From: Phillip Wood <phillip.wood@talktalk.net>
To: Borislav Petkov <bp@alien8.de>
Cc: "Anton V. Boyarshinov" <boyarsh@altlinux.org>,
phillip.wood@dunelm.org.uk, bugzilla-daemon@bugzilla.kernel.org,
linux-ide@vger.kernel.org, Jeff Garzik <jgarzik@pobox.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [Bug 49151] New: NULL pointer dereference in pata_acpi
Date: Sun, 21 Oct 2012 17:04:12 +0100
Message-ID: <50841CFC.2030802@talktalk.net>
In-Reply-To: <20121020120047.GC17563@liondog.tnic>
On 10/20/2012 01:00 PM, Borislav Petkov wrote:
> On Sat, Oct 20, 2012 at 10:19:22AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=49151
>>
>> Summary: NULL pointer dereference in pata_acpi
>> Product: IO/Storage
>> Version: 2.5
>> Kernel Version: 3.6.2
>> Platform: All
>> OS/Version: Linux
>> Tree: Mainline
>> Status: NEW
>> Severity: normal
>> Priority: P1
>> Component: IDE
>> AssignedTo: io_ide@kernel-bugs.osdl.org
>> ReportedBy: phillip.wood@dunelm.org.uk
>> Regression: No
>>
>>
>> Just upgraded from 3.2.20 to 3.6.2 and when I try to boot I get
>>
>> BUG unable to handle kernel NULL pointer dereference at 00000010
>> IP [<efe4c2407>] pacpi_set_dmamode+0x50/0xa0 [pata_acpi]
>>
>> and it won't find my hard disc. I'm using the standard arch linux kernel config
>> available at
>> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/config?h=packages/linux
>>
>> I've attached a couple of photos of the message and backtrace
>
> Ok,
>
> let's first switch to mail.
>
> FWIW, there's another report of this
>
> http://marc.info/?l=linux-ide&m=134995465614435&w=2
>
> and it is on 64-bit while Phillip's is 32-bit. Adding Anton and a couple
> more people to CC.
>
> From Anton's disassembly I get:
>
> [ 2.703078] Code: 01 00 00 00 f6 43 10 10 74 0a 41 89 c7 43 8d 0c 3f 41 d3 e6 41 0f b6 bd e1 02 00 00 e8 ce 74 0f 00 41 80 bd e1 02 00 00 3f 77 44 <0f> b7 40 10 41 f7 d6 44 21 73 10 4d 63 ff 42 89 44 fb 04 48 89
> All code
> ========
> 0: 01 00 add %eax,(%rax)
> 2: 00 00 add %al,(%rax)
> 4: f6 43 10 10 testb $0x10,0x10(%rbx)
> 8: 74 0a je 0x14
> a: 41 89 c7 mov %eax,%r15d
> d: 43 8d 0c 3f lea (%r15,%r15,1),%ecx
> 11: 41 d3 e6 shl %cl,%r14d
> 14: 41 0f b6 bd e1 02 00 movzbl 0x2e1(%r13),%edi
> 1b: 00
> 1c: e8 ce 74 0f 00 callq 0xf74ef
> 21: 41 80 bd e1 02 00 00 cmpb $0x3f,0x2e1(%r13)
> 28: 3f
> 29: 77 44 ja 0x6f
> 2b:* 0f b7 40 10 movzwl 0x10(%rax),%eax <-- trapping instruction
> 2f: 41 f7 d6 not %r14d
> 32: 44 21 73 10 and %r14d,0x10(%rbx)
> 36: 4d 63 ff movslq %r15d,%r15
> 39: 42 89 44 fb 04 mov %eax,0x4(%rbx,%r15,8)
> 3e: 48 rex.W
> 3f: 89 .byte 0x89
>
> And although I cannot generate the exact code here, building
> drivers/ata/pata_acpi.c locally gives only one instruction like the
> trapping one (thankfully, function is short enough):
>
> sall %cl, %eax # tmp92, tmp93
> orl %eax, 16(%rbx) # tmp93, acpi_6->gtm.flags
> jmp .L30 #
> .LVL46:
> .L29:
> .loc 1 151 0
> movzwl 16(%rax), %eax # t_12->cycle, t_12->cycle <---
> .LVL47:
> .loc 1 152 0
> leal (%r12,%r12), %ecx #, tmp97
>
> which could mean that ata_timing_find_mode() might be returning NULL
> on those systems (t is in %(r|e)ax in both oopses and the 0x10 offset
> points to ata_timing->cycle).
>
> So, Anton, Phillip, can you guys try the following debugging patch
> to confirm (it is against mainline but should apply cleanly ontop of
> 3.6-stable):
>
> ---
> diff --git a/drivers/ata/pata_acpi.c b/drivers/ata/pata_acpi.c
> index 09723b76beac..c5a54faecb98 100644
> --- a/drivers/ata/pata_acpi.c
> +++ b/drivers/ata/pata_acpi.c
> @@ -144,6 +144,12 @@ static void pacpi_set_dmamode(struct ata_port *ap, struct ata_device *adev)
>
> /* Now stuff the nS values into the structure */
> t = ata_timing_find_mode(adev->dma_mode);
> +
> + if (!t) {
> + WARN(1, "%s: ata_timing_find_mode gives NULL\n", __func__);
> + return;
> + }
> +
> if (adev->dma_mode >= XFER_UDMA_0) {
> acpi->gtm.drive[unit].dma = t->udma;
> acpi->gtm.flags |= (1 << (2 * unit));
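Review bot: the WARN added at the top of this hunk fires on every call and prints nothing that identifies the mode, so a report from it cannot tell which adev->dma_mode has no entry in the timing table; since the hunk already has adev in scope, WARN_ONCE with the mode in the message, e.g. `WARN_ONCE(1, "%s: no timing for dma_mode 0x%x\n", __func__, adev->dma_mode);`, would answer the question the patch is meant to settle in one trace instead of one per port. The early `return;` is fine for a diagnostic, but it leaves acpi->gtm.drive[unit] unprogrammed for that device, so a final fix still has to decide what pacpi_set_dmamode() should do when ata_timing_find_mode() fails rather than silently skipping the ACPI timing update.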
> --
>
> Thanks.
>
Hi Borislav,
Thanks for responding to the bug report so quickly. I've applied your
patch and the kernel now finds my hard drive, and the logs (pasted below)
have a couple of warnings generated by the patch. So if I've understood
correctly, your theory that ata_timing_find_mode() is returning NULL
is correct.
Thanks for looking into this; just let me know if you want me to do
anything else.
Best Wishes
Phillip
[ 1.932509] ------------[ cut here ]------------
[ 1.932509] WARNING: at drivers/ata/pata_acpi.c:149 pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]()
[ 1.932509] Hardware name: Portable PC
[ 1.932509] pacpi_set_dmamode: ata_timing_find_mode gives NULL
[ 1.932509] Modules linked in: pata_acpi ata_generic
[ 1.932509] Pid: 857, comm: scsi_eh_0 Not tainted 3.6.0-1-custom #1
[ 1.932509] Call Trace:
[ 1.932509] [<c102cd28>] ? warn_slowpath_common+0x78/0xb0
[ 1.932509] [<ef77e2b7>] ? pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]
[ 1.932509] [<ef77e2b7>] ? pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]
[ 1.932509] [<c102cdf3>] ? warn_slowpath_fmt+0x33/0x40
[ 1.932509] [<ef77e2b7>] ? pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]
[ 1.932509] [<ef77e375>] ? pacpi_qc_issue+0x45/0x64 [pata_acpi]
[ 1.932509] [<c126dfb2>] ? ata_qc_issue+0x152/0x320
[ 1.932509] [<c140d1bd>] ? schedule_timeout+0xed/0x170
[ 1.932509] [<c126e3c9>] ? ata_exec_internal_sg+0x249/0x510
[ 1.932509] [<c127d2d0>] ? ata_release_transport+0x40/0x40
[ 1.932509] [<c1039145>] ? msleep+0x15/0x20
[ 1.932509] [<c126e6f2>] ? ata_exec_internal+0x62/0xa0
[ 1.932509] [<c126e755>] ? ata_do_dev_read_id+0x25/0x30
[ 1.932509] [<c126ea35>] ? ata_dev_read_id+0x245/0x560
[ 1.932509] [<c127af72>] ? ata_eh_recover+0x762/0x1270
[ 1.932509] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 1.932509] [<ef77e180>] ? pacpi_port_start+0x80/0x80 [pata_acpi]
[ 1.932509] [<c127e210>] ? ata_sff_wait_after_reset+0x130/0x130
[ 1.932509] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 1.932509] [<c127c490>] ? ata_do_eh+0x40/0xb0
[ 1.932509] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 1.932509] [<c127e210>] ? ata_sff_wait_after_reset+0x130/0x130
[ 1.932509] [<ef77e180>] ? pacpi_port_start+0x80/0x80 [pata_acpi]
[ 1.932509] [<c127e210>] ? ata_sff_wait_after_reset+0x130/0x130
[ 1.932509] [<c127ec77>] ? ata_sff_error_handler+0xb7/0x120
[ 1.932509] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 1.932509] [<c127bfc5>] ? ata_scsi_port_error_handler+0x495/0x860
[ 1.932509] [<c127ece0>] ? ata_sff_error_handler+0x120/0x120
[ 1.932509] [<c127c413>] ? ata_scsi_error+0x83/0xc0
[ 1.932509] [<c125533c>] ? scsi_error_handler+0x8c/0x470
[ 1.932509] [<c104f6b4>] ? __wake_up_common+0x44/0x70
[ 1.932509] [<c12552b0>] ? scsi_eh_get_sense+0xd0/0xd0
[ 1.932509] [<c12552b0>] ? scsi_eh_get_sense+0xd0/0xd0
[ 1.932509] [<c104719c>] ? kthread+0x6c/0x80
[ 1.932509] [<c1047130>] ? kthread_freezable_should_stop+0x50/0x50
[ 1.932509] [<c140f8f6>] ? kernel_thread_helper+0x6/0xd
[ 1.932509] ---[ end trace 7db6a26b2c0e9208 ]---
[ 2.106520] ------------[ cut here ]------------
[ 2.106520] WARNING: at drivers/ata/pata_acpi.c:149 pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]()
[ 2.106520] Hardware name: Portable PC
[ 2.106520] pacpi_set_dmamode: ata_timing_find_mode gives NULL
[ 1.951725] ACPI: Invalid Power Resource to register!
[ 2.106520] Modules linked in: pata_acpi ata_generic
[ 2.106520] Pid: 863, comm: scsi_eh_1 Tainted: G W 3.6.0-1-custom #1
[ 2.106520] Call Trace:
[ 2.106520] [<c102cd28>] ? warn_slowpath_common+0x78/0xb0
[ 2.106520] [<ef77e2b7>] ? pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]
[ 2.106520] [<ef77e2b7>] ? pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]
[ 2.106520] [<c102cdf3>] ? warn_slowpath_fmt+0x33/0x40
[ 2.106520] [<ef77e2b7>] ? pacpi_set_dmamode+0xc7/0xe0 [pata_acpi]
[ 2.106520] [<ef77e375>] ? pacpi_qc_issue+0x45/0x64 [pata_acpi]
[ 2.106520] [<c126dfb2>] ? ata_qc_issue+0x152/0x320
[ 2.106520] [<c11cda30>] ? acpi_os_release_object+0x5/0x8
[ 2.106520] [<c10b0e7b>] ? __kmalloc+0x2b/0x130
[ 2.106520] [<c126e3c9>] ? ata_exec_internal_sg+0x249/0x510
[ 2.106520] [<c140d1bd>] ? schedule_timeout+0xed/0x170
[ 2.106520] [<c11eaa87>] ? acpi_ut_delete_internal_obj+0x162/0x172
[ 2.106520] [<c126e6f2>] ? ata_exec_internal+0x62/0xa0
[ 2.106520] [<c126e755>] ? ata_do_dev_read_id+0x25/0x30
[ 2.106520] [<c126ea35>] ? ata_dev_read_id+0x245/0x560
[ 2.106520] [<c127af72>] ? ata_eh_recover+0x762/0x1270
[ 2.106520] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 2.106520] [<ef77e180>] ? pacpi_port_start+0x80/0x80 [pata_acpi]
[ 2.106520] [<c127e210>] ? ata_sff_wait_after_reset+0x130/0x130
[ 2.106520] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 2.106520] [<c127c490>] ? ata_do_eh+0x40/0xb0
[ 2.106520] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 2.106520] [<c127e210>] ? ata_sff_wait_after_reset+0x130/0x130
[ 2.106520] [<ef77e180>] ? pacpi_port_start+0x80/0x80 [pata_acpi]
[ 2.106520] [<c127e210>] ? ata_sff_wait_after_reset+0x130/0x130
[ 2.106520] [<c127ec77>] ? ata_sff_error_handler+0xb7/0x120
[ 2.106520] [<c127dcb0>] ? ata_sff_drain_fifo+0x80/0x80
[ 2.106520] [<c127bfc5>] ? ata_scsi_port_error_handler+0x495/0x860
[ 2.106520] [<c127ece0>] ? ata_sff_error_handler+0x120/0x120
[ 2.106520] [<c127c413>] ? ata_scsi_error+0x83/0xc0
[ 2.106520] [<c125533c>] ? scsi_error_handler+0x8c/0x470
[ 2.106520] [<c104f6b4>] ? __wake_up_common+0x44/0x70
[ 2.106520] [<c12552b0>] ? scsi_eh_get_sense+0xd0/0xd0
[ 2.106520] [<c12552b0>] ? scsi_eh_get_sense+0xd0/0xd0
[ 2.106520] [<c104719c>] ? kthread+0x6c/0x80
[ 2.106520] [<c1047130>] ? kthread_freezable_should_stop+0x50/0x50
[ 2.106520] [<c140f8f6>] ? kernel_thread_helper+0x6/0xd
[ 2.106520] ---[ end trace 7db6a26b2c0e9209 ]---
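The diagnosis in Borislav's quoted message (the trapping `movzwl 0x10(%rax)` reading `ata_timing->cycle`, which is why the 32-bit oops reports a fault at address 00000010, and `ata_timing_find_mode()` handing back NULL for a mode with no table entry) can be reproduced in user space. The following is an added example and is not code from this thread or from drivers/ata/pata_acpi.c: the struct copies the field order of the kernel's `struct ata_timing` (ten unsigned shorts), which is what puts `cycle` at offset 0x10; the `XFER_*` values, the abbreviated timing table, the `gtm_drive` stand-in and the two `set_dmamode_*` functions are assumptions for illustration only.

```c
/* Added example, not from the thread or from drivers/ata: a user-space model
 * of the NULL dereference analysed above. Field order below mirrors the
 * kernel's struct ata_timing so that offsetof(cycle) == 0x10, the faulting
 * address in the 32-bit oops. XFER_* values and table contents are assumed. */
#include <stddef.h>
#include <string.h>

struct ata_timing {
	unsigned short mode, setup, act8b, rec8b, cyc8b,
	               active, recover, dmack_hold, cycle, udma;
};

#define XFER_UDMA_0   0x40	/* assumed constants for the example */
#define XFER_MW_DMA_2 0x22
#define XFER_MW_DMA_0 0x20

/* Abbreviated table, sorted by mode and 0xFF-terminated; numbers illustrative. */
static const struct ata_timing timings[] = {
	{ XFER_MW_DMA_0, 0, 0, 0, 0, 215, 215, 0, 480,  0 },
	{ XFER_MW_DMA_2, 0, 0, 0, 0,  70,  25, 0, 120,  0 },
	{ XFER_UDMA_0,   0, 0, 0, 0,   0,   0, 0,   0, 60 },
	{ 0xFF },
};

/* Same contract as ata_timing_find_mode(): NULL when the mode is not in the
 * table, which is the case the reporters' machines hit. */
const struct ata_timing *find_mode(unsigned char xfer_mode)
{
	const struct ata_timing *t = timings;

	while (xfer_mode > t->mode)
		t++;
	return xfer_mode == t->mode ? t : NULL;
}

/* Forensics step from the mail: map the faulting address (an offset from a
 * NULL base pointer) back to the struct member that was being read. */
const char *field_at_offset(size_t off)
{
#define FIELD(n) if (off == offsetof(struct ata_timing, n)) return #n;
	FIELD(mode) FIELD(setup) FIELD(act8b) FIELD(rec8b) FIELD(cyc8b)
	FIELD(active) FIELD(recover) FIELD(dmack_hold) FIELD(cycle) FIELD(udma)
#undef FIELD
	return NULL;
}

struct gtm_drive { unsigned int pio, dma; };	/* stand-in for acpi->gtm.drive[unit] */

/* Shape of the original pacpi_set_dmamode(): t is dereferenced unconditionally,
 * so an unknown mode reads *(unsigned short *)((char *)NULL + 0x10). */
void set_dmamode_unchecked(struct gtm_drive *d, unsigned char dma_mode)
{
	const struct ata_timing *t = find_mode(dma_mode);

	d->dma = dma_mode >= XFER_UDMA_0 ? t->udma : t->cycle;
}

/* Hardened form: refuse to program timings for a mode the table does not
 * know and tell the caller, so the bad mode can be logged and traced.
 * Returns 0 on success, -1 when the lookup fails (timing left untouched). */
int set_dmamode_checked(struct gtm_drive *d, unsigned char dma_mode)
{
	const struct ata_timing *t = find_mode(dma_mode);

	if (!t)
		return -1;	/* caller should log dma_mode at this point */
	d->dma = dma_mode >= XFER_UDMA_0 ? t->udma : t->cycle;
	return 0;
}
```

Calling `set_dmamode_unchecked()` with a mode that is missing from the table (0x21 in this table) is exactly the kernel crash in miniature; `set_dmamode_checked()` returns -1 instead and leaves the drive timing alone, which is what the debugging patch does, minus the WARN. `field_at_offset(0x10)` returning "cycle" is the offset check Borislav did by hand against the disassembly.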