Message-Id: <132d8dc4-e8d0-6eba-9ae2-4a7e2c9a589b@linux.vnet.ibm.com>
Date:   Fri, 28 Oct 2016 15:53:33 +0200
From:   Steffen Maier <maier@...ux.vnet.ibm.com>
To:     Hannes Reinecke <hare@...e.de>,
        Johannes Thumshirn <jthumshirn@...e.de>,
        Ulrich Weigand <Ulrich.Weigand@...ibm.com>,
        Andreas Krebbel <Andreas.Krebbel@...ibm.com>
Cc:     "Martin K . Petersen" <martin.petersen@...cle.com>,
        Christoph Hellwig <hch@...radead.org>,
        Linux Kernel Mailinglist <linux-kernel@...r.kernel.org>,
        Linux SCSI Mailinglist <linux-scsi@...r.kernel.org>,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        Heiko Carstens <heiko.carstens@...ibm.com>,
        Anil Gurumurthy <anil.gurumurthy@...gic.com>,
        Sudarsana Kalluru <sudarsana.kalluru@...gic.com>,
        "James E.J. Bottomley" <jejb@...ux.vnet.ibm.com>,
        Tyrel Datwyler <tyreld@...ux.vnet.ibm.com>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Paul Mackerras <paulus@...ba.org>,
        Michael Ellerman <mpe@...erman.id.au>,
        Johannes Thumshirn <jth@...nel.org>,
        James Smart <james.smart@...gotech.com>,
        Dick Kennedy <dick.kennedy@...gotech.com>,
        "supporter:QLOGIC QLA2XXX FC-SCSI DRIVER" 
        <qla2xxx-upstream@...gic.com>,
        "open list:S390 ZFCP DRIVER" <linux-s390@...r.kernel.org>,
        "open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)" 
        <linuxppc-dev@...ts.ozlabs.org>,
        "open list:FCOE SUBSYSTEM (libfc, libfcoe, fcoe)" 
        <fcoe-devel@...n-fcoe.org>, Richard Biener <rguenther@...e.de>
Subject: Re: [PATCH v2 02/16] scsi: don't use fc_bsg_job::request and fc_bsg_job::reply directly



On 10/28/2016 01:31 PM, Hannes Reinecke wrote:
> On 10/28/2016 11:53 AM, Steffen Maier wrote:
>> On 10/13/2016 06:24 PM, Johannes Thumshirn wrote:
>>> On Thu, Oct 13, 2016 at 05:15:25PM +0200, Steffen Maier wrote:
>>>> I'm puzzled.
>>>>
>>>> $ git bisect start fc_bsg master
>>
>>>>> 3087864ce3d7282f59021245d8a5f83ef1caef18 is the first bad commit
>>>>> commit 3087864ce3d7282f59021245d8a5f83ef1caef18
>>>>> Author: Johannes Thumshirn <jthumshirn@...e.de>
>>>>> Date:   Wed Oct 12 15:06:28 2016 +0200
>>>>>
>>>>>     scsi: don't use fc_bsg_job::request and fc_bsg_job::reply directly
>>>>>
>>>>>     Don't use fc_bsg_job::request and fc_bsg_job::reply directly,
>>>>> but use
>>>>>     helper variables bsg_request and bsg_reply. This will be
>>>>> helpfull  when
>>>>>     transitioning to bsg-lib.
>>>>>
>>>>>     Signed-off-by: Johannes Thumshirn <jthumshirn@...e.de>
>>>>>
>>>>> :040000 040000 140c4b6829d5cfaec4079716e0795f63f8bc3bd2
>>>>> 0d9fe225615679550be91fbd9f84c09ab1e280fc M    drivers
>>>>
>>>> From there (on the reverse bisect path) I get the following Oops,
>>>> except for the full patch set having another stack trace as in my
>>>> previous
>>>> mail (dying in zfcp code).
>>>
>>> [...]
>>>
>>>>> @@ -3937,6 +3944,7 @@ fc_bsg_request_handler(struct request_queue
>>>>> *q, struct Scsi_Host *shost,
>>>>>      struct request *req;
>>>>>      struct fc_bsg_job *job;
>>>>>      enum fc_dispatch_result ret;
>>>>> +    struct fc_bsg_reply *bsg_reply;
>>>>>
>>>>>      if (!get_device(dev))
>>>>>          return;
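Review bot: the new `struct fc_bsg_reply *bsg_reply;` is declared at function scope but left uninitialized, while the only assignment in the hunks quoted here sits inside the `if (job->request_len < sizeof(uint32_t))` block; either declare it in that block or initialise it to NULL at declaration, so a later use outside that branch cannot read an indeterminate pointer.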
>>>>> @@ -3973,8 +3981,9 @@ fc_bsg_request_handler(struct request_queue
>>>>> *q, struct Scsi_Host *shost,
>>>>>          /* check if we have the msgcode value at least */
>>>>>          if (job->request_len < sizeof(uint32_t)) {
>>>>>              BUG_ON(job->reply_len < sizeof(uint32_t));
>>>>> -            job->reply->reply_payload_rcv_len = 0;
>>>>> -            job->reply->result = -ENOMSG;
>>>>> +            bsg_reply = job->reply;
>>>>> +            bsg_reply->reply_payload_rcv_len = 0;
>>>>> +            bsg_reply->result = -ENOMSG;
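Review bot: `bsg_reply = job->reply;` is dereferenced on the two lines that follow with no check that `job->reply` is non-NULL; the `BUG_ON(job->reply_len < sizeof(uint32_t))` above it only validates the length. Now that the helper variable makes the load explicit, this is the place to either document why `reply` is guaranteed to be set here or add `BUG_ON(!bsg_reply)` next to the existing length check, so a missing reply buffer fails at the assignment instead of at the first store through it.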
>>
>> Compiler optimization re-ordered above two lines and the first pointer
>> dereference is bsg_reply->result [field offset 0] where bsg_reply is NULL.
>> The assignment tries to write to memory at address NULL causing the
>> kernel page fault.
>>
> I spoke to our compiler people, and they strongly believed this not to
> be the case. Or, put it the other way round, if such a thing would
> happen it would be a compiler issue.
>
> Have you checked the compiler output?

I just mentioned the compiler optimization to explain why the assembler 
code visible in the panic dies at bsg_reply->result = -ENOMSG and not at 
bsg_reply->reply_payload_rcv_len = 0. I don't think it makes a 
difference regarding the issue, which remains a NULL pointer dereference 
with bsg_reply either way, which I doubt is caused by compiler output. 
But then again, see further down below.

> [   46.942560] Krnl PSW : 0704e00180000000 00000000007c91ec (fc_bsg_request_handler+0x404/0x4b0)
> [   46.942583]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:000: RI:0 EA:3
> [   46.942601] Krnl GPRS: 0000000000000000 00000000ffffffcb 0000000000000000 0000000080000001
> [   46.942603]            00000000007c8fe8 0000000064398c68 0000000069f967e8 000000006a3d8008
> [   46.942605]            000000006a5e02c8 00000000698b5490 0000000000000000 0000000000000000

 
        %r11 is NULL

> [   46.942607]            000000006a9ef5f8 0000000000a36840 00000000007c8fe8 000000005d2efa00
> [   46.942619] Krnl Code: 00000000007c91de: e55dc08c0003        clfhsi  140(%r12),3
>                           00000000007c91e4: a7240004            brc     2,7c91ec
>                          #00000000007c91e8: a7f40001            brc     15,7c91ea
>                          >00000000007c91ec: 5010b000            st      %r1,0(%r11)
>                           00000000007c91f0: e54cb0040000        mvhi    4(%r11),0
>                           00000000007c91f6: e54cc08c0004        mvhi    140(%r12),4
>                           00000000007c91fc: b904002c            lgr     %r2,%r12
>                           00000000007c9200: c0e5ffffe2c0        brasl   %r14,7c5780
> [   46.942646]
> [   46.942647] Call Trace:
> [   46.942650] ([<00000000007c8fe8>] fc_bsg_request_handler+0x200/0x4b0)
> [   46.942656] ([<00000000006b8e0a>] __blk_run_queue+0x52/0x68)
> [   46.942661] ([<00000000006c549a>] blk_execute_rq_nowait+0xf2/0x110)
> [   46.942664] ([<00000000006c557a>] blk_execute_rq+0xa2/0x110)
> [   46.942668] ([<00000000006de0ee>] bsg_ioctl+0x1f6/0x268)
> [   46.942675] ([<000000000036ca20>] do_vfs_ioctl+0x680/0x6d8)
> [   46.942677] ([<000000000036caf4>] SyS_ioctl+0x7c/0xb0)
> [   46.942685] ([<00000000009a541e>] system_call+0xd6/0x270)
> [   46.942687] INFO: lockdep is turned off.
> [   46.942688] Last Breaking-Event-Address:
> [   46.942692]  [<00000000007c91e4>] fc_bsg_request_handler+0x3fc/0x4b0
> [   46.942698] Kernel panic - not syncing: Fatal exception: panic_on_oops

All the following was written from bottom to top:

> crash> dis -l fc_bsg_request_handler
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3943

static void
fc_bsg_request_handler(struct request_queue *q, struct Scsi_Host *shost,
		       struct fc_rport *rport, struct device *dev)
{

> 0x7c8de8 <fc_bsg_request_handler>:      brcl    0,0x7c8de8 <fc_bsg_request_handler>
> 0x7c8dee <fc_bsg_request_handler+0x6>:  stmg    %r6,%r15,72(%r15)
> 0x7c8df4 <fc_bsg_request_handler+0xc>:  larl    %r13,0xa36840
> 0x7c8dfa <fc_bsg_request_handler+0x12>: tmll    %r15,16256
> 0x7c8dfe <fc_bsg_request_handler+0x16>: lgr     %r14,%r15
> 0x7c8e02 <fc_bsg_request_handler+0x1a>: je      0x7c8e04 <fc_bsg_request_handler+0x1c>
> 0x7c8e06 <fc_bsg_request_handler+0x1e>: lay     %r15,-112(%r15)
> 0x7c8e0c <fc_bsg_request_handler+0x24>: stg     %r14,152(%r15)
> 0x7c8e12 <fc_bsg_request_handler+0x2a>: lgr     %r9,%r2
> 0x7c8e16 <fc_bsg_request_handler+0x2e>: stg     %r5,176(%r15)
> 0x7c8e1c <fc_bsg_request_handler+0x34>: lgr     %r2,%r5
> 0x7c8e20 <fc_bsg_request_handler+0x38>: lgr     %r6,%r3
> 0x7c8e24 <fc_bsg_request_handler+0x3c>: lgr     %r10,%r4
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3949
> 0x7c8e28 <fc_bsg_request_handler+0x40>: brasl   %r14,0x787968 <get_device>
> 0x7c8e2e <fc_bsg_request_handler+0x46>: cgij    %r2,0,8,0x7c9288 <fc_bsg_request_handler+0x4a0>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3751

there is some confusing inlining of part of fc_req_to_bsgjob

> 0x7c8e34 <fc_bsg_request_handler+0x4c>: la      %r1,960(%r6)
> 0x7c8e38 <fc_bsg_request_handler+0x50>: stg     %r1,168(%r15)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3749
> 0x7c8e3e <fc_bsg_request_handler+0x56>: la      %r1,96(%r10)
> 0x7c8e42 <fc_bsg_request_handler+0x5a>: stg     %r1,160(%r15)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3953
> 0x7c8e48 <fc_bsg_request_handler+0x60>: cgij    %r10,0,8,0x7c9270 <fc_bsg_request_handler+0x488>
> 0x7c8e4e <fc_bsg_request_handler+0x66>: clc     4(4,%r13),40(%r10)
> 0x7c8e54 <fc_bsg_request_handler+0x6c>: jne     0x7c9258 <fc_bsg_request_handler+0x470>
> 0x7c8e58 <fc_bsg_request_handler+0x70>: tm      72(%r10),4
> 0x7c8e5c <fc_bsg_request_handler+0x74>: jne     0x7c9258 <fc_bsg_request_handler+0x470>
> 0x7c8e60 <fc_bsg_request_handler+0x78>: j       0x7c920a <fc_bsg_request_handler+0x422>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3961
> 0x7c8e64 <fc_bsg_request_handler+0x7c>: clc     0(4,%r13),40(%r10)
> 0x7c8e6a <fc_bsg_request_handler+0x82>: je      0x7c8e9e <fc_bsg_request_handler+0xb6>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3962

fc_bsg_request_handler()
                         req->errors = -ENXIO;

> 0x7c8e6e <fc_bsg_request_handler+0x86>: mvhi    260(%r12),-6

crash> struct -od request.errors
struct request {
   [260] int errors;
}

********************************************************************

BUT this seems the first time %r12 is used in fc_bsg_request_handler(),
especially I seem to miss %r12 being initialized with anything.
But then again I'm not at all well versed in disassembly.
Maybe fc_bsg_request_handler() is itself in turn inlined and I would 
need to start disassembling even earlier to get to %r12 init?
s390x ELF ABI says %r12:
usage: Local variable, commonly used as GOT pointer;
call effect: saved.
Even if it wasn't initialized and remained NULL below why did it not 
already page fault at the above instruction? Silly me, we did not execute 
this instruction as it's "if" conditional. This makes me wonder even 
more where the content of %r12 comes from.

Ulli, Andreas, could you please shed some light on this?

********************************************************************

> /home/maier/kernel/linux-vanilla/./include/linux/spinlock.h: 357
> 0x7c8e74 <fc_bsg_request_handler+0x8c>: lg      %r2,2600(%r9)
> 0x7c8e7a <fc_bsg_request_handler+0x92>: brasl   %r14,0x9a46d0 <_raw_spin_unlock_irq>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3964
> 0x7c8e80 <fc_bsg_request_handler+0x98>: lgr     %r2,%r12
> 0x7c8e84 <fc_bsg_request_handler+0x9c>: lghi    %r3,-6
> 0x7c8e88 <fc_bsg_request_handler+0xa0>: brasl   %r14,0x6be2f0 <blk_end_request_all>
> /home/maier/kernel/linux-vanilla/./include/linux/spinlock.h: 332
> 0x7c8e8e <fc_bsg_request_handler+0xa6>: lg      %r2,2600(%r9)
> 0x7c8e94 <fc_bsg_request_handler+0xac>: brasl   %r14,0x9a4280 <_raw_spin_lock_irq>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3966
> 0x7c8e9a <fc_bsg_request_handler+0xb2>: j       0x7c8e48 <fc_bsg_request_handler+0x60>
> /home/maier/kernel/linux-vanilla/./include/linux/spinlock.h: 357
> 0x7c8e9e <fc_bsg_request_handler+0xb6>: lg      %r2,2600(%r9)
> 0x7c8ea4 <fc_bsg_request_handler+0xbc>: brasl   %r14,0x9a46d0 <_raw_spin_unlock_irq>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3709
> 0x7c8eaa <fc_bsg_request_handler+0xc2>: ltg     %r1,248(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3702
> 0x7c8eb0 <fc_bsg_request_handler+0xc8>: lg      %r7,512(%r6)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3703
> 0x7c8eb6 <fc_bsg_request_handler+0xce>: lg      %r8,360(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3709
> 0x7c8ebc <fc_bsg_request_handler+0xd4>: je      0x7c8ec4 <fc_bsg_request_handler+0xdc>
> 0x7c8ec0 <fc_bsg_request_handler+0xd8>: j       0x7c8ec2 <fc_bsg_request_handler+0xda>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3711
> 0x7c8ec4 <fc_bsg_request_handler+0xdc>: lg      %r1,568(%r7)
> 0x7c8eca <fc_bsg_request_handler+0xe2>: llgf    %r1,216(%r1)
> /home/maier/kernel/linux-vanilla/./include/linux/slab.h: 495
> 0x7c8ed0 <fc_bsg_request_handler+0xe8>: lgfi    %r3,37781696
> 0x7c8ed6 <fc_bsg_request_handler+0xee>: la      %r2,184(%r1)
> 0x7c8eda <fc_bsg_request_handler+0xf2>: brasl   %r14,0x325e38 <__kmalloc>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3713
> 0x7c8ee0 <fc_bsg_request_handler+0xf8>: lgr     %r11,%r2
> 0x7c8ee4 <fc_bsg_request_handler+0xfc>: cgij    %r2,0,8,0x7c9234 <fc_bsg_request_handler+0x44c>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3725

fc_req_to_bsgjob()
         req->special = job;

> 0x7c8eea <fc_bsg_request_handler+0x102>:        stg     %r2,248(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3726
> 0x7c8ef0 <fc_bsg_request_handler+0x108>:        stg     %r6,0(%r2)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3727
> 0x7c8ef6 <fc_bsg_request_handler+0x10e>:        stg     %r10,8(%r2)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3728

fc_req_to_bsgjob()
         job->req = req;

> 0x7c8efc <fc_bsg_request_handler+0x114>:        stg     %r12,24(%r2)

> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3729
> 0x7c8f02 <fc_bsg_request_handler+0x11a>:        lg      %r1,568(%r7)
> 0x7c8f08 <fc_bsg_request_handler+0x120>:        lt      %r1,216(%r1)
> 0x7c8f0e <fc_bsg_request_handler+0x126>:        je      0x7c8f1c <fc_bsg_request_handler+0x134>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3730
> 0x7c8f12 <fc_bsg_request_handler+0x12a>:        la      %r1,184(%r2)
> 0x7c8f16 <fc_bsg_request_handler+0x12e>:        stg     %r1,176(%r2)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3731
> 0x7c8f1c <fc_bsg_request_handler+0x134>:        larl    %r4,0x2054808 <proc_scsi+0x48>
> 0x7c8f22 <fc_bsg_request_handler+0x13a>:        larl    %r3,0xbddbd8
> 0x7c8f28 <fc_bsg_request_handler+0x140>:        la      %r2,32(%r11)
> 0x7c8f2c <fc_bsg_request_handler+0x144>:        brasl   %r14,0x1b7ac8 <__raw_spin_lock_init>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3733
> 0x7c8f32 <fc_bsg_request_handler+0x14a>:        llh     %r1,288(%r12)
> 0x7c8f38 <fc_bsg_request_handler+0x150>:        st      %r1,136(%r11)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3735
> 0x7c8f3c <fc_bsg_request_handler+0x154>:        mvhi    140(%r11),96
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3737
> 0x7c8f42 <fc_bsg_request_handler+0x15a>:        ltg     %r1,104(%r12)
> 0x7c8f48 <fc_bsg_request_handler+0x160>:        jne     0x7c8f56 <fc_bsg_request_handler+0x16e>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3742
> 0x7c8f4c <fc_bsg_request_handler+0x164>:        cgij    %r8,0,6,0x7c8f84 <fc_bsg_request_handler+0x19c>
> 0x7c8f52 <fc_bsg_request_handler+0x16a>:        j       0x7c8f6e <fc_bsg_request_handler+0x186>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3738
> 0x7c8f56 <fc_bsg_request_handler+0x16e>:        lgr     %r3,%r12
> 0x7c8f5a <fc_bsg_request_handler+0x172>:        la      %r2,144(%r11)
> 0x7c8f5e <fc_bsg_request_handler+0x176>:        brasl   %r14,0x7c56c8 <fc_bsg_map_buffer>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3739
> 0x7c8f64 <fc_bsg_request_handler+0x17c>:        cij     %r2,0,8,0x7c8f4c <fc_bsg_request_handler+0x164>
> 0x7c8f6a <fc_bsg_request_handler+0x182>:        j       0x7c900e <fc_bsg_request_handler+0x226>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3747
> 0x7c8f6e <fc_bsg_request_handler+0x186>:        larl    %r1,0x7c5780 <fc_bsg_jobdone>
> 0x7c8f74 <fc_bsg_request_handler+0x18c>:        stg     %r1,112(%r11)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3748
> 0x7c8f7a <fc_bsg_request_handler+0x192>:        cgij    %r10,0,6,0x7c8fa6 <fc_bsg_request_handler+0x1be>
> 0x7c8f80 <fc_bsg_request_handler+0x198>:        j       0x7c8fd2 <fc_bsg_request_handler+0x1ea>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3742
> 0x7c8f84 <fc_bsg_request_handler+0x19c>:        ltg     %r1,104(%r8)
> 0x7c8f8a <fc_bsg_request_handler+0x1a2>:        je      0x7c8f6e <fc_bsg_request_handler+0x186>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3743
> 0x7c8f8e <fc_bsg_request_handler+0x1a6>:        lgr     %r3,%r8
> 0x7c8f92 <fc_bsg_request_handler+0x1aa>:        la      %r2,160(%r11)
> 0x7c8f96 <fc_bsg_request_handler+0x1ae>:        brasl   %r14,0x7c56c8 <fc_bsg_map_buffer>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3744
> 0x7c8f9c <fc_bsg_request_handler+0x1b4>:        cij     %r2,0,8,0x7c8f6e <fc_bsg_request_handler+0x186>
> 0x7c8fa2 <fc_bsg_request_handler+0x1ba>:        j       0x7c9002 <fc_bsg_request_handler+0x21a>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3749
> 0x7c8fa6 <fc_bsg_request_handler+0x1be>:        lg      %r2,160(%r15)
> 0x7c8fac <fc_bsg_request_handler+0x1c4>:        stg     %r2,16(%r11)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3752
> 0x7c8fb2 <fc_bsg_request_handler+0x1ca>:        brasl   %r14,0x787968 <get_device>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3754
> 0x7c8fb8 <fc_bsg_request_handler+0x1d0>:        mvhi    108(%r11),1
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3979

      fc_bsg_request_handler()
            job = req->special;

> 0x7c8fbe <fc_bsg_request_handler+0x1d6>:        lg      %r12,248(%r12)

crash> struct -od request.special
struct request {
   [248] void *special;
}

********************************************************************

so above %r12 did contain req, below it contains job.
since we could deref req further up it must have been non-NULL and 
pointing to a mapped page, but req->special is NULL here?
well, req could even have been NULL and we read from address 248 in low 
core here which does not trigger a page fault (only on write to low core).

crash> x/g 248
0xf8 <_text+248>:       0x0

********************************************************************

> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3982
> 0x7c8fc4 <fc_bsg_request_handler+0x1dc>:        l       %r1,136(%r12)
> 0x7c8fc8 <fc_bsg_request_handler+0x1e0>:        clij    %r1,3,12,0x7c901c <fc_bsg_request_handler+0x234>
> 0x7c8fce <fc_bsg_request_handler+0x1e6>:        j       0x7c905c <fc_bsg_request_handler+0x274>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3751
> 0x7c8fd2 <fc_bsg_request_handler+0x1ea>:        lg      %r1,168(%r15)
> 0x7c8fd8 <fc_bsg_request_handler+0x1f0>:        stg     %r1,16(%r11)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3752
> 0x7c8fde <fc_bsg_request_handler+0x1f6>:        lgr     %r2,%r1
> 0x7c8fe2 <fc_bsg_request_handler+0x1fa>:        brasl   %r14,0x787968 <get_device>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3754
> 0x7c8fe8 <fc_bsg_request_handler+0x200>:        mvhi    108(%r11),1
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3979
> 0x7c8fee <fc_bsg_request_handler+0x206>:        lg      %r12,248(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3982
> 0x7c8ff4 <fc_bsg_request_handler+0x20c>:        l       %r1,136(%r12)
> 0x7c8ff8 <fc_bsg_request_handler+0x210>:        clij    %r1,3,12,0x7c901c <fc_bsg_request_handler+0x234>
> 0x7c8ffe <fc_bsg_request_handler+0x216>:        j       0x7c90f4 <fc_bsg_request_handler+0x30c>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3760
> 0x7c9002 <fc_bsg_request_handler+0x21a>:        lg      %r2,152(%r11)
> 0x7c9008 <fc_bsg_request_handler+0x220>:        brasl   %r14,0x328ff0 <kfree>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3762
> 0x7c900e <fc_bsg_request_handler+0x226>:        lgr     %r2,%r11
> 0x7c9012 <fc_bsg_request_handler+0x22a>:        brasl   %r14,0x328ff0 <kfree>
> 0x7c9018 <fc_bsg_request_handler+0x230>:        j       0x7c9234 <fc_bsg_request_handler+0x44c>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3983
> 0x7c901c <fc_bsg_request_handler+0x234>:        clfhsi  140(%r12),3
> 0x7c9022 <fc_bsg_request_handler+0x23a>:        jh      0x7c902a <fc_bsg_request_handler+0x242>
> 0x7c9026 <fc_bsg_request_handler+0x23e>:        j       0x7c9028 <fc_bsg_request_handler+0x240>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3984
> 0x7c902a <fc_bsg_request_handler+0x242>:        lg      %r1,128(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3985
> 0x7c9030 <fc_bsg_request_handler+0x248>:        mvhi    4(%r1),0
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3986
> 0x7c9036 <fc_bsg_request_handler+0x24e>:        mvhi    0(%r1),-42
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3988
> 0x7c903c <fc_bsg_request_handler+0x254>:        lgr     %r2,%r12
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3987
> 0x7c9040 <fc_bsg_request_handler+0x258>:        mvhi    140(%r12),4
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3988
> 0x7c9046 <fc_bsg_request_handler+0x25e>:        brasl   %r14,0x7c5780 <fc_bsg_jobdone>
> /home/maier/kernel/linux-vanilla/./include/linux/spinlock.h: 332
> 0x7c904c <fc_bsg_request_handler+0x264>:        lg      %r2,2600(%r9)
> 0x7c9052 <fc_bsg_request_handler+0x26a>:        brasl   %r14,0x9a4280 <_raw_spin_lock_irq>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3990
> 0x7c9058 <fc_bsg_request_handler+0x270>:        j       0x7c8e48 <fc_bsg_request_handler+0x60>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3892
> 0x7c905c <fc_bsg_request_handler+0x274>:        lg      %r2,120(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3887
> 0x7c9062 <fc_bsg_request_handler+0x27a>:        lg      %r11,128(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3892
> 0x7c9068 <fc_bsg_request_handler+0x280>:        l       %r2,0(%r2)
> 0x7c906c <fc_bsg_request_handler+0x284>:        iilf    %r3,1073741825
> 0x7c9072 <fc_bsg_request_handler+0x28a>:        crj     %r2,%r3,8,0x7c9088 <fc_bsg_request_handler+0x2a0>
> 0x7c9078 <fc_bsg_request_handler+0x290>:        iilf    %r3,1073741826
> 0x7c907e <fc_bsg_request_handler+0x296>:        crj     %r2,%r3,8,0x7c9090 <fc_bsg_request_handler+0x2a8>
> 0x7c9084 <fc_bsg_request_handler+0x29c>:        j       0x7c90d2 <fc_bsg_request_handler+0x2ea>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3894
> 0x7c9088 <fc_bsg_request_handler+0x2a0>:        lhi     %r2,5
> 0x7c908c <fc_bsg_request_handler+0x2a4>:        j       0x7c9094 <fc_bsg_request_handler+0x2ac>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3898
> 0x7c9090 <fc_bsg_request_handler+0x2a8>:        lhi     %r2,16
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3901
> 0x7c9094 <fc_bsg_request_handler+0x2ac>:        lt      %r3,144(%r12)
> 0x7c909a <fc_bsg_request_handler+0x2b2>:        je      0x7c90da <fc_bsg_request_handler+0x2f2>
> 0x7c909e <fc_bsg_request_handler+0x2b6>:        lt      %r3,160(%r12)
> 0x7c90a4 <fc_bsg_request_handler+0x2bc>:        je      0x7c90da <fc_bsg_request_handler+0x2f2>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3913
> 0x7c90a8 <fc_bsg_request_handler+0x2c0>:        clrj    %r2,%r1,2,0x7c90e2 <fc_bsg_request_handler+0x2fa>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3918
> 0x7c90ae <fc_bsg_request_handler+0x2c6>:        lg      %r1,512(%r6)
> 0x7c90b4 <fc_bsg_request_handler+0x2cc>:        lg      %r1,568(%r1)
> 0x7c90ba <fc_bsg_request_handler+0x2d2>:        lg      %r1,192(%r1)
> 0x7c90c0 <fc_bsg_request_handler+0x2d8>:        lgr     %r2,%r12
> 0x7c90c4 <fc_bsg_request_handler+0x2dc>:        basr    %r14,%r1
> 0x7c90c6 <fc_bsg_request_handler+0x2de>:        lr      %r1,%r2
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3919
> 0x7c90c8 <fc_bsg_request_handler+0x2e0>:        cij     %r2,0,6,0x7c90e6 <fc_bsg_request_handler+0x2fe>
> 0x7c90ce <fc_bsg_request_handler+0x2e6>:        j       0x7c9248 <fc_bsg_request_handler+0x460>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3908
> 0x7c90d2 <fc_bsg_request_handler+0x2ea>:        lhi     %r1,-53
> 0x7c90d6 <fc_bsg_request_handler+0x2ee>:        j       0x7c90e6 <fc_bsg_request_handler+0x2fe>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3903
> 0x7c90da <fc_bsg_request_handler+0x2f2>:        lhi     %r1,-22
> 0x7c90de <fc_bsg_request_handler+0x2f6>:        j       0x7c90e6 <fc_bsg_request_handler+0x2fe>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3914
> 0x7c90e2 <fc_bsg_request_handler+0x2fa>:        lhi     %r1,-42
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3924
> 0x7c90e6 <fc_bsg_request_handler+0x2fe>:        clfhsi  140(%r12),3
> 0x7c90ec <fc_bsg_request_handler+0x304>:        jh      0x7c91ec <fc_bsg_request_handler+0x404>
> 0x7c90f0 <fc_bsg_request_handler+0x308>:        j       0x7c90f2 <fc_bsg_request_handler+0x30a>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3785

fc_bsg_host_dispatch()
	struct fc_bsg_request *bsg_request = job->request;

> 0x7c90f4 <fc_bsg_request_handler+0x30c>:        lg      %r3,120(%r12)
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3786

fc_bsg_host_dispatch()
	struct fc_bsg_reply *bsg_reply = job->reply;

> 0x7c90fa <fc_bsg_request_handler+0x312>:        lg      %r11,128(%r12)

load content of address in %r12 with displacement 128 into %r11.
so presumably job->reply is NULL.
due to funny inlining incl. fc_bsg_host_dispatch(), it's tricky to 
backtrack where job in %r12 came from and what happened to it on the way.
%r11 is not clobbered until used below where the page fault happens.
displacement is consistent:
crash> struct -od fc_bsg_job
struct fc_bsg_job {
     [0] struct Scsi_Host *shost;
     [8] struct fc_rport *rport;
    [16] struct device *dev;
    [24] struct request *req;
    [32] spinlock_t job_lock;
   [104] unsigned int state_flags;
   [108] unsigned int ref_cnt;
   [112] void (*job_done)(struct fc_bsg_job *);
   [120] struct fc_bsg_request *request;
   [128] struct fc_bsg_reply *reply;
   [136] unsigned int request_len;
   [140] unsigned int reply_len;
   [144] struct bsg_buffer request_payload;
   [160] struct bsg_buffer reply_payload;
   [176] void *dd_data;
}
SIZE: 184

> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3791
> 0x7c9100 <fc_bsg_request_handler+0x318>:        l       %r2,0(%r3)
> 0x7c9104 <fc_bsg_request_handler+0x31c>:        clfi    %r2,2147483651
> 0x7c910a <fc_bsg_request_handler+0x322>:        je      0x7c913e <fc_bsg_request_handler+0x356>
> 0x7c910e <fc_bsg_request_handler+0x326>:        jh      0x7c9122 <fc_bsg_request_handler+0x33a>
> 0x7c9112 <fc_bsg_request_handler+0x32a>:        iilf    %r3,2147483649
> 0x7c9118 <fc_bsg_request_handler+0x330>:        clrj    %r2,%r3,10,0x7c9194 <fc_bsg_request_handler+0x3ac>
> 0x7c911e <fc_bsg_request_handler+0x336>:        j       0x7c91c2 <fc_bsg_request_handler+0x3da>
> 0x7c9122 <fc_bsg_request_handler+0x33a>:        iilf    %r4,2147483652
> 0x7c9128 <fc_bsg_request_handler+0x340>:        crj     %r2,%r4,8,0x7c9156 <fc_bsg_request_handler+0x36e>
> 0x7c912e <fc_bsg_request_handler+0x346>:        iilf    %r4,2147483903
> 0x7c9134 <fc_bsg_request_handler+0x34c>:        crj     %r2,%r4,8,0x7c9172 <fc_bsg_request_handler+0x38a>
> 0x7c913a <fc_bsg_request_handler+0x352>:        j       0x7c91c2 <fc_bsg_request_handler+0x3da>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3803
> 0x7c913e <fc_bsg_request_handler+0x356>:        lt      %r2,144(%r12)
> 0x7c9144 <fc_bsg_request_handler+0x35c>:        je      0x7c91ca <fc_bsg_request_handler+0x3e2>
> 0x7c9148 <fc_bsg_request_handler+0x360>:        lt      %r2,160(%r12)
> 0x7c914e <fc_bsg_request_handler+0x366>:        je      0x7c91ca <fc_bsg_request_handler+0x3e2>
> 0x7c9152 <fc_bsg_request_handler+0x36a>:        j       0x7c9194 <fc_bsg_request_handler+0x3ac>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3813
> 0x7c9156 <fc_bsg_request_handler+0x36e>:        lt      %r2,144(%r12)
> 0x7c915c <fc_bsg_request_handler+0x374>:        je      0x7c91ca <fc_bsg_request_handler+0x3e2>
> 0x7c9160 <fc_bsg_request_handler+0x378>:        lt      %r2,160(%r12)
> 0x7c9166 <fc_bsg_request_handler+0x37e>:        je      0x7c91ca <fc_bsg_request_handler+0x3e2>
> 0x7c916a <fc_bsg_request_handler+0x382>:        lhi     %r2,20
> 0x7c916e <fc_bsg_request_handler+0x386>:        j       0x7c9198 <fc_bsg_request_handler+0x3b0>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3822
> 0x7c9172 <fc_bsg_request_handler+0x38a>:        lg      %r2,504(%r6)
> 0x7c9178 <fc_bsg_request_handler+0x390>:        ltg     %r2,304(%r2)
> 0x7c917e <fc_bsg_request_handler+0x396>:        je      0x7c91d2 <fc_bsg_request_handler+0x3ea>
> 0x7c9182 <fc_bsg_request_handler+0x39a>:        cg      %r2,4(%r3)
> 0x7c9188 <fc_bsg_request_handler+0x3a0>:        jne     0x7c91d2 <fc_bsg_request_handler+0x3ea>
> 0x7c918c <fc_bsg_request_handler+0x3a4>:        lhi     %r2,12
> 0x7c9190 <fc_bsg_request_handler+0x3a8>:        j       0x7c9198 <fc_bsg_request_handler+0x3b0>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3791
> 0x7c9194 <fc_bsg_request_handler+0x3ac>:        lhi     %r2,8
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3836
> 0x7c9198 <fc_bsg_request_handler+0x3b0>:        clrj    %r2,%r1,2,0x7c91da <fc_bsg_request_handler+0x3f2>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3841
> 0x7c919e <fc_bsg_request_handler+0x3b6>:        lg      %r1,512(%r6)
> 0x7c91a4 <fc_bsg_request_handler+0x3bc>:        lg      %r1,568(%r1)
> 0x7c91aa <fc_bsg_request_handler+0x3c2>:        lg      %r1,192(%r1)
> 0x7c91b0 <fc_bsg_request_handler+0x3c8>:        lgr     %r2,%r12
> 0x7c91b4 <fc_bsg_request_handler+0x3cc>:        basr    %r14,%r1
> 0x7c91b6 <fc_bsg_request_handler+0x3ce>:        lr      %r1,%r2
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3842
> 0x7c91b8 <fc_bsg_request_handler+0x3d0>:        cij     %r2,0,6,0x7c91de <fc_bsg_request_handler+0x3f6>
> 0x7c91be <fc_bsg_request_handler+0x3d6>:        j       0x7c9248 <fc_bsg_request_handler+0x460>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3831
> 0x7c91c2 <fc_bsg_request_handler+0x3da>:        lhi     %r1,-53
> 0x7c91c6 <fc_bsg_request_handler+0x3de>:        j       0x7c91de <fc_bsg_request_handler+0x3f6>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3805
> 0x7c91ca <fc_bsg_request_handler+0x3e2>:        lhi     %r1,-22
> 0x7c91ce <fc_bsg_request_handler+0x3e6>:        j       0x7c91de <fc_bsg_request_handler+0x3f6>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3825
> 0x7c91d2 <fc_bsg_request_handler+0x3ea>:        lhi     %r1,-3
> 0x7c91d6 <fc_bsg_request_handler+0x3ee>:        j       0x7c91de <fc_bsg_request_handler+0x3f6>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3837
> 0x7c91da <fc_bsg_request_handler+0x3f2>:        lhi     %r1,-42
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3847

fc_bsg_host_dispatch()

fail_host_msg:
	/* return the errno failure code as the only status */
	BUG_ON(job->reply_len < sizeof(uint32_t));

> 0x7c91de <fc_bsg_request_handler+0x3f6>:        clfhsi  140(%r12),3
> 0x7c91e4 <fc_bsg_request_handler+0x3fc>:        jh      0x7c91ec <fc_bsg_request_handler+0x404>
> 0x7c91e8 <fc_bsg_request_handler+0x400>:        j       0x7c91ea <fc_bsg_request_handler+0x402>
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3849

	bsg_reply->result = ret;

> 0x7c91ec <fc_bsg_request_handler+0x404>:        st      %r1,0(%r11)

that store causes the kernel page fault because %r11 is NULL and with 
displacement 0 it still is NULL.

> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3848

	bsg_reply->reply_payload_rcv_len = 0;

> 0x7c91f0 <fc_bsg_request_handler+0x408>:        mvhi    4(%r11),0

if we had gotten this far:
16-bit signed immediate 0 is extended to 4-bytes and stored to where 
%r11 with displacement 4 points to.
displacements nicely match structure fields:
crash> struct -od fc_bsg_reply
struct fc_bsg_reply {
    [0] uint32_t result;
    [4] uint32_t reply_payload_rcv_len;
        union {
            struct fc_bsg_host_vendor_reply vendor_reply;
            struct fc_bsg_ctels_reply ctels_reply;
    [8] } reply_data;
}
SIZE: 16

> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3850

	job->reply_len = sizeof(uint32_t);

> 0x7c91f6 <fc_bsg_request_handler+0x40e>:        mvhi    140(%r12),4
> /home/maier/kernel/linux-vanilla/drivers/scsi/scsi_transport_fc.c: 3851
> 0x7c91fc <fc_bsg_request_handler+0x414>:        lgr     %r2,%r12
> 0x7c9200 <fc_bsg_request_handler+0x418>:        brasl   %r14,0x7c5780 <fc_bsg_jobdone>

source code is based on
> $ git log --graph --oneline
> * 271c1723d9c8 scsi: don't use fc_bsg_job::request and fc_bsg_job::reply directly
> * a3c95a6c69e4 scsi: Get rid of struct fc_bsg_buffer
> *   1573d2caf713 Merge branch 'parisc-4.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux




-- 
Mit freundlichen Grüßen / Kind regards
Steffen Maier

Linux on z Systems Development

IBM Deutschland Research & Development GmbH
Vorsitzende des Aufsichtsrats: Martina Koederitz
Geschaeftsfuehrung: Dirk Wittkopp
Sitz der Gesellschaft: Boeblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
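As an added worked example, not code from this mail, from the kernel tree or from IBM: a small C program that encodes the manual steps of the analysis above. It rebuilds the two structures from the quoted `crash> struct -od` offsets, pins those offsets with `_Static_assert`, and resolves an s390 `D(%rB)` storage operand against the quoted `Krnl GPRS` dump to the address it touches and the field that displacement denotes, which is exactly how `st %r1,0(%r11)` was mapped to `bsg_reply->result` with `%r11 == NULL`. The register values are the ones printed in the oops; the 72-byte `job_lock`, the 16-byte `bsg_buffer` model, the 8-byte reply union and the LP64 build are assumptions chosen only so that the model reproduces the quoted offsets.

```c
/* Added example, not code from the mail or the kernel tree. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts rebuilt from the "crash> struct -od" output quoted in the mail
 * (LP64 assumed). Assumptions that reproduce the quoted offsets: spinlock_t
 * is 72 bytes (job_lock spans 32..104, as on a lockdep kernel), struct
 * bsg_buffer is 16 bytes, and the reply union is 8 opaque bytes. */
struct fc_bsg_reply_model {
	uint32_t result;                       /* [0]  */
	uint32_t reply_payload_rcv_len;        /* [4]  */
	uint64_t reply_data;                   /* [8]  */
};
struct bsg_buffer_model { uint32_t payload_len; int32_t sg_cnt; void *sg_list; };
struct fc_bsg_job_model {
	void *shost, *rport, *dev, *req;       /* [0] [8] [16] [24] */
	unsigned char job_lock[72];            /* [32] */
	uint32_t state_flags, ref_cnt;         /* [104] [108] */
	void (*job_done)(struct fc_bsg_job_model *); /* [112] */
	void *request;                         /* [120] */
	struct fc_bsg_reply_model *reply;      /* [128] */
	uint32_t request_len, reply_len;       /* [136] [140] */
	struct bsg_buffer_model request_payload, reply_payload; /* [144] [160] */
	void *dd_data;                         /* [176] */
};
_Static_assert(offsetof(struct fc_bsg_job_model, reply) == 128, "reply @128");
_Static_assert(offsetof(struct fc_bsg_job_model, reply_len) == 140, "reply_len @140");
_Static_assert(sizeof(struct fc_bsg_job_model) == 184, "fc_bsg_job SIZE: 184");
_Static_assert(sizeof(struct fc_bsg_reply_model) == 16, "fc_bsg_reply SIZE: 16");

struct field { const char *name; size_t off, size; };
#define FIELD(T, m) { #m, offsetof(struct T, m), sizeof(((struct T *)0)->m) }
#define NFIELDS(a) (sizeof(a) / sizeof((a)[0]))
static const struct field job_fields[] = {
	FIELD(fc_bsg_job_model, shost), FIELD(fc_bsg_job_model, rport),
	FIELD(fc_bsg_job_model, dev), FIELD(fc_bsg_job_model, req),
	FIELD(fc_bsg_job_model, job_lock), FIELD(fc_bsg_job_model, state_flags),
	FIELD(fc_bsg_job_model, ref_cnt), FIELD(fc_bsg_job_model, job_done),
	FIELD(fc_bsg_job_model, request), FIELD(fc_bsg_job_model, reply),
	FIELD(fc_bsg_job_model, request_len), FIELD(fc_bsg_job_model, reply_len),
	FIELD(fc_bsg_job_model, request_payload), FIELD(fc_bsg_job_model, reply_payload),
	FIELD(fc_bsg_job_model, dd_data),
};
static const struct field reply_fields[] = {
	FIELD(fc_bsg_reply_model, result), FIELD(fc_bsg_reply_model, reply_payload_rcv_len),
	FIELD(fc_bsg_reply_model, reply_data),
};

/* Name of the field covering byte offset `off` in a field table, else NULL. */
const char *field_at(const struct field *f, size_t n, size_t off)
{
	for (size_t i = 0; i < n; i++)
		if (off >= f[i].off && off < f[i].off + f[i].size)
			return f[i].name;
	return NULL;
}
const char *job_field(size_t off)   { return field_at(job_fields, NFIELDS(job_fields), off); }
const char *reply_field(size_t off) { return field_at(reply_fields, NFIELDS(reply_fields), off); }

/* Parse an s390 "D(%rB)" storage operand the way crash/objdump print it. */
int parse_bd(const char *op, unsigned *disp, unsigned *base)
{
	return sscanf(op, "%u(%%r%u)", disp, base) == 2 && *base < 16;
}

/* Effective address of "D(%rB)" given the 16 GPRs from the oops. Base
 * register 0 means "no base" on s390, so the address is then just D. */
uint64_t effective_addr(const char *op, const uint64_t gprs[16])
{
	unsigned disp, base;
	if (!parse_bd(op, &disp, &base))
		return UINT64_MAX;
	return (base ? gprs[base] : 0) + disp;
}

/* True when the base register holds NULL: the access then lands in low core
 * at address D, which is why the mail checks "x/g 248" for req->special. */
int base_is_null(const char *op, const uint64_t gprs[16])
{
	unsigned disp, base;
	return parse_bd(op, &disp, &base) && base != 0 && gprs[base] == 0;
}

/* "Krnl GPRS" from the quoted oops, r0..r15 in the printed order. */
const uint64_t oops_gprs[16] = {
	0x0000000000000000, 0x00000000ffffffcb, 0x0000000000000000, 0x0000000080000001,
	0x00000000007c8fe8, 0x0000000064398c68, 0x0000000069f967e8, 0x000000006a3d8008,
	0x000000006a5e02c8, 0x00000000698b5490, 0x0000000000000000, 0x0000000000000000,
	0x000000006a9ef5f8, 0x0000000000a36840, 0x00000000007c8fe8, 0x000000005d2efa00,
};

int main(void)
{
	const char *fault = "0(%r11)";      /* the "st %r1,0(%r11)" at the PSW */
	unsigned disp, base;
	parse_bd(fault, &disp, &base);
	printf("%s -> %#llx (base NULL: %d) = fc_bsg_reply.%s, stored value %d\n",
	       fault, (unsigned long long)effective_addr(fault, oops_gprs),
	       base_is_null(fault, oops_gprs), reply_field(disp), (int32_t)oops_gprs[1]);
	printf("140(%%r12) -> %#llx = fc_bsg_job.%s\n",
	       (unsigned long long)effective_addr("140(%r12)", oops_gprs), job_field(140));
	return 0;
}
```

Running it reports the faulting store as address 0 with a NULL base register, field `fc_bsg_reply.result`, and a stored value of -53: the low 32 bits of `%r1` in the dump (`0xffffffcb`) are the `-53` that the listing loads with `lhi %r1,-53`, which is `-EBADR` in Linux errno numbering. The second line resolves `140(%r12)` to `job->reply_len`, the operand of the `clfhsi` that precedes the fault, confirming that `%r12` holds `job` at that point.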
