On 10-06-27 12:04 PM, FUJITA Tomonori wrote:
I got the following oops:

BUG: unable to handle kernel paging request at ffffc90021c0c000
IP: [<ffffffffa006cb8a>] unmap_region+0x5a/0x70 [scsi_debug]
PGD 11fc06067 PUD 21f802067 PMD d5632067 PTE 0
Oops: 0002 [#1] SMP
last sysfs file: /sys/devices/pseudo_0/adapter0/host2/target2:0:0/2:0:0:0/type
CPU 10
Modules linked in: scsi_debug crc_t10dif sd_mod sg arcmsr cxgb3 mdio [last unloaded: scsi_debug]
Pid: 0, comm: swapper Not tainted 2.6.35-rc3-dirty #1 /ProLiant DL360 G6
RIP: 0010:[<ffffffffa006cb8a>] [<ffffffffa006cb8a>] unmap_region+0x5a/0x70 [scsi_debug]
RSP: 0018:ffff880001d43c08 EFLAGS: 00010046
RAX: 0000000000100000 RBX: 0000000000000001 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000100000 RDI: 00000000000fffff
RBP: 0000000000000000 R08: 0000000000100000 R09: 0000000000000001
R10: ffffc90021bec000 R11: 0000000020000000 R12: ffff88011abeaf00
R13: 0000000000000000 R14: 0000000000100000 R15: 0000000000000046
FS: 0000000000000000(0000) GS:ffff880001d40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc90021c0c000 CR3: 00000000019b9000 CR4: 00000000000006a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffff88021f65c000, task ffff88021f663000)
Stack:
 ffffffffa006d413 ffff88011abeae00 ffff88011e9b1560 0000000000000000
<0> ffff88011abeaf00 ffff88011ea284e0 0000000000000001 0000000000000000
<0> ffffffffa006f93d 0000000000001000 ffff88011abf2e00 ffff88011a0c9000
Call Trace:
 <IRQ>
 [<ffffffffa006d413>] ? resp_write_same+0x163/0x1a0 [scsi_debug]
 [<ffffffffa006f93d>] ? scsi_debug_queuecommand+0x83d/0x1a30 [scsi_debug]
 [<ffffffff81223580>] ? scsi_done+0x0/0x10
 [<ffffffff81229e4e>] ? scsi_init_io+0x1e/0x100
 [<ffffffff8122a09d>] ? scsi_setup_blk_pc_cmnd+0x6d/0x130
 [<ffffffffa00658e2>] ? sd_prep_fn+0x1e2/0xa70 [sd_mod]
 [<ffffffff81223682>] ? scsi_dispatch_cmd+0xf2/0x220
 [<ffffffff8122979d>] ? scsi_request_fn+0x34d/0x450
 [<ffffffff8116eff5>] ? __blk_run_queue+0x65/0x150
 [<ffffffff8116f1b8>] ? blk_run_queue+0x28/0x50
 [<ffffffff81228c32>] ? scsi_run_queue+0xd2/0x390
 [<ffffffff81229b0b>] ? scsi_next_command+0x3b/0x60
 [<ffffffff8122a6f4>] ? scsi_io_completion+0x354/0x580
 [<ffffffff81173f35>] ? blk_done_softirq+0x75/0x90
 [<ffffffff810425be>] ? __do_softirq+0xae/0x140
 [<ffffffff8100347c>] ? call_softirq+0x1c/0x30
 [<ffffffff81005155>] ? do_softirq+0x65/0xa0
 [<ffffffff8101992b>] ? smp_apic_timer_interrupt+0x6b/0xa0
 [<ffffffff81002f53>] ? apic_timer_interrupt+0x13/0x20
 <EOI>
 [<ffffffff811d4417>] ? acpi_idle_enter_bm+0x294/0x2cb
 [<ffffffff811d4410>] ? acpi_idle_enter_bm+0x28d/0x2cb
 [<ffffffff8128eb7a>] ? cpuidle_idle_call+0xba/0x120
 [<ffffffff810017de>] ? cpu_idle+0x5e/0xa0
Code: 00 48 89 c8 48 29 d0 48 01 c7 48 39 fe 76 2a 31 d2 4a 8d 04 0f 48 f7 f1 89 d2 49 89 c0 48 85 d2 75 df 48 8d 04 0f 48 39 c6 72 d6 <f0> 45 0f b3 02 eb cf 0f 1f 80 00 00 00 00 f3 c3 66 0f 1f 44 00
RIP [<ffffffffa006cb8a>] unmap_region+0x5a/0x70 [scsi_debug]
 RSP <ffff880001d43c08>
CR2: ffffc90021c0c000

Same problem?
http://marc.info/?l=linux-scsi&m=125680100519614&w=2

=

From: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx>
Subject: [PATCH] scsi_debug: fix map_region and unmap_region oops

map_region and unmap_region could access an invalid memory area since they don't check the size boundary.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx>
---
 drivers/scsi/scsi_debug.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 136329b..b02bdc6 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, unsigned int len) block = lba + alignment; rem = do_div(block, granularity); - set_bit(block, map_storep); + if (block< map_size) + set_bit(block, map_storep); lba += granularity - rem; 
@@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, unsigned int len) block = lba + alignment; rem = do_div(block, granularity); - if (rem == 0&& lba + granularity<= end) + if (rem == 0&& lba + granularity<= end&& + block< map_size) clear_bit(block, map_storep); lba += granularity - rem;
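Review bot: The new `if (block< map_size)` guard in map_region only skips the out-of-range set_bit but lets the loop keep going: `lba` grows monotonically (`lba += granularity - rem`), so once `block` has reached `map_size` every later iteration fails the same test, and a `break` at that point would make the boundary explicit and avoid the wasted passes. It is also worth confirming in the surrounding code that `map_size` is the number of bits in `map_storep` (i.e. in units of `granularity`) rather than a sector count, because `block` has already been divided by `granularity` by the time it is compared.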
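Review bot: In unmap_region the added `block< map_size` term is tacked onto the end of `if (rem == 0&& lba + granularity<= end&& ...)`, which is correct but leaves the loop iterating past the map just as in map_region; stopping once `block >= map_size` would be cheaper and clearer. A one-line comment above the condition, stating that `map_storep` has only `map_size` bits and that a WRITE SAME whose aligned range ends beyond the map (the resp_write_same frame in the oops above) must not index past it, would tell the next reader why both functions need the same bound check.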
Acked-by: Douglas Gilbert <dgilbert@xxxxxxxxxxxx>