scsi-related panic

Alexandre Ratchov
hello,

there is a u_long to int conversion in scsi_do_ioctl
(/sys/scsi/scsi_ioctl.c near line 386) that made my kernel panic (see
the attached dmesg and ddb trace/ps)

In 'len = screq->datalen' there is an implicit conversion from u_long
to int that can lead to negative values of 'len'. This causes the
assert 'todo < 0' in physio() to fail. The attached patch fixes this by
returning EINVAL if (screq->datalen > INT_MAX). Is this correct?

regards,

--
Alexandre
>> OpenBSD/i386 BOOT 2.10
boot>
booting hd0a:/bsd.mp: 4889824+872336 [52+252784+233762]=0x5f5aac
entry point at 0x100120

[ using 486972 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 3.8-current (GENERIC.MP) #0: Sat Dec  3 10:53:37 CET 2005
    [hidden email]:/h3/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 551 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 804823040 (785960K)
avail mem = 727068672 (710028K)
using 4278 buffers containing 40345600 bytes (39400K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(98) BIOS, date 04/10/00, BIOS32 rev. 0 @ 0xfb380
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xb808
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 9 11 12
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xf400 0xd0000/0x6600
mainbus0: Intel MP Specification (Version 1.1) (OEM00000 PROD00000000)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 100 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 551 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
mainbus0: bus 0 is type PCI  
mainbus0: bus 1 is type PCI  
mainbus0: bus 2 is type ISA  
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 11, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Nvidia GeForce4 MX 440" rev 0xa3
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <IDE-CD, R/RW 8x4x32, 2.0> SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: apic 2 int 11 (irq 11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x02 at pci0 dev 7 function 3 not configured
rl0 at pci0 dev 16 function 0 "Realtek 8139" rev 0x10: apic 2 int 17 (irq 9), address 00:40:95:33:8d:25
rlphy0 at rl0 phy 0: RTL internal phy
ahc0 at pci0 dev 19 function 0 "Adaptec AHA-29160 U160" rev 0x02: apic 2 int 19 (irq 11)
scsibus1 at ahc0: 16 targets
sd0 at scsibus1 targ 6 lun 0: <IBM, DPSS-318350N, S80D> SCSI3 0/direct fixed
sd0: 17501MB, 14627 cyl, 5 head, 490 sec, 512 bytes/sec, 35843670 sec total
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: LM78J
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
sb1 at isapnp0 "Creative SB32 PnP, CTL0031, , Audio" port 0x220/16,0x330/2,0x388/4 irq 5 drq 1,5: dsp v4.13
midi1 at sb1: <SB MPU-401 UART>
audio0 at sb1
opl0 at sb1: model OPL3
midi2 at opl0: <SB Yamaha OPL3>
wdc2 at isapnp0 "Creative SB32 PnP, CTL2011, PNP0600, IDE" port 0x168/8,0x36e/2 irq 10
"Creative SB32 PnP, CTL0021, , WaveTable" at isapnp0 port 0x620/4 not configured
joy0 at isapnp0 "Creative SB32 PnP, CTL7001, PNPB02F, Game" port 0x200/8
biomask 0 netmask 0 ttymask 0
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
apm0: disconnected
ahc0: target 6 using 16bit transfers
ahc0: target 6 synchronous at 20.0MHz, offset = 0x3f
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
Automatic boot in progress: starting file system checks.
/dev/rsd0a: file system is clean; not checking
/dev/rsd0d: file system is clean; not checking
/dev/rsd0f: file system is clean; not checking
/dev/rsd0e: file system is clean; not checking
/dev/rsd0h: file system is clean; not checking
/dev/rsd0k: file system is clean; not checking
setting tty flags
kbd: keyboard mapping set to fr
starting network
starting system logger
starting rpc daemons: portmap ypbind mountd nfsd.
savecore: no core dump
checking quotas: done.
building ps databases: kvm dev.
clearing /tmp
starting pre-securelevel daemons:.
setting kernel security level: kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files
starting network daemons: rwhod sendmail inetd sshd.
starting local daemons:.
standard daemons: cron.
Sat Dec  3 11:48:18 CET 2005

OpenBSD/i386 (homard.localdomain) (console)

login:
Password:
Login incorrect
login: Login timed out after 300 seconds

OpenBSD/i386 (homard.localdomain) (console)

login: panic: todo < 0; minphys broken
Stopped at      Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0}> trace
Debugger(e8bf3be0,1,d05c58a0,d154bc08,ffffc8e0) at Debugger+0x4
panic(d0506b1f,d154b400,d154b40c,2,d7556a98) at panic+0x63
physio(d035652c,d154bc08,f02,100000,d03650a4) at physio+0x246
scsi_do_ioctl(d1471080,f02,c0605101,e8bf3e68,3) at scsi_do_ioctl+0x205
cdioctl(f02,c0605101,e8bf3e68,3,d742754c) at cdioctl+0x185
spec_ioctl(e8bf3d58,d7502ccc,30042,d742754c,d1453f04) at spec_ioctl+0x40
spec_vnoperate(e8bf3d58,30042,d742754c,e8bf3d60,d05947e0) at spec_vnoperate+0x16
VOP_IOCTL(d746ec30,c0605101,e8bf3e68,3,d75274b0,d742754c,d05ee150,e8bf3db0) at VOP_IOCTL+0x40
vn_ioctl(d750dea0,c0605101,e8bf3e68,d742754c) at vn_ioctl+0xd0
sys_ioctl(d742754c,e8bf3f68,e8bf3f58,cfbfa908,6ad) at sys_ioctl+0x112
syscall() at syscall+0x336
--- syscall (number 54) ---
0x2750219:
ddb{0}> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
 27854      1  27854      0  3   0x2004086  ttyin      getty
*27429  20181  27429      0  7   0x2004006             cdda2wav
 21417   5166  21417   1001  3   0x2004086  ttyin      sh
  5166  20181   5166   1001  3   0x2845186  select     xterm
 20181  11763  20181   1001  3   0x2004086  pause      sh
 11763      1  29422   1001  2   0x2044184             xterm
 31439      1  31439      0  3   0x2004086  ttyin      getty
 27087      1  27087      0  3   0x2004086  ttyin      getty
 29522      1  29522      0  3   0x2004086  ttyin      getty
 18518      1  18518      0  3   0x2004086  ttyin      getty
 16372      1  16372      0  3   0x2004086  ttyin      getty
  4876      1   4876      0  3   0x2000084  select     cron
  1118      1   1118      0  3   0x2040184  select     sendmail
 11073      1  11073      0  3   0x2000084  select     sshd
 21097      1  21097      0  3   0x2000184  select     inetd
  5881      1   5881      0  3   0x2000084  poll       rwhod
 30288      0      0      0  3   0x2100284  nfsidl     nfsio
 26756      0      0      0  3   0x2100284  nfsidl     nfsio
 26750      0      0      0  3   0x2100284  nfsidl     nfsio
  9611      0      0      0  3   0x2100284  nfsidl     nfsio
 32555  13958  13958      0  3   0x2000084  nfsd       nfsd
 20229  13958  13958      0  3   0x2000084  nfsd       nfsd
 21269  13958  13958      0  3   0x2000084  nfsd       nfsd
 30235  13958  13958      0  3   0x2000084  nfsd       nfsd
 13958      1  13958      0  3   0x2000084  netcon     nfsd
 29133      1  29133      0  3   0x2000084  select     mountd
  8694      1   8694      0  3   0x2000084  select     ypbind
 17806      1  17806     28  3   0x2000184  poll       portmap
  7267   8022   8022     73  3   0x2000184  poll       syslogd
  8022      1   8022      0  3   0x2000084  netio      syslogd
    11      0      0      0  3   0x2100204  crypto_wa  crypto
    10      0      0      0  3   0x2100204  aiodoned   aiodoned
     9      0      0      0  3   0x2100204  syncer     update
     8      0      0      0  3   0x2100204  cleaner    cleaner
     7      0      0      0  3    0x100204  reaper     reaper
     6      0      0      0  3   0x2100204  pgdaemon   pagedaemon
     5      0      0      0  3   0x2100204  pftm       pfpurge
     4      0      0      0  3   0x2100204  usbtsk     usbtask
     3      0      0      0  3   0x2100204  usbevt     usb0
     2      0      0      0  3   0x2100204  kmalloc    kmthread
     1      0      1      0  3   0x2004084  wait       init
     0     -1      0      0  3   0x2080204  scheduler  swapper
 21973  27429  27429      0  5      0x2002             cdda2wav
ddb{0}>
Index: scsi_ioctl.c
===================================================================
RCS file: /cvs/src/sys/scsi/scsi_ioctl.c,v
retrieving revision 1.21
diff -u -r1.21 scsi_ioctl.c
--- scsi_ioctl.c 10 Oct 2005 20:06:11 -0000 1.21
+++ scsi_ioctl.c 4 Dec 2005 08:59:37 -0000
@@ -383,6 +383,9 @@
  si = si_get();
  si->si_screq = *screq;
  si->si_sc_link = sc_link;
+ if (screq->datalen > INT_MAX) {
+ return EINVAL;
+ }
  len = screq->datalen;
  if (len) {
  si->si_iov.iov_base = screq->databuf;
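Review bot: the early `return EINVAL` in the added block leaks the `si` that `si = si_get();` obtained three lines above it, because nothing releases it on that path. The check only depends on `screq`, so the simplest fix is to move `if (screq->datalen > INT_MAX) return EINVAL;` above the `si = si_get();` line; otherwise release `si` with the routine that pairs with `si_get()` before returning. Also confirm that a header defining `INT_MAX` is already included in scsi_ioctl.c, since the hunk does not add one.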
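As an added example (not code from the post or from the OpenBSD tree), the narrowing the post describes and the check its patch proposes, reduced to user-space C so the wrap-around can be seen directly. `struct demo_screq`, `narrow_datalen`, `checked_datalen` and `datalen_error` are hypothetical names standing in for `struct scsireq` and the kernel's own code, and the sample lengths are constructed:

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for the kernel's struct scsireq; only the field
 * the post talks about (the u_long byte count 'datalen') is modelled.
 * Nothing here is OpenBSD code.
 */
struct demo_screq {
	unsigned long datalen;
};

/*
 * Reproduces the narrowing the post describes: 'len = screq->datalen'
 * silently converts u_long to int. On two's-complement targets the value
 * is reduced modulo 2^32, so any datalen with bit 31 set comes out
 * negative, which is exactly the 'todo < 0' that physio() panics on.
 */
int
narrow_datalen(unsigned long datalen)
{
	int len = datalen;	/* implicit conversion, as in the original */
	return len;
}

/*
 * Validation in the spirit of the posted patch: refuse any request whose
 * byte count does not fit a non-negative int. Returns 0 and stores the
 * checked length in *lenp, or EINVAL when the length is unrepresentable.
 * Doing the check before any resource is allocated avoids the leak an
 * early return after an allocation would cause.
 */
int
checked_datalen(const struct demo_screq *screq, int *lenp)
{
	if (screq->datalen > (unsigned long)INT_MAX)
		return EINVAL;
	*lenp = (int)screq->datalen;	/* now provably in [0, INT_MAX] */
	return 0;
}

/* Verdict-only wrapper: 0 if the length is acceptable, else EINVAL. */
int
datalen_error(unsigned long datalen)
{
	struct demo_screq req;
	int len;

	req.datalen = datalen;
	return checked_datalen(&req, &len);
}

int
main(void)
{
	/* Constructed sample lengths: a sane request, then two that wrap. */
	unsigned long samples[] = {
		2048UL,
		(unsigned long)INT_MAX + 1UL,
		~0UL,
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct demo_screq req;
		int len, err;

		req.datalen = samples[i];
		err = checked_datalen(&req, &len);
		if (err == 0)
			printf("datalen=%lu  unchecked int=%d  checked int=%d\n",
			    samples[i], narrow_datalen(samples[i]), len);
		else
			printf("datalen=%lu  unchecked int=%d  checked: EINVAL\n",
			    samples[i], narrow_datalen(samples[i]));
	}
	return 0;
}
```

The two oversized samples give the same negative results whether `unsigned long` is 32 or 64 bits wide, because only the low 32 bits survive the conversion; the check compares against `INT_MAX` in the wider type, so it rejects them on both kinds of platform.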