A NULL pointer dereference crash occurs in fc_lport_bsg_request() for
bsg requests that do not carry a response request.  Specifically,
FC_BSG_HST_ADD_RPORT and FC_BSG_HST_DEL_RPORT bsg requests are not
guaranteed to include one.

Here's a sample traceback.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000108
IP: [<ffffffffa0476078>] fc_lport_bsg_request+0x45/0x140 [libfc]
PGD 10e4fa067 PUD 10c5e5067 PMD 0
Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
last sysfs file: /sys/devices/pci0000:80/0000:80:09.0/0000:84:00.1/local_cpus
CPU 0
Modules linked in: bnx2fc libfcoe libfc scsi_transport_fc cnic 8021q nfs 
fscache nfsd lockd bridge nfs_acl auth_rpcgss exportfs stp bnep sco l2cap crc16 
bluetooth sunrpc iptable_filter ip_tables ip6table_filter ip6_tables x_tables 
ipv6 loop scsi_dh uinput sr_mod cdrom bnx2x rtc_cmos rtc_core rtc_lib ata_piix 
pcspkr serio_raw bnx2 libata sg mdio button joydev dcdbas dm_snapshot dm_zero 
dm_mirror dm_region_hash dm_log dm_mod shpchp mptsas mptscsih mptbase 
scsi_transport_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd [last 
unloaded: bnx2fc]
Pid: 4053, comm: fc-crash Tainted: G        W  2.6.32-next #34 PowerEdge T710
RIP: 0010:[<ffffffffa0476078>]  [<ffffffffa0476078>] 
fc_lport_bsg_request+0x45/0x140 [libfc]
RSP: 0018:ffff88010e47faf8  EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88012f1c3818 RCX: 0000000000000008
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88011529ca68
RBP: ffff88010e47fb18 R08: 0000000000000010 R09: ffff8801100eeea0
R10: ffff88010e47fb18 R11: ffffffff811892e7 R12: ffff88012f1c3818
R13: ffff88011529c650 R14: ffff88011529ca68 R15: ffff88011b143460
FS:  00007f05da58a6f0(0000) GS:ffff88002f000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000108 CR3: 0000000103210000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process fc-crash (pid: 4053, threadinfo ffff88010e47e000, task ffff880108bbc2c0)
Stack:
 ffff88012f1c3818 ffff8801100eeea0 0000000000000000 ffff88011b18c000
<0> ffff88010e47fb68 ffffffffa02d5e23 ffff88011529c2a0 0000000000000000
<0> ffff88011529c000 ffff88011b143460 ffff88011b143460 ffff8801100eeea0
Call Trace:
 [<ffffffffa02d5e23>] fc_bsg_request_handler+0x366/0x416 [scsi_transport_fc]
 [<ffffffffa02d5f4b>] fc_bsg_host_handler+0x1e/0x20 [scsi_transport_fc]
 [<ffffffff8116c777>] __generic_unplug_device+0x35/0x3a
 [<ffffffff81170b36>] blk_execute_rq_nowait+0x6f/0x96
 [<ffffffff81170c2f>] blk_execute_rq+0xd2/0xff
 [<ffffffff8106928c>] ? lock_release_non_nested+0xd1/0x259
 [<ffffffff8106908b>] ? __lock_acquire+0x7ca/0x816
 [<ffffffff810c0847>] ? might_fault+0x5c/0xa9
 [<ffffffff81175cee>] bsg_ioctl+0x1ab/0x1fd
 [<ffffffff81064558>] ? trace_hardirqs_off+0xd/0xf
 [<ffffffff8105c15e>] ? cpu_clock+0x2d/0x3f
 [<ffffffff8130c036>] ? _spin_unlock_irqrestore+0x44/0x4c
 [<ffffffff810ec7ce>] vfs_ioctl+0x2f/0xa2
 [<ffffffff810ecd61>] do_vfs_ioctl+0x495/0x4e6
 [<ffffffff8105ac3b>] ? up_read+0x2b/0x2f
 [<ffffffff8130ca29>] ? retint_swapgs+0xe/0x13
 [<ffffffff810ece0e>] sys_ioctl+0x5c/0x7f
 [<ffffffff81180cb7>] ? __up_read+0x1a/0x83
 [<ffffffff81002c1b>] system_call_fastpath+0x16/0x1b
Code: 89 fc 48 8b 90 48 01 00 00 48 8b 47 78 49 81 c5 50 06 00 00 4d 8d b5 18 
04 00 00 c7 40 04 00 00 00 00 8b 87 98 00 00 00 4c 89 f7 <89> 82 08 01 00 00 e8 
a6 45 e9 e0 49 8b 74 24 70 8b 06 3d 02 00
RIP  [<ffffffffa0476078>] fc_lport_bsg_request+0x45/0x140 [libfc]
 RSP <ffff88010e47faf8>
CR2: 0000000000000108
---[ end trace 5419ef98f02236eb ]---
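As an added illustration (not the libfc patch itself, whose diff is not part of this message), here is a reduced C model of the handler path described above: the struct names, the MSG_* codes and the next_rq/resid_len fields are assumptions standing in for the kernel's types, and only the FC_BSG_HST_ADD_RPORT / FC_BSG_HST_DEL_RPORT message names come from the post.

```c
#include <stdio.h>
enum msgcode { MSG_ADD_RPORT, MSG_DEL_RPORT, MSG_CT_PASSTHRU }; /* placeholders */
struct bsg_req {               /* stand-in for the block-layer request */
    struct bsg_req *next_rq;   /* the response request; NULL when absent */
    unsigned int resid_len;
};
struct bsg_job {               /* stand-in for the FC bsg job */
    enum msgcode msgcode;
    struct bsg_req *req;
    unsigned int reply_payload_len;
};

/* "Before" pattern: assumes every job carries a response request. With a NULL
 * next_rq the store is a write at a small offset from 0, as the oops reports. */
static int handle_assuming_response(struct bsg_job *job)
{
    struct bsg_req *rsp = job->req->next_rq;
    rsp->resid_len = job->reply_payload_len;   /* faults if rsp == NULL */
    return 0;
}

/* Guarded version: touch the response request only when one exists.
 * Returns 1 if a response was filled in, 0 if the job carried none. */
static int handle_checked(struct bsg_job *job)
{
    struct bsg_req *rsp = job->req->next_rq;
    if (!rsp)
        return 0;
    rsp->resid_len = job->reply_payload_len;
    return 1;
}

/* Constructed scenario: a passthrough job with a response request, or an
 * ADD_RPORT job without one. Returns the resid_len recorded, or -1 if none. */
static int scenario(int with_response)
{
    struct bsg_req rsp = { NULL, 0 };
    struct bsg_req req = { with_response ? &rsp : NULL, 0 };
    struct bsg_job job = { with_response ? MSG_CT_PASSTHRU : MSG_ADD_RPORT,
                           &req, 128 };
    return handle_checked(&job) ? (int)rsp.resid_len : -1;
}

int main(void)
{
    struct bsg_req rsp = { NULL, 0 }, req = { &rsp, 0 };
    struct bsg_job ct = { MSG_CT_PASSTHRU, &req, 64 };
    handle_assuming_response(&ct);     /* safe only because rsp is present */
    printf("%u %d %d\n", rsp.resid_len, scenario(1), scenario(0));
    return 0;
}
```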

Hugh Daschbach (1):
  Don't assume response request present.

 drivers/scsi/libfc/fc_lport.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


_______________________________________________
devel mailing list
http://www.open-fcoe.org/mailman/listinfo/devel