action 0xe frozen
> > > [ 934.572329] ata2: irq_stat 0x00400040, connection status changed
> > > [ 934.572332] ata2: SError: { HostInt PHYRdyChg 10B8B DevExch }
> > > [ 934.572341] BUG: unable to handle kernel NULL pointer dereference at 0000000000000460
> > > [ 934.572346] IP: [<ffffffff812c722c>] ata_eh_report+0x3ad/0x74d
> >
> > Any chance you can run addr2line on it and map it to the source line?
> >
>
> Hello,
>
> sorry for the delay, emails from my android gmail app are blocked as "outlook
> spam".
>
> here it is in reverse order, RIP is the last one.
>
> ~/_next$ addr2line -e vmlinux -i ffffffff812c97a3
> _next/drivers/ata/libata-eh.c:4020
> ~/_next$ addr2line -e vmlinux -i ffffffff812cfb7e
> _next/drivers/ata/libahci.c:1438
> ~/_next$ addr2line -e vmlinux -i ffffffff812cf943
> _next/drivers/ata/libahci.c:1470
> ~/_next$ addr2line -e vmlinux -i ffffffff812cfb7e
> _next/drivers/ata/libahci.c:1438
> ~/_next$ addr2line -e vmlinux -i ffffffff812d0bab
> _next/drivers/ata/libahci.c:1383
> ~/_next$ addr2line -e vmlinux -i ffffffff812c05c0
> _next/include/linux/libata.h:1085
> _next/drivers/ata/libata-core.c:3715
> ~/_next$ addr2line -e vmlinux -i ffffffff812c96e5
> _next/drivers/ata/libata-eh.c:3991
> ~/_next$ addr2line -e vmlinux -i ffffffff812c722c
> _next/drivers/ata/libata-eh.c:2485
> _next/drivers/ata/libata-eh.c:2583
Ah, the culprit is cbba5b0ee4c6 ("libata: use
__scsi_format_command()") which moved qc->dev->cdb_len deref to before
the loop verifies the qc is valid.
Hannes, I think the right thing to do is moving that variable
declaration inside the if (ata_is_atapi()) block. Can you please take
care of it?
Thanks a lot.
--
tejun
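As an added illustration of the ordering problem described above (a constructed stand-alone model written for this page, not libata's own code; the struct layouts, flag names, `qc_needs_report()` and the sample queue are assumptions), the block below contrasts the pre-fix ordering, where the `qc->dev->cdb_len` read sits at the top of the loop body and so runs for unused queue slots whose `dev` pointer is NULL, with the fixed ordering, where the qc is validated first and the length is only read inside the ATAPI branch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for this example; not libata's definitions. */
#define ATA_MAX_QUEUE   4
#define QC_FLAG_ACTIVE  0x1
#define QC_FLAG_FAILED  0x2

struct ata_device {
    unsigned int cdb_len;          /* ATAPI command descriptor block length */
};

struct ata_queued_cmd {
    unsigned int flags;
    bool is_atapi;
    struct ata_device *dev;        /* NULL for a slot that never held a command */
};

struct ata_link {
    struct ata_queued_cmd qcs[ATA_MAX_QUEUE];
};

/* The validity test the reporting loop applies before looking at a qc. */
static bool qc_needs_report(const struct ata_queued_cmd *qc)
{
    return (qc->flags & QC_FLAG_ACTIVE) && (qc->flags & QC_FLAG_FAILED);
}

/*
 * Hazard check for the pre-fix ordering: a "cdb_len = qc->dev->cdb_len"
 * at the top of the loop body executes for every slot, including ones the
 * validity test would skip.  Returns the index of the first slot where that
 * read would dereference a NULL dev, or -1 if the old ordering is safe.
 */
int first_slot_old_ordering_faults(const struct ata_link *link)
{
    for (int i = 0; i < ATA_MAX_QUEUE; i++)
        if (link->qcs[i].dev == NULL)
            return i;
    return -1;
}

/*
 * Fixed ordering: validate the qc first; read qc->dev->cdb_len only inside
 * the ATAPI branch, where a failed command is known to have a device.
 * Returns the number of commands reported; cdb_lens[] receives the length
 * recorded for each (0 for non-ATAPI commands).
 */
int report_failed_cmds(const struct ata_link *link, unsigned int *cdb_lens, size_t max)
{
    int reported = 0;
    for (int i = 0; i < ATA_MAX_QUEUE && (size_t)reported < max; i++) {
        const struct ata_queued_cmd *qc = &link->qcs[i];

        if (!qc_needs_report(qc))
            continue;              /* unused or clean slot: qc->dev is never touched */

        unsigned int cdb_len = 0;
        if (qc->is_atapi) {
            cdb_len = qc->dev->cdb_len;   /* declared and read only here */
            printf("slot %d: ATAPI command failed, cdb_len=%u\n", i, cdb_len);
        } else {
            printf("slot %d: ATA command failed\n", i);
        }
        cdb_lens[reported++] = cdb_len;
    }
    return reported;
}

/* Constructed sample queue: slot 0 failed ATAPI, slot 1 failed ATA, 2-3 unused. */
static struct ata_device atapi_dev = { .cdb_len = 12 };
static struct ata_device plain_dev = { .cdb_len = 0 };
unsigned int sample_lens[ATA_MAX_QUEUE];

static struct ata_link sample_link(void)
{
    struct ata_link link = {0};
    link.qcs[0] = (struct ata_queued_cmd){ .flags = QC_FLAG_ACTIVE | QC_FLAG_FAILED,
                                           .is_atapi = true,  .dev = &atapi_dev };
    link.qcs[1] = (struct ata_queued_cmd){ .flags = QC_FLAG_ACTIVE | QC_FLAG_FAILED,
                                           .is_atapi = false, .dev = &plain_dev };
    /* slots 2 and 3 stay zeroed: flags 0, dev NULL, the case the old ordering tripped on */
    return link;
}

int sample_fault_slot(void)
{
    struct ata_link link = sample_link();
    return first_slot_old_ordering_faults(&link);
}

int run_sample(void)
{
    struct ata_link link = sample_link();
    return report_failed_cmds(&link, sample_lens, ATA_MAX_QUEUE);
}

int main(void)
{
    printf("old ordering would fault at slot %d\n", sample_fault_slot());
    printf("fixed ordering reported %d command(s)\n", run_sample());
    return 0;
}
```

The defensive rule the example encodes is the one the message states: any dereference through a pointer that is only guaranteed non-NULL for valid entries must sit after the validity check, which in C is easiest to enforce by declaring the variable inside the guarded block rather than at the top of the loop.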