* [PATCH] scsi_debug: fix map_region and unmap_region oops
@ 2010-06-27 16:04 FUJITA Tomonori
  2010-06-28 17:18 ` Martin K. Petersen
  2010-06-30 14:56 ` Douglas Gilbert
  0 siblings, 2 replies; 4+ messages in thread
From: FUJITA Tomonori @ 2010-06-27 16:04 UTC (permalink / raw)
  To: dgilbert, martin.petersen; +Cc: hch, James.Bottomley, linux-scsi

I got the following oops:

BUG: unable to handle kernel paging request at ffffc90021c0c000
IP: [<ffffffffa006cb8a>] unmap_region+0x5a/0x70 [scsi_debug]
PGD 11fc06067 PUD 21f802067 PMD d5632067 PTE 0
Oops: 0002 [#1] SMP 
last sysfs file:
/sys/devices/pseudo_0/adapter0/host2/target2:0:0/2:0:0:0/type
CPU 10 
Modules linked in: scsi_debug crc_t10dif sd_mod sg arcmsr cxgb3 mdio
[last unloaded: scsi_debug]

Pid: 0, comm: swapper Not tainted 2.6.35-rc3-dirty #1 /ProLiant DL360
G6
RIP: 0010:[<ffffffffa006cb8a>]  [<ffffffffa006cb8a>]
unmap_region+0x5a/0x70 [scsi_debug]
RSP: 0018:ffff880001d43c08  EFLAGS: 00010046
RAX: 0000000000100000 RBX: 0000000000000001 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000100000 RDI: 00000000000fffff
RBP: 0000000000000000 R08: 0000000000100000 R09: 0000000000000001
R10: ffffc90021bec000 R11: 0000000020000000 R12: ffff88011abeaf00
R13: 0000000000000000 R14: 0000000000100000 R15: 0000000000000046
FS:  0000000000000000(0000) GS:ffff880001d40000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc90021c0c000 CR3: 00000000019b9000 CR4: 00000000000006a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffff88021f65c000, task
ffff88021f663000)
Stack:
 ffffffffa006d413 ffff88011abeae00 ffff88011e9b1560 0000000000000000
<0> ffff88011abeaf00 ffff88011ea284e0 0000000000000001
0000000000000000
<0> ffffffffa006f93d 0000000000001000 ffff88011abf2e00
ffff88011a0c9000
Call Trace:
 <IRQ> 
 [<ffffffffa006d413>] ? resp_write_same+0x163/0x1a0 [scsi_debug]
 [<ffffffffa006f93d>] ? scsi_debug_queuecommand+0x83d/0x1a30
 [scsi_debug]
 [<ffffffff81223580>] ? scsi_done+0x0/0x10
 [<ffffffff81229e4e>] ? scsi_init_io+0x1e/0x100
 [<ffffffff8122a09d>] ? scsi_setup_blk_pc_cmnd+0x6d/0x130
 [<ffffffffa00658e2>] ? sd_prep_fn+0x1e2/0xa70 [sd_mod]
 [<ffffffff81223682>] ? scsi_dispatch_cmd+0xf2/0x220
 [<ffffffff8122979d>] ? scsi_request_fn+0x34d/0x450
 [<ffffffff8116eff5>] ? __blk_run_queue+0x65/0x150
 [<ffffffff8116f1b8>] ? blk_run_queue+0x28/0x50
 [<ffffffff81228c32>] ? scsi_run_queue+0xd2/0x390
 [<ffffffff81229b0b>] ? scsi_next_command+0x3b/0x60
 [<ffffffff8122a6f4>] ? scsi_io_completion+0x354/0x580
 [<ffffffff81173f35>] ? blk_done_softirq+0x75/0x90
 [<ffffffff810425be>] ? __do_softirq+0xae/0x140
 [<ffffffff8100347c>] ? call_softirq+0x1c/0x30
 [<ffffffff81005155>] ? do_softirq+0x65/0xa0
 [<ffffffff8101992b>] ? smp_apic_timer_interrupt+0x6b/0xa0
 [<ffffffff81002f53>] ? apic_timer_interrupt+0x13/0x20
 <EOI> 
 [<ffffffff811d4417>] ? acpi_idle_enter_bm+0x294/0x2cb
 [<ffffffff811d4410>] ? acpi_idle_enter_bm+0x28d/0x2cb
 [<ffffffff8128eb7a>] ? cpuidle_idle_call+0xba/0x120
 [<ffffffff810017de>] ? cpu_idle+0x5e/0xa0
Code: 00 48 89 c8 48 29 d0 48 01 c7 48 39 fe 76 2a 31 d2 4a 8d 04 0f
48 f7 f1 89 d2 49 89 c0 48 85 d2 75 df 48 8d 04 0f 48 39 c6 72 d6 <f0>
45 0f b3 02 eb cf 0f 1f 80 00 00 00 00 f3 c3 66 0f 1f 44 00 
RIP  [<ffffffffa006cb8a>] unmap_region+0x5a/0x70 [scsi_debug]
 RSP <ffff880001d43c08>
CR2: ffffc90021c0c000

Same problem?

http://marc.info/?l=linux-scsi&m=125680100519614&w=2

=
From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Subject: [PATCH] scsi_debug: fix map_region and unmap_region oops

map_region and unmap_region could access an invalid memory area since
they don't check the size boundary.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
---
 drivers/scsi/scsi_debug.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 136329b..b02bdc6 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, unsigned int len)
 		block = lba + alignment;
 		rem = do_div(block, granularity);
 
-		set_bit(block, map_storep);
+		if (block < map_size)
+			set_bit(block, map_storep);
 
 		lba += granularity - rem;
 	}
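Review bot: the new `if (block < map_size)` guard around `set_bit` silently skips out-of-range blocks but keeps iterating; since `lba` only grows (`lba += granularity - rem`), once `block` reaches `map_size` every later iteration fails the same test, so a `break` at that point would end the loop at the first out-of-range block instead of spinning through the rest of the range. The changelog should also explain how `block` can exceed `map_size` at all; the trigger given later in the thread (unmap_granularity=1 followed by mkfs.xfs) belongs in the commit message so the oops can be reproduced.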
@@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, unsigned int len)
 		block = lba + alignment;
 		rem = do_div(block, granularity);
 
-		if (rem == 0 && lba + granularity <= end)
+		if (rem == 0 && lba + granularity <= end &&
+		    block < map_size)
 			clear_bit(block, map_storep);
 
 		lba += granularity - rem;
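Review bot: the added `block < map_size` term clamps silently, so a request whose range runs past the mapped capacity completes as if it had succeeded while the bits beyond the end are simply ignored; the oops trace shows the call arriving from resp_write_same, so validating the requested LBA range against the device capacity at the command level and returning an error to the initiator would report the bad request rather than hide it. The same early-`break` remark as for map_region applies here: after the first block that fails `block < map_size`, no later iteration of this loop can pass it.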
-- 
1.6.5



* Re: [PATCH] scsi_debug: fix map_region and unmap_region oops
  2010-06-27 16:04 [PATCH] scsi_debug: fix map_region and unmap_region oops FUJITA Tomonori
@ 2010-06-28 17:18 ` Martin K. Petersen
  2010-06-28 17:27   ` FUJITA Tomonori
  2010-06-30 14:56 ` Douglas Gilbert
  1 sibling, 1 reply; 4+ messages in thread
From: Martin K. Petersen @ 2010-06-28 17:18 UTC (permalink / raw)
  To: FUJITA Tomonori
  Cc: dgilbert, martin.petersen, hch, James.Bottomley, linux-scsi

>>>>> "Tomo" == FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> writes:

Tomo> = From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Subject:
Tomo> [PATCH] scsi_debug: fix map_region and unmap_region oops

Tomo> map_region and unmap_region could access an invalid memory area
Tomo> since they don't check the size boundary.

Tomo> Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> ---
Tomo>  drivers/scsi/scsi_debug.c | 6 ++++-- 1 files changed, 4
Tomo>  insertions(+), 2 deletions(-)

Tomo> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
Tomo> index 136329b..b02bdc6 100644
Tomo> --- a/drivers/scsi/scsi_debug.c
Tomo> +++ b/drivers/scsi/scsi_debug.c
Tomo> @@ -1991,7 +1991,8 @@ static void map_region(sector_t lba,
Tomo> unsigned int len)
Tomo>  		block = lba + alignment; rem = do_div(block,
Tomo>  		granularity);
 
Tomo> - set_bit(block, map_storep);
Tomo> + if (block < map_size)
Tomo> + set_bit(block, map_storep);
 
Tomo>  		lba += granularity - rem;
Tomo>  	}
Tomo> @@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba,
Tomo> unsigned int len)
Tomo>  		block = lba + alignment; rem = do_div(block,
Tomo>  		granularity);
 
Tomo> - if (rem == 0 && lba + granularity <= end)
Tomo> + if (rem == 0 && lba + granularity <= end &&
Tomo> + block < map_size)
Tomo>  			clear_bit(block, map_storep);
 
Tomo>  		lba += granularity - rem;

I'm ok with the patch but I'm interested in what you were doing that
caused it to access out of bounds?

-- 
Martin K. Petersen	Oracle Linux Engineering


* Re: [PATCH] scsi_debug: fix map_region and unmap_region oops
  2010-06-28 17:18 ` Martin K. Petersen
@ 2010-06-28 17:27   ` FUJITA Tomonori
  0 siblings, 0 replies; 4+ messages in thread
From: FUJITA Tomonori @ 2010-06-28 17:27 UTC (permalink / raw)
  To: martin.petersen
  Cc: fujita.tomonori, dgilbert, hch, James.Bottomley, linux-scsi

On Mon, 28 Jun 2010 13:18:20 -0400
"Martin K. Petersen" <martin.petersen@oracle.com> wrote:

> >>>>> "Tomo" == FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> writes:
> 
> Tomo> = From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Subject:
> Tomo> [PATCH] scsi_debug: fix map_region and unmap_region oops
> 
> Tomo> map_region and unmap_region could access an invalid memory area
> Tomo> since they don't check the size boundary.
> 
> Tomo> Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> ---
> Tomo>  drivers/scsi/scsi_debug.c | 6 ++++-- 1 files changed, 4
> Tomo>  insertions(+), 2 deletions(-)
> 
> Tomo> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> Tomo> index 136329b..b02bdc6 100644
> Tomo> --- a/drivers/scsi/scsi_debug.c
> Tomo> +++ b/drivers/scsi/scsi_debug.c
> Tomo> @@ -1991,7 +1991,8 @@ static void map_region(sector_t lba,
> Tomo> unsigned int len)
> Tomo>  		block = lba + alignment; rem = do_div(block,
> Tomo>  		granularity);
>  
> Tomo> - set_bit(block, map_storep);
> Tomo> + if (block < map_size)
> Tomo> + set_bit(block, map_storep);
>  
> Tomo>  		lba += granularity - rem;
> Tomo>  	}
> Tomo> @@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba,
> Tomo> unsigned int len)
> Tomo>  		block = lba + alignment; rem = do_div(block,
> Tomo>  		granularity);
>  
> Tomo> - if (rem == 0 && lba + granularity <= end)
> Tomo> + if (rem == 0 && lba + granularity <= end &&
> Tomo> + block < map_size)
> Tomo>  			clear_bit(block, map_storep);
>  
> Tomo>  		lba += granularity - rem;
> 
> I'm ok with the patch but I'm interested in what you were doing that
> caused it to access out of bounds?

I set unmap_granularity to 1 and then ran mkfs.xfs.


* Re: [PATCH] scsi_debug: fix map_region and unmap_region oops
  2010-06-27 16:04 [PATCH] scsi_debug: fix map_region and unmap_region oops FUJITA Tomonori
  2010-06-28 17:18 ` Martin K. Petersen
@ 2010-06-30 14:56 ` Douglas Gilbert
  1 sibling, 0 replies; 4+ messages in thread
From: Douglas Gilbert @ 2010-06-30 14:56 UTC (permalink / raw)
  To: FUJITA Tomonori; +Cc: martin.petersen, hch, James.Bottomley, linux-scsi

On 10-06-27 12:04 PM, FUJITA Tomonori wrote:
> I got the following oops:
>
> BUG: unable to handle kernel paging request at ffffc90021c0c000
> IP: [<ffffffffa006cb8a>] unmap_region+0x5a/0x70 [scsi_debug]
> PGD 11fc06067 PUD 21f802067 PMD d5632067 PTE 0
> Oops: 0002 [#1] SMP
> last sysfs file:
> /sys/devices/pseudo_0/adapter0/host2/target2:0:0/2:0:0:0/type
> CPU 10
> Modules linked in: scsi_debug crc_t10dif sd_mod sg arcmsr cxgb3 mdio
> [last unloaded: scsi_debug]
>
> Pid: 0, comm: swapper Not tainted 2.6.35-rc3-dirty #1 /ProLiant DL360
> G6
> RIP: 0010:[<ffffffffa006cb8a>]  [<ffffffffa006cb8a>]
> unmap_region+0x5a/0x70 [scsi_debug]
> RSP: 0018:ffff880001d43c08  EFLAGS: 00010046
> RAX: 0000000000100000 RBX: 0000000000000001 RCX: 0000000000000001
> RDX: 0000000000000000 RSI: 0000000000100000 RDI: 00000000000fffff
> RBP: 0000000000000000 R08: 0000000000100000 R09: 0000000000000001
> R10: ffffc90021bec000 R11: 0000000020000000 R12: ffff88011abeaf00
> R13: 0000000000000000 R14: 0000000000100000 R15: 0000000000000046
> FS:  0000000000000000(0000) GS:ffff880001d40000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: ffffc90021c0c000 CR3: 00000000019b9000 CR4: 00000000000006a0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process swapper (pid: 0, threadinfo ffff88021f65c000, task
> ffff88021f663000)
> Stack:
>   ffffffffa006d413 ffff88011abeae00 ffff88011e9b1560 0000000000000000
> <0>  ffff88011abeaf00 ffff88011ea284e0 0000000000000001
> 0000000000000000
> <0>  ffffffffa006f93d 0000000000001000 ffff88011abf2e00
> ffff88011a0c9000
> Call Trace:
>   <IRQ>
>   [<ffffffffa006d413>] ? resp_write_same+0x163/0x1a0 [scsi_debug]
>   [<ffffffffa006f93d>] ? scsi_debug_queuecommand+0x83d/0x1a30
>   [scsi_debug]
>   [<ffffffff81223580>] ? scsi_done+0x0/0x10
>   [<ffffffff81229e4e>] ? scsi_init_io+0x1e/0x100
>   [<ffffffff8122a09d>] ? scsi_setup_blk_pc_cmnd+0x6d/0x130
>   [<ffffffffa00658e2>] ? sd_prep_fn+0x1e2/0xa70 [sd_mod]
>   [<ffffffff81223682>] ? scsi_dispatch_cmd+0xf2/0x220
>   [<ffffffff8122979d>] ? scsi_request_fn+0x34d/0x450
>   [<ffffffff8116eff5>] ? __blk_run_queue+0x65/0x150
>   [<ffffffff8116f1b8>] ? blk_run_queue+0x28/0x50
>   [<ffffffff81228c32>] ? scsi_run_queue+0xd2/0x390
>   [<ffffffff81229b0b>] ? scsi_next_command+0x3b/0x60
>   [<ffffffff8122a6f4>] ? scsi_io_completion+0x354/0x580
>   [<ffffffff81173f35>] ? blk_done_softirq+0x75/0x90
>   [<ffffffff810425be>] ? __do_softirq+0xae/0x140
>   [<ffffffff8100347c>] ? call_softirq+0x1c/0x30
>   [<ffffffff81005155>] ? do_softirq+0x65/0xa0
>   [<ffffffff8101992b>] ? smp_apic_timer_interrupt+0x6b/0xa0
>   [<ffffffff81002f53>] ? apic_timer_interrupt+0x13/0x20
>   <EOI>
>   [<ffffffff811d4417>] ? acpi_idle_enter_bm+0x294/0x2cb
>   [<ffffffff811d4410>] ? acpi_idle_enter_bm+0x28d/0x2cb
>   [<ffffffff8128eb7a>] ? cpuidle_idle_call+0xba/0x120
>   [<ffffffff810017de>] ? cpu_idle+0x5e/0xa0
> Code: 00 48 89 c8 48 29 d0 48 01 c7 48 39 fe 76 2a 31 d2 4a 8d 04 0f
> 48 f7 f1 89 d2 49 89 c0 48 85 d2 75 df 48 8d 04 0f 48 39 c6 72 d6<f0>
> 45 0f b3 02 eb cf 0f 1f 80 00 00 00 00 f3 c3 66 0f 1f 44 00
> RIP  [<ffffffffa006cb8a>] unmap_region+0x5a/0x70 [scsi_debug]
>   RSP<ffff880001d43c08>
> CR2: ffffc90021c0c000
>
> Same problem?
>
> http://marc.info/?l=linux-scsi&m=125680100519614&w=2
>
> =
> From: FUJITA Tomonori<fujita.tomonori@lab.ntt.co.jp>
> Subject: [PATCH] scsi_debug: fix map_region and unmap_region oops
>
> map_region and unmap_region could access an invalid memory area since
> they don't check the size boundary.
>
> Signed-off-by: FUJITA Tomonori<fujita.tomonori@lab.ntt.co.jp>
> ---
>   drivers/scsi/scsi_debug.c |    6 ++++--
>   1 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 136329b..b02bdc6 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, unsigned int len)
>   		block = lba + alignment;
>   		rem = do_div(block, granularity);
>
> -		set_bit(block, map_storep);
> +		if (block<  map_size)
> +			set_bit(block, map_storep);
>
>   		lba += granularity - rem;
>   	}
> @@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, unsigned int len)
>   		block = lba + alignment;
>   		rem = do_div(block, granularity);
>
> -		if (rem == 0&&  lba + granularity<= end)
> +		if (rem == 0&&  lba + granularity<= end&&
> +		    block<  map_size)
>   			clear_bit(block, map_storep);
>
>   		lba += granularity - rem;

Acked-by: Douglas Gilbert <dgilbert@interlog.com>

