Re: BUG: Null pointer dereference in fs/open.c
From: Peter Osterlund
Date: Tue Apr 24 2007 - 16:46:32 EST
On Mon, 23 Apr 2007, Andrew Morton wrote:
@@ -777,7 +777,8 @@ static int pkt_generic_packet(struct pkt
rq->cmd_flags |= REQ_QUIET;
blk_execute_rq(rq->q, pd->bdev->bd_disk, rq, 0);
- ret = rq->errors;
+ if (rq->errors)
+ ret = -EIO;
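Review bot: with `ret` now assigned only on the error path, the success path relies on `ret` having been initialised to 0 earlier in pkt_generic_packet(), which this hunk does not show; please confirm that initialisation is present rather than leaving `ret` with a stale value from an earlier call. Since rq->errors is an error counter (Documentation/block/request.txt) rather than an errno, a one-line comment above `if (rq->errors)` stating that would stop the next reader from repeating the original assumption.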
The packet driver was assuming that request.errors is an errno, but it
isn't - it's some sort of diagnostic bitfield thing. Now why would the
packet driver have thought that? Let's go read the comments:
Well there's your root cause right there.
I don't know why this wasn't oopsing in earlier kernels. Perhaps something
else is broken. Please test this urgently.
The code used to return -EIO until commit
406c9b605cbc45151c03ac9a3f95e9acf050808c, which was committed 2007-01-05,
so that would explain why older kernels didn't crash.
What the heck _is_ in request.errors?
According to linux/Documentation/block/request.txt, it is an error
counter. The info in that text file would probably do a lot more good as
comments in the structure definition though.
Should the packet driver even be looking at it?
I think so. How else is it supposed to know if the request failed?
Peter Osterlund - petero2@xxxxxxxxx