On Thu, Jul 09, 2009 at 08:37:38PM +0200, Remco wrote:
> I noticed the following code path in /sys/dev/softraid.c:
>
> int
> sr_scsi_cmd(struct scsi_xfer *xs)
> {
> ...
>     sd = sc->sc_dis[link->scsibus];
>     if (sd == NULL) {
>         s = splhigh();
>         sd = sc->sc_attach_dis;
>         splx(s);
>
>         DNPRINTF(SR_D_CMD, "%s: sr_scsi_cmd: attaching %p\n",
>             DEVNAME(sc), sd);
>         if (sd == NULL) {
>             wu = NULL;
>             printf("%s: sr_scsi_cmd NULL discipline\n",
>                 DEVNAME(sc));
>             goto stuffup;
> ...
> stuffup:
>     if (sd->sd_scsi_sense.error_code) {
>
>
> If I'm not mistaken this leads to dereferencing sd as a NULL pointer.
>
> I'm not sure whether this causes an actual real world problem or where to put
> a guard to avoid this.

If that situation would occur, we would indeed hit a NULL pointer deref,
which would crash the kernel.

We have fixed it now. Thanks for pointing it out.

> Regards,
> Remco

Regards,
Marcus
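The shape of the bug and of a guarded error path, as an added example that is not part of this thread and not OpenBSD's actual fix (the thread does not show the committed change). All struct names, fields, status codes and the function name below are hypothetical stand-ins for the real softraid types, reduced to what the quoted path involves: a per-bus discipline table, a fallback to the discipline being attached, and one shared "stuffup" label that reads sense data from the discipline.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not OpenBSD code: a simplified model of sr_scsi_cmd()'s
 * discipline lookup and its shared "stuffup" error label.  Every type and
 * constant here is a hypothetical stand-in for the real softraid ones.
 */

#define SR_MAX_BUS 4

enum xs_status {
    XS_OK = 0,              /* command was handed to a discipline */
    XS_DRIVER_STUFFUP = 1,  /* generic driver failure, no sense data */
    XS_SENSE = 2            /* failure with sense data from the discipline */
};

enum sr_opcode { SR_OP_READ = 0x28, SR_OP_WRITE = 0x2a };

struct sr_sense {
    int error_code;         /* non-zero once the discipline filled in sense data */
};

struct sr_discipline {
    const char *sd_name;
    struct sr_sense sd_scsi_sense;
};

struct sr_softc {
    const char *sc_devname;
    struct sr_discipline *sc_dis[SR_MAX_BUS];  /* per-bus disciplines, NULL if unused */
    struct sr_discipline *sc_attach_dis;       /* discipline currently attaching, or NULL */
};

struct sr_xfer {
    int bus;
    int opcode;
    int error;              /* receives an xs_status value */
};

/*
 * Guarded version of the path quoted in the thread.  The original jumped to
 * "stuffup" with sd == NULL and then read sd->sd_scsi_sense, a NULL pointer
 * dereference in the kernel.  Here the label only touches sd after checking
 * it, so "no discipline" degrades to a plain driver error instead of a crash.
 * Returns 0 on success, 1 on error, with the reason in xs->error.
 */
int
sr_scsi_cmd_model(struct sr_softc *sc, struct sr_xfer *xs)
{
    struct sr_discipline *sd = NULL;

    if (xs->bus < 0 || xs->bus >= SR_MAX_BUS)
        goto stuffup;                   /* sd is still NULL here */

    sd = sc->sc_dis[xs->bus];
    if (sd == NULL) {
        /* splhigh()/splx() omitted: no interrupt context in this model */
        sd = sc->sc_attach_dis;
        if (sd == NULL) {
            printf("%s: sr_scsi_cmd NULL discipline\n", sc->sc_devname);
            goto stuffup;               /* sd is NULL here too */
        }
    }

    switch (xs->opcode) {
    case SR_OP_READ:
    case SR_OP_WRITE:
        xs->error = XS_OK;              /* pretend the discipline queued the I/O */
        return 0;
    default:
        /* unsupported opcode: the discipline reports it through sense data */
        sd->sd_scsi_sense.error_code = 0x70;
        goto stuffup;
    }

stuffup:
    /* The guard: sd is NULL on the bad-bus and no-discipline paths. */
    if (sd != NULL && sd->sd_scsi_sense.error_code) {
        xs->error = XS_SENSE;
        sd->sd_scsi_sense.error_code = 0;   /* sense consumed by this xfer */
    } else {
        xs->error = XS_DRIVER_STUFFUP;
    }
    return 1;
}

int
main(void)
{
    struct sr_softc sc = { "softraid0", { NULL, NULL, NULL, NULL }, NULL };
    struct sr_xfer xs = { 0, SR_OP_READ, XS_OK };

    /* Nothing attached on any bus: the unguarded label would crash here. */
    sr_scsi_cmd_model(&sc, &xs);
    printf("no discipline -> error %d\n", xs.error);
    return 0;
}
```

The point generalises beyond softraid: a shared cleanup label must only touch state that every `goto` reaching it has initialised. Either guard the pointer at the label, as above, or jump to a later label that skips the dereference; the unguarded form only works until the first caller reaches the label with a pointer that was never assigned.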