Bug 83391
| Summary: | Oops on sd_mod | | |
|---|---|---|---|
| Product: | SCSI Drivers | Reporter: | tomsun (tomsunchen) |
| Component: | Other | Assignee: | scsi_drivers-other |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | jmoyer |
| Priority: | P1 | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Kernel Version: | 2.6.32 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | the function disassemble info | | |

Description
tomsun
2014-08-28 02:32:01 UTC
Created attachment 148621
the function disassemble info

```c
static void sd_read_block_limits(struct scsi_disk *sdkp)
{
    unsigned int sector_sz = sdkp->device->sector_size;
    const int vpd_len = 32;
    unsigned char *buffer = kmalloc(vpd_len, GFP_KERNEL);

    if (!buffer ||
        /* Block Limits VPD */
        scsi_get_vpd_page(sdkp->device, 0xb0, buffer, vpd_len))
        goto out;

    blk_queue_io_min(sdkp->disk->queue,
                     get_unaligned_be16(&buffer[6]) * sector_sz);
    blk_queue_io_opt(sdkp->disk->queue,
                     get_unaligned_be32(&buffer[12]) * sector_sz);

    if (buffer[3] == 0x3c) {
        unsigned int lba_count, desc_count;

        sdkp->max_ws_blocks =
            (u32) min_not_zero(get_unaligned_be64(&buffer[36]),
                               (u64)0xffffffff);

        if (!sdkp->lbpme)
            goto out;

        lba_count = get_unaligned_be32(&buffer[20]);
        desc_count = get_unaligned_be32(&buffer[24]);

        if (lba_count && desc_count)
            sdkp->max_unmap_blocks = lba_count;

        sdkp->unmap_granularity = get_unaligned_be32(&buffer[28]);

        if (buffer[32] & 0x80)
            sdkp->unmap_alignment =
                get_unaligned_be32(&buffer[32]) & ~(1 << 31);

        if (!sdkp->lbpvpd) { /* LBP VPD page not provided */
            if (sdkp->max_unmap_blocks)
                sd_config_discard(sdkp, SD_LBP_UNMAP);
            else
                sd_config_discard(sdkp, SD_LBP_WS16);
        } else { /* LBP VPD page tells us what to use */
            if (sdkp->lbpu && sdkp->max_unmap_blocks)
                sd_config_discard(sdkp, SD_LBP_UNMAP);
            else if (sdkp->lbpws)
                sd_config_discard(sdkp, SD_LBP_WS16);
            else if (sdkp->lbpws10)
                sd_config_discard(sdkp, SD_LBP_WS10);
            else
                sd_config_discard(sdkp, SD_LBP_DISABLE);
        }
    }

out:
    kfree(buffer);
}
```

First, the buffer pointer is allocated 32 bytes of memory, but the buffer is misused as 64 bytes of memory, e.g.

```c
sdkp->max_ws_blocks = (u32) min_not_zero(get_unaligned_be64(&buffer[36]), (u64)0xffffffff);
```

I don't know why. Is it the bug for this oops? Thank you very much~

This is a vendor kernel. You should file a bug report with Red Hat here:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206

First, though, you should update to a newer kernel... that one is several years old.

Sorry, thank you very much!

(In reply to Jeff Moyer from comment #3)
> This is a vendor kernel. You should file a bug report with Red Hat here:
>
> https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206
>
> First, though, you should update to a newer kernel... that one is several
> years old.
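
The length question raised in the description, as an added example (userspace C, not part of the report or of the kernel source): a parser for the same field offsets that checks the buffer length before each group of reads, so a 32-byte buffer is rejected once the page length byte is 0x3c. The names `bl_limits`, `parse_block_limits` and `sample_page` and the sample values are assumptions made for this example; it models only the bounds check, not the discard configuration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bl_limits {              /* hypothetical type for this example, not a kernel one */
    uint32_t io_min, io_opt, max_unmap_lba, unmap_granularity, unmap_alignment;
    uint64_t max_ws_blocks;
};

static uint64_t be(const uint8_t *p, size_t n)  /* big-endian load of n bytes */
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* 0 on success, -1 if buf_len cannot hold the fields about to be read. */
int parse_block_limits(const uint8_t *buf, size_t buf_len, struct bl_limits *out)
{
    memset(out, 0, sizeof(*out));
    if (buf_len < 16)                   /* bytes 6-7 and 12-15 are read below */
        return -1;
    out->io_min = (uint32_t)be(buf + 6, 2);
    out->io_opt = (uint32_t)be(buf + 12, 4);
    if (buf[3] != 0x3c)                 /* short page: nothing past byte 15 is read */
        return 0;
    if (buf_len < 44)                   /* be64 at bytes 36-43; 32 bytes fails here */
        return -1;
    out->max_ws_blocks = be(buf + 36, 8);
    out->max_unmap_lba = (uint32_t)be(buf + 20, 4);
    out->unmap_granularity = (uint32_t)be(buf + 28, 4);
    if (buf[32] & 0x80)                 /* alignment-valid bit */
        out->unmap_alignment = (uint32_t)be(buf + 32, 4) & ~(1u << 31);
    return 0;
}

const uint8_t sample_page[64] = {       /* constructed sample, made-up limits */
    [1] = 0xb0, [3] = 0x3c, [7] = 8, [14] = 0x04, [22] = 0x10,
    [31] = 8, [32] = 0x80, [35] = 4, [42] = 0x80,
};

int main(void)
{
    struct bl_limits l;
    int full = parse_block_limits(sample_page, 64, &l);
    int small = parse_block_limits(sample_page, 32, &l);
    printf("64-byte buffer: %d, 32-byte buffer: %d\n", full, small);
    return 0;
}
```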