Re: kernel NULL pointer dereference in blk_rq_map_sg withv2.6.23-6815-g0895e91

From: Jens Axboe
Date: Tue Oct 23 2007 - 08:49:26 EST


On Tue, Oct 23 2007, Florin Iucha wrote:
> Jens,
>
> This is freshly after booting into this morning's kernel:
>
> [ 60.656136] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
> [ 60.656143] [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> [ 60.656151] PGD 4640067 PUD 46d4067 PMD 0
> [ 60.656154] Oops: 0000 [1] SMP
> [ 60.656157] CPU 1
> [ 60.656159] Modules linked in: sbp2 lp dvb_pll lgdt330x cx88_dvb cx88_vp3054_i2c videobuf_dvb tuner tea5767 td
> a8290 tuner_simple mt20xx cx88_alsa cx8802 cx8800 cx88xx ir_common tveeprom videobuf_dma_sg videobuf_core btcx_ri
> sc i2c_nforce2 evdev rtc forcedeth ehci_hcd fuse
> [ 60.656176] Pid: 4250, comm: hald-probe-stor Not tainted 2.6.24-rc0-5 #1
> [ 60.656178] RIP: 0010:[<ffffffff80375553>] [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> [ 60.656182] RSP: 0018:ffff810004791930 EFLAGS: 00010246
> [ 60.656184] RAX: 000000000403b000 RBX: 0000000000001000 RCX: 6db6db6db6db6db7
> [ 60.656187] RDX: 0000000000000000 RSI: ffff810001000000 RDI: 0000000005701000
> [ 60.656189] RBP: ffff810004791968 R08: 0000000005700000 R09: ffff8100044aa060
> [ 60.656191] R10: 0000000000000000 R11: ffff8100050dea00 R12: 0000000000002000
> [ 60.656193] R13: ffff8100060d2700 R14: 0000000000000000 R15: ffffffff807f0000
> [ 60.656196] FS: 00002b5da088e6e0(0000) GS:ffff810003011500(0000) knlGS:0000000000000000
> [ 60.656198] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [ 60.656200] CR2: 0000000000000000 CR3: 0000000004568000 CR4: 00000000000006e0
> [ 60.656202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 60.656204] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [ 60.656207] Process hald-probe-stor (pid: 4250, threadinfo ffff810004790000, task ffff810006312000)
> [ 60.656208] Stack: ffff81000607a000 0000000100000001 ffff8100040fa120 ffffffff807fe2c0
> [ 60.656213] ffff81000607a000 ffff81000607a000 ffffffff807fe2c0 ffff8100047919a8
> [ 60.656217] ffffffff8041bb58 ffff8100047919a8 ffff8100040fa120 ffffffff807fe2c0
> [ 60.656220] Call Trace:
> [ 60.656226] [<ffffffff8041bb58>] ide_map_sg+0x38/0xb0
> [ 60.656231] [<ffffffff8042952b>] cdrom_start_read_continuation+0x0/0xb5
> [ 60.656234] [<ffffffff80423806>] ide_build_sglist+0x38/0x88
> [ 60.656238] [<ffffffff80423885>] ide_build_dmatable+0x2f/0x172
> [ 60.656241] [<ffffffff804239fc>] ide_dma_setup+0x34/0xaa
> [ 60.656245] [<ffffffff804277e5>] cdrom_start_packet_command+0x5a/0x177
> [ 60.656249] [<ffffffff8037fac4>] cfq_dispatch_insert+0x38/0x50
> [ 60.656253] [<ffffffff80428339>] ide_do_rw_cdrom+0x423/0x57c
> [ 60.656257] [<ffffffff8041c56c>] ide_do_request+0x7a7/0xa74
> [ 60.656263] [<ffffffff8023c097>] del_timer+0x52/0x5d
> [ 60.656267] [<ffffffff8025d343>] sync_page+0x0/0x45
> [ 60.656269] [<ffffffff8041cba0>] do_ide_request+0x1b/0x1d
> [ 60.656273] [<ffffffff803778a7>] __generic_unplug_device+0x28/0x2c
> [ 60.656276] [<ffffffff80377c6e>] generic_unplug_device+0x20/0x31
> [ 60.656279] [<ffffffff803751b1>] blk_backing_dev_unplug+0x16/0x18
> [ 60.656283] [<ffffffff8029decc>] block_sync_page+0x42/0x44
> [ 60.656285] [<ffffffff8025d37f>] sync_page+0x3c/0x45
> [ 60.656290] [<ffffffff805589b8>] __wait_on_bit_lock+0x42/0x79
> [ 60.656294] [<ffffffff8025d32f>] __lock_page+0x64/0x6b
> [ 60.656298] [<ffffffff8024664b>] wake_bit_function+0x0/0x2a
> [ 60.656301] [<ffffffff8025da95>] do_generic_mapping_read+0x1da/0x383
> [ 60.656304] [<ffffffff8025d08d>] file_read_actor+0x0/0x137
> [ 60.656309] [<ffffffff8025f1af>] generic_file_aio_read+0x11e/0x15d
> [ 60.656315] [<ffffffff8027ee59>] do_sync_read+0xe2/0x126
> [ 60.656318] [<ffffffff8026b15a>] handle_mm_fault+0x62e/0x65e
> [ 60.656324] [<ffffffff80386fcc>] __up_read+0x8f/0x97
> [ 60.656327] [<ffffffff80246613>] autoremove_wake_function+0x0/0x38
> [ 60.656331] [<ffffffff80559233>] __mutex_lock_slowpath+0x22f/0x23c
> [ 60.656337] [<ffffffff8027f5f0>] vfs_read+0xab/0x134
> [ 60.656341] [<ffffffff8027f9b5>] sys_read+0x47/0x6f
> [ 60.656345] [<ffffffff8020b77e>] system_call+0x7e/0x83
> [ 60.656349]
> [ 60.656350]
> [ 60.656350] Code: 49 8b 02 41 c7 42 18 00 00 00 00 49 c7 42 10 00 00 00 00 83
> [ 60.656359] RIP [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> [ 60.656362] RSP <ffff810004791930>
> [ 60.656363] CR2: 0000000000000000
>
> Platform is AMD64 and the userspace is Ubuntu 7/10 Gutsy Gibbon.

This should fix it, sorry about that.

diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c
index 61c2e39..de5ba47 100644
--- a/block/ll_rw_blk.c
+++ b/block/ll_rw_blk.c
@@ -1351,11 +1351,21 @@ int blk_rq_map_sg(struct request_queue *q, struct request *rq,
new_segment:
if (!sg)
sg = sglist;
- else
+ else {
+ /*
+ * If the driver previously mapped a shorter
+ * list, we could see a termination bit
+ * prematurely unless it fully inits the sg
+ * table on each mapping. We KNOW that there
+ * must be more entries here or the driver
+ * would be buggy, so force clear the
+ * termination bit to avoid doing a full
+ * sg_init_table() in drivers for each command.
+ */
+ sg->page_link &= ~0x02;
sg = sg_next(sg);
+ }

- sg_dma_len(sg) = 0;
- sg_dma_address(sg) = 0;
sg_set_page(sg, bvec->bv_page);
sg->length = nbytes;
sg->offset = bvec->bv_offset;


--
Jens Axboe

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/