Re: BUG: Null pointer dereference in fs/open.c

From: Peter Osterlund
Date: Tue Apr 24 2007 - 16:46:32 EST

On Mon, 23 Apr 2007, Andrew Morton wrote:

Try this:

--- a/drivers/block/pktcdvd.c~packet-fix-error-handling
+++ a/drivers/block/pktcdvd.c
@@ -777,7 +777,8 @@ static int pkt_generic_packet(struct pkt
rq->cmd_flags |= REQ_QUIET;

blk_execute_rq(rq->q, pd->bdev->bd_disk, rq, 0);
- ret = rq->errors;
+ if (rq->errors)
+ ret = -EIO;
return ret;
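Review bot: the success path of this hunk depends on `ret` already holding 0 when `rq->errors` is clear, but the hunk does not show where `ret` is initialized; if it is only assigned on the error path, a successful request returns an indeterminate value, so either confirm the earlier initialization or write the assignment unconditionally as `ret = rq->errors ? -EIO : 0;`. A one-line comment stating that `rq->errors` is a counter rather than an errno would also stop a later reader from reintroducing `ret = rq->errors`.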

The packet driver was assuming that request.errors is an errno, but it
isn't - it's some sort of diagnostic bitfield thing. Now why would the
packet driver have thought that? Let's go read the comments:
Well there's your root cause right there.

I don't know why this wasn't oopsing in earlier kernels. Perhaps something
else is broken. Please test this urgently.

The code used to return -EIO until commit 406c9b605cbc45151c03ac9a3f95e9acf050808c, which was committed 2007-01-05, so that would explain why older kernels didn't crash.

What the heck _is_ in request.errors?

According to linux/Documentation/block/request.txt, it is an error counter. The info in that text file would probably do a lot more good as comments in the structure definition though.

Should the packet driver even be looking at it?

I think so. How else is it supposed to know if the request failed?

Peter Osterlund - petero2@xxxxxxxxx